[Dart] htaccess with Jetty ?

Olivier Warin daffy at xview.net
Wed Mar 8 09:37:04 EST 2006


James,

On 2 March 06 at 17:36, Miller, James V ((GE, Research)) wrote:

> I wonder if we should have xml-rpc on more than one port.
>
> The xml-rpc connection can be used for more than just submissions.
> It also provides the mechanism to control the server (shutdown etc.)
>
> Perhaps, we can have one port for xml-rpc server control and http support
> and allow (but not require) the port for xml-rpc submissions to be different.

Interesting ...

> We put them on the same port to simplify the server setup for the general user.

This should be configurable & documented.
People who are using Dart2 may know what they are doing; if the
documentation is consistent (this was not the case some time ago, as
I said on the ml), people won't get lost.

> Another option is to see if constraints can be placed on specific
> contexts.  While the xml-rpc and http are using the same port, they
> are/could be managed by separate HTTP/Servlet contexts.  Access restrictions
> could be placed on a context by context basis.

Ok, let me explain the case.
We are using Dart inside our intranet; nevertheless, even if we can
trust our developers, it does not mean I want them to see their
neighbours' projects.
Sometimes, there are internships too, which may not get access to
gcov results published on the dashboard.

Thus, we need to enforce security (authentication & cryptography)  
thanks to a proxy, but people can still get direct access on 8081.  
Filtering by IP address is a shame and would be useless if someone  
really wants to get access to the dashboard.

IMHO, the most secure way to deal with this is to prohibit the usage
of the POST & GET HTTP methods on jetty except for localhost.

I have directly asked on the jetty ml, Greg Wilkins advises me to use
Jetty Filter functionalities & HttpServletRequest to match some
params in the request.
Where exactly should I put something like this in the code ? (a
diff would be greatly appreciated :-D)
Sorry but I have not been able to understand how addHandler()
currently works... and I am not a Java coder...

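   import java.io.IOException;
   import javax.servlet.*;
   import javax.servlet.http.HttpServletResponse;

   // Lets a request through only when the client connects from 127.0.0.1.
   class LocalHostFilter implements Filter
   {
       public void init(FilterConfig config) {}
       public void destroy() {}

       public void doFilter(ServletRequest request, ServletResponse response,
                            FilterChain chain)
           throws IOException, ServletException
       {
           // getRemoteAddr() returns the client's IP as a string, never "localhost"
           if ("127.0.0.1".equals(request.getRemoteAddr()))
               chain.doFilter(request, response);
           else
               ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
       }
   }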


To conclude, dart2 should provide some more fine-grained ways
to deal with security and authentication, maybe some kind of
authentication between the Server and the Clients (ctest or
DartClient), over SSL....
I just suggest some ideas :-)

Kind regards,

> Perhaps it is best to proceed by capturing more details on your use
> case. It sounds like you have interest in controlling the access to the
> Dart web pages that is different than the two use cases we have:
>
> 1. Dart server running on the internet.  Anyone in the world can submit to
> and review the testing results.
>
> 2. Dart server running on an intranet.  Only machines within the intranet can
> submit and only machines within the intranet can review testing results.
>
> Jim
>
> -----Original Message-----
> From: Olivier Warin [mailto:daffy at xview.net]
> Sent: Thursday, March 02, 2006 11:04 AM
> To: Miller, James V (GE, Research)
> Subject: Re: [Dart] htaccess with Jetty ?
>
>
> Is there a way to split the XML-RPC & "web HTTP" part ?
> Two separate ports will be easier to control.
> Like this I can simply tell jetty not to bind on anything than
> localhost for requests to 8080 (results presentation) while 8081 will
> be freely available for ctest clients.
> I know this was the case (two separates TCP ports used) in the past,
> how can I revert to that state ?
> Kind regards,
>
> On 28 Feb. 06 at 17:50, Miller, James V ((GE, Research)) wrote:
>
>> Olivier,
>>
>> I added your request to our todo list.
>>
>> If you wanted to dig into code and experiment with jetty, you can look at
>> Server.java and Project.java and look at where the addHandler() is called.
>> This is where we would slip in additional security handlers. You could
>> create an HTAccessHandler and add it to the context.
>>
>> In the end, we'd specify a configuration for this in the Project.xml and
>> Server.xml files. At first glance, it does not look too hard (although
>> I don't know whether this is impacted by servlets or not). The tricky
>> part is probably in specifying the HTAccess file and putting it in a
>> place that the server can access (but not serve).
>>
>> Jim
>>
>> -----Original Message-----
>> From: dart-bounces+millerjv=crd.ge.com at public.kitware.com
>> [mailto:dart-bounces+millerjv=crd.ge.com at public.kitware.com]On
>> Behalf Of
>> Olivier Warin
>> Sent: Tuesday, February 28, 2006 10:52 AM
>> To: Miller, James V (GE, Research)
>> Cc: dart at public.kitware.com
>> Subject: Re: [Dart] htaccess with Jetty ?
>>
>>
>> On 28 Feb. 06 at 15:33, Miller, James V (GE, Research) wrote:
>>
>>> Dart is not currently set up to use HTAccess files.  We'd have to
>>> add some configuration information to Project.xml file and add the
>>> HTAccessHandler to the contexts.
>>>
>>> I'll have to read up on this wrt to servlets. Most of the Dart content
>>> is served by servlets which we'll need to constrain with HTAccess.
>>
>> -> ToDo List :-)
>>
>> Just filtering on an IP basis sucks. Using restrictions on the usage
>> of POST & GET (we only trust the front-end proxy) in conjunction can do
>> a nice job.
>>
>>> -----Original Message-----
>>> From: dart-bounces+millerjv=crd.ge.com at public.kitware.com
>>> [mailto:dart-bounces+millerjv=crd.ge.com at public.kitware.com]On
>>> Behalf Of
>>> Olivier Warin
>>> Sent: Monday, February 27, 2006 9:39 PM
>>> To: dart at public.kitware.com
>>> Subject: [Dart] htaccess with Jetty ?
>>>
>>>
>>> Hi,
>>> I want to use a htaccess files with Jetty.
>>> I saw there were the HTAccessHandler.class and IPAccessHandler.class
>>> inside the jetty.jar provided with dart2, nevertheless I cannot find
>>> some good documentation on how/where to put the configuration.
>>> Basically I want to achieve something like the following:
>>>
>>> <Directory "/">
>>>      <Limit GET POST>
>>>      Order deny,allow
>>>      deny from all
>>>      allow from 127.0.0.1
>>>      </Limit>
>>> </Directory>
>>>
>>> This will prohibit users from getting direct access to the jetty http server :-)
>>> Any advice would be appreciated.
>>> Regards,
--
Olivier Warin - http://xview.net
Stay connected !
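
The per-context restriction discussed in this thread, as an added example (not part of the original message, and not Dart's or Jetty's code): a default-deny decision that a servlet filter could call, letting remote clients POST only to the submission context while everything else requires a loopback client such as the local proxy. The context paths `/submit` and `/control` are hypothetical, and the sample requests are constructed.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

public class ContextAccessPolicy {
    // Hypothetical context path for XML-RPC submissions (an assumption, not Dart's real path).
    static final String SUBMIT_CONTEXT = "/submit";

    // True only for an IPv4 or IPv6 loopback literal such as 127.0.0.1 or ::1.
    static boolean isLoopback(String remoteAddr) {
        if (remoteAddr == null || remoteAddr.isEmpty()) {
            return false; // getByName(null) and getByName("") both resolve to loopback
        }
        try {
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false; // unparsable address: deny
        }
    }

    // Default deny: remote clients may only POST to the submission context.
    static boolean isAllowed(String method, String path, String remoteAddr) {
        if (isLoopback(remoteAddr)) {
            return true; // the authenticating proxy runs on the same host
        }
        if (path.contains("..")) {
            return false; // never match a context prefix on an unnormalized path
        }
        boolean submit = path.equals(SUBMIT_CONTEXT) || path.startsWith(SUBMIT_CONTEXT + "/");
        return submit && "POST".equals(method); // XML-RPC calls are HTTP POSTs
    }

    public static void main(String[] args) {
        // Constructed sample requests: method, path, client address.
        String[][] samples = {
            {"GET",  "/Dashboard/index.html", "127.0.0.1"},
            {"GET",  "/Dashboard/index.html", "192.0.2.10"},
            {"POST", "/submit",               "192.0.2.10"},
            {"GET",  "/submit",               "192.0.2.10"},
            {"POST", "/submit/../control",    "192.0.2.10"},
            {"POST", "/control",              "::1"},
        };
        for (String[] s : samples) {
            System.out.printf("%-4s %-22s %-11s -> %s%n", s[0], s[1], s[2],
                    isAllowed(s[0], s[1], s[2]) ? "allow" : "403");
        }
    }
}
```

The decision uses only the TCP peer address; a forwarded-for header supplied by the client is not consulted, so the loopback rule holds only as long as the proxy is the sole local process relaying outside traffic.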



