diff options
Diffstat (limited to 'base/tks/shared')
| -rw-r--r-- | base/tks/shared/conf/acl.ldif | 3 | ||||
| -rw-r--r-- | base/tks/shared/webapps/tks/WEB-INF/auth.properties | 2 | ||||
| -rw-r--r-- | base/tks/shared/webapps/tks/WEB-INF/web.xml | 36 |
3 files changed, 40 insertions, 1 deletions
diff --git a/base/tks/shared/conf/acl.ldif b/base/tks/shared/conf/acl.ldif index b38b5963f..bed8ba7cb 100644 --- a/base/tks/shared/conf/acl.ldif +++ b/base/tks/shared/conf/acl.ldif @@ -28,3 +28,6 @@ resourceACLS: certServer.tks.randomdata:execute:allow (execute) group="Token Key resourceACLS: certServer.tks.registerUser:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to register a new agent resourceACLS: certServer.tks.importTransportCert:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Only Enterprise Administrators are allowed to import transport certificate resourceACLS: certServer.clone.configuration:read,modify:allow (modify,read) group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators":Only Enterprise Administrators are allowed to clone the configuration. +resourceACLS: certServer.tks.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout +resourceACLS: certServer.tks.groups:execute:allow (execute) group="Administrators":Admins may execute group operations +resourceACLS: certServer.tks.users:execute:allow (execute) group="Administrators":Admins may execute user operations diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth.properties b/base/tks/shared/webapps/tks/WEB-INF/auth.properties index 29dc9f3fc..90897683e 100644 --- a/base/tks/shared/webapps/tks/WEB-INF/auth.properties +++ b/base/tks/shared/webapps/tks/WEB-INF/auth.properties @@ -4,5 +4,7 @@ # <Rest API URL> = <ACL Resource ID>,<ACL resource operation> # ex: /kra/pki/key/retrieve = certServer.kra.pki.key.retrieve,execute +/tks/rest/account/login = certServer.tks.account,login +/tks/rest/account/logout = certServer.tks.account,logout /tks/rest/admin/users = certServer.tks.users,execute /tks/rest/admin/groups = certServer.tks.groups,execute diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml index a06b2f213..b1958c033 100644 --- a/base/tks/shared/webapps/tks/WEB-INF/web.xml +++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml @@ -417,5 +417,39 @@ <session-config> <session-timeout>30</session-timeout> </session-config> -</web-app> + <security-constraint> + <web-resource-collection> + <web-resource-name>Account Services</web-resource-name> + <url-pattern>/rest/account/*</url-pattern> + </web-resource-collection> + <auth-constraint> + <role-name>*</role-name> + </auth-constraint> + <user-data-constraint> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + + <security-constraint> + <web-resource-collection> + <web-resource-name>Admin Services</web-resource-name> + <url-pattern>/rest/admin/*</url-pattern> + </web-resource-collection> + <auth-constraint> + <role-name>*</role-name> + </auth-constraint> + <user-data-constraint> + <transport-guarantee>CONFIDENTIAL</transport-guarantee> + </user-data-constraint> + </security-constraint> + + <login-config> + <realm-name>Token Key Service</realm-name> + </login-config> + + <security-role> + <role-name>*</role-name> + </security-role> + +</web-app> |