diff options
Diffstat (limited to 'base/ca')
-rw-r--r-- | base/ca/shared/conf/acl.ldif | 1 | ||||
-rw-r--r-- | base/ca/shared/webapps/ca/WEB-INF/auth.properties | 2 | ||||
-rw-r--r-- | base/ca/shared/webapps/ca/WEB-INF/web.xml | 13 | ||||
-rw-r--r-- | base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java | 5 |
4 files changed, 21 insertions, 0 deletions
diff --git a/base/ca/shared/conf/acl.ldif b/base/ca/shared/conf/acl.ldif index aec1447e5..4807a4dcf 100644 --- a/base/ca/shared/conf/acl.ldif +++ b/base/ca/shared/conf/acl.ldif @@ -51,6 +51,7 @@ resourceACLS: certServer.ca.connectorInfo:read,modify:allow (modify,read) group= resourceACLS: certServer.ca.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration. resourceACLS: certServer.admin.ocsp:read,modify:allow (modify,read) group="Enterprise OCSP Administrators":Only Enterprise Administrators are allowed to read or update the OCSP configuration. +resourceACLS: certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout resourceACLS: certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations resourceACLS: certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations resourceACLS: certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/auth.properties index b13795760..21ec281da 100644 --- a/base/ca/shared/webapps/ca/WEB-INF/auth.properties +++ b/base/ca/shared/webapps/ca/WEB-INF/auth.properties @@ -4,6 +4,8 @@ # <Rest API URL> = <ACL Resource ID>,<ACL resource operation> # ex: /ca/pki/users = certServer.ca.users,read +/ca/rest/account/login = certServer.ca.account,login +/ca/rest/account/logout = certServer.ca.account,logout /ca/rest/admin/users = certServer.ca.users,execute /ca/rest/admin/groups = certServer.ca.groups,execute /ca/rest/agent/certs = certServer.ca.certs,execute diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml index 9f876e5c2..47ad924c5 100644 --- a/base/ca/shared/webapps/ca/WEB-INF/web.xml +++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml @@ -2387,6 +2387,19 @@ <security-constraint> <web-resource-collection> + <web-resource-name>Account Services</web-resource-name> + <url-pattern>/rest/account/*</url-pattern> + </web-resource-collection> + <auth-constraint> + <role-name>*</role-name> + </auth-constraint> + <user-data-constraint> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + + <security-constraint> + <web-resource-collection> <web-resource-name>Admin Services</web-resource-name> <url-pattern>/rest/admin/*</url-pattern> </web-resource-collection> diff --git a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java index 51d48cf5e..dc23042a2 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java @@ -9,6 +9,7 @@ import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.PKIException; +import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupMemberService; import com.netscape.cms.servlet.admin.GroupService; import com.netscape.cms.servlet.admin.SystemCertService; @@ -25,6 +26,10 @@ public class CertificateAuthorityApplication extends Application { private Set<Class<?>> classes = new HashSet<Class<?>>(); public CertificateAuthorityApplication() { + + // account + classes.add(AccountService.class); + // installer classes.add(SystemConfigService.class); |