authorEndi Sukma Dewata <edewata@redhat.com>2013-02-01 13:05:38 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2013-02-12 22:32:51 -0500
commitaf5d06d241b33cea3a9e6b54ead00436fb2d5edc (patch)
tree01341b098eecc7acb7579061cf708b8b309c3188
parent12bd85dc50052107e5dccff56f4110b133aafdc1 (diff)
Added authentication method validation.ticket-477-4
A new mechanism has been added to limit the authentication methods that can be used to invoke the REST methods. The AuthMethodMapping annotation maps each REST method to a list of allowed authentication methods defined in auth-method.properties. When a client calls a REST method, the AuthMethodInterceptor will intercept the call and verify that the client uses an allowed authentication method. For security reasons, most REST methods that require authentication have been configured to require client certificate authentication. Authentication using username and password will only be used to get the installation token from the security domain. The auth.properties files have been renamed to acl.properties since they are used to store ACL mappings. Ticket #477
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/acl.properties (renamed from base/ca/shared/webapps/ca/WEB-INF/auth.properties)6
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/auth-method.properties11
-rw-r--r--base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java4
-rw-r--r--base/common/src/com/netscape/certsrv/account/AccountResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java16
-rw-r--r--base/common/src/com/netscape/certsrv/authentication/AuthMethodInterceptor.java159
-rw-r--r--base/common/src/com/netscape/certsrv/authentication/AuthMethodMapping.java31
-rw-r--r--base/common/src/com/netscape/certsrv/cert/CertRequestResource.java52
-rw-r--r--base/common/src/com/netscape/certsrv/cert/CertResource.java5
-rw-r--r--base/common/src/com/netscape/certsrv/group/GroupMemberResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/group/GroupResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/key/KeyRequestResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/key/KeyResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/profile/ProfileResource.java3
-rw-r--r--base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/user/UserCertResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/user/UserResource.java2
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py5
-rw-r--r--base/deploy/src/scriptlets/slot_substitution.py2
-rw-r--r--base/kra/shared/webapps/kra/WEB-INF/acl.properties (renamed from base/kra/shared/webapps/kra/WEB-INF/auth.properties)6
-rw-r--r--base/kra/shared/webapps/kra/WEB-INF/auth-method.properties10
-rw-r--r--base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java4
-rw-r--r--base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties (renamed from base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties)6
-rw-r--r--base/ocsp/shared/webapps/ocsp/WEB-INF/auth-method.properties9
-rw-r--r--base/ocsp/src/com/netscape/ocsp/OCSPApplication.java4
-rw-r--r--base/tks/shared/webapps/tks/WEB-INF/acl.properties (renamed from base/tks/shared/webapps/tks/WEB-INF/auth.properties)6
-rw-r--r--base/tks/shared/webapps/tks/WEB-INF/auth-method.properties9
-rw-r--r--base/tks/src/com/netscape/tks/TKSApplication.java4
29 files changed, 318 insertions, 52 deletions
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/acl.properties
index b73b9ac10..20f3dd864 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/auth.properties
+++ b/base/ca/shared/webapps/ca/WEB-INF/acl.properties
@@ -1,8 +1,8 @@
-# Restful API auth/authz mapping info
+# Restful API authorization mapping info
#
# Format:
-# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# ex: admin.users = certServer.ca.users,read
account.login = certServer.ca.account,login
account.logout = certServer.ca.account,logout
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth-method.properties b/base/ca/shared/webapps/ca/WEB-INF/auth-method.properties
new file mode 100644
index 000000000..3a6658765
--- /dev/null
+++ b/base/ca/shared/webapps/ca/WEB-INF/auth-method.properties
@@ -0,0 +1,11 @@
+# Restful API auth mapping info
+#
+# Format:
+# <mapping name> = <allowed auth methods>
+# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+admin = certUserDBAuthMgr
+agent = certUserDBAuthMgr
+securityDomain.installToken = passwdUserDBAuthMgr
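Review bot: `default = *` is broader than the header comment suggests: in AuthMethodInterceptor a `*` entry also admits requests with no principal at all, so every resource without an `@AuthMethodMapping` is reachable unauthenticated as far as this check is concerned. The format comment should spell out the special values, e.g. `# "*" = any auth method, including unauthenticated access` and `# "anonymous" = unauthenticated access only`, and note that a mapping name with no entry is currently treated as allow. The same applies to the kra, ocsp and tks auth-method.properties files added in this commit.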
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
index 14b44e5d7..a8702459e 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application;
import com.netscape.certsrv.acls.ACLInterceptor;
import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.AuthMethodInterceptor;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.PKIException;
@@ -85,7 +86,8 @@ public class CertificateAuthorityApplication extends Application {
// exception mapper
classes.add(PKIException.Mapper.class);
- // ACL interceptor
+ // interceptors
+ singletons.add(new AuthMethodInterceptor());
singletons.add(new ACLInterceptor());
}
diff --git a/base/common/src/com/netscape/certsrv/account/AccountResource.java b/base/common/src/com/netscape/certsrv/account/AccountResource.java
index a69a3d122..c18e26de8 100644
--- a/base/common/src/com/netscape/certsrv/account/AccountResource.java
+++ b/base/common/src/com/netscape/certsrv/account/AccountResource.java
@@ -22,11 +22,13 @@ import javax.ws.rs.GET;
import javax.ws.rs.Path;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
/**
* @author Endi S. Dewata
*/
@Path("account")
+@AuthMethodMapping("account")
public interface AccountResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java
index c30740260..dd4985eab 100644
--- a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java
+++ b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java
@@ -54,7 +54,7 @@ import com.netscape.cmscore.realm.PKIPrincipal;
@Precedence("SECURITY")
public class ACLInterceptor implements PreProcessInterceptor {
- Properties authProperties;
+ Properties aclProperties;
@Context
ServletContext servletContext;
@@ -62,13 +62,13 @@ public class ACLInterceptor implements PreProcessInterceptor {
@Context
SecurityContext securityContext;
- public synchronized void loadAuthProperties() throws IOException {
+ public synchronized void loadACLProperties() throws IOException {
- if (authProperties != null) return;
+ if (aclProperties != null) return;
- URL url = servletContext.getResource("/WEB-INF/auth.properties");
- authProperties = new Properties();
- authProperties.load(url.openStream());
+ URL url = servletContext.getResource("/WEB-INF/acl.properties");
+ aclProperties = new Properties();
+ aclProperties.load(url.openStream());
}
@Override
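Review bot: `loadACLProperties()` assigns the `aclProperties` field before the file is read, so a failed load is cached as an empty table. If `getResource` returns null (missing file) or `load` throws, the next request sees a non-null `aclProperties`, skips loading, finds no property, and takes the `// If no property defined, allow request.` path shown in the following hunk. The stream from `url.openStream()` is also never closed. Loading into a local and publishing it only on success fixes both; `AuthMethodInterceptor.loadAuthProperties()`, added later in this commit, copies the same pattern and needs the same change.

```java
public synchronized void loadACLProperties() throws IOException {
    if (aclProperties != null) return;
    URL url = servletContext.getResource("/WEB-INF/acl.properties");
    if (url == null) {
        throw new IOException("Missing /WEB-INF/acl.properties");
    }
    Properties properties = new Properties();
    java.io.InputStream in = url.openStream();
    try {
        properties.load(in);
    } finally {
        in.close();
    }
    // publish only after a successful load so a failure is retried, not cached as empty
    aclProperties = properties;
}
```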
@@ -111,10 +111,10 @@ public class ACLInterceptor implements PreProcessInterceptor {
}
try {
- loadAuthProperties();
+ loadACLProperties();
String name = aclMapping.value();
- String value = authProperties.getProperty(name);
+ String value = aclProperties.getProperty(name);
// If no property defined, allow request.
if (value == null) return null;
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthMethodInterceptor.java b/base/common/src/com/netscape/certsrv/authentication/AuthMethodInterceptor.java
new file mode 100644
index 000000000..145cd26f5
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthMethodInterceptor.java
@@ -0,0 +1,159 @@
+//--- BEGIN COPYRIGHT BLOCK ---
+//This program is free software; you can redistribute it and/or modify
+//it under the terms of the GNU General Public License as published by
+//the Free Software Foundation; version 2 of the License.
+//
+//This program is distributed in the hope that it will be useful,
+//but WITHOUT ANY WARRANTY; without even the implied warranty of
+//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+//GNU General Public License for more details.
+//
+//You should have received a copy of the GNU General Public License along
+//with this program; if not, write to the Free Software Foundation, Inc.,
+//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+//(C) 2013 Red Hat, Inc.
+//All rights reserved.
+//--- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+import java.io.IOException;
+import java.lang.reflect.Method;
+import java.net.URL;
+import java.security.Principal;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Properties;
+
+import javax.servlet.ServletContext;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.SecurityContext;
+import javax.ws.rs.ext.Provider;
+
+import org.jboss.resteasy.annotations.interception.Precedence;
+import org.jboss.resteasy.annotations.interception.ServerInterceptor;
+import org.jboss.resteasy.core.ResourceMethod;
+import org.jboss.resteasy.core.ServerResponse;
+import org.jboss.resteasy.spi.Failure;
+import org.jboss.resteasy.spi.HttpRequest;
+import org.jboss.resteasy.spi.interception.PreProcessInterceptor;
+
+import com.netscape.certsrv.base.ForbiddenException;
+import com.netscape.cmscore.realm.PKIPrincipal;
+
+
+/**
+ * @author Endi S. Dewata
+ */
+@Provider
+@ServerInterceptor
+@Precedence("SECURITY")
+public class AuthMethodInterceptor implements PreProcessInterceptor {
+
+ Properties authProperties;
+
+ @Context
+ ServletContext servletContext;
+
+ @Context
+ SecurityContext securityContext;
+
+ public synchronized void loadAuthProperties() throws IOException {
+
+ if (authProperties != null) return;
+
+ URL url = servletContext.getResource("/WEB-INF/auth-method.properties");
+ authProperties = new Properties();
+ authProperties.load(url.openStream());
+ }
+
+ @Override
+ public ServerResponse preProcess(
+ HttpRequest request,
+ ResourceMethod resourceMethod
+ ) throws Failure, ForbiddenException {
+
+ Class<?> clazz = resourceMethod.getResourceClass();
+ Method method = resourceMethod.getMethod();
+ System.out.println("AuthInterceptor: "+clazz.getSimpleName()+"."+method.getName()+"()");
+
+ // Get authentication mapping for the method.
+ AuthMethodMapping authMapping = method.getAnnotation(AuthMethodMapping.class);
+
+ // If not available, get authentication mapping for the class.
+ if (authMapping == null) {
+ authMapping = clazz.getAnnotation(AuthMethodMapping.class);
+ }
+
+ String name;
+ if (authMapping == null) {
+ // If not available, use the default mapping.
+ name = "default";
+ } else {
+ // Get the method label
+ name = authMapping.value();
+ }
+
+ System.out.println("AuthInterceptor: mapping name: "+name);
+
+ try {
+ loadAuthProperties();
+
+ String value = authProperties.getProperty(name);
+ Collection<String> authMethods = new HashSet<String>();
+ if (value != null) {
+ for (String v : value.split(",")) {
+ authMethods.add(v.trim());
+ }
+ }
+
+ System.out.println("AuthInterceptor: required auth methods: "+authMethods);
+
+ Principal principal = securityContext.getUserPrincipal();
+
+ // If unauthenticated, reject request.
+ if (principal == null) {
+ if (authMethods.isEmpty() || authMethods.contains("anonymous") || authMethods.contains("*")) {
+ System.out.println("AuthInterceptor: anonymous access allowed");
+ return null;
+ }
+ System.out.println("AuthInterceptor: anonymous access not allowed");
+ throw new ForbiddenException("Anonymous access not allowed.");
+ }
+
+ // If unrecognized principal, reject request.
+ if (!(principal instanceof PKIPrincipal)) {
+ System.out.println("AuthInterceptor: unknown principal");
+ throw new ForbiddenException("Unknown user principal");
+ }
+
+ PKIPrincipal pkiPrincipal = (PKIPrincipal)principal;
+ IAuthToken authToken = pkiPrincipal.getAuthToken();
+
+ // If missing auth token, reject request.
+ if (authToken == null) {
+ System.out.println("AuthInterceptor: missing authentication token");
+ throw new ForbiddenException("Missing authentication token.");
+ }
+
+ String authManager = (String)authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+ System.out.println("AuthInterceptor: authentication manager: "+authManager);
+
+ if (authManager == null) {
+ System.out.println("AuthInterceptor: missing authentication manager");
+ throw new ForbiddenException("Missing authentication manager.");
+ }
+
+ if (authMethods.isEmpty() || authMethods.contains(authManager) || authMethods.contains("*")) {
+ System.out.println("AuthInterceptor: "+authManager+" allowed");
+ return null;
+ }
+
+ throw new ForbiddenException("Authentication method not allowed.");
+
+ } catch (IOException e) {
+ e.printStackTrace();
+ throw new Failure(e);
+ }
+ }
+}
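Review bot: A mapping name that has no entry in auth-method.properties is allowed rather than rejected: `authProperties.getProperty(name)` returning null leaves `authMethods` empty, and both the anonymous branch and the final check pass on `authMethods.isEmpty()`. The ocsp and tks property files in this commit define no `agent` key and only the ca file defines `securityDomain.installToken`, so a resource carrying those annotations in another subsystem, or a mistyped annotation value, would be open to unauthenticated callers without any error. Falling back to the default entry and denying when nothing is configured would close that: `if (value == null) value = authProperties.getProperty("default");` and drop `authMethods.isEmpty() ||` from both conditions. The `System.out.println` calls also write the caller's authentication manager to stdout on every request; the server's logger at debug level would be the usual place.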
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthMethodMapping.java b/base/common/src/com/netscape/certsrv/authentication/AuthMethodMapping.java
new file mode 100644
index 000000000..6170c0f9b
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthMethodMapping.java
@@ -0,0 +1,31 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2013 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.authentication;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+
+
+/**
+ * @author Endi S. Dewata
+ */
+@Retention(RetentionPolicy.RUNTIME)
+public @interface AuthMethodMapping {
+ public String value();
+}
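Review bot: The annotation has no `@Target` and no Javadoc beyond the author tag, so nothing says where it may be placed or what `value()` names. Adding `@Target({ElementType.TYPE, ElementType.METHOD})` and a sentence stating that the value is a key in WEB-INF/auth-method.properties would document the contract. It is also worth confirming that the interceptor's `clazz.getAnnotation(AuthMethodMapping.class)` sees the class-level annotations this commit puts on resource interfaces: Java does not inherit annotations from implemented interfaces, so if `getResourceClass()` returns the implementing service class the lookup would presumably fall through to `default = *`.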
diff --git a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java
index 0bd285136..2c103f729 100644
--- a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java
+++ b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java
@@ -28,11 +28,33 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
import com.netscape.certsrv.request.RequestId;
@Path("")
public interface CertRequestResource {
+ // Enrollment - used to test integration with a browser
+ @POST
+ @Path("certrequests")
+ @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @Consumes({ MediaType.APPLICATION_FORM_URLENCODED })
+ public CertRequestInfos enrollCert(MultivaluedMap<String, String> form);
+
+ @POST
+ @Path("certrequests")
+ @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ public CertRequestInfos enrollCert(CertEnrollmentRequest data);
+
+ /**
+ * Used to retrieve cert request info for a specific request
+ */
+ @GET
+ @Path("certrequests/{id}")
+ @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ public CertRequestInfo getRequestInfo(@PathParam("id") RequestId id);
+
/**
* Used to generate list of cert requests based on the search parameters
*/
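Review bot: `enrollCert` (both overloads) and `getRequestInfo` carry neither `@ACLMapping` nor `@AuthMethodMapping`, so after this commit they resolve to the `default` mapping, which the new auth-method.properties sets to `*` and the interceptor treats as allowing unauthenticated callers. If that is intended for end-entity enrollment, say so at the declaration, for example `// No AuthMethodMapping: uses the "default" entry, unauthenticated access allowed`. For `getRequestInfo` it is worth confirming that returning request details by id to an unauthenticated caller is acceptable, particularly if request ids are predictable. The interface body continues outside this hunk.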
@@ -40,6 +62,7 @@ public interface CertRequestResource {
@Path("agent/certrequests")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public CertRequestInfos listRequests(@QueryParam("requestState") String requestState,
@QueryParam("requestType") String requestType,
@QueryParam("start") RequestId start,
@@ -47,72 +70,59 @@ public interface CertRequestResource {
@QueryParam("maxResults") Integer maxResults,
@QueryParam("maxTime") Integer maxTime);
- /**
- * Used to retrieve cert request info for a specific request
- */
- @GET
- @Path("certrequests/{id}")
- @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
- public CertRequestInfo getRequestInfo(@PathParam("id") RequestId id);
-
@GET
@Path("agent/certrequests/{id}")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public CertReviewResponse reviewRequest(@PathParam("id") RequestId id);
- // Enrollment - used to test integration with a browser
- @POST
- @Path("certrequests")
- @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
- @Consumes({ MediaType.APPLICATION_FORM_URLENCODED })
- public CertRequestInfos enrollCert(MultivaluedMap<String, String> form);
-
- @POST
- @Path("certrequests")
- @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
- @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
- public CertRequestInfos enrollCert(CertEnrollmentRequest data);
-
@POST
@Path("agent/certrequests/{id}/approve")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public void approveRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/reject")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public void rejectRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/cancel")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public void cancelRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/update")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public void updateRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/validate")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public void validateRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/unassign")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public void unassignRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/assign")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public void assignRequest(@PathParam("id") RequestId id, CertReviewResponse data);
}
diff --git a/base/common/src/com/netscape/certsrv/cert/CertResource.java b/base/common/src/com/netscape/certsrv/cert/CertResource.java
index 17395032d..a667fdc2d 100644
--- a/base/common/src/com/netscape/certsrv/cert/CertResource.java
+++ b/base/common/src/com/netscape/certsrv/cert/CertResource.java
@@ -11,6 +11,7 @@ import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
import com.netscape.certsrv.dbs.certdb.CertId;
@Path("")
@@ -45,6 +46,7 @@ public interface CertResource {
@Path("agent/certs/{id}")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certs")
+ @AuthMethodMapping("agent")
public CertData reviewCert(@PathParam("id") CertId id);
@POST
@@ -52,6 +54,7 @@ public interface CertResource {
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certs")
+ @AuthMethodMapping("agent")
public CertRequestInfo revokeCACert(@PathParam("id") CertId id, CertRevokeRequest request);
@POST
@@ -59,6 +62,7 @@ public interface CertResource {
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certs")
+ @AuthMethodMapping("agent")
public CertRequestInfo revokeCert(@PathParam("id") CertId id, CertRevokeRequest request);
@POST
@@ -66,5 +70,6 @@ public interface CertResource {
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certs")
+ @AuthMethodMapping("agent")
public CertRequestInfo unrevokeCert(@PathParam("id") CertId id, CertUnrevokeRequest request);
}
diff --git a/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java b/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java
index c984daa65..cd4d2eb24 100644
--- a/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java
+++ b/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java
@@ -32,12 +32,14 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
/**
* @author Endi S. Dewata
*/
@Path("admin/groups/{groupID}/members")
@ACLMapping("admin.groups")
+@AuthMethodMapping("admin")
public interface GroupMemberResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/group/GroupResource.java b/base/common/src/com/netscape/certsrv/group/GroupResource.java
index 17728dd13..ffe32e2cd 100644
--- a/base/common/src/com/netscape/certsrv/group/GroupResource.java
+++ b/base/common/src/com/netscape/certsrv/group/GroupResource.java
@@ -32,12 +32,14 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
/**
* @author Endi S. Dewata
*/
@Path("admin/groups")
@ACLMapping("admin.groups")
+@AuthMethodMapping("admin")
public interface GroupResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java b/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java
index 9f1ffbe02..6fc12d5ee 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java
@@ -11,10 +11,12 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
import com.netscape.certsrv.request.RequestId;
@Path("agent/keyrequests")
@ACLMapping("agent.keyrequests")
+@AuthMethodMapping("agent")
public interface KeyRequestResource {
public final String SYMMETRIC_KEY_TYPE = "symmetricKey";
diff --git a/base/common/src/com/netscape/certsrv/key/KeyResource.java b/base/common/src/com/netscape/certsrv/key/KeyResource.java
index da7f22031..bcca6bb97 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyResource.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyResource.java
@@ -10,10 +10,12 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
@Path("agent/keys")
@ACLMapping("agent.keys")
+@AuthMethodMapping("agent")
public interface KeyResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/profile/ProfileResource.java b/base/common/src/com/netscape/certsrv/profile/ProfileResource.java
index 6dadef560..572e6eb88 100644
--- a/base/common/src/com/netscape/certsrv/profile/ProfileResource.java
+++ b/base/common/src/com/netscape/certsrv/profile/ProfileResource.java
@@ -6,8 +6,11 @@ import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
+
@Path("agent/profiles")
+@AuthMethodMapping("agent")
public interface ProfileResource {
@GET
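Review bot: `ProfileResource` gets `@AuthMethodMapping("agent")` but, unlike `KeyResource` and `KeyRequestResource` in this commit, the visible lines show no `@ACLMapping` on the interface and no ACLMapping import. The auth-method check only establishes which authentication manager accepted the caller, not that the caller holds the agent role, so unless method-level ACL mappings exist outside this hunk any certificate-authenticated user would pass. Consider pairing it with `@ACLMapping("<acl mapping name>")` (placeholder) and a matching entry in acl.properties, as the other agent resources do.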
diff --git a/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java b/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java
index 01f159e96..0799b55a6 100644
--- a/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java
+++ b/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java
@@ -26,12 +26,14 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
/**
* @author Ade Lee
*/
@Path("admin/kraconnector")
@ACLMapping("admin.kraconnector")
+@AuthMethodMapping("admin")
public interface KRAConnectorResource {
@POST
diff --git a/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java
index b34d9fe13..740786f79 100644
--- a/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java
+++ b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java
@@ -24,6 +24,7 @@ import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
/**
* @author alee
@@ -35,6 +36,7 @@ public interface SecurityDomainResource {
@Path("installToken")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("securityDomain.installToken")
+ @AuthMethodMapping("securityDomain.installToken")
public InstallToken getInstallToken(
@QueryParam("hostname") String hostname,
@QueryParam("subsystem") String subsystem);
diff --git a/base/common/src/com/netscape/certsrv/user/UserCertResource.java b/base/common/src/com/netscape/certsrv/user/UserCertResource.java
index d85abd6e0..81133df3b 100644
--- a/base/common/src/com/netscape/certsrv/user/UserCertResource.java
+++ b/base/common/src/com/netscape/certsrv/user/UserCertResource.java
@@ -32,12 +32,14 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
/**
* @author Endi S. Dewata
*/
@Path("admin/users/{userID}/certs")
@ACLMapping("admin.users")
+@AuthMethodMapping("admin")
public interface UserCertResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/user/UserResource.java b/base/common/src/com/netscape/certsrv/user/UserResource.java
index e72bb0cef..078992897 100644
--- a/base/common/src/com/netscape/certsrv/user/UserResource.java
+++ b/base/common/src/com/netscape/certsrv/user/UserResource.java
@@ -32,12 +32,14 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
/**
* @author Endi S. Dewata
*/
@Path("admin/users")
@ACLMapping("admin.users")
+@AuthMethodMapping("admin")
public interface UserResource {
@GET
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 7f2d5859d..aec125016 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -434,11 +434,6 @@ class PKIConfigParser:
config.pki_master_dict['pki_instance_configuration_path'],
"tomcat.conf")
# in-place slot substitution name/value pairs
- config.pki_master_dict['pki_target_auth_properties'] =\
- os.path.join(
- config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
- "WEB-INF",
- "auth.properties")
config.pki_master_dict['pki_target_velocity_properties'] =\
os.path.join(
config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py
index 055908b5b..205ed49f6 100644
--- a/base/deploy/src/scriptlets/slot_substitution.py
+++ b/base/deploy/src/scriptlets/slot_substitution.py
@@ -70,8 +70,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_tomcat_conf'],
overwrite_flag=True)
util.file.apply_slot_substitution(
- master['pki_target_auth_properties'])
- util.file.apply_slot_substitution(
master['pki_target_velocity_properties'])
util.file.apply_slot_substitution(
master['pki_target_subsystem_web_xml'])
diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/webapps/kra/WEB-INF/acl.properties
index 567747f5b..952bdad33 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties
+++ b/base/kra/shared/webapps/kra/WEB-INF/acl.properties
@@ -1,8 +1,8 @@
-# Restful API auth/authz mapping info
+# Restful API authorization mapping info
#
# Format:
-# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# ex: admin.users = certServer.ca.users,read
account.login = certServer.kra.account,login
account.logout = certServer.kra.account,logout
diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth-method.properties b/base/kra/shared/webapps/kra/WEB-INF/auth-method.properties
new file mode 100644
index 000000000..29a2f2381
--- /dev/null
+++ b/base/kra/shared/webapps/kra/WEB-INF/auth-method.properties
@@ -0,0 +1,10 @@
+# Restful API auth mapping info
+#
+# Format:
+# <mapping name> = <allowed auth methods>
+# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+admin = certUserDBAuthMgr
+agent = certUserDBAuthMgr
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
index 0ed23f697..b7e288fdb 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
@@ -6,6 +6,7 @@ import java.util.Set;
import javax.ws.rs.core.Application;
import com.netscape.certsrv.acls.ACLInterceptor;
+import com.netscape.certsrv.authentication.AuthMethodInterceptor;
import com.netscape.certsrv.base.PKIException;
import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
@@ -46,7 +47,8 @@ public class KeyRecoveryAuthorityApplication extends Application {
// exception mapper
classes.add(PKIException.Mapper.class);
- // ACL interceptor
+ // interceptors
+ singletons.add(new AuthMethodInterceptor());
singletons.add(new ACLInterceptor());
}
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties
index cd2e14058..95fabba72 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties
@@ -1,8 +1,8 @@
-# Restful API auth/authz mapping info
+# Restful API authorization mapping info
#
# Format:
-# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# ex: admin.users = certServer.ca.users,read
account.login = certServer.ocsp.account,login
account.logout = certServer.ocsp.account,logout
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth-method.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth-method.properties
new file mode 100644
index 000000000..81e24403f
--- /dev/null
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth-method.properties
@@ -0,0 +1,9 @@
+# Restful API auth mapping info
+#
+# Format:
+# <mapping name> = <allowed auth methods>
+# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+admin = certUserDBAuthMgr
diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
index 21b37f801..e9f5fbf3e 100644
--- a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
+++ b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
@@ -6,6 +6,7 @@ import java.util.Set;
import javax.ws.rs.core.Application;
import com.netscape.certsrv.acls.ACLInterceptor;
+import com.netscape.certsrv.authentication.AuthMethodInterceptor;
import com.netscape.certsrv.base.PKIException;
import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
@@ -40,7 +41,8 @@ public class OCSPApplication extends Application {
// exception mapper
classes.add(PKIException.Mapper.class);
- // ACL interceptor
+ // interceptors
+ singletons.add(new AuthMethodInterceptor());
singletons.add(new ACLInterceptor());
}
diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth.properties b/base/tks/shared/webapps/tks/WEB-INF/acl.properties
index 6de7f08e5..62367135e 100644
--- a/base/tks/shared/webapps/tks/WEB-INF/auth.properties
+++ b/base/tks/shared/webapps/tks/WEB-INF/acl.properties
@@ -1,8 +1,8 @@
-# Restful API auth/authz mapping info
+# Restful API authorization mapping info
#
# Format:
-# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# ex: admin.users = certServer.ca.users,read
account.login = certServer.tks.account,login
account.logout = certServer.tks.account,logout
diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth-method.properties b/base/tks/shared/webapps/tks/WEB-INF/auth-method.properties
new file mode 100644
index 000000000..81e24403f
--- /dev/null
+++ b/base/tks/shared/webapps/tks/WEB-INF/auth-method.properties
@@ -0,0 +1,9 @@
+# Restful API auth mapping info
+#
+# Format:
+# <mapping name> = <allowed auth methods>
+# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+admin = certUserDBAuthMgr
diff --git a/base/tks/src/com/netscape/tks/TKSApplication.java b/base/tks/src/com/netscape/tks/TKSApplication.java
index 229a64c95..6dfbeae0b 100644
--- a/base/tks/src/com/netscape/tks/TKSApplication.java
+++ b/base/tks/src/com/netscape/tks/TKSApplication.java
@@ -6,6 +6,7 @@ import java.util.Set;
import javax.ws.rs.core.Application;
import com.netscape.certsrv.acls.ACLInterceptor;
+import com.netscape.certsrv.authentication.AuthMethodInterceptor;
import com.netscape.certsrv.base.PKIException;
import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
@@ -40,7 +41,8 @@ public class TKSApplication extends Application {
// exception mapper
classes.add(PKIException.Mapper.class);
- // ACL interceptor
+ // interceptors
+ singletons.add(new AuthMethodInterceptor());
singletons.add(new ACLInterceptor());
}