author | Endi S. Dewata <edewata@redhat.com> | 2013-11-13 23:38:25 -0500 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2013-11-14 16:55:06 -0500 |
commit | 815cdd900d29e3cc633f20aea6b82e2db69c04c5 (patch) | |
tree | c96e5ee9104cc62b4dcb60aeb7215f65b162c9b5 /base | |
parent | c694fde37b64d2d5a58f0146e0a8db47bec5be14 (diff) | |
download | pki-815cdd900d29e3cc633f20aea6b82e2db69c04c5.tar.gz pki-815cdd900d29e3cc633f20aea6b82e2db69c04c5.tar.xz pki-815cdd900d29e3cc633f20aea6b82e2db69c04c5.zip |
Added ACL for TPS connections.
New ACL has been added to allow only the administrators to access
TPS connections.
Ticket #652
Diffstat (limited to 'base')
5 files changed, 27 insertions, 0 deletions
diff --git a/base/common/src/com/netscape/certsrv/tps/connection/ConnectionResource.java b/base/common/src/com/netscape/certsrv/tps/connection/ConnectionResource.java
index 928dabae7..e1be5c6b4 100644
--- a/base/common/src/com/netscape/certsrv/tps/connection/ConnectionResource.java
+++ b/base/common/src/com/netscape/certsrv/tps/connection/ConnectionResource.java
@@ -31,11 +31,16 @@ import javax.ws.rs.core.Response;
 import org.jboss.resteasy.annotations.ClientResponseType;
+import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
+
 /**
 * @author Endi S. Dewata
 */
 @Path("connections")
+@AuthMethodMapping("connections")
+@ACLMapping("connections.read")
 public interface ConnectionResource {
 @GET
@@ -53,6 +58,7 @@ public interface ConnectionResource {
 @ClientResponseType(entityType=ConnectionData.class)
 @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
 @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("connections.add")
 public Response addConnection(ConnectionData connectionData);
 @PUT
@@ -60,6 +66,7 @@ public interface ConnectionResource {
 @ClientResponseType(entityType=ConnectionData.class)
 @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
 @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("connections.modify")
 public Response updateConnection(
 @PathParam("connectionID") String connectionID,
 ConnectionData connectionData);
@@ -67,5 +74,6 @@ public interface ConnectionResource {
 @DELETE
 @Path("{connectionID}")
 @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("connections.remove")
 public void removeConnection(@PathParam("connectionID") String connectionID);
 }
diff --git a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
index afcc17514..a7c0c74f4 100644
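Review bot: The class-level `@ACLMapping("connections.read")` added in the first hunk becomes the permission for every method on the interface that carries no mapping of its own — the `@GET` operations this commit leaves unannotated, and any method added later — so a future mutating method whose author forgets the per-method annotation is silently checked against `read` instead of its proper permission. The `add`/`modify`/`remove` overrides in the later hunks on this file are correct, but nothing in the code states that rule, and how the interceptor treats a method with no mapping at all is not visible here. I would document the intent directly above the class annotation: `// Default ACL for the read-only (GET) operations; every mutating method below must override it with its own @ACLMapping.` The `@GET` methods themselves lie outside the shown hunks.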
--- a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
@@ -71,6 +71,7 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
 authMethodProperties.put("admin", "certUserDBAuthMgr");
 authMethodProperties.put("agent", "certUserDBAuthMgr");
 authMethodProperties.put("config", "certUserDBAuthMgr");
+ authMethodProperties.put("connections", "certUserDBAuthMgr");
 authMethodProperties.put("authenticators", "certUserDBAuthMgr");
 authMethodProperties.put("profiles", "certUserDBAuthMgr");
 authMethodProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr");
diff --git a/base/tps-tomcat/shared/conf/acl.ldif b/base/tps-tomcat/shared/conf/acl.ldif
index b5bbdf7a2..7cd81bbdb 100644
--- a/base/tps-tomcat/shared/conf/acl.ldif
+++ b/base/tps-tomcat/shared/conf/acl.ldif
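Review bot: The new `"connections"` key is a bare string literal that must agree character-for-character with the `@AuthMethodMapping("connections")` value on ConnectionResource, and nothing in either file ties the two together. If one side drifts, the resource silently drops out of this table; what the interceptor does for a resource with no entry is outside the hunk, so I cannot tell from here whether that fails closed. A comment on the table would at least make the coupling explicit: `// keys must match the @AuthMethodMapping value declared on the corresponding REST resource`. The enclosing method starts and ends outside the hunk.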
@@ -23,6 +23,7 @@ resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) gro
 resourceACLS: certServer.tps.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
 resourceACLS: certServer.tps.authenticators:read,add,modify,remove:allow (read,add,modify,remove) group="TUS Administrators":Only admins can access authenticators.
 resourceACLS: certServer.tps.config:read,modify:allow (read,modify) group="TUS Administrators":Only admins can access configuration.
+resourceACLS: certServer.tps.connections:read,add,modify,remove:allow (read,add,modify,remove) group="TUS Administrators":Only admins can access configuration.
 resourceACLS: certServer.tps.groups:execute:allow (execute) group="TUS Administrators":Admins may execute group operations
 resourceACLS: certServer.tps.users:execute:allow (execute) group="TUS Administrators":Admins may execute user operations
 resourceACLS: certServer.tps.profiles:read,add,modify,approve,remove:allow (read) group="TUS Administrators" || group="TUS Agents" ; allow (add,remove,modify) group="TUS Administrators" ; allow (approve) group="TUS Agents":Admins, agents, and operators can read profiles, but only admins can add, modify, and remove profiles, and only agents can approve profiles.
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
index b21a0e03a..941bedd17 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
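Review bot: The description on the new `certServer.tps.connections` ACL is copied from the `certServer.tps.config` line above it and still reads `Only admins can access configuration.`, which misdescribes what the rule protects. The permissions and group are right; only the trailing text should change, e.g. `...group="TUS Administrators":Only admins can access connections.` The description is informational, but it is what an operator sees when listing or auditing the ACL set, so a wrong one makes the rule look like a duplicate of the config entry.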
@@ -14,6 +14,10 @@ authenticators.modify = certServer.tps.authenticators,modify
 authenticators.remove = certServer.tps.authenticators,remove
 config.read = certServer.tps.config,read
 config.modify = certServer.tps.config,modify
+connections.read = certServer.tps.connections,read
+connections.add = certServer.tps.connections,add
+connections.modify = certServer.tps.connections,modify
+connections.remove = certServer.tps.connections,remove
 profiles.read = certServer.tps.profiles,read
 profiles.add = certServer.tps.profiles,add
 profiles.modify = certServer.tps.profiles,modify
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
index bd8958201..d80aab955 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
@@ -227,6 +227,19 @@
 <security-constraint>
 <web-resource-collection>
+ <web-resource-name>Connections</web-resource-name>
+ <url-pattern>/rest/connections/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
 <web-resource-name>Profiles</web-resource-name>
 <url-pattern>/rest/profiles/*</url-pattern>
 </web-resource-collection>
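Review bot: The new constraint's `<role-name>*</role-name>` lets any authenticated user through the container check, so for `/rest/connections/*` the only thing that actually restricts access to administrators is the `connections.*` mapping added in auth.properties and acl.ldif; that matches the adjacent Profiles constraint, but the file gives no hint of this layering. A comment inside the constraint, e.g. `<!-- Authentication and TLS only; per-operation authorization is enforced by @ACLMapping via auth.properties / acl.ldif -->`, would stop a later edit from treating this block as the authorization rule. Leaving out `<http-method>` so the constraint covers every method is the right choice here and is worth keeping.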