diff options
27 files changed, 340 insertions, 67 deletions
diff --git a/base/ca/shared/webapps/ca/WEB-INF/acl.properties b/base/ca/shared/webapps/ca/WEB-INF/acl.properties new file mode 100644 index 000000000..20f3dd864 --- /dev/null +++ b/base/ca/shared/webapps/ca/WEB-INF/acl.properties @@ -0,0 +1,14 @@ +# Restful API authorization mapping info +# +# Format: +# <mapping name> = <resource ID>,<operation> +# ex: admin.users = certServer.ca.users,read + +account.login = certServer.ca.account,login +account.logout = certServer.ca.account,logout +admin.users = certServer.ca.users,execute +admin.groups = certServer.ca.groups,execute +admin.kraconnector = certServer.ca.connectorInfo,modify +agent.certrequests = certServer.ca.certrequests,execute +agent.certs = certServer.ca.certs,execute +securityDomain.installToken = certServer.securitydomain.domainxml,read diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/auth.properties index b73b9ac10..3a6658765 100644 --- a/base/ca/shared/webapps/ca/WEB-INF/auth.properties +++ b/base/ca/shared/webapps/ca/WEB-INF/auth.properties @@ -1,14 +1,11 @@ -# Restful API auth/authz mapping info +# Restful API auth mapping info # # Format: -# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation> -# ex: admin.users = certServer.ca.users,read +# <mapping name> = <allowed auth methods> +# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr -account.login = certServer.ca.account,login -account.logout = certServer.ca.account,logout -admin.users = certServer.ca.users,execute -admin.groups = certServer.ca.groups,execute -admin.kraconnector = certServer.ca.connectorInfo,modify -agent.certrequests = certServer.ca.certrequests,execute -agent.certs = certServer.ca.certs,execute -securityDomain.installToken = certServer.securitydomain.domainxml,read +default = * +account = certUserDBAuthMgr,passwdUserDBAuthMgr +admin = certUserDBAuthMgr +agent = certUserDBAuthMgr +securityDomain.installToken = passwdUserDBAuthMgr diff --git a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java index 14b44e5d7..35e93811c 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java @@ -7,6 +7,7 @@ import javax.ws.rs.core.Application; import com.netscape.certsrv.acls.ACLInterceptor; import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthInterceptor; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.PKIException; @@ -85,7 +86,8 @@ public class CertificateAuthorityApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); - // ACL interceptor + // interceptors + singletons.add(new AuthInterceptor()); singletons.add(new ACLInterceptor()); } diff --git a/base/common/src/com/netscape/certsrv/account/AccountResource.java b/base/common/src/com/netscape/certsrv/account/AccountResource.java index a69a3d122..cbe061b5a 100644 --- a/base/common/src/com/netscape/certsrv/account/AccountResource.java +++ b/base/common/src/com/netscape/certsrv/account/AccountResource.java @@ -22,11 +22,13 @@ import javax.ws.rs.GET; import javax.ws.rs.Path; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; /** * @author Endi S. Dewata */ @Path("account") +@AuthMapping("account") public interface AccountResource { @GET diff --git a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java index c30740260..dd4985eab 100644 --- a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java +++ b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java @@ -54,7 +54,7 @@ import com.netscape.cmscore.realm.PKIPrincipal; @Precedence("SECURITY") public class ACLInterceptor implements PreProcessInterceptor { - Properties authProperties; + Properties aclProperties; @Context ServletContext servletContext; @@ -62,13 +62,13 @@ public class ACLInterceptor implements PreProcessInterceptor { @Context SecurityContext securityContext; - public synchronized void loadAuthProperties() throws IOException { + public synchronized void loadACLProperties() throws IOException { - if (authProperties != null) return; + if (aclProperties != null) return; - URL url = servletContext.getResource("/WEB-INF/auth.properties"); - authProperties = new Properties(); - authProperties.load(url.openStream()); + URL url = servletContext.getResource("/WEB-INF/acl.properties"); + aclProperties = new Properties(); + aclProperties.load(url.openStream()); } @Override @@ -111,10 +111,10 @@ public class ACLInterceptor implements PreProcessInterceptor { } try { - loadAuthProperties(); + loadACLProperties(); String name = aclMapping.value(); - String value = authProperties.getProperty(name); + String value = aclProperties.getProperty(name); // If no property defined, allow request. if (value == null) return null; diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java b/base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java new file mode 100644 index 000000000..6fd7cdd31 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java @@ -0,0 +1,159 @@ +//--- BEGIN COPYRIGHT BLOCK --- +//This program is free software; you can redistribute it and/or modify +//it under the terms of the GNU General Public License as published by +//the Free Software Foundation; version 2 of the License. +// +//This program is distributed in the hope that it will be useful, +//but WITHOUT ANY WARRANTY; without even the implied warranty of +//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +//GNU General Public License for more details. +// +//You should have received a copy of the GNU General Public License along +//with this program; if not, write to the Free Software Foundation, Inc., +//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +//(C) 2013 Red Hat, Inc. +//All rights reserved. +//--- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.authentication; + +import java.io.IOException; +import java.lang.reflect.Method; +import java.net.URL; +import java.security.Principal; +import java.util.Collection; +import java.util.HashSet; +import java.util.Properties; + +import javax.servlet.ServletContext; +import javax.ws.rs.core.Context; +import javax.ws.rs.core.SecurityContext; +import javax.ws.rs.ext.Provider; + +import org.jboss.resteasy.annotations.interception.Precedence; +import org.jboss.resteasy.annotations.interception.ServerInterceptor; +import org.jboss.resteasy.core.ResourceMethod; +import org.jboss.resteasy.core.ServerResponse; +import org.jboss.resteasy.spi.Failure; +import org.jboss.resteasy.spi.HttpRequest; +import org.jboss.resteasy.spi.interception.PreProcessInterceptor; + +import com.netscape.certsrv.base.ForbiddenException; +import com.netscape.cmscore.realm.PKIPrincipal; + + +/** + * @author Endi S. Dewata + */ +@Provider +@ServerInterceptor +@Precedence("SECURITY") +public class AuthInterceptor implements PreProcessInterceptor { + + Properties authProperties; + + @Context + ServletContext servletContext; + + @Context + SecurityContext securityContext; + + public synchronized void loadAuthProperties() throws IOException { + + if (authProperties != null) return; + + URL url = servletContext.getResource("/WEB-INF/auth.properties"); + authProperties = new Properties(); + authProperties.load(url.openStream()); + } + + @Override + public ServerResponse preProcess( + HttpRequest request, + ResourceMethod resourceMethod + ) throws Failure, ForbiddenException { + + Class<?> clazz = resourceMethod.getResourceClass(); + Method method = resourceMethod.getMethod(); + System.out.println("AuthInterceptor: "+clazz.getSimpleName()+"."+method.getName()+"()"); + + // Get authentication mapping for the method. + AuthMapping authMapping = method.getAnnotation(AuthMapping.class); + + // If not available, get authentication mapping for the class. + if (authMapping == null) { + authMapping = clazz.getAnnotation(AuthMapping.class); + } + + String name; + if (authMapping == null) { + // If not available, use the default mapping. + name = "default"; + } else { + // Get the method label + name = authMapping.value(); + } + + System.out.println("AuthInterceptor: mapping name: "+name); + + try { + loadAuthProperties(); + + String value = authProperties.getProperty(name); + Collection<String> authMethods = new HashSet<String>(); + if (value != null) { + for (String v : value.split(",")) { + authMethods.add(v.trim()); + } + } + + System.out.println("AuthInterceptor: required auth methods: "+authMethods); + + Principal principal = securityContext.getUserPrincipal(); + + // If unauthenticated, reject request. + if (principal == null) { + if (authMethods.isEmpty() || authMethods.contains("anonymous") || authMethods.contains("*")) { + System.out.println("AuthInterceptor: anonymous access allowed"); + return null; + } + System.out.println("AuthInterceptor: anonymous access not allowed"); + throw new ForbiddenException("Anonymous access not allowed."); + } + + // If unrecognized principal, reject request. + if (!(principal instanceof PKIPrincipal)) { + System.out.println("AuthInterceptor: unknown principal"); + throw new ForbiddenException("Unknown user principal"); + } + + PKIPrincipal pkiPrincipal = (PKIPrincipal)principal; + IAuthToken authToken = pkiPrincipal.getAuthToken(); + + // If missing auth token, reject request. + if (authToken == null) { + System.out.println("AuthInterceptor: missing authentication token"); + throw new ForbiddenException("Missing authentication token."); + } + + String authManager = (String)authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME); + System.out.println("AuthInterceptor: authentication manager: "+authManager); + + if (authManager == null) { + System.out.println("AuthInterceptor: missing authentication manager"); + throw new ForbiddenException("Missing authentication manager."); + } + + if (authMethods.isEmpty() || authMethods.contains(authManager) || authMethods.contains("*")) { + System.out.println("AuthInterceptor: "+authManager+" allowed"); + return null; + } + + throw new ForbiddenException("Authentication method not allowed."); + + } catch (IOException e) { + e.printStackTrace(); + throw new Failure(e); + } + } +} diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthMapping.java b/base/common/src/com/netscape/certsrv/authentication/AuthMapping.java new file mode 100644 index 000000000..e00cc9d63 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/authentication/AuthMapping.java @@ -0,0 +1,31 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2013 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +package com.netscape.certsrv.authentication; + +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; + + +/** + * @author Endi S. Dewata + */ +@Retention(RetentionPolicy.RUNTIME) +public @interface AuthMapping { + public String value(); +} diff --git a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java index 0bd285136..901104cad 100644 --- a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java +++ b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java @@ -28,11 +28,33 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; import com.netscape.certsrv.request.RequestId; @Path("") public interface CertRequestResource { + // Enrollment - used to test integration with a browser + @POST + @Path("certrequests") + @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + @Consumes({ MediaType.APPLICATION_FORM_URLENCODED }) + public CertRequestInfos enrollCert(MultivaluedMap<String, String> form); + + @POST + @Path("certrequests") + @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + public CertRequestInfos enrollCert(CertEnrollmentRequest data); + + /** + * Used to retrieve cert request info for a specific request + */ + @GET + @Path("certrequests/{id}") + @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + public CertRequestInfo getRequestInfo(@PathParam("id") RequestId id); + /** * Used to generate list of cert requests based on the search parameters */ @@ -40,6 +62,7 @@ public interface CertRequestResource { @Path("agent/certrequests") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public CertRequestInfos listRequests(@QueryParam("requestState") String requestState, @QueryParam("requestType") String requestType, @QueryParam("start") RequestId start, @@ -47,72 +70,59 @@ public interface CertRequestResource { @QueryParam("maxResults") Integer maxResults, @QueryParam("maxTime") Integer maxTime); - /** - * Used to retrieve cert request info for a specific request - */ - @GET - @Path("certrequests/{id}") - @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - public CertRequestInfo getRequestInfo(@PathParam("id") RequestId id); - @GET @Path("agent/certrequests/{id}") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public CertReviewResponse reviewRequest(@PathParam("id") RequestId id); - // Enrollment - used to test integration with a browser - @POST - @Path("certrequests") - @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - @Consumes({ MediaType.APPLICATION_FORM_URLENCODED }) - public CertRequestInfos enrollCert(MultivaluedMap<String, String> form); - - @POST - @Path("certrequests") - @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - public CertRequestInfos enrollCert(CertEnrollmentRequest data); - @POST @Path("agent/certrequests/{id}/approve") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public void approveRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/reject") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public void rejectRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/cancel") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public void cancelRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/update") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public void updateRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/validate") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public void validateRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/unassign") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public void unassignRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/assign") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public void assignRequest(@PathParam("id") RequestId id, CertReviewResponse data); } diff --git a/base/common/src/com/netscape/certsrv/cert/CertResource.java b/base/common/src/com/netscape/certsrv/cert/CertResource.java index 17395032d..d7e2c0fb1 100644 --- a/base/common/src/com/netscape/certsrv/cert/CertResource.java +++ b/base/common/src/com/netscape/certsrv/cert/CertResource.java @@ -11,6 +11,7 @@ import javax.ws.rs.QueryParam; import javax.ws.rs.core.MediaType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; import com.netscape.certsrv.dbs.certdb.CertId; @Path("") @@ -45,6 +46,7 @@ public interface CertResource { @Path("agent/certs/{id}") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") + @AuthMapping("agent") public CertData reviewCert(@PathParam("id") CertId id); @POST @@ -52,6 +54,7 @@ public interface CertResource { @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") + @AuthMapping("agent") public CertRequestInfo revokeCACert(@PathParam("id") CertId id, CertRevokeRequest request); @POST @@ -59,6 +62,7 @@ public interface CertResource { @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") + @AuthMapping("agent") public CertRequestInfo revokeCert(@PathParam("id") CertId id, CertRevokeRequest request); @POST @@ -66,5 +70,6 @@ public interface CertResource { @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") + @AuthMapping("agent") public CertRequestInfo unrevokeCert(@PathParam("id") CertId id, CertUnrevokeRequest request); } diff --git a/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java b/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java index c984daa65..7ebb09c2b 100644 --- a/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java +++ b/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java @@ -32,12 +32,14 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; /** * @author Endi S. Dewata */ @Path("admin/groups/{groupID}/members") @ACLMapping("admin.groups") +@AuthMapping("admin") public interface GroupMemberResource { @GET diff --git a/base/common/src/com/netscape/certsrv/group/GroupResource.java b/base/common/src/com/netscape/certsrv/group/GroupResource.java index 17728dd13..8851bdaa0 100644 --- a/base/common/src/com/netscape/certsrv/group/GroupResource.java +++ b/base/common/src/com/netscape/certsrv/group/GroupResource.java @@ -32,12 +32,14 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; /** * @author Endi S. Dewata */ @Path("admin/groups") @ACLMapping("admin.groups") +@AuthMapping("admin") public interface GroupResource { @GET diff --git a/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java b/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java index 9f1ffbe02..fc1132f9c 100644 --- a/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java +++ b/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java @@ -11,10 +11,12 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; import com.netscape.certsrv.request.RequestId; @Path("agent/keyrequests") @ACLMapping("agent.keyrequests") +@AuthMapping("agent") public interface KeyRequestResource { public final String SYMMETRIC_KEY_TYPE = "symmetricKey"; diff --git a/base/common/src/com/netscape/certsrv/key/KeyResource.java b/base/common/src/com/netscape/certsrv/key/KeyResource.java index da7f22031..4a419a8c5 100644 --- a/base/common/src/com/netscape/certsrv/key/KeyResource.java +++ b/base/common/src/com/netscape/certsrv/key/KeyResource.java @@ -10,10 +10,12 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; @Path("agent/keys") @ACLMapping("agent.keys") +@AuthMapping("agent") public interface KeyResource { @GET diff --git a/base/common/src/com/netscape/certsrv/profile/ProfileResource.java b/base/common/src/com/netscape/certsrv/profile/ProfileResource.java index 6dadef560..93cb6785c 100644 --- a/base/common/src/com/netscape/certsrv/profile/ProfileResource.java +++ b/base/common/src/com/netscape/certsrv/profile/ProfileResource.java @@ -6,8 +6,11 @@ import javax.ws.rs.PathParam; import javax.ws.rs.Produces; import javax.ws.rs.core.MediaType; +import com.netscape.certsrv.authentication.AuthMapping; + @Path("agent/profiles") +@AuthMapping("agent") public interface ProfileResource { @GET diff --git a/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java b/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java index 01f159e96..8f34985ac 100644 --- a/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java +++ b/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java @@ -26,12 +26,14 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; /** * @author Ade Lee */ @Path("admin/kraconnector") @ACLMapping("admin.kraconnector") +@AuthMapping("admin") public interface KRAConnectorResource { @POST diff --git a/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java index b34d9fe13..dd9693eaa 100644 --- a/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java +++ b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java @@ -24,6 +24,7 @@ import javax.ws.rs.QueryParam; import javax.ws.rs.core.MediaType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; /** * @author alee @@ -35,6 +36,7 @@ public interface SecurityDomainResource { @Path("installToken") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("securityDomain.installToken") + @AuthMapping("securityDomain.installToken") public InstallToken getInstallToken( @QueryParam("hostname") String hostname, @QueryParam("subsystem") String subsystem); diff --git a/base/common/src/com/netscape/certsrv/user/UserCertResource.java b/base/common/src/com/netscape/certsrv/user/UserCertResource.java index d85abd6e0..67159c5ff 100644 --- a/base/common/src/com/netscape/certsrv/user/UserCertResource.java +++ b/base/common/src/com/netscape/certsrv/user/UserCertResource.java @@ -32,12 +32,14 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; /** * @author Endi S. Dewata */ @Path("admin/users/{userID}/certs") @ACLMapping("admin.users") +@AuthMapping("admin") public interface UserCertResource { @GET diff --git a/base/common/src/com/netscape/certsrv/user/UserResource.java b/base/common/src/com/netscape/certsrv/user/UserResource.java index e72bb0cef..b00278aea 100644 --- a/base/common/src/com/netscape/certsrv/user/UserResource.java +++ b/base/common/src/com/netscape/certsrv/user/UserResource.java @@ -32,12 +32,14 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; /** * @author Endi S. Dewata */ @Path("admin/users") @ACLMapping("admin.users") +@AuthMapping("admin") public interface UserResource { @GET diff --git a/base/kra/shared/webapps/kra/WEB-INF/acl.properties b/base/kra/shared/webapps/kra/WEB-INF/acl.properties new file mode 100644 index 000000000..952bdad33 --- /dev/null +++ b/base/kra/shared/webapps/kra/WEB-INF/acl.properties @@ -0,0 +1,12 @@ +# Restful API authorization mapping info +# +# Format: +# <mapping name> = <resource ID>,<operation> +# ex: admin.users = certServer.ca.users,read + +account.login = certServer.kra.account,login +account.logout = certServer.kra.account,logout +admin.users = certServer.kra.users,execute +admin.groups = certServer.kra.groups,execute +agent.keys = certServer.kra.keys,execute +agent.keyrequests = certServer.kra.keyrequests,execute diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/webapps/kra/WEB-INF/auth.properties index 567747f5b..29a2f2381 100644 --- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties +++ b/base/kra/shared/webapps/kra/WEB-INF/auth.properties @@ -1,12 +1,10 @@ -# Restful API auth/authz mapping info +# Restful API auth mapping info # # Format: -# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation> -# ex: admin.users = certServer.ca.users,read +# <mapping name> = <allowed auth methods> +# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr -account.login = certServer.kra.account,login -account.logout = certServer.kra.account,logout -admin.users = certServer.kra.users,execute -admin.groups = certServer.kra.groups,execute -agent.keys = certServer.kra.keys,execute -agent.keyrequests = certServer.kra.keyrequests,execute +default = * +account = certUserDBAuthMgr,passwdUserDBAuthMgr +admin = certUserDBAuthMgr +agent = certUserDBAuthMgr diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java index 0ed23f697..d256c0438 100644 --- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java +++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java @@ -6,6 +6,7 @@ import java.util.Set; import javax.ws.rs.core.Application; import com.netscape.certsrv.acls.ACLInterceptor; +import com.netscape.certsrv.authentication.AuthInterceptor; import com.netscape.certsrv.base.PKIException; import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupMemberService; @@ -46,7 +47,8 @@ public class KeyRecoveryAuthorityApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); - // ACL interceptor + // interceptors + singletons.add(new AuthInterceptor()); singletons.add(new ACLInterceptor()); } diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties new file mode 100644 index 000000000..95fabba72 --- /dev/null +++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties @@ -0,0 +1,10 @@ +# Restful API authorization mapping info +# +# Format: +# <mapping name> = <resource ID>,<operation> +# ex: admin.users = certServer.ca.users,read + +account.login = certServer.ocsp.account,login +account.logout = certServer.ocsp.account,logout +admin.users = certServer.ocsp.users,execute +admin.groups = certServer.ocsp.groups,execute diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties index cd2e14058..81e24403f 100644 --- a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties +++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties @@ -1,10 +1,9 @@ -# Restful API auth/authz mapping info +# Restful API auth mapping info # # Format: -# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation> -# ex: admin.users = certServer.ca.users,read +# <mapping name> = <allowed auth methods> +# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr -account.login = certServer.ocsp.account,login -account.logout = certServer.ocsp.account,logout -admin.users = certServer.ocsp.users,execute -admin.groups = certServer.ocsp.groups,execute +default = * +account = certUserDBAuthMgr,passwdUserDBAuthMgr +admin = certUserDBAuthMgr diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java index 21b37f801..6a5f60f6e 100644 --- a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java +++ b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java @@ -6,6 +6,7 @@ import java.util.Set; import javax.ws.rs.core.Application; import com.netscape.certsrv.acls.ACLInterceptor; +import com.netscape.certsrv.authentication.AuthInterceptor; import com.netscape.certsrv.base.PKIException; import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupMemberService; @@ -40,7 +41,8 @@ public class OCSPApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); - // ACL interceptor + // interceptors + singletons.add(new AuthInterceptor()); singletons.add(new ACLInterceptor()); } diff --git a/base/tks/shared/webapps/tks/WEB-INF/acl.properties b/base/tks/shared/webapps/tks/WEB-INF/acl.properties new file mode 100644 index 000000000..62367135e --- /dev/null +++ b/base/tks/shared/webapps/tks/WEB-INF/acl.properties @@ -0,0 +1,10 @@ +# Restful API authorization mapping info +# +# Format: +# <mapping name> = <resource ID>,<operation> +# ex: admin.users = certServer.ca.users,read + +account.login = certServer.tks.account,login +account.logout = certServer.tks.account,logout +admin.users = certServer.tks.users,execute +admin.groups = certServer.tks.groups,execute diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth.properties b/base/tks/shared/webapps/tks/WEB-INF/auth.properties index 6de7f08e5..81e24403f 100644 --- a/base/tks/shared/webapps/tks/WEB-INF/auth.properties +++ b/base/tks/shared/webapps/tks/WEB-INF/auth.properties @@ -1,10 +1,9 @@ -# Restful API auth/authz mapping info +# Restful API auth mapping info # # Format: -# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation> -# ex: admin.users = certServer.ca.users,read +# <mapping name> = <allowed auth methods> +# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr -account.login = certServer.tks.account,login -account.logout = certServer.tks.account,logout -admin.users = certServer.tks.users,execute -admin.groups = certServer.tks.groups,execute +default = * +account = certUserDBAuthMgr,passwdUserDBAuthMgr +admin = certUserDBAuthMgr diff --git a/base/tks/src/com/netscape/tks/TKSApplication.java b/base/tks/src/com/netscape/tks/TKSApplication.java index 229a64c95..c79e0d0f2 100644 --- a/base/tks/src/com/netscape/tks/TKSApplication.java +++ b/base/tks/src/com/netscape/tks/TKSApplication.java @@ -6,6 +6,7 @@ import java.util.Set; import javax.ws.rs.core.Application; import com.netscape.certsrv.acls.ACLInterceptor; +import com.netscape.certsrv.authentication.AuthInterceptor; import com.netscape.certsrv.base.PKIException; import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupMemberService; @@ -40,7 +41,8 @@ public class TKSApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); - // ACL interceptor + // interceptors + singletons.add(new AuthInterceptor()); singletons.add(new ACLInterceptor()); } |