diff options
Diffstat (limited to 'base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java')
-rw-r--r-- | base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java | 189 |
1 files changed, 0 insertions, 189 deletions
diff --git a/base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java deleted file mode 100644 index c4b890e12..000000000 --- a/base/server/cms/src/com/netscape/cms/authorization/ACLInterceptor.java +++ /dev/null @@ -1,189 +0,0 @@ -//--- BEGIN COPYRIGHT BLOCK --- -//This program is free software; you can redistribute it and/or modify -//it under the terms of the GNU General Public License as published by -//the Free Software Foundation; version 2 of the License. -// -//This program is distributed in the hope that it will be useful, -//but WITHOUT ANY WARRANTY; without even the implied warranty of -//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -//GNU General Public License for more details. -// -//You should have received a copy of the GNU General Public License along -//with this program; if not, write to the Free Software Foundation, Inc., -//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -//(C) 2012 Red Hat, Inc. -//All rights reserved. -//--- END COPYRIGHT BLOCK --- -package com.netscape.cms.authorization; - -import java.io.File; -import java.io.FileReader; -import java.io.IOException; -import java.lang.reflect.Method; -import java.security.Principal; -import java.util.Properties; - -import javax.servlet.ServletContext; -import javax.ws.rs.container.ContainerRequestContext; -import javax.ws.rs.container.ContainerRequestFilter; -import javax.ws.rs.core.Context; -import javax.ws.rs.core.SecurityContext; -import javax.ws.rs.ext.Provider; - -import org.jboss.resteasy.core.ResourceMethodInvoker; -import org.jboss.resteasy.spi.Failure; - -import com.netscape.certsrv.acls.ACLMapping; -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.IAuthToken; -import com.netscape.certsrv.authorization.AuthzToken; -import com.netscape.certsrv.authorization.EAuthzAccessDenied; -import com.netscape.certsrv.authorization.IAuthzSubsystem; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.ForbiddenException; -import com.netscape.cms.realm.PKIPrincipal; - -/** - * @author Endi S. Dewata - */ -@Provider -public class ACLInterceptor implements ContainerRequestFilter { - - Properties properties; - - @Context - ServletContext servletContext; - - @Context - SecurityContext securityContext; - - public synchronized void loadProperties() throws IOException { - - if (properties != null) - return; - - properties = new Properties(); - - String context = servletContext.getContextPath(); - String subsystem = context.startsWith("/") ? context.substring(1) : context; - - // load default mapping - String defaultMapping = "/usr/share/pki/" + subsystem + "/conf/acl.properties"; - CMS.debug("ACLInterceptor: loading " + defaultMapping); - try (FileReader in = new FileReader(defaultMapping)) { - properties.load(in); - } - - // load custom mapping - File customMapping = new File(System.getProperty("catalina.base") - + "/" + subsystem + "/conf/acl.properties"); - CMS.debug("ACLInterceptor: checking " + customMapping); - if (customMapping.exists()) { - CMS.debug("ACLInterceptor: loading " + customMapping); - try (FileReader in = new FileReader(customMapping)) { - properties.load(in); - } - } - } - - @Override - public void filter(ContainerRequestContext requestContext) throws IOException { - ResourceMethodInvoker methodInvoker = (ResourceMethodInvoker) requestContext - .getProperty("org.jboss.resteasy.core.ResourceMethodInvoker"); - Method method = methodInvoker.getMethod(); - Class<?> clazz = methodInvoker.getResourceClass(); - - CMS.debug("ACLInterceptor: " + clazz.getSimpleName() + "." + method.getName() + "()"); - - ACLMapping aclMapping = method.getAnnotation(ACLMapping.class); - - // If not available, get ACL mapping for the class. - if (aclMapping == null) { - aclMapping = clazz.getAnnotation(ACLMapping.class); - } - - // If still not available, it's unprotected, allow request. - if (aclMapping == null) { - CMS.debug("ACLInterceptor: No ACL mapping."); - return; - } - - String name = aclMapping.value(); - CMS.debug("ACLInterceptor: mapping: " + name); - - Principal principal = securityContext.getUserPrincipal(); - - // If unauthenticated, reject request. - if (principal == null) { - CMS.debug("ACLInterceptor: No user principal provided."); - throw new ForbiddenException("No user principal provided."); - } - - CMS.debug("ACLInterceptor: principal: " + principal.getName()); - - // If unrecognized principal, reject request. - if (!(principal instanceof PKIPrincipal)) { - CMS.debug("ACLInterceptor: Invalid user principal."); - throw new ForbiddenException("Invalid user principal."); - } - - PKIPrincipal pkiPrincipal = (PKIPrincipal) principal; - IAuthToken authToken = pkiPrincipal.getAuthToken(); - - // If missing auth token, reject request. - if (authToken == null) { - CMS.debug("ACLInterceptor: No authorization token present."); - throw new ForbiddenException("No authorization token present."); - } - - try { - loadProperties(); - - String value = properties.getProperty(name); - - // If no property defined, allow request. - if (value == null) { - CMS.debug("ACLInterceptor: No ACL configuration."); - return; - } - - String values[] = value.split(","); - - // If invalid mapping, reject request. - if (values.length != 2) { - CMS.debug("ACLInterceptor: Invalid ACL mapping."); - throw new ForbiddenException("Invalid ACL mapping."); - } - - CMS.debug("ACLInterceptor: ACL: " + value); - - // Check authorization. - IAuthzSubsystem mAuthz = (IAuthzSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_AUTHZ); - AuthzToken authzToken = mAuthz.authorize( - "DirAclAuthz", - authToken, - values[0], // resource - values[1]); // operation - - // If not authorized, reject request. - if (authzToken == null) { - CMS.debug("ACLInterceptor: No authorization token present."); - throw new ForbiddenException("No authorization token present."); - } - - CMS.debug("ACLInterceptor: access granted"); - - } catch (EAuthzAccessDenied e) { - CMS.debug("ACLInterceptor: " + e.getMessage()); - throw new ForbiddenException(e.toString()); - - } catch (IOException | EBaseException e) { - e.printStackTrace(); - throw new Failure(e); - } - - // Allow request. - return; - } -} |