From 2c8418e962148abbd45f51f968bb1dbc826a641d Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Wed, 25 May 2016 18:53:22 -0400
Subject: Change legacy requests servlet to check realm The legacy KRA servlet has been modified to check the realm if present in the request, or only return non-realm requests if not present. No attempt is made to fix the error reporting of the servlet. As such, an authz failure due to the realm check is handled in the same way that other authz failures are handled.
---
 .../com/netscape/cms/servlet/request/QueryReq.java | 26 ++++++++++++++++++++++
 1 file changed, 26 insertions(+)
(limited to 'base/server/cms/src/com')
diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java
index 09bf3a0b8..146db7b3b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/request/QueryReq.java
@@ -32,6 +32,7 @@ import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authorization.AuthzToken;
 import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzException;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IArgBlock;
 import com.netscape.certsrv.common.ICMSRequest;
@@ -45,6 +46,7 @@ import com.netscape.cms.servlet.common.CMSRequest;
 import com.netscape.cms.servlet.common.CMSTemplate;
 import com.netscape.cms.servlet.common.CMSTemplateParams;
 import com.netscape.cms.servlet.common.ECMSGWException;
+import com.netscape.cmsutil.ldap.LDAPUtil;
 /**
 * Show paged list of requests matching search criteria
@@ -67,6 +69,7 @@ public class QueryReq extends CMSServlet {
 private final static String IN_MAXCOUNT = "maxCount";
 private final static String IN_TOTALCOUNT = "totalRecordCount";
 private final static String PROP_PARSER = "parser";
+ private final static String REALM = "realm";
 private final static String TPL_FILE = "queryReq.template";
@@ -232,6 +235,20 @@ public class QueryReq extends CMSServlet {
 return;
 }
+ String realm = null;
+ if (mAuthority.getId().equals("kra")) {
+ // for the KRA, check the realm (if present)
+ realm = req.getParameter(REALM);
+ try {
+ mAuthz.checkRealm(realm, authToken, null, mAuthzResourceName, "list");
+ } catch (EAuthzException e) {
+ log(ILogger.LL_FAILURE,
+ CMS.getLogMessage("ADMIN_SRVLT_AUTH_FAILURE", e.toString()));
+ cmsReq.setStatus(ICMSRequest.UNAUTHORIZED);
+ return;
+ }
+ }
+
 CMSTemplate form = null;
 Locale[] locale = new Locale[1];
@@ -269,6 +286,15 @@ public class QueryReq extends CMSServlet {
 getRequestType(reqType) + ")";
 }
+ if (mAuthority.getId().equals("kra")) {
+ // add realm to filter for KRA requests
+ if (realm != null) {
+ filter = "(&" + filter + "(realm=" + LDAPUtil.escapeFilter(realm) +"))";
+ } else {
+ filter = "(&" + filter + "(!(realm=*)))";
+ }
+ }
+
 String direction = "begin";
 if (req.getParameter("direction") != null) {
 direction = req.getParameter("direction").trim();
-- cgit
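Review bot: In the `@@ -232,6 +235,20 @@` hunk an empty or whitespace-only `realm` parameter is treated as a real realm, because the value from `req.getParameter(REALM)` goes to `mAuthz.checkRealm` untrimmed and the later filter hunk then emits `(realm=)` instead of taking the `(!(realm=*))` branch. Normalising it once, before the check, keeps the authorization decision and the search filter on the same value: `if (realm != null && realm.trim().isEmpty()) realm = null;` (or reject the request outright). The comment says the realm is checked "if present", yet `checkRealm` is called even when `realm` is null; its null handling is not visible in this diff, so a comment stating what it does for a null realm would remove the ambiguity. The enclosing method starts and ends outside the hunk.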
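Review bot: In the `@@ -269,6 +286,15 @@` hunk the realm clause is wrapped around whatever `filter` already holds, so the restriction is only as sound as that string being one balanced filter component; the code that builds it from `reqType` and the other search parameters lies outside the hunk and could not be checked here. `realm` itself is escaped with `LDAPUtil.escapeFilter`, and any earlier operand that is not mapped to a fixed value deserves the same treatment. The `mAuthority.getId().equals("kra")` test is also repeated from the realm-check hunk; evaluating it once, `final boolean isKra = "kra".equals(mAuthority.getId());`, and using that local in both places keeps the authorization check and the filter from drifting apart and tolerates a null id. A comment on the else branch, `// no realm requested: return only requests that carry no realm attribute`, would make the intended default explicit.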