author | Ade Lee <alee@redhat.com> | 2016-04-16 11:29:37 -0400 |
committer | Ade Lee <alee@redhat.com> | 2016-04-20 17:29:43 -0400 |
commit | 9a1eabe3ed5332cb5fbd27deecd4193f38e9fbcb (patch) | |
tree | 898e3d9137e9946f396eec1f6554597bf547fd7d /base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java | |
parent | bb6fd9e1a73e2ee224fc9332681fb59113f94d8f (diff) | |
Added new authz methods to check realm
* Added method to check realm. This method will look for
an authz instance for a specified realm and invoke it to
determine access.
* Added a basic group based authz plugin mostly for testing.
This plugin simply checks if the requestor is in the correct
group. In practice, customers will probably want something more
complex, perhaps subclassing BasicAclAuthz.
Part of Trac Ticket #2041
Diffstat (limited to 'base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java')
-rw-r--r-- | base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java | 40 |
1 files changed, 39 insertions, 1 deletions
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
index a6019730a..8b126d2da 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
@@ -21,11 +21,14 @@ import java.util.Enumeration;
 import java.util.Hashtable;
 import java.util.Vector;
+import org.apache.commons.codec.binary.StringUtils;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authorization.AuthzManagerProxy;
 import com.netscape.certsrv.authorization.AuthzMgrPlugin;
 import com.netscape.certsrv.authorization.AuthzToken;
+import com.netscape.certsrv.authorization.EAuthzAccessDenied;
 import com.netscape.certsrv.authorization.EAuthzException;
 import com.netscape.certsrv.authorization.EAuthzMgrNotFound;
 import com.netscape.certsrv.authorization.EAuthzMgrPluginNotFound;
@@ -156,6 +159,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
                 // it is mis-configurated. This give
                 // administrator another chance to
                 // fix the problem via console
+                CMS.debug(e);
             } catch (Throwable e) {
                 log(ILogger.LL_FAILURE,
                         CMS.getLogMessage("CMSCORE_AUTHZ_PLUGIN_INIT_FAILED", insName, e.toString()));
@@ -163,6 +167,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
                 // it is mis-configurated. This give
                 // administrator another chance to
                 // fix the problem via console
+                CMS.debug(e);
             }
             // add manager instance to list.
             mAuthzMgrInsts.put(insName, new 
@@ -212,7 +217,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
      * Authorization to the named authorization manager instance
      *
      * @param authzMgrName The authorization manager name
-     * @param authToken the authenticaton token associated with a user
+     * @param authToken the authentication token associated with a user
      * @param resource the resource protected by the authorization system
      * @param operation the operation for resource protected by the authoriz
      * n system
@@ -465,4 +470,37 @@ public class AuthzSubsystem implements IAuthzSubsystem {
                 level, msg);
     }
+    @Override
+    public void checkRealm(String realm, IAuthToken authToken, String owner, String resource, String operation)
+            throws EBaseException {
+        // if no realm entry, SUCCESS by default
+        if (realm == null) return;
+
+        // if record owner == requester, SUCCESS
+        if ((owner != null) && owner.equals(authToken.getInString(IAuthToken.USER_ID))) return;
+
+        String mgrName = getAuthzManagerByRealm(realm);
+        // if no authz manager for this realm, SUCCESS by default
+        if (mgrName == null) return;
+
+        AuthzToken authzToken = authorize(mgrName, authToken, resource, operation);
+        if (authzToken == null) {
+            throw new EAuthzAccessDenied("Not authorized by ACL realm");
+        }
+    }
+
+    public String getAuthzManagerByRealm(String realm) throws EBaseException {
+        for (AuthzManagerProxy proxy : mAuthzMgrInsts.values()) {
+            IAuthzManager mgr = proxy.getAuthzManager();
+            if (mgr != null) {
+                IConfigStore cfg = mgr.getConfigStore();
+                String mgrRealm = cfg.getString(PROP_REALM, null);
+                if (StringUtils.equals(mgrRealm, realm)) {
+                    return mgr.getName();
+                }
+            }
+        }
+        return null;
+    }
+
 }
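Review bot: checkRealm fails open when a record names a realm that no authz manager claims — `if (mgrName == null) return;` grants access — and since getAuthzManagerByRealm skips proxies whose `getAuthzManager()` is null, a realm manager that failed to initialize (the catch blocks in the hunks at 159/167 log and fall through to the registration line that is cut off at the end of that hunk) would silently disable access control for that realm, if the failed instance is indeed still registered. For a realm that is explicitly set on the record, deny-by-default or at least a logged message, `CMS.debug("AuthzSubsystem.checkRealm: no authz manager for realm " + realm + ", allowing access");`, would make that state visible to an administrator. checkRealm also dereferences authToken before any null check (`authToken.getInString(...)` on the owner comparison line), so if a caller reaches it with a null token and a non-null owner the result is a NullPointerException rather than EAuthzAccessDenied. Neither new public method has Javadoc; checkRealm's should spell out the three early-return cases (null realm, requester is the owner, no manager for the realm) and that EAuthzAccessDenied is thrown when the manager does not grant the operation, and getAuthzManagerByRealm's should state that it returns null when no instance's PROP_REALM matches. The bare `if (...) return;` one-liners differ from the braced style used for the `authzToken == null` check in the same method.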