diff options
author | Endi Sukma Dewata <edewata@redhat.com> | 2012-10-23 18:05:50 -0500 |
---|---|---|
committer | Endi Sukma Dewata <edewata@redhat.com> | 2012-10-25 23:36:42 -0500 |
commit | 6359021315622e97ae3c074752548f915e4af00d (patch) | |
tree | 6fa92b4c2ac48d469b9fea0970931b005e3903ba /base/ocsp/shared | |
parent | 7c105a64f41000737b85de832522738fd9af4200 (diff) | |
download | pki-6359021315622e97ae3c074752548f915e4af00d.tar.gz pki-6359021315622e97ae3c074752548f915e4af00d.tar.xz pki-6359021315622e97ae3c074752548f915e4af00d.zip |
Enabled account service for TKS and OCSP.
The REST account service has been added to TKS and OCSP to enable
authentication.
Ticket #375
Diffstat (limited to 'base/ocsp/shared')
-rw-r--r-- | base/ocsp/shared/conf/acl.ldif | 3 | ||||
-rw-r--r-- | base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties | 2 | ||||
-rw-r--r-- | base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml | 35 |
3 files changed, 40 insertions, 0 deletions
diff --git a/base/ocsp/shared/conf/acl.ldif b/base/ocsp/shared/conf/acl.ldif index 94a102b48..b1dbc4c5b 100644 --- a/base/ocsp/shared/conf/acl.ldif +++ b/base/ocsp/shared/conf/acl.ldif @@ -27,3 +27,6 @@ resourceACLS: certServer.ocsp.cas:list:allow (list) group="Online Certificate St resourceACLS: certServer.ocsp.certificate:validate:allow (validate) group="Online Certificate Status Manager Agents":Online Certificate Status Manager agents may validate certificate status resourceACLS: certServer.ocsp.group:read,modify:allow (modify,read) group="Administrators":Only administrators are allowed to read and modify groups resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration. +resourceACLS: certServer.ocsp.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout +resourceACLS: certServer.ocsp.groups:execute:allow (execute) group="Administrators":Admins may execute group operations +resourceACLS: certServer.ocsp.users:execute:allow (execute) group="Administrators":Admins may execute user operations diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties index 3a85e209f..8eda09bc3 100644 --- a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties +++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties @@ -4,5 +4,7 @@ # <Rest API URL> = <ACL Resource ID>,<ACL resource operation> # ex: /kra/pki/key/retrieve = certServer.kra.pki.key.retrieve,execute +/ocsp/rest/account/login = certServer.ocsp.account,login +/ocsp/rest/account/logout = certServer.ocsp.account,logout /ocsp/rest/admin/users = certServer.ocsp.users,execute /ocsp/rest/admin/groups = certServer.ocsp.groups,execute diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml index 040e7f7ed..1deadc9dc 100644 --- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml +++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml @@ -587,5 +587,40 @@ <session-config> <session-timeout>30</session-timeout> </session-config> + + <security-constraint> + <web-resource-collection> + <web-resource-name>Account Services</web-resource-name> + <url-pattern>/rest/account/*</url-pattern> + </web-resource-collection> + <auth-constraint> + <role-name>*</role-name> + </auth-constraint> + <user-data-constraint> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + + <security-constraint> + <web-resource-collection> + <web-resource-name>Admin Services</web-resource-name> + <url-pattern>/rest/admin/*</url-pattern> + </web-resource-collection> + <auth-constraint> + <role-name>*</role-name> + </auth-constraint> + <user-data-constraint> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + + <login-config> + <realm-name>Online Certificate Status Protocol Manager</realm-name> + </login-config> + + <security-role> + <role-name>*</role-name> + </security-role> + </web-app> |