summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEndi Sukma Dewata <edewata@redhat.com>2013-02-01 13:05:38 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2013-02-01 13:05:38 -0500
commitee5585e96c7c7d82782141943ab196472da084a2 (patch)
tree95c0883b6cef51ccb7f8766fdae560e5f5320459
parentb7b3bcfecc792ea689af2ecc554e12b42a58f1ce (diff)
downloadpki-ticket-477.zip
pki-ticket-477.tar.gz
pki-ticket-477.tar.xz
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/acl.properties14
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/auth.properties16
-rw-r--r--base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java4
-rw-r--r--base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java16
-rw-r--r--base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java152
-rw-r--r--base/common/src/com/netscape/certsrv/authentication/AuthMapping.java31
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java1
-rw-r--r--base/kra/shared/webapps/kra/WEB-INF/acl.properties (renamed from base/kra/shared/webapps/kra/WEB-INF/auth.properties)0
-rw-r--r--base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java4
-rw-r--r--base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties (renamed from base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties)0
-rw-r--r--base/ocsp/src/com/netscape/ocsp/OCSPApplication.java4
-rw-r--r--base/tks/shared/webapps/tks/WEB-INF/acl.properties (renamed from base/tks/shared/webapps/tks/WEB-INF/auth.properties)0
-rw-r--r--base/tks/src/com/netscape/tks/TKSApplication.java4
13 files changed, 223 insertions, 23 deletions
diff --git a/base/ca/shared/webapps/ca/WEB-INF/acl.properties b/base/ca/shared/webapps/ca/WEB-INF/acl.properties
new file mode 100644
index 0000000..2e82831
--- /dev/null
+++ b/base/ca/shared/webapps/ca/WEB-INF/acl.properties
@@ -0,0 +1,14 @@
+# Restful API authorization mapping info
+#
+# Format:
+# <mapping ID = <ACL resource ID>,<ACL resource operation>
+# ex: admin.users = certServer.ca.users,read
+
+account.login = certServer.ca.account,login
+account.logout = certServer.ca.account,logout
+admin.users = certServer.ca.users,execute
+admin.groups = certServer.ca.groups,execute
+admin.kraconnector = certServer.ca.connectorInfo,modify
+agent.certrequests = certServer.ca.certrequests,execute
+agent.certs = certServer.ca.certs,execute
+securityDomain.installToken = certServer.securitydomain.domainxml,read
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
index b73b9ac..54fbf27 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/auth.properties
+++ b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
@@ -1,14 +1,8 @@
-# Restful API auth/authz mapping info
+# Restful API auth mapping info
#
# Format:
-# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping ID> = <auth method list>
+# ex: admin.users = anonymous,basic,client-cert,any
-account.login = certServer.ca.account,login
-account.logout = certServer.ca.account,logout
-admin.users = certServer.ca.users,execute
-admin.groups = certServer.ca.groups,execute
-admin.kraconnector = certServer.ca.connectorInfo,modify
-agent.certrequests = certServer.ca.certrequests,execute
-agent.certs = certServer.ca.certs,execute
-securityDomain.installToken = certServer.securitydomain.domainxml,read
+default = any
+securityDomain.installToken = basic
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
index 14b44e5..35e9381 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application;
import com.netscape.certsrv.acls.ACLInterceptor;
import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.AuthInterceptor;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.PKIException;
@@ -85,7 +86,8 @@ public class CertificateAuthorityApplication extends Application {
// exception mapper
classes.add(PKIException.Mapper.class);
- // ACL interceptor
+ // interceptors
+ singletons.add(new AuthInterceptor());
singletons.add(new ACLInterceptor());
}
diff --git a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java
index c307402..dd4985e 100644
--- a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java
+++ b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java
@@ -54,7 +54,7 @@ import com.netscape.cmscore.realm.PKIPrincipal;
@Precedence("SECURITY")
public class ACLInterceptor implements PreProcessInterceptor {
- Properties authProperties;
+ Properties aclProperties;
@Context
ServletContext servletContext;
@@ -62,13 +62,13 @@ public class ACLInterceptor implements PreProcessInterceptor {
@Context
SecurityContext securityContext;
- public synchronized void loadAuthProperties() throws IOException {
+ public synchronized void loadACLProperties() throws IOException {
- if (authProperties != null) return;
+ if (aclProperties != null) return;
- URL url = servletContext.getResource("/WEB-INF/auth.properties");
- authProperties = new Properties();
- authProperties.load(url.openStream());
+ URL url = servletContext.getResource("/WEB-INF/acl.properties");
+ aclProperties = new Properties();
+ aclProperties.load(url.openStream());
}
@Override
@@ -111,10 +111,10 @@ public class ACLInterceptor implements PreProcessInterceptor {
}
try {
- loadAuthProperties();
+ loadACLProperties();
String name = aclMapping.value();
- String value = authProperties.getProperty(name);
+ String value = aclProperties.getProperty(name);
// If no property defined, allow request.
if (value == null) return null;
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java b/base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java
new file mode 100644
index 0000000..249828d
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java
@@ -0,0 +1,152 @@
+//--- BEGIN COPYRIGHT BLOCK ---
+//This program is free software; you can redistribute it and/or modify
+//it under the terms of the GNU General Public License as published by
+//the Free Software Foundation; version 2 of the License.
+//
+//This program is distributed in the hope that it will be useful,
+//but WITHOUT ANY WARRANTY; without even the implied warranty of
+//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+//GNU General Public License for more details.
+//
+//You should have received a copy of the GNU General Public License along
+//with this program; if not, write to the Free Software Foundation, Inc.,
+//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+//(C) 2013 Red Hat, Inc.
+//All rights reserved.
+//--- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+import java.io.IOException;
+import java.lang.reflect.Method;
+import java.net.URL;
+import java.security.Principal;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Properties;
+
+import javax.servlet.ServletContext;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.SecurityContext;
+import javax.ws.rs.ext.Provider;
+
+import org.jboss.resteasy.annotations.interception.Precedence;
+import org.jboss.resteasy.annotations.interception.ServerInterceptor;
+import org.jboss.resteasy.core.ResourceMethod;
+import org.jboss.resteasy.core.ServerResponse;
+import org.jboss.resteasy.spi.Failure;
+import org.jboss.resteasy.spi.HttpRequest;
+import org.jboss.resteasy.spi.interception.PreProcessInterceptor;
+
+import com.netscape.certsrv.base.ForbiddenException;
+import com.netscape.cmscore.realm.PKIPrincipal;
+
+
+/**
+ * @author Endi S. Dewata
+ */
+@Provider
+@ServerInterceptor
+@Precedence("SECURITY")
+public class AuthInterceptor implements PreProcessInterceptor {
+
+ Properties authProperties;
+
+ @Context
+ ServletContext servletContext;
+
+ @Context
+ SecurityContext securityContext;
+
+ public synchronized void loadAuthProperties() throws IOException {
+
+ if (authProperties != null) return;
+
+ URL url = servletContext.getResource("/WEB-INF/auth.properties");
+ authProperties = new Properties();
+ authProperties.load(url.openStream());
+ }
+
+ @Override
+ public ServerResponse preProcess(
+ HttpRequest request,
+ ResourceMethod resourceMethod
+ ) throws Failure, ForbiddenException {
+
+ Class<?> clazz = resourceMethod.getResourceClass();
+ Method method = resourceMethod.getMethod();
+ System.out.println("AuthInterceptor: invoking "+clazz.getSimpleName()+"."+method.getName()+"()");
+
+ // Get authentication mapping for the method.
+ System.out.println("AuthInterceptor: checking method mapping");
+ AuthMapping authMapping = method.getAnnotation(AuthMapping.class);
+
+ // If not available, get authentication mapping for the class.
+ if (authMapping == null) {
+ System.out.println("AuthInterceptor: checking class mapping");
+ authMapping = clazz.getAnnotation(AuthMapping.class);
+ }
+
+ String name;
+ if (authMapping == null) {
+ // If not available, use the default mapping.
+ name = "default";
+ } else {
+ // Get the method label
+ name = authMapping.value();
+ }
+
+ System.out.println("AuthInterceptor: mapping ID: "+name);
+
+ try {
+ loadAuthProperties();
+
+ String value = authProperties.getProperty(name);
+ Collection<String> authMethods = new HashSet<String>();
+ if (value != null) {
+ for (String v : value.split(",")) {
+ authMethods.add(v.trim());
+ }
+ }
+
+ System.out.println("AuthInterceptor: auth methods: "+authMethods);
+
+ Principal principal = securityContext.getUserPrincipal();
+
+ // If unauthenticated, reject request.
+ if (principal == null) {
+ if (authMethods.isEmpty() || authMethods.contains("anonymous") || authMethods.contains("any")) {
+ System.out.println("AuthInterceptor: anonymous allowed");
+ return null;
+ }
+ System.out.println("AuthInterceptor: anonymous not allowed");
+ throw new ForbiddenException("No user principal provided.");
+ }
+
+ // If unrecognized principal, reject request.
+ if (!(principal instanceof PKIPrincipal)) {
+ System.out.println("AuthInterceptor: invalid principal");
+ throw new ForbiddenException("Invalid user principal");
+ }
+
+ PKIPrincipal pkiPrincipal = (PKIPrincipal)principal;
+ IAuthToken authToken = pkiPrincipal.getAuthToken();
+
+ // If missing auth token, reject request.
+ if (authToken == null) {
+ System.out.println("AuthInterceptor: missing authentication token");
+ throw new ForbiddenException("No authentication token present.");
+ }
+
+ Object authManager = authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+ System.out.println("Authentication manager: "+authManager);
+
+ // Allow request.
+ return null;
+
+ } catch (IOException e) {
+ e.printStackTrace();
+ throw new Failure(e);
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthMapping.java b/base/common/src/com/netscape/certsrv/authentication/AuthMapping.java
new file mode 100644
index 0000000..e00cc9d
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthMapping.java
@@ -0,0 +1,31 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2013 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.authentication;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+
+
+/**
+ * @author Endi S. Dewata
+ */
+@Retention(RetentionPolicy.RUNTIME)
+public @interface AuthMapping {
+ public String value();
+}
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
index a7ec566..b7abe26 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
@@ -325,6 +325,7 @@ public class ConfigurationUtils {
config.setServerURI("https://" + sdhost + ":" + sdport + "/ca");
config.setUsername(user);
config.setPassword(passwd);
+ config.setInstanceCreationMode(true);
PKIConnection connection = new PKIConnection(config);
AccountClient accountClient = new AccountClient(connection);
diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/webapps/kra/WEB-INF/acl.properties
index 567747f..567747f 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties
+++ b/base/kra/shared/webapps/kra/WEB-INF/acl.properties
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
index 0ed23f6..d256c04 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
@@ -6,6 +6,7 @@ import java.util.Set;
import javax.ws.rs.core.Application;
import com.netscape.certsrv.acls.ACLInterceptor;
+import com.netscape.certsrv.authentication.AuthInterceptor;
import com.netscape.certsrv.base.PKIException;
import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
@@ -46,7 +47,8 @@ public class KeyRecoveryAuthorityApplication extends Application {
// exception mapper
classes.add(PKIException.Mapper.class);
- // ACL interceptor
+ // interceptors
+ singletons.add(new AuthInterceptor());
singletons.add(new ACLInterceptor());
}
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties
index cd2e140..cd2e140 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties
diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
index 21b37f8..6a5f60f 100644
--- a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
+++ b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
@@ -6,6 +6,7 @@ import java.util.Set;
import javax.ws.rs.core.Application;
import com.netscape.certsrv.acls.ACLInterceptor;
+import com.netscape.certsrv.authentication.AuthInterceptor;
import com.netscape.certsrv.base.PKIException;
import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
@@ -40,7 +41,8 @@ public class OCSPApplication extends Application {
// exception mapper
classes.add(PKIException.Mapper.class);
- // ACL interceptor
+ // interceptors
+ singletons.add(new AuthInterceptor());
singletons.add(new ACLInterceptor());
}
diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth.properties b/base/tks/shared/webapps/tks/WEB-INF/acl.properties
index 6de7f08..6de7f08 100644
--- a/base/tks/shared/webapps/tks/WEB-INF/auth.properties
+++ b/base/tks/shared/webapps/tks/WEB-INF/acl.properties
diff --git a/base/tks/src/com/netscape/tks/TKSApplication.java b/base/tks/src/com/netscape/tks/TKSApplication.java
index 229a64c..c79e0d0 100644
--- a/base/tks/src/com/netscape/tks/TKSApplication.java
+++ b/base/tks/src/com/netscape/tks/TKSApplication.java
@@ -6,6 +6,7 @@ import java.util.Set;
import javax.ws.rs.core.Application;
import com.netscape.certsrv.acls.ACLInterceptor;
+import com.netscape.certsrv.authentication.AuthInterceptor;
import com.netscape.certsrv.base.PKIException;
import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
@@ -40,7 +41,8 @@ public class TKSApplication extends Application {
// exception mapper
classes.add(PKIException.Mapper.class);
- // ACL interceptor
+ // interceptors
+ singletons.add(new AuthInterceptor());
singletons.add(new ACLInterceptor());
}