| author | Ade Lee <alee@redhat.com> | 2016-05-25 18:53:22 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2016-06-02 19:44:38 -0400 |
| commit | 2c8418e962148abbd45f51f968bb1dbc826a641d (patch) | |
| tree | cc55a0a7703147dc03a3f2ce513b6076dab40a92 /base | |
| parent | f51278ca75c028b7658caa2052d435c488eebe92 (diff) | |
Change legacy requests servlet to check realm
The legacy KRA servlet has been modified to check the realm
if present in the request, or only return non-realm requests
if not present.
No attempt is made to fix the error reporting of the servlet.
As such, an authz failure due to the realm check is handled
in the same way that other authz failures are handled.
Diffstat (limited to 'base')
| -rw-r--r-- | base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java
index 09bf3a0b8..146db7b3b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java
@@ -32,6 +32,7 @@ import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authorization.AuthzToken;
 import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzException;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IArgBlock;
 import com.netscape.certsrv.common.ICMSRequest;
@@ -45,6 +46,7 @@ import com.netscape.cms.servlet.common.CMSRequest;
 import com.netscape.cms.servlet.common.CMSTemplate;
 import com.netscape.cms.servlet.common.CMSTemplateParams;
 import com.netscape.cms.servlet.common.ECMSGWException;
+import com.netscape.cmsutil.ldap.LDAPUtil;
 /**
 * Show paged list of requests matching search criteria
@@ -67,6 +69,7 @@ public class QueryReq extends CMSServlet {
 private final static String IN_MAXCOUNT = "maxCount";
 private final static String IN_TOTALCOUNT = "totalRecordCount";
 private final static String PROP_PARSER = "parser";
+ private final static String REALM = "realm";
 private final static String TPL_FILE = "queryReq.template";
@@ -232,6 +235,20 @@ public class QueryReq extends CMSServlet {
 return;
 }
+ String realm = null;
+ if (mAuthority.getId().equals("kra")) {
+ // for the KRA, check the realm (if present)
+ realm = req.getParameter(REALM);
+ try {
+ mAuthz.checkRealm(realm, authToken, null, mAuthzResourceName, "list");
+ } catch (EAuthzException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
+ cmsReq.setStatus(ICMSRequest.UNAUTHORIZED);
+ return;
+ }
+ }
+
 CMSTemplate form = null;
 Locale[] locale = new Locale[1];
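Review bot: In the `@@ -232,6 +235,20 @@` hunk the `realm` value is taken from `req.getParameter(REALM)` as-is, so a request carrying an empty `realm=` yields `""` rather than `null`. That value is then passed to `mAuthz.checkRealm(...)` and later selects the `realm != null` branch of the filter, and whether `checkRealm` rejects or accepts an empty realm is not visible here. I would make the intent explicit right after the read, either by rejecting blank values or by treating them as absent, e.g. `if (realm != null && realm.trim().isEmpty()) realm = null;`, and say in the comment which of the two is meant. The realm denial is also logged under the generic `ADMIN_SRVLT_AUTH_FAILURE` message, so it helps to include the requested realm in the logged text so an operator can tell a realm denial from any other authz failure. The enclosing method starts and ends outside the hunk.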
@@ -269,6 +286,15 @@ public class QueryReq extends CMSServlet {
 getRequestType(reqType) + ")";
 }
+ if (mAuthority.getId().equals("kra")) {
+ // add realm to filter for KRA requests
+ if (realm != null) {
+ filter = "(&" + filter + "(realm=" + LDAPUtil.escapeFilter(realm) +"))";
+ } else {
+ filter = "(&" + filter + "(!(realm=*)))";
+ }
+ }
+
 String direction = "begin";
 if (req.getParameter("direction") != null) {
 direction = req.getParameter("direction").trim();
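Review bot: The realm restriction added here holds only if `filter` is already one complete, balanced LDAP filter expression when it is wrapped in `(&` ... `)`, and only if nothing later in the method (outside this hunk) appends to or replaces `filter`. The code that builds `filter` from the request type and state starts above the hunk, so I cannot confirm that its inputs are escaped the way `realm` is with `LDAPUtil.escapeFilter`; that is worth checking. I would state the invariant at the site, e.g. `// realm clause must be the outermost AND and the last change to filter; it enforces the realm authorized by checkRealm above`. The `mAuthority.getId().equals("kra")` test now appears twice in the method, so computing it once into a local such as `boolean isKra` keeps the authorization check and the filter restriction from drifting apart. Minor style: `+"))"` is missing the space after `+`.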
