summaryrefslogtreecommitdiffstats
path: root/base/server
diff options
context:
space:
mode:
Diffstat (limited to 'base/server')
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java12
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java27
2 files changed, 28 insertions, 11 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
index 04bb6f2ec..00e313a80 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
@@ -169,7 +169,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
}
authz.checkRealm(request.getRealm(), authToken, request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER),
- "keyRequest", "read");
+ "certServer.kra.request", "read");
KeyRequestInfo info = createKeyRequestInfo(request, uriInfo);
return info;
@@ -264,7 +264,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
}
try {
- authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "key", "recover");
+ authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "certServer.kra.key", "recover");
} catch (EAuthzUnknownRealm e) {
throw new UnauthorizedException("Invalid realm", e);
} catch (EBaseException e) {
@@ -322,7 +322,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
}
try {
- authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "key", "recover");
+ authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "certServer.kra.key", "recover");
} catch (EAuthzUnknownRealm e) {
throw new UnauthorizedException("Invalid realm", e);
} catch (EBaseException e) {
@@ -504,7 +504,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
IRequest request = queue.findRequest(id);
authz.checkRealm(request.getRealm(), authToken,
request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER),
- "keyRequest", "approve");
+ "certServer.kra.requests", "execute");
service.addAgentAsyncKeyRecovery(id.toString(), requestor);
}
@@ -514,7 +514,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
String realm = request.getRealm();
authz.checkRealm(realm, authToken,
request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER),
- "keyRequest", "reject");
+ "certServer.kra.requests", "execute");
request.setRequestStatus(RequestStatus.REJECTED);
queue.updateRequest(request);
}
@@ -524,7 +524,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
String realm = request.getRealm();
authz.checkRealm(realm, authToken,
request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER),
- "keyRequest", "cancel");
+ "certServer.kra.requests", "execute");
request.setRequestStatus(RequestStatus.CANCELED);
queue.updateRequest(request);
}
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
index 354485897..378777f99 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
@@ -17,8 +17,10 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cmscore.authorization;
+import java.util.Arrays;
import java.util.Enumeration;
import java.util.Hashtable;
+import java.util.List;
import java.util.Vector;
import org.apache.commons.codec.binary.StringUtils;
@@ -227,7 +229,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
*/
public AuthzToken authorize(
String authzMgrInstName, IAuthToken authToken,
- String resource, String operation)
+ String resource, String operation, String realm)
throws EAuthzMgrNotFound, EBaseException {
AuthzManagerProxy proxy = mAuthzMgrInsts.get(authzMgrInstName);
@@ -243,9 +245,20 @@ public class AuthzSubsystem implements IAuthzSubsystem {
if (authzMgrInst == null) {
throw new EAuthzMgrNotFound(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZMGR_NOT_FOUND", authzMgrInstName));
}
+
+ if ((realm != null) && (resource != null)) {
+ resource = realm + "." + resource;
+ }
return (authzMgrInst.authorize(authToken, resource, operation));
}
+ @Override
+ public AuthzToken authorize(String authzMgrName, IAuthToken authToken, String resource, String operation)
+ throws EBaseException {
+ return authorize(authzMgrName, authToken, resource, operation, null);
+ }
+
+ @Override
public AuthzToken authorize(
String authzMgrInstName, IAuthToken authToken, String exp)
throws EAuthzMgrNotFound, EBaseException {
@@ -485,7 +498,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
throw new EAuthzUnknownRealm("Realm not found");
}
- AuthzToken authzToken = authorize(mgrName, authToken, resource, operation);
+ AuthzToken authzToken = authorize(mgrName, authToken, resource, operation, realm);
if (authzToken == null) {
throw new EAuthzAccessDenied("Not authorized by ACL realm");
}
@@ -496,9 +509,13 @@ public class AuthzSubsystem implements IAuthzSubsystem {
IAuthzManager mgr = proxy.getAuthzManager();
if (mgr != null) {
IConfigStore cfg = mgr.getConfigStore();
- String mgrRealm = cfg.getString(PROP_REALM, null);
- if (StringUtils.equals(mgrRealm, realm)) {
- return mgr.getName();
+ String mgrRealmString = cfg.getString(PROP_REALM, null);
+ if (mgrRealmString == null) continue;
+
+ List<String> mgrRealms = Arrays.asList(mgrRealmString.split(","));
+ for (String mgrRealm : mgrRealms) {
+ if (StringUtils.equals(mgrRealm, realm))
+ return mgr.getName();
}
}
}
generated by cgit (git 2.34.1) at 2024-05-03 05:16:50 +0000