author | Endi Sukma Dewata <edewata@redhat.com> | 2013-02-01 13:05:38 -0500 |
committer | Endi Sukma Dewata <edewata@redhat.com> | 2013-02-18 12:47:28 -0500 |
commit | 1a96cb363c87ec7c2e3caff407289dcfd323e31b (patch) | |
tree | 18c929a526396ddd401c13557d090b43bed17899 | |
parent | dd01437171044ecb4cdc63998250a4d9f3277119 (diff) | |
Added authentication method validation.ticket-477-5
A new mechanism has been added to limit the authentication methods that
can be used to invoke the REST methods. The AuthMethodMapping annotation
maps each REST method to a list of allowed authentication methods defined in
auth-method.properties. When a client calls a REST method, the AuthMethod-
Interceptor will intercept the call and verify that the client uses an
allowed authentication method.
For security reasons, most REST methods that require authentication have been
configured to require client certificate authentication. Authentication using
username and password will only be used to get the installation token from
security domain.
The auth.properties have been renamed to acl.properties since it's used to
store ACL mappings.
Ticket #477
29 files changed, 318 insertions, 52 deletions
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/acl.properties index b73b9ac10..20f3dd864 100644 --- a/base/ca/shared/webapps/ca/WEB-INF/auth.properties +++ b/base/ca/shared/webapps/ca/WEB-INF/acl.properties @@ -1,8 +1,8 @@ -# Restful API auth/authz mapping info +# Restful API authorization mapping info # # Format: -# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation> -# ex: admin.users = certServer.ca.users,read +# <mapping name> = <resource ID>,<operation> +# ex: admin.users = certServer.ca.users,read account.login = certServer.ca.account,login account.logout = certServer.ca.account,logout diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth-method.properties b/base/ca/shared/webapps/ca/WEB-INF/auth-method.properties new file mode 100644 index 000000000..3a6658765 --- /dev/null +++ b/base/ca/shared/webapps/ca/WEB-INF/auth-method.properties @@ -0,0 +1,11 @@ +# Restful API auth mapping info +# +# Format: +# <mapping name> = <allowed auth methods> +# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr + +default = * +account = certUserDBAuthMgr,passwdUserDBAuthMgr +admin = certUserDBAuthMgr +agent = certUserDBAuthMgr +securityDomain.installToken = passwdUserDBAuthMgr diff --git a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java index 4c81ff925..7b45222d6 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java @@ -7,6 +7,7 @@ import javax.ws.rs.core.Application; import com.netscape.certsrv.acls.ACLInterceptor; import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthMethodInterceptor; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.PKIException; 
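Review bot: The header comment of the new auth-method.properties does not say what happens for a mapping name that is absent from the file or what `*` means; with the interceptor added in this commit an absent key places no restriction at all, and `*` also admits unauthenticated callers, so `default = *` leaves every resource without an `@AuthMethodMapping` open to any authentication method. Suggest extending the header with `# A name not listed here is unrestricted; '*' allows any method, including anonymous.` so operators editing the file know which entries are load-bearing. The same header is repeated in the kra, ocsp and tks copies later in this commit.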
@@ -87,7 +88,8 @@ public class CertificateAuthorityApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); - // ACL interceptor + // interceptors + singletons.add(new AuthMethodInterceptor()); singletons.add(new ACLInterceptor()); } diff --git a/base/common/src/com/netscape/certsrv/account/AccountResource.java b/base/common/src/com/netscape/certsrv/account/AccountResource.java index a69a3d122..c18e26de8 100644 --- a/base/common/src/com/netscape/certsrv/account/AccountResource.java +++ b/base/common/src/com/netscape/certsrv/account/AccountResource.java @@ -22,11 +22,13 @@ import javax.ws.rs.GET; import javax.ws.rs.Path; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; /** * @author Endi S. Dewata */ @Path("account") +@AuthMethodMapping("account") public interface AccountResource { @GET diff --git a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java index c30740260..dd4985eab 100644 --- a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java +++ b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java @@ -54,7 +54,7 @@ import com.netscape.cmscore.realm.PKIPrincipal; @Precedence("SECURITY") public class ACLInterceptor implements PreProcessInterceptor { - Properties authProperties; + Properties aclProperties; @Context ServletContext servletContext; 
@@ -62,13 +62,13 @@ public class ACLInterceptor implements PreProcessInterceptor { @Context SecurityContext securityContext; - public synchronized void loadAuthProperties() throws IOException { + public synchronized void loadACLProperties() throws IOException { - if (authProperties != null) return; + if (aclProperties != null) return; - URL url = servletContext.getResource("/WEB-INF/auth.properties"); - authProperties = new Properties(); - authProperties.load(url.openStream()); + URL url = servletContext.getResource("/WEB-INF/acl.properties"); + aclProperties = new Properties(); + aclProperties.load(url.openStream()); } @Override @@ -111,10 +111,10 @@ public class ACLInterceptor implements PreProcessInterceptor { } try { - loadAuthProperties(); + loadACLProperties(); String name = aclMapping.value(); - String value = authProperties.getProperty(name); + String value = aclProperties.getProperty(name); // If no property defined, allow request. if (value == null) return null; diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthMethodInterceptor.java b/base/common/src/com/netscape/certsrv/authentication/AuthMethodInterceptor.java new file mode 100644 index 000000000..145cd26f5 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/authentication/AuthMethodInterceptor.java 
@@ -0,0 +1,159 @@
+//--- BEGIN COPYRIGHT BLOCK ---
+//This program is free software; you can redistribute it and/or modify
+//it under the terms of the GNU General Public License as published by
+//the Free Software Foundation; version 2 of the License.
+//
+//This program is distributed in the hope that it will be useful,
+//but WITHOUT ANY WARRANTY; without even the implied warranty of
+//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+//GNU General Public License for more details.
+//
+//You should have received a copy of the GNU General Public License along
+//with this program; if not, write to the Free Software Foundation, Inc.,
+//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+//(C) 2013 Red Hat, Inc.
+//All rights reserved.
+//--- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+import java.io.IOException;
+import java.lang.reflect.Method;
+import java.net.URL;
+import java.security.Principal;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Properties;
+
+import javax.servlet.ServletContext;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.SecurityContext;
+import javax.ws.rs.ext.Provider;
+
+import org.jboss.resteasy.annotations.interception.Precedence;
+import org.jboss.resteasy.annotations.interception.ServerInterceptor;
+import org.jboss.resteasy.core.ResourceMethod;
+import org.jboss.resteasy.core.ServerResponse;
+import org.jboss.resteasy.spi.Failure;
+import org.jboss.resteasy.spi.HttpRequest;
+import org.jboss.resteasy.spi.interception.PreProcessInterceptor;
+
+import com.netscape.certsrv.base.ForbiddenException;
+import com.netscape.cmscore.realm.PKIPrincipal;
+
+
+/**
+ * @author Endi S. Dewata
+ */
+@Provider
+@ServerInterceptor
+@Precedence("SECURITY")
+public class AuthMethodInterceptor implements PreProcessInterceptor {
+
+ Properties authProperties;
+
+ @Context
+ ServletContext servletContext;
+
+ @Context
+ SecurityContext securityContext;
+
+ public synchronized void loadAuthProperties() throws IOException {
+
+ if (authProperties != null) return;
+
+ URL url = servletContext.getResource("/WEB-INF/auth-method.properties");
+ authProperties = new Properties();
+ authProperties.load(url.openStream());
+ }
+
+ @Override
+ public ServerResponse preProcess(
+ HttpRequest request,
+ ResourceMethod resourceMethod
+ ) throws Failure, ForbiddenException {
+
+ Class<?> clazz = resourceMethod.getResourceClass();
+ Method method = resourceMethod.getMethod();
+ System.out.println("AuthInterceptor: "+clazz.getSimpleName()+"."+method.getName()+"()");
+
+ // Get authentication mapping for the method.
+ AuthMethodMapping authMapping = method.getAnnotation(AuthMethodMapping.class);
+
+ // If not available, get authentication mapping for the class.
+ if (authMapping == null) {
+ authMapping = clazz.getAnnotation(AuthMethodMapping.class);
+ }
+
+ String name;
+ if (authMapping == null) {
+ // If not available, use the default mapping.
+ name = "default";
+ } else {
+ // Get the method label
+ name = authMapping.value();
+ }
+
+ System.out.println("AuthInterceptor: mapping name: "+name);
+
+ try {
+ loadAuthProperties();
+
+ String value = authProperties.getProperty(name);
+ Collection<String> authMethods = new HashSet<String>();
+ if (value != null) {
+ for (String v : value.split(",")) {
+ authMethods.add(v.trim());
+ }
+ }
+
+ System.out.println("AuthInterceptor: required auth methods: "+authMethods);
+
+ Principal principal = securityContext.getUserPrincipal();
+
+ // If unauthenticated, reject request.
+ if (principal == null) {
+ if (authMethods.isEmpty() || authMethods.contains("anonymous") || authMethods.contains("*")) {
+ System.out.println("AuthInterceptor: anonymous access allowed");
+ return null;
+ }
+ System.out.println("AuthInterceptor: anonymous access not allowed");
+ throw new ForbiddenException("Anonymous access not allowed.");
+ }
+
+ // If unrecognized principal, reject request.
+ if (!(principal instanceof PKIPrincipal)) {
+ System.out.println("AuthInterceptor: unknown principal");
+ throw new ForbiddenException("Unknown user principal");
+ }
+
+ PKIPrincipal pkiPrincipal = (PKIPrincipal)principal;
+ IAuthToken authToken = pkiPrincipal.getAuthToken();
+
+ // If missing auth token, reject request.
+ if (authToken == null) {
+ System.out.println("AuthInterceptor: missing authentication token");
+ throw new ForbiddenException("Missing authentication token.");
+ }
+
+ String authManager = (String)authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+ System.out.println("AuthInterceptor: authentication manager: "+authManager);
+
+ if (authManager == null) {
+ System.out.println("AuthInterceptor: missing authentication manager");
+ throw new ForbiddenException("Missing authentication manager.");
+ }
+
+ if (authMethods.isEmpty() || authMethods.contains(authManager) || authMethods.contains("*")) {
+ System.out.println("AuthInterceptor: "+authManager+" allowed");
+ return null;
+ }
+
+ throw new ForbiddenException("Authentication method not allowed.");
+
+ } catch (IOException e) {
+ e.printStackTrace();
+ throw new Failure(e);
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthMethodMapping.java b/base/common/src/com/netscape/certsrv/authentication/AuthMethodMapping.java
new file mode 100644
index 000000000..6170c0f9b
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthMethodMapping.java
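Review bot: A mapping name with no entry in auth-method.properties is treated as unrestricted: `String value = authProperties.getProperty(name);` leaves `authMethods` empty, and both `authMethods.isEmpty()` checks then admit anonymous callers as well as any authentication manager, so a misspelled annotation value or a subsystem whose file omits a key (the ocsp and tks files in this commit have no `agent` entry) silently disables the check for that resource. This mirrors the ACLInterceptor's "no property, allow" rule, but for an authentication gate it seems safer to fall back to the operator-controlled `default` entry, e.g. `if (value == null) value = authProperties.getProperty("default");`, so the unmapped case is decided in one place. In loadAuthProperties the stream from `url.openStream()` is never closed, and a null return from `servletContext.getResource` for a missing file surfaces as a NullPointerException that escapes the `catch (IOException e)` block; closing the stream in a finally and reporting a missing file explicitly would make the failure mode clear. The `System.out.println` calls that trace every request's mapping and authentication manager should go through the server's debug logger rather than stdout.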
@@ -0,0 +1,31 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2013 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package com.netscape.certsrv.authentication; + +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; + + +/** + * @author Endi S. Dewata + */ +@Retention(RetentionPolicy.RUNTIME) +public @interface AuthMethodMapping { + public String value(); +} diff --git a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java index 0bd285136..2c103f729 100644 --- a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java +++ b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java 
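Review bot: The annotation declares no `@Target`, so it can be placed on fields, parameters or packages where AuthMethodInterceptor never looks for it (the interceptor reads it from the method first and then from the resource class), and such a misplacement compiles without complaint and leaves the resource unrestricted. Adding `@Target({ElementType.TYPE, ElementType.METHOD})` makes the compiler reject it, and a Javadoc on `value()` should state that it is a key in WEB-INF/auth-method.properties and that a method-level mapping overrides a class-level one.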
@@ -28,11 +28,33 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; import com.netscape.certsrv.request.RequestId; @Path("") public interface CertRequestResource { + // Enrollment - used to test integration with a browser + @POST + @Path("certrequests") + @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + @Consumes({ MediaType.APPLICATION_FORM_URLENCODED }) + public CertRequestInfos enrollCert(MultivaluedMap<String, String> form); + + @POST + @Path("certrequests") + @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + public CertRequestInfos enrollCert(CertEnrollmentRequest data); + + /** + * Used to retrieve cert request info for a specific request + */ + @GET + @Path("certrequests/{id}") + @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + public CertRequestInfo getRequestInfo(@PathParam("id") RequestId id); + /** * Used to generate list of cert requests based on the search parameters */ @@ -40,6 +62,7 @@ public interface CertRequestResource { @Path("agent/certrequests") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public CertRequestInfos listRequests(@QueryParam("requestState") String requestState, @QueryParam("requestType") String requestType, @QueryParam("start") RequestId start, 
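Review bot: The `enrollCert` overloads and `getRequestInfo` moved to the top of the interface carry no `@AuthMethodMapping`, so they resolve to the `default` entry, which the CA's auth-method.properties in this commit maps to `*` — any authentication method, including none. If that is intended for browser enrollment, a comment on the group would stop a later reader from treating the omission as an oversight, e.g. `// No @AuthMethodMapping: these resolve to the "default" entry in auth-method.properties.` The interface body continues in the following hunks.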
@@ -47,72 +70,59 @@ public interface CertRequestResource { @QueryParam("maxResults") Integer maxResults, @QueryParam("maxTime") Integer maxTime); - /** - * Used to retrieve cert request info for a specific request - */ - @GET - @Path("certrequests/{id}") - @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - public CertRequestInfo getRequestInfo(@PathParam("id") RequestId id); - @GET @Path("agent/certrequests/{id}") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public CertReviewResponse reviewRequest(@PathParam("id") RequestId id); - // Enrollment - used to test integration with a browser - @POST - @Path("certrequests") - @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - @Consumes({ MediaType.APPLICATION_FORM_URLENCODED }) - public CertRequestInfos enrollCert(MultivaluedMap<String, String> form); - - @POST - @Path("certrequests") - @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - public CertRequestInfos enrollCert(CertEnrollmentRequest data); - @POST @Path("agent/certrequests/{id}/approve") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public void approveRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/reject") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public void rejectRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/cancel") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public void cancelRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST 
@Path("agent/certrequests/{id}/update") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public void updateRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/validate") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public void validateRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/unassign") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public void unassignRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/assign") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public void assignRequest(@PathParam("id") RequestId id, CertReviewResponse data); } diff --git a/base/common/src/com/netscape/certsrv/cert/CertResource.java b/base/common/src/com/netscape/certsrv/cert/CertResource.java index 17395032d..a667fdc2d 100644 --- a/base/common/src/com/netscape/certsrv/cert/CertResource.java +++ b/base/common/src/com/netscape/certsrv/cert/CertResource.java @@ -11,6 +11,7 @@ import javax.ws.rs.QueryParam; import javax.ws.rs.core.MediaType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; import com.netscape.certsrv.dbs.certdb.CertId; @Path("") @@ -45,6 +46,7 @@ public interface CertResource { @Path("agent/certs/{id}") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") + @AuthMethodMapping("agent") public CertData reviewCert(@PathParam("id") CertId id); @POST 
@@ -52,6 +54,7 @@ public interface CertResource { @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") + @AuthMethodMapping("agent") public CertRequestInfo revokeCACert(@PathParam("id") CertId id, CertRevokeRequest request); @POST @@ -59,6 +62,7 @@ public interface CertResource { @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") + @AuthMethodMapping("agent") public CertRequestInfo revokeCert(@PathParam("id") CertId id, CertRevokeRequest request); @POST @@ -66,5 +70,6 @@ public interface CertResource { @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") + @AuthMethodMapping("agent") public CertRequestInfo unrevokeCert(@PathParam("id") CertId id, CertUnrevokeRequest request); } diff --git a/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java b/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java index c984daa65..cd4d2eb24 100644 --- a/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java +++ b/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java @@ -32,12 +32,14 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; /** * @author Endi S. Dewata */ @Path("admin/groups/{groupID}/members") @ACLMapping("admin.groups") +@AuthMethodMapping("admin") public interface GroupMemberResource { @GET diff --git a/base/common/src/com/netscape/certsrv/group/GroupResource.java b/base/common/src/com/netscape/certsrv/group/GroupResource.java index 17728dd13..ffe32e2cd 100644 --- a/base/common/src/com/netscape/certsrv/group/GroupResource.java 
+++ b/base/common/src/com/netscape/certsrv/group/GroupResource.java @@ -32,12 +32,14 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; /** * @author Endi S. Dewata */ @Path("admin/groups") @ACLMapping("admin.groups") +@AuthMethodMapping("admin") public interface GroupResource { @GET diff --git a/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java b/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java index 9f1ffbe02..6fc12d5ee 100644 --- a/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java +++ b/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java @@ -11,10 +11,12 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; import com.netscape.certsrv.request.RequestId; @Path("agent/keyrequests") @ACLMapping("agent.keyrequests") +@AuthMethodMapping("agent") public interface KeyRequestResource { public final String SYMMETRIC_KEY_TYPE = "symmetricKey"; diff --git a/base/common/src/com/netscape/certsrv/key/KeyResource.java b/base/common/src/com/netscape/certsrv/key/KeyResource.java index da7f22031..bcca6bb97 100644 --- a/base/common/src/com/netscape/certsrv/key/KeyResource.java +++ b/base/common/src/com/netscape/certsrv/key/KeyResource.java @@ -10,10 +10,12 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; @Path("agent/keys") @ACLMapping("agent.keys") +@AuthMethodMapping("agent") public interface KeyResource { @GET diff --git a/base/common/src/com/netscape/certsrv/profile/ProfileResource.java b/base/common/src/com/netscape/certsrv/profile/ProfileResource.java index 6dadef560..572e6eb88 100644 
--- a/base/common/src/com/netscape/certsrv/profile/ProfileResource.java +++ b/base/common/src/com/netscape/certsrv/profile/ProfileResource.java @@ -6,8 +6,11 @@ import javax.ws.rs.PathParam; import javax.ws.rs.Produces; import javax.ws.rs.core.MediaType; +import com.netscape.certsrv.authentication.AuthMethodMapping; + @Path("agent/profiles") +@AuthMethodMapping("agent") public interface ProfileResource { @GET diff --git a/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java b/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java index 01f159e96..0799b55a6 100644 --- a/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java +++ b/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java @@ -26,12 +26,14 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; /** * @author Ade Lee */ @Path("admin/kraconnector") @ACLMapping("admin.kraconnector") +@AuthMethodMapping("admin") public interface KRAConnectorResource { @POST diff --git a/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java index b34d9fe13..740786f79 100644 --- a/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java +++ b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java @@ -24,6 +24,7 @@ import javax.ws.rs.QueryParam; import javax.ws.rs.core.MediaType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; /** * @author alee 
@@ -35,6 +36,7 @@ public interface SecurityDomainResource { @Path("installToken") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("securityDomain.installToken") + @AuthMethodMapping("securityDomain.installToken") public InstallToken getInstallToken( @QueryParam("hostname") String hostname, @QueryParam("subsystem") String subsystem); diff --git a/base/common/src/com/netscape/certsrv/user/UserCertResource.java b/base/common/src/com/netscape/certsrv/user/UserCertResource.java index d85abd6e0..81133df3b 100644 --- a/base/common/src/com/netscape/certsrv/user/UserCertResource.java +++ b/base/common/src/com/netscape/certsrv/user/UserCertResource.java @@ -32,12 +32,14 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; /** * @author Endi S. Dewata */ @Path("admin/users/{userID}/certs") @ACLMapping("admin.users") +@AuthMethodMapping("admin") public interface UserCertResource { @GET diff --git a/base/common/src/com/netscape/certsrv/user/UserResource.java b/base/common/src/com/netscape/certsrv/user/UserResource.java index e72bb0cef..078992897 100644 --- a/base/common/src/com/netscape/certsrv/user/UserResource.java +++ b/base/common/src/com/netscape/certsrv/user/UserResource.java @@ -32,12 +32,14 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; /** * @author Endi S. Dewata */ @Path("admin/users") @ACLMapping("admin.users") +@AuthMethodMapping("admin") public interface UserResource { @GET diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index 7f2d5859d..aec125016 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py 
@@ -434,11 +434,6 @@ class PKIConfigParser: config.pki_master_dict['pki_instance_configuration_path'], "tomcat.conf") # in-place slot substitution name/value pairs - config.pki_master_dict['pki_target_auth_properties'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], - "WEB-INF", - "auth.properties") config.pki_master_dict['pki_target_velocity_properties'] =\ os.path.join( config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py index 055908b5b..205ed49f6 100644 --- a/base/deploy/src/scriptlets/slot_substitution.py +++ b/base/deploy/src/scriptlets/slot_substitution.py @@ -70,8 +70,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_target_tomcat_conf'], overwrite_flag=True) util.file.apply_slot_substitution( - master['pki_target_auth_properties']) - util.file.apply_slot_substitution( master['pki_target_velocity_properties']) util.file.apply_slot_substitution( master['pki_target_subsystem_web_xml']) diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/webapps/kra/WEB-INF/acl.properties index 567747f5b..952bdad33 100644 --- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties +++ b/base/kra/shared/webapps/kra/WEB-INF/acl.properties @@ -1,8 +1,8 @@ -# Restful API auth/authz mapping info +# Restful API authorization mapping info # # Format: -# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation> -# ex: admin.users = certServer.ca.users,read +# <mapping name> = <resource ID>,<operation> +# ex: admin.users = certServer.ca.users,read account.login = certServer.kra.account,login account.logout = certServer.kra.account,logout diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth-method.properties b/base/kra/shared/webapps/kra/WEB-INF/auth-method.properties new file mode 100644 index 000000000..29a2f2381 --- /dev/null 
+++ b/base/kra/shared/webapps/kra/WEB-INF/auth-method.properties @@ -0,0 +1,10 @@ +# Restful API auth mapping info +# +# Format: +# <mapping name> = <allowed auth methods> +# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr + +default = * +account = certUserDBAuthMgr,passwdUserDBAuthMgr +admin = certUserDBAuthMgr +agent = certUserDBAuthMgr diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java index b205c6a5d..6b7f3e2cf 100644 --- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java +++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java @@ -6,6 +6,7 @@ import java.util.Set; import javax.ws.rs.core.Application; import com.netscape.certsrv.acls.ACLInterceptor; +import com.netscape.certsrv.authentication.AuthMethodInterceptor; import com.netscape.certsrv.base.PKIException; import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupMemberService; @@ -48,7 +49,8 @@ public class KeyRecoveryAuthorityApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); - // ACL interceptor + // interceptors + singletons.add(new AuthMethodInterceptor()); singletons.add(new ACLInterceptor()); } diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties index cd2e14058..95fabba72 100644 --- a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties +++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties @@ -1,8 +1,8 @@ -# Restful API auth/authz mapping info +# Restful API authorization mapping info # # Format: -# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation> -# ex: admin.users = certServer.ca.users,read +# <mapping name> = <resource ID>,<operation> +# ex: admin.users = certServer.ca.users,read account.login = certServer.ocsp.account,login account.logout = certServer.ocsp.account,logout 
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth-method.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth-method.properties new file mode 100644 index 000000000..81e24403f --- /dev/null +++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth-method.properties @@ -0,0 +1,9 @@ +# Restful API auth mapping info +# +# Format: +# <mapping name> = <allowed auth methods> +# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr + +default = * +account = certUserDBAuthMgr,passwdUserDBAuthMgr +admin = certUserDBAuthMgr diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java index f9995c1a0..3a8737856 100644 --- a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java +++ b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java @@ -6,6 +6,7 @@ import java.util.Set; import javax.ws.rs.core.Application; import com.netscape.certsrv.acls.ACLInterceptor; +import com.netscape.certsrv.authentication.AuthMethodInterceptor; import com.netscape.certsrv.base.PKIException; import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupMemberService; @@ -42,7 +43,8 @@ public class OCSPApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); - // ACL interceptor + // interceptors + singletons.add(new AuthMethodInterceptor()); singletons.add(new ACLInterceptor()); } diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth.properties b/base/tks/shared/webapps/tks/WEB-INF/acl.properties index 6de7f08e5..62367135e 100644 --- a/base/tks/shared/webapps/tks/WEB-INF/auth.properties +++ b/base/tks/shared/webapps/tks/WEB-INF/acl.properties 
@@ -1,8 +1,8 @@ -# Restful API auth/authz mapping info +# Restful API authorization mapping info # # Format: -# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation> -# ex: admin.users = certServer.ca.users,read +# <mapping name> = <resource ID>,<operation> +# ex: admin.users = certServer.ca.users,read account.login = certServer.tks.account,login account.logout = certServer.tks.account,logout diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth-method.properties b/base/tks/shared/webapps/tks/WEB-INF/auth-method.properties new file mode 100644 index 000000000..81e24403f --- /dev/null +++ b/base/tks/shared/webapps/tks/WEB-INF/auth-method.properties @@ -0,0 +1,9 @@ +# Restful API auth mapping info +# +# Format: +# <mapping name> = <allowed auth methods> +# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr + +default = * +account = certUserDBAuthMgr,passwdUserDBAuthMgr +admin = certUserDBAuthMgr diff --git a/base/tks/src/com/netscape/tks/TKSApplication.java b/base/tks/src/com/netscape/tks/TKSApplication.java index 0939d1cd2..1ff193058 100644 --- a/base/tks/src/com/netscape/tks/TKSApplication.java +++ b/base/tks/src/com/netscape/tks/TKSApplication.java @@ -6,6 +6,7 @@ import java.util.Set; import javax.ws.rs.core.Application; import com.netscape.certsrv.acls.ACLInterceptor; +import com.netscape.certsrv.authentication.AuthMethodInterceptor; import com.netscape.certsrv.base.PKIException; import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupMemberService; @@ -42,7 +43,8 @@ public class TKSApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); - // ACL interceptor + // interceptors + singletons.add(new AuthMethodInterceptor()); singletons.add(new ACLInterceptor()); } |