summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEndi Sukma Dewata <edewata@redhat.com>2013-02-01 13:05:38 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2013-02-02 02:57:55 -0500
commit1465ca82ef3436344992f8a428b5781c437b901a (patch)
tree552409eefbcb078a1a60afe1c3a05658b3d2dbc3
parent4f7fb41fd393f00cf3931672d6f99be764a07f2e (diff)
downloadpki-1465ca82ef3436344992f8a428b5781c437b901a.zip
pki-1465ca82ef3436344992f8a428b5781c437b901a.tar.gz
pki-1465ca82ef3436344992f8a428b5781c437b901a.tar.xz
Added AuthMapping annotation.ticket-474-6
A new AuthMapping annotation has been added to configure the required authentication methods to acces each REST method. The annotation maps each method into a list of authentication methods in auth.properties. For security reason, most REST methods that require authentication have been configured to require client certificate authentication. Authentication using username and password will only be used to get installation token from the security domain. Previously the auth.properties files were used to store ACL mappings. Now the ACL mappings have been moved into acl.properties. Ticket #477
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/acl.properties14
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/auth.properties19
-rw-r--r--base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java4
-rw-r--r--base/common/src/com/netscape/certsrv/account/AccountResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java16
-rw-r--r--base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java159
-rw-r--r--base/common/src/com/netscape/certsrv/authentication/AuthMapping.java31
-rw-r--r--base/common/src/com/netscape/certsrv/cert/CertRequestResource.java52
-rw-r--r--base/common/src/com/netscape/certsrv/cert/CertResource.java5
-rw-r--r--base/common/src/com/netscape/certsrv/group/GroupMemberResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/group/GroupResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/key/KeyRequestResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/key/KeyResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/profile/ProfileResource.java3
-rw-r--r--base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/user/UserCertResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/user/UserResource.java2
-rw-r--r--base/kra/shared/webapps/kra/WEB-INF/acl.properties12
-rw-r--r--base/kra/shared/webapps/kra/WEB-INF/auth.properties16
-rw-r--r--base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java4
-rw-r--r--base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties10
-rw-r--r--base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties13
-rw-r--r--base/ocsp/src/com/netscape/ocsp/OCSPApplication.java4
-rw-r--r--base/tks/shared/webapps/tks/WEB-INF/acl.properties10
-rw-r--r--base/tks/shared/webapps/tks/WEB-INF/auth.properties13
-rw-r--r--base/tks/src/com/netscape/tks/TKSApplication.java4
27 files changed, 340 insertions, 67 deletions
diff --git a/base/ca/shared/webapps/ca/WEB-INF/acl.properties b/base/ca/shared/webapps/ca/WEB-INF/acl.properties
new file mode 100644
index 0000000..20f3dd8
--- /dev/null
+++ b/base/ca/shared/webapps/ca/WEB-INF/acl.properties
@@ -0,0 +1,14 @@
+# Restful API authorization mapping info
+#
+# Format:
+# <mapping name> = <resource ID>,<operation>
+# ex: admin.users = certServer.ca.users,read
+
+account.login = certServer.ca.account,login
+account.logout = certServer.ca.account,logout
+admin.users = certServer.ca.users,execute
+admin.groups = certServer.ca.groups,execute
+admin.kraconnector = certServer.ca.connectorInfo,modify
+agent.certrequests = certServer.ca.certrequests,execute
+agent.certs = certServer.ca.certs,execute
+securityDomain.installToken = certServer.securitydomain.domainxml,read
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
index b73b9ac..3a66587 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/auth.properties
+++ b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
@@ -1,14 +1,11 @@
-# Restful API auth/authz mapping info
+# Restful API auth mapping info
#
# Format:
-# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <allowed auth methods>
+# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr
-account.login = certServer.ca.account,login
-account.logout = certServer.ca.account,logout
-admin.users = certServer.ca.users,execute
-admin.groups = certServer.ca.groups,execute
-admin.kraconnector = certServer.ca.connectorInfo,modify
-agent.certrequests = certServer.ca.certrequests,execute
-agent.certs = certServer.ca.certs,execute
-securityDomain.installToken = certServer.securitydomain.domainxml,read
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+admin = certUserDBAuthMgr
+agent = certUserDBAuthMgr
+securityDomain.installToken = passwdUserDBAuthMgr
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
index 14b44e5..35e9381 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application;
import com.netscape.certsrv.acls.ACLInterceptor;
import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.AuthInterceptor;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.PKIException;
@@ -85,7 +86,8 @@ public class CertificateAuthorityApplication extends Application {
// exception mapper
classes.add(PKIException.Mapper.class);
- // ACL interceptor
+ // interceptors
+ singletons.add(new AuthInterceptor());
singletons.add(new ACLInterceptor());
}
diff --git a/base/common/src/com/netscape/certsrv/account/AccountResource.java b/base/common/src/com/netscape/certsrv/account/AccountResource.java
index a69a3d1..cbe061b 100644
--- a/base/common/src/com/netscape/certsrv/account/AccountResource.java
+++ b/base/common/src/com/netscape/certsrv/account/AccountResource.java
@@ -22,11 +22,13 @@ import javax.ws.rs.GET;
import javax.ws.rs.Path;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMapping;
/**
* @author Endi S. Dewata
*/
@Path("account")
+@AuthMapping("account")
public interface AccountResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java
index c307402..dd4985e 100644
--- a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java
+++ b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java
@@ -54,7 +54,7 @@ import com.netscape.cmscore.realm.PKIPrincipal;
@Precedence("SECURITY")
public class ACLInterceptor implements PreProcessInterceptor {
- Properties authProperties;
+ Properties aclProperties;
@Context
ServletContext servletContext;
@@ -62,13 +62,13 @@ public class ACLInterceptor implements PreProcessInterceptor {
@Context
SecurityContext securityContext;
- public synchronized void loadAuthProperties() throws IOException {
+ public synchronized void loadACLProperties() throws IOException {
- if (authProperties != null) return;
+ if (aclProperties != null) return;
- URL url = servletContext.getResource("/WEB-INF/auth.properties");
- authProperties = new Properties();
- authProperties.load(url.openStream());
+ URL url = servletContext.getResource("/WEB-INF/acl.properties");
+ aclProperties = new Properties();
+ aclProperties.load(url.openStream());
}
@Override
@@ -111,10 +111,10 @@ public class ACLInterceptor implements PreProcessInterceptor {
}
try {
- loadAuthProperties();
+ loadACLProperties();
String name = aclMapping.value();
- String value = authProperties.getProperty(name);
+ String value = aclProperties.getProperty(name);
// If no property defined, allow request.
if (value == null) return null;
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java b/base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java
new file mode 100644
index 0000000..6fd7cdd
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java
@@ -0,0 +1,159 @@
+//--- BEGIN COPYRIGHT BLOCK ---
+//This program is free software; you can redistribute it and/or modify
+//it under the terms of the GNU General Public License as published by
+//the Free Software Foundation; version 2 of the License.
+//
+//This program is distributed in the hope that it will be useful,
+//but WITHOUT ANY WARRANTY; without even the implied warranty of
+//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+//GNU General Public License for more details.
+//
+//You should have received a copy of the GNU General Public License along
+//with this program; if not, write to the Free Software Foundation, Inc.,
+//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+//(C) 2013 Red Hat, Inc.
+//All rights reserved.
+//--- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+import java.io.IOException;
+import java.lang.reflect.Method;
+import java.net.URL;
+import java.security.Principal;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Properties;
+
+import javax.servlet.ServletContext;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.SecurityContext;
+import javax.ws.rs.ext.Provider;
+
+import org.jboss.resteasy.annotations.interception.Precedence;
+import org.jboss.resteasy.annotations.interception.ServerInterceptor;
+import org.jboss.resteasy.core.ResourceMethod;
+import org.jboss.resteasy.core.ServerResponse;
+import org.jboss.resteasy.spi.Failure;
+import org.jboss.resteasy.spi.HttpRequest;
+import org.jboss.resteasy.spi.interception.PreProcessInterceptor;
+
+import com.netscape.certsrv.base.ForbiddenException;
+import com.netscape.cmscore.realm.PKIPrincipal;
+
+
+/**
+ * @author Endi S. Dewata
+ */
+@Provider
+@ServerInterceptor
+@Precedence("SECURITY")
+public class AuthInterceptor implements PreProcessInterceptor {
+
+ Properties authProperties;
+
+ @Context
+ ServletContext servletContext;
+
+ @Context
+ SecurityContext securityContext;
+
+ public synchronized void loadAuthProperties() throws IOException {
+
+ if (authProperties != null) return;
+
+ URL url = servletContext.getResource("/WEB-INF/auth.properties");
+ authProperties = new Properties();
+ authProperties.load(url.openStream());
+ }
+
+ @Override
+ public ServerResponse preProcess(
+ HttpRequest request,
+ ResourceMethod resourceMethod
+ ) throws Failure, ForbiddenException {
+
+ Class<?> clazz = resourceMethod.getResourceClass();
+ Method method = resourceMethod.getMethod();
+ System.out.println("AuthInterceptor: "+clazz.getSimpleName()+"."+method.getName()+"()");
+
+ // Get authentication mapping for the method.
+ AuthMapping authMapping = method.getAnnotation(AuthMapping.class);
+
+ // If not available, get authentication mapping for the class.
+ if (authMapping == null) {
+ authMapping = clazz.getAnnotation(AuthMapping.class);
+ }
+
+ String name;
+ if (authMapping == null) {
+ // If not available, use the default mapping.
+ name = "default";
+ } else {
+ // Get the method label
+ name = authMapping.value();
+ }
+
+ System.out.println("AuthInterceptor: mapping name: "+name);
+
+ try {
+ loadAuthProperties();
+
+ String value = authProperties.getProperty(name);
+ Collection<String> authMethods = new HashSet<String>();
+ if (value != null) {
+ for (String v : value.split(",")) {
+ authMethods.add(v.trim());
+ }
+ }
+
+ System.out.println("AuthInterceptor: required auth methods: "+authMethods);
+
+ Principal principal = securityContext.getUserPrincipal();
+
+ // If unauthenticated, reject request.
+ if (principal == null) {
+ if (authMethods.isEmpty() || authMethods.contains("anonymous") || authMethods.contains("*")) {
+ System.out.println("AuthInterceptor: anonymous access allowed");
+ return null;
+ }
+ System.out.println("AuthInterceptor: anonymous access not allowed");
+ throw new ForbiddenException("Anonymous access not allowed.");
+ }
+
+ // If unrecognized principal, reject request.
+ if (!(principal instanceof PKIPrincipal)) {
+ System.out.println("AuthInterceptor: unknown principal");
+ throw new ForbiddenException("Unknown user principal");
+ }
+
+ PKIPrincipal pkiPrincipal = (PKIPrincipal)principal;
+ IAuthToken authToken = pkiPrincipal.getAuthToken();
+
+ // If missing auth token, reject request.
+ if (authToken == null) {
+ System.out.println("AuthInterceptor: missing authentication token");
+ throw new ForbiddenException("Missing authentication token.");
+ }
+
+ String authManager = (String)authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+ System.out.println("AuthInterceptor: authentication manager: "+authManager);
+
+ if (authManager == null) {
+ System.out.println("AuthInterceptor: missing authentication manager");
+ throw new ForbiddenException("Missing authentication manager.");
+ }
+
+ if (authMethods.isEmpty() || authMethods.contains(authManager) || authMethods.contains("*")) {
+ System.out.println("AuthInterceptor: "+authManager+" allowed");
+ return null;
+ }
+
+ throw new ForbiddenException("Authentication method not allowed.");
+
+ } catch (IOException e) {
+ e.printStackTrace();
+ throw new Failure(e);
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthMapping.java b/base/common/src/com/netscape/certsrv/authentication/AuthMapping.java
new file mode 100644
index 0000000..e00cc9d
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthMapping.java
@@ -0,0 +1,31 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2013 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.authentication;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+
+
+/**
+ * @author Endi S. Dewata
+ */
+@Retention(RetentionPolicy.RUNTIME)
+public @interface AuthMapping {
+ public String value();
+}
diff --git a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java
index 0bd2851..901104c 100644
--- a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java
+++ b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java
@@ -28,11 +28,33 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMapping;
import com.netscape.certsrv.request.RequestId;
@Path("")
public interface CertRequestResource {
+ // Enrollment - used to test integration with a browser
+ @POST
+ @Path("certrequests")
+ @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @Consumes({ MediaType.APPLICATION_FORM_URLENCODED })
+ public CertRequestInfos enrollCert(MultivaluedMap<String, String> form);
+
+ @POST
+ @Path("certrequests")
+ @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ public CertRequestInfos enrollCert(CertEnrollmentRequest data);
+
+ /**
+ * Used to retrieve cert request info for a specific request
+ */
+ @GET
+ @Path("certrequests/{id}")
+ @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ public CertRequestInfo getRequestInfo(@PathParam("id") RequestId id);
+
/**
* Used to generate list of cert requests based on the search parameters
*/
@@ -40,6 +62,7 @@ public interface CertRequestResource {
@Path("agent/certrequests")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMapping("agent")
public CertRequestInfos listRequests(@QueryParam("requestState") String requestState,
@QueryParam("requestType") String requestType,
@QueryParam("start") RequestId start,
@@ -47,72 +70,59 @@ public interface CertRequestResource {
@QueryParam("maxResults") Integer maxResults,
@QueryParam("maxTime") Integer maxTime);
- /**
- * Used to retrieve cert request info for a specific request
- */
- @GET
- @Path("certrequests/{id}")
- @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
- public CertRequestInfo getRequestInfo(@PathParam("id") RequestId id);
-
@GET
@Path("agent/certrequests/{id}")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMapping("agent")
public CertReviewResponse reviewRequest(@PathParam("id") RequestId id);
- // Enrollment - used to test integration with a browser
- @POST
- @Path("certrequests")
- @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
- @Consumes({ MediaType.APPLICATION_FORM_URLENCODED })
- public CertRequestInfos enrollCert(MultivaluedMap<String, String> form);
-
- @POST
- @Path("certrequests")
- @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
- @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
- public CertRequestInfos enrollCert(CertEnrollmentRequest data);
-
@POST
@Path("agent/certrequests/{id}/approve")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMapping("agent")
public void approveRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/reject")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMapping("agent")
public void rejectRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/cancel")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMapping("agent")
public void cancelRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/update")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMapping("agent")
public void updateRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/validate")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMapping("agent")
public void validateRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/unassign")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMapping("agent")
public void unassignRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/assign")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMapping("agent")
public void assignRequest(@PathParam("id") RequestId id, CertReviewResponse data);
}
diff --git a/base/common/src/com/netscape/certsrv/cert/CertResource.java b/base/common/src/com/netscape/certsrv/cert/CertResource.java
index 1739503..d7e2c0f 100644
--- a/base/common/src/com/netscape/certsrv/cert/CertResource.java
+++ b/base/common/src/com/netscape/certsrv/cert/CertResource.java
@@ -11,6 +11,7 @@ import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMapping;
import com.netscape.certsrv.dbs.certdb.CertId;
@Path("")
@@ -45,6 +46,7 @@ public interface CertResource {
@Path("agent/certs/{id}")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certs")
+ @AuthMapping("agent")
public CertData reviewCert(@PathParam("id") CertId id);
@POST
@@ -52,6 +54,7 @@ public interface CertResource {
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certs")
+ @AuthMapping("agent")
public CertRequestInfo revokeCACert(@PathParam("id") CertId id, CertRevokeRequest request);
@POST
@@ -59,6 +62,7 @@ public interface CertResource {
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certs")
+ @AuthMapping("agent")
public CertRequestInfo revokeCert(@PathParam("id") CertId id, CertRevokeRequest request);
@POST
@@ -66,5 +70,6 @@ public interface CertResource {
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certs")
+ @AuthMapping("agent")
public CertRequestInfo unrevokeCert(@PathParam("id") CertId id, CertUnrevokeRequest request);
}
diff --git a/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java b/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java
index c984daa..7ebb09c 100644
--- a/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java
+++ b/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java
@@ -32,12 +32,14 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMapping;
/**
* @author Endi S. Dewata
*/
@Path("admin/groups/{groupID}/members")
@ACLMapping("admin.groups")
+@AuthMapping("admin")
public interface GroupMemberResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/group/GroupResource.java b/base/common/src/com/netscape/certsrv/group/GroupResource.java
index 17728dd..8851bda 100644
--- a/base/common/src/com/netscape/certsrv/group/GroupResource.java
+++ b/base/common/src/com/netscape/certsrv/group/GroupResource.java
@@ -32,12 +32,14 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMapping;
/**
* @author Endi S. Dewata
*/
@Path("admin/groups")
@ACLMapping("admin.groups")
+@AuthMapping("admin")
public interface GroupResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java b/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java
index 9f1ffbe..fc1132f 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java
@@ -11,10 +11,12 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMapping;
import com.netscape.certsrv.request.RequestId;
@Path("agent/keyrequests")
@ACLMapping("agent.keyrequests")
+@AuthMapping("agent")
public interface KeyRequestResource {
public final String SYMMETRIC_KEY_TYPE = "symmetricKey";
diff --git a/base/common/src/com/netscape/certsrv/key/KeyResource.java b/base/common/src/com/netscape/certsrv/key/KeyResource.java
index da7f220..4a419a8 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyResource.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyResource.java
@@ -10,10 +10,12 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMapping;
@Path("agent/keys")
@ACLMapping("agent.keys")
+@AuthMapping("agent")
public interface KeyResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/profile/ProfileResource.java b/base/common/src/com/netscape/certsrv/profile/ProfileResource.java
index 6dadef5..93cb678 100644
--- a/base/common/src/com/netscape/certsrv/profile/ProfileResource.java
+++ b/base/common/src/com/netscape/certsrv/profile/ProfileResource.java
@@ -6,8 +6,11 @@ import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
+import com.netscape.certsrv.authentication.AuthMapping;
+
@Path("agent/profiles")
+@AuthMapping("agent")
public interface ProfileResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java b/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java
index 01f159e..8f34985 100644
--- a/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java
+++ b/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java
@@ -26,12 +26,14 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMapping;
/**
* @author Ade Lee
*/
@Path("admin/kraconnector")
@ACLMapping("admin.kraconnector")
+@AuthMapping("admin")
public interface KRAConnectorResource {
@POST
diff --git a/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java
index b34d9fe..dd9693e 100644
--- a/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java
+++ b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java
@@ -24,6 +24,7 @@ import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMapping;
/**
* @author alee
@@ -35,6 +36,7 @@ public interface SecurityDomainResource {
@Path("installToken")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("securityDomain.installToken")
+ @AuthMapping("securityDomain.installToken")
public InstallToken getInstallToken(
@QueryParam("hostname") String hostname,
@QueryParam("subsystem") String subsystem);
diff --git a/base/common/src/com/netscape/certsrv/user/UserCertResource.java b/base/common/src/com/netscape/certsrv/user/UserCertResource.java
index d85abd6..67159c5 100644
--- a/base/common/src/com/netscape/certsrv/user/UserCertResource.java
+++ b/base/common/src/com/netscape/certsrv/user/UserCertResource.java
@@ -32,12 +32,14 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMapping;
/**
* @author Endi S. Dewata
*/
@Path("admin/users/{userID}/certs")
@ACLMapping("admin.users")
+@AuthMapping("admin")
public interface UserCertResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/user/UserResource.java b/base/common/src/com/netscape/certsrv/user/UserResource.java
index e72bb0c..b00278a 100644
--- a/base/common/src/com/netscape/certsrv/user/UserResource.java
+++ b/base/common/src/com/netscape/certsrv/user/UserResource.java
@@ -32,12 +32,14 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMapping;
/**
* @author Endi S. Dewata
*/
@Path("admin/users")
@ACLMapping("admin.users")
+@AuthMapping("admin")
public interface UserResource {
@GET
diff --git a/base/kra/shared/webapps/kra/WEB-INF/acl.properties b/base/kra/shared/webapps/kra/WEB-INF/acl.properties
new file mode 100644
index 0000000..952bdad
--- /dev/null
+++ b/base/kra/shared/webapps/kra/WEB-INF/acl.properties
@@ -0,0 +1,12 @@
+# Restful API authorization mapping info
+#
+# Format:
+# <mapping name> = <resource ID>,<operation>
+# ex: admin.users = certServer.ca.users,read
+
+account.login = certServer.kra.account,login
+account.logout = certServer.kra.account,logout
+admin.users = certServer.kra.users,execute
+admin.groups = certServer.kra.groups,execute
+agent.keys = certServer.kra.keys,execute
+agent.keyrequests = certServer.kra.keyrequests,execute
diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/webapps/kra/WEB-INF/auth.properties
index 567747f..29a2f23 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties
+++ b/base/kra/shared/webapps/kra/WEB-INF/auth.properties
@@ -1,12 +1,10 @@
-# Restful API auth/authz mapping info
+# Restful API auth mapping info
#
# Format:
-# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <allowed auth methods>
+# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr
-account.login = certServer.kra.account,login
-account.logout = certServer.kra.account,logout
-admin.users = certServer.kra.users,execute
-admin.groups = certServer.kra.groups,execute
-agent.keys = certServer.kra.keys,execute
-agent.keyrequests = certServer.kra.keyrequests,execute
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+admin = certUserDBAuthMgr
+agent = certUserDBAuthMgr
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
index 0ed23f6..d256c04 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
@@ -6,6 +6,7 @@ import java.util.Set;
import javax.ws.rs.core.Application;
import com.netscape.certsrv.acls.ACLInterceptor;
+import com.netscape.certsrv.authentication.AuthInterceptor;
import com.netscape.certsrv.base.PKIException;
import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
@@ -46,7 +47,8 @@ public class KeyRecoveryAuthorityApplication extends Application {
// exception mapper
classes.add(PKIException.Mapper.class);
- // ACL interceptor
+ // interceptors
+ singletons.add(new AuthInterceptor());
singletons.add(new ACLInterceptor());
}
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties
new file mode 100644
index 0000000..95fabba
--- /dev/null
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties
@@ -0,0 +1,10 @@
+# Restful API authorization mapping info
+#
+# Format:
+# <mapping name> = <resource ID>,<operation>
+# ex: admin.users = certServer.ca.users,read
+
+account.login = certServer.ocsp.account,login
+account.logout = certServer.ocsp.account,logout
+admin.users = certServer.ocsp.users,execute
+admin.groups = certServer.ocsp.groups,execute
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
index cd2e140..81e2440 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
@@ -1,10 +1,9 @@
-# Restful API auth/authz mapping info
+# Restful API auth mapping info
#
# Format:
-# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <allowed auth methods>
+# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr
-account.login = certServer.ocsp.account,login
-account.logout = certServer.ocsp.account,logout
-admin.users = certServer.ocsp.users,execute
-admin.groups = certServer.ocsp.groups,execute
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+admin = certUserDBAuthMgr
diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
index 21b37f8..6a5f60f 100644
--- a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
+++ b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
@@ -6,6 +6,7 @@ import java.util.Set;
import javax.ws.rs.core.Application;
import com.netscape.certsrv.acls.ACLInterceptor;
+import com.netscape.certsrv.authentication.AuthInterceptor;
import com.netscape.certsrv.base.PKIException;
import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
@@ -40,7 +41,8 @@ public class OCSPApplication extends Application {
// exception mapper
classes.add(PKIException.Mapper.class);
- // ACL interceptor
+ // interceptors
+ singletons.add(new AuthInterceptor());
singletons.add(new ACLInterceptor());
}
diff --git a/base/tks/shared/webapps/tks/WEB-INF/acl.properties b/base/tks/shared/webapps/tks/WEB-INF/acl.properties
new file mode 100644
index 0000000..6236713
--- /dev/null
+++ b/base/tks/shared/webapps/tks/WEB-INF/acl.properties
@@ -0,0 +1,10 @@
+# Restful API authorization mapping info
+#
+# Format:
+# <mapping name> = <resource ID>,<operation>
+# ex: admin.users = certServer.ca.users,read
+
+account.login = certServer.tks.account,login
+account.logout = certServer.tks.account,logout
+admin.users = certServer.tks.users,execute
+admin.groups = certServer.tks.groups,execute
diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth.properties b/base/tks/shared/webapps/tks/WEB-INF/auth.properties
index 6de7f08..81e2440 100644
--- a/base/tks/shared/webapps/tks/WEB-INF/auth.properties
+++ b/base/tks/shared/webapps/tks/WEB-INF/auth.properties
@@ -1,10 +1,9 @@
-# Restful API auth/authz mapping info
+# Restful API auth mapping info
#
# Format:
-# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <allowed auth methods>
+# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr
-account.login = certServer.tks.account,login
-account.logout = certServer.tks.account,logout
-admin.users = certServer.tks.users,execute
-admin.groups = certServer.tks.groups,execute
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+admin = certUserDBAuthMgr
diff --git a/base/tks/src/com/netscape/tks/TKSApplication.java b/base/tks/src/com/netscape/tks/TKSApplication.java
index 229a64c..c79e0d0 100644
--- a/base/tks/src/com/netscape/tks/TKSApplication.java
+++ b/base/tks/src/com/netscape/tks/TKSApplication.java
@@ -6,6 +6,7 @@ import java.util.Set;
import javax.ws.rs.core.Application;
import com.netscape.certsrv.acls.ACLInterceptor;
+import com.netscape.certsrv.authentication.AuthInterceptor;
import com.netscape.certsrv.base.PKIException;
import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
@@ -40,7 +41,8 @@ public class TKSApplication extends Application {
// exception mapper
classes.add(PKIException.Mapper.class);
- // ACL interceptor
+ // interceptors
+ singletons.add(new AuthInterceptor());
singletons.add(new ACLInterceptor());
}