6 files changed, 34 insertions, 14 deletions
diff --git a/base/common/src/com/netscape/certsrv/tps/TPSClient.java b/base/common/src/com/netscape/certsrv/tps/TPSClient.java
index 38aff46bd..263b92b3a 100644
--- a/base/common/src/com/netscape/certsrv/tps/TPSClient.java
+++ b/base/common/src/com/netscape/certsrv/tps/TPSClient.java
@@ -23,6 +23,7 @@ import com.netscape.certsrv.client.PKIClient;
 import com.netscape.certsrv.client.SubsystemClient;
 import com.netscape.certsrv.logging.ActivityClient;
 import com.netscape.certsrv.token.TokenClient;
+import com.netscape.certsrv.user.UserClient;
 
 /**
  * @author Endi S. Dewata
@@ -37,5 +38,6 @@ public class TPSClient extends SubsystemClient {
     public void init() throws URISyntaxException {
         addClient(new ActivityClient(client, name));
         addClient(new TokenClient(client, name));
+        addClient(new UserClient(client, name));
     }
 }
diff --git a/base/common/src/com/netscape/cms/authorization/ACLInterceptor.java b/base/common/src/com/netscape/cms/authorization/ACLInterceptor.java
index 53160bb8c..1e7adf190 100644
--- a/base/common/src/com/netscape/cms/authorization/ACLInterceptor.java
+++ b/base/common/src/com/netscape/cms/authorization/ACLInterceptor.java
@@ -89,18 +89,23 @@ public class ACLInterceptor implements PreProcessInterceptor {
         }
 
         // If still not available, it's unprotected, allow request.
-        if (aclMapping == null) return null;
+        if (aclMapping == null) {
+            CMS.debug("ACLInterceptor: No ACL mapping.");
+            return null;
+        }
 
         Principal principal = securityContext.getUserPrincipal();
 
         // If unauthenticated, reject request.
         if (principal == null) {
+            CMS.debug("ACLInterceptor: No user principal provided.");
             throw new ForbiddenException("No user principal provided.");
         }
 
         // If unrecognized principal, reject request.
         if (!(principal instanceof PKIPrincipal)) {
-            throw new ForbiddenException("Invalid user principal");
+            CMS.debug("ACLInterceptor: Invalid user principal.");
+            throw new ForbiddenException("Invalid user principal.");
         }
 
         PKIPrincipal pkiPrincipal = (PKIPrincipal)principal;
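Review bot: The two allow paths added in this hunk and in the `@@ -118` hunk (`No ACL mapping.` and `No ACL configuration.`) log an authorization-bypass decision at debug level without naming the resource that was allowed, so the line cannot be matched to an endpoint when the log is reviewed. AuthMethodInterceptor in this same commit logs `clazz.getSimpleName()+"."+method.getName()`; if the resource class and method are in scope earlier in this method (its start is outside the hunk), include them, e.g. `CMS.debug("ACLInterceptor: No ACL mapping for " + clazz.getSimpleName() + "." + method.getName() + "(), allowing request.");`. An endpoint that is reachable with no ACL at all is exactly what a deployer needs to be able to spot, and a debug-level line that is presumably off in production is easy to miss.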
@@ -108,6 +113,7 @@ public class ACLInterceptor implements PreProcessInterceptor {
 
         // If missing auth token, reject request.
         if (authToken == null) {
+            CMS.debug("ACLInterceptor: No authorization token present.");
             throw new ForbiddenException("No authorization token present.");
         }
 
@@ -118,12 +124,16 @@ public class ACLInterceptor implements PreProcessInterceptor {
             String value = authProperties.getProperty(name);
 
             // If no property defined, allow request.
-            if (value == null) return null;
+            if (value == null) {
+                CMS.debug("ACLInterceptor: No ACL configuration.");
+                return null;
+            }
 
             String values[] = value.split(",");
 
             // If invalid mapping, reject request.
             if (values.length != 2) {
+                CMS.debug("ACLInterceptor: Invalid ACL mapping.");
                 throw new ForbiddenException("Invalid ACL mapping.");
             }
 
@@ -137,10 +147,12 @@ public class ACLInterceptor implements PreProcessInterceptor {
 
             // If not authorized, reject request.
             if (authzToken == null) {
+                CMS.debug("ACLInterceptor: No authorization token present.");
                 throw new ForbiddenException("No authorization token present.");
             }
 
         } catch (EAuthzAccessDenied e) {
+            CMS.debug("ACLInterceptor: " + e.getMessage());
             throw new ForbiddenException(e.toString());
 
         } catch (IOException|EBaseException e) {
diff --git a/base/common/src/com/netscape/cms/authorization/AuthMethodInterceptor.java b/base/common/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
index 8d7bcb3c6..c9e442769 100644
--- a/base/common/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
+++ b/base/common/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
@@ -38,6 +38,7 @@ import org.jboss.resteasy.spi.Failure;
 import org.jboss.resteasy.spi.HttpRequest;
 import org.jboss.resteasy.spi.interception.PreProcessInterceptor;
 
+import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.AuthMethodMapping;
 import com.netscape.certsrv.authentication.AuthToken;
 import com.netscape.certsrv.authentication.IAuthToken;
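Review bot: The debug message added for `authzToken == null` in the `@@ -137` hunk, `No authorization token present.`, is the same text the `@@ -108` hunk logs for `authToken == null`, so a log reader cannot tell a request that carried no authentication token from one the authorization manager declined; name the condition, e.g. `CMS.debug("ACLInterceptor: Authorization check returned no token.");`. In the same hunk the `EAuthzAccessDenied` branch now logs `e.getMessage()` but still throws `ForbiddenException(e.toString())`, which returns the exception class name to the client while every other rejection in this interceptor uses a fixed string; a fixed message such as `throw new ForbiddenException("Access denied.");` with the detail kept in the debug log would be consistent with the rest, if no client depends on the current text. The enclosing method continues past the end of the hunk.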
@@ -89,7 +90,7 @@ public class AuthMethodInterceptor implements PreProcessInterceptor {
         Class<?> clazz = resourceMethod.getResourceClass();
         Method method = resourceMethod.getMethod();
 
-        System.out.println("AuthInterceptor: "+clazz.getSimpleName()+"."+method.getName()+"()");
+        CMS.debug("AuthMethodInterceptor: "+clazz.getSimpleName()+"."+method.getName()+"()");
 
         // Get authentication mapping for the method.
         AuthMethodMapping authMapping = method.getAnnotation(AuthMethodMapping.class);
@@ -108,7 +109,7 @@ public class AuthMethodInterceptor implements PreProcessInterceptor {
             name = authMapping.value();
         }
 
-        System.out.println("AuthInterceptor: mapping name: "+name);
+        CMS.debug("AuthMethodInterceptor: mapping name: "+name);
 
         try {
             loadAuthProperties();
@@ -121,23 +122,23 @@ public class AuthMethodInterceptor implements PreProcessInterceptor {
             }
         }
 
-        System.out.println("AuthInterceptor: required auth methods: "+authMethods);
+        CMS.debug("AuthMethodInterceptor: required auth methods: "+authMethods);
 
         Principal principal = securityContext.getUserPrincipal();
 
         // If unauthenticated, reject request.
         if (principal == null) {
             if (authMethods.isEmpty() || authMethods.contains("anonymous") || authMethods.contains("*")) {
-                System.out.println("AuthInterceptor: anonymous access allowed");
+                CMS.debug("AuthMethodInterceptor: anonymous access allowed");
                 return null;
             }
-            System.out.println("AuthInterceptor: anonymous access not allowed");
+            CMS.debug("AuthMethodInterceptor: anonymous access not allowed");
             throw new ForbiddenException("Anonymous access not allowed.");
         }
 
         // If unrecognized principal, reject request.
         if (!(principal instanceof PKIPrincipal)) {
-            System.out.println("AuthInterceptor: unknown principal");
+            CMS.debug("AuthMethodInterceptor: unknown principal");
             throw new ForbiddenException("Unknown user principal");
         }
 
@@ -146,20 +147,20 @@ public class AuthMethodInterceptor implements PreProcessInterceptor {
 
         // If missing auth token, reject request.
         if (authToken == null) {
-            System.out.println("AuthInterceptor: missing authentication token");
+            CMS.debug("AuthMethodInterceptor: missing authentication token");
             throw new ForbiddenException("Missing authentication token.");
         }
 
         String authManager = (String)authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME);
-        System.out.println("AuthInterceptor: authentication manager: "+authManager);
+        CMS.debug("AuthMethodInterceptor: authentication manager: "+authManager);
 
         if (authManager == null) {
-            System.out.println("AuthInterceptor: missing authentication manager");
+            CMS.debug("AuthMethodInterceptor: missing authentication manager");
             throw new ForbiddenException("Missing authentication manager.");
         }
 
         if (authMethods.isEmpty() || authMethods.contains(authManager) || authMethods.contains("*")) {
-            System.out.println("AuthInterceptor: "+authManager+" allowed");
+            CMS.debug("AuthMethodInterceptor: "+authManager+" allowed");
             return null;
         }
 
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/TPSCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/TPSCLI.java
index 4c9e501ad..6cd417312 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/TPSCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/TPSCLI.java
@@ -22,6 +22,7 @@ import com.netscape.certsrv.client.Client;
 import com.netscape.certsrv.tps.TPSClient;
 import com.netscape.cmstools.logging.ActivityCLI;
 import com.netscape.cmstools.token.TokenCLI;
+import com.netscape.cmstools.user.UserCLI;
 
 /**
  * @author Endi S. Dewata
@@ -35,6 +36,7 @@ public class TPSCLI extends SubsystemCLI {
 
         addModule(new ActivityCLI(this));
         addModule(new TokenCLI(this));
+        addModule(new UserCLI(this));
     }
 
     public String getFullName() {
diff --git a/base/tps-tomcat/shared/conf/CS.cfg.in b/base/tps-tomcat/shared/conf/CS.cfg.in
index f84b16bf5..087ab483b 100644
--- a/base/tps-tomcat/shared/conf/CS.cfg.in
+++ b/base/tps-tomcat/shared/conf/CS.cfg.in
@@ -1354,7 +1354,7 @@ preop.configModules.module2.commonName=lunasa
 preop.configModules.module2.imagePath=/pki/images/clearpixel.gif
 preop.configModules.module2.userFriendlyName=SafeNet's LunaSA Token Hardware Module
 preop.hierarchy.profile=caCert.profile
-preop.internaldb.data_ldif=/usr/share/pki/tps/conf/db.ldif
+preop.internaldb.data_ldif=/usr/share/pki/tps/conf/db.ldif,/usr/share/pki/tps/conf/acl.ldif
 preop.internaldb.index_ldif=/usr/share/pki/tps/conf/index.ldif
 preop.internaldb.ldif=/usr/share/pki/tps/conf/database.ldif
 preop.internaldb.manager_ldif=/usr/share/pki/tps/conf/manager.ldif
diff --git a/base/tps-tomcat/shared/conf/acl.ldif b/base/tps-tomcat/shared/conf/acl.ldif
index fb63122d1..17d3bad64 100644
--- a/base/tps-tomcat/shared/conf/acl.ldif
+++ b/base/tps-tomcat/shared/conf/acl.ldif
@@ -20,3 +20,6 @@ resourceACLS: certServer.registry.configuration:read,modify:allow (read) group="
 resourceACLS: certServer.admin.certificate:import:allow (import) user="anybody":Any user may import a certificate
 resourceACLS: certServer.admin.request.enrollment:submit,read,execute:allow (submit) user="anybody":Anybody may submit an enrollment request
 resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to clone the configuration.
+resourceACLS: certServer.tps.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout
+resourceACLS: certServer.tps.groups:execute:allow (execute) group="TUS Administrators":Admins may execute group operations
+resourceACLS: certServer.tps.users:execute:allow (execute) group="TUS Administrators":Admins may execute user operations |
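Review bot: `preop.internaldb.data_ldif` becomes a comma-separated list in this hunk while the neighbouring `*_ldif` keys stay single paths; the installer code that reads the key is not on the page, so confirm it splits on `,` and imports each file, otherwise the entries in acl.ldif are never loaded and, presumably, every `certServer.tps.*` check fails closed with no obvious error. This only reaches instances that run the preop import after the change; an instance installed before it has no `certServer.tps.*` entries in its directory, so the upgrade path needs to add them or the release notes need to document the manual step. A comment above the key, `# comma-separated list; acl.ldif carries the certServer.tps.* resourceACLS`, would make the new format obvious to the next person editing it.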
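Review bot: The new `certServer.tps.groups` and `certServer.tps.users` entries grant a single `execute` right to `TUS Administrators`, so listing, adding and removing users and groups — including changing membership of the administrators group itself — are all one permission, whereas the surrounding entries separate `read` from `modify`; splitting the same way (`read,modify` with the operations named in the mapping annotations on the user and group resources, which are not on the page) would let a read-only operator role be granted later without rewriting the ACL. Also confirm that `TUS Administrators` is the group db.ldif creates for this subsystem, since the clone entry just above names `Enterprise TPS Administrators`; an ACL that references a group that does not exist would leave these endpoints usable by nobody. Consider noting the intended model on the lines, e.g. `# execute = full user/group management; no read-only right is defined yet`.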