authorEndi Sukma Dewata <edewata@redhat.com>2012-07-26 20:40:08 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2012-08-03 17:07:13 -0500
commiteca4d635e67eaf3c6878d35acfaaf11df53151e2 (patch)
tree32d947e0eeec6a36ea9cc1e7ebf0804b487da7e2 /base/kra/shared/webapps/kra/WEB-INF
parent1d85941aa2f80f3da619504fe4310fe47cb5b036 (diff)
Moved REST services into separate URLs.
To support different access control configurations the REST services have been separated by roles. Services that don't need authentication will be available under /rest. Services that require agent rights will be available under /rest/agent. Services that require admin rights will be available under /rest/admin. Ticket #107
Diffstat (limited to 'base/kra/shared/webapps/kra/WEB-INF')
-rw-r--r--base/kra/shared/webapps/kra/WEB-INF/auth.properties14
-rw-r--r--base/kra/shared/webapps/kra/WEB-INF/web.xml117
2 files changed, 43 insertions, 88 deletions
diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/webapps/kra/WEB-INF/auth.properties
index a206aa9e4..d2ba3075e 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties
+++ b/base/kra/shared/webapps/kra/WEB-INF/auth.properties
@@ -4,13 +4,7 @@
# <Rest API URL> = <ACL Resource ID>,<ACL resource operation>
# ex: /kra/pki/key/retrieve = certServer.kra.pki.key.retrieve,execute
-/kra/pki/key/retrieve = certServer.kra.pki.key.retrieve,execute
-/kra/pki/keyrequests = certServer.kra.pki.keyrequests,read
-/kra/pki/keyrequest = certServer.kra.pki.keyrequest,read
-/kra/pki/keyrequest/archive = certServer.kra.pki.keyrequest.archive,execute
-/kra/pki/keyrequest/recover = certServer.kra.pki.keyrequest.recover,execute
-/kra/pki/keyrequest/approve = certServer.kra.pki.keyrequest.approve,execute
-/kra/pki/keyrequest/reject = certServer.kra.pki.keyrequest.reject,execute
-/kra/pki/keyrequest/cancel = certServer.kra.pki.keyrequest.cancel,execute
-/kra/pki/keys = certServer.kra.pki.keys,read
-/kra/pki/config/cert/transport = certServer.kra.pki.config.cert.transport,read
+/kra/rest/admin/users = certServer.kra.users,execute
+/kra/rest/admin/groups = certServer.kra.groups,execute
+/kra/rest/agent/keys = certServer.kra.keys,execute
+/kra/rest/agent/keyrequests = certServer.kra.keyrequests,execute
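Review bot: The example in the header comment still uses the old `/kra/pki/key/retrieve` URL and the old `certServer.kra.pki.key.retrieve` resource id, so it no longer resembles any entry in the file; update it to `# ex: /kra/rest/agent/keys = certServer.kra.keys,execute`. The removed lines distinguished `read` (keyrequests, keys, config/cert/transport) from `execute` (archive, recover, approve, reject, cancel) with one ACL resource per operation, whereas the four new entries collapse each service tree into a single resource checked with `execute`; if the lookup matches by URL prefix, listing key requests and approving or rejecting them now require the same ACL, which is coarser than before. That may be intended for the new layout, but a comment in this file stating that per-operation authorization is enforced elsewhere (or a finer mapping) would make the intent checkable. The `/kra/rest/admin` and `/kra/rest/agent` prefixes here must also stay aligned with the `/rest` RESTEasy servlet mapping in web.xml.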
diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml
index 7b4072085..9208507c3 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml
@@ -691,13 +691,15 @@
<param-value> ee </param-value> </init-param>
</servlet>
+ <!-- ==================== RESTEasy Configuration =============== -->
+
<listener>
<listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class>
</listener>
<context-param>
<param-name>resteasy.servlet.mapping.prefix</param-name>
- <param-value>/pki</param-value>
+ <param-value>/rest</param-value>
</context-param>
<context-param>
@@ -718,7 +720,7 @@
<servlet-mapping>
<servlet-name>Resteasy</servlet-name>
- <url-pattern>/pki/*</url-pattern>
+ <url-pattern>/rest/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
@@ -950,81 +952,40 @@
<session-timeout>30</session-timeout>
</session-config>
-<!-- Default login configuration uses form-based authentication -->
-<!-- Security Constraint for agent access to the Security Data Rest Interface -->
-
-<!-- Uncomment to activate PKIJNDI realm as in conf/server.xml -->
-<!--
-<security-constraint>
- <display-name>KRA Top Level Constraint</display-name>
- <web-resource-collection>
- <web-resource-name>KRA Protected Area</web-resource-name>
- <url-pattern>/pki/*
- </url-pattern>
- </web-resource-collection>
- <user-data-constraint>
- <transport-guarantee>CONFIDENTIAL</transport-guarantee>
- </user-data-constraint>
- <auth-constraint>
- <role-name>*</role-name>
- </auth-constraint>
-</security-constraint>
--->
-
-<!-- Security Constraint to deny certain http methods for key/retrieve -->
-<!-- Uncomment to activate PKIJNDI realm as in conf/server.xml -->
-<!--
-<security-constraint>
-<display-name>Key forbidden</display-name>
-<web-resource-collection>
- <web-resource-name>Key forbidden</web-resource-name>
- <url-pattern>/pki/key/retrieve</url-pattern>
- <http-method>GET</http-method>
- <http-method>PUT</http-method>
- <http-method>DELETE</http-method>
-</web-resource-collection>
-<auth-constraint/>
-</security-constraint>
--->
-
-<!-- Security Constraint to deny certain http methods for keyrequest/* -->
-<!-- Uncomment to activate PKIJNDI realm as in conf/server.xml -->
-
-<!--
-<security-constraint>
-<display-name>KeyRequest forbidden</display-name>
-<web-resource-collection>
- <web-resource-name>KeyRequest forbidden</web-resource-name>
- <url-pattern>/pki/keyrequest/archive</url-pattern>
- <url-pattern>/pki/keyrequest/recover</url-pattern>
- <url-pattern>/pki/keyrequest/approve/*</url-pattern>
- <url-pattern>/pki/keyrequest/reject/*</url-pattern>
- <url-pattern>/pki/keyrequest/cancel/*</url-pattern>
- <http-method>GET</http-method>
- <http-method>PUT</http-method>
- <http-method>DELETE</http-method>
-</web-resource-collection>
-<auth-constraint/>
-</security-constraint>
--->
-
-
-<!-- Customized SSL Client auth login config
- uncomment to activate PKI realm as in conf/server.xml
--->
-
-<!--
-
-<login-config>
- <realm-name>PKIRealm</realm-name>
- <auth-method>CLIENT-CERT</auth-method>
- <realm-name>Client Cert Protected Area</realm-name>
-</login-config>
-
-<security-role>
- <role-name>*</role-name>
-</security-role>
-
--->
+ <!--
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Admin Services</web-resource-name>
+ <url-pattern>/rest/admin/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Agent Services</web-resource-name>
+ <url-pattern>/rest/agent/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <login-config>
+ <realm-name>Key Recovery Authority</realm-name>
+ </login-config>
+
+ <security-role>
+ <role-name>*</role-name>
+ </security-role>
+ -->
</web-app>
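Review bot: The new security constraints and login-config at the end of the hunk are entirely inside one `<!-- … -->` comment, so after this change web.xml declares no `<security-constraint>`, no `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` and no `<login-config>` for `/rest/admin/*` or `/rest/agent/*`; unless authentication and TLS are enforced elsewhere (for example by the auth.properties-driven checks in the application), those URLs are served without container authentication. If the block is meant to be activated at deployment time, say so where the removed draft did, e.g. `<!-- Uncomment to enforce container authentication for /rest/admin/* and /rest/agent/* (requires the realm configured in conf/server.xml) -->`. Note also that the new `<login-config>` carries only a `<realm-name>` and drops the `<auth-method>CLIENT-CERT</auth-method>` the removed draft had, so once uncommented the mechanism is left to the container's default rather than client certificates; add `<auth-method>CLIENT-CERT</auth-method>` if that is still the intent. The removed (already commented) constraints that denied GET, PUT and DELETE on key/retrieve and keyrequest/* have no counterpart in the new block.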