Added user REST service.

The user REST service is based on UsrGrpAdminServlet. It provides an interface
to manage users and user certificates.

Ticket #160

13 files changed, 1842 insertions, 5 deletions

diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
index 8ca357c7f..2b9f76e4c 100644
--- a/base/common/src/CMakeLists.txt
+++ b/base/common/src/CMakeLists.txt
@@ -23,6 +23,20 @@ find_file(COMMONS_CODEC_JAR
         /usr/share/java
 )
 
+find_file(COMMONS_HTTPCLIENT_JAR
+    NAMES
+        commons-httpclient.jar
+    PATHS
+        /usr/share/java
+)
+
+find_file(APACHE_COMMONS_LANG_JAR
+    NAMES
+        apache-commons-lang.jar
+    PATHS
+        /usr/share/java
+)
+
 find_file(TOMCAT_CATALINA_JAR
     NAMES
         catalina.jar
@@ -76,6 +90,13 @@ find_file(RESTEASY_JAXRS_JAR
         /usr/share/java/resteasy
 )
 
+find_file(RESTEASY_ATOM_PROVIDER_JAR
+    NAMES
+        resteasy-atom-provider.jar
+    PATHS
+        /usr/share/java/resteasy
+)
+
 find_file(HTTPCLIENT_JAR
     NAMES
         httpclient.jar
@@ -113,6 +134,12 @@ set(pki-certsrv_java_SRCS
     com/netscape/certsrv/common/ConfigConstants.java
     com/netscape/certsrv/common/OpDef.java
     com/netscape/certsrv/common/Constants.java
+    com/netscape/certsrv/user/UserCertCollection.java
+    com/netscape/certsrv/user/UserCertData.java
+    com/netscape/certsrv/user/UserCertResource.java
+    com/netscape/certsrv/user/UserCollection.java
+    com/netscape/certsrv/user/UserData.java
+    com/netscape/certsrv/user/UserResource.java
     com/netscape/certsrv/usrgrp/EUsrGrpException.java
     com/netscape/certsrv/usrgrp/IGroupConstants.java
     com/netscape/certsrv/usrgrp/Certificates.java
@@ -575,6 +602,8 @@ set(pki-cms_java_SRCS
     com/netscape/cms/servlet/admin/AdminResources.java
     com/netscape/cms/servlet/admin/SystemCertificateResource.java
     com/netscape/cms/servlet/admin/SystemCertificateResourceService.java
+    com/netscape/cms/servlet/admin/UserCertResourceService.java
+    com/netscape/cms/servlet/admin/UserResourceService.java
     com/netscape/cms/servlet/key/DisplayBySerial.java
     com/netscape/cms/servlet/key/SrchKey.java
     com/netscape/cms/servlet/key/DisplayTransport.java
@@ -1090,7 +1119,10 @@ set(pki-cmsbundle_RCS
 set(CMAKE_JAVA_INCLUDE_PATH
     ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR}
     ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR}
-    ${JSS_JAR} ${COMMONS_CODEC_JAR} ${TOMCAT_CATALINA_JAR} ${SYMKEY_JAR} ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${HTTPCLIENT_JAR} ${HTTPCORE_JAR})
+    ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR} ${APACHE_COMMONS_LANG_JAR}
+    ${TOMCAT_CATALINA_JAR} ${SYMKEY_JAR}
+    ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR}
+    ${HTTPCLIENT_JAR} ${HTTPCORE_JAR})
 
 set(CMAKE_JAVA_TARGET_VERSION ${APPLICATION_VERSION})
 
diff --git a/base/common/src/LogMessages.properties b/base/common/src/LogMessages.properties
index bd108bf80..550df1b5e 100644
--- a/base/common/src/LogMessages.properties
+++ b/base/common/src/LogMessages.properties
@@ -491,8 +491,9 @@ CMSCORE_USRGRP_LIST_USERS=List Users Error {0}
 CMSCORE_USRGRP_BUILD_USER=DN not found {0}
 CMSCORE_USRGRP_ADD_USER=add User: Could not get connection to internaldb. Error {0}
 CMSCORE_USRGRP_ADD_USER_CERT=add User Certificate {0}
-CMSCORE_USRGRP_REMOVE_USER=remove User {0}
-CMSCORE_USRGRP_REMOVE_USER_FROM_GROUP=remove User From Group {0}
+CMSCORE_USRGRP_ADD_USER_TO_GROUP=Add User To Group {0}
+CMSCORE_USRGRP_REMOVE_USER=Remove User {0}
+CMSCORE_USRGRP_REMOVE_USER_FROM_GROUP=Remove User From Group {0}
 CMSCORE_USRGRP_FIND_GROUPS=Find Group {0}
 CMSCORE_USRGRP_LIST_GROUPS=List Group {0}
 CMSCORE_USRGRP_BUILD_GROUP=Build Group {0}
diff --git a/base/common/src/com/netscape/certsrv/user/UserCertCollection.java b/base/common/src/com/netscape/certsrv/user/UserCertCollection.java
new file mode 100644
index 000000000..a395ed73c
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/user/UserCertCollection.java
@@ -0,0 +1,60 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.user;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+
+import org.jboss.resteasy.plugins.providers.atom.Link;
+
+/**
+ * @author Endi S. Dewata
+ */
+@XmlRootElement(name="UserCerts")
+public class UserCertCollection {
+
+    List<UserCertData> certs = new ArrayList<UserCertData>();
+    Collection<Link> links = new ArrayList<Link>();
+
+    @XmlElement(name="Cert")
+    public Collection<UserCertData> getCerts() {
+        return certs;
+    }
+
+    public void addCert(UserCertData cert) {
+        certs.add(cert);
+    }
+
+    @XmlElement(name="Link")
+    public Collection<Link> getLinks() {
+        return links;
+    }
+
+    public void setLink(Collection<Link> links) {
+        this.links = links;
+    }
+
+    public void addLink(Link link) {
+        links.add(link);
+    }
+}
diff --git a/base/common/src/com/netscape/certsrv/user/UserCertData.java b/base/common/src/com/netscape/certsrv/user/UserCertData.java
new file mode 100644
index 000000000..d77e1dc8b
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/user/UserCertData.java
@@ -0,0 +1,254 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.user;
+
+import java.io.PrintWriter;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.math.BigInteger;
+import java.util.StringTokenizer;
+
+import javax.ws.rs.FormParam;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Marshaller;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+
+import org.jboss.resteasy.plugins.providers.atom.Link;
+
+import com.netscape.certsrv.common.Constants;
+
+/**
+ * @author Endi S. Dewata
+ */
+@XmlRootElement(name="UserCert")
+public class UserCertData {
+
+    public static Marshaller marshaller;
+    public static Unmarshaller unmarshaller;
+
+    static {
+        try {
+            marshaller = JAXBContext.newInstance(UserCertData.class).createMarshaller();
+            marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
+            unmarshaller = JAXBContext.newInstance(UserCertData.class).createUnmarshaller();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    Integer version;
+    BigInteger serialNumber;
+    String issuerDN;
+    String subjectDN;
+    String prettyPrint;
+    String encoded;
+
+    Link link;
+
+    @XmlAttribute(name="id")
+    public String getID() {
+        if (version == null && serialNumber == null && issuerDN == null && subjectDN == null) {
+            return null;
+        } else {
+            return version + ";" + serialNumber + ";" + issuerDN + ";" + subjectDN;
+        }
+    }
+
+    public void setID(String id) {
+        StringTokenizer st = new StringTokenizer(id, ";");
+        version = Integer.valueOf(st.nextToken());
+        serialNumber = new BigInteger(st.nextToken());
+        issuerDN = st.nextToken();
+        subjectDN = st.nextToken();
+    }
+
+    @XmlElement(name="Version")
+    public Integer getVersion() {
+        return version;
+    }
+
+    public void setVersion(Integer version) {
+        this.version = version;
+    }
+
+    @XmlElement(name="SerialNumber")
+    public BigInteger getSerialNumber() {
+        return serialNumber;
+    }
+
+    public void setSerialNumber(BigInteger serialNumber) {
+        this.serialNumber = serialNumber;
+    }
+
+    @XmlElement(name="IssuerDN")
+    public String getIssuerDN() {
+        return issuerDN;
+    }
+
+    public void setIssuerDN(String issuerDN) {
+        this.issuerDN = issuerDN;
+    }
+
+    @XmlElement(name="SubjectDN")
+    public String getSubjectDN() {
+        return subjectDN;
+    }
+
+    public void setSubjectDN(String subjectDN) {
+        this.subjectDN = subjectDN;
+    }
+
+    @XmlElement(name="PrettyPrint")
+    public String getPrettyPrint() {
+        return prettyPrint;
+    }
+
+    public void setPrettyPrint(String prettyPrint) {
+        this.prettyPrint = prettyPrint;
+    }
+
+    @FormParam(Constants.PR_USER_CERT)
+    @XmlElement(name="Encoded")
+    public String getEncoded() {
+        return encoded;
+    }
+
+    public void setEncoded(String encoded) {
+        this.encoded = encoded;
+    }
+
+    @XmlElement(name="Link")
+    public Link getLink() {
+        return link;
+    }
+
+    public void setLink(Link link) {
+        this.link = link;
+    }
+
+    @Override
+    public int hashCode() {
+        final int prime = 31;
+        int result = 1;
+        result = prime * result + ((encoded == null) ? 0 : encoded.hashCode());
+        result = prime * result + ((issuerDN == null) ? 0 : issuerDN.hashCode());
+        result = prime * result + ((prettyPrint == null) ? 0 : prettyPrint.hashCode());
+        result = prime * result + ((serialNumber == null) ? 0 : serialNumber.hashCode());
+        result = prime * result + ((subjectDN == null) ? 0 : subjectDN.hashCode());
+        result = prime * result + ((version == null) ? 0 : version.hashCode());
+        return result;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj)
+            return true;
+        if (obj == null)
+            return false;
+        if (getClass() != obj.getClass())
+            return false;
+        UserCertData other = (UserCertData) obj;
+        if (encoded == null) {
+            if (other.encoded != null)
+                return false;
+        } else if (!encoded.equals(other.encoded))
+            return false;
+        if (issuerDN == null) {
+            if (other.issuerDN != null)
+                return false;
+        } else if (!issuerDN.equals(other.issuerDN))
+            return false;
+        if (prettyPrint == null) {
+            if (other.prettyPrint != null)
+                return false;
+        } else if (!prettyPrint.equals(other.prettyPrint))
+            return false;
+        if (serialNumber == null) {
+            if (other.serialNumber != null)
+                return false;
+        } else if (!serialNumber.equals(other.serialNumber))
+            return false;
+        if (subjectDN == null) {
+            if (other.subjectDN != null)
+                return false;
+        } else if (!subjectDN.equals(other.subjectDN))
+            return false;
+        if (version == null) {
+            if (other.version != null)
+                return false;
+        } else if (!version.equals(other.version))
+            return false;
+        return true;
+    }
+
+    public String toString() {
+        try {
+            StringWriter sw = new StringWriter();
+            marshaller.marshal(this, sw);
+            return sw.toString();
+
+        } catch (Exception e) {
+            return super.toString();
+        }
+    }
+
+    public static UserCertData valueOf(String string) throws Exception {
+        try {
+            return (UserCertData)unmarshaller.unmarshal(new StringReader(string));
+        } catch (Exception e) {
+            return null;
+        }
+    }
+
+    public static void main(String args[]) throws Exception {
+
+        StringWriter sw = new StringWriter();
+        PrintWriter out = new PrintWriter(sw, true);
+
+        out.println("-----BEGIN CERTIFICATE-----");
+        out.println("MIIB/zCCAWgCCQCtpWH58pqsejANBgkqhkiG9w0BAQUFADBEMRQwEgYDVQQKDAtF");
+        out.println("WEFNUExFLUNPTTEYMBYGCgmSJomT8ixkAQEMCHRlc3R1c2VyMRIwEAYDVQQDDAlU");
+        out.println("ZXN0IFVzZXIwHhcNMTIwNTE0MTcxNzI3WhcNMTMwNTE0MTcxNzI3WjBEMRQwEgYD");
+        out.println("VQQKDAtFWEFNUExFLUNPTTEYMBYGCgmSJomT8ixkAQEMCHRlc3R1c2VyMRIwEAYD");
+        out.println("VQQDDAlUZXN0IFVzZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKmmiPJp");
+        out.println("Agh/gPUAZjfgJ3a8QiHvpMzZ/hZy1FVP3+2sNhCkMv+D/I8Y7AsrbJGxxvD7bTDm");
+        out.println("zQYtYx2ryGyOgY7KBRxEj/IrNVHIkJMYq5G/aIU4FAzpc6ntNSwUQBYUAamfK8U6");
+        out.println("Wo4Cp6rLePXIDE6sfGn3VX6IeSJ8U2V+vwtzAgMBAAEwDQYJKoZIhvcNAQEFBQAD");
+        out.println("gYEAY9bjcD/7Z+oX6gsJtX6Rd79E7X5IBdOdArYzHNE4vjdaQrZw6oCxrY8ffpKC");
+        out.println("0T0q5PX9I7er+hx/sQjGPMrJDEN+vFBSNrZE7sTeLRgkyiqGvChSyuG05GtGzXO4");
+        out.println("bFBr+Gwk2VF2wJvOhTXU2hN8sfkkd9clzIXuL8WCDhWk1bY=");
+        out.println("-----END CERTIFICATE-----");
+
+        UserCertData before = new UserCertData();
+        before.setVersion(1);
+        before.setSerialNumber(new BigInteger("12512514865863765114"));
+        before.setIssuerDN("CN=Test User,UID=testuser,O=EXAMPLE-COM");
+        before.setSubjectDN("CN=Test User,UID=testuser,O=EXAMPLE-COM");
+        before.setEncoded(sw.toString());
+
+        String string = before.toString();
+        System.out.println(string);
+
+        UserCertData after = UserCertData.valueOf(string);
+        System.out.println(before.equals(after));
+    }
+}
diff --git a/base/common/src/com/netscape/certsrv/user/UserCertResource.java b/base/common/src/com/netscape/certsrv/user/UserCertResource.java
new file mode 100644
index 000000000..b9339bc33
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/user/UserCertResource.java
@@ -0,0 +1,63 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.user;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+import org.jboss.resteasy.annotations.ClientResponseType;
+
+/**
+ * @author Endi S. Dewata
+ */
+@Path("/users/{userID}/certs")
+public interface UserCertResource {
+
+    @GET
+    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+    public UserCertCollection findUserCerts(
+            @PathParam("userID") String userID,
+            @QueryParam("start") Integer start,
+            @QueryParam("size") Integer size);
+
+
+    @POST
+    @ClientResponseType(entityType=UserCertData.class)
+    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+    public Response addUserCert(@PathParam("userID") String userID, UserCertData userCertData);
+
+    @GET
+    @Path("/{certID}")
+    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+    public UserCertData getUserCert(@PathParam("userID") String userID, @PathParam("certID") String certID);
+
+    @DELETE
+    @Path("/{certID}")
+    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+    public void removeUserCert(@PathParam("userID") String userID, @PathParam("certID") String certID);
+}
diff --git a/base/common/src/com/netscape/certsrv/user/UserCollection.java b/base/common/src/com/netscape/certsrv/user/UserCollection.java
new file mode 100644
index 000000000..d92ecc208
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/user/UserCollection.java
@@ -0,0 +1,65 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.user;
+
+import java.util.ArrayList;
+import java.util.Collection;
+
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlElementRef;
+import javax.xml.bind.annotation.XmlRootElement;
+
+import org.jboss.resteasy.plugins.providers.atom.Link;
+
+
+/**
+ * @author Endi S. Dewata
+ */
+@XmlRootElement(name="Users")
+public class UserCollection {
+
+    Collection<UserData> users = new ArrayList<UserData>();
+    Collection<Link> links = new ArrayList<Link>();
+
+    @XmlElementRef
+    public Collection<UserData> getUsers() {
+        return users;
+    }
+
+    public void setUsers(Collection<UserData> users) {
+        this.users = users;
+    }
+
+    public void addUser(UserData userData) {
+        users.add(userData);
+    }
+
+    @XmlElement(name="Link")
+    public Collection<Link> getLinks() {
+        return links;
+    }
+
+    public void setLink(Collection<Link> links) {
+        this.links = links;
+    }
+
+    public void addLink(Link link) {
+        links.add(link);
+    }
+}
diff --git a/base/common/src/com/netscape/certsrv/user/UserData.java b/base/common/src/com/netscape/certsrv/user/UserData.java
new file mode 100644
index 000000000..b62d02231
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/user/UserData.java
@@ -0,0 +1,239 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.user;
+
+import java.io.StringReader;
+import java.io.StringWriter;
+
+import javax.ws.rs.FormParam;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Marshaller;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+
+import org.jboss.resteasy.plugins.providers.atom.Link;
+
+import com.netscape.certsrv.common.Constants;
+
+/**
+ * @author Endi S. Dewata
+ */
+@XmlRootElement(name="User")
+public class UserData {
+
+    public static Marshaller marshaller;
+    public static Unmarshaller unmarshaller;
+
+    static {
+        try {
+            marshaller = JAXBContext.newInstance(UserData.class).createMarshaller();
+            marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
+            unmarshaller = JAXBContext.newInstance(UserData.class).createUnmarshaller();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    String id;
+    String fullName;
+    String email;
+    String password;
+    String phone;
+    String type;
+    String state;
+
+    Link link;
+
+    @XmlAttribute(name="id")
+    public String getID() {
+        return id;
+    }
+
+    public void setID(String id) {
+        this.id = id;
+    }
+
+    @FormParam(Constants.PR_USER_FULLNAME)
+    @XmlElement(name="FullName")
+    public String getFullName() {
+        return fullName;
+    }
+
+    public void setFullName(String fullName) {
+        this.fullName = fullName;
+    }
+
+    @FormParam(Constants.PR_USER_EMAIL)
+    @XmlElement(name="Email")
+    public String getEmail() {
+        return email;
+    }
+
+    public void setEmail(String email) {
+        this.email = email;
+    }
+
+    @FormParam(Constants.PR_USER_PASSWORD)
+    @XmlElement(name="Password")
+    public String getPassword() {
+        return password;
+    }
+
+    public void setPassword(String password) {
+        this.password = password;
+    }
+
+    @FormParam(Constants.PR_USER_PHONE)
+    @XmlElement(name="Phone")
+    public String getPhone() {
+        return phone;
+    }
+
+    public void setPhone(String phone) {
+        this.phone = phone;
+    }
+
+    @FormParam(Constants.PR_USER_TYPE)
+    @XmlElement(name="Type")
+    public String getType() {
+        return type;
+    }
+
+    public void setType(String type) {
+        this.type = type;
+    }
+
+    @FormParam(Constants.PR_USER_STATE)
+    @XmlElement(name="State")
+    public String getState() {
+        return state;
+    }
+
+    public void setState(String state) {
+        this.state = state;
+    }
+
+    @XmlElement(name="Link")
+    public Link getLink() {
+        return link;
+    }
+
+    public void setLink(Link link) {
+        this.link = link;
+    }
+
+    @Override
+    public int hashCode() {
+        final int prime = 31;
+        int result = 1;
+        result = prime * result + ((email == null) ? 0 : email.hashCode());
+        result = prime * result + ((fullName == null) ? 0 : fullName.hashCode());
+        result = prime * result + ((id == null) ? 0 : id.hashCode());
+        result = prime * result + ((password == null) ? 0 : password.hashCode());
+        result = prime * result + ((phone == null) ? 0 : phone.hashCode());
+        result = prime * result + ((state == null) ? 0 : state.hashCode());
+        result = prime * result + ((type == null) ? 0 : type.hashCode());
+        return result;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj)
+            return true;
+        if (obj == null)
+            return false;
+        if (getClass() != obj.getClass())
+            return false;
+        UserData other = (UserData) obj;
+        if (email == null) {
+            if (other.email != null)
+                return false;
+        } else if (!email.equals(other.email))
+            return false;
+        if (fullName == null) {
+            if (other.fullName != null)
+                return false;
+        } else if (!fullName.equals(other.fullName))
+            return false;
+        if (id == null) {
+            if (other.id != null)
+                return false;
+        } else if (!id.equals(other.id))
+            return false;
+        if (password == null) {
+            if (other.password != null)
+                return false;
+        } else if (!password.equals(other.password))
+            return false;
+        if (phone == null) {
+            if (other.phone != null)
+                return false;
+        } else if (!phone.equals(other.phone))
+            return false;
+        if (state == null) {
+            if (other.state != null)
+                return false;
+        } else if (!state.equals(other.state))
+            return false;
+        if (type == null) {
+            if (other.type != null)
+                return false;
+        } else if (!type.equals(other.type))
+            return false;
+        return true;
+    }
+
+    public String toString() {
+        try {
+            StringWriter sw = new StringWriter();
+            marshaller.marshal(this, sw);
+            return sw.toString();
+
+        } catch (Exception e) {
+            return super.toString();
+        }
+    }
+
+    public static UserData valueOf(String string) throws Exception {
+        try {
+            return (UserData)unmarshaller.unmarshal(new StringReader(string));
+        } catch (Exception e) {
+            return null;
+        }
+    }
+
+    public static void main(String args[]) throws Exception {
+
+        UserData before = new UserData();
+        before.setID("testuser");
+        before.setFullName("Test User");
+        before.setEmail("testuser@example.com");
+        before.setPassword("12345");
+        before.setPhone("1234567890");
+        before.setState("1");
+
+        String string = before.toString();
+        System.out.println(string);
+
+        UserData after = UserData.valueOf(string);
+        System.out.println(before.equals(after));
+    }
+}
diff --git a/base/common/src/com/netscape/certsrv/user/UserResource.java b/base/common/src/com/netscape/certsrv/user/UserResource.java
new file mode 100644
index 000000000..fae700bc3
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/user/UserResource.java
@@ -0,0 +1,69 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.user;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.DELETE;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+import org.jboss.resteasy.annotations.ClientResponseType;
+
+/**
+ * @author Endi S. Dewata
+ */
+@Path("/users")
+public interface UserResource {
+
+    @GET
+    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+    public UserCollection findUsers(
+            @QueryParam("filter") String filter,
+            @QueryParam("start") Integer start,
+            @QueryParam("size") Integer size);
+
+    @POST
+    @ClientResponseType(entityType=UserData.class)
+    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+    public Response addUser(UserData userData);
+
+    @GET
+    @Path("/{userID}")
+    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+    public UserData getUser(@PathParam("userID") String userID);
+
+    @POST
+    @Path("/{userID}")
+    @ClientResponseType(entityType=UserData.class)
+    @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+    public Response modifyUser(@PathParam("userID") String userID, UserData userData);
+
+    @DELETE
+    @Path("/{userID}")
+    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+    public void removeUser(@PathParam("userID") String userID);
+}
diff --git a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
index aa8b65575..60a1f70ea 100644
--- a/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
+++ b/base/common/src/com/netscape/certsrv/usrgrp/IUGSubsystem.java
@@ -240,6 +240,11 @@ public interface IUGSubsystem extends ISubsystem, IUsrGrp {
     public String getCertificateString(X509Certificate cert);
 
     /**
+     * Searchs for identities that matches the filter.
+     */
+    public Enumeration<IUser> findUsers(String filter) throws EUsrGrpException;
+
+    /**
      * Searchs for identities that matches the certificate locater
      * generated filter.
      *
diff --git a/base/common/src/com/netscape/cms/servlet/admin/UserCertResourceService.java b/base/common/src/com/netscape/cms/servlet/admin/UserCertResourceService.java
new file mode 100644
index 000000000..ebeb5b134
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/admin/UserCertResourceService.java
@@ -0,0 +1,484 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.servlet.admin;
+
+import java.net.URI;
+import java.net.URLDecoder;
+import java.net.URLEncoder;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
+import java.util.Map;
+
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+import netscape.ldap.LDAPException;
+import netscape.security.pkcs.PKCS7;
+import netscape.security.x509.X509CertImpl;
+
+import org.jboss.resteasy.plugins.providers.atom.Link;
+import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.crypto.InternalCertificate;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.ICertPrettyPrint;
+import com.netscape.certsrv.common.OpDef;
+import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.logging.IAuditor;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.user.UserCertCollection;
+import com.netscape.certsrv.user.UserCertData;
+import com.netscape.certsrv.user.UserCertResource;
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
+import com.netscape.certsrv.usrgrp.IUser;
+import com.netscape.cms.servlet.base.CMSException;
+import com.netscape.cms.servlet.base.CMSResourceService;
+import com.netscape.cmsutil.util.Cert;
+import com.netscape.cmsutil.util.Utils;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class UserCertResourceService extends CMSResourceService implements UserCertResource {
+
+    public final static int DEFAULT_SIZE = 20;
+
+    public IUGSubsystem userGroupManager = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+
+    public UserCertData createUserCertData(String userID, X509Certificate cert) throws Exception {
+
+        UserCertData userCertData = new UserCertData();
+
+        userCertData.setVersion(cert.getVersion());
+        userCertData.setSerialNumber(cert.getSerialNumber());
+        userCertData.setIssuerDN(cert.getIssuerDN().toString());
+        userCertData.setSubjectDN(cert.getSubjectDN().toString());
+
+        userID = URLEncoder.encode(userID, "UTF-8");
+        String certID = URLEncoder.encode(userCertData.getID(), "UTF-8");
+        URI uri = uriInfo.getBaseUriBuilder().path(UserCertResource.class).path("{certID}").build(userID, certID);
+        userCertData.setLink(new Link("self", uri));
+
+        return userCertData;
+    }
+
+    /**
+     * List user certificate(s)
+     *
+     * Request/Response Syntax:
+     * http://warp.mcom.com/server/certificate/columbo/design/
+     * ui/admin-protocol-definition.html#user-admin
+     */
+    @Override
+    public UserCertCollection findUserCerts(String userID, Integer start, Integer size) {
+        try {
+            start = start == null ? 0 : start;
+            size = size == null ? DEFAULT_SIZE : size;
+
+            if (userID == null) {
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+                throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID"));
+            }
+
+            IUser user = null;
+
+            try {
+                user = userGroupManager.getUser(userID);
+            } catch (Exception e) {
+                throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_USER_NOT_EXIST"));
+            }
+
+            if (user == null) {
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_USER_NOT_EXIST"));
+                throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_USER_NOT_EXIST"));
+            }
+
+            UserCertCollection response = new UserCertCollection();
+
+            X509Certificate[] certs = user.getX509Certificates();
+            if (certs != null) {
+                for (int i=start; i<start+size && i<certs.length; i++) {
+                    X509Certificate cert = certs[i];
+                    response.addCert(createUserCertData(userID, cert));
+                }
+
+                if (start > 0) {
+                    URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", Math.max(start-size, 0)).build();
+                    response.addLink(new Link("prev", uri));
+                }
+
+                if (start+size < certs.length) {
+                    URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", start+size).build();
+                    response.addLink(new Link("next", uri));
+                }
+            }
+
+            return response;
+
+        } catch (CMSException e) {
+            throw e;
+
+        } catch (Exception e) {
+            throw new CMSException(e.getMessage());
+        }
+    }
+
+    @Override
+    public UserCertData getUserCert(String userID, String certID) {
+        try {
+            if (userID == null) {
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+
+                throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID"));
+            }
+
+            IUser user = null;
+
+            try {
+                user = userGroupManager.getUser(userID);
+            } catch (Exception e) {
+                throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_USER_NOT_EXIST"));
+            }
+
+            if (user == null) {
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_USER_NOT_EXIST"));
+                throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_USER_NOT_EXIST"));
+            }
+
+            X509Certificate[] certs = user.getX509Certificates();
+
+            if (certs == null) {
+                throw new CMSException("Certificate not found");
+            }
+
+            try {
+                certID = URLDecoder.decode(certID, "UTF-8");
+            } catch (Exception e) {
+                throw new CMSException(e.getMessage());
+            }
+
+            for (X509Certificate cert : certs) {
+
+                UserCertData userCertData = createUserCertData(userID, cert);
+
+                if (!userCertData.getID().equals(certID)) continue;
+
+                ICertPrettyPrint print = CMS.getCertPrettyPrint(cert);
+                userCertData.setPrettyPrint(print.toString(getLocale()));
+
+                // add base64 encoding
+                String base64 = CMS.getEncodedCert(cert);
+                userCertData.setEncoded(base64);
+
+                return userCertData;
+            }
+
+            throw new CMSException("Certificate not found");
+
+        } catch (CMSException e) {
+            throw e;
+
+        } catch (Exception e) {
+            throw new CMSException(e.getMessage());
+        }
+    }
+
+    /**
+     * Adds a certificate to a user
+     * <P>
+     *
+     * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/
+     * ui/admin-protocol-definition.html#user-admin
+     * <P>
+     *
+     * <ul>
+     * <li>signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under
+     * users/groups)
+     * </ul>
+     */
+    @Override
+    public Response addUserCert(String userID, UserCertData userCertData) {
+
+        // ensure that any low-level exceptions are reported
+        // to the signed audit log and stored as failures
+        try {
+            if (userID == null) {
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+                throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID"));
+            }
+
+            IUser user = userGroupManager.createUser(userID);
+
+            String encoded = userCertData.getEncoded();
+            encoded = Cert.normalizeCertStrAndReq(encoded);
+            encoded = Cert.stripBrackets(encoded);
+
+            // no cert is a success
+            if (encoded == null) {
+                auditAddUserCert(userID, userCertData, ILogger.SUCCESS);
+                return Response.ok().build();
+            }
+
+            // only one cert added per operation
+            X509Certificate cert = null;
+
+            // Base64 decode cert
+            byte binaryCert[] = Utils.base64decode(encoded);
+
+            try {
+                cert = new X509CertImpl(binaryCert);
+
+            } catch (CertificateException e) {
+                // ignore
+            }
+
+            if (cert == null) {
+                // cert chain direction
+                boolean assending = true;
+
+                // could it be a pkcs7 blob?
+                CMS.debug("UserCertResourceService: " + CMS.getLogMessage("ADMIN_SRVLT_IS_PK_BLOB"));
+
+                try {
+                    CryptoManager manager = CryptoManager.getInstance();
+
+                    PKCS7 pkcs7 = new PKCS7(binaryCert);
+
+                    X509Certificate p7certs[] = pkcs7.getCertificates();
+
+                    if (p7certs.length == 0) {
+                        throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_CERT_ERROR"));
+                    }
+
+                    // fix for 370099 - cert ordering can not be assumed
+                    // find out the ordering ...
+
+                    // self-signed and alone? take it. otherwise test
+                    // the ordering
+                    if (p7certs[0].getSubjectDN().toString().equals(
+                            p7certs[0].getIssuerDN().toString()) &&
+                            (p7certs.length == 1)) {
+                        cert = p7certs[0];
+                        CMS.debug("UserCertResourceService: " + CMS.getLogMessage("ADMIN_SRVLT_SINGLE_CERT_IMPORT"));
+
+                    } else if (p7certs[0].getIssuerDN().toString().equals(p7certs[1].getSubjectDN().toString())) {
+                        cert = p7certs[0];
+                        CMS.debug("UserCertResourceService: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_CHAIN_ACEND_ORD"));
+
+                    } else if (p7certs[1].getIssuerDN().toString().equals(p7certs[0].getSubjectDN().toString())) {
+                        assending = false;
+                        CMS.debug("UserCertResourceService: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_CHAIN_DESC_ORD"));
+                        cert = p7certs[p7certs.length - 1];
+
+                    } else {
+                        // not a chain, or in random order
+                        CMS.debug("UserCertResourceService: " + CMS.getLogMessage("ADMIN_SRVLT_CERT_BAD_CHAIN"));
+                        throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_CERT_ERROR"));
+                    }
+
+                    CMS.debug("UserCertResourceService: "
+                            + CMS.getLogMessage("ADMIN_SRVLT_CHAIN_STORED_DB", String.valueOf(p7certs.length)));
+
+                    int j = 0;
+                    int jBegin = 0;
+                    int jEnd = 0;
+
+                    if (assending == true) {
+                        jBegin = 1;
+                        jEnd = p7certs.length;
+                    } else {
+                        jBegin = 0;
+                        jEnd = p7certs.length - 1;
+                    }
+
+                    // store the chain into cert db, except for the user cert
+                    for (j = jBegin; j < jEnd; j++) {
+                        CMS.debug("UserCertResourceService: "
+                                + CMS.getLogMessage("ADMIN_SRVLT_CERT_IN_CHAIN", String.valueOf(j),
+                                        String.valueOf(p7certs[j].getSubjectDN())));
+                        org.mozilla.jss.crypto.X509Certificate leafCert =
+                                manager.importCACertPackage(p7certs[j].getEncoded());
+
+                        if (leafCert == null) {
+                            log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_LEAF_CERT_NULL"));
+                        } else {
+                            CMS.debug("UserCertResourceService: " + CMS.getLogMessage("ADMIN_SRVLT_LEAF_CERT_NON_NULL"));
+                        }
+
+                        if (leafCert instanceof InternalCertificate) {
+                            ((InternalCertificate) leafCert).setSSLTrust(
+                                    InternalCertificate.VALID_CA |
+                                            InternalCertificate.TRUSTED_CA |
+                                            InternalCertificate.TRUSTED_CLIENT_CA);
+                        } else {
+                            log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NOT_INTERNAL_CERT",
+                                    String.valueOf(p7certs[j].getSubjectDN())));
+                        }
+                    }
+
+                /*
+                } catch (CryptoManager.UserCertConflictException e) {
+                    // got a "user cert" in the chain, most likely the CA
+                    // cert of this instance, which has a private key.  Ignore
+                    log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_PKS7_IGNORED", e.toString()));
+                */
+                } catch (Exception e) {
+                    log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_ERROR", e.toString()));
+                    throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_CERT_ERROR"));
+                }
+            }
+
+            try {
+                CMS.debug("UserCertResourceService: " + CMS.getLogMessage("ADMIN_SRVLT_BEFORE_VALIDITY"));
+                cert.checkValidity(); // throw exception if fails
+
+                user.setX509Certificates(new X509Certificate[] { cert });
+                userGroupManager.addUserCert(user);
+
+                auditAddUserCert(userID, userCertData, ILogger.SUCCESS);
+
+                // read the data back
+
+                userCertData.setVersion(cert.getVersion());
+                userCertData.setSerialNumber(cert.getSerialNumber());
+                userCertData.setIssuerDN(cert.getIssuerDN().toString());
+                userCertData.setSubjectDN(cert.getSubjectDN().toString());
+                String certID = userCertData.getID();
+
+                userCertData = getUserCert(userID, URLEncoder.encode(certID, "UTF-8"));
+
+                return Response
+                        .created(userCertData.getLink().getHref())
+                        .entity(userCertData)
+                        .type(MediaType.APPLICATION_XML)
+                        .build();
+
+            } catch (CertificateExpiredException e) {
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_ADD_CERT_EXPIRED",
+                        String.valueOf(cert.getSubjectDN())));
+                throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_CERT_EXPIRED"));
+
+            } catch (CertificateNotYetValidException e) {
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_CERT_NOT_YET_VALID",
+                        String.valueOf(cert.getSubjectDN())));
+                throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_CERT_NOT_YET_VALID"));
+
+            } catch (LDAPException e) {
+                if (e.getLDAPResultCode() == LDAPException.ATTRIBUTE_OR_VALUE_EXISTS) {
+                    throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_USER_CERT_EXISTS"));
+                } else {
+                    throw new CMSException(getUserMessage("CMS_USRGRP_USER_MOD_FAILED"));
+                }
+            }
+
+        } catch (CMSException e) {
+            auditAddUserCert(userID, userCertData, ILogger.FAILURE);
+            throw e;
+
+        } catch (Exception e) {
+            log(ILogger.LL_FAILURE, e.toString());
+            auditAddUserCert(userID, userCertData, ILogger.FAILURE);
+            throw new CMSException(getUserMessage("CMS_USRGRP_USER_MOD_FAILED"));
+        }
+    }
+
+    /**
+     * Removes a certificate for a user
+     * <P>
+     *
+     * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/
+     * ui/admin-protocol-definition.html#user-admin
+     * <P>
+     *
+     * In this method, "certDN" is actually a combination of version, serialNumber, issuerDN, and SubjectDN.
+     * <P>
+     *
+     * <ul>
+     * <li>signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under
+     * users/groups)
+     * </ul>
+     */
+    @Override
+    public void removeUserCert(String userID, String certID) {
+
+        try {
+            certID = URLDecoder.decode(certID, "UTF-8");
+        } catch (Exception e) {
+            throw new CMSException(e.getMessage());
+        }
+
+        UserCertData userCertData = new UserCertData();
+        userCertData.setID(certID);
+        removeUserCert(userID, userCertData);
+    }
+
+    public void removeUserCert(String userID, UserCertData userCertData) {
+
+        // ensure that any low-level exceptions are reported
+        // to the signed audit log and stored as failures
+        try {
+            if (userID == null) {
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+                throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID"));
+            }
+
+            IUser user = userGroupManager.createUser(userID);
+            String certID = userCertData.getID();
+
+            // no certDN is a success
+            if (certID == null) {
+                auditDeleteUserCert(userID, userCertData, ILogger.SUCCESS);
+                return;
+            }
+
+            user.setCertDN(certID);
+
+            userGroupManager.removeUserCert(user);
+
+            auditDeleteUserCert(userID, userCertData, ILogger.SUCCESS);
+
+        } catch (CMSException e) {
+            auditDeleteUserCert(userID, userCertData, ILogger.FAILURE);
+            throw e;
+
+        } catch (Exception e) {
+            log(ILogger.LL_FAILURE, e.toString());
+            auditDeleteUserCert(userID, userCertData, ILogger.FAILURE);
+            throw new CMSException(getUserMessage("CMS_USRGRP_USER_MOD_FAILED"));
+        }
+    }
+
+    public void log(int level, String message) {
+        log(ILogger.S_USRGRP, level, message);
+    }
+
+    public void auditAddUserCert(String id, UserCertData userCertData, String status) {
+        audit(OpDef.OP_ADD, id, getParams(userCertData), status);
+    }
+
+    public void auditDeleteUserCert(String id, UserCertData userCertData, String status) {
+        audit(OpDef.OP_DELETE, id, getParams(userCertData), status);
+    }
+
+    public void audit(String type, String id, Map<String, String> params, String status) {
+        audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_USER_CERTS, type, id, params, status);
+    }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/admin/UserResourceService.java b/base/common/src/com/netscape/cms/servlet/admin/UserResourceService.java
new file mode 100644
index 000000000..1639c5912
--- /dev/null
+++ b/base/common/src/com/netscape/cms/servlet/admin/UserResourceService.java
@@ -0,0 +1,483 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2012 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.servlet.admin;
+
+import java.net.URI;
+import java.net.URLEncoder;
+import java.util.Enumeration;
+import java.util.Map;
+
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+import netscape.ldap.LDAPException;
+
+import org.apache.commons.lang.StringUtils;
+import org.jboss.resteasy.plugins.providers.atom.Link;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.common.OpDef;
+import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.logging.IAuditor;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.password.IPasswordCheck;
+import com.netscape.certsrv.user.UserCollection;
+import com.netscape.certsrv.user.UserData;
+import com.netscape.certsrv.user.UserResource;
+import com.netscape.certsrv.usrgrp.EUsrGrpException;
+import com.netscape.certsrv.usrgrp.IGroup;
+import com.netscape.certsrv.usrgrp.IUGSubsystem;
+import com.netscape.certsrv.usrgrp.IUser;
+import com.netscape.cms.servlet.base.CMSException;
+import com.netscape.cms.servlet.base.CMSResourceService;
+import com.netscape.cmsutil.ldap.LDAPUtil;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class UserResourceService extends CMSResourceService implements UserResource {
+
+    public final static int DEFAULT_SIZE = 20;
+
+    public final static String BACK_SLASH = "\\";
+    public final static String SYSTEM_USER = "$System$";
+
+    public IUGSubsystem userGroupManager = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
+
+    public UserData createUserData(IUser user) throws Exception {
+
+        UserData userData = new UserData();
+
+        String id = user.getUserID();
+        if (!StringUtils.isEmpty(id)) userData.setID(id);
+
+        String fullName = user.getFullName();
+        if (!StringUtils.isEmpty(fullName)) userData.setFullName(fullName);
+
+        String userID = URLEncoder.encode(id, "UTF-8");
+        URI uri = uriInfo.getBaseUriBuilder().path(UserResource.class).path("{userID}").build(userID);
+        userData.setLink(new Link("self", uri));
+
+        return userData;
+    }
+
+    /**
+     * Searches for users in LDAP directory.
+     *
+     * Request/Response Syntax:
+     * http://warp.mcom.com/server/certificate/columbo/design/
+     * ui/admin-protocol-definition.html#user-admin
+     */
+    @Override
+    public UserCollection findUsers(String filter, Integer start, Integer size) {
+        try {
+            filter = StringUtils.isEmpty(filter) ? "*" : "*"+LDAPUtil.escapeFilter(filter)+"*";
+            start = start == null ? 0 : start;
+            size = size == null ? DEFAULT_SIZE : size;
+
+            Enumeration<IUser> users = userGroupManager.findUsers(filter);
+
+            UserCollection response = new UserCollection();
+
+            int i = 0;
+
+            // skip to the start of the page
+            for ( ; i<start && users.hasMoreElements(); i++) users.nextElement();
+
+            // return entries up to the page size
+            for ( ; i<start+size && users.hasMoreElements(); i++) {
+                IUser user = users.nextElement();
+                response.addUser(createUserData(user));
+            }
+
+            // count the total entries
+            for ( ; users.hasMoreElements(); i++) users.nextElement();
+
+            if (start > 0) {
+                URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", Math.max(start-size, 0)).build();
+                response.addLink(new Link("prev", uri));
+            }
+
+            if (start+size < i) {
+                URI uri = uriInfo.getRequestUriBuilder().replaceQueryParam("start", start+size).build();
+                response.addLink(new Link("next", uri));
+            }
+
+            return response;
+
+        } catch (Exception e) {
+            throw new CMSException(getUserMessage("CMS_INTERNAL_ERROR"));
+        }
+    }
+
+    /**
+     * List user information. Certificates covered in a separate
+     * protocol for findUserCerts(). List of group memberships are
+     * also provided.
+     *
+     * Request/Response Syntax:
+     * http://warp.mcom.com/server/certificate/columbo/design/
+     * ui/admin-protocol-definition.html#user-admin
+     */
+    @Override
+    public UserData getUser(String userID) {
+        try {
+            if (userID == null) {
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+
+                throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID"));
+            }
+
+            IUser user;
+
+            try {
+                user = userGroupManager.getUser(userID);
+            } catch (Exception e) {
+                throw new CMSException(getUserMessage("CMS_INTERNAL_ERROR"));
+            }
+
+            if (user == null) {
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("USRGRP_SRVLT_USER_NOT_EXIST"));
+
+                throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_USER_NOT_EXIST"));
+            }
+
+            UserData userData = createUserData(user);
+
+            String email = user.getEmail();
+            if (!StringUtils.isEmpty(email)) userData.setEmail(email);
+
+            String phone = user.getPhone();
+            if (!StringUtils.isEmpty(phone)) userData.setPhone(phone);
+
+            String state = user.getState();
+            if (!StringUtils.isEmpty(state)) userData.setState(state);
+
+            String type = user.getUserType();
+            if (!StringUtils.isEmpty(type)) userData.setType(type);
+
+            return userData;
+
+        } catch (CMSException e) {
+            throw e;
+
+        } catch (Exception e) {
+            throw new CMSException(e.getMessage());
+        }
+    }
+
+    /**
+     * Adds a new user to LDAP server
+     * <P>
+     *
+     * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/
+     * ui/admin-protocol-definition.html#user-admin
+     * <P>
+     *
+     * <ul>
+     * <li>signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under
+     * users/groups)
+     * </ul>
+     */
+
+    @Override
+    public Response addUser(UserData userData) {
+
+        String userID = userData.getID();
+
+        // ensure that any low-level exceptions are reported
+        // to the signed audit log and stored as failures
+        try {
+            if (userID == null) {
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+                throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID"));
+            }
+
+            if (userID.indexOf(BACK_SLASH) != -1) {
+                // backslashes (BS) are not allowed
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_RS_ID_BS"));
+                throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_RS_ID_BS"));
+            }
+
+            if (userID.equals(SYSTEM_USER)) {
+                // backslashes (BS) are not allowed
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_SPECIAL_ID", userID));
+                throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_SPECIAL_ID", userID));
+            }
+
+            IUser user = userGroupManager.createUser(userID);
+
+            String fname = userData.getFullName();
+            if (fname == null || fname.length() == 0) {
+                String msg = getUserMessage("CMS_USRGRP_USER_ADD_FAILED_1", "full name");
+
+                log(ILogger.LL_FAILURE, msg);
+                throw new CMSException(msg);
+
+            } else {
+                user.setFullName(fname);
+            }
+
+            String email = userData.getEmail();
+            if (email != null) {
+                user.setEmail(email);
+            } else {
+                user.setEmail("");
+            }
+
+            String pword = userData.getPassword();
+            if (pword != null && !pword.equals("")) {
+                IPasswordCheck passwdCheck = CMS.getPasswordChecker();
+
+                if (!passwdCheck.isGoodPassword(pword)) {
+                    throw new EUsrGrpException(passwdCheck.getReason(pword));
+                }
+
+                user.setPassword(pword);
+            } else {
+                user.setPassword("");
+            }
+
+            String phone = userData.getPhone();
+            if (phone != null) {
+                user.setPhone(phone);
+            } else {
+                user.setPhone("");
+            }
+
+            String type = userData.getType();
+            if (type != null) {
+                user.setUserType(type);
+            } else {
+                user.setUserType("");
+            }
+
+            String state = userData.getState();
+            if (state != null) {
+                user.setState(state);
+            }
+
+            try {
+                userGroupManager.addUser(user);
+
+                auditAddUser(userID, userData, ILogger.SUCCESS);
+
+                // read the data back
+                userData = getUser(userID);
+
+                return Response
+                        .created(userData.getLink().getHref())
+                        .entity(userData)
+                        .type(MediaType.APPLICATION_XML)
+                        .build();
+
+            } catch (EUsrGrpException e) {
+                log(ILogger.LL_FAILURE, e.toString());
+
+                if (user.getUserID() == null) {
+                    throw new CMSException(getUserMessage("CMS_USRGRP_USER_ADD_FAILED_1", "uid"));
+                } else {
+                    throw new CMSException(getUserMessage("CMS_USRGRP_USER_ADD_FAILED"));
+                }
+
+            } catch (LDAPException e) {
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_ADD_USER_FAIL", e.toString()));
+                throw new CMSException(getUserMessage("CMS_USRGRP_USER_ADD_FAILED"));
+
+            } catch (Exception e) {
+                log(ILogger.LL_FAILURE, e.toString());
+                throw new CMSException(getUserMessage("CMS_USRGRP_USER_ADD_FAILED"));
+            }
+
+        } catch (CMSException e) {
+            auditAddUser(userID, userData, ILogger.FAILURE);
+            throw e;
+
+        } catch (EBaseException e) {
+            auditAddUser(userID, userData, ILogger.FAILURE);
+            throw new CMSException(e.getMessage());
+        }
+    }
+
+    /**
+     * Modifies an existing user in local scope.
+     * <P>
+     *
+     * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/
+     * ui/admin-protocol-definition.html#user-admin
+     * <P>
+     *
+     * <ul>
+     * <li>signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under
+     * users/groups)
+     * </ul>
+     */
+    @Override
+    public Response modifyUser(String userID, UserData userData) {
+
+        // ensure that any low-level exceptions are reported
+        // to the signed audit log and stored as failures
+        try {
+            if (userID == null) {
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+                throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID"));
+            }
+
+            IUser user = userGroupManager.createUser(userID);
+
+            String fullName = userData.getFullName();
+            if (fullName != null) {
+                user.setFullName(fullName);
+            }
+
+            String email = userData.getEmail();
+            if (email != null) {
+                user.setEmail(email);
+            }
+
+            String pword = userData.getPassword();
+            if (pword != null && !pword.equals("")) {
+                IPasswordCheck passwdCheck = CMS.getPasswordChecker();
+
+                if (!passwdCheck.isGoodPassword(pword)) {
+                    throw new EUsrGrpException(passwdCheck.getReason(pword));
+                }
+
+                user.setPassword(pword);
+            }
+
+            String phone = userData.getPhone();
+            if (phone != null) {
+                user.setPhone(phone);
+            }
+
+            String state = userData.getState();
+            if (state != null) {
+                user.setState(state);
+            }
+
+            try {
+                userGroupManager.modifyUser(user);
+
+                auditModifyUser(userID, userData, ILogger.SUCCESS);
+
+                // read the data back
+                userData = getUser(userID);
+
+                return Response
+                        .ok(userData)
+                        .type(MediaType.APPLICATION_XML)
+                        .build();
+
+            } catch (Exception e) {
+                log(ILogger.LL_FAILURE, e.toString());
+                throw new CMSException(getUserMessage("CMS_USRGRP_USER_MOD_FAILED"));
+            }
+
+        } catch (CMSException e) {
+            auditModifyUser(userID, userData, ILogger.FAILURE);
+            throw e;
+
+        } catch (EBaseException e) {
+            auditModifyUser(userID, userData, ILogger.FAILURE);
+            throw new CMSException(e.getMessage());
+        }
+    }
+
+    /**
+     * removes a user. user not removed if belongs to any group
+     * (Administrators should remove the user from "uniquemember" of
+     * any group he/she belongs to before trying to remove the user
+     * itself.
+     * <P>
+     *
+     * Request/Response Syntax: http://warp.mcom.com/server/certificate/columbo/design/
+     * ui/admin-protocol-definition.html#user-admin
+     * <P>
+     *
+     * <ul>
+     * <li>signed.audit LOGGING_SIGNED_AUDIT_CONFIG_ROLE used when configuring role information (anything under
+     * users/groups)
+     * </ul>
+     */
+    @Override
+    public void removeUser(String userID) {
+
+        // ensure that any low-level exceptions are reported
+        // to the signed audit log and stored as failures
+        try {
+            if (userID == null) {
+                log(ILogger.LL_FAILURE, CMS.getLogMessage("ADMIN_SRVLT_NULL_RS_ID"));
+                throw new CMSException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID"));
+            }
+
+            // get list of groups, and see if uid belongs to any
+            Enumeration<IGroup> groups;
+
+            try {
+                groups = userGroupManager.findGroups("*");
+
+            } catch (Exception e) {
+                throw new CMSException(getUserMessage("CMS_INTERNAL_ERROR"));
+            }
+
+            try {
+                while (groups.hasMoreElements()) {
+                    IGroup group = groups.nextElement();
+                    if (!group.isMember(userID)) continue;
+
+                    userGroupManager.removeUserFromGroup(group, userID);
+                }
+
+                // comes out clean of group membership...now remove user
+                userGroupManager.removeUser(userID);
+
+                auditDeleteUser(userID, ILogger.SUCCESS);
+
+            } catch (Exception e) {
+                throw new CMSException(getUserMessage("CMS_USRGRP_SRVLT_FAIL_USER_RMV"));
+            }
+
+        } catch (CMSException e) {
+            auditDeleteUser(userID, ILogger.FAILURE);
+            throw e;
+        }
+    }
+
+    public void log(int level, String message) {
+        log(ILogger.S_USRGRP, level, message);
+    }
+
+    public void auditAddUser(String id, UserData userData, String status) {
+        audit(OpDef.OP_ADD, id, getParams(userData), status);
+    }
+
+    public void auditModifyUser(String id, UserData userData, String status) {
+        audit(OpDef.OP_MODIFY, id, getParams(userData), status);
+    }
+
+    public void auditDeleteUser(String id, String status) {
+        audit(OpDef.OP_DELETE, id, null, status);
+    }
+
+    public void audit(String type, String id, Map<String, String> params, String status) {
+        audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_USERS, type, id, params, status);
+    }
+}
diff --git a/base/common/src/com/netscape/cms/servlet/base/CMSResourceService.java b/base/common/src/com/netscape/cms/servlet/base/CMSResourceService.java
index 36f33b6f8..85ccbf9f7 100644
--- a/base/common/src/com/netscape/cms/servlet/base/CMSResourceService.java
+++ b/base/common/src/com/netscape/cms/servlet/base/CMSResourceService.java
@@ -17,17 +17,26 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.cms.servlet.base;
 
+import java.lang.reflect.Method;
 import java.security.cert.CertificateEncodingException;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
 
+import javax.ws.rs.FormParam;
 import javax.ws.rs.core.CacheControl;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.EntityTag;
+import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 import javax.ws.rs.core.Response.ResponseBuilder;
+import javax.ws.rs.core.UriInfo;
 
 import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.logging.IAuditor;
+import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cms.servlet.cert.model.CertificateData;
 
 /**
@@ -48,8 +57,14 @@ public class CMSResourceService {
     protected UriInfo uriInfo;
 
     @Context
+    protected HttpHeaders headers;
+
+    @Context
     protected Request request;
 
+    public ILogger logger = CMS.getLogger();
+    public IAuditor auditor = CMS.getAuditor();
+
     public Response createOKResponse(Object object) {
         return Response.ok(object).build();
     }
@@ -79,4 +94,71 @@ public class CMSResourceService {
         return data;
     }
 
+    public Locale getLocale() {
+
+        if (headers == null) return Locale.getDefault();
+
+        List<Locale> locales = headers.getAcceptableLanguages();
+        if (locales == null || locales.isEmpty()) return Locale.getDefault();
+
+        return locales.get(0);
+    }
+
+    public String getUserMessage(String messageId, String... params) {
+        return CMS.getUserMessage(getLocale(), messageId, params);
+    }
+
+    public void log(int source, int level, String message) {
+
+        if (logger == null) return;
+
+        logger.log(ILogger.EV_SYSTEM,
+                null,
+                source,
+                level,
+                getClass().getSimpleName()+": " + message);
+    }
+
+    public void audit(String message, String scope, String type, String id, Map<String, String> params, String status) {
+
+        if (auditor == null) return;
+
+        String auditMessage = CMS.getLogMessage(
+                message,
+                auditor.getSubjectID(),
+                status,
+                auditor.getParamString(scope, type, id, params));
+
+        auditor.log(auditMessage);
+    }
+
+    /**
+     * Get the values of the fields annotated with @FormParam.
+     */
+    public Map<String, String> getParams(Object object) {
+
+        Map<String, String> map = new HashMap<String, String>();
+
+        // for each fields in the object
+        for (Method method : object.getClass().getMethods()) {
+            FormParam element = method.getAnnotation(FormParam.class);
+            if (element == null) continue;
+
+            String name = element.value();
+
+            try {
+                // get the value from the object
+                Object value = method.invoke(object);
+
+                // put the value in the map
+                map.put(name, value == null ? null : value.toString());
+
+            } catch (Exception e) {
+                // ignore inaccessible fields
+                e.printStackTrace();
+            }
+        }
+
+        return map;
+    }
 }
diff --git a/base/common/src/com/netscape/cmscore/apps/CMSEngine.java b/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
index 72e8c49e8..4eacf2236 100644
--- a/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/common/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -1415,7 +1415,7 @@ public class CMSEngine implements ICMSEngine {
         try {
             return "-----BEGIN CERTIFICATE-----\n" +
                     CMS.BtoA(cert.getEncoded()) +
-                    "\n-----END CERTIFICATE-----\n";
+                    "-----END CERTIFICATE-----\n";
         } catch (Exception e) {
             return null;
         }