From bdcfb92bbc03dd40c1052bf2e6ad372e4daf134a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 11 Oct 2013 14:51:57 -0400
Subject: Added access control for TPS token.

The TPS token REST interface has been modified to require client certificate
authentication. TPS admins, agents, and operators are allowed to view tokens,
but only admins are allowed to add and remove tokens, and only agents are
allowed to modify tokens.
---
 .../cms/authorization/AuthMethodInterceptor.java   | 24 ++++++++++++----------
 1 file changed, 13 insertions(+), 11 deletions(-)

(limited to 'base/server/cms/src/com')

diff --git a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
index c42ba26d0..fa2648bc7 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/AuthMethodInterceptor.java
@@ -48,7 +48,7 @@ import com.netscape.cms.realm.PKIPrincipal;
 @Provider
 public class AuthMethodInterceptor implements ContainerRequestFilter {
 
-    Properties authProperties;
+    Properties authMethodProperties;
 
     @Context
     ServletContext servletContext;
@@ -58,22 +58,24 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
 
     public synchronized void loadAuthProperties() throws IOException {
 
-        if (authProperties != null)
+        if (authMethodProperties != null)
             return;
 
-        authProperties = new Properties();
+        authMethodProperties = new Properties();
 
         URL url = servletContext.getResource("/WEB-INF/auth-method.properties");
 
         if (url == null) {
-            authProperties.put("default", "*");
-            authProperties.put("account", "certUserDBAuthMgr,passwdUserDBAuthMgr");
-            authProperties.put("admin", "certUserDBAuthMgr");
-            authProperties.put("agent", "certUserDBAuthMgr");
-            authProperties.put("profiles", "certUserDBAuthMgr");
-            authProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr");
+            authMethodProperties.put("default", "*");
+            authMethodProperties.put("account", "certUserDBAuthMgr,passwdUserDBAuthMgr");
+            authMethodProperties.put("admin", "certUserDBAuthMgr");
+            authMethodProperties.put("agent", "certUserDBAuthMgr");
+            authMethodProperties.put("profiles", "certUserDBAuthMgr");
+            authMethodProperties.put("securityDomain.installToken", "passwdUserDBAuthMgr");
+            authMethodProperties.put("tokens", "certUserDBAuthMgr");
+
         } else {
-            authProperties.load(url.openStream());
+            authMethodProperties.load(url.openStream());
         }
     }
 
@@ -108,7 +110,7 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
         try {
             loadAuthProperties();
 
-            String value = authProperties.getProperty(name);
+            String value = authMethodProperties.getProperty(name);
             Collection<String> authMethods = new HashSet<String>();
             if (value != null) {
                 for (String v : value.split(",")) {
-- 
cgit