diff options
author | Endi Sukma Dewata <edewata@redhat.com> | 2012-07-26 20:40:08 -0500 |
---|---|---|
committer | Endi Sukma Dewata <edewata@redhat.com> | 2012-08-03 17:07:20 -0500 |
commit | 9ca367e9c16273af11909f4c72f9c5cf5ddb0b4d (patch) | |
tree | d6ea91b97102cb948b7c767c08e96f50951aa720 /base/ca/shared/webapps/ca | |
parent | eca4d635e67eaf3c6878d35acfaaf11df53151e2 (diff) | |
download | pki-9ca367e9c16273af11909f4c72f9c5cf5ddb0b4d.tar.gz pki-9ca367e9c16273af11909f4c72f9c5cf5ddb0b4d.tar.xz pki-9ca367e9c16273af11909f4c72f9c5cf5ddb0b4d.zip |
Enabled SSL authenticator and PKI realm.
The SSL connection has been configured with clientAuth="want" so
users can choose whether to provide a client certificate or username
and password. The authentication and authorization will be handled
by the SSL authenticator with fallback and PKI realm. New access
control rules have been added for users, groups, and certs REST
services.
Ticket #107
Diffstat (limited to 'base/ca/shared/webapps/ca')
-rw-r--r-- | base/ca/shared/webapps/ca/WEB-INF/auth.properties | 9 | ||||
-rw-r--r-- | base/ca/shared/webapps/ca/WEB-INF/web.xml | 35 |
2 files changed, 44 insertions, 0 deletions
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/auth.properties new file mode 100644 index 000000000..ebb1c6c3f --- /dev/null +++ b/base/ca/shared/webapps/ca/WEB-INF/auth.properties @@ -0,0 +1,9 @@ +# Restful API auth/authz mapping info +# +# Format: +# <Rest API URL> = <ACL Resource ID>,<ACL resource operation> +# ex: /ca/pki/users = certServer.ca.users,read + +/ca/rest/admin/users = certServer.ca.users,execute +/ca/rest/admin/groups = certServer.ca.groups,execute +/ca/rest/agent/certs = certServer.ca.certs,execute diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml index 7ec3932c9..af474872e 100644 --- a/base/ca/shared/webapps/ca/WEB-INF/web.xml +++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml @@ -2382,5 +2382,40 @@ <session-config> <session-timeout>30</session-timeout> </session-config> + + <security-constraint> + <web-resource-collection> + <web-resource-name>Admin Services</web-resource-name> + <url-pattern>/rest/admin/*</url-pattern> + </web-resource-collection> + <auth-constraint> + <role-name>*</role-name> + </auth-constraint> + <user-data-constraint> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + + <security-constraint> + <web-resource-collection> + <web-resource-name>Agent Services</web-resource-name> + <url-pattern>/rest/agent/certs/*</url-pattern> + </web-resource-collection> + <auth-constraint> + <role-name>*</role-name> + </auth-constraint> + <user-data-constraint> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + + <login-config> + <realm-name>Certificate Authority</realm-name> + </login-config> + + <security-role> + <role-name>*</role-name> + </security-role> + </web-app> |