diff options
author | Endi S. Dewata <edewata@redhat.com> | 2013-11-13 22:50:17 -0500 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2013-11-14 16:55:01 -0500 |
commit | c694fde37b64d2d5a58f0146e0a8db47bec5be14 (patch) | |
tree | ae2d52fc91b69befb94f35d23f20935651437d44 | |
parent | b7716af212ba857f45efa7f1811d92e916abbe26 (diff) | |
download | pki-c694fde37b64d2d5a58f0146e0a8db47bec5be14.tar.gz pki-c694fde37b64d2d5a58f0146e0a8db47bec5be14.tar.xz pki-c694fde37b64d2d5a58f0146e0a8db47bec5be14.zip |
Added ACL for TPS configuration.
New ACL has been added to allow only the administrators to access
TPS configuration.
Ticket #652
5 files changed, 23 insertions, 0 deletions
diff --git a/base/common/src/com/netscape/certsrv/tps/config/ConfigResource.java b/base/common/src/com/netscape/certsrv/tps/config/ConfigResource.java index e1076a48e..21cb3f0b1 100644 --- a/base/common/src/com/netscape/certsrv/tps/config/ConfigResource.java +++ b/base/common/src/com/netscape/certsrv/tps/config/ConfigResource.java @@ -27,11 +27,16 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; +import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; + /** * @author Endi S. Dewata */ @Path("config") +@AuthMethodMapping("config") +@ACLMapping("config.read") public interface ConfigResource { @GET @@ -42,5 +47,6 @@ public interface ConfigResource { @ClientResponseType(entityType=ConfigData.class) @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + @ACLMapping("config.modify") public Response updateConfig(ConfigData configData); } diff --git a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java index a656b4596..afcc17514 100644 --- a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java +++ b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java @@ -70,6 +70,7 @@ public class AuthMethodInterceptor implements ContainerRequestFilter { authMethodProperties.put("account", "certUserDBAuthMgr,passwdUserDBAuthMgr"); authMethodProperties.put("admin", "certUserDBAuthMgr"); authMethodProperties.put("agent", "certUserDBAuthMgr"); + authMethodProperties.put("config", "certUserDBAuthMgr"); authMethodProperties.put("authenticators", "certUserDBAuthMgr"); authMethodProperties.put("profiles", "certUserDBAuthMgr"); authMethodProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr"); diff --git a/base/tps-tomcat/shared/conf/acl.ldif b/base/tps-tomcat/shared/conf/acl.ldif index db7dbe357..b5bbdf7a2 100644 --- a/base/tps-tomcat/shared/conf/acl.ldif +++ b/base/tps-tomcat/shared/conf/acl.ldif @@ -22,6 +22,7 @@ resourceACLS: certServer.admin.request.enrollment:submit,read,execute:allow (sub resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to clone the configuration. resourceACLS: certServer.tps.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout resourceACLS: certServer.tps.authenticators:read,add,modify,remove:allow (read,add,modify,remove) group="TUS Administrators":Only admins can access authenticators. +resourceACLS: certServer.tps.config:read,modify:allow (read,modify) group="TUS Administrators":Only admins can access configuration. resourceACLS: certServer.tps.groups:execute:allow (execute) group="TUS Administrators":Admins may execute group operations resourceACLS: certServer.tps.users:execute:allow (execute) group="TUS Administrators":Admins may execute user operations resourceACLS: certServer.tps.profiles:read,add,modify,approve,remove:allow (read) group="TUS Administrators" || group="TUS Agents" ; allow (add,remove,modify) group="TUS Administrators" ; allow (approve) group="TUS Agents":Admins, agents, and operators can read profiles, but only admins can add, modify, and remove profiles, and only agents can approve profiles. diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties index 7e219d78a..b21a0e03a 100644 --- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties +++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties @@ -12,6 +12,8 @@ authenticators.read = certServer.tps.authenticators,read authenticators.add = certServer.tps.authenticators,add authenticators.modify = certServer.tps.authenticators,modify authenticators.remove = certServer.tps.authenticators,remove +config.read = certServer.tps.config,read +config.modify = certServer.tps.config,modify profiles.read = certServer.tps.profiles,read profiles.add = certServer.tps.profiles,add profiles.modify = certServer.tps.profiles,modify diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml index eb0b7195b..bd8958201 100644 --- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml +++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml @@ -214,6 +214,19 @@ <security-constraint> <web-resource-collection> + <web-resource-name>Configuration</web-resource-name> + <url-pattern>/rest/config/*</url-pattern> + </web-resource-collection> + <auth-constraint> + <role-name>*</role-name> + </auth-constraint> + <user-data-constraint> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + + <security-constraint> + <web-resource-collection> <web-resource-name>Profiles</web-resource-name> <url-pattern>/rest/profiles/*</url-pattern> </web-resource-collection> |