Diffstat (limited to 'base/common/src')
-rw-r--r-- | base/common/src/CMakeLists.txt | 11 | ||||
-rw-r--r-- | base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java | 4 | ||||
-rw-r--r-- | base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java | 21 |
3 files changed, 24 insertions, 12 deletions
diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
index eab5db24c..0505c7e74 100644
--- a/base/common/src/CMakeLists.txt
+++ b/base/common/src/CMakeLists.txt
@@ -48,7 +48,14 @@ find_file(TOMCAT_CATALINA_JAR
NAMES
catalina.jar
PATHS
- /usr/share/java/tomcat6
+ /usr/share/java/tomcat
+)
+
+find_file(TOMCAT_UTIL_JAR
+ NAMES
+ tomcat-util.jar
+ PATHS
+ /usr/share/java/tomcat
)
find_file(SERVLET_JAR
@@ -1193,7 +1200,7 @@ set(CMAKE_JAVA_INCLUDE_PATH ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR} ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR} ${APACHE_COMMONS_CLI_JAR} ${APACHE_COMMONS_LANG_JAR}
- ${TOMCAT_CATALINA_JAR} ${SYMKEY_JAR}
+ ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_JAR} ${SYMKEY_JAR}
${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR} ${HTTPCLIENT_JAR} ${HTTPCORE_JAR})
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index 35ec7c515..6ad9e7680 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -371,8 +371,10 @@ public class CertUtil {
String instanceRoot = config.getString("instanceRoot");
+ String configurationRoot = config.getString("configurationRoot");
+
CertInfoProfile processor = new CertInfoProfile(
- instanceRoot + "/conf/" + profile);
+ instanceRoot + configurationRoot + profile);
// cfu - create request to enable renewal
try {
diff --git a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
index 86debf3da..bd551baf0 100644
--- a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
+++ b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java 
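Review bot: The new `find_file(TOMCAT_UTIL_JAR ...)` result goes straight into `CMAKE_JAVA_INCLUDE_PATH` in the second hunk with no found-check, and it searches only the hard-coded `/usr/share/java/tomcat`. When the jar is absent, CMake leaves `TOMCAT_UTIL_JAR-NOTFOUND` in the variable and the problem surfaces later as an unrelated compile error. A guard after the lookup would fail early: `if(NOT TOMCAT_UTIL_JAR)`, `message(FATAL_ERROR "tomcat-util.jar not found")`, `endif()`. The same applies to `TOMCAT_CATALINA_JAR`, whose search path the first hunk moves away from tomcat6.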
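Review bot: The profile path is now `instanceRoot + configurationRoot + profile` with no separator of its own, so it resolves correctly only when `configurationRoot` both starts and ends with `/`; the removed line supplied `/conf/` itself. Nothing in the hunk validates the new value, and how `config.getString("configurationRoot")` behaves for an instance whose configuration predates this key is not visible here. Building the path with `new File(new File(instanceRoot, configurationRoot), profile).getPath()` removes the dependence on slashes, and a check that the result stays under the instance root would be worth adding if `profile` can come from request input (its origin is outside the hunk). The enclosing method starts and ends outside the hunk.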
@@ -28,6 +28,7 @@ import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.JNDIRealm;
+import org.apache.catalina.Wrapper;
/*
* Self contained PKI JNDI Real that overrides the standard JNDI Realm
@@ -206,6 +207,8 @@ public class PKIJNDIRealm extends JNDIRealm {
boolean allowed = super.hasResourcePermission(request, response, constraints, context);
+ Wrapper wrapper = request.getWrapper();
+
if (allowed == true && hasResourceACLS()) {
loadAuthzProperties(context);
@@ -238,7 +241,7 @@ public class PKIJNDIRealm extends JNDIRealm {
}
}
- allowed = checkACLPermission(principal, resourceID, operation);
+ allowed = checkACLPermission(principal, resourceID, operation, wrapper);
logDebug("resourceID: " + resourceID + " operation: " + operation + " allowed: " + allowed);
}
}
@@ -351,7 +354,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// Check a PKI ACL resourceID and operation for permissions
// If the check fails the user (principal) is not authorized to access the resource
- private boolean checkACLPermission(Principal principal, String resourceId, String operation) {
+ private boolean checkACLPermission(Principal principal, String resourceId, String operation, Wrapper wrapper) {
boolean allowed = true;
@@ -378,7 +381,7 @@ public class PKIJNDIRealm extends JNDIRealm {
String expressions = entry.getAttributeExpressions();
- allowed = evaluateExpressions(principal, expressions);
+ allowed = evaluateExpressions(principal, expressions, wrapper);
if (isEntryNegative) {
allowed = !allowed; 
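Review bot: `checkACLPermission` (hunk at -351) gains a `wrapper` parameter that nothing documents or null-checks, while the function still starts from `boolean allowed = true;`. Its body continues outside the hunk, so whether a resource with no matching ACL entry stays allowed cannot be confirmed from here; if it does, the default should be deny, `boolean allowed = false;`, with true set only on an explicit match. I would also extend the comment above the signature with `// wrapper: servlet wrapper of the current request, passed down to hasRole() for the role lookup; confirm whether it can be null`. The same undocumented parameter is threaded through `evaluateExpressions` and `evaluateExpression` in the later hunks.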
@@ -400,7 +403,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// Evaluate an expression as part of a PKI ACL
// Ex: user=anybody , group=Data Recovery Manager Agents
- private boolean evaluateExpression(Principal principal, String expression) {
+ private boolean evaluateExpression(Principal principal, String expression, Wrapper wrapper) {
boolean allowed = true;
if (principal == null || expression == null) {
@@ -445,7 +448,7 @@ public class PKIJNDIRealm extends JNDIRealm {
allowed = false;
if (left.equals(PROP_GROUP)) {
// Check JNDI to see if the user has this role/group
- if (hasRole(principal, right)) {
+ if (hasRole(wrapper, principal, right)) {
allowed = true;
}
} else if (left.equals(PROP_USER)) {
@@ -482,7 +485,7 @@ public class PKIJNDIRealm extends JNDIRealm {
}
// Take a set of expressions in an ACL and evaluate it
- private boolean evaluateExpressions(Principal principal, String s) {
+ private boolean evaluateExpressions(Principal principal, String s, Wrapper wrapper) {
Vector<Object> v = new Vector<Object>();
@@ -492,7 +495,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// this is the last expression
if (orIndex == -1 && andIndex == -1) {
- boolean passed = evaluateExpression(principal, s.trim());
+ boolean passed = evaluateExpression(principal, s.trim(), wrapper);
v.addElement(Boolean.valueOf(passed));
break;
@@ -500,7 +503,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// || first
} else if (andIndex == -1 || (orIndex != -1 && orIndex < andIndex)) {
String s1 = s.substring(0, orIndex);
- boolean passed = evaluateExpression(principal, s1.trim());
+ boolean passed = evaluateExpression(principal, s1.trim(), wrapper);
v.addElement(Boolean.valueOf(passed));
v.addElement("||"); 
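Review bot: The call `hasRole(wrapper, principal, right)` (hunk at -445) changes how a `group=` expression is resolved, yet the comment above it still says only "Check JNDI". As far as I know, Tomcat 7's `RealmBase.hasRole(Wrapper, Principal, String)` first looks the role up in the wrapper's `<security-role-ref>` aliases, so the group named in a PKI ACL could be remapped by the web.xml of the servlet serving the request. If that is intended, say so at the call, e.g. `// role name may be aliased by the servlet's security-role-ref before the JNDI check`; if not, confirm that no deployed web.xml defines aliases that collide with ACL group names. `evaluateExpression` starts and ends outside the hunk.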
@@ -508,7 +511,7 @@ public class PKIJNDIRealm extends JNDIRealm {
// && first
} else {
String s1 = s.substring(0, andIndex);
- boolean passed = evaluateExpression(principal, s1.trim());
+ boolean passed = evaluateExpression(principal, s1.trim(), wrapper);
v.addElement(Boolean.valueOf(passed));
v.addElement("&&"); |