summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEndi Sukma Dewata <edewata@redhat.com>2012-10-23 18:05:50 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2012-10-25 23:36:42 -0500
commit6359021315622e97ae3c074752548f915e4af00d (patch)
tree6fa92b4c2ac48d469b9fea0970931b005e3903ba
parent7c105a64f41000737b85de832522738fd9af4200 (diff)
downloadpki-6359021315622e97ae3c074752548f915e4af00d.tar.gz
pki-6359021315622e97ae3c074752548f915e4af00d.tar.xz
pki-6359021315622e97ae3c074752548f915e4af00d.zip
Enabled account service for TKS and OCSP.
The REST account service has been added to TKS and OCSP to enable authentication. Ticket #375
-rw-r--r--base/ocsp/shared/conf/acl.ldif3
-rw-r--r--base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties2
-rw-r--r--base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml35
-rw-r--r--base/ocsp/src/com/netscape/ocsp/OCSPApplication.java5
-rw-r--r--base/tks/shared/conf/acl.ldif3
-rw-r--r--base/tks/shared/webapps/tks/WEB-INF/auth.properties2
-rw-r--r--base/tks/shared/webapps/tks/WEB-INF/web.xml36
-rw-r--r--base/tks/src/com/netscape/tks/TKSApplication.java5
8 files changed, 90 insertions, 1 deletions
diff --git a/base/ocsp/shared/conf/acl.ldif b/base/ocsp/shared/conf/acl.ldif
index 94a102b48..b1dbc4c5b 100644
--- a/base/ocsp/shared/conf/acl.ldif
+++ b/base/ocsp/shared/conf/acl.ldif
@@ -27,3 +27,6 @@ resourceACLS: certServer.ocsp.cas:list:allow (list) group="Online Certificate St
resourceACLS: certServer.ocsp.certificate:validate:allow (validate) group="Online Certificate Status Manager Agents":Online Certificate Status Manager agents may validate certificate status
resourceACLS: certServer.ocsp.group:read,modify:allow (modify,read) group="Administrators":Only administrators are allowed to read and modify groups
resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
+resourceACLS: certServer.ocsp.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
+resourceACLS: certServer.ocsp.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
+resourceACLS: certServer.ocsp.users:execute:allow (execute) group="Administrators":Admins may execute user operations
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
index 3a85e209f..8eda09bc3 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
@@ -4,5 +4,7 @@
# <Rest API URL> = <ACL Resource ID>,<ACL resource operation>
# ex: /kra/pki/key/retrieve = certServer.kra.pki.key.retrieve,execute
+/ocsp/rest/account/login = certServer.ocsp.account,login
+/ocsp/rest/account/logout = certServer.ocsp.account,logout
/ocsp/rest/admin/users = certServer.ocsp.users,execute
/ocsp/rest/admin/groups = certServer.ocsp.groups,execute
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
index 040e7f7ed..1deadc9dc 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
@@ -587,5 +587,40 @@
<session-config>
<session-timeout>30</session-timeout>
</session-config>
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Account Services</web-resource-name>
+ <url-pattern>/rest/account/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Admin Services</web-resource-name>
+ <url-pattern>/rest/admin/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <login-config>
+ <realm-name>Online Certificate Status Protocol Manager</realm-name>
+ </login-config>
+
+ <security-role>
+ <role-name>*</role-name>
+ </security-role>
+
</web-app>
diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
index 498aa63ab..e6816721c 100644
--- a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
+++ b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
@@ -6,6 +6,7 @@ import java.util.Set;
import javax.ws.rs.core.Application;
import com.netscape.certsrv.base.PKIException;
+import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
import com.netscape.cms.servlet.admin.GroupService;
import com.netscape.cms.servlet.admin.SystemCertService;
@@ -19,6 +20,10 @@ public class OCSPApplication extends Application {
private Set<Class<?>> classes = new HashSet<Class<?>>();
public OCSPApplication() {
+
+ // account
+ classes.add(AccountService.class);
+
// installer
classes.add(SystemConfigService.class);
diff --git a/base/tks/shared/conf/acl.ldif b/base/tks/shared/conf/acl.ldif
index b38b5963f..bed8ba7cb 100644
--- a/base/tks/shared/conf/acl.ldif
+++ b/base/tks/shared/conf/acl.ldif
@@ -28,3 +28,6 @@ resourceACLS: certServer.tks.randomdata:execute:allow (execute) group="Token Key
resourceACLS: certServer.tks.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent
resourceACLS: certServer.tks.importTransportCert:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to import transport certificate
resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
+resourceACLS: certServer.tks.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
+resourceACLS: certServer.tks.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
+resourceACLS: certServer.tks.users:execute:allow (execute) group="Administrators":Admins may execute user operations
diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth.properties b/base/tks/shared/webapps/tks/WEB-INF/auth.properties
index 29dc9f3fc..90897683e 100644
--- a/base/tks/shared/webapps/tks/WEB-INF/auth.properties
+++ b/base/tks/shared/webapps/tks/WEB-INF/auth.properties
@@ -4,5 +4,7 @@
# <Rest API URL> = <ACL Resource ID>,<ACL resource operation>
# ex: /kra/pki/key/retrieve = certServer.kra.pki.key.retrieve,execute
+/tks/rest/account/login = certServer.tks.account,login
+/tks/rest/account/logout = certServer.tks.account,logout
/tks/rest/admin/users = certServer.tks.users,execute
/tks/rest/admin/groups = certServer.tks.groups,execute
diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml
index a06b2f213..b1958c033 100644
--- a/base/tks/shared/webapps/tks/WEB-INF/web.xml
+++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml
@@ -417,5 +417,39 @@
<session-config>
<session-timeout>30</session-timeout>
</session-config>
-</web-app>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Account Services</web-resource-name>
+ <url-pattern>/rest/account/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Admin Services</web-resource-name>
+ <url-pattern>/rest/admin/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <login-config>
+ <realm-name>Token Key Service</realm-name>
+ </login-config>
+
+ <security-role>
+ <role-name>*</role-name>
+ </security-role>
+
+</web-app>
diff --git a/base/tks/src/com/netscape/tks/TKSApplication.java b/base/tks/src/com/netscape/tks/TKSApplication.java
index a3d43f661..5493bb4da 100644
--- a/base/tks/src/com/netscape/tks/TKSApplication.java
+++ b/base/tks/src/com/netscape/tks/TKSApplication.java
@@ -6,6 +6,7 @@ import java.util.Set;
import javax.ws.rs.core.Application;
import com.netscape.certsrv.base.PKIException;
+import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
import com.netscape.cms.servlet.admin.GroupService;
import com.netscape.cms.servlet.admin.SystemCertService;
@@ -19,6 +20,10 @@ public class TKSApplication extends Application {
private Set<Class<?>> classes = new HashSet<Class<?>>();
public TKSApplication() {
+
+ // account
+ classes.add(AccountService.class);
+
// installer
classes.add(SystemConfigService.class);