summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEndi Sukma Dewata <edewata@redhat.com>2012-10-08 14:50:26 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2012-10-22 17:12:20 -0500
commit1723a2ecd9d4d741ecd6d292712eeaea9d19bde9 (patch)
treef9812748c4d5c8895a8da7be352983eb792ed000
parent1c45197227a0d54b525d4b40f66aa96aeb4f2e6a (diff)
downloadpki-1723a2ecd9d4d741ecd6d292712eeaea9d19bde9.tar.gz
pki-1723a2ecd9d4d741ecd6d292712eeaea9d19bde9.tar.xz
pki-1723a2ecd9d4d741ecd6d292712eeaea9d19bde9.zip
Added REST account service.
A REST account service has been added to allow client to login to establish a session and to logout to destroy the session. This way multiple operations can be executed using the same session without having to re-authenticate. Ticket #357
-rw-r--r--base/ca/shared/conf/acl.ldif1
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/auth.properties2
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/web.xml13
-rw-r--r--base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java5
-rw-r--r--base/common/src/com/netscape/certsrv/account/AccountClient.java54
-rw-r--r--base/common/src/com/netscape/certsrv/account/AccountResource.java37
-rw-r--r--base/common/src/com/netscape/cms/servlet/account/AccountService.java50
-rw-r--r--base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java34
-rw-r--r--base/kra/shared/conf/acl.ldif1
-rw-r--r--base/kra/shared/webapps/kra/WEB-INF/auth.properties2
-rw-r--r--base/kra/shared/webapps/kra/WEB-INF/web.xml13
-rw-r--r--base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java5
12 files changed, 212 insertions, 5 deletions
diff --git a/base/ca/shared/conf/acl.ldif b/base/ca/shared/conf/acl.ldif
index aec1447e5..4807a4dcf 100644
--- a/base/ca/shared/conf/acl.ldif
+++ b/base/ca/shared/conf/acl.ldif
@@ -51,6 +51,7 @@ resourceACLS: certServer.ca.connectorInfo:read,modify:allow (modify,read) group=
resourceACLS: certServer.ca.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent
resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
resourceACLS: certServer.admin.ocsp:read,modify:allow (modify,read) group="Enterprise OCSP Administrators":Only Enterprise Administrators are allowed to read or update the OCSP configuration.
+resourceACLS: certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
resourceACLS: certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations
resourceACLS: certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
resourceACLS: certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
index b13795760..21ec281da 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/auth.properties
+++ b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
@@ -4,6 +4,8 @@
# <Rest API URL> = <ACL Resource ID>,<ACL resource operation>
# ex: /ca/pki/users = certServer.ca.users,read
+/ca/rest/account/login = certServer.ca.account,login
+/ca/rest/account/logout = certServer.ca.account,logout
/ca/rest/admin/users = certServer.ca.users,execute
/ca/rest/admin/groups = certServer.ca.groups,execute
/ca/rest/agent/certs = certServer.ca.certs,execute
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index 9f876e5c2..47ad924c5 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -2387,6 +2387,19 @@
<security-constraint>
<web-resource-collection>
+ <web-resource-name>Account Services</web-resource-name>
+ <url-pattern>/rest/account/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
<web-resource-name>Admin Services</web-resource-name>
<url-pattern>/rest/admin/*</url-pattern>
</web-resource-collection>
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
index 51d48cf5e..dc23042a2 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
@@ -9,6 +9,7 @@ import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.PKIException;
+import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
import com.netscape.cms.servlet.admin.GroupService;
import com.netscape.cms.servlet.admin.SystemCertService;
@@ -25,6 +26,10 @@ public class CertificateAuthorityApplication extends Application {
private Set<Class<?>> classes = new HashSet<Class<?>>();
public CertificateAuthorityApplication() {
+
+ // account
+ classes.add(AccountService.class);
+
// installer
classes.add(SystemConfigService.class);
diff --git a/base/common/src/com/netscape/certsrv/account/AccountClient.java b/base/common/src/com/netscape/certsrv/account/AccountClient.java
new file mode 100644
index 000000000..e60112229
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/account/AccountClient.java
@@ -0,0 +1,54 @@
+//--- BEGIN COPYRIGHT BLOCK ---
+//This program is free software; you can redistribute it and/or modify
+//it under the terms of the GNU General Public License as published by
+//the Free Software Foundation; version 2 of the License.
+//
+//This program is distributed in the hope that it will be useful,
+//but WITHOUT ANY WARRANTY; without even the implied warranty of
+//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+//GNU General Public License for more details.
+//
+//You should have received a copy of the GNU General Public License along
+//with this program; if not, write to the Free Software Foundation, Inc.,
+//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+//(C) 2012 Red Hat, Inc.
+//All rights reserved.
+//--- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.account;
+
+import java.net.URISyntaxException;
+
+import com.netscape.certsrv.client.ClientConfig;
+import com.netscape.certsrv.client.PKIClient;
+import com.netscape.certsrv.client.PKIConnection;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class AccountClient extends PKIClient {
+
+ public AccountResource resource;
+
+ public AccountClient(PKIConnection connection) throws URISyntaxException {
+ super(connection);
+ init();
+ }
+
+ public AccountClient(ClientConfig config) throws URISyntaxException {
+ super(config);
+ init();
+ }
+
+ public void init() throws URISyntaxException {
+ resource = createProxy(AccountResource.class);
+ }
+
+ public void login() {
+ resource.login();
+ }
+
+ public void logout() {
+ resource.logout();
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/account/AccountResource.java b/base/common/src/com/netscape/certsrv/account/AccountResource.java
new file mode 100644
index 000000000..ee40b24a8
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/account/AccountResource.java
@@ -0,0 +1,37 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.account;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+
+/**
+ * @author Endi S. Dewata
+ */
+@Path("account")
+public interface AccountResource {
+
+ @GET
+ @Path("login")
+ public void login();
+
+ @GET
+ @Path("logout")
+ public void logout();
+}
diff --git a/base/common/src/com/netscape/cms/servlet/account/AccountService.java b/base/common/src/com/netscape/cms/servlet/account/AccountService.java
new file mode 100644
index 000000000..eb4323353
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/account/AccountService.java
@@ -0,0 +1,50 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.servlet.account;
+
+import java.security.Principal;
+
+import javax.servlet.http.HttpSession;
+
+import com.netscape.certsrv.account.AccountResource;
+import com.netscape.cms.servlet.base.PKIService;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class AccountService extends PKIService implements AccountResource {
+
+ @Override
+ public void login() {
+ HttpSession session = servletRequest.getSession();
+ System.out.println("Creating session "+session.getId());
+
+ Principal principal = servletRequest.getUserPrincipal();
+ System.out.println("Principal: "+principal);
+ }
+
+ @Override
+ public void logout() {
+ HttpSession session = servletRequest.getSession(false);
+ if (session == null) return;
+
+ System.out.println("Destroying session "+session.getId());
+ session.invalidate();
+ }
+}
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index 6f1c4909f..d7cb293a7 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -30,6 +30,7 @@ import org.mozilla.jss.crypto.CryptoToken;
import org.mozilla.jss.util.IncorrectPasswordException;
import org.mozilla.jss.util.Password;
+import com.netscape.certsrv.account.AccountClient;
import com.netscape.certsrv.client.ClientConfig;
import com.netscape.certsrv.client.PKIConnection;
import com.netscape.cmstools.cert.CertCLI;
@@ -45,6 +46,7 @@ public class MainCLI extends CLI {
public ClientConfig config = new ClientConfig();
public PKIConnection connection;
+ public AccountClient accountClient;
public MainCLI() throws Exception {
super("pki", "PKI command-line interface");
@@ -167,6 +169,8 @@ public class MainCLI extends CLI {
public void connect() throws Exception {
connection = new PKIConnection(config);
connection.setVerbose(verbose);
+
+ accountClient = new AccountClient(connection);
}
public void execute(String[] args) throws Exception {
@@ -253,13 +257,12 @@ public class MainCLI extends CLI {
return;
}
- // execute module command
- try {
- if (verbose) System.out.println("Server URI: "+config.getServerURI());
+ if (verbose) System.out.println("Server URI: "+config.getServerURI());
- // initialize certificate database if specified
- if (config.getCertDatabase() != null) {
+ // initialize certificate database if specified
+ if (config.getCertDatabase() != null) {
+ try {
if (verbose) System.out.println("Certificate database: "+config.getCertDatabase());
CryptoManager.initialize(config.getCertDatabase());
@@ -274,10 +277,28 @@ public class MainCLI extends CLI {
throw new Error("Incorrect certificate database password.", e);
}
}
+
+ } catch (Throwable t) {
+ if (verbose) {
+ t.printStackTrace(System.err);
+ } else {
+ System.err.println(t.getClass().getSimpleName()+": "+t.getMessage());
+ }
+ System.exit(1);
}
+ }
+ // execute command
+ boolean loggedIn = false;
+ try {
connect();
+ // login
+ if (config.getCertDatabase() != null || config.getUsername() != null) {
+ accountClient.login();
+ loggedIn = true;
+ }
+
// execute module command
module.execute(moduleArgs);
@@ -288,6 +309,9 @@ public class MainCLI extends CLI {
System.err.println(t.getClass().getSimpleName()+": "+t.getMessage());
}
System.exit(1);
+
+ } finally {
+ if (loggedIn) accountClient.logout();
}
}
diff --git a/base/kra/shared/conf/acl.ldif b/base/kra/shared/conf/acl.ldif
index ea70ffd21..c3eae7596 100644
--- a/base/kra/shared/conf/acl.ldif
+++ b/base/kra/shared/conf/acl.ldif
@@ -30,6 +30,7 @@ resourceACLS: certServer.kra.TokenKeyRecovery:submit:allow (submit) group="Data
resourceACLS: certServer.kra.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent
resourceACLS: certServer.kra.getTransportCert:read:allow (read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to retrieve the transport cert
resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
+resourceACLS: certServer.kra.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
resourceACLS: certServer.kra.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
resourceACLS: certServer.kra.keys:execute:allow (execute) group="Data Recovery Manager Agents":Agents may execute key operations
resourceACLS: certServer.kra.keyrequests:execute:allow (execute) group="Data Recovery Manager Agents":Agents may execute key request operations
diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/webapps/kra/WEB-INF/auth.properties
index d2ba3075e..0a529f060 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties
+++ b/base/kra/shared/webapps/kra/WEB-INF/auth.properties
@@ -4,6 +4,8 @@
# <Rest API URL> = <ACL Resource ID>,<ACL resource operation>
# ex: /kra/pki/key/retrieve = certServer.kra.pki.key.retrieve,execute
+/kra/rest/account/login = certServer.kra.account,login
+/kra/rest/account/logout = certServer.kra.account,logout
/kra/rest/admin/users = certServer.kra.users,execute
/kra/rest/admin/groups = certServer.kra.groups,execute
/kra/rest/agent/keys = certServer.kra.keys,execute
diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml
index 1a5b6aaf5..03def86c7 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml
@@ -954,6 +954,19 @@
<session-timeout>30</session-timeout>
</session-config>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Account Services</web-resource-name>
+ <url-pattern>/rest/account/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
<!--
<security-constraint>
<web-resource-collection>
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
index f972fe4b5..280ffe1dc 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
@@ -6,6 +6,7 @@ import java.util.Set;
import javax.ws.rs.core.Application;
import com.netscape.certsrv.base.PKIException;
+import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
import com.netscape.cms.servlet.admin.GroupService;
import com.netscape.cms.servlet.admin.SystemCertService;
@@ -21,6 +22,10 @@ public class KeyRecoveryAuthorityApplication extends Application {
private Set<Class<?>> classes = new HashSet<Class<?>>();
public KeyRecoveryAuthorityApplication() {
+
+ // account
+ classes.add(AccountService.class);
+
// installer
classes.add(SystemConfigService.class);