-
Notifications
You must be signed in to change notification settings - Fork 137
REST API Authorization
PKI uses Tomcat and RESTEasy to provide REST API authorization.
PKI executes several pre-process interceptors before executing a REST method to verify whether the user has the required authorization:
-
authentication method verification
-
group membership (access control list) verification
See also PreProcessInterceptor.
The @AuthMethodMapping
annotation is used to map a REST method to a list of allowed authentication methods.
@Path("") public interface CertResource { @GET @Path("agent/certs/{id}") @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON }) @ACLMapping("agent.certs") @AuthMethodMapping("agent") public CertData reviewCert(@PathParam("id") CertId id); }
The list can be stored in <instance>/<subsystem>/conf/auth-method.properties
. By default it will use the following configuration:
default = * account = certUserDBAuthMgr,passwdUserDBAuthMgr admin = certUserDBAuthMgr agent = certUserDBAuthMgr securityDomain.installToken = passwdUserDBAuthMgr
The AuthMethodInterceptor
will validate the actual authentication method used by the user against the list.
The @ACLMapping
annotation is used to map a REST method to a list of ACL’s. The list is stored in WEB-INF/auth.properties
, for example:
account.login = certServer.ca.account,login account.logout = certServer.ca.account,logout admin.users = certServer.ca.users,execute admin.groups = certServer.ca.groups,execute admin.kraconnector = certServer.ca.connectorInfo,modify agent.certrequests = certServer.ca.certrequests,execute agent.certs = certServer.ca.certs,execute securityDomain.installToken = certServer.securitydomain.domainxml,read
The ACLInterceptor
will validate whether the user belongs to the group specified in the ACL and has permission to execute the operation.
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |