Diffstat (limited to 'base/ca/src/org/dogtagpki')
-rw-r--r-- | base/ca/src/org/dogtagpki/server/ca/rest/CertService.java | 8 | ||||
-rw-r--r-- | base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java | 28 |
2 files changed, 22 insertions, 14 deletions
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
index 440f756de..f219db63e 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
@@ -50,6 +50,7 @@ import netscape.security.x509.RevocationReason;
 import netscape.security.x509.X509CertImpl;
 import netscape.security.x509.X509Key;
+import org.apache.catalina.realm.GenericPrincipal;
 import org.jboss.resteasy.plugins.providers.atom.Link;
 import com.netscape.certsrv.apps.CMS;
@@ -75,7 +76,6 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.IRequest;
-import com.netscape.cms.realm.PKIPrincipal;
 import com.netscape.cms.servlet.base.PKIService;
 import com.netscape.cms.servlet.cert.CertRequestDAO;
 import com.netscape.cms.servlet.cert.FilterBuilder;
@@ -242,8 +242,10 @@ public class CertService extends PKIService implements CertResource {
 processor.createCRLExtension();
- PKIPrincipal principal = (PKIPrincipal)servletRequest.getUserPrincipal();
- // TODO: do not hard-code role name
+ // TODO remove hardcoded role names and consult authzmgr
+ // (so that we can handle externally-authenticated principals)
+ GenericPrincipal principal =
+ (GenericPrincipal) servletRequest.getUserPrincipal();
 String subjectDN = principal.hasRole("Certificate Manager Agents") ? null : clientSubjectDN;
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
index 08496f309..7029ea7fe 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
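Review bot: In the `@@ -242,8 +242,10 @@` hunk of CertService.java the result of `servletRequest.getUserPrincipal()` is still cast unconditionally, now to `GenericPrincipal`, and `principal.hasRole(...)` is called with no null or type check. The ProfileService hunks in this same commit guard the cast with `instanceof`, so the two files disagree on how an unauthenticated or non-Catalina principal is handled; here it would surface as a NullPointerException or ClassCastException instead of taking the non-agent path. Because the role decides whether `subjectDN` is `null` or `clientSubjectDN`, the fallback should be the restricted value: `Principal p = servletRequest.getUserPrincipal();`, then `boolean isAgent = p instanceof GenericPrincipal && ((GenericPrincipal) p).hasRole("Certificate Manager Agents");` and `String subjectDN = isAgent ? null : clientSubjectDN;`. That needs `java.security.Principal` in scope if the file does not already import it, and the enclosing method starts and ends outside the hunk.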
@@ -41,6 +41,7 @@ import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriBuilder;
 import javax.ws.rs.core.UriInfo;
+import org.apache.catalina.realm.GenericPrincipal;
 import org.apache.commons.lang.StringUtils;
 import org.jboss.resteasy.plugins.providers.atom.Link;
@@ -77,7 +78,6 @@ import com.netscape.certsrv.profile.ProfileResource;
 import com.netscape.certsrv.property.EPropertyException;
 import com.netscape.certsrv.registry.IPluginInfo;
 import com.netscape.certsrv.registry.IPluginRegistry;
-import com.netscape.cms.realm.PKIPrincipal;
 import com.netscape.cms.servlet.base.PKIService;
 import com.netscape.cms.servlet.profile.PolicyConstraintFactory;
 import com.netscape.cms.servlet.profile.PolicyDefaultFactory;
@@ -125,11 +125,14 @@ public class ProfileService extends PKIService implements ProfileResource {
 throw new PKIException("Error listing profiles. Profile Service not available");
 }
- PKIPrincipal principal = (PKIPrincipal) servletRequest.getUserPrincipal();
- if ((principal != null) &&
- (principal.hasRole("Certificate Manager Agents") ||
- principal.hasRole("Certificate Manager Administrators"))) {
- visibleOnly = false;
+ // TODO remove hardcoded role names and consult authzmgr
+ // (so that we can handle externally-authenticated principals)
+ Principal principal = servletRequest.getUserPrincipal();
+ if (principal != null && principal instanceof GenericPrincipal) {
+ GenericPrincipal genPrincipal = (GenericPrincipal) principal;
+ if (genPrincipal.hasRole("Certificate Manager Agents") ||
+ genPrincipal.hasRole("Certificate Manager Administrators"))
+ visibleOnly = false;
 }
 Enumeration<String> e = ps.getProfileIds();
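Review bot: The role check added in the `@@ -125,11 +125,14 @@` hunk is repeated verbatim in the `@@ -182,11 +185,14 @@` hunk, so the decision that clears `visibleOnly` lives in two copies that the TODO about consulting authzmgr will have to change in step. A private helper would keep that decision in one place; inside it `principal != null &&` can be dropped because `instanceof` is already false for null, and the inner `if` should get braces so a later edit cannot slip a statement outside the role check. `Principal` is used as a declared type but no import hunk adds it, so presumably the file already imports `java.security.Principal`; that is worth confirming. Both enclosing methods start and end outside their hunks.

```java
// … unchanged: profile-service availability check …
if (isAgentOrAdmin(servletRequest.getUserPrincipal())) {
    visibleOnly = false;
}
// … unchanged: profile lookup / enumeration …

private static boolean isAgentOrAdmin(Principal principal) {
    // Unauthenticated or unrecognised principal types keep the restricted view.
    if (!(principal instanceof GenericPrincipal)) {
        return false;
    }
    GenericPrincipal genPrincipal = (GenericPrincipal) principal;
    return genPrincipal.hasRole("Certificate Manager Agents")
            || genPrincipal.hasRole("Certificate Manager Administrators");
}
```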
@@ -182,11 +185,14 @@ public class ProfileService extends PKIService implements ProfileResource {
 throw new PKIException("Error retrieving profile. Profile Service not available");
 }
- PKIPrincipal principal = (PKIPrincipal) servletRequest.getUserPrincipal();
- if ((principal != null) &&
- (principal.hasRole("Certificate Manager Agents") ||
- principal.hasRole("Certificate Manager Administrators"))) {
- visibleOnly = false;
+ // TODO remove hardcoded role names and consult authzmgr
+ // (so that we can handle externally-authenticated principals)
+ Principal principal = servletRequest.getUserPrincipal();
+ if (principal != null && principal instanceof GenericPrincipal) {
+ GenericPrincipal genPrincipal = (GenericPrincipal) principal;
+ if (genPrincipal.hasRole("Certificate Manager Agents") ||
+ genPrincipal.hasRole("Certificate Manager Administrators"))
+ visibleOnly = false;
 }
 IProfile profile; |