-rw-r--r--base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java7
-rw-r--r--base/common/src/com/netscape/certsrv/tps/authenticator/AuthenticatorResource.java8
-rw-r--r--base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java8
-rw-r--r--base/ocsp/src/com/netscape/ocsp/OCSPApplication.java8
-rw-r--r--base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java1
-rw-r--r--base/tks/src/com/netscape/tks/TKSApplication.java6
-rw-r--r--base/tps-tomcat/shared/conf/acl.ldif1
-rw-r--r--base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties4
-rw-r--r--base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml26
-rw-r--r--base/tps-tomcat/src/org/dogtagpki/server/tps/TPSApplication.java6
10 files changed, 58 insertions, 17 deletions
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
index b26182dda..b20a544f5 100644
--- a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
+++ b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java
@@ -1,6 +1,6 @@
package com.netscape.ca;
-import java.util.HashSet;
+import java.util.LinkedHashSet;
import java.util.Set;
import javax.ws.rs.core.Application;
@@ -25,8 +25,9 @@ import com.netscape.cmscore.logging.AuditService;
import com.netscape.cmscore.selftests.SelfTestService;
public class CertificateAuthorityApplication extends Application {
- private Set<Object> singletons = new HashSet<Object>();
- private Set<Class<?>> classes = new HashSet<Class<?>>();
+
+ private Set<Object> singletons = new LinkedHashSet<Object>();
+ private Set<Class<?>> classes = new LinkedHashSet<Class<?>>();
public CertificateAuthorityApplication() {
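Review bot: Replacing `HashSet` with `LinkedHashSet` for the `singletons` and `classes` fields makes their iteration order deterministic and equal to insertion order, yet nothing in the hunk records why that order now matters; the same change is made in KeyRecoveryAuthorityApplication, OCSPApplication, TKSApplication and TPSApplication in this commit. Presumably the intent is that JAX-RS providers such as AuthMethodInterceptor are registered in the order the constructor adds them, but that is inferred rather than visible here. A field comment such as `// LinkedHashSet: providers are registered in insertion order, which the constructor relies on` would make the dependency explicit for the next maintainer. The constructor that populates these sets continues outside the hunk.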
diff --git a/base/common/src/com/netscape/certsrv/tps/authenticator/AuthenticatorResource.java b/base/common/src/com/netscape/certsrv/tps/authenticator/AuthenticatorResource.java
index 8e9f7284a..6a2ef0d9a 100644
--- a/base/common/src/com/netscape/certsrv/tps/authenticator/AuthenticatorResource.java
+++ b/base/common/src/com/netscape/certsrv/tps/authenticator/AuthenticatorResource.java
@@ -31,11 +31,16 @@ import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.ClientResponseType;
+import com.netscape.certsrv.acls.ACLMapping;
+import com.netscape.certsrv.authentication.AuthMethodMapping;
+
/**
* @author Endi S. Dewata
*/
@Path("authenticators")
+@AuthMethodMapping("authenticators")
+@ACLMapping("authenticators.read")
public interface AuthenticatorResource {
@GET
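Review bot: The interface-level `@ACLMapping("authenticators.read")` acts as the default for every method that carries no mapping of its own, so the GET operation beginning at the end of this hunk is presumably authorized as a read, but that implicit inheritance is not stated anywhere in the file. The keys `authenticators.read`, `add`, `modify` and `remove` used on this interface match the entries added to auth.properties, and `@AuthMethodMapping("authenticators")` matches the new AuthMethodInterceptor entry, so the three mappings agree. I would add to the class Javadoc: `The class-level ACL mapping covers read operations; write operations override it per method.` The GET method starts at the end of this hunk and continues outside it.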
@@ -53,6 +58,7 @@ public interface AuthenticatorResource {
@ClientResponseType(entityType=AuthenticatorData.class)
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("authenticators.add")
public Response addAuthenticator(AuthenticatorData authenticatorData);
@PUT
@@ -60,6 +66,7 @@ public interface AuthenticatorResource {
@ClientResponseType(entityType=AuthenticatorData.class)
@Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("authenticators.modify")
public Response updateAuthenticator(
@PathParam("authenticatorID") String authenticatorID,
AuthenticatorData authenticatorData);
@@ -67,5 +74,6 @@ public interface AuthenticatorResource {
@DELETE
@Path("{authenticatorID}")
@Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
+ @ACLMapping("authenticators.remove")
public void removeAuthenticator(@PathParam("authenticatorID") String authenticatorID);
}
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
index 5e6aa048d..0b311427f 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java
@@ -1,6 +1,6 @@
package com.netscape.kra;
-import java.util.HashSet;
+import java.util.LinkedHashSet;
import java.util.Set;
import javax.ws.rs.core.Application;
@@ -15,8 +15,8 @@ import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupService;
import com.netscape.cms.servlet.admin.SystemCertService;
import com.netscape.cms.servlet.admin.UserService;
-import com.netscape.cms.servlet.csadmin.SystemConfigService;
import com.netscape.cms.servlet.csadmin.SecurityDomainService;
+import com.netscape.cms.servlet.csadmin.SystemConfigService;
import com.netscape.cms.servlet.key.KeyService;
import com.netscape.cms.servlet.request.KeyRequestService;
import com.netscape.cmscore.logging.AuditService;
@@ -24,8 +24,8 @@ import com.netscape.cmscore.selftests.SelfTestService;
public class KeyRecoveryAuthorityApplication extends Application {
- private Set<Object> singletons = new HashSet<Object>();
- private Set<Class<?>> classes = new HashSet<Class<?>>();
+ private Set<Object> singletons = new LinkedHashSet<Object>();
+ private Set<Class<?>> classes = new LinkedHashSet<Class<?>>();
public KeyRecoveryAuthorityApplication() {
diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
index a134e5c84..21b81f47f 100644
--- a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
+++ b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
@@ -1,6 +1,6 @@
package com.netscape.ocsp;
-import java.util.HashSet;
+import java.util.LinkedHashSet;
import java.util.Set;
import javax.ws.rs.core.Application;
@@ -15,15 +15,15 @@ import com.netscape.cms.servlet.account.AccountService;
import com.netscape.cms.servlet.admin.GroupService;
import com.netscape.cms.servlet.admin.SystemCertService;
import com.netscape.cms.servlet.admin.UserService;
+import com.netscape.cms.servlet.csadmin.SecurityDomainService;
import com.netscape.cms.servlet.csadmin.SystemConfigService;
import com.netscape.cmscore.logging.AuditService;
-import com.netscape.cms.servlet.csadmin.SecurityDomainService;
import com.netscape.cmscore.selftests.SelfTestService;
public class OCSPApplication extends Application {
- private Set<Object> singletons = new HashSet<Object>();
- private Set<Class<?>> classes = new HashSet<Class<?>>();
+ private Set<Object> singletons = new LinkedHashSet<Object>();
+ private Set<Class<?>> classes = new LinkedHashSet<Class<?>>();
public OCSPApplication() {
diff --git a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
index 25e24a540..a656b4596 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
@@ -70,6 +70,7 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
authMethodProperties.put("account", "certUserDBAuthMgr,passwdUserDBAuthMgr");
authMethodProperties.put("admin", "certUserDBAuthMgr");
authMethodProperties.put("agent", "certUserDBAuthMgr");
+ authMethodProperties.put("authenticators", "certUserDBAuthMgr");
authMethodProperties.put("profiles", "certUserDBAuthMgr");
authMethodProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr");
authMethodProperties.put("tokens", "certUserDBAuthMgr");
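Review bot: The new `authenticators` entry extends an authentication-method table that is hard-coded in the interceptor, while the matching ACL mapping lives in WEB-INF/auth.properties and the ACL itself in acl.ldif, so adding a resource requires three coordinated edits with no cross-reference between them. A short comment above the table, `// keys must match @AuthMethodMapping values; ACL names live in WEB-INF/auth.properties`, would help keep them in step. The enclosing method starts before this hunk.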
diff --git a/base/tks/src/com/netscape/tks/TKSApplication.java b/base/tks/src/com/netscape/tks/TKSApplication.java
index 1f31bae37..f4a8730d9 100644
--- a/base/tks/src/com/netscape/tks/TKSApplication.java
+++ b/base/tks/src/com/netscape/tks/TKSApplication.java
@@ -1,6 +1,6 @@
package com.netscape.tks;
-import java.util.HashSet;
+import java.util.LinkedHashSet;
import java.util.Set;
import javax.ws.rs.core.Application;
@@ -19,8 +19,8 @@ import com.netscape.cmscore.selftests.SelfTestService;
public class TKSApplication extends Application {
- private Set<Object> singletons = new HashSet<Object>();
- private Set<Class<?>> classes = new HashSet<Class<?>>();
+ private Set<Object> singletons = new LinkedHashSet<Object>();
+ private Set<Class<?>> classes = new LinkedHashSet<Class<?>>();
public TKSApplication() {
diff --git a/base/tps-tomcat/shared/conf/acl.ldif b/base/tps-tomcat/shared/conf/acl.ldif
index 1e1d8740c..db7dbe357 100644
--- a/base/tps-tomcat/shared/conf/acl.ldif
+++ b/base/tps-tomcat/shared/conf/acl.ldif
@@ -21,6 +21,7 @@ resourceACLS: certServer.admin.certificate:import:allow (import) user="anybody":
resourceACLS: certServer.admin.request.enrollment:submit,read,execute:allow (submit) user="anybody":Anybody may submit an enrollment request
resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
resourceACLS: certServer.tps.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
+resourceACLS: certServer.tps.authenticators:read,add,modify,remove:allow (read,add,modify,remove) group="TUS Administrators":Only admins can access authenticators.
resourceACLS: certServer.tps.groups:execute:allow (execute) group="TUS Administrators":Admins may execute group operations
resourceACLS: certServer.tps.users:execute:allow (execute) group="TUS Administrators":Admins may execute user operations
resourceACLS: certServer.tps.profiles:read,add,modify,approve,remove:allow (read) group="TUS Administrators" || group="TUS Agents" ; allow (add,remove,modify) group="TUS Administrators" ; allow (approve) group="TUS Agents":Admins, agents, and operators can read profiles, but only admins can add, modify, and remove profiles, and only agents can approve profiles.
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
index 4d18d757a..7e219d78a 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/auth.properties
@@ -8,6 +8,10 @@ account.login = certServer.tps.account,login
account.logout = certServer.tps.account,logout
admin.users = certServer.tps.users,execute
admin.groups = certServer.tps.groups,execute
+authenticators.read = certServer.tps.authenticators,read
+authenticators.add = certServer.tps.authenticators,add
+authenticators.modify = certServer.tps.authenticators,modify
+authenticators.remove = certServer.tps.authenticators,remove
profiles.read = certServer.tps.profiles,read
profiles.add = certServer.tps.profiles,add
profiles.modify = certServer.tps.profiles,modify
diff --git a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
index 056de68e0..eb0b7195b 100644
--- a/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
+++ b/base/tps-tomcat/shared/webapps/tps/WEB-INF/web.xml
@@ -201,6 +201,32 @@
<security-constraint>
<web-resource-collection>
+ <web-resource-name>Authenticators</web-resource-name>
+ <url-pattern>/rest/authenticators/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
+ <web-resource-name>Profiles</web-resource-name>
+ <url-pattern>/rest/profiles/*</url-pattern>
+ </web-resource-collection>
+ <auth-constraint>
+ <role-name>*</role-name>
+ </auth-constraint>
+ <user-data-constraint>
+ <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+ </user-data-constraint>
+ </security-constraint>
+
+ <security-constraint>
+ <web-resource-collection>
<web-resource-name>Token Services</web-resource-name>
<url-pattern>/rest/tokens/*</url-pattern>
</web-resource-collection>
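Review bot: The two new constraints use `<role-name>*</role-name>`, which requires container authentication but admits any authenticated role, leaving the real authorization decision to the `@ACLMapping` interceptor; web.xml says nothing about that split, and a reader could mistake `*` for an oversight. An XML comment above each new constraint, `<!-- any authenticated user; authorization is enforced by @ACLMapping -->`, would record the intent. Both collections omit `<http-method>`, so every verb on the pattern is covered, which is the safer form. The Profiles constraint appears to be new in this commit although the profiles resource already existed, which suggests `/rest/profiles/*` was previously reachable without container authentication; worth confirming and noting in the commit description.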
diff --git a/base/tps-tomcat/src/org/dogtagpki/server/tps/TPSApplication.java b/base/tps-tomcat/src/org/dogtagpki/server/tps/TPSApplication.java
index 5ec99bc11..2571e2604 100644
--- a/base/tps-tomcat/src/org/dogtagpki/server/tps/TPSApplication.java
+++ b/base/tps-tomcat/src/org/dogtagpki/server/tps/TPSApplication.java
@@ -17,7 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package org.dogtagpki.server.tps;
-import java.util.HashSet;
+import java.util.LinkedHashSet;
import java.util.Set;
import javax.ws.rs.core.Application;
@@ -47,8 +47,8 @@ import com.netscape.cmscore.selftests.SelfTestService;
*/
public class TPSApplication extends Application {
- private Set<Object> singletons = new HashSet<Object>();
- private Set<Class<?>> classes = new HashSet<Class<?>>();
+ private Set<Object> singletons = new LinkedHashSet<Object>();
+ private Set<Class<?>> classes = new LinkedHashSet<Class<?>>();
public TPSApplication() {