summaryrefslogtreecommitdiffstats
path: root/base/kra
diff options
context:
space:
mode:
authorEndi Sukma Dewata <edewata@redhat.com>2012-10-08 14:50:26 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2012-10-22 17:12:20 -0500
commit1723a2ecd9d4d741ecd6d292712eeaea9d19bde9 (patch)
treef9812748c4d5c8895a8da7be352983eb792ed000 /base/kra
parent1c45197227a0d54b525d4b40f66aa96aeb4f2e6a (diff)
downloadpki-1723a2ecd9d4d741ecd6d292712eeaea9d19bde9.tar.gz
pki-1723a2ecd9d4d741ecd6d292712eeaea9d19bde9.tar.xz
pki-1723a2ecd9d4d741ecd6d292712eeaea9d19bde9.zip
Added REST account service.
A REST account service has been added to allow client to login to establish a session and to logout to destroy the session. This way multiple operations can be executed using the same session without having to re-authenticate. Ticket #357
Diffstat (limited to 'base/kra')
-rw-r--r--base/kra/shared/conf/acl.ldif1
-rw-r--r--base/kra/shared/webapps/kra/WEB-INF/auth.properties2
-rw-r--r--base/kra/shared/webapps/kra/WEB-INF/web.xml13
-rw-r--r--base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java5
4 files changed, 21 insertions, 0 deletions
diff --git a/base/kra/shared/conf/acl.ldif b/base/kra/shared/conf/acl.ldif
index ea70ffd21..c3eae7596 100644
--- a/base/kra/shared/conf/acl.ldif
+++ b/base/kra/shared/conf/acl.ldif
@@ -30,6 +30,7 @@ resourceACLS: certServer.kra.TokenKeyRecovery:submit:allow (submit) group="Data
resourceACLS: certServer.kra.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent
resourceACLS: certServer.kra.getTransportCert:read:allow (read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to retrieve the transport cert
resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
+resourceACLS: certServer.kra.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
resourceACLS: certServer.kra.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
resourceACLS: certServer.kra.keys:execute:allow (execute) group="Data Recovery Manager Agents":Agents may execute key operations
resourceACLS: certServer.kra.keyrequests:execute:allow (execute) group="Data Recovery Manager Agents":Agents may execute key request operations
diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/webapps/kra/WEB-INF/auth.properties
index d2ba3075e..0a529f060 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties
+++ b/base/kra/shared/webapps/kra/WEB-INF/auth.properties
@@ -4,6 +4,8 @@
# <Rest API URL> = <ACL Resource ID>,<ACL resource operation>
# ex: /kra/pki/key/retrieve = certServer.kra.pki.key.retrieve,execute
+/kra/rest/account/login = certServer.kra.account,login
+/kra/rest/account/logout = certServer.kra.account,logout
/kra/rest/admin/users = certServer.kra.users,execute
/kra/rest/admin/groups = certServer.kra.groups,execute
/kra/rest/agent/keys = certServer.kra.keys,execute
diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml
index 1a5b6aaf5..03def86c7 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml
@@ -954,6 +954,19 @@
<session-timeout>30</session-timeout>
</session-config>
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Account Services</web-resource-name>
+ <url-pattern>/rest/account/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
<!--
<security-constraint>
<web-resource-collection>
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
index f972fe4b5..280ffe1dc 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
@@ -6,6 +6,7 @@ import java.util.Set;
import javax.ws.rs.core.Application;
import com.netscape.certsrv.base.PKIException;
+import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupMemberService;
import com.netscape.cms.servlet.admin.GroupService;
import com.netscape.cms.servlet.admin.SystemCertService;
@@ -21,6 +22,10 @@ public class KeyRecoveryAuthorityApplication extends Application {
private Set<Class<?>> classes = new HashSet<Class<?>>();
public KeyRecoveryAuthorityApplication() {
+
+ // account
+ classes.add(AccountService.class);
+
// installer
classes.add(SystemConfigService.class);