author | Fraser Tweedale <ftweedal@redhat.com> | 2016-11-29 18:24:53 +1000 |
---|---|---|
committer | Fraser Tweedale <ftweedal@redhat.com> | 2017-03-16 17:46:18 +1000 |
commit | 76f60251f7e1b2f1f9ad1752121c0c5cb1cb5b8b (patch) | |
tree | c64a4f54592349b6f9e007267b0cd2703544a004 /base/server/cms/src/org | |
parent | 433c7b70d7dd8609dea31b28aee042e48a41ac9f (diff) | |
Update AuthMethodInterceptor to handle external principals
Update AuthMethodInterceptor to handle externally authenticated
principals. For now, access is unconditionally granted.
Part of: https://pagure.io/dogtagpki/issue/1359
Diffstat (limited to 'base/server/cms/src/org')
-rw-r--r-- | base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java | 27 |
1 files changed, 16 insertions, 11 deletions
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java
index ac0b2518c..8571ad6b1 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java
@@ -33,12 +33,14 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.ext.Provider;
+import org.apache.catalina.realm.GenericPrincipal;
+
 import org.jboss.resteasy.core.ResourceMethodInvoker;
 import org.jboss.resteasy.spi.Failure;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.AuthMethodMapping;
-import com.netscape.certsrv.authentication.AuthToken;
+import com.netscape.certsrv.authentication.ExternalAuthToken;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.base.ForbiddenException;
 import com.netscape.cms.realm.PKIPrincipal;
@@ -139,14 +141,11 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
 throw new ForbiddenException("Anonymous access not allowed.");
 }
- // If unrecognized principal, reject request.
- if (!(principal instanceof PKIPrincipal)) {
- CMS.debug("AuthMethodInterceptor: unknown principal");
- throw new ForbiddenException("Unknown user principal");
- }
-
- PKIPrincipal pkiPrincipal = (PKIPrincipal) principal;
- IAuthToken authToken = pkiPrincipal.getAuthToken();
+ IAuthToken authToken = null;
+ if (principal instanceof PKIPrincipal)
+ authToken = ((PKIPrincipal) principal).getAuthToken();
+ else if (principal instanceof GenericPrincipal)
+ authToken = new ExternalAuthToken((GenericPrincipal) principal);
 // If missing auth token, reject request.
 if (authToken == null) {
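Review bot: In the second hunk, the new `else if (principal instanceof GenericPrincipal)` branch wraps any Catalina `GenericPrincipal` in an `ExternalAuthToken` without checking which realm or authenticator produced it, so the interceptor now trusts whatever principal the container hands over. If `PKIPrincipal` derives from `GenericPrincipal` (not visible in this hunk), the order of the two tests is load-bearing and deserves a comment such as `// PKIPrincipal must be tested first; it may itself be a GenericPrincipal`. The removed "unknown principal" debug line is also lost: other principal types now fail later with "Missing authentication token.", which hides the real cause in the logs, so a final `else { CMS.debug("AuthMethodInterceptor: unknown principal type"); }` would keep the diagnosis. The unbraced if/else chain is worth bracing in an access-control path. The enclosing method starts and ends outside the hunk.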
@@ -154,7 +153,8 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
 throw new ForbiddenException("Missing authentication token.");
 }
- String authManager = (String) authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+ String authManager = authToken.getInString(IAuthToken.TOKEN_AUTHMGR_INST_NAME);
+
 CMS.debug("AuthMethodInterceptor: authentication manager: " + authManager);
 if (authManager == null) {
@@ -162,7 +162,12 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
 throw new ForbiddenException("Missing authentication manager.");
 }
- if (authMethods.isEmpty() || authMethods.contains(authManager) || authMethods.contains("*")) {
+ if (
+ authMethods.isEmpty()
+ || authManager.equals("external")
+ || authMethods.contains(authManager)
+ || authMethods.contains("*")
+ ) {
 CMS.debug("AuthMethodInterceptor: access granted");
 return;
 } |
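Review bot: In the last hunk, `authManager.equals("external")` sits in the same OR chain as the `authMethods` checks, so a resource method whose mapping names specific authentication managers becomes reachable by every externally authenticated principal. The commit message says this is intentional for now, but the code carries no marker of that; add `// TODO(dogtagpki issue 1359): external principals bypass the auth-method mapping` above the condition. Log the bypass distinctly from a normal grant, e.g. `CMS.debug("AuthMethodInterceptor: access granted (external principal, mapping not enforced)");`, so it can be audited. The literal "external" presumably matches what `ExternalAuthToken` reports for `TOKEN_AUTHMGR_INST_NAME` (not visible here); a shared constant would keep the two from drifting. The enclosing method continues outside the hunk.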