authorEndi S. Dewata <edewata@redhat.com>2013-11-13 13:52:31 -0500
committerEndi S. Dewata <edewata@redhat.com>2013-11-14 16:54:54 -0500
commitb7716af212ba857f45efa7f1811d92e916abbe26 (patch)
treec8e78ae39fc3e7eea38e2c7aff2443d0cf1cf526 /base
parent0aab0a6d60f139e958020cc59e07faf9517c235b (diff)
downloadpki-b7716af212ba857f45efa7f1811d92e916abbe26.tar.gz
pki-b7716af212ba857f45efa7f1811d92e916abbe26.tar.xz
pki-b7716af212ba857f45efa7f1811d92e916abbe26.zip
Added ACL for TPS authenticators.
A new ACL has been added to allow only administrators to access TPS authenticators. The set of interceptors in each application has been changed to preserve their order. Ticket #652
Diffstat (limited to 'base')
-rw-r--r--base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java7
-rw-r--r--base/common/src/com/netscape/certsrv/tps/authenticator/AuthenticatorResource.java8
-rw-r--r--base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java8
-rw-r--r--base/ocsp/src/com/netscape/ocsp/OCSPApplication.java8
-rw-r--r--base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java1
-rw-r--r--base/tks/src/com/netscape/tks/TKSApplication.java6
-rw-r--r--base/tps-tomcat/shared/conf/acl.ldif1
-rw-r--r--base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties4
-rw-r--r--base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml26
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/TPSApplication.java6
10 files changed, 58 insertions, 17 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
index b26182dda..b20a544f5 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
@@ -1,6 +1,6 @@
package com.netscape.ca;
-import java.util.HashSet;
+import java.util.LinkedHashSet;
import java.util.Set;
import javax.ws.rs.core.Application;
@@ -25,8 +25,9 @@ import com.netscape.cmscore.logging.AuditService;
import com.netscape.cmscore.selftests.SelfTestService;
public class CertificateAuthorityApplication extends Application {
- private Set<Object> singletons = new HashSet<Object>();
- private Set<Class<?>> classes = new HashSet<Class<?>>();
+
+ private Set<Object> singletons = new LinkedHashSet<Object>();
+ private Set<Class<?>> classes = new LinkedHashSet<Class<?>>();
public CertificateAuthorityApplication() {
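Review bot: The switch of the `singletons` and `classes` fields to LinkedHashSet encodes an ordering dependency that nothing in the declaration records; the same change is made in KeyRecoveryAuthorityApplication, OCSPApplication, TKSApplication and TPSApplication. Add a comment above the fields, e.g. `// LinkedHashSet: the interceptors must be registered in insertion order (see commit b7716af)`. Note that the JAX-RS 2.0 API (ContainerRequestFilter is used in AuthMethodInterceptor) orders filters by @Priority rather than by the iteration order of getSingletons(), so whether RESTEasy honours set order is an implementation detail; if the authentication filter must run before the ACL filter, a @Priority annotation on each filter would pin that explicitly. The constructor that populates these sets begins on the last line of the hunk and its body is outside it.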
diff --git a/base/common/src/com/netscape/certsrv/tps/authenticator/AuthenticatorResource.java b/base/common/src/com/netscape/certsrv/tps/authenticator/AuthenticatorResource.java
index 8e9f7284a..6a2ef0d9a 100644
--- a/base/common/src/com/netscape/certsrv/tps/authenticator/AuthenticatorResource.java
+++ b/base/common/src/com/netscape/certsrv/tps/authenticator/AuthenticatorResource.java
@@ -31,11 +31,16 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
+import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
+
/**
* @author Endi S. Dewata
*/
@Path("authenticators")
+@AuthMethodMapping("authenticators")
+@ACLMapping("authenticators.read")
public interface AuthenticatorResource {
@GET
@@ -53,6 +58,7 @@ public interface AuthenticatorResource {
@ClientResponseType(entityType=AuthenticatorData.class)
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("authenticators.add")
public Response addAuthenticator(AuthenticatorData authenticatorData);
@PUT
@@ -60,6 +66,7 @@ public interface AuthenticatorResource {
@ClientResponseType(entityType=AuthenticatorData.class)
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("authenticators.modify")
public Response updateAuthenticator(
@PathParam("authenticatorID") String authenticatorID,
AuthenticatorData authenticatorData);
@@ -67,5 +74,6 @@ public interface AuthenticatorResource {
@DELETE
@Path("{authenticatorID}")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("authenticators.remove")
public void removeAuthenticator(@PathParam("authenticatorID") String authenticatorID);
}
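Review bot: The interface-level `@ACLMapping("authenticators.read")` serves as the default for every method without its own mapping, so a mutating method added later without an annotation would be checked against the read ACL only; this convention is not written down in the file. Extend the existing Javadoc with a sentence such as `The interface-level {@code @ACLMapping} covers the read-only methods; every mutating method must declare its own mapping.`. That the ACL interceptor falls back to the class-level mapping is inferred from the annotation placement here and should be confirmed against the interceptor. The @GET methods between the hunks are not visible on this page.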
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
index 5e6aa048d..0b311427f 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
@@ -1,6 +1,6 @@
package com.netscape.kra;
-import java.util.HashSet;
+import java.util.LinkedHashSet;
import java.util.Set;
import javax.ws.rs.core.Application;
@@ -15,8 +15,8 @@ import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupService;
import com.netscape.cms.servlet.admin.SystemCertService;
import com.netscape.cms.servlet.admin.UserService;
-import com.netscape.cms.servlet.csadmin.SystemConfigService;
import com.netscape.cms.servlet.csadmin.SecurityDomainService;
+import com.netscape.cms.servlet.csadmin.SystemConfigService;
import com.netscape.cms.servlet.key.KeyService;
import com.netscape.cms.servlet.request.KeyRequestService;
import com.netscape.cmscore.logging.AuditService;
@@ -24,8 +24,8 @@ import com.netscape.cmscore.selftests.SelfTestService;
public class KeyRecoveryAuthorityApplication extends Application {
- private Set<Object> singletons = new HashSet<Object>();
- private Set<Class<?>> classes = new HashSet<Class<?>>();
+ private Set<Object> singletons = new LinkedHashSet<Object>();
+ private Set<Class<?>> classes = new LinkedHashSet<Class<?>>();
public KeyRecoveryAuthorityApplication() {
diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
index a134e5c84..21b81f47f 100644
--- a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
+++ b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
@@ -1,6 +1,6 @@
package com.netscape.ocsp;
-import java.util.HashSet;
+import java.util.LinkedHashSet;
import java.util.Set;
import javax.ws.rs.core.Application;
@@ -15,15 +15,15 @@ import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupService;
import com.netscape.cms.servlet.admin.SystemCertService;
import com.netscape.cms.servlet.admin.UserService;
+import com.netscape.cms.servlet.csadmin.SecurityDomainService;
import com.netscape.cms.servlet.csadmin.SystemConfigService;
import com.netscape.cmscore.logging.AuditService;
-import com.netscape.cms.servlet.csadmin.SecurityDomainService;
import com.netscape.cmscore.selftests.SelfTestService;
public class OCSPApplication extends Application {
- private Set<Object> singletons = new HashSet<Object>();
- private Set<Class<?>> classes = new HashSet<Class<?>>();
+ private Set<Object> singletons = new LinkedHashSet<Object>();
+ private Set<Class<?>> classes = new LinkedHashSet<Class<?>>();
public OCSPApplication() {
diff --git a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
index 25e24a540..a656b4596 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
@@ -70,6 +70,7 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
authMethodProperties.put("account", "certUserDBAuthMgr,passwdUserDBAuthMgr");
authMethodProperties.put("admin", "certUserDBAuthMgr");
authMethodProperties.put("agent", "certUserDBAuthMgr");
+ authMethodProperties.put("authenticators", "certUserDBAuthMgr");
authMethodProperties.put("profiles", "certUserDBAuthMgr");
authMethodProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr");
authMethodProperties.put("tokens", "certUserDBAuthMgr");
diff --git a/base/tks/src/com/netscape/tks/TKSApplication.java b/base/tks/src/com/netscape/tks/TKSApplication.java
index 1f31bae37..f4a8730d9 100644
--- a/base/tks/src/com/netscape/tks/TKSApplication.java
+++ b/base/tks/src/com/netscape/tks/TKSApplication.java
@@ -1,6 +1,6 @@
package com.netscape.tks;
-import java.util.HashSet;
+import java.util.LinkedHashSet;
import java.util.Set;
import javax.ws.rs.core.Application;
@@ -19,8 +19,8 @@ import com.netscape.cmscore.selftests.SelfTestService;
public class TKSApplication extends Application {
- private Set<Object> singletons = new HashSet<Object>();
- private Set<Class<?>> classes = new HashSet<Class<?>>();
+ private Set<Object> singletons = new LinkedHashSet<Object>();
+ private Set<Class<?>> classes = new LinkedHashSet<Class<?>>();
public TKSApplication() {
diff --git a/base/tps-tomcat/shared/conf/acl.ldif b/base/tps-tomcat/shared/conf/acl.ldif
index 1e1d8740c..db7dbe357 100644
--- a/base/tps-tomcat/shared/conf/acl.ldif
+++ b/base/tps-tomcat/shared/conf/acl.ldif
@@ -21,6 +21,7 @@ resourceACLS: certServer.admin.certificate:import:allow (import) user="anybody":
resourceACLS: certServer.admin.request.enrollment:submit,read,execute:allow (submit) user="anybody":Anybody may submit an enrollment request
resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
resourceACLS: certServer.tps.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
+resourceACLS: certServer.tps.authenticators:read,add,modify,remove:allow (read,add,modify,remove) group="TUS Administrators":Only admins can access authenticators.
resourceACLS: certServer.tps.groups:execute:allow (execute) group="TUS Administrators":Admins may execute group operations
resourceACLS: certServer.tps.users:execute:allow (execute) group="TUS Administrators":Admins may execute user operations
resourceACLS: certServer.tps.profiles:read,add,modify,approve,remove:allow (read) group="TUS Administrators" || group="TUS Agents" ; allow (add,remove,modify) group="TUS Administrators" ; allow (approve) group="TUS Agents":Admins, agents, and operators can read profiles, but only admins can add, modify, and remove profiles, and only agents can approve profiles.
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
index 4d18d757a..7e219d78a 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
@@ -8,6 +8,10 @@ account.login = certServer.tps.account,login
account.logout = certServer.tps.account,logout
admin.users = certServer.tps.users,execute
admin.groups = certServer.tps.groups,execute
+authenticators.read = certServer.tps.authenticators,read
+authenticators.add = certServer.tps.authenticators,add
+authenticators.modify = certServer.tps.authenticators,modify
+authenticators.remove = certServer.tps.authenticators,remove
profiles.read = certServer.tps.profiles,read
profiles.add = certServer.tps.profiles,add
profiles.modify = certServer.tps.profiles,modify
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
index 056de68e0..eb0b7195b 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
@@ -201,6 +201,32 @@
<security-constraint>
<web-resource-collection>
+ <web-resource-name>Authenticators</web-resource-name>
+ <url-pattern>/rest/authenticators/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Profiles</web-resource-name>
+ <url-pattern>/rest/profiles/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
<web-resource-name>Token Services</web-resource-name>
<url-pattern>/rest/tokens/*</url-pattern>
</web-resource-collection>
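Review bot: The Profiles security-constraint added alongside the Authenticators one is not mentioned in the commit description, which only covers authenticators; either name it there or move it to its own commit. Both new constraints use `<role-name>*</role-name>`, so the container gate only requires a user holding one of the security-roles declared in the descriptor, and the admin-only restriction rests entirely on the ACL mapping in the REST layer; a comment above each constraint such as `<!-- container-level gate only; admin-only access is enforced by ACLMapping on the resource -->` would make that division explicit. The login-config and security-role declarations that determine whom `*` matches are outside this hunk.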
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/TPSApplication.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/TPSApplication.java
index 5ec99bc11..2571e2604 100644
--- a/base/tps-tomcat/src/org/dogtagpki/server/tps/TPSApplication.java
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/TPSApplication.java
@@ -17,7 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package org.dogtagpki.server.tps;
-import java.util.HashSet;
+import java.util.LinkedHashSet;
import java.util.Set;
import javax.ws.rs.core.Application;
@@ -47,8 +47,8 @@ import com.netscape.cmscore.selftests.SelfTestService;
*/
public class TPSApplication extends Application {
- private Set<Object> singletons = new HashSet<Object>();
- private Set<Class<?>> classes = new HashSet<Class<?>>();
+ private Set<Object> singletons = new LinkedHashSet<Object>();
+ private Set<Class<?>> classes = new LinkedHashSet<Class<?>>();
public TPSApplication() {