summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEndi Sukma Dewata <edewata@redhat.com>2013-02-01 13:05:38 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2013-02-18 13:59:26 -0500
commitdb56da6d015d4fc040d73277c68fea590c5929b7 (patch)
tree686932298bfce30d8cdd10622f4b0fc51b554250
parentdd01437171044ecb4cdc63998250a4d9f3277119 (diff)
downloadpki-db56da6d015d4fc040d73277c68fea590c5929b7.zip
pki-db56da6d015d4fc040d73277c68fea590c5929b7.tar.gz
pki-db56da6d015d4fc040d73277c68fea590c5929b7.tar.xz
Added authentication method validation.ticket-477-7
A new mechanism has been added to specify the authentication methods that can be used to invoke the REST methods. The AuthMethodMapping annotation maps each REST method to a list of allowed authentication methods. When a client calls a REST method, the AuthMethodInterceptor will intercept the call and verify that the client uses an allowed authentication method. Most REST methods that require authentication have been configured to require client certificate authentication. Authentication using username and password will only be used to get the installation token from security domain. Ticket #477
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/auth.properties6
-rw-r--r--base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java4
-rw-r--r--base/common/src/com/netscape/certsrv/account/AccountResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/authentication/AuthMethodInterceptor.java170
-rw-r--r--base/common/src/com/netscape/certsrv/authentication/AuthMethodMapping.java31
-rw-r--r--base/common/src/com/netscape/certsrv/cert/CertRequestResource.java52
-rw-r--r--base/common/src/com/netscape/certsrv/cert/CertResource.java5
-rw-r--r--base/common/src/com/netscape/certsrv/group/GroupMemberResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/group/GroupResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/key/KeyRequestResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/key/KeyResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/profile/ProfileResource.java3
-rw-r--r--base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/user/UserCertResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/user/UserMembershipResource.java2
-rw-r--r--base/common/src/com/netscape/certsrv/user/UserResource.java2
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py5
-rw-r--r--base/deploy/src/scriptlets/slot_substitution.py2
-rw-r--r--base/kra/shared/webapps/kra/WEB-INF/auth.properties6
-rw-r--r--base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java4
-rw-r--r--base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties6
-rw-r--r--base/ocsp/src/com/netscape/ocsp/OCSPApplication.java4
-rw-r--r--base/tks/shared/webapps/tks/WEB-INF/auth.properties6
-rw-r--r--base/tks/src/com/netscape/tks/TKSApplication.java4
25 files changed, 284 insertions, 44 deletions
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
index b73b9ac..20f3dd8 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/auth.properties
+++ b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
@@ -1,8 +1,8 @@
-# Restful API auth/authz mapping info
+# Restful API authorization mapping info
#
# Format:
-# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# ex: admin.users = certServer.ca.users,read
account.login = certServer.ca.account,login
account.logout = certServer.ca.account,logout
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
index 4c81ff9..7b45222 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application;
import com.netscape.certsrv.acls.ACLInterceptor;
import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.AuthMethodInterceptor;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.base.PKIException;
@@ -87,7 +88,8 @@ public class CertificateAuthorityApplication extends Application {
// exception mapper
classes.add(PKIException.Mapper.class);
- // ACL interceptor
+ // interceptors
+ singletons.add(new AuthMethodInterceptor());
singletons.add(new ACLInterceptor());
}
diff --git a/base/common/src/com/netscape/certsrv/account/AccountResource.java b/base/common/src/com/netscape/certsrv/account/AccountResource.java
index a69a3d1..c18e26d 100644
--- a/base/common/src/com/netscape/certsrv/account/AccountResource.java
+++ b/base/common/src/com/netscape/certsrv/account/AccountResource.java
@@ -22,11 +22,13 @@ import javax.ws.rs.GET;
import javax.ws.rs.Path;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
/**
* @author Endi S. Dewata
*/
@Path("account")
+@AuthMethodMapping("account")
public interface AccountResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthMethodInterceptor.java b/base/common/src/com/netscape/certsrv/authentication/AuthMethodInterceptor.java
new file mode 100644
index 0000000..502c893
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthMethodInterceptor.java
@@ -0,0 +1,170 @@
+//--- BEGIN COPYRIGHT BLOCK ---
+//This program is free software; you can redistribute it and/or modify
+//it under the terms of the GNU General Public License as published by
+//the Free Software Foundation; version 2 of the License.
+//
+//This program is distributed in the hope that it will be useful,
+//but WITHOUT ANY WARRANTY; without even the implied warranty of
+//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+//GNU General Public License for more details.
+//
+//You should have received a copy of the GNU General Public License along
+//with this program; if not, write to the Free Software Foundation, Inc.,
+//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+//(C) 2013 Red Hat, Inc.
+//All rights reserved.
+//--- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+import java.io.IOException;
+import java.lang.reflect.Method;
+import java.net.URL;
+import java.security.Principal;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Properties;
+
+import javax.servlet.ServletContext;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.SecurityContext;
+import javax.ws.rs.ext.Provider;
+
+import org.jboss.resteasy.annotations.interception.Precedence;
+import org.jboss.resteasy.annotations.interception.ServerInterceptor;
+import org.jboss.resteasy.core.ResourceMethod;
+import org.jboss.resteasy.core.ServerResponse;
+import org.jboss.resteasy.spi.Failure;
+import org.jboss.resteasy.spi.HttpRequest;
+import org.jboss.resteasy.spi.interception.PreProcessInterceptor;
+
+import com.netscape.certsrv.base.ForbiddenException;
+import com.netscape.cmscore.realm.PKIPrincipal;
+
+
+/**
+ * @author Endi S. Dewata
+ */
+@Provider
+@ServerInterceptor
+@Precedence("SECURITY")
+public class AuthMethodInterceptor implements PreProcessInterceptor {
+
+ Properties authProperties;
+
+ @Context
+ ServletContext servletContext;
+
+ @Context
+ SecurityContext securityContext;
+
+ public synchronized void loadAuthProperties() throws IOException {
+
+ if (authProperties != null) return;
+
+ authProperties = new Properties();
+
+ URL url = servletContext.getResource("/WEB-INF/auth-method.properties");
+
+ if (url == null) {
+ authProperties.put("default", "*");
+ authProperties.put("account", "certUserDBAuthMgr,passwdUserDBAuthMgr");
+ authProperties.put("admin", "certUserDBAuthMgr");
+ authProperties.put("agent", "certUserDBAuthMgr");
+ authProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr");
+
+ } else {
+ authProperties.load(url.openStream());
+ }
+ }
+
+ @Override
+ public ServerResponse preProcess(
+ HttpRequest request,
+ ResourceMethod resourceMethod
+ ) throws Failure, ForbiddenException {
+
+ Class<?> clazz = resourceMethod.getResourceClass();
+ Method method = resourceMethod.getMethod();
+ System.out.println("AuthInterceptor: "+clazz.getSimpleName()+"."+method.getName()+"()");
+
+ // Get authentication mapping for the method.
+ AuthMethodMapping authMapping = method.getAnnotation(AuthMethodMapping.class);
+
+ // If not available, get authentication mapping for the class.
+ if (authMapping == null) {
+ authMapping = clazz.getAnnotation(AuthMethodMapping.class);
+ }
+
+ String name;
+ if (authMapping == null) {
+ // If not available, use the default mapping.
+ name = "default";
+ } else {
+ // Get the method label
+ name = authMapping.value();
+ }
+
+ System.out.println("AuthInterceptor: mapping name: "+name);
+
+ try {
+ loadAuthProperties();
+
+ String value = authProperties.getProperty(name);
+ Collection<String> authMethods = new HashSet<String>();
+ if (value != null) {
+ for (String v : value.split(",")) {
+ authMethods.add(v.trim());
+ }
+ }
+
+ System.out.println("AuthInterceptor: required auth methods: "+authMethods);
+
+ Principal principal = securityContext.getUserPrincipal();
+
+ // If unauthenticated, reject request.
+ if (principal == null) {
+ if (authMethods.isEmpty() || authMethods.contains("anonymous") || authMethods.contains("*")) {
+ System.out.println("AuthInterceptor: anonymous access allowed");
+ return null;
+ }
+ System.out.println("AuthInterceptor: anonymous access not allowed");
+ throw new ForbiddenException("Anonymous access not allowed.");
+ }
+
+ // If unrecognized principal, reject request.
+ if (!(principal instanceof PKIPrincipal)) {
+ System.out.println("AuthInterceptor: unknown principal");
+ throw new ForbiddenException("Unknown user principal");
+ }
+
+ PKIPrincipal pkiPrincipal = (PKIPrincipal)principal;
+ IAuthToken authToken = pkiPrincipal.getAuthToken();
+
+ // If missing auth token, reject request.
+ if (authToken == null) {
+ System.out.println("AuthInterceptor: missing authentication token");
+ throw new ForbiddenException("Missing authentication token.");
+ }
+
+ String authManager = (String)authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+ System.out.println("AuthInterceptor: authentication manager: "+authManager);
+
+ if (authManager == null) {
+ System.out.println("AuthInterceptor: missing authentication manager");
+ throw new ForbiddenException("Missing authentication manager.");
+ }
+
+ if (authMethods.isEmpty() || authMethods.contains(authManager) || authMethods.contains("*")) {
+ System.out.println("AuthInterceptor: "+authManager+" allowed");
+ return null;
+ }
+
+ throw new ForbiddenException("Authentication method not allowed.");
+
+ } catch (IOException e) {
+ e.printStackTrace();
+ throw new Failure(e);
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthMethodMapping.java b/base/common/src/com/netscape/certsrv/authentication/AuthMethodMapping.java
new file mode 100644
index 0000000..6170c0f
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthMethodMapping.java
@@ -0,0 +1,31 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2013 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.authentication;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+
+
+/**
+ * @author Endi S. Dewata
+ */
+@Retention(RetentionPolicy.RUNTIME)
+public @interface AuthMethodMapping {
+ public String value();
+}
diff --git a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java
index 0bd2851..2c103f7 100644
--- a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java
+++ b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java
@@ -28,11 +28,33 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
import com.netscape.certsrv.request.RequestId;
@Path("")
public interface CertRequestResource {
+ // Enrollment - used to test integration with a browser
+ @POST
+ @Path("certrequests")
+ @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @Consumes({ MediaType.APPLICATION_FORM_URLENCODED })
+ public CertRequestInfos enrollCert(MultivaluedMap<String, String> form);
+
+ @POST
+ @Path("certrequests")
+ @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ public CertRequestInfos enrollCert(CertEnrollmentRequest data);
+
+ /**
+ * Used to retrieve cert request info for a specific request
+ */
+ @GET
+ @Path("certrequests/{id}")
+ @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ public CertRequestInfo getRequestInfo(@PathParam("id") RequestId id);
+
/**
* Used to generate list of cert requests based on the search parameters
*/
@@ -40,6 +62,7 @@ public interface CertRequestResource {
@Path("agent/certrequests")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public CertRequestInfos listRequests(@QueryParam("requestState") String requestState,
@QueryParam("requestType") String requestType,
@QueryParam("start") RequestId start,
@@ -47,72 +70,59 @@ public interface CertRequestResource {
@QueryParam("maxResults") Integer maxResults,
@QueryParam("maxTime") Integer maxTime);
- /**
- * Used to retrieve cert request info for a specific request
- */
- @GET
- @Path("certrequests/{id}")
- @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
- public CertRequestInfo getRequestInfo(@PathParam("id") RequestId id);
-
@GET
@Path("agent/certrequests/{id}")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public CertReviewResponse reviewRequest(@PathParam("id") RequestId id);
- // Enrollment - used to test integration with a browser
- @POST
- @Path("certrequests")
- @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
- @Consumes({ MediaType.APPLICATION_FORM_URLENCODED })
- public CertRequestInfos enrollCert(MultivaluedMap<String, String> form);
-
- @POST
- @Path("certrequests")
- @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
- @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
- public CertRequestInfos enrollCert(CertEnrollmentRequest data);
-
@POST
@Path("agent/certrequests/{id}/approve")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public void approveRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/reject")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public void rejectRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/cancel")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public void cancelRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/update")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public void updateRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/validate")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public void validateRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/unassign")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public void unassignRequest(@PathParam("id") RequestId id, CertReviewResponse data);
@POST
@Path("agent/certrequests/{id}/assign")
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certrequests")
+ @AuthMethodMapping("agent")
public void assignRequest(@PathParam("id") RequestId id, CertReviewResponse data);
}
diff --git a/base/common/src/com/netscape/certsrv/cert/CertResource.java b/base/common/src/com/netscape/certsrv/cert/CertResource.java
index 1739503..a667fdc 100644
--- a/base/common/src/com/netscape/certsrv/cert/CertResource.java
+++ b/base/common/src/com/netscape/certsrv/cert/CertResource.java
@@ -11,6 +11,7 @@ import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
import com.netscape.certsrv.dbs.certdb.CertId;
@Path("")
@@ -45,6 +46,7 @@ public interface CertResource {
@Path("agent/certs/{id}")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certs")
+ @AuthMethodMapping("agent")
public CertData reviewCert(@PathParam("id") CertId id);
@POST
@@ -52,6 +54,7 @@ public interface CertResource {
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certs")
+ @AuthMethodMapping("agent")
public CertRequestInfo revokeCACert(@PathParam("id") CertId id, CertRevokeRequest request);
@POST
@@ -59,6 +62,7 @@ public interface CertResource {
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certs")
+ @AuthMethodMapping("agent")
public CertRequestInfo revokeCert(@PathParam("id") CertId id, CertRevokeRequest request);
@POST
@@ -66,5 +70,6 @@ public interface CertResource {
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("agent.certs")
+ @AuthMethodMapping("agent")
public CertRequestInfo unrevokeCert(@PathParam("id") CertId id, CertUnrevokeRequest request);
}
diff --git a/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java b/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java
index c984daa..cd4d2eb 100644
--- a/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java
+++ b/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java
@@ -32,12 +32,14 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
/**
* @author Endi S. Dewata
*/
@Path("admin/groups/{groupID}/members")
@ACLMapping("admin.groups")
+@AuthMethodMapping("admin")
public interface GroupMemberResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/group/GroupResource.java b/base/common/src/com/netscape/certsrv/group/GroupResource.java
index 17728dd..ffe32e2 100644
--- a/base/common/src/com/netscape/certsrv/group/GroupResource.java
+++ b/base/common/src/com/netscape/certsrv/group/GroupResource.java
@@ -32,12 +32,14 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
/**
* @author Endi S. Dewata
*/
@Path("admin/groups")
@ACLMapping("admin.groups")
+@AuthMethodMapping("admin")
public interface GroupResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java b/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java
index 9f1ffbe..6fc12d5 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java
@@ -11,10 +11,12 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
import com.netscape.certsrv.request.RequestId;
@Path("agent/keyrequests")
@ACLMapping("agent.keyrequests")
+@AuthMethodMapping("agent")
public interface KeyRequestResource {
public final String SYMMETRIC_KEY_TYPE = "symmetricKey";
diff --git a/base/common/src/com/netscape/certsrv/key/KeyResource.java b/base/common/src/com/netscape/certsrv/key/KeyResource.java
index da7f220..bcca6bb 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyResource.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyResource.java
@@ -10,10 +10,12 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
@Path("agent/keys")
@ACLMapping("agent.keys")
+@AuthMethodMapping("agent")
public interface KeyResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/profile/ProfileResource.java b/base/common/src/com/netscape/certsrv/profile/ProfileResource.java
index 6dadef5..572e6eb 100644
--- a/base/common/src/com/netscape/certsrv/profile/ProfileResource.java
+++ b/base/common/src/com/netscape/certsrv/profile/ProfileResource.java
@@ -6,8 +6,11 @@ import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
+
@Path("agent/profiles")
+@AuthMethodMapping("agent")
public interface ProfileResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java b/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java
index 01f159e..0799b55 100644
--- a/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java
+++ b/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java
@@ -26,12 +26,14 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
/**
* @author Ade Lee
*/
@Path("admin/kraconnector")
@ACLMapping("admin.kraconnector")
+@AuthMethodMapping("admin")
public interface KRAConnectorResource {
@POST
diff --git a/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java
index b34d9fe..740786f 100644
--- a/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java
+++ b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java
@@ -24,6 +24,7 @@ import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
/**
* @author alee
@@ -35,6 +36,7 @@ public interface SecurityDomainResource {
@Path("installToken")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@ACLMapping("securityDomain.installToken")
+ @AuthMethodMapping("securityDomain.installToken")
public InstallToken getInstallToken(
@QueryParam("hostname") String hostname,
@QueryParam("subsystem") String subsystem);
diff --git a/base/common/src/com/netscape/certsrv/user/UserCertResource.java b/base/common/src/com/netscape/certsrv/user/UserCertResource.java
index d85abd6..81133df 100644
--- a/base/common/src/com/netscape/certsrv/user/UserCertResource.java
+++ b/base/common/src/com/netscape/certsrv/user/UserCertResource.java
@@ -32,12 +32,14 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
/**
* @author Endi S. Dewata
*/
@Path("admin/users/{userID}/certs")
@ACLMapping("admin.users")
+@AuthMethodMapping("admin")
public interface UserCertResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/user/UserMembershipResource.java b/base/common/src/com/netscape/certsrv/user/UserMembershipResource.java
index eedc2c9..665a419 100644
--- a/base/common/src/com/netscape/certsrv/user/UserMembershipResource.java
+++ b/base/common/src/com/netscape/certsrv/user/UserMembershipResource.java
@@ -32,12 +32,14 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
/**
* @author Endi S. Dewata
*/
@Path("admin/users/{userID}/memberships")
@ACLMapping("admin.users")
+@AuthMethodMapping("admin")
public interface UserMembershipResource {
@GET
diff --git a/base/common/src/com/netscape/certsrv/user/UserResource.java b/base/common/src/com/netscape/certsrv/user/UserResource.java
index e72bb0c..0789928 100644
--- a/base/common/src/com/netscape/certsrv/user/UserResource.java
+++ b/base/common/src/com/netscape/certsrv/user/UserResource.java
@@ -32,12 +32,14 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
/**
* @author Endi S. Dewata
*/
@Path("admin/users")
@ACLMapping("admin.users")
+@AuthMethodMapping("admin")
public interface UserResource {
@GET
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index 7f2d585..aec1250 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -434,11 +434,6 @@ class PKIConfigParser:
config.pki_master_dict['pki_instance_configuration_path'],
"tomcat.conf")
# in-place slot substitution name/value pairs
- config.pki_master_dict['pki_target_auth_properties'] =\
- os.path.join(
- config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
- "WEB-INF",
- "auth.properties")
config.pki_master_dict['pki_target_velocity_properties'] =\
os.path.join(
config.pki_master_dict['pki_tomcat_webapps_subsystem_path'],
diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py
index 055908b..205ed49 100644
--- a/base/deploy/src/scriptlets/slot_substitution.py
+++ b/base/deploy/src/scriptlets/slot_substitution.py
@@ -70,8 +70,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_target_tomcat_conf'],
overwrite_flag=True)
util.file.apply_slot_substitution(
- master['pki_target_auth_properties'])
- util.file.apply_slot_substitution(
master['pki_target_velocity_properties'])
util.file.apply_slot_substitution(
master['pki_target_subsystem_web_xml'])
diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/webapps/kra/WEB-INF/auth.properties
index 567747f..952bdad 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties
+++ b/base/kra/shared/webapps/kra/WEB-INF/auth.properties
@@ -1,8 +1,8 @@
-# Restful API auth/authz mapping info
+# Restful API authorization mapping info
#
# Format:
-# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# ex: admin.users = certServer.ca.users,read
account.login = certServer.kra.account,login
account.logout = certServer.kra.account,logout
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
index b205c6a..6b7f3e2 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
@@ -6,6 +6,7 @@ import java.util.Set;
import javax.ws.rs.core.Application;
import com.netscape.certsrv.acls.ACLInterceptor;
+import com.netscape.certsrv.authentication.AuthMethodInterceptor;
import com.netscape.certsrv.base.PKIException;
import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
@@ -48,7 +49,8 @@ public class KeyRecoveryAuthorityApplication extends Application {
// exception mapper
classes.add(PKIException.Mapper.class);
- // ACL interceptor
+ // interceptors
+ singletons.add(new AuthMethodInterceptor());
singletons.add(new ACLInterceptor());
}
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
index cd2e140..95fabba 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
@@ -1,8 +1,8 @@
-# Restful API auth/authz mapping info
+# Restful API authorization mapping info
#
# Format:
-# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# ex: admin.users = certServer.ca.users,read
account.login = certServer.ocsp.account,login
account.logout = certServer.ocsp.account,logout
diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
index f9995c1..3a87378 100644
--- a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
+++ b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
@@ -6,6 +6,7 @@ import java.util.Set;
import javax.ws.rs.core.Application;
import com.netscape.certsrv.acls.ACLInterceptor;
+import com.netscape.certsrv.authentication.AuthMethodInterceptor;
import com.netscape.certsrv.base.PKIException;
import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
@@ -42,7 +43,8 @@ public class OCSPApplication extends Application {
// exception mapper
classes.add(PKIException.Mapper.class);
- // ACL interceptor
+ // interceptors
+ singletons.add(new AuthMethodInterceptor());
singletons.add(new ACLInterceptor());
}
diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth.properties b/base/tks/shared/webapps/tks/WEB-INF/auth.properties
index 6de7f08..6236713 100644
--- a/base/tks/shared/webapps/tks/WEB-INF/auth.properties
+++ b/base/tks/shared/webapps/tks/WEB-INF/auth.properties
@@ -1,8 +1,8 @@
-# Restful API auth/authz mapping info
+# Restful API authorization mapping info
#
# Format:
-# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation>
-# ex: admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# ex: admin.users = certServer.ca.users,read
account.login = certServer.tks.account,login
account.logout = certServer.tks.account,logout
diff --git a/base/tks/src/com/netscape/tks/TKSApplication.java b/base/tks/src/com/netscape/tks/TKSApplication.java
index 0939d1c..1ff1930 100644
--- a/base/tks/src/com/netscape/tks/TKSApplication.java
+++ b/base/tks/src/com/netscape/tks/TKSApplication.java
@@ -6,6 +6,7 @@ import java.util.Set;
import javax.ws.rs.core.Application;
import com.netscape.certsrv.acls.ACLInterceptor;
+import com.netscape.certsrv.authentication.AuthMethodInterceptor;
import com.netscape.certsrv.base.PKIException;
import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
@@ -42,7 +43,8 @@ public class TKSApplication extends Application {
// exception mapper
classes.add(PKIException.Mapper.class);
- // ACL interceptor
+ // interceptors
+ singletons.add(new AuthMethodInterceptor());
singletons.add(new ACLInterceptor());
}