From 154bb05e9bbd45eaa3ca8bef8d2a6af076b1790c Mon Sep 17 00:00:00 2001 
From: Endi Sukma Dewata Date: Fri, 1 Feb 2013 13:05:38 -0500 Subject: Added AuthMapping annotation. A new AuthMapping annotation has been added to configure the required authentication methods to access each REST method. The annotation maps each method into a list of authentication methods in auth.properties. For security reasons, most REST methods that require authentication have been configured to require client certificate authentication. Authentication using username and password will only be used to get installation token from the security domain. Previously the auth.properties files were used to store ACL mappings. Now the ACL mappings have been moved into acl.properties. Ticket #477 --- base/ca/shared/webapps/ca/WEB-INF/acl.properties | 14 ++ base/ca/shared/webapps/ca/WEB-INF/auth.properties | 19 ++- .../ca/CertificateAuthorityApplication.java | 4 +- .../netscape/certsrv/account/AccountResource.java | 2 + .../com/netscape/certsrv/acls/ACLInterceptor.java | 16 +-- .../certsrv/authentication/AuthInterceptor.java | 159 +++++++++++++++++++++ .../certsrv/authentication/AuthMapping.java | 31 ++++ .../netscape/certsrv/cert/CertRequestResource.java | 52 ++++--- .../com/netscape/certsrv/cert/CertResource.java | 5 + .../certsrv/group/GroupMemberResource.java | 2 + .../com/netscape/certsrv/group/GroupResource.java | 2 + .../netscape/certsrv/key/KeyRequestResource.java | 2 + .../src/com/netscape/certsrv/key/KeyResource.java | 2 + .../netscape/certsrv/profile/ProfileResource.java | 3 + .../certsrv/system/KRAConnectorResource.java | 2 + .../certsrv/system/SecurityDomainResource.java | 2 + .../netscape/certsrv/user/UserCertResource.java | 2 + .../com/netscape/certsrv/user/UserResource.java | 2 + base/kra/shared/webapps/kra/WEB-INF/acl.properties | 12 ++ .../kra/shared/webapps/kra/WEB-INF/auth.properties | 16 +-- .../kra/KeyRecoveryAuthorityApplication.java | 4 +- .../shared/webapps/ocsp/WEB-INF/acl.properties | 10 ++ .../shared/webapps/ocsp/WEB-INF/auth.properties | 13 +- 
.../src/com/netscape/ocsp/OCSPApplication.java | 4 +-
base/tks/shared/webapps/tks/WEB-INF/acl.properties | 10 ++
.../tks/shared/webapps/tks/WEB-INF/auth.properties | 13 +-
base/tks/src/com/netscape/tks/TKSApplication.java | 4 +-
27 files changed, 340 insertions(+), 67 deletions(-)
create mode 100644 base/ca/shared/webapps/ca/WEB-INF/acl.properties
create mode 100644 base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java
create mode 100644 base/common/src/com/netscape/certsrv/authentication/AuthMapping.java
create mode 100644 base/kra/shared/webapps/kra/WEB-INF/acl.properties
create mode 100644 base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties
create mode 100644 base/tks/shared/webapps/tks/WEB-INF/acl.properties
diff --git a/base/ca/shared/webapps/ca/WEB-INF/acl.properties b/base/ca/shared/webapps/ca/WEB-INF/acl.properties
new file mode 100644
index 000000000..20f3dd864
--- /dev/null
+++ b/base/ca/shared/webapps/ca/WEB-INF/acl.properties
@@ -0,0 +1,14 @@
+# Restful API authorization mapping info
+#
+# Format:
+# = ,
+# ex: admin.users = certServer.ca.users,read
+
+account.login = certServer.ca.account,login
+account.logout = certServer.ca.account,logout
+admin.users = certServer.ca.users,execute
+admin.groups = certServer.ca.groups,execute
+admin.kraconnector = certServer.ca.connectorInfo,modify
+agent.certrequests = certServer.ca.certrequests,execute
+agent.certs = certServer.ca.certs,execute
+securityDomain.installToken = certServer.securitydomain.domainxml,read
diff --git a/base/ca/shared/webapps/ca/WEB-INF/auth.properties b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
index b73b9ac10..3a6658765 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/auth.properties
+++ b/base/ca/shared/webapps/ca/WEB-INF/auth.properties
@@ -1,14 +1,11 @@ -# Restful API auth/authz mapping info +# Restful API auth mapping info # # Format: -# = , -# ex: admin.users = certServer.ca.users,read +# = +# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr -account.login = certServer.ca.account,login -account.logout = certServer.ca.account,logout -admin.users = certServer.ca.users,execute -admin.groups = certServer.ca.groups,execute -admin.kraconnector = certServer.ca.connectorInfo,modify -agent.certrequests = certServer.ca.certrequests,execute -agent.certs = certServer.ca.certs,execute -securityDomain.installToken = certServer.securitydomain.domainxml,read +default = * +account = certUserDBAuthMgr,passwdUserDBAuthMgr +admin = certUserDBAuthMgr +agent = certUserDBAuthMgr +securityDomain.installToken = passwdUserDBAuthMgr diff --git a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java index 14b44e5d7..35e93811c 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthorityApplication.java @@ -7,6 +7,7 @@ import javax.ws.rs.core.Application; import com.netscape.certsrv.acls.ACLInterceptor; import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.AuthInterceptor; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.PKIException; @@ -85,7 +86,8 @@ public class CertificateAuthorityApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); - // ACL interceptor + // interceptors + singletons.add(new AuthInterceptor()); singletons.add(new ACLInterceptor()); } diff --git a/base/common/src/com/netscape/certsrv/account/AccountResource.java b/base/common/src/com/netscape/certsrv/account/AccountResource.java index a69a3d122..cbe061b5a 100644 --- a/base/common/src/com/netscape/certsrv/account/AccountResource.java 
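Review bot: The `account = certUserDBAuthMgr,passwdUserDBAuthMgr` entry keeps password authentication enabled for the account resource, although the commit message says username and password are only used to obtain the installation token; either the description or this entry should change, or the exception should be stated next to it, e.g. `# account also accepts passwdUserDBAuthMgr (exception to the certificate-only policy)`. The example line `# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr` uses a key (`admin.users`) and a password-capable value that do not match the real entries below (`admin = certUserDBAuthMgr`). `default = *` makes every REST method without an `@AuthMapping` reachable by anonymous callers, which deserves a comment in this file such as `# default applies to methods with no @AuthMapping; * permits anonymous access`. The same points apply to the kra, ocsp and tks auth.properties hunks.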
+++ b/base/common/src/com/netscape/certsrv/account/AccountResource.java @@ -22,11 +22,13 @@ import javax.ws.rs.GET; import javax.ws.rs.Path; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; /** * @author Endi S. Dewata */ @Path("account") +@AuthMapping("account") public interface AccountResource { @GET diff --git a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java index c30740260..dd4985eab 100644 --- a/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java +++ b/base/common/src/com/netscape/certsrv/acls/ACLInterceptor.java @@ -54,7 +54,7 @@ import com.netscape.cmscore.realm.PKIPrincipal; @Precedence("SECURITY") public class ACLInterceptor implements PreProcessInterceptor { - Properties authProperties; + Properties aclProperties; @Context ServletContext servletContext; @@ -62,13 +62,13 @@ public class ACLInterceptor implements PreProcessInterceptor { @Context SecurityContext securityContext; - public synchronized void loadAuthProperties() throws IOException { + public synchronized void loadACLProperties() throws IOException { - if (authProperties != null) return; + if (aclProperties != null) return; - URL url = servletContext.getResource("/WEB-INF/auth.properties"); - authProperties = new Properties(); - authProperties.load(url.openStream()); + URL url = servletContext.getResource("/WEB-INF/acl.properties"); + aclProperties = new Properties(); + aclProperties.load(url.openStream()); } @Override @@ -111,10 +111,10 @@ public class ACLInterceptor implements PreProcessInterceptor { } try { - loadAuthProperties(); + loadACLProperties(); String name = aclMapping.value(); - String value = authProperties.getProperty(name); + String value = aclProperties.getProperty(name); // If no property defined, allow request. if (value == null) return null; 
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java b/base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java
new file mode 100644
index 000000000..6fd7cdd31
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthInterceptor.java
@@ -0,0 +1,159 @@
+//--- BEGIN COPYRIGHT BLOCK ---
+//This program is free software; you can redistribute it and/or modify
+//it under the terms of the GNU General Public License as published by
+//the Free Software Foundation; version 2 of the License.
+//
+//This program is distributed in the hope that it will be useful,
+//but WITHOUT ANY WARRANTY; without even the implied warranty of
+//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+//GNU General Public License for more details.
+//
+//You should have received a copy of the GNU General Public License along
+//with this program; if not, write to the Free Software Foundation, Inc.,
+//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+//(C) 2013 Red Hat, Inc.
+//All rights reserved.
+//--- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.authentication;
+
+import java.io.IOException;
+import java.lang.reflect.Method;
+import java.net.URL;
+import java.security.Principal;
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Properties;
+
+import javax.servlet.ServletContext;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.SecurityContext;
+import javax.ws.rs.ext.Provider;
+
+import org.jboss.resteasy.annotations.interception.Precedence;
+import org.jboss.resteasy.annotations.interception.ServerInterceptor;
+import org.jboss.resteasy.core.ResourceMethod;
+import org.jboss.resteasy.core.ServerResponse;
+import org.jboss.resteasy.spi.Failure;
+import org.jboss.resteasy.spi.HttpRequest;
+import org.jboss.resteasy.spi.interception.PreProcessInterceptor;
+
+import com.netscape.certsrv.base.ForbiddenException;
+import com.netscape.cmscore.realm.PKIPrincipal;
+
+
+/**
+ * @author Endi S. Dewata
+ */
+@Provider
+@ServerInterceptor
+@Precedence("SECURITY")
+public class AuthInterceptor implements PreProcessInterceptor {
+
+ Properties authProperties;
+
+ @Context
+ ServletContext servletContext;
+
+ @Context
+ SecurityContext securityContext;
+
+ public synchronized void loadAuthProperties() throws IOException {
+
+ if (authProperties != null) return;
+
+ URL url = servletContext.getResource("/WEB-INF/auth.properties");
+ authProperties = new Properties();
+ authProperties.load(url.openStream());
+ }
+
+ @Override
+ public ServerResponse preProcess(
+ HttpRequest request,
+ ResourceMethod resourceMethod
+ ) throws Failure, ForbiddenException {
+
+ Class clazz = resourceMethod.getResourceClass();
+ Method method = resourceMethod.getMethod();
+ System.out.println("AuthInterceptor: "+clazz.getSimpleName()+"."+method.getName()+"()");
+
+ // Get authentication mapping for the method.
+ AuthMapping authMapping = method.getAnnotation(AuthMapping.class);
+
+ // If not available, get authentication mapping for the class.
+ if (authMapping == null) {
+ authMapping = clazz.getAnnotation(AuthMapping.class);
+ }
+
+ String name;
+ if (authMapping == null) {
+ // If not available, use the default mapping.
+ name = "default";
+ } else {
+ // Get the method label
+ name = authMapping.value();
+ }
+
+ System.out.println("AuthInterceptor: mapping name: "+name);
+
+ try {
+ loadAuthProperties();
+
+ String value = authProperties.getProperty(name);
+ Collection authMethods = new HashSet();
+ if (value != null) {
+ for (String v : value.split(",")) {
+ authMethods.add(v.trim());
+ }
+ }
+
+ System.out.println("AuthInterceptor: required auth methods: "+authMethods);
+
+ Principal principal = securityContext.getUserPrincipal();
+
+ // If unauthenticated, reject request.
+ if (principal == null) {
+ if (authMethods.isEmpty() || authMethods.contains("anonymous") || authMethods.contains("*")) {
+ System.out.println("AuthInterceptor: anonymous access allowed");
+ return null;
+ }
+ System.out.println("AuthInterceptor: anonymous access not allowed");
+ throw new ForbiddenException("Anonymous access not allowed.");
+ }
+
+ // If unrecognized principal, reject request.
+ if (!(principal instanceof PKIPrincipal)) {
+ System.out.println("AuthInterceptor: unknown principal");
+ throw new ForbiddenException("Unknown user principal");
+ }
+
+ PKIPrincipal pkiPrincipal = (PKIPrincipal)principal;
+ IAuthToken authToken = pkiPrincipal.getAuthToken();
+
+ // If missing auth token, reject request.
+ if (authToken == null) {
+ System.out.println("AuthInterceptor: missing authentication token");
+ throw new ForbiddenException("Missing authentication token.");
+ }
+
+ String authManager = (String)authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME);
+ System.out.println("AuthInterceptor: authentication manager: "+authManager);
+
+ if (authManager == null) {
+ System.out.println("AuthInterceptor: missing authentication manager");
+ throw new ForbiddenException("Missing authentication manager.");
+ }
+
+ if (authMethods.isEmpty() || authMethods.contains(authManager) || authMethods.contains("*")) {
+ System.out.println("AuthInterceptor: "+authManager+" allowed");
+ return null;
+ }
+
+ throw new ForbiddenException("Authentication method not allowed.");
+
+ } catch (IOException e) {
+ e.printStackTrace();
+ throw new Failure(e);
+ }
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthMapping.java b/base/common/src/com/netscape/certsrv/authentication/AuthMapping.java
new file mode 100644
index 000000000..e00cc9d63
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthMapping.java
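Review bot: An empty `authMethods` set is treated as "allow", so `preProcess` fails open in two cases visible in this file: a mapping name with no entry in auth.properties (for example a misspelled `@AuthMapping` value), and a failed load, because `loadAuthProperties()` assigns `authProperties` before `url.openStream()` and `load()` have succeeded, so after a missing file or an I/O error every later call returns early with an empty `Properties`. In both cases `authMethods.isEmpty()` lets even an anonymous caller through. I would load into a local, close the stream, publish the field only after a successful load (this needs `java.io.InputStream`), and reject a mapping that has no entry; `loadACLProperties()` in ACLInterceptor has the same assign-then-load order, and its "If no property defined, allow request" branch gives it the same effect. Separately, the `System.out.println` calls and `e.printStackTrace()` should go through the server's logger so authentication decisions end up in the audit trail rather than on stdout.

```java
public synchronized void loadAuthProperties() throws IOException {

    if (authProperties != null) return;

    URL url = servletContext.getResource("/WEB-INF/auth.properties");
    if (url == null) {
        throw new IOException("/WEB-INF/auth.properties not found");
    }

    // Load into a local so a failed read never leaves an empty mapping published.
    Properties loaded = new Properties();
    InputStream in = url.openStream();
    try {
        loaded.load(in);
    } finally {
        in.close();
    }
    authProperties = loaded;
}

// … unchanged: annotation lookup, mapping name, loadAuthProperties() call …

    String value = authProperties.getProperty(name);
    if (value == null) {
        // Unknown mapping name: deny instead of treating it as "no restriction".
        throw new ForbiddenException("Authentication mapping not configured.");
    }
    Collection authMethods = new HashSet();
    for (String v : value.split(",")) {
        authMethods.add(v.trim());
    }

// … unchanged: principal, token and authentication manager checks …
```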
@@ -0,0 +1,31 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2013 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.authentication;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+
+
+/**
+ * @author Endi S. Dewata
+ */
+@Retention(RetentionPolicy.RUNTIME)
+public @interface AuthMapping {
+ public String value();
+}
diff --git a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java
index 0bd285136..901104cad 100644
--- a/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java
+++ b/base/common/src/com/netscape/certsrv/cert/CertRequestResource.java
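Review bot: `AuthMapping` has no `@Target` and no Javadoc beyond the author tag, so nothing tells a reader where it may be placed or what `value()` means. I would add `@Target({ElementType.TYPE, ElementType.METHOD})` and a class comment stating that the value is a key in WEB-INF/auth.properties, that a method-level annotation takes precedence over a class-level one, and that a missing annotation selects the `default` key. Because this commit places the annotation on resource interfaces, it is also worth confirming that the reflective lookup in AuthInterceptor finds it on the class and method RESTEasy reports, since a miss silently falls through to `default`.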
@@ -28,11 +28,33 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; import com.netscape.certsrv.request.RequestId; @Path("") public interface CertRequestResource { + // Enrollment - used to test integration with a browser + @POST + @Path("certrequests") + @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + @Consumes({ MediaType.APPLICATION_FORM_URLENCODED }) + public CertRequestInfos enrollCert(MultivaluedMap form); + + @POST + @Path("certrequests") + @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + public CertRequestInfos enrollCert(CertEnrollmentRequest data); + + /** + * Used to retrieve cert request info for a specific request + */ + @GET + @Path("certrequests/{id}") + @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) + public CertRequestInfo getRequestInfo(@PathParam("id") RequestId id); + /** * Used to generate list of cert requests based on the search parameters */ @@ -40,6 +62,7 @@ public interface CertRequestResource { @Path("agent/certrequests") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public CertRequestInfos listRequests(@QueryParam("requestState") String requestState, @QueryParam("requestType") String requestType, @QueryParam("start") RequestId start, 
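Review bot: The `enrollCert` overloads and `getRequestInfo`, moved to the top of the interface in this hunk, carry neither `@AuthMapping` nor `@ACLMapping`, so they silently take the `default` entry of auth.properties, which this commit sets to `*`. If that is intended, say so where a reader will see it, e.g. `// Public endpoints: no @AuthMapping, covered by the "default" entry in auth.properties` above the first `enrollCert`, so that a deliberately open method can be told apart from a forgotten annotation. The interface body continues outside this hunk.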
@@ -47,72 +70,59 @@ public interface CertRequestResource { @QueryParam("maxResults") Integer maxResults, @QueryParam("maxTime") Integer maxTime); - /** - * Used to retrieve cert request info for a specific request - */ - @GET - @Path("certrequests/{id}") - @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - public CertRequestInfo getRequestInfo(@PathParam("id") RequestId id); - @GET @Path("agent/certrequests/{id}") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public CertReviewResponse reviewRequest(@PathParam("id") RequestId id); - // Enrollment - used to test integration with a browser - @POST - @Path("certrequests") - @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - @Consumes({ MediaType.APPLICATION_FORM_URLENCODED }) - public CertRequestInfos enrollCert(MultivaluedMap form); - - @POST - @Path("certrequests") - @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) - public CertRequestInfos enrollCert(CertEnrollmentRequest data); - @POST @Path("agent/certrequests/{id}/approve") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public void approveRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/reject") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public void rejectRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/cancel") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public void cancelRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/update") @Consumes({ 
MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public void updateRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/validate") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public void validateRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/unassign") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public void unassignRequest(@PathParam("id") RequestId id, CertReviewResponse data); @POST @Path("agent/certrequests/{id}/assign") @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certrequests") + @AuthMapping("agent") public void assignRequest(@PathParam("id") RequestId id, CertReviewResponse data); } diff --git a/base/common/src/com/netscape/certsrv/cert/CertResource.java b/base/common/src/com/netscape/certsrv/cert/CertResource.java index 17395032d..d7e2c0fb1 100644 --- a/base/common/src/com/netscape/certsrv/cert/CertResource.java +++ b/base/common/src/com/netscape/certsrv/cert/CertResource.java @@ -11,6 +11,7 @@ import javax.ws.rs.QueryParam; import javax.ws.rs.core.MediaType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; import com.netscape.certsrv.dbs.certdb.CertId; @Path("") @@ -45,6 +46,7 @@ public interface CertResource { @Path("agent/certs/{id}") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") + @AuthMapping("agent") public CertData reviewCert(@PathParam("id") CertId id); @POST 
@@ -52,6 +54,7 @@ public interface CertResource { @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") + @AuthMapping("agent") public CertRequestInfo revokeCACert(@PathParam("id") CertId id, CertRevokeRequest request); @POST @@ -59,6 +62,7 @@ public interface CertResource { @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") + @AuthMapping("agent") public CertRequestInfo revokeCert(@PathParam("id") CertId id, CertRevokeRequest request); @POST @@ -66,5 +70,6 @@ public interface CertResource { @Consumes({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") + @AuthMapping("agent") public CertRequestInfo unrevokeCert(@PathParam("id") CertId id, CertUnrevokeRequest request); } diff --git a/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java b/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java index c984daa65..7ebb09c2b 100644 --- a/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java +++ b/base/common/src/com/netscape/certsrv/group/GroupMemberResource.java @@ -32,12 +32,14 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; /** * @author Endi S. Dewata */ @Path("admin/groups/{groupID}/members") @ACLMapping("admin.groups") +@AuthMapping("admin") public interface GroupMemberResource { @GET diff --git a/base/common/src/com/netscape/certsrv/group/GroupResource.java b/base/common/src/com/netscape/certsrv/group/GroupResource.java index 17728dd13..8851bdaa0 100644 --- a/base/common/src/com/netscape/certsrv/group/GroupResource.java 
+++ b/base/common/src/com/netscape/certsrv/group/GroupResource.java @@ -32,12 +32,14 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; /** * @author Endi S. Dewata */ @Path("admin/groups") @ACLMapping("admin.groups") +@AuthMapping("admin") public interface GroupResource { @GET diff --git a/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java b/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java index 9f1ffbe02..fc1132f9c 100644 --- a/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java +++ b/base/common/src/com/netscape/certsrv/key/KeyRequestResource.java @@ -11,10 +11,12 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; import com.netscape.certsrv.request.RequestId; @Path("agent/keyrequests") @ACLMapping("agent.keyrequests") +@AuthMapping("agent") public interface KeyRequestResource { public final String SYMMETRIC_KEY_TYPE = "symmetricKey"; diff --git a/base/common/src/com/netscape/certsrv/key/KeyResource.java b/base/common/src/com/netscape/certsrv/key/KeyResource.java index da7f22031..4a419a8c5 100644 --- a/base/common/src/com/netscape/certsrv/key/KeyResource.java +++ b/base/common/src/com/netscape/certsrv/key/KeyResource.java @@ -10,10 +10,12 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; @Path("agent/keys") @ACLMapping("agent.keys") +@AuthMapping("agent") public interface KeyResource { @GET diff --git a/base/common/src/com/netscape/certsrv/profile/ProfileResource.java b/base/common/src/com/netscape/certsrv/profile/ProfileResource.java index 6dadef560..93cb6785c 100644 
--- a/base/common/src/com/netscape/certsrv/profile/ProfileResource.java +++ b/base/common/src/com/netscape/certsrv/profile/ProfileResource.java @@ -6,8 +6,11 @@ import javax.ws.rs.PathParam; import javax.ws.rs.Produces; import javax.ws.rs.core.MediaType; +import com.netscape.certsrv.authentication.AuthMapping; + @Path("agent/profiles") +@AuthMapping("agent") public interface ProfileResource { @GET diff --git a/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java b/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java index 01f159e96..8f34985ac 100644 --- a/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java +++ b/base/common/src/com/netscape/certsrv/system/KRAConnectorResource.java @@ -26,12 +26,14 @@ import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MultivaluedMap; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; /** * @author Ade Lee */ @Path("admin/kraconnector") @ACLMapping("admin.kraconnector") +@AuthMapping("admin") public interface KRAConnectorResource { @POST diff --git a/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java index b34d9fe13..dd9693eaa 100644 --- a/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java +++ b/base/common/src/com/netscape/certsrv/system/SecurityDomainResource.java @@ -24,6 +24,7 @@ import javax.ws.rs.QueryParam; import javax.ws.rs.core.MediaType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; /** * @author alee 
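Review bot: `ProfileResource` gains `@AuthMapping("agent")` but the class header visible in this hunk has no `@ACLMapping`, unlike the other `agent/...` resources touched by this commit (`KeyResource`, `KeyRequestResource`), and none of the new acl.properties files has an entry for profiles. As written, any caller who authenticates with a client certificate would pass the authentication check on `agent/profiles` without an authorization check, unless the methods outside this hunk carry their own `@ACLMapping`. Consider a class-level mapping such as `@ACLMapping("agent.profiles")` (key name constructed for illustration) together with a matching acl.properties entry.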
@@ -35,6 +36,7 @@ public interface SecurityDomainResource { @Path("installToken") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("securityDomain.installToken") + @AuthMapping("securityDomain.installToken") public InstallToken getInstallToken( @QueryParam("hostname") String hostname, @QueryParam("subsystem") String subsystem); diff --git a/base/common/src/com/netscape/certsrv/user/UserCertResource.java b/base/common/src/com/netscape/certsrv/user/UserCertResource.java index d85abd6e0..67159c5ff 100644 --- a/base/common/src/com/netscape/certsrv/user/UserCertResource.java +++ b/base/common/src/com/netscape/certsrv/user/UserCertResource.java @@ -32,12 +32,14 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; /** * @author Endi S. Dewata */ @Path("admin/users/{userID}/certs") @ACLMapping("admin.users") +@AuthMapping("admin") public interface UserCertResource { @GET diff --git a/base/common/src/com/netscape/certsrv/user/UserResource.java b/base/common/src/com/netscape/certsrv/user/UserResource.java index e72bb0cef..b00278aea 100644 --- a/base/common/src/com/netscape/certsrv/user/UserResource.java +++ b/base/common/src/com/netscape/certsrv/user/UserResource.java @@ -32,12 +32,14 @@ import javax.ws.rs.core.Response; import org.jboss.resteasy.annotations.ClientResponseType; import com.netscape.certsrv.acls.ACLMapping; +import com.netscape.certsrv.authentication.AuthMapping; /** * @author Endi S. Dewata */ @Path("admin/users") @ACLMapping("admin.users") +@AuthMapping("admin") public interface UserResource { @GET diff --git a/base/kra/shared/webapps/kra/WEB-INF/acl.properties b/base/kra/shared/webapps/kra/WEB-INF/acl.properties new file mode 100644 index 000000000..952bdad33 --- /dev/null +++ b/base/kra/shared/webapps/kra/WEB-INF/acl.properties 
@@ -0,0 +1,12 @@ +# Restful API authorization mapping info +# +# Format: +# = , +# ex: admin.users = certServer.ca.users,read + +account.login = certServer.kra.account,login +account.logout = certServer.kra.account,logout +admin.users = certServer.kra.users,execute +admin.groups = certServer.kra.groups,execute +agent.keys = certServer.kra.keys,execute +agent.keyrequests = certServer.kra.keyrequests,execute diff --git a/base/kra/shared/webapps/kra/WEB-INF/auth.properties b/base/kra/shared/webapps/kra/WEB-INF/auth.properties index 567747f5b..29a2f2381 100644 --- a/base/kra/shared/webapps/kra/WEB-INF/auth.properties +++ b/base/kra/shared/webapps/kra/WEB-INF/auth.properties @@ -1,12 +1,10 @@ -# Restful API auth/authz mapping info +# Restful API auth mapping info # # Format: -# = , -# ex: admin.users = certServer.ca.users,read +# = +# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr -account.login = certServer.kra.account,login -account.logout = certServer.kra.account,logout -admin.users = certServer.kra.users,execute -admin.groups = certServer.kra.groups,execute -agent.keys = certServer.kra.keys,execute -agent.keyrequests = certServer.kra.keyrequests,execute +default = * +account = certUserDBAuthMgr,passwdUserDBAuthMgr +admin = certUserDBAuthMgr +agent = certUserDBAuthMgr diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java index 0ed23f697..d256c0438 100644 --- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java +++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthorityApplication.java @@ -6,6 +6,7 @@ import java.util.Set; import javax.ws.rs.core.Application; import com.netscape.certsrv.acls.ACLInterceptor; +import com.netscape.certsrv.authentication.AuthInterceptor; import com.netscape.certsrv.base.PKIException; import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupMemberService; 
@@ -46,7 +47,8 @@ public class KeyRecoveryAuthorityApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); - // ACL interceptor + // interceptors + singletons.add(new AuthInterceptor()); singletons.add(new ACLInterceptor()); } diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties new file mode 100644 index 000000000..95fabba72 --- /dev/null +++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/acl.properties @@ -0,0 +1,10 @@ +# Restful API authorization mapping info +# +# Format: +# = , +# ex: admin.users = certServer.ca.users,read + +account.login = certServer.ocsp.account,login +account.logout = certServer.ocsp.account,logout +admin.users = certServer.ocsp.users,execute +admin.groups = certServer.ocsp.groups,execute diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties index cd2e14058..81e24403f 100644 --- a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties +++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties @@ -1,10 +1,9 @@ -# Restful API auth/authz mapping info +# Restful API auth mapping info # # Format: -# = , -# ex: admin.users = certServer.ca.users,read +# = +# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr -account.login = certServer.ocsp.account,login -account.logout = certServer.ocsp.account,logout -admin.users = certServer.ocsp.users,execute -admin.groups = certServer.ocsp.groups,execute +default = * +account = certUserDBAuthMgr,passwdUserDBAuthMgr +admin = certUserDBAuthMgr diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java index 21b37f801..6a5f60f6e 100644 --- a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java +++ b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java 
@@ -6,6 +6,7 @@ import java.util.Set; import javax.ws.rs.core.Application; import com.netscape.certsrv.acls.ACLInterceptor; +import com.netscape.certsrv.authentication.AuthInterceptor; import com.netscape.certsrv.base.PKIException; import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupMemberService; @@ -40,7 +41,8 @@ public class OCSPApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); - // ACL interceptor + // interceptors + singletons.add(new AuthInterceptor()); singletons.add(new ACLInterceptor()); } diff --git a/base/tks/shared/webapps/tks/WEB-INF/acl.properties b/base/tks/shared/webapps/tks/WEB-INF/acl.properties new file mode 100644 index 000000000..62367135e --- /dev/null +++ b/base/tks/shared/webapps/tks/WEB-INF/acl.properties @@ -0,0 +1,10 @@ +# Restful API authorization mapping info +# +# Format: +# = , +# ex: admin.users = certServer.ca.users,read + +account.login = certServer.tks.account,login +account.logout = certServer.tks.account,logout +admin.users = certServer.tks.users,execute +admin.groups = certServer.tks.groups,execute diff --git a/base/tks/shared/webapps/tks/WEB-INF/auth.properties b/base/tks/shared/webapps/tks/WEB-INF/auth.properties index 6de7f08e5..81e24403f 100644 --- a/base/tks/shared/webapps/tks/WEB-INF/auth.properties +++ b/base/tks/shared/webapps/tks/WEB-INF/auth.properties @@ -1,10 +1,9 @@ -# Restful API auth/authz mapping info +# Restful API auth mapping info # # Format: -# = , -# ex: admin.users = certServer.ca.users,read +# = +# ex: admin.users = certUserDBAuthMgr,passwdUserDBAuthMgr -account.login = certServer.tks.account,login -account.logout = certServer.tks.account,logout -admin.users = certServer.tks.users,execute -admin.groups = certServer.tks.groups,execute +default = * +account = certUserDBAuthMgr,passwdUserDBAuthMgr +admin = certUserDBAuthMgr 
diff --git a/base/tks/src/com/netscape/tks/TKSApplication.java b/base/tks/src/com/netscape/tks/TKSApplication.java index 229a64c95..c79e0d0f2 100644 --- a/base/tks/src/com/netscape/tks/TKSApplication.java +++ b/base/tks/src/com/netscape/tks/TKSApplication.java @@ -6,6 +6,7 @@ import java.util.Set; import javax.ws.rs.core.Application; import com.netscape.certsrv.acls.ACLInterceptor; +import com.netscape.certsrv.authentication.AuthInterceptor; import com.netscape.certsrv.base.PKIException; import com.netscape.cms.servlet.account.AccountService; import com.netscape.cms.servlet.admin.GroupMemberService; @@ -40,7 +41,8 @@ public class TKSApplication extends Application { // exception mapper classes.add(PKIException.Mapper.class); - // ACL interceptor + // interceptors + singletons.add(new AuthInterceptor()); singletons.add(new ACLInterceptor()); } -- cgit