authorEndi Sukma Dewata <edewata@redhat.com>2012-07-30 19:50:23 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2012-07-31 23:16:34 -0500
commit7d4a40bdd6bf6ef37705be7131fdc179bb5c1e7d (patch)
treebe962766b1f7afa710650322a436251d2ead963d /base/kra
parent0d2ce4c6a9a4c05a0098b13cf6743cfe7f2fc6e5 (diff)
Refactored PKI JNDI realm.
The PKI JNDI realm has been modified to utilize the authentication and authorization subsystems in PKI engine directly. It's no longer necessary to define the LDAP connection settings in Tomcat's configuration files. Ticket #126
Diffstat (limited to 'base/kra')
-rw-r--r--base/kra/shared/conf/server.xml45
-rw-r--r--base/kra/shared/webapps/kra/WEB-INF/web.xml4
2 files changed, 3 insertions, 46 deletions
diff --git a/base/kra/shared/conf/server.xml b/base/kra/shared/conf/server.xml
index 96e396b72..54ba3272b 100644
--- a/base/kra/shared/conf/server.xml
+++ b/base/kra/shared/conf/server.xml
@@ -235,51 +235,8 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown)
resourceName="UserDatabase"/>
-->
- <!-- Custom PKIJNDI realm
-
- Example:
-
- <Realm className="com.netscape.cmscore.realm.PKIJNDIRealm" : classpath to realm
- connectionURL="ldap://localhost:389" : standard JNDI connection URL
- userBase="ou=people,dc=localhost-pki-kra" : standard JNDI userBase property
- userSearch="(description={0})" : Attribute to search for user of incoming client auth certificate
- : Use userSearch="(UID={0})" if wanting to search isolate user based on UID
- : Also set the following: certUIDLabel="UID" or whatever the field containing
- : the user's UID happens to be. This will cause the incoming's cert dn to be
- : be searched for <certUIDLabel>=<uid value>
-
- certAttrName="userCertificate" : Attribute containing user's client auth certificate
- roleBase="ou=groups,dc=localhost-pki-kra" : Standard JNDI search base for roles or groups
- roleName="cn" : Standard attribute name containg roles or groups
- roleSubtree="true" : Standard JNDI roleSubtree property
- roleSearch="(uniqueMember={0})" : How to search for a user in a specific role or group
- connectionName="cn=Directory Manager" : Connection name, needs elevated privileges
- connectionPassword="secret123" : Password for elevated user
- aclBase ="cn=aclResources,dc=localhost-pki-kra" : Custom base location of PKI ACL's in directory
- aclAttrName="resourceACLS" : Name of attribute containing PKI ACL's
- />
-
- Uncomment and customize below to activate Realm.
- Also umcomment Security Constraints and login config values
- in WEB-INF/web.xml as well.
- -->
-
<!--
- <Realm className="com.netscape.cmscore.realm.PKIJNDIRealm"
- connectionURL="ldap://localhost:389"
- userBase="ou=people,dc=localhost-pki-kra"
- userSearch="(description={0})"
- certAttrName="userCertificate"
- roleBase="ou=groups,dc=localhost-pki-kra"
- roleName="cn"
- roleSubtree="true"
- roleSearch="(uniqueMember={0})"
- connectionName="cn=Directory Manager"
- connectionPassword="netscape"
- aclBase ="cn=aclResources,dc=localhost-pki-kra"
- aclAttrName="resourceACLS"
- />
-
+ <Realm className="com.netscape.cmscore.realm.PKIRealm" />
-->
<!-- Define the default virtual host
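Review bot: The new `<Realm className="com.netscape.cmscore.realm.PKIRealm" />` line is still wrapped in the surviving `<!-- ... -->` pair, but the hunk deletes the only text that told a deployer it must be uncommented together with the security-constraint and login-config entries in WEB-INF/web.xml, so the realm now sits silent with no activation instructions. Until both are enabled the webapp's security constraints are not enforced by this realm, which is worth stating where the deployer will look. I would restore a short note ahead of the commented block, e.g. `<!-- Custom PKI realm (uses the PKI engine's auth/authz subsystems; no LDAP settings needed here). Uncomment the Realm below and the matching security-constraint and login-config entries in WEB-INF/web.xml to activate it. -->`. Dropping the example block that carried literal bind credentials (`connectionPassword="secret123"` / `"netscape"`) is a welcome side effect of the change; the rendered page appears to have collapsed a blank context line before the `<!-- Define the default virtual host` line, so the hunk's tail is inferred rather than visible.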
diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml
index 273ca1fa4..7b4072085 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml
@@ -1010,13 +1010,13 @@
<!-- Customized SSL Client auth login config
- uncomment to activate PKIJNDI realm as in conf/server.xml
+ uncomment to activate PKI realm as in conf/server.xml
-->
<!--
<login-config>
- <realm-name>PKIJNDIRealm</realm-name>
+ <realm-name>PKIRealm</realm-name>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Protected Area</realm-name>
</login-config>