diff options
Diffstat (limited to 'base/server/cmscore/src/com')
-rw-r--r-- | base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java | 40 |
1 files changed, 39 insertions, 1 deletions
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java index a6019730a..8b126d2da 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java +++ b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java @@ -21,11 +21,14 @@ import java.util.Enumeration; import java.util.Hashtable; import java.util.Vector; +import org.apache.commons.codec.binary.StringUtils; + import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authorization.AuthzManagerProxy; import com.netscape.certsrv.authorization.AuthzMgrPlugin; import com.netscape.certsrv.authorization.AuthzToken; +import com.netscape.certsrv.authorization.EAuthzAccessDenied; import com.netscape.certsrv.authorization.EAuthzException; import com.netscape.certsrv.authorization.EAuthzMgrNotFound; import com.netscape.certsrv.authorization.EAuthzMgrPluginNotFound; @@ -156,6 +159,7 @@ public class AuthzSubsystem implements IAuthzSubsystem { // it is mis-configurated. This give // administrator another chance to // fix the problem via console + CMS.debug(e); } catch (Throwable e) { log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTHZ_PLUGIN_INIT_FAILED", insName, e.toString())); @@ -163,6 +167,7 @@ public class AuthzSubsystem implements IAuthzSubsystem { // it is mis-configurated. This give // administrator another chance to // fix the problem via console + CMS.debug(e); } // add manager instance to list. mAuthzMgrInsts.put(insName, new @@ -212,7 +217,7 @@ public class AuthzSubsystem implements IAuthzSubsystem { * Authorization to the named authorization manager instance * * @param authzMgrName The authorization manager name - * @param authToken the authenticaton token associated with a user + * @param authToken the authentication token associated with a user * @param resource the resource protected by the authorization system * @param operation the operation for resource protected by the authoriz * n system @@ -465,4 +470,37 @@ public class AuthzSubsystem implements IAuthzSubsystem { level, msg); } + @Override + public void checkRealm(String realm, IAuthToken authToken, String owner, String resource, String operation) + throws EBaseException { + // if no realm entry, SUCCESS by default + if (realm == null) return; + + // if record owner == requester, SUCCESS + if ((owner != null) && owner.equals(authToken.getInString(IAuthToken.USER_ID))) return; + + String mgrName = getAuthzManagerByRealm(realm); + // if no authz manager for this realm, SUCCESS by default + if (mgrName == null) return; + + AuthzToken authzToken = authorize(mgrName, authToken, resource, operation); + if (authzToken == null) { + throw new EAuthzAccessDenied("Not authorized by ACL realm"); + } + } + + public String getAuthzManagerByRealm(String realm) throws EBaseException { + for (AuthzManagerProxy proxy : mAuthzMgrInsts.values()) { + IAuthzManager mgr = proxy.getAuthzManager(); + if (mgr != null) { + IConfigStore cfg = mgr.getConfigStore(); + String mgrRealm = cfg.getString(PROP_REALM, null); + if (StringUtils.equals(mgrRealm, realm)) { + return mgr.getName(); + } + } + } + return null; + } + } |