From 8eb2eac080c2e9595b506f49f25d2c1718453bbc Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata Date: Tue, 21 Aug 2012 17:38:29 -0500 Subject: Added proxy realm. CMS engine is a singleton and it's used by PKI realm to authenticate users accessing the subsystem. Since a Tomcat instance may contain multiple subsystems, each having separate realm, the PKI JAR links need to be moved into WEB-INF/lib so that they will run inside separate class loaders. Tomcat also requires that the authenticator and realm classes be available in common/lib. To address this a new package pki-tomcat.jar has been added. The package contains the authenticator and a proxy realm. When the subsystems start running, they will register their own realms into the proxy realms such that the authentications will be forwarded to the appropriate subsystems. Ticket #89 --- base/deploy/scripts/operations | 52 +++++++++++----- base/deploy/src/scriptlets/instance_layout.py | 14 +---- base/deploy/src/scriptlets/pkiparser.py | 83 +++++++++++-------------- base/deploy/src/scriptlets/webapp_deployment.py | 12 ++++ 4 files changed, 88 insertions(+), 73 deletions(-) (limited to 'base/deploy') diff --git a/base/deploy/scripts/operations b/base/deploy/scripts/operations index bb573fcaf..61e4e5de9 100644 --- a/base/deploy/scripts/operations +++ b/base/deploy/scripts/operations @@ -951,11 +951,10 @@ verify_symlinks() pki_registry_dir="/etc/sysconfig/pki/${PKI_WEB_SERVER_TYPE}/${PKI_INSTANCE_ID}" pki_systemd_dir="/etc/systemd/system/pki-tomcatd.target.wants" pki_systemd_link="pki-${PKI_WEB_SERVER_TYPE}d@${PKI_INSTANCE_ID}.service" - # FUTURE: "pki__webapps_jar_dir" directories - pki_ca_jar_dir="${pki_common_jar_dir}" - pki_kra_jar_dir="${pki_common_jar_dir}" - pki_ocsp_jar_dir="${pki_common_jar_dir}" - pki_tks_jar_dir="${pki_common_jar_dir}" + pki_ca_jar_dir="${PKI_INSTANCE_PATH}/webapps/ca/WEB-INF/lib" + pki_kra_jar_dir="${PKI_INSTANCE_PATH}/webapps/kra/WEB-INF/lib" + pki_ocsp_jar_dir="${PKI_INSTANCE_PATH}/webapps/ocsp/WEB-INF/lib" + pki_tks_jar_dir="${PKI_INSTANCE_PATH}/webapps/tks/WEB-INF/lib" # '${PKI_INSTANCE_PATH}' symlinks base_symlinks=( @@ -977,7 +976,14 @@ verify_symlinks() [webapps]=${PKI_INSTANCE_PATH}/webapps) # '${pki_ca_jar_dir}' symlinks - ca_jar_symlinks[pki-ca.jar]=/usr/share/java/pki/pki-ca.jar + ca_jar_symlinks=( + [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar + [pki-cms.jar]=${java_dir}/pki/pki-cms.jar + [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar + [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar + [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar + [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar + [pki-ca.jar]=${java_dir}/pki/pki-ca.jar) # '${PKI_INSTANCE_PATH}/kra' symlinks kra_symlinks=( @@ -988,7 +994,14 @@ verify_symlinks() [webapps]=${PKI_INSTANCE_PATH}/webapps) # '${pki_kra_jar_dir}' symlinks - kra_jar_symlinks[pki-kra.jar]=/usr/share/java/pki/pki-kra.jar + kra_jar_symlinks=( + [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar + [pki-cms.jar]=${java_dir}/pki/pki-cms.jar + [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar + [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar + [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar + [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar + [pki-kra.jar]=${java_dir}/pki/pki-kra.jar) # '${PKI_INSTANCE_PATH}/ocsp' symlinks ocsp_symlinks=( @@ -999,7 +1012,14 @@ verify_symlinks() [webapps]=${PKI_INSTANCE_PATH}/webapps) # '${pki_ocsp_jar_dir}' symlinks - ocsp_jar_symlinks[pki-ocsp.jar]=/usr/share/java/pki/pki-ocsp.jar + ocsp_jar_symlinks=( + [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar + [pki-cms.jar]=${java_dir}/pki/pki-cms.jar + [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar + [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar + [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar + [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar + [pki-ocsp.jar]=${java_dir}/pki/pki-ocsp.jar) # '${PKI_INSTANCE_PATH}/tks' symlinks tks_symlinks=( @@ -1010,7 +1030,14 @@ verify_symlinks() [webapps]=${PKI_INSTANCE_PATH}/webapps) # '${pki_tks_jar_dir}' symlinks - tks_jar_symlinks[pki-tks.jar]=/usr/share/java/pki/pki-tks.jar + tks_jar_symlinks=( + [pki-certsrv.jar]=${java_dir}/pki/pki-certsrv.jar + [pki-cms.jar]=${java_dir}/pki/pki-cms.jar + [pki-cmsbundle.jar]=${java_dir}/pki/pki-cmsbundle.jar + [pki-cmscore.jar]=${java_dir}/pki/pki-cmscore.jar + [pki-cmsutil.jar]=${java_dir}/pki/pki-cmsutil.jar + [pki-nsutil.jar]=${java_dir}/pki/pki-nsutil.jar + [pki-tks.jar]=${java_dir}/pki/pki-tks.jar) # '${pki_common_jar_dir}' symlinks common_jar_symlinks=( @@ -1025,12 +1052,7 @@ verify_symlinks() [jettison.jar]=${java_dir}/jettison.jar [jss4.jar]=${jni_dir}/jss4.jar [ldapjdk.jar]=${java_dir}/ldapjdk.jar - [pki-certsrv.jar]=/usr/share/java/pki/pki-certsrv.jar - [pki-cms.jar]=/usr/share/java/pki/pki-cms.jar - [pki-cmsbundle.jar]=/usr/share/java/pki/pki-cmsbundle.jar - [pki-cmscore.jar]=/usr/share/java/pki/pki-cmscore.jar - [pki-cmsutil.jar]=/usr/share/java/pki/pki-cmsutil.jar - [pki-nsutil.jar]=/usr/share/java/pki/pki-nsutil.jar + [pki-tomcat.jar]=${java_dir}/pki/pki-tomcat.jar [resteasy-atom-provider.jar]=${resteasy_java_dir}/resteasy-atom-provider.jar [resteasy-jaxb-provider.jar]=${resteasy_java_dir}/resteasy-jaxb-provider.jar [resteasy-jaxrs.jar]=${resteasy_java_dir}/resteasy-jaxrs.jar diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py index d29b2d2d2..8fd0396bc 100644 --- a/base/deploy/src/scriptlets/instance_layout.py +++ b/base/deploy/src/scriptlets/instance_layout.py @@ -97,18 +97,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_jss_jar_link']) util.symlink.create(master['pki_ldapjdk_jar'], master['pki_ldapjdk_jar_link']) - util.symlink.create(master['pki_certsrv_jar'], - master['pki_certsrv_jar_link']) - util.symlink.create(master['pki_cmsbundle'], - master['pki_cmsbundle_jar_link']) - util.symlink.create(master['pki_cmscore'], - master['pki_cmscore_jar_link']) - util.symlink.create(master['pki_cms'], - master['pki_cms_jar_link']) - util.symlink.create(master['pki_cmsutil'], - master['pki_cmsutil_jar_link']) - util.symlink.create(master['pki_nsutil'], - master['pki_nsutil_jar_link']) + util.symlink.create(master['pki_tomcat_jar'], + master['pki_tomcat_jar_link']) util.symlink.create(master['pki_resteasy_atom_provider_jar'], master['pki_resteasy_atom_provider_jar_link']) util.symlink.create(master['pki_resteasy_jaxb_provider_jar'], diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index 09424120c..b1daa3b21 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py @@ -689,6 +689,9 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_nsutil'] =\ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, "pki-nsutil.jar") + config.pki_master_dict['pki_tomcat_jar'] =\ + os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, + "pki-tomcat.jar") config.pki_master_dict['pki_resteasy_atom_provider_jar'] =\ os.path.join(config.PKI_DEPLOYMENT_RESTEASY_JAR_SOURCE_ROOT, "resteasy-atom-provider.jar") @@ -768,30 +771,10 @@ def compose_pki_master_dictionary(): os.path.join( config.pki_master_dict['pki_tomcat_common_lib_path'], "ldapjdk.jar") - config.pki_master_dict['pki_certsrv_jar_link'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], - "pki-certsrv.jar") - config.pki_master_dict['pki_cmsbundle_jar_link'] =\ + config.pki_master_dict['pki_tomcat_jar_link'] =\ os.path.join( config.pki_master_dict['pki_tomcat_common_lib_path'], - "pki-cmsbundle.jar") - config.pki_master_dict['pki_cmscore_jar_link'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], - "pki-cmscore.jar") - config.pki_master_dict['pki_cms_jar_link'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], - "pki-cms.jar") - config.pki_master_dict['pki_cmsutil_jar_link'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], - "pki-cmsutil.jar") - config.pki_master_dict['pki_nsutil_jar_link'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], - "pki-nsutil.jar") + "pki-tomcat.jar") config.pki_master_dict['pki_resteasy_atom_provider_jar_link'] =\ os.path.join( config.pki_master_dict['pki_tomcat_common_lib_path'], @@ -931,58 +914,66 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], "WEB-INF", "lib") + config.pki_master_dict['pki_certsrv_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_webinf_lib_path'], + "pki-certsrv.jar") + config.pki_master_dict['pki_cmsbundle_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_webinf_lib_path'], + "pki-cmsbundle.jar") + config.pki_master_dict['pki_cmscore_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_webinf_lib_path'], + "pki-cmscore.jar") + config.pki_master_dict['pki_cms_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_webinf_lib_path'], + "pki-cms.jar") + config.pki_master_dict['pki_cmsutil_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_webinf_lib_path'], + "pki-cmsutil.jar") + config.pki_master_dict['pki_nsutil_jar_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_webinf_lib_path'], + "pki-nsutil.jar") # Tomcat PKI subsystem war file convenience symbolic links if config.pki_master_dict['pki_subsystem'] == "CA": config.pki_master_dict['pki_ca_jar'] =\ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, "pki-ca.jar") - # config.pki_master_dict['pki_ca_jar_link'] =\ - # os.path.join( - # config.pki_master_dict\ - # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], - # "pki-ca.jar") config.pki_master_dict['pki_ca_jar_link'] =\ os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_lib_path'], "pki-ca.jar") elif config.pki_master_dict['pki_subsystem'] == "KRA": config.pki_master_dict['pki_kra_jar'] =\ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, "pki-kra.jar") - # config.pki_master_dict['pki_kra_jar_link'] =\ - # os.path.join( - # config.pki_master_dict\ - # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], - # "pki-kra.jar") config.pki_master_dict['pki_kra_jar_link'] =\ os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_lib_path'], "pki-kra.jar") elif config.pki_master_dict['pki_subsystem'] == "OCSP": config.pki_master_dict['pki_ocsp_jar'] =\ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, "pki-ocsp.jar") - # config.pki_master_dict['pki_ocsp_jar_link'] =\ - # os.path.join( - # config.pki_master_dict\ - # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], - # "pki-ocsp.jar") config.pki_master_dict['pki_ocsp_jar_link'] =\ os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_lib_path'], "pki-ocsp.jar") elif config.pki_master_dict['pki_subsystem'] == "TKS": config.pki_master_dict['pki_tks_jar'] =\ os.path.join(config.PKI_DEPLOYMENT_PKI_JAR_SOURCE_ROOT, "pki-tks.jar") - # config.pki_master_dict['pki_tks_jar_link'] =\ - # os.path.join( - # config.pki_master_dict\ - # ['pki_tomcat_webapps_subsystem_webinf_lib_path'], - # "pki-tks.jar") config.pki_master_dict['pki_tks_jar_link'] =\ os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_lib_path'], "pki-tks.jar") # PKI Target (slot substitution) name/value pairs config.pki_master_dict['pki_target_cs_cfg'] =\ diff --git a/base/deploy/src/scriptlets/webapp_deployment.py b/base/deploy/src/scriptlets/webapp_deployment.py index 17b1bc349..cc2086fc7 100644 --- a/base/deploy/src/scriptlets/webapp_deployment.py +++ b/base/deploy/src/scriptlets/webapp_deployment.py @@ -68,6 +68,18 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.directory.create( master['pki_tomcat_webapps_subsystem_webinf_lib_path']) # establish Tomcat webapps subsystem WEB-INF lib symbolic links + util.symlink.create(master['pki_certsrv_jar'], + master['pki_certsrv_jar_link']) + util.symlink.create(master['pki_cmsbundle'], + master['pki_cmsbundle_jar_link']) + util.symlink.create(master['pki_cmscore'], + master['pki_cmscore_jar_link']) + util.symlink.create(master['pki_cms'], + master['pki_cms_jar_link']) + util.symlink.create(master['pki_cmsutil'], + master['pki_cmsutil_jar_link']) + util.symlink.create(master['pki_nsutil'], + master['pki_nsutil_jar_link']) if master['pki_subsystem'] == "CA": util.symlink.create(master['pki_ca_jar'], master['pki_ca_jar_link']) -- cgit