diff options
| author | Endi Sukma Dewata <edewata@redhat.com> | 2012-10-10 04:38:05 -0500 |
|---|---|---|
| committer | Endi Sukma Dewata <edewata@redhat.com> | 2012-11-08 00:29:16 -0500 |
| commit | 7a533307bd03b6aa5853f32654db3bba7a2d26cb (patch) | |
| tree | e22c98540243eeb3e30d77f027f0e7948b1a3326 /base/kra | |
| parent | e5db248fb62510737b7ec17de0d4b27a2dcf8707 (diff) | |
| download | pki-ticket-400-1.tar.gz pki-ticket-400-1.tar.xz pki-ticket-400-1.zip | |
Added ACLInterceptor.ticket-400-1
Previously ACL checking was done in PKIRealm by matching the URL.
This code has been replaced by ACLInterceptor which will intercept
RESTEasy method invocations. This allows more precise mapping of
REST methods to ACL entries in acl.ldif.
Ticket #287
Diffstat (limited to 'base/kra')
| -rw-r--r-- | base/kra/shared/webapps/kra/WEB-INF/auth.properties | 16 | ||||
| -rw-r--r-- | base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java | 3 |
2 files changed, 11 insertions, 8 deletions
diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/webapps/kra/WEB-INF/auth.properties index 0a529f060..567747f5b 100644 --- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties +++ b/base/kra/shared/webapps/kra/WEB-INF/auth.properties @@ -1,12 +1,12 @@ # Restful API auth/authz mapping info # # Format: -# <Rest API URL> = <ACL Resource ID>,<ACL resource operation> -# ex: /kra/pki/key/retrieve = certServer.kra.pki.key.retrieve,execute +# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation> +# ex: admin.users = certServer.ca.users,read -/kra/rest/account/login = certServer.kra.account,login -/kra/rest/account/logout = certServer.kra.account,logout -/kra/rest/admin/users = certServer.kra.users,execute -/kra/rest/admin/groups = certServer.kra.groups,execute -/kra/rest/agent/keys = certServer.kra.keys,execute -/kra/rest/agent/keyrequests = certServer.kra.keyrequests,execute +account.login = certServer.kra.account,login +account.logout = certServer.kra.account,logout +admin.users = certServer.kra.users,execute +admin.groups = certServer.kra.groups,execute +agent.keys = certServer.kra.keys,execute +agent.keyrequests = certServer.kra.keyrequests,execute diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java index 280ffe1dc..0ed23f697 100644 --- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java +++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java @@ -5,6 +5,7 @@ import java.util.Set; import javax.ws.rs.core.Application; +import com.netscape.certsrv.acls.ACLInterceptor; import com.netscape.certsrv.base.PKIException; import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupMemberService; @@ -45,6 +46,8 @@ public class KeyRecoveryAuthorityApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); + // ACL interceptor + singletons.add(new ACLInterceptor()); } public Set<Class<?>> getClasses() { |