diff options
author | Endi Sukma Dewata <edewata@redhat.com> | 2013-02-01 13:05:38 -0500 |
---|---|---|
committer | Endi Sukma Dewata <edewata@redhat.com> | 2013-02-18 12:47:28 -0500 |
commit | 1a96cb363c87ec7c2e3caff407289dcfd323e31b (patch) | |
tree | 18c929a526396ddd401c13557d090b43bed17899 | |
parent | dd01437171044ecb4cdc63998250a4d9f3277119 (diff) | |
download | pki-ticket-477-5.zip pki-ticket-477-5.tar.gz pki-ticket-477-5.tar.xz |
Added authentication method validation.ticket-477-5
A new mechanism has been added to limit the authentication methods that
can be used to invoke the REST methods. The AuthMethodMapping annotation
maps each REST method to a list of allowed authentication methods defined
auth-method.properties. When a client calls a REST method, the AuthMethod-
Interceptor will intercept the call and verify that the client uses an
allowed authentication method.
For security reason, most REST methods that require authentication have been
configured to require client certificate authentication. Authentication using
username and password will only be used to get the installation token from
security domain.
The auth.properties have been renamed to acl.properties since it's used to
store ACL mappings.
Ticket #477
29 files changed, 318 insertions, 52 deletions
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/acl.properties index b73b9ac..20f3dd8 100644 --- a/base/ca/shared/webapps/ca/WEB-INF/auth.properties +++ b/base/ca/shared/webapps/ca/WEB-INF/acl.properties @@ -1,8 +1,8 @@ -# Restful API auth/authz mapping info +# Restful API authorization mapping info # # Format: -# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation> -# ex: admin.users = certServer.ca.users,read +# <mapping name> = <resource ID>,<operation> +# ex: admin.users = certServer.ca.users,read account.login = certServer.ca.account,login account.logout = certServer.ca.account,logout diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth-method.properties b/base/ca/shared/webapps/ca/WEB-INF/auth-method.properties new file mode 100644 index 0000000..3a66587 --- /dev/null +++ b/base/ca/shared/webapps/ca/WEB-INF/auth-method.properties @@ -0,0 +1,11 @@ +# Restful API auth mapping info +# +# Format: +# <mapping name> = <allowed auth methods> +# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr + +default = * +account = certUserDBAuthMgr,passwdUserDBAuthMgr +admin = certUserDBAuthMgr +agent = certUserDBAuthMgr +securityDomain.installToken = passwdUserDBAuthMgr diff --git a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java index 4c81ff9..7b45222 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java @@ -7,6 +7,7 @@ import javax.ws.rs.core.Application; import com.netscape.certsrv.acls.ACLInterceptor; import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthMethodInterceptor; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.PKIException; @@ -87,7 +88,8 @@ public class CertificateAuthorityApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); - // ACL interceptor + // interceptors + singletons.add(new AuthMethodInterceptor()); singletons.add(new ACLInterceptor()); } diff --git a/base/common/src/com/netscape/certsrv/account/AccountResource.java b/base/common/src/com/netscape/certsrv/account/AccountResource.java index a69a3d1..c18e26d 100644 --- a/base/common/src/com/netscape/certsrv/account/AccountResource.java +++ b/base/common/src/com/netscape/certsrv/account/AccountResource.java @@ -22,11 +22,13 @@ import javax.ws.rs.GET; import javax.ws.rs.Path; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; /** * @author Endi S. Dewata */ @Path("account") +@AuthMethodMapping("account") public interface AccountResource { @GET diff --git a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java index c307402..dd4985e 100644 --- a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java +++ b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java @@ -54,7 +54,7 @@ import com.netscape.cmscore.realm.PKIPrincipal; @Precedence("SECURITY") public class ACLInterceptor implements PreProcessInterceptor { - Properties authProperties; + Properties aclProperties; @Context ServletContext servletContext; @@ -62,13 +62,13 @@ public class ACLInterceptor implements PreProcessInterceptor { @Context SecurityContext securityContext; - public synchronized void loadAuthProperties() throws IOException { + public synchronized void loadACLProperties() throws IOException { - if (authProperties != null) return; + if (aclProperties != null) return; - URL url = servletContext.getResource("/WEB-INF/auth.properties"); - authProperties = new Properties(); - authProperties.load(url.openStream()); + URL url = servletContext.getResource("/WEB-INF/acl.properties"); + aclProperties = new Properties(); + aclProperties.load(url.openStream()); } @Override @@ -111,10 +111,10 @@ public class ACLInterceptor implements PreProcessInterceptor { } try { - loadAuthProperties(); + loadACLProperties(); String name = aclMapping.value(); - String value = authProperties.getProperty(name); + String value = aclProperties.getProperty(name); // If no property defined, allow request. if (value == null) return null; diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthMethodInterceptor.java b/base/common/src/com/netscape/certsrv/authentication/AuthMethodInterceptor.java new file mode 100644 index 0000000..145cd26 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/authentication/AuthMethodInterceptor.java @@ -0,0 +1,159 @@ +//--- BEGIN COPYRIGHT BLOCK --- +//This program is free software; you can redistribute it and/or modify +//it under the terms of the GNU General Public License as published by +//the Free Software Foundation; version 2 of the License. +// +//This program is distributed in the hope that it will be useful, +//but WITHOUT ANY WARRANTY; without even the implied warranty of +//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +//GNU General Public License for more details. +// +//You should have received a copy of the GNU General Public License along +//with this program; if not, write to the Free Software Foundation, Inc., +//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +//(C) 2013 Red Hat, Inc. +//All rights reserved. +//--- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.authentication; + +import java.io.IOException; +import java.lang.reflect.Method; +import java.net.URL; +import java.security.Principal; +import java.util.Collection; +import java.util.HashSet; +import java.util.Properties; + +import javax.servlet.ServletContext; +import javax.ws.rs.core.Context; +import javax.ws.rs.core.SecurityContext; +import javax.ws.rs.ext.Provider; + +import org.jboss.resteasy.annotations.interception.Precedence; +import org.jboss.resteasy.annotations.interception.ServerInterceptor; +import org.jboss.resteasy.core.ResourceMethod; +import org.jboss.resteasy.core.ServerResponse; +import org.jboss.resteasy.spi.Failure; +import org.jboss.resteasy.spi.HttpRequest; +import org.jboss.resteasy.spi.interception.PreProcessInterceptor; + +import com.netscape.certsrv.base.ForbiddenException; +import com.netscape.cmscore.realm.PKIPrincipal; + + +/** + * @author Endi S. Dewata + */ +@Provider +@ServerInterceptor +@Precedence("SECURITY") +public class AuthMethodInterceptor implements PreProcessInterceptor { + + Properties authProperties; + + @Context + ServletContext servletContext; + + @Context + SecurityContext securityContext; + + public synchronized void loadAuthProperties() throws IOException { + + if (authProperties != null) return; + + URL url = servletContext.getResource("/WEB-INF/auth-method.properties"); + authProperties = new Properties(); + authProperties.load(url.openStream()); + } + + @Override + public ServerResponse preProcess( + HttpRequest request, + ResourceMethod resourceMethod + ) throws Failure, ForbiddenException { + + Class<?> clazz = resourceMethod.getResourceClass(); + Method method = resourceMethod.getMethod(); + System.out.println("AuthInterceptor: "+clazz.getSimpleName()+"."+method.getName()+"()"); + + // Get authentication mapping for the method. + AuthMethodMapping authMapping = method.getAnnotation(AuthMethodMapping.class); + + // If not available, get authentication mapping for the class. + if (authMapping == null) { + authMapping = clazz.getAnnotation(AuthMethodMapping.class); + } + + String name; + if (authMapping == null) { + // If not available, use the default mapping. + name = "default"; + } else { + // Get the method label + name = authMapping.value(); + } + + System.out.println("AuthInterceptor: mapping name: "+name); + + try { + loadAuthProperties(); + + String value = authProperties.getProperty(name); + Collection<String> authMethods = new HashSet<String>(); + if (value != null) { + for (String v : value.split(",")) { + authMethods.add(v.trim()); + } + } + + System.out.println("AuthInterceptor: required auth methods: "+authMethods); + + Principal principal = securityContext.getUserPrincipal(); + + // If unauthenticated, reject request. + if (principal == null) { + if (authMethods.isEmpty() || authMethods.contains("anonymous") || authMethods.contains("*")) { + System.out.println("AuthInterceptor: anonymous access allowed"); + return null; + } + System.out.println("AuthInterceptor: anonymous access not allowed"); + throw new ForbiddenException("Anonymous access not allowed."); + } + + // If unrecognized principal, reject request. + if (!(principal instanceof PKIPrincipal)) { + System.out.println("AuthInterceptor: unknown principal"); + throw new ForbiddenException("Unknown user principal"); + } + + PKIPrincipal pkiPrincipal = (PKIPrincipal)principal; + IAuthToken authToken = pkiPrincipal.getAuthToken(); + + // If missing auth token, reject request. + if (authToken == null) { + System.out.println("AuthInterceptor: missing authentication token"); + throw new ForbiddenException("Missing authentication token."); + } + + String authManager = (String)authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME); + System.out.println("AuthInterceptor: authentication manager: "+authManager); + + if (authManager == null) { + System.out.println("AuthInterceptor: missing authentication manager"); + throw new ForbiddenException("Missing authentication manager."); + } + + if (authMethods.isEmpty() || authMethods.contains(authManager) || authMethods.contains("*")) { + System.out.println("AuthInterceptor: "+authManager+" allowed"); + return null; + } + + throw new ForbiddenException("Authentication method not allowed."); + + } catch (IOException e) { + e.printStackTrace(); + throw new Failure(e); + } + } +} diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthMethodMapping.java b/base/common/src/com/netscape/certsrv/authentication/AuthMethodMapping.java new file mode 100644 index 0000000..6170c0f --- /dev/null +++ b/base/common/src/com/netscape/certsrv/authentication/AuthMethodMapping.java @@ -0,0 +1,31 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2013 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package com.netscape.certsrv.authentication; + +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; + + +/** + * @author Endi S. Dewata + */ +@Retention(RetentionPolicy.RUNTIME) +public @interface AuthMethodMapping { + public String value(); +} diff --git a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java index 0bd2851..2c103f7 100644 --- a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java +++ b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java @@ -28,11 +28,33 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; import com.netscape.certsrv.request.RequestId; @Path("") public interface CertRequestResource { + // Enrollment - used to test integration with a browser + @POST + @Path("certrequests") + @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + @Consumes({ MediaType.APPLICATION_FORM_URLENCODED }) + public CertRequestInfos enrollCert(MultivaluedMap<String, String> form); + + @POST + @Path("certrequests") + @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + public CertRequestInfos enrollCert(CertEnrollmentRequest data); + + /** + * Used to retrieve cert request info for a specific request + */ + @GET + @Path("certrequests/{id}") + @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + public CertRequestInfo getRequestInfo(@PathParam("id") RequestId id); + /** * Used to generate list of cert requests based on the search parameters */ @@ -40,6 +62,7 @@ public interface CertRequestResource { @Path("agent/certrequests") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public CertRequestInfos listRequests(@QueryParam("requestState") String requestState, @QueryParam("requestType") String requestType, @QueryParam("start") RequestId start, @@ -47,72 +70,59 @@ public interface CertRequestResource { @QueryParam("maxResults") Integer maxResults, @QueryParam("maxTime") Integer maxTime); - /** - * Used to retrieve cert request info for a specific request - */ - @GET - @Path("certrequests/{id}") - @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - public CertRequestInfo getRequestInfo(@PathParam("id") RequestId id); - @GET @Path("agent/certrequests/{id}") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public CertReviewResponse reviewRequest(@PathParam("id") RequestId id); - // Enrollment - used to test integration with a browser - @POST - @Path("certrequests") - @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - @Consumes({ MediaType.APPLICATION_FORM_URLENCODED }) - public CertRequestInfos enrollCert(MultivaluedMap<String, String> form); - - @POST - @Path("certrequests") - @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - public CertRequestInfos enrollCert(CertEnrollmentRequest data); - @POST @Path("agent/certrequests/{id}/approve") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public void approveRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/reject") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public void rejectRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/cancel") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public void cancelRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/update") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public void updateRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/validate") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public void validateRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/unassign") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public void unassignRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/assign") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMethodMapping("agent") public void assignRequest(@PathParam("id") RequestId id, CertReviewResponse data); } diff --git a/base/common/src/com/netscape/certsrv/cert/CertResource.java b/base/common/src/com/netscape/certsrv/cert/CertResource.java index 1739503..a667fdc 100644 --- a/base/common/src/com/netscape/certsrv/cert/CertResource.java +++ b/base/common/src/com/netscape/certsrv/cert/CertResource.java @@ -11,6 +11,7 @@ import javax.ws.rs.QueryParam; import javax.ws.rs.core.MediaType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; import com.netscape.certsrv.dbs.certdb.CertId; @Path("") @@ -45,6 +46,7 @@ public interface CertResource { @Path("agent/certs/{id}") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") + @AuthMethodMapping("agent") public CertData reviewCert(@PathParam("id") CertId id); @POST @@ -52,6 +54,7 @@ public interface CertResource { @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") + @AuthMethodMapping("agent") public CertRequestInfo revokeCACert(@PathParam("id") CertId id, CertRevokeRequest request); @POST @@ -59,6 +62,7 @@ public interface CertResource { @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") + @AuthMethodMapping("agent") public CertRequestInfo revokeCert(@PathParam("id") CertId id, CertRevokeRequest request); @POST @@ -66,5 +70,6 @@ public interface CertResource { @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") + @AuthMethodMapping("agent") public CertRequestInfo unrevokeCert(@PathParam("id") CertId id, CertUnrevokeRequest request); } diff --git a/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java b/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java index c984daa..cd4d2eb 100644 --- a/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java +++ b/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java @@ -32,12 +32,14 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; /** * @author Endi S. Dewata */ @Path("admin/groups/{groupID}/members") @ACLMapping("admin.groups") +@AuthMethodMapping("admin") public interface GroupMemberResource { @GET diff --git a/base/common/src/com/netscape/certsrv/group/GroupResource.java b/base/common/src/com/netscape/certsrv/group/GroupResource.java index 17728dd..ffe32e2 100644 --- a/base/common/src/com/netscape/certsrv/group/GroupResource.java +++ b/base/common/src/com/netscape/certsrv/group/GroupResource.java @@ -32,12 +32,14 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; /** * @author Endi S. Dewata */ @Path("admin/groups") @ACLMapping("admin.groups") +@AuthMethodMapping("admin") public interface GroupResource { @GET diff --git a/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java b/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java index 9f1ffbe..6fc12d5 100644 --- a/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java +++ b/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java @@ -11,10 +11,12 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; import com.netscape.certsrv.request.RequestId; @Path("agent/keyrequests") @ACLMapping("agent.keyrequests") +@AuthMethodMapping("agent") public interface KeyRequestResource { public final String SYMMETRIC_KEY_TYPE = "symmetricKey"; diff --git a/base/common/src/com/netscape/certsrv/key/KeyResource.java b/base/common/src/com/netscape/certsrv/key/KeyResource.java index da7f220..bcca6bb 100644 --- a/base/common/src/com/netscape/certsrv/key/KeyResource.java +++ b/base/common/src/com/netscape/certsrv/key/KeyResource.java @@ -10,10 +10,12 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; @Path("agent/keys") @ACLMapping("agent.keys") +@AuthMethodMapping("agent") public interface KeyResource { @GET diff --git a/base/common/src/com/netscape/certsrv/profile/ProfileResource.java b/base/common/src/com/netscape/certsrv/profile/ProfileResource.java index 6dadef5..572e6eb 100644 --- a/base/common/src/com/netscape/certsrv/profile/ProfileResource.java +++ b/base/common/src/com/netscape/certsrv/profile/ProfileResource.java @@ -6,8 +6,11 @@ import javax.ws.rs.PathParam; import javax.ws.rs.Produces; import javax.ws.rs.core.MediaType; +import com.netscape.certsrv.authentication.AuthMethodMapping; + @Path("agent/profiles") +@AuthMethodMapping("agent") public interface ProfileResource { @GET diff --git a/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java b/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java index 01f159e..0799b55 100644 --- a/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java +++ b/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java @@ -26,12 +26,14 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; /** * @author Ade Lee */ @Path("admin/kraconnector") @ACLMapping("admin.kraconnector") +@AuthMethodMapping("admin") public interface KRAConnectorResource { @POST diff --git a/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java index b34d9fe..740786f 100644 --- a/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java +++ b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java @@ -24,6 +24,7 @@ import javax.ws.rs.QueryParam; import javax.ws.rs.core.MediaType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; /** * @author alee @@ -35,6 +36,7 @@ public interface SecurityDomainResource { @Path("installToken") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("securityDomain.installToken") + @AuthMethodMapping("securityDomain.installToken") public InstallToken getInstallToken( @QueryParam("hostname") String hostname, @QueryParam("subsystem") String subsystem); diff --git a/base/common/src/com/netscape/certsrv/user/UserCertResource.java b/base/common/src/com/netscape/certsrv/user/UserCertResource.java index d85abd6..81133df 100644 --- a/base/common/src/com/netscape/certsrv/user/UserCertResource.java +++ b/base/common/src/com/netscape/certsrv/user/UserCertResource.java @@ -32,12 +32,14 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; /** * @author Endi S. Dewata */ @Path("admin/users/{userID}/certs") @ACLMapping("admin.users") +@AuthMethodMapping("admin") public interface UserCertResource { @GET diff --git a/base/common/src/com/netscape/certsrv/user/UserResource.java b/base/common/src/com/netscape/certsrv/user/UserResource.java index e72bb0c..0789928 100644 --- a/base/common/src/com/netscape/certsrv/user/UserResource.java +++ b/base/common/src/com/netscape/certsrv/user/UserResource.java @@ -32,12 +32,14 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMethodMapping; /** * @author Endi S. Dewata */ @Path("admin/users") @ACLMapping("admin.users") +@AuthMethodMapping("admin") public interface UserResource { @GET diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index 7f2d585..aec1250 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py @@ -434,11 +434,6 @@ class PKIConfigParser: config.pki_master_dict['pki_instance_configuration_path'], "tomcat.conf") # in-place slot substitution name/value pairs - config.pki_master_dict['pki_target_auth_properties'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], - "WEB-INF", - "auth.properties") config.pki_master_dict['pki_target_velocity_properties'] =\ os.path.join( config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py index 055908b..205ed49 100644 --- a/base/deploy/src/scriptlets/slot_substitution.py +++ b/base/deploy/src/scriptlets/slot_substitution.py @@ -70,8 +70,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_target_tomcat_conf'], overwrite_flag=True) util.file.apply_slot_substitution( - master['pki_target_auth_properties']) - util.file.apply_slot_substitution( master['pki_target_velocity_properties']) util.file.apply_slot_substitution( master['pki_target_subsystem_web_xml']) diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/webapps/kra/WEB-INF/acl.properties index 567747f..952bdad 100644 --- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties +++ b/base/kra/shared/webapps/kra/WEB-INF/acl.properties @@ -1,8 +1,8 @@ -# Restful API auth/authz mapping info +# Restful API authorization mapping info # # Format: -# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation> -# ex: admin.users = certServer.ca.users,read +# <mapping name> = <resource ID>,<operation> +# ex: admin.users = certServer.ca.users,read account.login = certServer.kra.account,login account.logout = certServer.kra.account,logout diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth-method.properties b/base/kra/shared/webapps/kra/WEB-INF/auth-method.properties new file mode 100644 index 0000000..29a2f23 --- /dev/null +++ b/base/kra/shared/webapps/kra/WEB-INF/auth-method.properties @@ -0,0 +1,10 @@ +# Restful API auth mapping info +# +# Format: +# <mapping name> = <allowed auth methods> +# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr + +default = * +account = certUserDBAuthMgr,passwdUserDBAuthMgr +admin = certUserDBAuthMgr +agent = certUserDBAuthMgr diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java index b205c6a..6b7f3e2 100644 --- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java +++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java @@ -6,6 +6,7 @@ import java.util.Set; import javax.ws.rs.core.Application; import com.netscape.certsrv.acls.ACLInterceptor; +import com.netscape.certsrv.authentication.AuthMethodInterceptor; import com.netscape.certsrv.base.PKIException; import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupMemberService; @@ -48,7 +49,8 @@ public class KeyRecoveryAuthorityApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); - // ACL interceptor + // interceptors + singletons.add(new AuthMethodInterceptor()); singletons.add(new ACLInterceptor()); } diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties index cd2e140..95fabba 100644 --- a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties +++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties @@ -1,8 +1,8 @@ -# Restful API auth/authz mapping info +# Restful API authorization mapping info # # Format: -# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation> -# ex: admin.users = certServer.ca.users,read +# <mapping name> = <resource ID>,<operation> +# ex: admin.users = certServer.ca.users,read account.login = certServer.ocsp.account,login account.logout = certServer.ocsp.account,logout diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth-method.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth-method.properties new file mode 100644 index 0000000..81e2440 --- /dev/null +++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth-method.properties @@ -0,0 +1,9 @@ +# Restful API auth mapping info +# +# Format: +# <mapping name> = <allowed auth methods> +# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr + +default = * +account = certUserDBAuthMgr,passwdUserDBAuthMgr +admin = certUserDBAuthMgr diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java index f9995c1..3a87378 100644 --- a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java +++ b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java @@ -6,6 +6,7 @@ import java.util.Set; import javax.ws.rs.core.Application; import com.netscape.certsrv.acls.ACLInterceptor; +import com.netscape.certsrv.authentication.AuthMethodInterceptor; import com.netscape.certsrv.base.PKIException; import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupMemberService; @@ -42,7 +43,8 @@ public class OCSPApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); - // ACL interceptor + // interceptors + singletons.add(new AuthMethodInterceptor()); singletons.add(new ACLInterceptor()); } diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth.properties b/base/tks/shared/webapps/tks/WEB-INF/acl.properties index 6de7f08..6236713 100644 --- a/base/tks/shared/webapps/tks/WEB-INF/auth.properties +++ b/base/tks/shared/webapps/tks/WEB-INF/acl.properties @@ -1,8 +1,8 @@ -# Restful API auth/authz mapping info +# Restful API authorization mapping info # # Format: -# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation> -# ex: admin.users = certServer.ca.users,read +# <mapping name> = <resource ID>,<operation> +# ex: admin.users = certServer.ca.users,read account.login = certServer.tks.account,login account.logout = certServer.tks.account,logout diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth-method.properties b/base/tks/shared/webapps/tks/WEB-INF/auth-method.properties new file mode 100644 index 0000000..81e2440 --- /dev/null +++ b/base/tks/shared/webapps/tks/WEB-INF/auth-method.properties @@ -0,0 +1,9 @@ +# Restful API auth mapping info +# +# Format: +# <mapping name> = <allowed auth methods> +# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr + +default = * +account = certUserDBAuthMgr,passwdUserDBAuthMgr +admin = certUserDBAuthMgr diff --git a/base/tks/src/com/netscape/tks/TKSApplication.java b/base/tks/src/com/netscape/tks/TKSApplication.java index 0939d1c..1ff1930 100644 --- a/base/tks/src/com/netscape/tks/TKSApplication.java +++ b/base/tks/src/com/netscape/tks/TKSApplication.java @@ -6,6 +6,7 @@ import java.util.Set; import javax.ws.rs.core.Application; import com.netscape.certsrv.acls.ACLInterceptor; +import com.netscape.certsrv.authentication.AuthMethodInterceptor; import com.netscape.certsrv.base.PKIException; import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupMemberService; @@ -42,7 +43,8 @@ public class TKSApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); - // ACL interceptor + // interceptors + singletons.add(new AuthMethodInterceptor()); singletons.add(new ACLInterceptor()); } |