authorMatthew Harmsen <mharmsen@redhat.com>2012-07-03 17:52:33 -0700
committerMatthew Harmsen <mharmsen@redhat.com>2012-07-19 10:15:56 -0700
commit0ce6c97e4fe0e36786b78c273833b8f1dfbc12b4 (patch)
tree79c0152be9f49069e977d0156283dbed746e7cfb /base/common/src/com
parent32b2670ba16084896e10ae27f7ce7b50313e375a (diff)
PKI Deployment Scriptlets
* Integration of Tomcat 7 * Introduction of dependency upon tomcatjss 7.0 * Removal of http filtering configuration mechanisms * Introduction of additional slot substitution to support revised filesystem layout * Addition of 'pkiuser' uid:gid creation methods * Inclusion of per instance '*.profile' files * Introduction of configurable 'configurationRoot' parameter * Introduction of default configuration of 'log4j' mechanism (alee) * Modify web.xml to use new Application classes to bootstrap servers (alee) * Introduction of "Wrapper" logic to support Tomcat 6 --> Tomcat 7 API change (jmagne) * Added jython helper function to allow attaching a remote java debugger (e. g. - eclipse)
Diffstat (limited to 'base/common/src/com')
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java4
-rw-r--r--base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java21
2 files changed, 15 insertions, 10 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index 35ec7c515..6ad9e7680 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -371,8 +371,10 @@ public class CertUtil {
String instanceRoot = config.getString("instanceRoot");
+ String configurationRoot = config.getString("configurationRoot");
+
CertInfoProfile processor = new CertInfoProfile(
- instanceRoot + "/conf/" + profile);
+ instanceRoot + configurationRoot + profile);
// cfu - create request to enable renewal
try {
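Review bot: The path on the `new CertInfoProfile(` line is now `instanceRoot + configurationRoot + profile`, which is only well-formed if `configurationRoot` carries both its leading and trailing `/`, as the replaced literal `"/conf/"` did. Nothing visible in this hunk checks that, and an instance whose configuration predates the new key would presumably fail at `config.getString("configurationRoot")` instead of falling back to the old layout. If the config store's two-argument form is available here, `String configurationRoot = config.getString("configurationRoot", "/conf/");` keeps existing instances working, and a comment such as `// configurationRoot must begin and end with '/'` records the expectation. Because this file selects the profile used to build the certificate, it is also worth confirming that the resolved path stays under the instance directory. The enclosing method starts and ends outside the hunk.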
diff --git a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
index 86debf3da..bd551baf0 100644
--- a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
+++ b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
@@ -28,6 +28,7 @@ import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.JNDIRealm;
+import org.apache.catalina.Wrapper;
/*
* Self contained PKI JNDI Real that overrides the standard JNDI Realm
@@ -206,6 +207,8 @@ public class PKIJNDIRealm extends JNDIRealm {
boolean allowed = super.hasResourcePermission(request, response, constraints, context);
+ Wrapper wrapper = request.getWrapper();
+
if (allowed == true && hasResourceACLS()) {
loadAuthzProperties(context);
@@ -238,7 +241,7 @@ public class PKIJNDIRealm extends JNDIRealm {
}
}
- allowed = checkACLPermission(principal, resourceID, operation);
+ allowed = checkACLPermission(principal, resourceID, operation, wrapper);
logDebug("resourceID: " + resourceID + " operation: " + operation + " allowed: " + allowed);
}
}
@@ -351,7 +354,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// Check a PKI ACL resourceID and operation for permissions
// If the check fails the user (principal) is not authorized to access the resource
- private boolean checkACLPermission(Principal principal, String resourceId, String operation) {
+ private boolean checkACLPermission(Principal principal, String resourceId, String operation, Wrapper wrapper) {
boolean allowed = true;
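Review bot: `checkACLPermission` still begins with `boolean allowed = true;`, so any path through the body that returns without reassigning it grants access. The same fail-open default appears in `evaluateExpression`, where `boolean allowed = true;` sits directly ahead of the `principal == null || expression == null` check. For an authorization decision the safer shape is `boolean allowed = false;`, set to true only once an ACL entry has matched; both bodies continue outside these hunks, so whether an early exit actually returns the default cannot be confirmed from here. The comment above the signature should also cover the new parameter, e.g. `// wrapper: servlet Wrapper of the current request, passed through to hasRole()`.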
@@ -378,7 +381,7 @@ public class PKIJNDIRealm extends JNDIRealm {
String expressions = entry.getAttributeExpressions();
- allowed = evaluateExpressions(principal, expressions);
+ allowed = evaluateExpressions(principal, expressions, wrapper);
if (isEntryNegative) {
allowed = !allowed;
@@ -400,7 +403,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// Evaluate an expression as part of a PKI ACL
// Ex: user=anybody , group=Data Recovery Manager Agents
- private boolean evaluateExpression(Principal principal, String expression) {
+ private boolean evaluateExpression(Principal principal, String expression, Wrapper wrapper) {
boolean allowed = true;
if (principal == null || expression == null) {
@@ -445,7 +448,7 @@ public class PKIJNDIRealm extends JNDIRealm {
allowed = false;
if (left.equals(PROP_GROUP)) {
// Check JNDI to see if the user has this role/group
- if (hasRole(principal, right)) {
+ if (hasRole(wrapper, principal, right)) {
allowed = true;
}
} else if (left.equals(PROP_USER)) {
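Review bot: Passing `wrapper` into `hasRole(wrapper, principal, right)` may change which group the ACL tests: assuming the call resolves to Tomcat 7's `RealmBase.hasRole(Wrapper, Principal, String)`, the group name from the ACL expression is first translated through the servlet's `<security-role-ref>` entries. A role-ref alias in web.xml that collides with a PKI group name would then redirect the JNDI lookup to a different group. If ACL group names are meant to be literal, document that next to the call, e.g. `// NOTE: 'right' is subject to security-role-ref mapping of the request's servlet`, and confirm that no deployed web.xml declares a colliding alias. `request.getWrapper()` can presumably be null for a request that was not mapped to a servlet, so a one-line comment stating that a null wrapper is tolerated by `hasRole` would help the next reader. The body of `evaluateExpression` continues outside the hunk.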
@@ -482,7 +485,7 @@ public class PKIJNDIRealm extends JNDIRealm {
}
// Take a set of expressions in an ACL and evaluate it
- private boolean evaluateExpressions(Principal principal, String s) {
+ private boolean evaluateExpressions(Principal principal, String s, Wrapper wrapper) {
Vector<Object> v = new Vector<Object>();
@@ -492,7 +495,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// this is the last expression
if (orIndex == -1 && andIndex == -1) {
- boolean passed = evaluateExpression(principal, s.trim());
+ boolean passed = evaluateExpression(principal, s.trim(), wrapper);
v.addElement(Boolean.valueOf(passed));
break;
@@ -500,7 +503,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// || first
} else if (andIndex == -1 || (orIndex != -1 && orIndex < andIndex)) {
String s1 = s.substring(0, orIndex);
- boolean passed = evaluateExpression(principal, s1.trim());
+ boolean passed = evaluateExpression(principal, s1.trim(), wrapper);
v.addElement(Boolean.valueOf(passed));
v.addElement("||");
@@ -508,7 +511,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// && first
} else {
String s1 = s.substring(0, andIndex);
- boolean passed = evaluateExpression(principal, s1.trim());
+ boolean passed = evaluateExpression(principal, s1.trim(), wrapper);
v.addElement(Boolean.valueOf(passed));
v.addElement("&&");