diff options
author | Endi S. Dewata <edewata@redhat.com> | 2013-08-16 11:50:15 -0400 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2013-08-20 14:23:12 -0400 |
commit | 4a2880f466451d8089409d83474a7339bffffe25 (patch) | |
tree | 0e2523ab44a17a2c0ebe928e3b7395691dd7fd27 /base/common/src/com/netscape/certsrv/acls | |
parent | 443bffbe31971a66ce7b83c3f447057957b121cb (diff) | |
download | pki-4a2880f466451d8089409d83474a7339bffffe25.tar.gz pki-4a2880f466451d8089409d83474a7339bffffe25.tar.xz pki-4a2880f466451d8089409d83474a7339bffffe25.zip |
Reorganized interceptors.
The ACLInterceptor and AuthMethodInterceptor interceptors only run
on the server, so they have been moved from the base package into
the server package.
Diffstat (limited to 'base/common/src/com/netscape/certsrv/acls')
-rw-r--r-- | base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java | 153 |
1 files changed, 0 insertions, 153 deletions
diff --git a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java deleted file mode 100644 index c30740260..000000000 --- a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java +++ /dev/null @@ -1,153 +0,0 @@ -//--- BEGIN COPYRIGHT BLOCK --- -//This program is free software; you can redistribute it and/or modify -//it under the terms of the GNU General Public License as published by -//the Free Software Foundation; version 2 of the License. -// -//This program is distributed in the hope that it will be useful, -//but WITHOUT ANY WARRANTY; without even the implied warranty of -//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -//GNU General Public License for more details. -// -//You should have received a copy of the GNU General Public License along -//with this program; if not, write to the Free Software Foundation, Inc., -//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -//(C) 2012 Red Hat, Inc. -//All rights reserved. -//--- END COPYRIGHT BLOCK --- -package com.netscape.certsrv.acls; - -import java.io.IOException; -import java.lang.reflect.Method; -import java.net.URL; -import java.security.Principal; -import java.util.Properties; - -import javax.servlet.ServletContext; -import javax.ws.rs.core.Context; -import javax.ws.rs.core.SecurityContext; -import javax.ws.rs.ext.Provider; - -import org.jboss.resteasy.annotations.interception.Precedence; -import org.jboss.resteasy.annotations.interception.ServerInterceptor; -import org.jboss.resteasy.core.ResourceMethod; -import org.jboss.resteasy.core.ServerResponse; -import org.jboss.resteasy.spi.Failure; -import org.jboss.resteasy.spi.HttpRequest; -import org.jboss.resteasy.spi.interception.PreProcessInterceptor; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.IAuthToken; -import com.netscape.certsrv.authorization.AuthzToken; -import com.netscape.certsrv.authorization.EAuthzAccessDenied; -import com.netscape.certsrv.authorization.IAuthzSubsystem; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.ForbiddenException; -import com.netscape.cmscore.realm.PKIPrincipal; - - -/** - * @author Endi S. Dewata - */ -@Provider -@ServerInterceptor -@Precedence("SECURITY") -public class ACLInterceptor implements PreProcessInterceptor { - - Properties authProperties; - - @Context - ServletContext servletContext; - - @Context - SecurityContext securityContext; - - public synchronized void loadAuthProperties() throws IOException { - - if (authProperties != null) return; - - URL url = servletContext.getResource("/WEB-INF/auth.properties"); - authProperties = new Properties(); - authProperties.load(url.openStream()); - } - - @Override - public ServerResponse preProcess( - HttpRequest request, - ResourceMethod resourceMethod - ) throws Failure, ForbiddenException { - - // Get ACL mapping for the method. - Method method = resourceMethod.getMethod(); - ACLMapping aclMapping = method.getAnnotation(ACLMapping.class); - - // If not available, get ACL mapping for the class. - if (aclMapping == null) { - Class<?> clazz = method.getDeclaringClass(); - aclMapping = clazz.getAnnotation(ACLMapping.class); - } - - // If still not available, it's unprotected, allow request. - if (aclMapping == null) return null; - - Principal principal = securityContext.getUserPrincipal(); - - // If unauthenticated, reject request. - if (principal == null) { - throw new ForbiddenException("No user principal provided."); - } - - // If unrecognized principal, reject request. - if (!(principal instanceof PKIPrincipal)) { - throw new ForbiddenException("Invalid user principal"); - } - - PKIPrincipal pkiPrincipal = (PKIPrincipal)principal; - IAuthToken authToken = pkiPrincipal.getAuthToken(); - - // If missing auth token, reject request. - if (authToken == null) { - throw new ForbiddenException("No authorization token present."); - } - - try { - loadAuthProperties(); - - String name = aclMapping.value(); - String value = authProperties.getProperty(name); - - // If no property defined, allow request. - if (value == null) return null; - - String values[] = value.split(","); - - // If invalid mapping, reject request. - if (values.length != 2) { - throw new ForbiddenException("Invalid ACL mapping."); - } - - // Check authorization. - IAuthzSubsystem mAuthz = (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ); - AuthzToken authzToken = mAuthz.authorize( - "DirAclAuthz", - authToken, - values[0], // resource - values[1]); // operation - - // If not authorized, reject request. - if (authzToken == null) { - throw new ForbiddenException("No authorization token present."); - } - - } catch (EAuthzAccessDenied e) { - throw new ForbiddenException(e.toString()); - - } catch (IOException|EBaseException e) { - e.printStackTrace(); - throw new Failure(e); - } - - // Allow request. - return null; - } -} |