Diffstat (limited to 'base/common/src')
-rw-r--r--base/common/src/CMakeLists.txt11
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java4
-rw-r--r--base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java21
3 files changed, 24 insertions, 12 deletions
diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
index eab5db24c..0505c7e74 100644
--- a/base/common/src/CMakeLists.txt
+++ b/base/common/src/CMakeLists.txt
@@ -48,7 +48,14 @@ find_file(TOMCAT_CATALINA_JAR
NAMES
catalina.jar
PATHS
- /usr/share/java/tomcat6
+ /usr/share/java/tomcat
+)
+
+find_file(TOMCAT_UTIL_JAR
+ NAMES
+ tomcat-util.jar
+ PATHS
+ /usr/share/java/tomcat
)
find_file(SERVLET_JAR
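Review bot: The result of the new `find_file(TOMCAT_UTIL_JAR ...)` is never checked, so when `tomcat-util.jar` is missing from `/usr/share/java/tomcat` the variable holds `TOMCAT_UTIL_JAR-NOTFOUND`, and the later hunk puts that string into `CMAKE_JAVA_INCLUDE_PATH`. The failure then surfaces as an unresolved-class error at compile time instead of a clear message at configure time. A guard directly after the call makes it explicit: `if(NOT TOMCAT_UTIL_JAR)`, `message(FATAL_ERROR "tomcat-util.jar not found")`, `endif()`. The same applies to `TOMCAT_CATALINA_JAR`, whose only search path this hunk changes from `tomcat6` to `tomcat`.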
@@ -1193,7 +1200,7 @@ set(CMAKE_JAVA_INCLUDE_PATH
${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR}
${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR}
${APACHE_COMMONS_CLI_JAR} ${APACHE_COMMONS_LANG_JAR}
- ${TOMCAT_CATALINA_JAR} ${SYMKEY_JAR}
+ ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_JAR} ${SYMKEY_JAR}
${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR}
${HTTPCLIENT_JAR} ${HTTPCORE_JAR})
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index 35ec7c515..6ad9e7680 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -371,8 +371,10 @@ public class CertUtil {
String instanceRoot = config.getString("instanceRoot");
+ String configurationRoot = config.getString("configurationRoot");
+
CertInfoProfile processor = new CertInfoProfile(
- instanceRoot + "/conf/" + profile);
+ instanceRoot + configurationRoot + profile);
// cfu - create request to enable renewal
try {
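Review bot: The path passed to `CertInfoProfile` is now a plain concatenation of three strings, so it is only correct when `configurationRoot` carries both its leading and trailing separator; the old literal `"/conf/"` guaranteed that. Building it as `new File(new File(instanceRoot, configurationRoot), profile).getPath()` (assuming `java.io.File` is imported in this file) removes the dependency on the exact form of the config value. Instances configured before this change presumably have no `configurationRoot` key, so the `getString` call needs a default or an upgrade step. The origin of `profile` is not visible in the hunk; if a caller can influence it, the resolved path should also be checked to stay under `instanceRoot`. The enclosing method starts and ends outside the hunk.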
diff --git a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
index 86debf3da..bd551baf0 100644
--- a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
+++ b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
@@ -28,6 +28,7 @@ import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.JNDIRealm;
+import org.apache.catalina.Wrapper;
/*
* Self contained PKI JNDI Real that overrides the standard JNDI Realm
@@ -206,6 +207,8 @@ public class PKIJNDIRealm extends JNDIRealm {
boolean allowed = super.hasResourcePermission(request, response, constraints, context);
+ Wrapper wrapper = request.getWrapper();
+
if (allowed == true && hasResourceACLS()) {
loadAuthzProperties(context);
@@ -238,7 +241,7 @@ public class PKIJNDIRealm extends JNDIRealm {
}
}
- allowed = checkACLPermission(principal, resourceID, operation);
+ allowed = checkACLPermission(principal, resourceID, operation, wrapper);
logDebug("resourceID: " + resourceID + " operation: " + operation + " allowed: " + allowed);
}
}
@@ -351,7 +354,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// Check a PKI ACL resourceID and operation for permissions
// If the check fails the user (principal) is not authorized to access the resource
- private boolean checkACLPermission(Principal principal, String resourceId, String operation) {
+ private boolean checkACLPermission(Principal principal, String resourceId, String operation, Wrapper wrapper) {
boolean allowed = true;
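Review bot: `checkACLPermission` starts from `boolean allowed = true;`, and `evaluateExpression` in a later hunk does the same, so any path that returns without reassigning the variable grants access. Both bodies continue outside the hunks, so whether such a path exists cannot be confirmed from here. An authorization check is safer starting from `boolean allowed = false;` and setting `true` only on an explicit match. Since the signature is being changed anyway, the `//` comment above it could become Javadoc with a line for the new parameter, e.g. `@param wrapper servlet wrapper of the current request, passed through to the role lookup`.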
@@ -378,7 +381,7 @@ public class PKIJNDIRealm extends JNDIRealm {
String expressions = entry.getAttributeExpressions();
- allowed = evaluateExpressions(principal, expressions);
+ allowed = evaluateExpressions(principal, expressions, wrapper);
if (isEntryNegative) {
allowed = !allowed;
@@ -400,7 +403,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// Evaluate an expression as part of a PKI ACL
// Ex: user=anybody , group=Data Recovery Manager Agents
- private boolean evaluateExpression(Principal principal, String expression) {
+ private boolean evaluateExpression(Principal principal, String expression, Wrapper wrapper) {
boolean allowed = true;
if (principal == null || expression == null) {
@@ -445,7 +448,7 @@ public class PKIJNDIRealm extends JNDIRealm {
allowed = false;
if (left.equals(PROP_GROUP)) {
// Check JNDI to see if the user has this role/group
- if (hasRole(principal, right)) {
+ if (hasRole(wrapper, principal, right)) {
allowed = true;
}
} else if (left.equals(PROP_USER)) {
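Review bot: Switching to `hasRole(wrapper, principal, right)` changes what the ACL group name is compared against. In Tomcat 7's `RealmBase` this overload first resolves the role through the servlet's `<security-role-ref>` entries via `wrapper.findSecurityReference(role)`, unless this class overrides it outside the visible hunks. A group named in a PKI ACL expression can therefore be remapped by a `role-link` in web.xml, which the two-argument call did not do. If ACL groups are meant to match the directory literally, say so in a comment here, e.g. `// NOTE: group name is subject to <security-role-ref> aliasing for the target servlet`, and check the deployment descriptors for conflicting aliases. `wrapper` comes from `request.getWrapper()` in the first `hasResourcePermission` hunk and is passed down without a null check.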
@@ -482,7 +485,7 @@ public class PKIJNDIRealm extends JNDIRealm {
}
// Take a set of expressions in an ACL and evaluate it
- private boolean evaluateExpressions(Principal principal, String s) {
+ private boolean evaluateExpressions(Principal principal, String s, Wrapper wrapper) {
Vector<Object> v = new Vector<Object>();
@@ -492,7 +495,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// this is the last expression
if (orIndex == -1 && andIndex == -1) {
- boolean passed = evaluateExpression(principal, s.trim());
+ boolean passed = evaluateExpression(principal, s.trim(), wrapper);
v.addElement(Boolean.valueOf(passed));
break;
@@ -500,7 +503,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// || first
} else if (andIndex == -1 || (orIndex != -1 && orIndex < andIndex)) {
String s1 = s.substring(0, orIndex);
- boolean passed = evaluateExpression(principal, s1.trim());
+ boolean passed = evaluateExpression(principal, s1.trim(), wrapper);
v.addElement(Boolean.valueOf(passed));
v.addElement("||");
@@ -508,7 +511,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// && first
} else {
String s1 = s.substring(0, andIndex);
- boolean passed = evaluateExpression(principal, s1.trim());
+ boolean passed = evaluateExpression(principal, s1.trim(), wrapper);
v.addElement(Boolean.valueOf(passed));
v.addElement("&&");