Skip to content

REST API Authorization

Endi S. Dewata edited this page Oct 12, 2021 · 1 revision

Overview

PKI uses Tomcat and RESTEasy to provide REST API authorization.

Interceptor

PKI executes several pre-process interceptors before executing a REST method to verify whether the user has the required authorization:

  • authentication method verification

  • group membership (access control list) verification

Authentication Method Mapping

The @AuthMethodMapping annotation is used to map a REST method to a list of allowed authentication methods.

@Path("")
public interface CertResource {

    @GET
    @Path("agent/certs/{id}")
    @Produces({ MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON })
    @ACLMapping("agent.certs")
    @AuthMethodMapping("agent")
    public CertData reviewCert(@PathParam("id") CertId id);

}

The list can be stored in <instance>/<subsystem>/conf/auth-method.properties. By default it will use the following configuration:

default = *
account = certUserDBAuthMgr,passwdUserDBAuthMgr
admin = certUserDBAuthMgr
agent = certUserDBAuthMgr
securityDomain.installToken = passwdUserDBAuthMgr

The AuthMethodInterceptor will validate the actual authentication method used by the user against the list.

ACL Verification

The @ACLMapping annotation is used to map a REST method to a list of ACL’s. The list is stored in WEB-INF/auth.properties, for example:

account.login = certServer.ca.account,login
account.logout = certServer.ca.account,logout
admin.users = certServer.ca.users,execute
admin.groups = certServer.ca.groups,execute
admin.kraconnector = certServer.ca.connectorInfo,modify
agent.certrequests = certServer.ca.certrequests,execute
agent.certs = certServer.ca.certs,execute
securityDomain.installToken = certServer.securitydomain.domainxml,read

The ACLInterceptor will validate whether the user belongs to the group specified in the ACL and has permission to execute the operation.

Clone this wiki locally