Add simple authentication to WebApp settings with clear-text password

h2/src/docsrc/html/tutorial.html

@@ -436,6 +436,7 @@ Supported settings are:
 <ul><li><code>webAllowOthers</code>: allow other computers to connect.
 </li><li><code>webPort</code>: the port of the H2 Console
 </li><li><code>webSSL</code>: use encrypted TLS (HTTPS) connections.
+</li><li><code>adminPassword</code>: password to access preferences and tools of H2 Console.
 </li></ul>
 <p>
 In addition to those settings, the properties of the last recently used connection

h2/src/main/org/h2/server/web/WebApp.java

@@ -168,6 +168,14 @@ public class WebApp {
         trace(file);
         if (file.endsWith(".do")) {
             file = process(file);
+        } else if (file.endsWith(".jsp")) {
+            switch (file) {
+            case "admin.jsp":
+            case "tools.jsp":
+                if (!checkAdmin(file)) {
+                    file = process("adminLogin.do");
+                }
+            }
         }
         return file;
     }
@@ -207,46 +215,86 @@ public class WebApp {
     private String process(String file) {
         trace("process " + file);
         while (file.endsWith(".do")) {
-            if ("login.do".equals(file)) {
+            switch (file) {
+            case "login.do":
                 file = login();
-            } else if ("index.do".equals(file)) {
+                break;
+            case "index.do":
                 file = index();
-            } else if ("logout.do".equals(file)) {
+                break;
+            case "logout.do":
                 file = logout();
-            } else if ("settingRemove.do".equals(file)) {
+                break;
+            case "settingRemove.do":
                 file = settingRemove();
-            } else if ("settingSave.do".equals(file)) {
+                break;
+            case "settingSave.do":
                 file = settingSave();
-            } else if ("test.do".equals(file)) {
+                break;
+            case "test.do":
                 file = test();
-            } else if ("query.do".equals(file)) {
+                break;
+            case "query.do":
                 file = query();
-            } else if ("tables.do".equals(file)) {
+                break;
+            case "tables.do":
                 file = tables();
-            } else if ("editResult.do".equals(file)) {
+                break;
+            case "editResult.do":
                 file = editResult();
-            } else if ("getHistory.do".equals(file)) {
+                break;
+            case "getHistory.do":
                 file = getHistory();
-            } else if ("admin.do".equals(file)) {
-                file = admin();
-            } else if ("adminSave.do".equals(file)) {
-                file = adminSave();
-            } else if ("adminStartTranslate.do".equals(file)) {
-                file = adminStartTranslate();
-            } else if ("adminShutdown.do".equals(file)) {
-                file = adminShutdown();
-            } else if ("autoCompleteList.do".equals(file)) {
+                break;
+            case "admin.do":
+                file = checkAdmin(file) ? admin() : "adminLogin.do";
+                break;
+            case "adminSave.do":
+                file = checkAdmin(file) ? adminSave() : "adminLogin.do";
+                break;
+            case "adminStartTranslate.do":
+                file = checkAdmin(file) ? adminStartTranslate() : "adminLogin.do";
+                break;
+            case "adminShutdown.do":
+                file = checkAdmin(file) ? adminShutdown() : "adminLogin.do";
+                break;
+            case "autoCompleteList.do":
                 file = autoCompleteList();
-            } else if ("tools.do".equals(file)) {
-                file = tools();
-            } else {
+                break;
+            case "tools.do":
+                file = checkAdmin(file) ? tools() : "adminLogin.do";
+                break;
+            case "adminLogin.do":
+                file = adminLogin();
+                break;
+            default:
                 file = "error.jsp";
+                break;
             }
         }
         trace("return " + file);
         return file;
     }
 
+    private boolean checkAdmin(String file) {
+        Boolean b = (Boolean) session.get("admin");
+        if (b != null && b) {
+            return true;
+        }
+        session.put("adminBack", file);
+        return false;
+    }
+
+    private String adminLogin() {
+        String password = attributes.getProperty("password");
+        if (password == null || password.isEmpty() || !server.checkAdminPassword(password)) {
+            return "adminLogin.jsp";
+        }
+        String back = (String) session.remove("adminBack");
+        session.put("admin", true);
+        return back != null ? back : "admin.do";
+    }
+
     private String autoCompleteList() {
         String query = (String) attributes.get("query");
         boolean lowercase = false;
@@ -358,6 +406,10 @@ public class WebApp {
             boolean ssl = Utils.parseBoolean((String) attributes.get("ssl"), false, false);
             prop.setProperty("webSSL", String.valueOf(ssl));
             server.setSSL(ssl);
+            String adminPassword = server.getAdminPassword();
+            if (adminPassword != null && !adminPassword.isEmpty()) {
+                prop.setProperty("adminPassword", adminPassword);
+            }
             server.saveProperties(prop);
         } catch (Exception e) {
             trace(e.toString());
@@ -983,6 +1035,7 @@ public class WebApp {
         } catch (Exception e) {
             trace(e.toString());
         }
+        session.remove("admin");
         return "index.do";
     }
 

h2/src/main/org/h2/server/web/WebServer.java

@@ -154,6 +154,7 @@ public class WebServer implements Service {
     private final Set<WebThread> running =
             Collections.synchronizedSet(new HashSet<WebThread>());
     private boolean ssl;
+    private String adminPassword;
     private final HashMap<String, ConnectionInfo> connInfoMap = new HashMap<>();
 
     private long lastTimeoutCheck;
@@ -278,6 +279,7 @@ public class WebServer implements Service {
                 "webSSL", false);
         allowOthers = SortedProperties.getBooleanProperty(prop,
                 "webAllowOthers", false);
+        adminPassword = SortedProperties.getStringProperty(prop, "adminPassword", null);
         commandHistoryString = prop.getProperty(COMMAND_HISTORY);
         for (int i = 0; args != null && i < args.length; i++) {
             String a = args[i];
@@ -296,6 +298,8 @@ public class WebServer implements Service {
                 ifExists = true;
             } else if (Tool.isOption(a, "-ifNotExists")) {
                 ifExists = false;
+            } else if (Tool.isOption(a, "-adminPassword")) {
+                adminPassword = args[++i];
             } else if (Tool.isOption(a, "-properties")) {
                 // already set
                 i++;
@@ -679,6 +683,9 @@ public class WebServer implements Service {
                         Boolean.toString(SortedProperties.getBooleanProperty(old, "webAllowOthers", allowOthers)));
                 prop.setProperty("webSSL",
                         Boolean.toString(SortedProperties.getBooleanProperty(old, "webSSL", ssl)));
+                if (adminPassword != null && !adminPassword.isEmpty()) {
+                    prop.setProperty("adminPassword", adminPassword);
+                }
                 if (commandHistoryString != null) {
                     prop.setProperty(COMMAND_HISTORY, commandHistoryString);
                 }
@@ -848,4 +855,15 @@ public class WebServer implements Service {
         return allowChunked;
     }
 
+    String getAdminPassword() {
+        return adminPassword;
+    }
+
+    boolean checkAdminPassword(String password) {
+        if (adminPassword == null) {
+            return false;
+        }
+        return adminPassword.equals(password);
+    }
+
 }

h2/src/main/org/h2/server/web/WebSession.java

@@ -98,9 +98,10 @@ class WebSession {
      * Remove a session attribute from the map.
      *
      * @param key the key
+     * @return value that was associated with the key, or null
      */
-    void remove(String key) {
-        map.remove(key);
+    Object remove(String key) {
+        return map.remove(key);
     }
 
     /**

h2/src/main/org/h2/server/web/res/admin.jsp

@@ -15,7 +15,7 @@ Initial Developer: H2 Group
         ${text.adminTitle}
     </h1>
     <p>
-        <a href="index.do?jsessionid=${sessionId}">${text.adminLogout}</a>
+        <a href="logout.do?jsessionid=${sessionId}">${text.adminLogout}</a>
     </p>
     <hr />
     <form name="admin" method="post" action="adminSave.do?jsessionid=${sessionId}">

h2/src/main/org/h2/server/web/res/adminLogin.jsp

@@ -10,7 +10,7 @@ Initial Developer: H2 Group
     <link rel="stylesheet" type="text/css" href="stylesheet.css" />
 </head>
 <body style="margin: 20px">
-    <form name="adminLogin" method="post" action="admin.do?jsessionid=${sessionId}">
+    <form name="adminLogin" method="post" action="adminLogin.do?jsessionid=${sessionId}">
         <table class="login" cellspacing="0" cellpadding="0">
             <tr class="login">
                 <th class="login">${text.adminLogin}</th>

h2/src/main/org/h2/util/SortedProperties.java

@@ -78,6 +78,18 @@ public class SortedProperties extends Properties {
         }
     }
 
+    /**
+     * Get a string property value from a properties object.
+     *
+     * @param prop the properties object
+     * @param key the key
+     * @param def the default value
+     * @return the value if set, or the default value if not
+     */
+    public static String getStringProperty(Properties prop, String key, String def) {
+        return prop.getProperty(key, def);
+    }
+
     /**
      * Load a properties object from a file.
      *