| author | Endi S. Dewata <edewata@redhat.com> | 2013-11-14 15:32:11 -0500 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2013-11-20 12:17:29 -0500 |
| commit | b5d353f13eefeed5a234850d5c95e3fc03340d36 (patch) | |
| tree | 8037b51b7be65fb010a8bb9f9de7a962804fef2d /base/server/cms/src/com | |
| parent | b1a187e3e731f25a37f7df0a2cd361224125b531 (diff) | |
Replaced auth.properties with acl.properties.
The ACL mapping files have been renamed from auth.properties to
acl.properties to match the actual content and moved into the
subsystem conf folder. The authentication method mapping files
have been extracted from the interceptor into actual files.
The ACLInterceptor and AuthMethodInterceptor have been modified to read
the default mapping first, then overwrite it with the custom mapping if
one exists in the subsystem folder.
The UpdateAuthzProperties upgrade script has been replaced with
RemoveAuthProperties that will remove the old auth.properties.
Diffstat (limited to 'base/server/cms/src/com')
| -rw-r--r-- | base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java | 38 | ||||
| -rw-r--r-- | base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java | 58 |
2 files changed, 56 insertions, 40 deletions
diff --git a/base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java index b43eb3cbe..c4b890e12 100644 --- a/base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java +++ b/base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java @@ -17,9 +17,10 @@ //--- END COPYRIGHT BLOCK --- package com.netscape.cms.authorization; +import java.io.File; +import java.io.FileReader; import java.io.IOException; import java.lang.reflect.Method; -import java.net.URL; import java.security.Principal; import java.util.Properties; @@ -49,7 +50,7 @@ import com.netscape.cms.realm.PKIPrincipal; @Provider public class ACLInterceptor implements ContainerRequestFilter { - Properties authProperties; + Properties properties; @Context ServletContext servletContext; 
@@ -57,14 +58,33 @@ public class ACLInterceptor implements ContainerRequestFilter { @Context SecurityContext securityContext; - public synchronized void loadAuthProperties() throws IOException { + public synchronized void loadProperties() throws IOException { - if (authProperties != null) + if (properties != null) return; - URL url = servletContext.getResource("/WEB-INF/auth.properties"); - authProperties = new Properties(); - authProperties.load(url.openStream()); + properties = new Properties(); + + String context = servletContext.getContextPath(); + String subsystem = context.startsWith("/") ? context.substring(1) : context; + + // load default mapping + String defaultMapping = "/usr/share/pki/" + subsystem + "/conf/acl.properties"; + CMS.debug("ACLInterceptor: loading " + defaultMapping); + try (FileReader in = new FileReader(defaultMapping)) { + properties.load(in); + } + + // load custom mapping + File customMapping = new File(System.getProperty("catalina.base") + + "/" + subsystem + "/conf/acl.properties"); + CMS.debug("ACLInterceptor: checking " + customMapping); + if (customMapping.exists()) { + CMS.debug("ACLInterceptor: loading " + customMapping); + try (FileReader in = new FileReader(customMapping)) { + properties.load(in); + } + } } @Override @@ -118,9 +138,9 @@ public class ACLInterceptor implements ContainerRequestFilter { } try { - loadAuthProperties(); + loadProperties(); - String value = authProperties.getProperty(name); + String value = properties.getProperty(name); // If no property defined, allow request. if (value == null) { diff --git a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java index 2e6b68955..6d26840b6 100644 --- a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java +++ b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java 
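Review bot: In ACLInterceptor.loadProperties() the field is assigned with `properties = new Properties();` before either file is read, so if opening a `FileReader` or `properties.load(in)` throws, the field stays non-null and every later call returns at the `if (properties != null)` guard with an empty or half-merged table. The context line in the following hunk reads `// If no property defined, allow request.`, so an unreadable acl.properties would appear to leave later requests without an ACL check rather than rejected; the catch block is outside the hunk, so confirm how the first failure is handled. Build the table in a local (`Properties loaded = new Properties();`, with `loaded.load(in);` in both try blocks) and publish it with `properties = loaded;` as the last statement, so a failed load is retried on the next request. The same pattern is in AuthMethodInterceptor.loadProperties() in the next file section.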
@@ -17,9 +17,10 @@ //--- END COPYRIGHT BLOCK --- package com.netscape.cms.authorization; +import java.io.File; +import java.io.FileReader; import java.io.IOException; import java.lang.reflect.Method; -import java.net.URL; import java.security.Principal; import java.util.Collection; import java.util.HashSet; @@ -48,7 +49,7 @@ import com.netscape.cms.realm.PKIPrincipal; @Provider public class AuthMethodInterceptor implements ContainerRequestFilter { - Properties authMethodProperties; + Properties properties; @Context ServletContext servletContext; 
@@ -56,37 +57,32 @@ public class AuthMethodInterceptor implements ContainerRequestFilter { @Context SecurityContext securityContext; - public synchronized void loadAuthProperties() throws IOException { + public synchronized void loadProperties() throws IOException { - if (authMethodProperties != null) + if (properties != null) return; - authMethodProperties = new Properties(); - - URL url = servletContext.getResource("/WEB-INF/auth-method.properties"); - - if (url == null) { - authMethodProperties.put("default", "*"); - authMethodProperties.put("account", "certUserDBAuthMgr,passwdUserDBAuthMgr"); - authMethodProperties.put("authenticators", "certUserDBAuthMgr"); - authMethodProperties.put("certs", "certUserDBAuthMgr"); - authMethodProperties.put("certrequests", "certUserDBAuthMgr"); - authMethodProperties.put("config", "certUserDBAuthMgr"); - authMethodProperties.put("connections", "certUserDBAuthMgr"); - authMethodProperties.put("groups", "certUserDBAuthMgr"); - authMethodProperties.put("keys", "certUserDBAuthMgr"); - authMethodProperties.put("keyrequests", "certUserDBAuthMgr"); - authMethodProperties.put("kraconnectors", "certUserDBAuthMgr"); - authMethodProperties.put("profiles", "certUserDBAuthMgr"); - authMethodProperties.put("profile-mappings", "certUserDBAuthMgr"); - authMethodProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr"); - authMethodProperties.put("selftests", "certUserDBAuthMgr"); - authMethodProperties.put("tokens", "certUserDBAuthMgr"); - authMethodProperties.put("tpsconnectors", "certUserDBAuthMgr"); - authMethodProperties.put("users", "certUserDBAuthMgr"); + properties = new Properties(); - } else { - authMethodProperties.load(url.openStream()); + String context = servletContext.getContextPath(); + String subsystem = context.startsWith("/") ? 
context.substring(1) : context; + + // load default mapping + String defaultMapping = "/usr/share/pki/" + subsystem + "/conf/auth-method.properties"; + CMS.debug("AuthMethodInterceptor: loading " + defaultMapping); + try (FileReader in = new FileReader(defaultMapping)) { + properties.load(in); + } + + // load custom mapping + File customMapping = new File(System.getProperty("catalina.base") + + "/" + subsystem + "/conf/auth-method.properties"); + CMS.debug("AuthMethodInterceptor: checking " + customMapping); + if (customMapping.exists()) { + CMS.debug("AuthMethodInterceptor: loading " + customMapping); + try (FileReader in = new FileReader(customMapping)) { + properties.load(in); + } } } @@ -119,9 +115,9 @@ public class AuthMethodInterceptor implements ContainerRequestFilter { CMS.debug("AuthMethodInterceptor: mapping: " + name); try { - loadAuthProperties(); + loadProperties(); - String value = authMethodProperties.getProperty(name); + String value = properties.getProperty(name); Collection<String> authMethods = new HashSet<String>(); if (value != null) { for (String v : value.split(",")) { |
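Review bot: The second `properties.load(in)` in AuthMethodInterceptor.loadProperties() lets a file under `catalina.base` replace any default authentication-method entry key by key, and the only record of that is a `CMS.debug` line. Because this mapping selects which authentication managers are accepted for each mapping name, the custom-mapping block should say who is expected to own the file, for example `// custom mapping overrides defaults per key; must be writable only by the instance owner`, and the load should be logged at a level that is retained in production. `FileReader` also decodes with the platform default charset, whereas the removed `load(url.openStream())` path read ISO 8859-1 as `Properties.load(InputStream)` specifies; this presumably matters only if a mapping ever contains non-ASCII characters.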
