Added authentication method validation.ticket-477-5

A new mechanism has been added to limit the authentication methods that
can be used to invoke the REST methods. The AuthMethodMapping annotation
maps each REST method to a list of allowed authentication methods defined
auth-method.properties. When a client calls a REST method, the AuthMethod-
Interceptor will intercept the call and verify that the client uses an
allowed authentication method.

For security reason, most REST methods that require authentication have been
configured to require client certificate authentication. Authentication using
username and password will only be used to get the installation token from
security domain.

The auth.properties have been renamed to acl.properties since it's used to
store ACL mappings.

Ticket #477

2 files changed, 12 insertions, 3 deletions

diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth.properties b/base/tks/shared/webapps/tks/WEB-INF/acl.properties
index 6de7f08e5..62367135e 100644
--- a/base/tks/shared/webapps/tks/WEB-INF/auth.properties
+++ b/base/tks/shared/webapps/tks/WEB-INF/acl.properties
@@ -1,8 +1,8 @@
-# Restful API auth/authz mapping info
+# Restful API authorization mapping info
 #
 # Format:
-# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation>
-# ex:      admin.users = certServer.ca.users,read
+# <mapping name> = <resource ID>,<operation>
+# ex: admin.users = certServer.ca.users,read
 
 account.login = certServer.tks.account,login
 account.logout = certServer.tks.account,logout
diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth-method.properties b/base/tks/shared/webapps/tks/WEB-INF/auth-method.properties
new file mode 100644
index 000000000..81e24403f
--- /dev/null
+++ b/base/tks/shared/webapps/tks/WEB-INF/auth-method.properties
@@ -0,0 +1,9 @@
+# Restful API auth mapping info
+#
+# Format:
+# <mapping name> = <allowed auth methods>
+# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr
+
+default = *
+account = certUserDBAuthMgr,passwdUserDBAuthMgr
+admin = certUserDBAuthMgr