authorAde Lee <alee@redhat.com>2016-04-19 22:32:33 -0400
committerAde Lee <alee@redhat.com>2016-04-20 17:31:17 -0400
commit9dc5a7829e9521ac29196515e1384f552068a649 (patch)
tree170fea823082cccc3d1d367ab915fdb2de9d1cb4 /base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
parentb59d8305130e81d3e00240b5612a327c9dfc7d12 (diff)
Realm: allow auth instances to support multiple realms
In practice, most folks will use something like DirAclAuthz to manage their realm. Rather than requiring a new authz plugin for each realm, we allow the authz plugin to support multiple realms (as a comma-separated list). For the Acl plugins in particular, we expand the authorize call to allow the caller to pass in the realm as well as the resource and operation. The resource queried is then constructed on the fly as realm.resource. Examples will be provided in the wiki page. Trac Ticket 2041
Diffstat (limited to 'base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java')
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java12
1 files changed, 6 insertions, 6 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
index 04bb6f2ec..00e313a80 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
@@ -169,7 +169,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
}
authz.checkRealm(request.getRealm(), authToken, request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER),
- "keyRequest", "read");
+ "certServer.kra.request", "read");
KeyRequestInfo info = createKeyRequestInfo(request, uriInfo);
return info;
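Review bot: The new resource names are repeated as bare string literals at six call sites (`"certServer.kra.request"` here, `"certServer.kra.key"` in the two recover hunks, `"certServer.kra.requests"` in the approve/reject/cancel hunks), so a later ACL rename has to be chased through the file; hoisting them to constants such as `private static final String RESOURCE_KEY_REQUEST = "certServer.kra.request";` keeps each literal in one place. This hunk uses the singular `certServer.kra.request` while the approve/reject/cancel hunks use the plural `certServer.kra.requests`; if these are meant to be two distinct ACL resources, a short comment at the constant definition would stop a maintainer "fixing" one to match the other, and what happens when a realm-qualified check lands on a resource with no ACL entry depends on the authz plugin, which this file does not show. Unlike the two recover hunks, this `checkRealm` call is not wrapped in a catch of `EAuthzUnknownRealm`, so an unknown realm here presumably propagates as a plain `EBaseException` rather than an `UnauthorizedException` — worth confirming the caller maps it to a deny. The enclosing method starts before this hunk.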
@@ -264,7 +264,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
}
try {
- authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "key", "recover");
+ authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "certServer.kra.key", "recover");
} catch (EAuthzUnknownRealm e) {
throw new UnauthorizedException("Invalid realm", e);
} catch (EBaseException e) {
@@ -322,7 +322,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
}
try {
- authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "key", "recover");
+ authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "certServer.kra.key", "recover");
} catch (EAuthzUnknownRealm e) {
throw new UnauthorizedException("Invalid realm", e);
} catch (EBaseException e) {
@@ -504,7 +504,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
IRequest request = queue.findRequest(id);
authz.checkRealm(request.getRealm(), authToken,
request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER),
- "keyRequest", "approve");
+ "certServer.kra.requests", "execute");
service.addAgentAsyncKeyRecovery(id.toString(), requestor);
}
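Review bot: Collapsing the three distinct operations `approve`, `reject` and `cancel` into a single `execute` on `certServer.kra.requests` (here and in the reject and cancel hunks below) means any principal granted `execute` for a realm's requests can now perform all three state changes, whereas the previous operation names let an ACL separate approving from rejecting or cancelling. If the coarser granularity is intended, a comment at the first call site would keep a later maintainer from re-introducing per-action names that no ACL evaluates, e.g. `// approve/reject/cancel are all gated by the single realm-scoped "execute" operation`. Otherwise keeping the operation argument as `"approve"`, `"reject"` and `"cancel"` while adopting the new resource name retains the finer distinction. The enclosing methods begin outside these hunks.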
@@ -514,7 +514,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
String realm = request.getRealm();
authz.checkRealm(realm, authToken,
request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER),
- "keyRequest", "reject");
+ "certServer.kra.requests", "execute");
request.setRequestStatus(RequestStatus.REJECTED);
queue.updateRequest(request);
}
@@ -524,7 +524,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
String realm = request.getRealm();
authz.checkRealm(realm, authToken,
request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER),
- "keyRequest", "cancel");
+ "certServer.kra.requests", "execute");
request.setRequestStatus(RequestStatus.CANCELED);
queue.updateRequest(request);
}