author | Endi Sukma Dewata <edewata@redhat.com> | 2012-07-26 20:40:08 -0500 |
---|---|---|
committer | Endi Sukma Dewata <edewata@redhat.com> | 2012-08-03 17:07:13 -0500 |
commit | eca4d635e67eaf3c6878d35acfaaf11df53151e2 (patch) | |
tree | 32d947e0eeec6a36ea9cc1e7ebf0804b487da7e2 /base/kra/shared/webapps | |
parent | 1d85941aa2f80f3da619504fe4310fe47cb5b036 (diff) | |
Moved REST services into separate URLs.
To support different access control configurations the REST
services have been separated by roles. Services that don't
need authentication will be available under /rest. Services
that require agent rights will be available under /rest/agent.
Services that require admin rights will be available under
/rest/admin.
Ticket #107
Diffstat (limited to 'base/kra/shared/webapps')
-rw-r--r-- | base/kra/shared/webapps/kra/WEB-INF/auth.properties | 14 | ||||
-rw-r--r-- | base/kra/shared/webapps/kra/WEB-INF/web.xml | 117 |
2 files changed, 43 insertions, 88 deletions
diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/webapps/kra/WEB-INF/auth.properties
index a206aa9e4..d2ba3075e 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties
+++ b/base/kra/shared/webapps/kra/WEB-INF/auth.properties
@@ -4,13 +4,7 @@
 # <Rest API URL> = <ACL Resource ID>,<ACL resource operation>
 # ex: /kra/pki/key/retrieve = certServer.kra.pki.key.retrieve,execute
-/kra/pki/key/retrieve = certServer.kra.pki.key.retrieve,execute
-/kra/pki/keyrequests = certServer.kra.pki.keyrequests,read
-/kra/pki/keyrequest = certServer.kra.pki.keyrequest,read
-/kra/pki/keyrequest/archive = certServer.kra.pki.keyrequest.archive,execute
-/kra/pki/keyrequest/recover = certServer.kra.pki.keyrequest.recover,execute
-/kra/pki/keyrequest/approve = certServer.kra.pki.keyrequest.approve,execute
-/kra/pki/keyrequest/reject = certServer.kra.pki.keyrequest.reject,execute
-/kra/pki/keyrequest/cancel = certServer.kra.pki.keyrequest.cancel,execute
-/kra/pki/keys = certServer.kra.pki.keys,read
-/kra/pki/config/cert/transport = certServer.kra.pki.config.cert.transport,read
+/kra/rest/admin/users = certServer.kra.users,execute
+/kra/rest/admin/groups = certServer.kra.groups,execute
+/kra/rest/agent/keys = certServer.kra.keys,execute
+/kra/rest/agent/keyrequests = certServer.kra.keyrequests,execute
diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml
index 7b4072085..9208507c3 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml
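Review bot: The four new entries in auth.properties map only collection roots such as `/kra/rest/agent/keys` and `/kra/rest/agent/keyrequests`, whereas the removed list named each sub-path (`/kra/pki/keyrequest/approve`, `/kra/pki/key/retrieve`, ...) individually. The code that looks these keys up is not visible here, so confirm it matches by prefix; with exact matching, sub-resource URLs would have no ACL mapping at all. Every new entry also uses `execute`, which drops the earlier `read`/`execute` split and means read-only access to listings can no longer be granted separately. The `# ex:` comment kept as context still shows the old URL form and should become something like `# ex: /kra/rest/agent/keys = certServer.kra.keys,execute`.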
@@ -691,13 +691,15 @@ <param-value> ee </param-value> </init-param> </servlet> + <!-- ==================== RESTEasy Configuration =============== --> + <listener> <listener-class> org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap </listener-class> </listener> <context-param> <param-name>resteasy.servlet.mapping.prefix</param-name> - <param-value>/pki</param-value> + <param-value>/rest</param-value> </context-param> <context-param> @@ -718,7 +720,7 @@ <servlet-mapping> <servlet-name>Resteasy</servlet-name> - <url-pattern>/pki/*</url-pattern> + <url-pattern>/rest/*</url-pattern> </servlet-mapping> <servlet-mapping> 
@@ -950,81 +952,40 @@ <session-timeout>30</session-timeout> </session-config> -<!-- Default login configuration uses form-based authentication --> -<!-- Security Constraint for agent access to the Security Data Rest Interface --> - -<!-- Uncomment to activate PKIJNDI realm as in conf/server.xml --> -<!-- -<security-constraint> - <display-name>KRA Top Level Constraint</display-name> - <web-resource-collection> - <web-resource-name>KRA Protected Area</web-resource-name> - <url-pattern>/pki/* - </url-pattern> - </web-resource-collection> - <user-data-constraint> - <transport-guarantee>CONFIDENTIAL</transport-guarantee> - </user-data-constraint> - <auth-constraint> - <role-name>*</role-name> - </auth-constraint> -</security-constraint> ---> - -<!-- Security Constraint to deny certain http methods for key/retrieve --> -<!-- Uncomment to activate PKIJNDI realm as in conf/server.xml --> -<!-- -<security-constraint> -<display-name>Key forbidden</display-name> -<web-resource-collection> - <web-resource-name>Key forbidden</web-resource-name> - <url-pattern>/pki/key/retrieve</url-pattern> - <http-method>GET</http-method> - <http-method>PUT</http-method> - <http-method>DELETE</http-method> -</web-resource-collection> -<auth-constraint/> -</security-constraint> ---> - -<!-- Security Constraint to deny certain http methods for keyrequest/* --> -<!-- Uncomment to activate PKIJNDI realm as in conf/server.xml --> - -<!-- -<security-constraint> -<display-name>KeyRequest forbidden</display-name> -<web-resource-collection> - <web-resource-name>KeyRequest forbidden</web-resource-name> - <url-pattern>/pki/keyrequest/archive</url-pattern> - <url-pattern>/pki/keyrequest/recover</url-pattern> - <url-pattern>/pki/keyrequest/approve/*</url-pattern> - <url-pattern>/pki/keyrequest/reject/*</url-pattern> - <url-pattern>/pki/keyrequest/cancel/*</url-pattern> - <http-method>GET</http-method> - <http-method>PUT</http-method> - <http-method>DELETE</http-method> -</web-resource-collection> 
-<auth-constraint/> -</security-constraint> ---> - - -<!-- Customized SSL Client auth login config - uncomment to activate PKI realm as in conf/server.xml ---> - -<!-- - -<login-config> - <realm-name>PKIRealm</realm-name> - <auth-method>CLIENT-CERT</auth-method> - <realm-name>Client Cert Protected Area</realm-name> -</login-config> - -<security-role> - <role-name>*</role-name> -</security-role> - ---> + <!-- + <security-constraint> + <web-resource-collection> + <web-resource-name>Admin Services</web-resource-name> + <url-pattern>/rest/admin/*</url-pattern> + </web-resource-collection> + <auth-constraint> + <role-name>*</role-name> + </auth-constraint> + <user-data-constraint> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + + <security-constraint> + <web-resource-collection> + <web-resource-name>Agent Services</web-resource-name> + <url-pattern>/rest/agent/*</url-pattern> + </web-resource-collection> + <auth-constraint> + <role-name>*</role-name> + </auth-constraint> + <user-data-constraint> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + + <login-config> + <realm-name>Key Recovery Authority</realm-name> + </login-config> + + <security-role> + <role-name>*</role-name> + </security-role> + --> </web-app> |
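Review bot: The new `<security-constraint>` entries for `/rest/admin/*` and `/rest/agent/*` at the end of web.xml are still shipped inside a comment, so this descriptor as committed makes the container enforce neither authentication nor the `CONFIDENTIAL` transport guarantee on those paths. Protection then depends entirely on whatever consumes auth.properties, which is not visible here. Once uncommented, both constraints use `<role-name>*</role-name>`, so the container admits any authenticated role to admin and agent URLs alike and the actual separation must come from the ACL layer. The new `<login-config>` also omits the `<auth-method>CLIENT-CERT</auth-method>` line the removed block carried, and the removed GET/PUT/DELETE deny constraints have no counterpart; if an authenticator is configured elsewhere, note that, otherwise keep the line. I would put a comment above the block such as `<!-- Uncomment to require authentication and TLS for /rest/admin/* and /rest/agent/* -->`.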