From 0ce6c97e4fe0e36786b78c273833b8f1dfbc12b4 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen
Date: Tue, 3 Jul 2012 17:52:33 -0700
Subject: PKI Deployment Scriptlets
* Integration of Tomcat 7
* Introduction of dependency upon tomcatjss 7.0
* Removal of http filtering configuration mechanisms
* Introduction of additional slot substitution to support revised filesystem layout
* Addition of 'pkiuser' uid:gid creation methods
* Inclusion of per instance '*.profile' files
* Introduction of configurable 'configurationRoot' parameter
* Introduction of default configuration of 'log4j' mechanism (alee)
* Modify web.xml to use new Application classes to bootstrap servers (alee)
* Introduction of "Wrapper" logic to support Tomcat 6 --> Tomcat 7 API change (jmagne)
* Added jython helper function to allow attaching a remote java debugger (e. g. - eclipse)
---
 .../com/netscape/cms/servlet/csadmin/CertUtil.java | 4 +++-
 .../com/netscape/cmscore/realm/PKIJNDIRealm.java | 21 ++++++++++++---------
 2 files changed, 15 insertions(+), 10 deletions(-)
(limited to 'base/common/src/com')
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
index 35ec7c515..6ad9e7680 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java
@@ -371,8 +371,10 @@ public class CertUtil {
 String instanceRoot = config.getString("instanceRoot");
+ String configurationRoot = config.getString("configurationRoot");
+
 CertInfoProfile processor = new CertInfoProfile(
- instanceRoot + "/conf/" + profile);
+ instanceRoot + configurationRoot + profile);
 // cfu - create request to enable renewal
 try {
diff --git a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
index 86debf3da..bd551baf0 100644
--- a/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
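Review bot: The new `instanceRoot + configurationRoot + profile` concatenation drops the separators that the old literal `"/conf/"` supplied, so the profile path is only correct when the configured `configurationRoot` value carries both a leading and a trailing `/`; a value such as `conf` silently produces a path in a differently named directory instead of an error. Because this path selects the certificate profile applied to the request, I would join the components rather than concatenate them, e.g. `new File(new File(instanceRoot, configurationRoot), profile).getPath()` (requires `java.io.File` in scope, which I cannot see from here), or at minimum document the contract on the new line: `// configurationRoot is used verbatim and must be of the form "/<dir>/"`. What `config.getString` does for a missing key is not visible in the hunk, so a missing `configurationRoot` may also fail less clearly than the old hard-coded path did. The enclosing method starts and ends outside the hunk.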
+++ b/base/common/src/com/netscape/cmscore/realm/PKIJNDIRealm.java
@@ -28,6 +28,7 @@ import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.catalina.deploy.SecurityConstraint;
 import org.apache.catalina.realm.JNDIRealm;
+import org.apache.catalina.Wrapper;
 /*
 * Self contained PKI JNDI Real that overrides the standard JNDI Realm
@@ -206,6 +207,8 @@ public class PKIJNDIRealm extends JNDIRealm {
 boolean allowed = super.hasResourcePermission(request, response, constraints, context);
+ Wrapper wrapper = request.getWrapper();
+
 if (allowed == true && hasResourceACLS()) {
 loadAuthzProperties(context);
@@ -238,7 +241,7 @@ public class PKIJNDIRealm extends JNDIRealm {
 }
 }
- allowed = checkACLPermission(principal, resourceID, operation);
+ allowed = checkACLPermission(principal, resourceID, operation, wrapper);
 logDebug("resourceID: " + resourceID + " operation: " + operation + " allowed: " + allowed);
 }
 }
@@ -351,7 +354,7 @@ public class PKIJNDIRealm extends JNDIRealm {
 // Check a PKI ACL resourceID and operation for permissions
 // If the check fails the user (principal) is not authorized to access the resource
- private boolean checkACLPermission(Principal principal, String resourceId, String operation) {
+ private boolean checkACLPermission(Principal principal, String resourceId, String operation, Wrapper wrapper) {
 boolean allowed = true;
@@ -378,7 +381,7 @@ public class PKIJNDIRealm extends JNDIRealm {
 String expressions = entry.getAttributeExpressions();
- allowed = evaluateExpressions(principal, expressions);
+ allowed = evaluateExpressions(principal, expressions, wrapper);
 if (isEntryNegative) {
 allowed = !allowed;
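Review bot: `request.getWrapper()` is read unconditionally at the top of `hasResourcePermission` but is only consumed inside the `hasResourceACLS()` branch, and nothing in the hunk guards against it being null for a request that has not yet been mapped to a servlet. As far as I recall, Tomcat 7's `RealmBase.hasRole(Wrapper, Principal, String)` tolerates a null wrapper, so this is probably safe, but the reason the wrapper is needed at all is not obvious from the code and deserves a comment on the new line, e.g. `// Tomcat 7 hasRole() takes the servlet Wrapper so <security-role-ref> aliases from web.xml can be resolved; may be null for an unmapped request`. The enclosing method starts and ends outside the hunk.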
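Review bot: The comment block above `checkACLPermission` is not updated for the new `Wrapper wrapper` parameter, and the same gap applies to the `evaluateExpression` and `evaluateExpressions` signatures changed in the later hunks of this file. I would add to each, in the file's existing `//` style, a line such as `// wrapper: servlet Wrapper of the current request, forwarded to hasRole(); may be null`. The body of checkACLPermission continues outside the hunk.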
@@ -400,7 +403,7 @@ public class PKIJNDIRealm extends JNDIRealm {
 // Evaluate an expression as part of a PKI ACL
 // Ex: user=anybody , group=Data Recovery Manager Agents
- private boolean evaluateExpression(Principal principal, String expression) {
+ private boolean evaluateExpression(Principal principal, String expression, Wrapper wrapper) {
 boolean allowed = true;
 if (principal == null || expression == null) {
@@ -445,7 +448,7 @@ public class PKIJNDIRealm extends JNDIRealm {
 allowed = false;
 if (left.equals(PROP_GROUP)) {
 // Check JNDI to see if the user has this role/group
- if (hasRole(principal, right)) {
+ if (hasRole(wrapper, principal, right)) {
 allowed = true;
 }
 } else if (left.equals(PROP_USER)) {
@@ -482,7 +485,7 @@ public class PKIJNDIRealm extends JNDIRealm {
 }
 // Take a set of expressions in an ACL and evaluate it
- private boolean evaluateExpressions(Principal principal, String s, Wrapper wrapper) {
+ private boolean evaluateExpressions(Principal principal, String s, Wrapper wrapper) {
 Vector v = new Vector();
@@ -492,7 +495,7 @@ public class PKIJNDIRealm extends JNDIRealm {
 // this is the last expression
 if (orIndex == -1 && andIndex == -1) {
- boolean passed = evaluateExpression(principal, s.trim());
+ boolean passed = evaluateExpression(principal, s.trim(), wrapper);
 v.addElement(Boolean.valueOf(passed));
 break;
@@ -500,7 +503,7 @@ public class PKIJNDIRealm extends JNDIRealm {
 // || first
 } else if (andIndex == -1 || (orIndex != -1 && orIndex < andIndex)) {
 String s1 = s.substring(0, orIndex);
- boolean passed = evaluateExpression(principal, s1.trim());
+ boolean passed = evaluateExpression(principal, s1.trim(), wrapper);
 v.addElement(Boolean.valueOf(passed));
 v.addElement("||");
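Review bot: Switching to `hasRole(wrapper, principal, right)` is not a pure API port: with a non-null wrapper, Tomcat 7's `RealmBase` first maps the role name through the servlet's `<security-role-ref>` links (via `Wrapper.findSecurityReference`) before checking it, so an ACL group such as `Data Recovery Manager Agents` is now evaluated against whatever role a web.xml role-ref of that name points to, whereas the old two-argument call checked the literal group name. That is probably what the commit intends, but it means a web.xml edit can silently redirect an ACL check, which is worth stating at the call site: `// Note: passing the wrapper lets Tomcat apply <security-role-ref> mappings before the group lookup`. If role-ref translation is not wanted for ACL groups, passing `null` as the wrapper should, as far as I can tell, preserve the literal semantics. The enclosing method starts and ends outside the hunk.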
@@ -508,7 +511,7 @@ public class PKIJNDIRealm extends JNDIRealm {
 // && first
 } else {
 String s1 = s.substring(0, andIndex);
- boolean passed = evaluateExpression(principal, s1.trim());
+ boolean passed = evaluateExpression(principal, s1.trim(), wrapper);
 v.addElement(Boolean.valueOf(passed));
 v.addElement("&&");
-- cgit