-rw-r--r--base/common/src/com/netscape/certsrv/tps/config/ConfigResource.java6
-rw-r--r--base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java1
-rw-r--r--base/tps-tomcat/shared/conf/acl.ldif1
-rw-r--r--base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties2
-rw-r--r--base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml13
5 files changed, 23 insertions, 0 deletions
diff --git a/base/common/src/com/netscape/certsrv/tps/config/ConfigResource.java b/base/common/src/com/netscape/certsrv/tps/config/ConfigResource.java
index e1076a48e..21cb3f0b1 100644
--- a/base/common/src/com/netscape/certsrv/tps/config/ConfigResource.java
+++ b/base/common/src/com/netscape/certsrv/tps/config/ConfigResource.java
@@ -27,11 +27,16 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
+import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
+
/**
* @author Endi S. Dewata
*/
@Path("config")
+@AuthMethodMapping("config")
+@ACLMapping("config.read")
public interface ConfigResource {
@GET
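Review bot: The interface-level `@AuthMethodMapping("config")` and `@ACLMapping("config.read")` are undocumented, and the Javadoc above them still carries only the `@author` tag. Both values are plain string keys that must agree with the `config` entry added to AuthMethodInterceptor and the `config.read`/`config.modify` keys added to auth.properties in this same commit, and nothing in the code ties them together. I would extend the Javadoc with a sentence such as `Requests to this resource authenticate via the "config" auth-method mapping and are authorized against the "config.read" ACL unless a method declares its own mapping, as updateConfig does with "config.modify" in the next hunk.` The precedence between interface- and method-level `@ACLMapping` is decided by the interceptor, which is not visible here, so confirm that wording against it. The ConfigResource interface continues past the end of this hunk.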
@@ -42,5 +47,6 @@ public interface ConfigResource {
@ClientResponseType(entityType=ConfigData.class)
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("config.modify")
public Response updateConfig(ConfigData configData);
}
diff --git a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
index a656b4596..afcc17514 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
@@ -70,6 +70,7 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
authMethodProperties.put("account", "certUserDBAuthMgr,passwdUserDBAuthMgr");
authMethodProperties.put("admin", "certUserDBAuthMgr");
authMethodProperties.put("agent", "certUserDBAuthMgr");
+ authMethodProperties.put("config", "certUserDBAuthMgr");
authMethodProperties.put("authenticators", "certUserDBAuthMgr");
authMethodProperties.put("profiles", "certUserDBAuthMgr");
authMethodProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr");
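Review bot: The new `config` entry is inserted between `agent` and `authenticators`, which breaks the otherwise alphabetical order of the surrounding `authMethodProperties.put` calls; moving it to just below the `authenticators` line keeps the default table scannable. The value `certUserDBAuthMgr` alone, with no password manager as `account` has, matches the `admin` and `agent` defaults and looks intentional for a configuration endpoint, but a one-line comment above the entry saying so would save the next reader the comparison. The enclosing method starts before this hunk.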
diff --git a/base/tps-tomcat/shared/conf/acl.ldif b/base/tps-tomcat/shared/conf/acl.ldif
index db7dbe357..b5bbdf7a2 100644
--- a/base/tps-tomcat/shared/conf/acl.ldif
+++ b/base/tps-tomcat/shared/conf/acl.ldif
@@ -22,6 +22,7 @@ resourceACLS: certServer.admin.request.enrollment:submit,read,execute:allow (sub
resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
resourceACLS: certServer.tps.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
resourceACLS: certServer.tps.authenticators:read,add,modify,remove:allow (read,add,modify,remove) group="TUS Administrators":Only admins can access authenticators.
+resourceACLS: certServer.tps.config:read,modify:allow (read,modify) group="TUS Administrators":Only admins can access configuration.
resourceACLS: certServer.tps.groups:execute:allow (execute) group="TUS Administrators":Admins may execute group operations
resourceACLS: certServer.tps.users:execute:allow (execute) group="TUS Administrators":Admins may execute user operations
resourceACLS: certServer.tps.profiles:read,add,modify,approve,remove:allow (read) group="TUS Administrators" || group="TUS Agents" ; allow (add,remove,modify) group="TUS Administrators" ; allow (approve) group="TUS Agents":Admins, agents, and operators can read profiles, but only admins can add, modify, and remove profiles, and only agents can approve profiles.
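Review bot: The new `certServer.tps.config` entry is the only place in this commit that narrows configuration access to `TUS Administrators`: the web.xml constraint added for `/rest/config/*` admits any authenticated role (`<role-name>*</role-name>`), so the container check is just "authenticated over TLS" and this line is the effective gate. How the ACL interceptor treats a missing resource entry is not visible here, so a misspelled or dropped entry should be assumed to weaken access control rather than deny it — worth a test. Since acl.ldif appears to be loaded into the directory at instance creation, instances created before this change presumably do not receive the entry automatically; confirm whether an upgrade step adds it.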
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
index 7e219d78a..b21a0e03a 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
@@ -12,6 +12,8 @@ authenticators.read = certServer.tps.authenticators,read
authenticators.add = certServer.tps.authenticators,add
authenticators.modify = certServer.tps.authenticators,modify
authenticators.remove = certServer.tps.authenticators,remove
+config.read = certServer.tps.config,read
+config.modify = certServer.tps.config,modify
profiles.read = certServer.tps.profiles,read
profiles.add = certServer.tps.profiles,add
profiles.modify = certServer.tps.profiles,modify
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
index eb0b7195b..bd8958201 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
@@ -214,6 +214,19 @@
<security-constraint>
<web-resource-collection>
+ <web-resource-name>Configuration</web-resource-name>
+ <url-pattern>/rest/config/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
<web-resource-name>Profiles</web-resource-name>
<url-pattern>/rest/profiles/*</url-pattern>
</web-resource-collection>