summaryrefslogtreecommitdiffstats
path: root/base/ca
diff options
context:
space:
mode:
authorEndi S. Dewata <edewata@redhat.com>2013-11-25 12:36:05 -0500
committerEndi S. Dewata <edewata@redhat.com>2013-12-05 15:24:01 -0500
commit7944522cac99d91ac05c743661af68a2ed43df9b (patch)
treedb738116a98b18025ab42b008a9b132779e63009 /base/ca
parent00bb577863e057dc29697c73b03b2e3948808a54 (diff)
downloadpki-7944522cac99d91ac05c743661af68a2ed43df9b.tar.gz
pki-7944522cac99d91ac05c743661af68a2ed43df9b.tar.xz
pki-7944522cac99d91ac05c743661af68a2ed43df9b.zip
Added ACL for selftests.
New ACL has been added to allow only the administrators in each subsystem to access the selftests. Ticket #652
Diffstat (limited to 'base/ca')
-rw-r--r--base/ca/shared/conf/acl.ldif1
-rw-r--r--base/ca/shared/conf/acl.properties2
-rw-r--r--base/ca/shared/webapps/ca/WEB-INF/web.xml13
3 files changed, 16 insertions, 0 deletions
diff --git a/base/ca/shared/conf/acl.ldif b/base/ca/shared/conf/acl.ldif
index d5385e8e2..0da10939f 100644
--- a/base/ca/shared/conf/acl.ldif
+++ b/base/ca/shared/conf/acl.ldif
@@ -55,4 +55,5 @@ resourceACLS: certServer.ca.account:login,logout:allow (login,logout) user="anyb
resourceACLS: certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations
resourceACLS: certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations
resourceACLS: certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
+resourceACLS: certServer.ca.selftests:read,execute:allow (read,execute) group="Administrators":Only admins can access selftests.
resourceACLS: certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
diff --git a/base/ca/shared/conf/acl.properties b/base/ca/shared/conf/acl.properties
index 1c6651e4f..d14d1832c 100644
--- a/base/ca/shared/conf/acl.properties
+++ b/base/ca/shared/conf/acl.properties
@@ -18,4 +18,6 @@ profiles.list = certServer.ee.profiles,list
profiles.modify = certServer.profile.configuration,modify
profiles.read = certServer.profile.configuration,read
securityDomain.installToken = certServer.securitydomain.domainxml,read
+selftests.read = certServer.ca.selftests,read
+selftests.execute = certServer.ca.selftests,execute
users = certServer.ca.users,execute
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index 32f5786a1..6bf137ca7 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -2463,6 +2463,19 @@
<security-constraint>
<web-resource-collection>
+ <web-resource-name>Self Tests</web-resource-name>
+ <url-pattern>/rest/selftests/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
<web-resource-name>Profile Services</web-resource-name>
<url-pattern>/rest/profiles/*</url-pattern>
</web-resource-collection>