REST API Authorization - dogtagpki/pki GitHub Wiki
PKI uses Tomcat and RESTEasy to provide REST API authorization.
PKI executes several pre-process interceptors before executing a REST method to verify whether the user has the required authorization:
- authentication method verification
- group membership (access control list) verification
See also PreProcessInterceptor.
The `@AuthMethodMapping` annotation is used to map a REST method to a list of allowed authentication methods:

```java
@Path("")
public interface CertResource {

    @GET
    @Path("agent/certs/{id}")
    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
    @ACLMapping("agent.certs")
    @AuthMethodMapping("agent")
    public CertData reviewCert(@PathParam("id") CertId id);
}
```
The list can be stored in `<instance>/<subsystem>/conf/auth-method.properties`. By default it will use the following configuration:

```properties
default = *
account = certUserDBAuthMgr,passwdUserDBAuthMgr
admin = certUserDBAuthMgr
agent = certUserDBAuthMgr
securityDomain.installToken = passwdUserDBAuthMgr
```
The `AuthMethodInterceptor` will validate the actual authentication method used by the user against the list.
The `@ACLMapping` annotation is used to map a REST method to a list of ACLs. The list is stored in `WEB-INF/auth.properties`, for example:

```properties
account.login = certServer.ca.account,login
account.logout = certServer.ca.account,logout
admin.users = certServer.ca.users,execute
admin.groups = certServer.ca.groups,execute
admin.kraconnector = certServer.ca.connectorInfo,modify
agent.certrequests = certServer.ca.certrequests,execute
agent.certs = certServer.ca.certs,execute
securityDomain.installToken = certServer.securitydomain.domainxml,read
```
The `ACLInterceptor` will validate whether the user belongs to the group specified in the ACL and has permission to execute the operation.
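The two lookups performed by `AuthMethodInterceptor` and `ACLInterceptor`, modelled as an added example (this is not Dogtag's own code). It assumes that a mapping name missing from `auth-method.properties` falls back to the `default` entry, that `*` allows any authentication method, and that an unmapped ACL name is denied; the `SAMPLE_ACLS` table is constructed sample data, not a real Dogtag ACL resource.

```python
# Added example (not Dogtag's own code): models the two lookups described above.
# Assumptions: a mapping name missing from auth-method.properties falls back to
# "default"; "*" allows any authentication method; an unmapped ACL name is denied.
# SAMPLE_ACLS is constructed sample data, not a real Dogtag ACL resource.

# Default contents of auth-method.properties as shown on the page.
AUTH_METHOD_PROPERTIES = """
default = *
account = certUserDBAuthMgr,passwdUserDBAuthMgr
admin = certUserDBAuthMgr
agent = certUserDBAuthMgr
securityDomain.installToken = passwdUserDBAuthMgr
"""

# Two entries of WEB-INF/auth.properties from the page (ACL name -> resource,operation).
ACL_PROPERTIES = """
agent.certs = certServer.ca.certs,execute
securityDomain.installToken = certServer.securitydomain.domainxml,read
"""

# Constructed ACL table: resource -> operation -> groups allowed to perform it.
SAMPLE_ACLS = {
    "certServer.ca.certs": {"execute": {"Certificate Manager Agents"}},
    "certServer.securitydomain.domainxml": {"read": {"Security Domain Administrators"}},
}

def parse_properties(text):
    """Parse simple 'key = value' lines into a dict, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def auth_method_allowed(mapping, auth_method, props):
    """AuthMethodInterceptor check: is the method the user actually used in the allowed list?"""
    allowed = props.get(mapping, props.get("default", ""))
    methods = {m.strip() for m in allowed.split(",") if m.strip()}
    return "*" in methods or auth_method in methods

def acl_allowed(mapping, user_groups, props, acls):
    """ACLInterceptor check: resolve the ACL name to resource,operation and test group membership."""
    entry = props.get(mapping)
    if entry is None:
        return False  # unmapped ACL name: deny rather than fail open
    resource, _, operation = entry.partition(",")
    groups = acls.get(resource.strip(), {}).get(operation.strip(), set())
    return bool(groups & set(user_groups))
```

With the page's configuration, `reviewCert` (mapped to `agent`) is reachable only with `certUserDBAuthMgr`, so a password-authenticated session is rejected before the ACL is even consulted.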