Realm: allow auth instances to support multiple realms

In practice, most folks will use something like DirAclAuthz
to manage their realm.  Rather than requiring a new authz plugin
for each realm, we allow the authz plugin to support multiple
realms (as a comma separated list).

For the Acl plugins in particular, we expand the authorize call
to allow the caller to pass in the realm as well as the resource
and operation.  The resource queried would then be constructed on
the fly as realm.resource

Examples will be provided in the wiki page.

Trac Ticket 2041

1 files changed, 22 insertions, 5 deletions

diff --git a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
index 354485897..378777f99 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
@@ -17,8 +17,10 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.cmscore.authorization;
 
+import java.util.Arrays;
 import java.util.Enumeration;
 import java.util.Hashtable;
+import java.util.List;
 import java.util.Vector;
 
 import org.apache.commons.codec.binary.StringUtils;
@@ -227,7 +229,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
      */
     public AuthzToken authorize(
             String authzMgrInstName, IAuthToken authToken,
-            String resource, String operation)
+            String resource, String operation, String realm)
             throws EAuthzMgrNotFound, EBaseException {
 
         AuthzManagerProxy proxy = mAuthzMgrInsts.get(authzMgrInstName);
@@ -243,9 +245,20 @@ public class AuthzSubsystem implements IAuthzSubsystem {
         if (authzMgrInst == null) {
             throw new EAuthzMgrNotFound(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZMGR_NOT_FOUND", authzMgrInstName));
         }
+
+        if ((realm != null) && (resource != null)) {
+            resource = realm + "." + resource;
+        }
         return (authzMgrInst.authorize(authToken, resource, operation));
     }
 
+    @Override
+    public AuthzToken authorize(String authzMgrName, IAuthToken authToken, String resource, String operation)
+            throws EBaseException {
+        return authorize(authzMgrName, authToken, resource, operation, null);
+    }
+
+    @Override
     public AuthzToken authorize(
             String authzMgrInstName, IAuthToken authToken, String exp)
             throws EAuthzMgrNotFound, EBaseException {
@@ -485,7 +498,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
             throw new EAuthzUnknownRealm("Realm not found");
         }
 
-        AuthzToken authzToken = authorize(mgrName, authToken, resource, operation);
+        AuthzToken authzToken = authorize(mgrName, authToken, resource, operation, realm);
         if (authzToken == null) {
             throw new EAuthzAccessDenied("Not authorized by ACL realm");
         }
@@ -496,9 +509,13 @@ public class AuthzSubsystem implements IAuthzSubsystem {
             IAuthzManager mgr = proxy.getAuthzManager();
             if (mgr != null) {
                 IConfigStore cfg = mgr.getConfigStore();
-                String mgrRealm = cfg.getString(PROP_REALM, null);
-                if (StringUtils.equals(mgrRealm, realm)) {
-                    return mgr.getName();
+                String mgrRealmString = cfg.getString(PROP_REALM, null);
+                if (mgrRealmString == null) continue;
+
+                List<String> mgrRealms = Arrays.asList(mgrRealmString.split(","));
+                for (String mgrRealm : mgrRealms) {
+                    if (StringUtils.equals(mgrRealm, realm))
+                        return mgr.getName();
                 }
             }
         }