Github user revans2 commented on a diff in the pull request:
https://github.com/apache/storm/pull/2752#discussion_r200408787
--- Diff: storm-core/src/jvm/org/apache/storm/ui/UIServer.java ---
@@ -0,0 +1,101 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.storm.ui;
+
+import org.apache.storm.DaemonConfig;
+import org.apache.storm.daemon.drpc.webapp.ReqContextFilter;
+import org.apache.storm.security.auth.IHttpCredentialsPlugin;
+import org.apache.storm.security.auth.ServerAuthUtils;
+import org.apache.storm.ui.filters.AuthorizedUserFilter;
+import org.apache.storm.utils.Utils;
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.server.ServerConnector;
+import org.eclipse.jetty.servlet.DefaultServlet;
+import org.eclipse.jetty.servlet.FilterHolder;
+import org.eclipse.jetty.servlet.ServletContextHandler;
+import org.eclipse.jetty.servlet.ServletHolder;
+
+import org.glassfish.jersey.server.ResourceConfig;
+import org.glassfish.jersey.servlet.ServletContainer;
+
+
+import javax.servlet.DispatcherType;
+import java.util.EnumSet;
+import java.util.Map;
+
+/**
+ * Main class.
+ *
+ */
+public class UIServer {
+
+ public static void addRequestContextFilter(ServletContextHandler
context,
+ String configName,
Map<String, Object> conf) {
+ IHttpCredentialsPlugin auth =
ServerAuthUtils.getHttpCredentialsPlugin(conf, (String) conf.get(configName));
+ ReqContextFilter filter = new ReqContextFilter(auth);
+ context.addFilter(new FilterHolder(filter), "/*",
EnumSet.allOf(DispatcherType.class));
+ }
+
+ public static void main(String[] args) throws Exception {
+
+ Map<String, Object> conf = Utils.readStormConfig();
+ Server jettyServer = new Server();
+ ServerConnector connector = new ServerConnector(jettyServer);
+ connector.setPort(4443);
+ //connector.setPort((Integer) conf.get(DaemonConfig.UI_PORT));
+ jettyServer.addConnector(connector);
+
+ ServletContextHandler context = new
ServletContextHandler(ServletContextHandler.SESSIONS);
+ context.setContextPath("/");
+ jettyServer.setHandler(context);
+
+
+ ResourceConfig resourceConfig =
+ new ResourceConfig()
+ .packages("org.apache.storm.ui.resources")
+ .register(AuthorizedUserFilter.class);
+
+ ServletHolder jerseyServlet = new ServletHolder(new
ServletContainer(resourceConfig));
+ jerseyServlet.setInitOrder(0);
+ context.addServlet(jerseyServlet, "/api/v1/*");
+ addRequestContextFilter(context,
DaemonConfig.DRPC_HTTP_CREDS_PLUGIN, conf);
+
+ // add special pathspec of static content mapped to the homePath
+ ServletHolder holderHome = new ServletHolder("static-home",
DefaultServlet.class);
+
holderHome.setInitParameter("resourceBase",UIServer.class.getProtectionDomain().getCodeSource().getLocation().toExternalForm()
+ "/WEB-INF/");
+ holderHome.setInitParameter("dirAllowed","true");
+ holderHome.setInitParameter("pathInfoOnly","true");
+ context.addServlet(holderHome,"/*");
+
+
+ // Lastly, the default servlet for root content (always needed, to
satisfy servlet spec)
+ ServletHolder holderPwd = new ServletHolder("default",
DefaultServlet.class);
+ holderPwd.setInitParameter("dirAllowed","true");
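Review bot: The request-context filter is wired with `DaemonConfig.DRPC_HTTP_CREDS_PLUGIN` in the `addRequestContextFilter(context, DaemonConfig.DRPC_HTTP_CREDS_PLUGIN, conf)` call, so the UI's HTTP credentials plugin is taken from the DRPC daemon's setting rather than a UI-specific one; a cluster that configures authentication for the UI but not for DRPC would run this listener with whatever that key yields, and the two daemons cannot be configured independently. Unless sharing the DRPC key is intentional, this should read the UI's own creds-plugin key (the file already references `DaemonConfig.UI_PORT`, so UI-specific keys presumably live in `DaemonConfig`), with a comment stating which config key governs authentication for this server. Related: `connector.setPort(4443)` hard-codes the port while the config-driven `connector.setPort((Integer) conf.get(DaemonConfig.UI_PORT))` is commented out, and the plain `ServerConnector` carries no TLS configuration even though 4443 reads as an HTTPS-style port, so either restore the config read or mark both with a `// TODO` so a hard-coded plaintext listener does not ship by accident. The `main` method continues past the quoted portion of the hunk.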
--- End diff --
Question: does `dirAllowed` let someone request a path-traversal style URL such as `/foo/../../bar/`? I assume it does not, but I want to be sure.
---