authorEndi S. Dewata <edewata@redhat.com>2013-11-13 23:38:25 -0500
committerEndi S. Dewata <edewata@redhat.com>2013-11-14 16:55:06 -0500
commit815cdd900d29e3cc633f20aea6b82e2db69c04c5 (patch)
treec96e5ee9104cc62b4dcb60aeb7215f65b162c9b5 /base
parentc694fde37b64d2d5a58f0146e0a8db47bec5be14 (diff)
Added ACL for TPS connections.
A new ACL has been added so that only administrators can access TPS connections. Ticket #652
Diffstat (limited to 'base')
-rw-r--r--base/common/src/com/netscape/certsrv/tps/connection/ConnectionResource.java8
-rw-r--r--base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java1
-rw-r--r--base/tps-tomcat/shared/conf/acl.ldif1
-rw-r--r--base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties4
-rw-r--r--base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml13
5 files changed, 27 insertions, 0 deletions
diff --git a/base/common/src/com/netscape/certsrv/tps/connection/ConnectionResource.java b/base/common/src/com/netscape/certsrv/tps/connection/ConnectionResource.java
index 928dabae7..e1be5c6b4 100644
--- a/base/common/src/com/netscape/certsrv/tps/connection/ConnectionResource.java
+++ b/base/common/src/com/netscape/certsrv/tps/connection/ConnectionResource.java
@@ -31,11 +31,16 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
+import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
+
/**
* @author Endi S. Dewata
*/
@Path("connections")
+@AuthMethodMapping("connections")
+@ACLMapping("connections.read")
public interface ConnectionResource {
@GET
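Review bot: The class-level `@ACLMapping("connections.read")` presumably acts as the default for every method that carries no mapping of its own, which is what lets the GET methods in this interface work without an annotation — but it also means a future mutating method added without an explicit `@ACLMapping` would silently be authorized as a read. That fallback deserves to be stated above the annotation: `// Default ACL for methods without their own mapping (the read-only GETs); every mutating method must override it.` The interface body continues past this hunk, so the GET methods relying on the default are not visible here.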
@@ -53,6 +58,7 @@ public interface ConnectionResource {
@ClientResponseType(entityType=ConnectionData.class)
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("connections.add")
public Response addConnection(ConnectionData connectionData);
@PUT
@@ -60,6 +66,7 @@ public interface ConnectionResource {
@ClientResponseType(entityType=ConnectionData.class)
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("connections.modify")
public Response updateConnection(
@PathParam("connectionID") String connectionID,
ConnectionData connectionData);
@@ -67,5 +74,6 @@ public interface ConnectionResource {
@DELETE
@Path("{connectionID}")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("connections.remove")
public void removeConnection(@PathParam("connectionID") String connectionID);
}
diff --git a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
index afcc17514..a7c0c74f4 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
@@ -71,6 +71,7 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
authMethodProperties.put("admin", "certUserDBAuthMgr");
authMethodProperties.put("agent", "certUserDBAuthMgr");
authMethodProperties.put("config", "certUserDBAuthMgr");
+ authMethodProperties.put("connections", "certUserDBAuthMgr");
authMethodProperties.put("authenticators", "certUserDBAuthMgr");
authMethodProperties.put("profiles", "certUserDBAuthMgr");
authMethodProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr");
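Review bot: The auth-method table is hard-coded here in the shared server module while the matching ACL keys live in the TPS webapp's auth.properties, so the two can drift: a resource annotated `@AuthMethodMapping("x")` with no entry in this map gets whatever fallback the rest of the filter implements, which is not visible in this hunk. A comment at the head of this run of put() calls would make the coupling explicit, e.g. `// Every @AuthMethodMapping name must have an entry here; "connections" is the TPS connection REST resource`. The enclosing method starts and ends outside the hunk.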
diff --git a/base/tps-tomcat/shared/conf/acl.ldif b/base/tps-tomcat/shared/conf/acl.ldif
index b5bbdf7a2..7cd81bbdb 100644
--- a/base/tps-tomcat/shared/conf/acl.ldif
+++ b/base/tps-tomcat/shared/conf/acl.ldif
@@ -23,6 +23,7 @@ resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) gro
resourceACLS: certServer.tps.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
resourceACLS: certServer.tps.authenticators:read,add,modify,remove:allow (read,add,modify,remove) group="TUS Administrators":Only admins can access authenticators.
resourceACLS: certServer.tps.config:read,modify:allow (read,modify) group="TUS Administrators":Only admins can access configuration.
+resourceACLS: certServer.tps.connections:read,add,modify,remove:allow (read,add,modify,remove) group="TUS Administrators":Only admins can access configuration.
resourceACLS: certServer.tps.groups:execute:allow (execute) group="TUS Administrators":Admins may execute group operations
resourceACLS: certServer.tps.users:execute:allow (execute) group="TUS Administrators":Admins may execute user operations
resourceACLS: certServer.tps.profiles:read,add,modify,approve,remove:allow (read) group="TUS Administrators" || group="TUS Agents" ; allow (add,remove,modify) group="TUS Administrators" ; allow (approve) group="TUS Agents":Admins, agents, and operators can read profiles, but only admins can add, modify, and remove profiles, and only agents can approve profiles.
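Review bot: The description on the new `certServer.tps.connections` entry still reads "Only admins can access configuration." — copied from the config entry above it — so the ACL listing will misdescribe what it protects; the tail of the line should be `group="TUS Administrators":Only admins can access connections.`. Separately, acl.ldif is presumably only loaded when an instance is created, so an already-deployed TPS will not gain this entry from the file alone, and how the ACL check treats a resource with no matching entry (fail open or fail closed) is not visible in this hunk — worth confirming before relying on it for existing instances.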
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
index b21a0e03a..941bedd17 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
@@ -14,6 +14,10 @@ authenticators.modify = certServer.tps.authenticators,modify
authenticators.remove = certServer.tps.authenticators,remove
config.read = certServer.tps.config,read
config.modify = certServer.tps.config,modify
+connections.read = certServer.tps.connections,read
+connections.add = certServer.tps.connections,add
+connections.modify = certServer.tps.connections,modify
+connections.remove = certServer.tps.connections,remove
profiles.read = certServer.tps.profiles,read
profiles.add = certServer.tps.profiles,add
profiles.modify = certServer.tps.profiles,modify
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
index bd8958201..d80aab955 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
@@ -227,6 +227,19 @@
<security-constraint>
<web-resource-collection>
+ <web-resource-name>Connections</web-resource-name>
+ <url-pattern>/rest/connections/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
<web-resource-name>Profiles</web-resource-name>
<url-pattern>/rest/profiles/*</url-pattern>
</web-resource-collection>
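Review bot: `<role-name>*</role-name>` in the new Connections constraint means "any role declared in this descriptor" under Servlet 3.0 (the any-authenticated-user form is `**`, and only from Servlet 3.1), so on its own this constraint forces a client to authenticate and use TLS but performs no real authorization — that is left to the `connections.*` ACL mappings in the REST layer. This matches the Profiles constraint that follows it, but the division of labour is easy to misread, so a comment on the constraint would help: `<!-- Only requires an authenticated client over TLS; authorization is enforced by the connections.* ACL in the REST layer -->`. Which `<security-role>` entries TPS declares is not visible here, and the `*` semantics depend on them.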