author | Endi S. Dewata <edewata@redhat.com> | 2013-11-13 13:52:31 -0500 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2013-11-14 16:54:54 -0500 |
commit | b7716af212ba857f45efa7f1811d92e916abbe26 (patch) | |
tree | c8e78ae39fc3e7eea38e2c7aff2443d0cf1cf526 | |
parent | 0aab0a6d60f139e958020cc59e07faf9517c235b (diff) | |
Added ACL for TPS authenticators.
A new ACL has been added so that only administrators can access
TPS authenticators.
The set of interceptors in each application has been modified to
preserve the order.
Ticket #652
10 files changed, 58 insertions, 17 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java index b26182dda..b20a544f5 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java @@ -1,6 +1,6 @@ package com.netscape.ca; -import java.util.HashSet; +import java.util.LinkedHashSet; import java.util.Set; import javax.ws.rs.core.Application; @@ -25,8 +25,9 @@ import com.netscape.cmscore.logging.AuditService; import com.netscape.cmscore.selftests.SelfTestService; public class CertificateAuthorityApplication extends Application { - private Set<Object> singletons = new HashSet<Object>(); - private Set<Class<?>> classes = new HashSet<Class<?>>(); + + private Set<Object> singletons = new LinkedHashSet<Object>(); + private Set<Class<?>> classes = new LinkedHashSet<Class<?>>(); public CertificateAuthorityApplication() { diff --git a/base/common/src/com/netscape/certsrv/tps/authenticator/AuthenticatorResource.java b/base/common/src/com/netscape/certsrv/tps/authenticator/AuthenticatorResource.java index 8e9f7284a..6a2ef0d9a 100644 --- a/base/common/src/com/netscape/certsrv/tps/authenticator/AuthenticatorResource.java +++ b/base/common/src/com/netscape/certsrv/tps/authenticator/AuthenticatorResource.java @@ -31,11 +31,16 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; +import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; + /** * @author Endi S. Dewata */ @Path("authenticators") +@AuthMethodMapping("authenticators") +@ACLMapping("authenticators.read") public interface AuthenticatorResource { @GET 
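Review bot: Switching `singletons` and `classes` to `LinkedHashSet` makes registration order deterministic, but nothing at the declaration says that the order is significant, so a later cleanup can turn it back into a `HashSet` without noticing; the same applies to the KeyRecoveryAuthorityApplication, OCSPApplication, TKSApplication and TPSApplication hunks below. A comment on the two fields would carry the intent from the commit message into the code, e.g. `// LinkedHashSet: interceptors must be registered in a fixed order`. Whether RESTEasy applies request filters in set iteration order is not established by these hunks; since `AuthMethodInterceptor` implements the JAX-RS 2.0 `ContainerRequestFilter`, the specified way to order filters is `@Priority` (`javax.annotation.Priority` with `javax.ws.rs.Priorities.AUTHENTICATION` and `Priorities.AUTHORIZATION`), which would make the authentication-before-authorization ordering explicit rather than implied by the collection type. The class bodies continue outside the hunks.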
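Review bot: The interface-level `@ACLMapping("authenticators.read")` becomes the fallback for every method that carries no mapping of its own, which after the later hunks means the GET operations, but nothing on the interface says so. A short Javadoc line above `public interface AuthenticatorResource` would make the contract visible, e.g. `Methods without their own {@code @ACLMapping} fall back to the interface-level {@code authenticators.read} mapping.` This presumes the ACL interceptor consults the method annotation before the class annotation, which the hunk does not show; the interface body continues past the hunk.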
@@ -53,6 +58,7 @@ public interface AuthenticatorResource { @ClientResponseType(entityType=AuthenticatorData.class) @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + @ACLMapping("authenticators.add") public Response addAuthenticator(AuthenticatorData authenticatorData); @PUT @@ -60,6 +66,7 @@ public interface AuthenticatorResource { @ClientResponseType(entityType=AuthenticatorData.class) @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + @ACLMapping("authenticators.modify") public Response updateAuthenticator( @PathParam("authenticatorID") String authenticatorID, AuthenticatorData authenticatorData); @@ -67,5 +74,6 @@ public interface AuthenticatorResource { @DELETE @Path("{authenticatorID}") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + @ACLMapping("authenticators.remove") public void removeAuthenticator(@PathParam("authenticatorID") String authenticatorID); } diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java index 5e6aa048d..0b311427f 100644 --- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java +++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java @@ -1,6 +1,6 @@ package com.netscape.kra; -import java.util.HashSet; +import java.util.LinkedHashSet; import java.util.Set; import javax.ws.rs.core.Application; 
@@ -15,8 +15,8 @@ import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupService; import com.netscape.cms.servlet.admin.SystemCertService; import com.netscape.cms.servlet.admin.UserService; -import com.netscape.cms.servlet.csadmin.SystemConfigService; import com.netscape.cms.servlet.csadmin.SecurityDomainService; +import com.netscape.cms.servlet.csadmin.SystemConfigService; import com.netscape.cms.servlet.key.KeyService; import com.netscape.cms.servlet.request.KeyRequestService; import com.netscape.cmscore.logging.AuditService; @@ -24,8 +24,8 @@ import com.netscape.cmscore.selftests.SelfTestService; public class KeyRecoveryAuthorityApplication extends Application { - private Set<Object> singletons = new HashSet<Object>(); - private Set<Class<?>> classes = new HashSet<Class<?>>(); + private Set<Object> singletons = new LinkedHashSet<Object>(); + private Set<Class<?>> classes = new LinkedHashSet<Class<?>>(); public KeyRecoveryAuthorityApplication() { diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java index a134e5c84..21b81f47f 100644 --- a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java +++ b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java @@ -1,6 +1,6 @@ package com.netscape.ocsp; -import java.util.HashSet; +import java.util.LinkedHashSet; import java.util.Set; import javax.ws.rs.core.Application; 
@@ -15,15 +15,15 @@ import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupService; import com.netscape.cms.servlet.admin.SystemCertService; import com.netscape.cms.servlet.admin.UserService; +import com.netscape.cms.servlet.csadmin.SecurityDomainService; import com.netscape.cms.servlet.csadmin.SystemConfigService; import com.netscape.cmscore.logging.AuditService; -import com.netscape.cms.servlet.csadmin.SecurityDomainService; import com.netscape.cmscore.selftests.SelfTestService; public class OCSPApplication extends Application { - private Set<Object> singletons = new HashSet<Object>(); - private Set<Class<?>> classes = new HashSet<Class<?>>(); + private Set<Object> singletons = new LinkedHashSet<Object>(); + private Set<Class<?>> classes = new LinkedHashSet<Class<?>>(); public OCSPApplication() { diff --git a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java index 25e24a540..a656b4596 100644 --- a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java +++ b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java @@ -70,6 +70,7 @@ public class AuthMethodInterceptor implements ContainerRequestFilter { authMethodProperties.put("account", "certUserDBAuthMgr,passwdUserDBAuthMgr"); authMethodProperties.put("admin", "certUserDBAuthMgr"); authMethodProperties.put("agent", "certUserDBAuthMgr"); + authMethodProperties.put("authenticators", "certUserDBAuthMgr"); authMethodProperties.put("profiles", "certUserDBAuthMgr"); authMethodProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr"); authMethodProperties.put("tokens", "certUserDBAuthMgr"); diff --git a/base/tks/src/com/netscape/tks/TKSApplication.java b/base/tks/src/com/netscape/tks/TKSApplication.java index 1f31bae37..f4a8730d9 100644 --- a/base/tks/src/com/netscape/tks/TKSApplication.java 
+++ b/base/tks/src/com/netscape/tks/TKSApplication.java @@ -1,6 +1,6 @@ package com.netscape.tks; -import java.util.HashSet; +import java.util.LinkedHashSet; import java.util.Set; import javax.ws.rs.core.Application; @@ -19,8 +19,8 @@ import com.netscape.cmscore.selftests.SelfTestService; public class TKSApplication extends Application { - private Set<Object> singletons = new HashSet<Object>(); - private Set<Class<?>> classes = new HashSet<Class<?>>(); + private Set<Object> singletons = new LinkedHashSet<Object>(); + private Set<Class<?>> classes = new LinkedHashSet<Class<?>>(); public TKSApplication() { diff --git a/base/tps-tomcat/shared/conf/acl.ldif b/base/tps-tomcat/shared/conf/acl.ldif index 1e1d8740c..db7dbe357 100644 --- a/base/tps-tomcat/shared/conf/acl.ldif +++ b/base/tps-tomcat/shared/conf/acl.ldif 
@@ -21,6 +21,7 @@ resourceACLS: certServer.admin.certificate:import:allow (import) user="anybody": resourceACLS: certServer.admin.request.enrollment:submit,read,execute:allow (submit) user="anybody":Anybody may submit an enrollment request resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to clone the configuration. resourceACLS: certServer.tps.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout +resourceACLS: certServer.tps.authenticators:read,add,modify,remove:allow (read,add,modify,remove) group="TUS Administrators":Only admins can access authenticators. resourceACLS: certServer.tps.groups:execute:allow (execute) group="TUS Administrators":Admins may execute group operations resourceACLS: certServer.tps.users:execute:allow (execute) group="TUS Administrators":Admins may execute user operations resourceACLS: certServer.tps.profiles:read,add,modify,approve,remove:allow (read) group="TUS Administrators" || group="TUS Agents" ; allow (add,remove,modify) group="TUS Administrators" ; allow (approve) group="TUS Agents":Admins, agents, and operators can read profiles, but only admins can add, modify, and remove profiles, and only agents can approve profiles. diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties index 4d18d757a..7e219d78a 100644 --- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties +++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties 
@@ -8,6 +8,10 @@ account.login = certServer.tps.account,login account.logout = certServer.tps.account,logout admin.users = certServer.tps.users,execute admin.groups = certServer.tps.groups,execute +authenticators.read = certServer.tps.authenticators,read +authenticators.add = certServer.tps.authenticators,add +authenticators.modify = certServer.tps.authenticators,modify +authenticators.remove = certServer.tps.authenticators,remove profiles.read = certServer.tps.profiles,read profiles.add = certServer.tps.profiles,add profiles.modify = certServer.tps.profiles,modify diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml index 056de68e0..eb0b7195b 100644 --- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml +++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml @@ -201,6 +201,32 @@ <security-constraint> <web-resource-collection> + <web-resource-name>Authenticators</web-resource-name> + <url-pattern>/rest/authenticators/*</url-pattern> + </web-resource-collection> + <auth-constraint> + <role-name>*</role-name> + </auth-constraint> + <user-data-constraint> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + + <security-constraint> + <web-resource-collection> + <web-resource-name>Profiles</web-resource-name> + <url-pattern>/rest/profiles/*</url-pattern> + </web-resource-collection> + <auth-constraint> + <role-name>*</role-name> + </auth-constraint> + <user-data-constraint> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + + <security-constraint> + <web-resource-collection> <web-resource-name>Token Services</web-resource-name> <url-pattern>/rest/tokens/*</url-pattern> </web-resource-collection> diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/TPSApplication.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/TPSApplication.java index 5ec99bc11..2571e2604 100644 
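Review bot: The second `<security-constraint>` in the web.xml hunk, for `/rest/profiles/*`, is not an authenticator change and is not mentioned in the commit description; if the profiles endpoint previously had no container-level constraint, this hunk also closes that gap and deserves its own sentence in the description or a separate commit. Both new constraints use `<role-name>*</role-name>` with `CONFIDENTIAL` transport, so the container only requires some authenticated user over TLS, and the restriction to `TUS Administrators` comes solely from the new `certServer.tps.authenticators` entry in acl.ldif together with the auth.properties keys. A comment beside each `<auth-constraint>` would keep readers from mistaking `*` for the authorization rule, e.g. `<!-- any authenticated user; group restriction is enforced by the ACL interceptor -->`.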
--- a/base/tps-tomcat/src/org/dogtagpki/server/tps/TPSApplication.java +++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/TPSApplication.java @@ -17,7 +17,7 @@ // --- END COPYRIGHT BLOCK --- package org.dogtagpki.server.tps; -import java.util.HashSet; +import java.util.LinkedHashSet; import java.util.Set; import javax.ws.rs.core.Application; @@ -47,8 +47,8 @@ import com.netscape.cmscore.selftests.SelfTestService; */ public class TPSApplication extends Application { - private Set<Object> singletons = new HashSet<Object>(); - private Set<Class<?>> classes = new HashSet<Class<?>>(); + private Set<Object> singletons = new LinkedHashSet<Object>(); + private Set<Class<?>> classes = new LinkedHashSet<Class<?>>(); public TPSApplication() { |