Enabled SSL authenticator and PKI realm.

The SSL connection has been configured with clientAuth="want" so users can choose whether to provide a client certificate or username and password. The authentication and authorization will be handled by the SSL authenticator with fallback and PKI realm. New access control rules have been added for users, groups, and certs REST services. Ticket #107
author: Endi Sukma Dewata <edewata@redhat.com> 2012-07-26 20:40:08 -0500
committer: Endi Sukma Dewata <edewata@redhat.com> 2012-08-03 17:07:20 -0500
commit: 9ca367e9c16273af11909f4c72f9c5cf5ddb0b4d (patch)
tree: d6ea91b97102cb948b7c767c08e96f50951aa720 /base/ca
parent: eca4d635e67eaf3c6878d35acfaaf11df53151e2 (diff)
download: pki-9ca367e9c16273af11909f4c72f9c5cf5ddb0b4d.tar.gz
pki-9ca367e9c16273af11909f4c72f9c5cf5ddb0b4d.tar.xz
pki-9ca367e9c16273af11909f4c72f9c5cf5ddb0b4d.zip
4 files changed, 48 insertions, 1 deletions
diff --git a/base/ca/shared/conf/acl.ldif b/base/ca/shared/conf/acl.ldif
index ceea1f27a..aec1447e5 100644
--- a/base/ca/shared/conf/acl.ldif
+++ b/base/ca/shared/conf/acl.ldif
@@ -51,3 +51,6 @@ resourceACLS: certServer.ca.connectorInfo:read,modify:allow (modify,read) group=
 resourceACLS: certServer.ca.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent
 resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
 resourceACLS: certServer.admin.ocsp:read,modify:allow (modify,read) group="Enterprise OCSP Administrators":Only Enterprise Administrators are allowed to read or update the OCSP configuration.
+resourceACLS: certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations
+resourceACLS: certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
+resourceACLS: certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
diff --git a/base/ca/shared/conf/server.xml b/base/ca/shared/conf/server.xml
index 4056fbbb7..60317d2fa 100644
--- a/base/ca/shared/conf/server.xml
+++ b/base/ca/shared/conf/server.xml
@@ -84,7 +84,7 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
     -->
 
     [PKI_UNSECURE_PORT_SERVER_COMMENT]
-    <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="8443" 
+    <Connector name="[PKI_UNSECURE_PORT_CONNECTOR_NAME]" port="[PKI_UNSECURE_PORT]" protocol="HTTP/1.1" redirectPort="[PKI_SECURE_PORT]"
 	       maxHttpHeaderSize="8192"
 	       acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
 	       enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true"
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
new file mode 100644
index 000000000..ebb1c6c3f
--- /dev/null
+++ b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
@@ -0,0 +1,9 @@
+# Restful API auth/authz mapping info
+#
+# Format:
+# <Rest API URL> = <ACL Resource ID>,<ACL resource operation>
+# ex:      /ca/pki/users = certServer.ca.users,read
+
+/ca/rest/admin/users = certServer.ca.users,execute
+/ca/rest/admin/groups = certServer.ca.groups,execute
+/ca/rest/agent/certs = certServer.ca.certs,execute
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index 7ec3932c9..af474872e 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -2382,5 +2382,40 @@
    <session-config>
         <session-timeout>30</session-timeout>
    </session-config>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Admin Services</web-resource-name>
+            <url-pattern>/rest/admin/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>*</role-name>
+        </auth-constraint>
+        <user-data-constraint>
+            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Agent Services</web-resource-name>
+            <url-pattern>/rest/agent/certs/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>*</role-name>
+        </auth-constraint>
+        <user-data-constraint>
+            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
+    <login-config>
+        <realm-name>Certificate Authority</realm-name>
+    </login-config>
+
+    <security-role>
+        <role-name>*</role-name>
+    </security-role>
+
 </web-app>
author	Endi Sukma Dewata <edewata@redhat.com>	2012-07-26 20:40:08 -0500
committer	Endi Sukma Dewata <edewata@redhat.com>	2012-08-03 17:07:20 -0500
commit	9ca367e9c16273af11909f4c72f9c5cf5ddb0b4d (patch)
tree	d6ea91b97102cb948b7c767c08e96f50951aa720 /base/ca
parent	eca4d635e67eaf3c6878d35acfaaf11df53151e2 (diff)
download	pki-9ca367e9c16273af11909f4c72f9c5cf5ddb0b4d.tar.gz pki-9ca367e9c16273af11909f4c72f9c5cf5ddb0b4d.tar.xz pki-9ca367e9c16273af11909f4c72f9c5cf5ddb0b4d.zip