From cb209df95c4dee11f2a912e20b417fa3bc41c88f Mon Sep 17 00:00:00 2001
From: Endi Sukma Dewata <edewata@redhat.com>
Date: Wed, 10 Oct 2012 04:38:05 -0500
Subject: Added ACLInterceptor.

Previously ACL checking was done in PKIRealm by matching the URL.
This code has been replaced by ACLInterceptor which will intercept
RESTEasy method invocations. This allows more precise mapping of
REST methods to ACL entries in acl.ldif.

Ticket #287
---
 base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties | 12 ++++++------
 base/ocsp/src/com/netscape/ocsp/OCSPApplication.java  |  4 ++++
 2 files changed, 10 insertions(+), 6 deletions(-)

(limited to 'base/ocsp')

diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
index 8eda09bc3..cd2e14058 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/auth.properties
@@ -1,10 +1,10 @@
 # Restful API auth/authz mapping info
 #
 # Format:
-# <Rest API URL> = <ACL Resource ID>,<ACL resource operation>
-# ex:      /kra/pki/key/retrieve = certServer.kra.pki.key.retrieve,execute
+# <ACL Mapping> = <ACL Resource ID>,<ACL Resource Operation>
+# ex:      admin.users = certServer.ca.users,read
 
-/ocsp/rest/account/login = certServer.ocsp.account,login
-/ocsp/rest/account/logout = certServer.ocsp.account,logout
-/ocsp/rest/admin/users = certServer.ocsp.users,execute
-/ocsp/rest/admin/groups = certServer.ocsp.groups,execute
+account.login = certServer.ocsp.account,login
+account.logout = certServer.ocsp.account,logout
+admin.users = certServer.ocsp.users,execute
+admin.groups = certServer.ocsp.groups,execute
diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
index e6816721c..21b37f801 100644
--- a/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
+++ b/base/ocsp/src/com/netscape/ocsp/OCSPApplication.java
@@ -5,6 +5,7 @@ import java.util.Set;
 
 import javax.ws.rs.core.Application;
 
+import com.netscape.certsrv.acls.ACLInterceptor;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.cms.servlet.account.AccountService;
 import com.netscape.cms.servlet.admin.GroupMemberService;
@@ -38,6 +39,9 @@ public class OCSPApplication extends Application {
 
         // exception mapper
         classes.add(PKIException.Mapper.class);
+
+        // ACL interceptor
+        singletons.add(new ACLInterceptor());
     }
 
     public Set<Class<?>> getClasses() {
-- 
cgit