Some comments inline, although most of this was discussed on #irc.
I have added two additional patches which are to be applied on top
of 258-293.
294: This patch fixes the problems identified in this review. In
particular:
Review comments addressed:
1. when archiving or generating keys, realm is checked
2. when no plugin is found for a realm, access is denied.
3. rename mFoo to foo for new variables.
4. add chaining of exceptions
5. remove attributes from KeyArchivalRequest etc. when realm is
null
6. Add more detail to denial in BasicGroupAuthz
295 - Adds the ability for authz plugins to support multiple realms.
In particular, the authorize() command has been extended to allow
the realm to be passed in, and the ACL plugins have been modified
to account for the realm.
Please review,
Thanks,
Ade
On Mon, 2016-04-18 at 18:28 -0500, Endi Sukma Dewata wrote:
> On 4/18/2016 12:09 PM, Ade Lee wrote:
> > As promised, wiki documentation for this feature provided below:
> >
> > http://pki.fedoraproject.org/wiki/Kra_authz_realm
> >
> > Ade
> >
> > On Sat, 2016-04-16 at 17:24 -0400, Ade Lee wrote:
> > > This is the main series of patches that implements fine grained
> > > authorization in the KRA as described in :
> > >
> > > https://pagure.io/test_dogtag_designs/pull-request/5
> > >
> > > I'll be moving this design to the wiki and adding some additional
> > > documentation and test scripts shortly.
> > >
> > > More to come including :
> > > 1. authz for the modify method in the Key service.
> > > 2. new VLV indexes
> > > 3. database migration script
> > > 4. Man page updates
> > > 5. Python unit tests for the Python CLI changes
> > >
> > > Please review,
> > >
> > > Thanks,
> > > Ade
>
> Here are some initial questions/comments (I have not tested the
> code):
>
> 1. According to the design agent1 is not in barbican realm but it can
> create secrets in that realm. So agent1 is like a non-agent user in
> barbican realm, but right now we don't really have a regular user
> role
> in KRA. Should we, at least for now, require realm membership to
> create/access the secrets in the realm?
>
Done - page updated. This actually makes things simpler. As things
were before, it was possible to create a secret - and then not be able
to list it if you were not part of the realm. You could retrieve it by
ID (because you owned it), but not list it.
With the above requirement in place, this confusing scenario no longer
exists.
> 2. In the design could you specify which command generates which
> key/request ID? It would make it easier to understand the example.
Done
>
> 3. To simplify the terminology, can we call the non-barbican realm
> the
> "default/common" realm? So all agents belong to the default realm and
> they can access common secrets.
>
> 4. Let's remove the "m" prefix for the newly added fields in
> ARequestRecord, KeyRecord, and BasicGroupAuthz.
>
Done
> 5. The null assignments for BasicGroupAuthz's fields are redundant.
>
Done
> 6. To help troubleshooting the exception in BasicGroupAuthz we should
> clarify why the access was denied.
>
> if (!group.isMember(user)) {
> throw new EAuthzAccessDenied("Access denied");
> }
>
Added debug statement
> 7. As mentioned in #1, we probably should validate the ownership only
> after we validate the realm membership.
>
> // if record owner == requester, SUCCESS
> if ((owner != null) &&
> owner.equals(authToken.getInString(IAuthToken.USER_ID)))
> return;
>
Incorrect - as we discussed.
> 8. This code is a bit risky since a typo will allow any agent to
> access
> the secrets in the realm.
>
> String mgrName = getAuthzManagerByRealm(realm);
> // if no authz manager for this realm, SUCCESS by default
> if (mgrName == null) return;
>
> I think if realm is specified it must have a corresponding plugin.
>
Done
> 9. In setRealm() in KeyArchivalRequest/KeyGenerationRequest we
> probably
> want to remove the attribute if realm is null.
>
Done
> 10. With #9 it's no longer necessary to check if realm is null in
> KeyClient:
>
> if (realm != null) {
> data.setRealm(realm);
> }
>
Done
> 11. The original exception should be chained to help troubleshooting:
>
> } catch (EDBRecordNotFoundException e) {
> throw new KeyNotFoundException(keyId);
> }
>
> } catch (EAuthzAccessDenied e) {
> throw new UnauthorizedException("Not authorized to get request");
> }
>
> There are a few of these in some of the patches.
>
Done
> 12. It's probably an existing code, but I think we can remove the
> try-catch block:
>
> IRequest request = null;
> try {
> request = queue.findRequest(new RequestId(requestId));
> } catch (EBaseException e) {
> }
>
> I think the issues that require some consideration are #1, #7, and #8.
> If we agree on those I'd ACK the patches. The others are minor.
From 06661a298272a3773bc3b276280f983f2146d097 Mon Sep 17 00:00:00 2001
From: Ade Lee <[email protected]>
Date: Tue, 19 Apr 2016 22:32:33 -0400
Subject: [PATCH 295/295] Realm: allow auth instances to support multiple
realms
In practice, most folks will use something like DirAclAuthz
to manage their realm. Rather than requiring a new authz plugin
for each realm, we allow the authz plugin to support multiple
realms (as a comma separated list).
For the Acl plugins in particular, we expand the authorize call
to allow the caller to pass in the realm as well as the resource
and operation. The resource queried would then be constructed on
the fly as realm.resource
Examples will be provided in the wiki page.
Trac Ticket 2041
---
.../certsrv/authorization/IAuthzSubsystem.java | 3 +++
.../server/kra/rest/KeyRequestService.java | 8 +++----
.../org/dogtagpki/server/kra/rest/KeyService.java | 6 ++---
.../netscape/cms/servlet/key/KeyRequestDAO.java | 12 +++++-----
.../cmscore/authorization/AuthzSubsystem.java | 27 ++++++++++++++++++----
5 files changed, 38 insertions(+), 18 deletions(-)
diff --git a/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java b/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
index 156643897a07890eb7edd9555b3061a720322b71..c7d8df56bbfb1bf8af6c51ce491fc1384560b4a8 100644
--- a/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
+++ b/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
@@ -80,6 +80,9 @@ public interface IAuthzSubsystem extends ISubsystem {
public AuthzToken authorize(String authzMgrName, IAuthToken authToken,
String exp) throws EBaseException;
+ public AuthzToken authorize(String authzMgrName, IAuthToken authToken,
+ String resource, String operation, String realm) throws EBaseException;
+
/**
* Authorize the user against the specified realm. Looks for authz manager
* associated with the plugin and authenticates if present.
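Review bot: the new five-argument authorize() is added to the interface without a Javadoc comment, while the surrounding methods carry one (the comment block that immediately follows belongs to the next method). Document that when realm is non-null the resource handed to the manager becomes realm.resource, since that is the name an administrator has to match in the realm's ACLs, for example `@param realm realm whose ACLs are consulted; when non-null the resource checked is realm + "." + resource`.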
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
index 41d78af533b8e94c3e82f6b79d688e32cf3a07e3..103b78923ee9200bed2e0c8608168f35c311df9c 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
@@ -175,7 +175,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
String realm = data.getRealm();
if (realm != null) {
- authz.checkRealm(realm, getAuthToken(), null, "keyRequest", "archive");
+ authz.checkRealm(realm, getAuthToken(), null, "certServer.kra.requests.archival", "execute");
}
response = dao.submitRequest(data, uriInfo, getRequestor());
auditArchivalRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS, data.getClientKeyId());
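Review bot: the resource and operation names are now string literals repeated across KeyRequestService, KeyService and KeyRequestDAO in this patch ("certServer.kra.requests.archival", "certServer.kra.keys", "certServer.kra.key" and so on), so a typo in any one call site yields an ACL resource that no entry matches and the request is denied with nothing pointing at the cause. Define them once as constants (for example on KeyRequestResource or IAuthzSubsystem) and reference the constants from each call site.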
@@ -304,7 +304,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
RequestId start, Integer pageSize, Integer maxResults, Integer maxTime, String realm) {
if (realm != null) {
try {
- authz.checkRealm(realm, getAuthToken(), null, "keyRequests", "list");
+ authz.checkRealm(realm, getAuthToken(), null, "certServer.kra.requests", "list");
} catch (EAuthzAccessDenied e) {
throw new UnauthorizedException("Not authorized to list these requests", e);
} catch (EAuthzUnknownRealm e) {
@@ -468,7 +468,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
}
String realm = data.getRealm();
if (realm != null) {
- authz.checkRealm(realm, getAuthToken(), null, "keyRequest", "generateSymkey");
+ authz.checkRealm(realm, getAuthToken(), null, "certServer.kra.requests.symkey", "execute");
}
response = dao.submitRequest(data, uriInfo, getRequestor());
@@ -502,7 +502,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
}
String realm = data.getRealm();
if (realm != null) {
- authz.checkRealm(realm, getAuthToken(), null, "keyRequest", "generateAsymkey");
+ authz.checkRealm(realm, getAuthToken(), null, "certServer.kra.requests.asymkey", "execute");
}
response = dao.submitRequest(data, uriInfo, getRequestor());
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
index 255d8d614aba2126c1ed89cd952e6cf9f5de3231..74b58b8a2e3c036925e12114d578a4069b136c74 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
@@ -422,7 +422,7 @@ public class KeyService extends PKIService implements KeyResource {
if (realm != null) {
try {
- authz.checkRealm(realm, getAuthToken(), null, "keys", "list");
+ authz.checkRealm(realm, getAuthToken(), null, "certServer.kra.keys", "list");
} catch (EAuthzAccessDenied e) {
throw new UnauthorizedException("Not authorized to list these keys", e);
} catch (EAuthzUnknownRealm e) {
@@ -509,7 +509,7 @@ public class KeyService extends PKIService implements KeyResource {
if (info != null) {
// return the first one, but first confirm that the requester has access to this key
try {
- authz.checkRealm(info.getRealm(), getAuthToken(), info.getOwnerName(), "key", "read");
+ authz.checkRealm(info.getRealm(), getAuthToken(), info.getOwnerName(), "certServer.kra.key", "read");
} catch (EAuthzAccessDenied e) {
throw new UnauthorizedException("Not authorized to read this key", e);
} catch (EBaseException e) {
@@ -681,7 +681,7 @@ public class KeyService extends PKIService implements KeyResource {
IKeyRecord rec = null;
try {
rec = repo.readKeyRecord(keyId.toBigInteger());
- authz.checkRealm(rec.getRealm(), getAuthToken(), rec.getOwnerName(), "key", "read");
+ authz.checkRealm(rec.getRealm(), getAuthToken(), rec.getOwnerName(), "certServer.kra.key", "read");
KeyInfo info = createKeyDataInfo(rec, true);
auditRetrieveKey(ILogger.SUCCESS, null, keyId, auditInfo);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
index 04bb6f2ec35e82fba53e67b661a50c9745285dc7..00e313a80da008ed84f5990cb29680192c3c6cba 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
@@ -169,7 +169,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
}
authz.checkRealm(request.getRealm(), authToken, request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER),
- "keyRequest", "read");
+ "certServer.kra.request", "read");
KeyRequestInfo info = createKeyRequestInfo(request, uriInfo);
return info;
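Review bot: this call uses the singular "certServer.kra.request" while every other request resource in this patch is plural ("certServer.kra.requests" for list in KeyRequestService and for approve/reject/cancel further down in this file). If the singular form is intentional (one request versus the collection), a comment here would help; otherwise an administrator writing ACLs for a realm will only discover the difference by trial.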
@@ -264,7 +264,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
}
try {
- authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "key", "recover");
+ authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "certServer.kra.key", "recover");
} catch (EAuthzUnknownRealm e) {
throw new UnauthorizedException("Invalid realm", e);
} catch (EBaseException e) {
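Review bot: EAuthzUnknownRealm is mapped to UnauthorizedException("Invalid realm") here and in the next hunk, whereas the REST layer in patch 294 maps the same exception to BadRequestException("Invalid realm") (listRequests in KeyRequestService, listKeys in KeyService). Pick one status for an unknown realm: a request naming a realm that no plugin serves is malformed input rather than a failed authorization, so BadRequestException seems the better fit, and the two recover hunks should agree with the services either way.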
@@ -322,7 +322,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
}
try {
- authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "key", "recover");
+ authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "certServer.kra.key", "recover");
} catch (EAuthzUnknownRealm e) {
throw new UnauthorizedException("Invalid realm", e);
} catch (EBaseException e) {
@@ -504,7 +504,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
IRequest request = queue.findRequest(id);
authz.checkRealm(request.getRealm(), authToken,
request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER),
- "keyRequest", "approve");
+ "certServer.kra.requests", "execute");
service.addAgentAsyncKeyRecovery(id.toString(), requestor);
}
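Review bot: approve, reject and cancel all now map to the same pair "certServer.kra.requests"/"execute" (this hunk and the two that follow), replacing the distinct "approve", "reject" and "cancel" operations. An ACL for a realm can therefore no longer grant reject or cancel without also granting approve. If that coarsening is intended, say so in the commit message; otherwise keep separate operations on the shared resource, e.g. `"certServer.kra.requests", "approve"`.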
@@ -514,7 +514,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
String realm = request.getRealm();
authz.checkRealm(realm, authToken,
request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER),
- "keyRequest", "reject");
+ "certServer.kra.requests", "execute");
request.setRequestStatus(RequestStatus.REJECTED);
queue.updateRequest(request);
}
@@ -524,7 +524,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
String realm = request.getRealm();
authz.checkRealm(realm, authToken,
request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER),
- "keyRequest", "cancel");
+ "certServer.kra.requests", "execute");
request.setRequestStatus(RequestStatus.CANCELED);
queue.updateRequest(request);
}
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
index 3544858979ba349dc1506d46193f00b0eeec6449..378777f99d8ffd647a4d4a183c8e96ab11722a9b 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
@@ -17,8 +17,10 @@
// --- END COPYRIGHT BLOCK ---
package com.netscape.cmscore.authorization;
+import java.util.Arrays;
import java.util.Enumeration;
import java.util.Hashtable;
+import java.util.List;
import java.util.Vector;
import org.apache.commons.codec.binary.StringUtils;
@@ -227,7 +229,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
*/
public AuthzToken authorize(
String authzMgrInstName, IAuthToken authToken,
- String resource, String operation)
+ String resource, String operation, String realm)
throws EAuthzMgrNotFound, EBaseException {
AuthzManagerProxy proxy = mAuthzMgrInsts.get(authzMgrInstName);
@@ -243,9 +245,20 @@ public class AuthzSubsystem implements IAuthzSubsystem {
if (authzMgrInst == null) {
throw new EAuthzMgrNotFound(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZMGR_NOT_FOUND", authzMgrInstName));
}
+
+ if ((realm != null) && (resource != null)) {
+ resource = realm + "." + resource;
+ }
return (authzMgrInst.authorize(authToken, resource, operation));
}
+ @Override
+ public AuthzToken authorize(String authzMgrName, IAuthToken authToken, String resource, String operation)
+ throws EBaseException {
+ return authorize(authzMgrName, authToken, resource, operation, null);
+ }
+
+ @Override
public AuthzToken authorize(
String authzMgrInstName, IAuthToken authToken, String exp)
throws EAuthzMgrNotFound, EBaseException {
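Review bot: the realm is concatenated straight into the resource name (`resource = realm + "." + resource;`) with no check that it names a configured realm; that check lives only in checkRealm (the @@ -485 hunk below, which throws EAuthzUnknownRealm). Since the five-argument authorize is now a public interface method, either document that callers must pass a realm already validated by getAuthzManagerByRealm, or perform that lookup here so an unvalidated realm string never reaches the ACL lookup. Also, when resource is null and realm is not, the realm is silently dropped; a CMS.debug() line (or an exception) for that case would make the mistake visible.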
@@ -485,7 +498,7 @@ public class AuthzSubsystem implements IAuthzSubsystem {
throw new EAuthzUnknownRealm("Realm not found");
}
- AuthzToken authzToken = authorize(mgrName, authToken, resource, operation);
+ AuthzToken authzToken = authorize(mgrName, authToken, resource, operation, realm);
if (authzToken == null) {
throw new EAuthzAccessDenied("Not authorized by ACL realm");
}
@@ -496,9 +509,13 @@ public class AuthzSubsystem implements IAuthzSubsystem {
IAuthzManager mgr = proxy.getAuthzManager();
if (mgr != null) {
IConfigStore cfg = mgr.getConfigStore();
- String mgrRealm = cfg.getString(PROP_REALM, null);
- if (StringUtils.equals(mgrRealm, realm)) {
- return mgr.getName();
+ String mgrRealmString = cfg.getString(PROP_REALM, null);
+ if (mgrRealmString == null) continue;
+
+ List<String> mgrRealms = Arrays.asList(mgrRealmString.split(","));
+ for (String mgrRealm : mgrRealms) {
+ if (StringUtils.equals(mgrRealm, realm))
+ return mgr.getName();
}
}
}
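Review bot: `mgrRealmString.split(",")` does not trim, so a config value written as "barbican, ops" yields " ops" and the second realm never matches. Trim each entry before the StringUtils.equals comparison (`if (StringUtils.equals(mgrRealm.trim(), realm))`) and skip empty entries left by a trailing comma. The loop also returns the first instance that lists the realm, so if two instances both list it the second instance's ACLs are never consulted; a debug line for that overlap would save a confusing investigation later.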
--
2.4.3
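The mechanism patch 295 describes, one authz instance serving a comma-separated list of realms and the ACL resource built as realm.resource, modelled below as an added Python example (not Dogtag code: the class and method names are stand-ins for AuthzSubsystem.getAuthzManagerByRealm/authorize/checkRealm, and the ACL table, realm names and group names are constructed sample data). It goes one step beyond the patch by trimming the realm list entries, so a value written as "barbican, ops" still matches "ops".

```python
"""Model of the realm-aware ACL lookup from patch 295.

Added example for this page, not Dogtag code: the class and method names
below are stand-ins for AuthzSubsystem.getAuthzManagerByRealm/authorize/
checkRealm and for a DirAclAuthz-style manager instance.
"""


class UnknownRealmError(Exception):
    """No manager instance lists this realm (EAuthzUnknownRealm in the patch)."""


class AccessDeniedError(Exception):
    """The manager's ACL did not grant the operation (EAuthzAccessDenied)."""


class AclAuthzManager:
    """Stand-in for one authz manager instance: a realm list plus an ACL table."""

    def __init__(self, name, realm_config, acls):
        self.name = name
        self.realm_config = realm_config  # comma-separated list, like PROP_REALM
        self.acls = acls                  # {resource: {operation: {group, ...}}}

    def realms(self):
        # Split on "," as the patch does, but also trim whitespace and drop
        # empty entries; "barbican, ops" then matches "ops", which a bare
        # split(",") would not.
        return [r.strip() for r in self.realm_config.split(",") if r.strip()]

    def authorize(self, groups, resource, operation):
        allowed = self.acls.get(resource, {}).get(operation, set())
        return bool(allowed & set(groups))


class RealmAuthz:
    """Stand-in for the subsystem: maps realm -> manager, prefixes the resource."""

    def __init__(self, managers):
        self.managers = {m.name: m for m in managers}

    def manager_by_realm(self, realm):
        # First instance whose realm list contains the realm, else None.
        for mgr in self.managers.values():
            if realm in mgr.realms():
                return mgr.name
        return None

    def authorize(self, mgr_name, groups, resource, operation, realm=None):
        mgr = self.managers[mgr_name]
        # Same construction as the patch: the ACL resource becomes realm.resource
        # when both parts are present; a null realm leaves the resource untouched.
        if realm is not None and resource is not None:
            resource = f"{realm}.{resource}"
        return mgr.authorize(groups, resource, operation)

    def check_realm(self, realm, groups, resource, operation):
        mgr_name = self.manager_by_realm(realm)
        if mgr_name is None:
            raise UnknownRealmError(f"Realm not found: {realm!r}")
        if not self.authorize(mgr_name, groups, resource, operation, realm):
            raise AccessDeniedError(f"Not authorized by ACL realm {realm!r}")
        return True


def build_demo():
    """Constructed configuration: one manager serving two realms (sample data)."""
    acls = {
        "barbican.certServer.kra.keys": {"list": {"barbican-agents"}},
        "barbican.certServer.kra.requests.archival": {"execute": {"barbican-agents"}},
        "ops.certServer.kra.keys": {"list": {"ops-agents"}},
    }
    # Note the space after the comma: a realistic way to write the config value.
    return RealmAuthz([AclAuthzManager("DirAclAuthz", "barbican, ops", acls)])


def decide(realm, groups, resource, operation):
    """Return 'allow', 'deny' or 'unknown-realm' for one check_realm call."""
    try:
        build_demo().check_realm(realm, groups, resource, operation)
        return "allow"
    except UnknownRealmError:
        return "unknown-realm"
    except AccessDeniedError:
        return "deny"


if __name__ == "__main__":
    for case in [("barbican", ["barbican-agents"], "certServer.kra.keys", "list"),
                 ("ops", ["barbican-agents"], "certServer.kra.keys", "list"),
                 ("nosuch", ["barbican-agents"], "certServer.kra.keys", "list")]:
        print(case[0], "->", decide(*case))
```

The three outcomes mirror the three exits in the patched code: a matching ACL entry under the realm-prefixed resource allows, a manager that serves the realm but whose ACL does not list the caller's group denies, and a realm no instance lists is rejected before any ACL is consulted.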
From 46f415e72f86dd05dd8a9976979e397ede540191 Mon Sep 17 00:00:00 2001
From: Ade Lee <[email protected]>
Date: Tue, 19 Apr 2016 14:52:40 -0400
Subject: [PATCH 294/295] Realms - Address comments from review
Review comments addressed:
1. when archiving or generating keys, realm is checked
2. when no plugin is found for a realm, access is denied.
3. rename mFoo to foo for new variables.
4. add chaining of exceptions
5. remove attributes from KeyArchivalRequest etc. when realm is null
6. Add more detail to denial in BasicGroupAuthz
Part of Trac Ticket 2041
---
.../certsrv/authorization/EAuthzUnknownRealm.java} | 31 +++-------
.../netscape/certsrv/key/KeyArchivalRequest.java | 6 +-
.../src/com/netscape/certsrv/key/KeyClient.java | 19 ++----
.../netscape/certsrv/key/KeyGenerationRequest.java | 6 +-
.../server/kra/rest/KeyRequestService.java | 67 ++++++++++++++++------
.../org/dogtagpki/server/kra/rest/KeyService.java | 32 ++++++-----
.../cms/authorization/BasicGroupAuthz.java | 21 +++----
.../netscape/cms/servlet/key/KeyRequestDAO.java | 15 +++--
.../cmscore/authorization/AuthzSubsystem.java | 6 +-
.../src/com/netscape/cmscore/dbs/KeyRecord.java | 8 +--
.../netscape/cmscore/request/ARequestRecord.java | 2 +-
.../netscape/cmscore/request/RequestRecord.java | 8 +--
12 files changed, 123 insertions(+), 98 deletions(-)
copy base/{server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java => common/src/com/netscape/certsrv/authorization/EAuthzUnknownRealm.java} (54%)
diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java b/base/common/src/com/netscape/certsrv/authorization/EAuthzUnknownRealm.java
similarity index 54%
copy from base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java
copy to base/common/src/com/netscape/certsrv/authorization/EAuthzUnknownRealm.java
index 418422a9b0b233c959a189a80a390d54709edb9c..1be1577b37fa3b0f55eb6d7c5a6675be06fde799 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java
+++ b/base/common/src/com/netscape/certsrv/authorization/EAuthzUnknownRealm.java
@@ -15,29 +15,14 @@
// (C) 2007 Red Hat, Inc.
// All rights reserved.
// --- END COPYRIGHT BLOCK ---
-package com.netscape.cmscore.request;
+package com.netscape.certsrv.authorization;
-import java.util.Date;
-import java.util.Hashtable;
+public class EAuthzUnknownRealm extends EAuthzException {
-import com.netscape.certsrv.request.RequestId;
-import com.netscape.certsrv.request.RequestStatus;
+ private static final long serialVersionUID = 2288587364467614277L;
-/**
- * The low level (attributes only) version of the database
- * record object. This exists so that RecordAttr methods can use
- * this type definition,
- *
- * RequestRecord refers both to this class and to RecordAttr objects.
- */
-class ARequestRecord {
- RequestId mRequestId;
- RequestStatus mRequestState;
- Date mCreateTime;
- Date mModifyTime;
- String mSourceId;
- String mOwner;
- String mRequestType;
- Hashtable<String, Object> mExtData;
- String mRealm;
-};
+ public EAuthzUnknownRealm(String errorString) {
+ super(errorString);
+ }
+
+}
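Review bot: git's copy detection has paired the new EAuthzUnknownRealm.java with ARequestRecord.java (similarity index 54%), so this hunk reads as a rewrite of ARequestRecord rather than as a new file; regenerating the patch with `--no-renames` would make the addition readable. Two points on the class itself: the copyright header kept from the paired file still says "(C) 2007 Red Hat, Inc." for a file created in 2016, and the class offers only a String constructor while the rest of this series chains causes everywhere, so if EAuthzException provides a (String, Throwable) constructor, expose one here too.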
diff --git a/base/common/src/com/netscape/certsrv/key/KeyArchivalRequest.java b/base/common/src/com/netscape/certsrv/key/KeyArchivalRequest.java
index d2a7749b3f8aac2c9025e48bce5aff727923c286..67810a02f0847942fee7466553363ae9e75c8a13 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyArchivalRequest.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyArchivalRequest.java
@@ -214,7 +214,11 @@ public class KeyArchivalRequest extends ResourceMessage {
* @param realm - the authentication realm
*/
public void setRealm(String realm) {
- attributes.put(REALM, realm);
+ if (realm != null) {
+ attributes.put(REALM, realm);
+ } else {
+ attributes.remove(REALM);
+ }
}
public String toString() {
diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java
index 1c8a76bfee645851991140823f0d740643fdeefb..cb35922f6978b87823d3033a4b807f945842712a 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyClient.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java
@@ -653,10 +653,7 @@ public class KeyClient extends Client {
String req1 = Utils.base64encode(encryptedData);
data.setWrappedPrivateData(req1);
data.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey));
-
- if (realm != null) {
- data.setRealm(realm);
- }
+ data.setRealm(realm);
return submitRequest(data);
}
@@ -708,10 +705,7 @@ public class KeyClient extends Client {
String options = Utils.base64encode(pkiArchiveOptions);
data.setPKIArchiveOptions(options);
-
- if (realm != null) {
- data.setRealm(realm);
- }
+ data.setRealm(realm);
return submitRequest(data);
}
@@ -757,9 +751,7 @@ public class KeyClient extends Client {
data.setUsages(usages);
data.setTransWrappedSessionKey(transWrappedSessionKey);
- if (realm != null) {
- data.setRealm(realm);
- }
+ data.setRealm(realm);
return submitRequest(data);
}
@@ -829,10 +821,7 @@ public class KeyClient extends Client {
data.setKeySize(keySize);
data.setUsages(usages);
data.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey));
-
- if (realm != null) {
- data.setRealm(realm);
- }
+ data.setRealm(realm);
return submitRequest(data);
}
diff --git a/base/common/src/com/netscape/certsrv/key/KeyGenerationRequest.java b/base/common/src/com/netscape/certsrv/key/KeyGenerationRequest.java
index 37fc1c2b2775c4ce4da7eab81caf42ff39d2045f..50946bb9fbda4807c7de07bfec803505d22cda64 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyGenerationRequest.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyGenerationRequest.java
@@ -134,6 +134,10 @@ public class KeyGenerationRequest extends ResourceMessage{
* @param realm - authorization realm to set
*/
public void setRealm(String realm) {
- attributes.put(REALM, realm);
+ if (realm != null) {
+ attributes.put(REALM, realm);
+ } else {
+ attributes.remove(REALM);
+ }
}
}
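Review bot: this null-handling block is identical to the one added to KeyArchivalRequest.setRealm earlier in this patch. Both classes extend ResourceMessage, so a single helper there (put when non-null, remove otherwise) would keep the two setters from drifting and still lets the `if (realm != null)` guards removed from KeyClient stay removed.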
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
index 8504f0ea2b5c713f99fc171e9ad8b65c9fe291bb..41d78af533b8e94c3e82f6b79d688e32cf3a07e3 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
@@ -38,6 +38,7 @@ import org.mozilla.jss.crypto.SymmetricKey;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.PKIException;
@@ -171,15 +172,25 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
if (getRequestor() == null) {
throw new UnauthorizedException("Archival must be performed by an agent");
}
+
+ String realm = data.getRealm();
+ if (realm != null) {
+ authz.checkRealm(realm, getAuthToken(), null, "keyRequest", "archive");
+ }
response = dao.submitRequest(data, uriInfo, getRequestor());
auditArchivalRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS, data.getClientKeyId());
return createCreatedResponse(response, new URI(response.getRequestInfo().getRequestURL()));
-
+ } catch (EAuthzAccessDenied e) {
+ auditArchivalRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new UnauthorizedException("Not authorized to generate request in this realm", e);
+ } catch (EAuthzUnknownRealm e) {
+ auditArchivalRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new BadRequestException("Invalid realm", e);
} catch (EBaseException | URISyntaxException e) {
e.printStackTrace();
auditArchivalRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
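Review bot: the EAuthzAccessDenied message in this hunk reads "Not authorized to generate request in this realm", but this is the archival path (the audit call is auditArchivalRequestMade); the same text is used in the symkey and asymkey hunks below, where it is accurate. Use "Not authorized to archive in this realm" here so the client response and the audit trail agree on which operation was refused. The ordering of the new catch blocks is right: EAuthzAccessDenied and EAuthzUnknownRealm precede the EBaseException catch, so they reach their specific handlers.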
@@ -216,7 +227,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
} catch (EBaseException | URISyntaxException e) {
e.printStackTrace();
auditRecoveryRequestMade(null, ILogger.FAILURE, data.getKeyId());
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
@@ -233,11 +244,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
dao.approveRequest(id, getRequestor(), getAuthToken());
auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
} catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to approve request");
+ throw new UnauthorizedException("Not authorized to approve request", e);
} catch (EBaseException e) {
e.printStackTrace();
auditRecoveryRequestChange(id, ILogger.FAILURE, "approve");
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
return createNoContentResponse();
@@ -254,11 +265,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
dao.rejectRequest(id, getAuthToken());
auditRecoveryRequestChange(id, ILogger.SUCCESS, "reject");
}catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to reject request");
+ throw new UnauthorizedException("Not authorized to reject request", e);
} catch (EBaseException e) {
e.printStackTrace();
auditRecoveryRequestChange(id, ILogger.FAILURE, "reject");
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
return createNoContentResponse();
@@ -275,11 +286,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
dao.cancelRequest(id, getAuthToken());
auditRecoveryRequestChange(id, ILogger.SUCCESS, "cancel");
} catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to cancel request");
+ throw new UnauthorizedException("Not authorized to cancel request", e);
} catch (EBaseException e) {
e.printStackTrace();
auditRecoveryRequestChange(id, ILogger.FAILURE, "cancel");
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
return createNoContentResponse();
@@ -295,10 +306,12 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
try {
authz.checkRealm(realm, getAuthToken(), null, "keyRequests", "list");
} catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to list these requests");
+ throw new UnauthorizedException("Not authorized to list these requests", e);
+ } catch (EAuthzUnknownRealm e) {
+ throw new BadRequestException("Invalid realm", e);
} catch (EBaseException e) {
CMS.debug("listRequests: unable to authorize realm" + e);
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
// get ldap filter
@@ -317,7 +330,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
} catch (EBaseException e) {
CMS.debug("listRequests: error in obtaining request results" + e);
e.printStackTrace();
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
return createOKResponse(requests);
}
@@ -426,7 +439,7 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
request = requestClazz.getDeclaredConstructor(ResourceMessage.class).newInstance(data);
} catch (ClassNotFoundException | NoSuchMethodException | SecurityException | InstantiationException
| IllegalAccessException | IllegalArgumentException | InvocationTargetException e) {
- throw new BadRequestException("Invalid request class." + e);
+ throw new BadRequestException("Invalid request class." + e, e);
}
if (request instanceof KeyArchivalRequest) {
@@ -453,16 +466,26 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
if (getRequestor() == null) {
throw new UnauthorizedException("Key generation must be performed by an agent");
}
+ String realm = data.getRealm();
+ if (realm != null) {
+ authz.checkRealm(realm, getAuthToken(), null, "keyRequest", "generateSymkey");
+ }
+
response = dao.submitRequest(data, uriInfo, getRequestor());
auditSymKeyGenRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS,
data.getClientKeyId());
return createCreatedResponse(response, new URI(response.getRequestInfo().getRequestURL()));
-
+ } catch (EAuthzAccessDenied e) {
+ auditSymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new UnauthorizedException("Not authorized to generate request in this realm", e);
+ } catch (EAuthzUnknownRealm e) {
+ auditSymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new BadRequestException("Invalid realm", e);
} catch (EBaseException | URISyntaxException e) {
e.printStackTrace();
auditSymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
@@ -477,16 +500,26 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
if (getRequestor() == null) {
throw new UnauthorizedException("Key generation must be performed by an agent");
}
+ String realm = data.getRealm();
+ if (realm != null) {
+ authz.checkRealm(realm, getAuthToken(), null, "keyRequest", "generateAsymkey");
+ }
+
response = dao.submitRequest(data, uriInfo, getRequestor());
auditAsymKeyGenRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS,
data.getClientKeyId());
return createCreatedResponse(response, new URI(response.getRequestInfo().getRequestURL()));
-
+ } catch (EAuthzAccessDenied e) {
+ auditAsymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new UnauthorizedException("Not authorized to generate request in this realm", e);
+ } catch (EAuthzUnknownRealm e) {
+ auditAsymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
+ throw new BadRequestException("Invalid realm", e);
} catch (EBaseException | URISyntaxException e) {
e.printStackTrace();
auditAsymKeyGenRequestMade(null, ILogger.FAILURE, data.getClientKeyId());
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
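Review bot: the realm check and the two catch blocks in this hunk are a verbatim copy of the symkey hunk above (@@ -453) and, apart from the audit method, of the archival hunk at @@ -171. Factor them into a private helper that takes the resource/operation pair and the audit callback, so a later change (patch 295 already renames all three resource strings) has to be made once rather than three times.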
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
index 52df7696ff36e6a59592970b1e4bd6bc4080b258..255d8d614aba2126c1ed89cd952e6cf9f5de3231 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
@@ -44,6 +44,7 @@ import org.jboss.resteasy.plugins.providers.atom.Link;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
import com.netscape.certsrv.authorization.EAuthzAccessDenied;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.HTTPGoneException;
@@ -150,7 +151,7 @@ public class KeyService extends PKIService implements KeyResource {
} catch (EBaseException e) {
CMS.debug(e);
auditRetrieveKey(ILogger.FAILURE, requestID, null, auditInfo + ";" + e.getMessage());
- throw new PKIException(e.getMessage());
+ throw new PKIException(e.getMessage(), e);
}
String type = request.getRequestType();
@@ -170,7 +171,7 @@ public class KeyService extends PKIService implements KeyResource {
} catch (Exception e) {
CMS.debug(e);
auditRetrieveKey(ILogger.FAILURE, requestID, keyId, auditInfo + ";" + e.getMessage());
- throw new PKIException(e.getMessage());
+ throw new PKIException(e.getMessage(), e);
}
if (keyData == null) {
@@ -348,7 +349,7 @@ public class KeyService extends PKIService implements KeyResource {
CMS.debug(logMessage);
e1.printStackTrace();
- throw new PKIException(logMessage + e1.getMessage());
+ throw new PKIException(logMessage + e1.getMessage(), e1);
}
if (reqInfo == null) {
// request not found
@@ -377,7 +378,7 @@ public class KeyService extends PKIService implements KeyResource {
logMessage = e.getMessage();
CMS.debug(logMessage);
- throw new PKIException(logMessage);
+ throw new PKIException(logMessage, e);
}
String originator = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
if (! originator.equals(retriever)) {
@@ -423,10 +424,12 @@ public class KeyService extends PKIService implements KeyResource {
try {
authz.checkRealm(realm, getAuthToken(), null, "keys", "list");
} catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to list these keys");
+ throw new UnauthorizedException("Not authorized to list these keys", e);
+ } catch (EAuthzUnknownRealm e) {
+ throw new BadRequestException("Invalid realm", e);
} catch (EBaseException e) {
CMS.debug("listRequests: unable to authorize realm" + e);
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
}
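Review bot: an unknown realm is mapped to `BadRequestException("Invalid realm")` here but to `UnauthorizedException("Invalid realm")` in both KeyRequestDAO hunks below; the same condition should yield the same status, and the choice should be deliberate, since a 400 tells the caller that the realm is not configured while a 401 does not. Two smaller points in the `EBaseException` branch: the debug message `"listRequests: unable to authorize realm" + e` names a different operation than the `keys`/`list` check being performed and has no separator before the exception, e.g. `CMS.debug("unable to authorize realm for keys/list: " + e);`.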
@@ -475,7 +478,7 @@ public class KeyService extends PKIService implements KeyResource {
auditRetrieveKey(ILogger.FAILURE, null, clientKeyID, e.getMessage() + auditInfo);
e.printStackTrace();
- throw new PKIException(e.getMessage());
+ throw new PKIException(e.getMessage(), e);
}
auditRetrieveKey(ILogger.SUCCESS, null, clientKeyID, auditInfo);
@@ -508,10 +511,10 @@ public class KeyService extends PKIService implements KeyResource {
try {
authz.checkRealm(info.getRealm(), getAuthToken(), info.getOwnerName(), "key", "read");
} catch (EAuthzAccessDenied e) {
- throw new UnauthorizedException("Not authorized to read this key");
+ throw new UnauthorizedException("Not authorized to read this key", e);
} catch (EBaseException e) {
CMS.debug("listRequests: unable to authorize realm" + e);
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
auditRetrieveKey(ILogger.SUCCESS, null, clientKeyID, auditInfo);
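Review bot: the `EAuthzAccessDenied` branch in this hunk throws without writing an audit record, while the success path directly below logs `auditRetrieveKey(ILogger.SUCCESS, ...)` and the comparable denial in the next KeyService hunk logs `auditRetrieveKey(ILogger.FAILURE, ...)` before throwing; add the FAILURE audit here so a realm-based denial of a key read is recorded. Also, there is no `catch (EAuthzUnknownRealm e)` as in the list path, so a record whose realm has no authz manager falls through to `PKIException` (a server error) instead of the error the other paths return, and the debug message still says `listRequests` although this is the `key`/`read` check.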
@@ -686,18 +689,17 @@ public class KeyService extends PKIService implements KeyResource {
} catch (EAuthzAccessDenied e) {
auditInfo = method + "Unauthorized access for key record";
auditRetrieveKey(ILogger.FAILURE, null, keyId, auditInfo);
- throw new UnauthorizedException(auditInfo);
+ throw new UnauthorizedException(auditInfo, e);
} catch (EDBRecordNotFoundException e) {
auditInfo = method + e.getMessage();
auditRetrieveKey(ILogger.FAILURE, null, keyId, auditInfo);
-
- throw new KeyNotFoundException(keyId);
+ throw new KeyNotFoundException(keyId, "key not found", e);
} catch (Exception e) {
auditInfo = method + "Unable to retrieve key record: " + e.getMessage();
auditRetrieveKey(ILogger.FAILURE, null, keyId, auditInfo);
CMS.debug(auditInfo);
e.printStackTrace();
- throw new PKIException(e.getMessage());
+ throw new PKIException(e.getMessage(), e);
}
}
@@ -735,14 +737,14 @@ public class KeyService extends PKIService implements KeyResource {
CMS.debug(auditInfo);
auditKeyStatusChange(ILogger.FAILURE, keyId.toString(),
(info!=null)?info.getStatus():null, status, auditInfo);
- throw new KeyNotFoundException(keyId);
+ throw new KeyNotFoundException(keyId, "key not found to modify", e);
} catch (Exception e) {
auditInfo = auditInfo + ":" + e.getMessage();
CMS.debug(auditInfo);
auditKeyStatusChange(ILogger.FAILURE, keyId.toString(),
(info!=null)?info.getStatus():null, status, auditInfo);
e.printStackTrace();
- throw new PKIException(e.getMessage());
+ throw new PKIException(e.getMessage(), e);
}
}
diff --git a/base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java
index 1908e3c690a93af99a1cfde8f7d139e6e49ba1b1..0bf24311fd2335d9288bc75eba012460c9d37731 100644
--- a/base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java
+++ b/base/server/cms/src/com/netscape/cms/authorization/BasicGroupAuthz.java
@@ -44,35 +44,35 @@ public class BasicGroupAuthz implements IAuthzManager, IExtendedPluginInfo {
private static final String GROUP = "group";
/* name of this authorization manager instance */
- private String name = null;
+ private String name;
/* name of the authorization manager plugin */
- private String implName = null;
+ private String implName;
/* configuration store */
private IConfigStore config;
/* group that is allowed to access resources */
- private String groupName = null;
+ private String groupName;
/* Vector of extendedPluginInfo strings */
- protected static Vector<String> mExtendedPluginInfo = null;
+ protected static Vector<String> extendedPluginInfo;
- protected static String[] mConfigParams = null;
+ protected static String[] configParams;
static {
- mExtendedPluginInfo = new Vector<String>();
- mExtendedPluginInfo.add("group;string,required;" +
+ extendedPluginInfo = new Vector<String>();
+ extendedPluginInfo.add("group;string,required;" +
"Group to permit access");
}
public BasicGroupAuthz() {
- mConfigParams = new String[] {"group"};
+ configParams = new String[] {"group"};
}
@Override
public String[] getExtendedPluginInfo(Locale locale) {
- String[] s = Utils.getStringArrayFromVector(mExtendedPluginInfo);
+ String[] s = Utils.getStringArrayFromVector(extendedPluginInfo);
return s;
}
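Review bot: `configParams` is declared `protected static` at the top of the hunk but assigned in the instance constructor (`configParams = new String[] {"group"};`), so every `new BasicGroupAuthz()` rewrites the shared static array; either initialise it once in the static block alongside `extendedPluginInfo`, or make it a non-static final field. Dropping the redundant `= null` field initialisers as part of the rename is fine.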
@@ -103,6 +103,7 @@ public class BasicGroupAuthz implements IAuthzManager, IExtendedPluginInfo {
IUGSubsystem ug = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
IGroup group = ug.getGroupFromName(groupName);
if (!group.isMember(user)) {
+ CMS.debug("BasicGroupAuthz: access denied. User: " + user + " is not a member of group: " + groupName);
throw new EAuthzAccessDenied("Access denied");
}
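Review bot: the new debug line is useful, but the lookup two lines above it, `ug.getGroupFromName(groupName)`, is not null-checked before `group.isMember(user)`; if `getGroupFromName` returns null for a group that does not exist (a plausible misconfiguration of the `group` parameter), this path fails with a NullPointerException rather than a clean denial. Add a null check that logs the missing group via `CMS.debug` and throws `EAuthzAccessDenied`, so a misconfigured plugin fails closed with a readable message instead of a stack trace.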
@@ -139,7 +140,7 @@ public class BasicGroupAuthz implements IAuthzManager, IExtendedPluginInfo {
@Override
public String[] getConfigParams() throws EBaseException {
- return mConfigParams;
+ return configParams;
}
@Override
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
index 8aa0d21eeb6386c06f55553eef811522ff006106..04bb6f2ec35e82fba53e67b661a50c9745285dc7 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
@@ -37,6 +37,7 @@ import org.mozilla.jss.crypto.KeyPairAlgorithm;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.authentication.IAuthToken;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.PKIException;
@@ -259,13 +260,15 @@ public class KeyRequestDAO extends CMSRequestDAO {
try {
rec = repo.readKeyRecord(keyId.toBigInteger());
} catch (EDBRecordNotFoundException e) {
- throw new KeyNotFoundException(keyId);
+ throw new KeyNotFoundException(keyId, "key not found to recover", e);
}
try {
authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "key", "recover");
+ } catch (EAuthzUnknownRealm e) {
+ throw new UnauthorizedException("Invalid realm", e);
} catch (EBaseException e) {
- throw new UnauthorizedException("Agent not authorized by realm");
+ throw new UnauthorizedException("Agent not authorized by realm", e);
}
Hashtable<String, Object> requestParams;
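Review bot: the final `catch (EBaseException e)` around `authz.checkRealm(...)` turns every failure into `UnauthorizedException("Agent not authorized by realm")`, including plugin or directory errors that are not authorization decisions; the KeyService hunks above separate `EAuthzAccessDenied` (unauthorized) from other `EBaseException`s (`PKIException`). Apply the same split here so an operational error is not reported as a denial. The new `EAuthzUnknownRealm` branch is the right addition, but its status should match whatever KeyService settles on for the same exception.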
@@ -315,13 +318,15 @@ public class KeyRequestDAO extends CMSRequestDAO {
try {
rec = repo.readKeyRecord(keyId.toBigInteger());
} catch (EDBRecordNotFoundException e) {
- throw new KeyNotFoundException(keyId);
+ throw new KeyNotFoundException(keyId, "key not found to recover", e);
}
try {
authz.checkRealm(rec.getRealm(), authToken, rec.getOwnerName(), "key", "recover");
+ } catch (EAuthzUnknownRealm e) {
+ throw new UnauthorizedException("Invalid realm", e);
} catch (EBaseException e) {
- throw new UnauthorizedException("Agent not authorized by realm");
+ throw new UnauthorizedException("Agent not authorized by realm", e);
}
String b64Certificate = data.getCertificate();
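Review bot: this hunk repeats the read-record/check-realm block from the previous hunk line for line (`readKeyRecord`, `KeyNotFoundException(keyId, "key not found to recover", e)`, `checkRealm(..., "key", "recover")` and both catch blocks); factor it into a private helper, for instance `checkRecoveryRealm(keyId, authToken)`, so the two recovery paths cannot drift apart on exception mapping or messages.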
@@ -332,7 +337,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
// TODO - update request with realm
} catch (EBaseException | CertificateException e) {
e.printStackTrace();
- throw new PKIException(e.toString());
+ throw new PKIException(e.toString(), e);
}
IRequest request = null;
try {
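Review bot: the `// TODO - update request with realm` at the top of this hunk is still outstanding; the RequestRecord hunk further down persists the request's `realm` field, so requests created on this path will be stored without one. Either resolve the TODO in this series or put a ticket reference in the comment so it is not lost.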
diff --git a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
index 8b126d2dac047b450e7a90fcf27263628b169c90..3544858979ba349dc1506d46193f00b0eeec6449 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java
@@ -32,6 +32,7 @@ import com.netscape.certsrv.authorization.EAuthzAccessDenied;
import com.netscape.certsrv.authorization.EAuthzException;
import com.netscape.certsrv.authorization.EAuthzMgrNotFound;
import com.netscape.certsrv.authorization.EAuthzMgrPluginNotFound;
+import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
import com.netscape.certsrv.authorization.IAuthzManager;
import com.netscape.certsrv.authorization.IAuthzSubsystem;
import com.netscape.certsrv.base.EBaseException;
@@ -480,8 +481,9 @@ public class AuthzSubsystem implements IAuthzSubsystem {
if ((owner != null) && owner.equals(authToken.getInString(IAuthToken.USER_ID))) return;
String mgrName = getAuthzManagerByRealm(realm);
- // if no authz manager for this realm, SUCCESS by default
- if (mgrName == null) return;
+ if (mgrName == null) {
+ throw new EAuthzUnknownRealm("Realm not found");
+ }
AuthzToken authzToken = authorize(mgrName, authToken, resource, operation);
if (authzToken == null) {
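Review bot: this is the fail-closed change from the review (an unknown realm is now denied instead of silently allowed), but confirm how a null realm is handled: `checkRealm` is called with `rec.getRealm()` and `info.getRealm()` elsewhere in this patch, and pre-existing key records carry no realm, so if `getAuthzManagerByRealm(null)` returns null every legacy key would now raise `EAuthzUnknownRealm`. If there is an early `if (realm == null) return;` above this hunk that is fine; otherwise add one. Also include the realm in the diagnostic, e.g. `CMS.debug("checkRealm: no authz manager configured for realm " + realm);` before the throw, since the exception message alone does not say which realm was unmatched.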
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
index fbf2ee227a4f629506337be63c28c6c8d2d72d48..90050132b60131b37d59581203c2774af7e93b37 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
@@ -56,7 +56,7 @@ public class KeyRecord implements IDBObj, IKeyRecord {
private String mClientId = null;
private String mStatus = null;
private String mDataType = null;
- private String mRealm = null;
+ private String realm = null;
protected static Vector<String> mNames = new Vector<String>();
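Review bot: renaming `mRealm` to `realm` leaves this class with two field conventions side by side (`mClientId`, `mStatus`, `mDataType` on the lines above keep the `m` prefix), and the same applies to the ARequestRecord and RequestRecord hunks below; the retained `= null` initialiser on the renamed field is also inconsistent with the BasicGroupAuthz hunk, which drops them. If the intent is to drop the prefix for new fields only, a short comment or a follow-up rename of the remaining fields would stop the file from looking half-converted.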
@@ -141,7 +141,7 @@ public class KeyRecord implements IDBObj, IKeyRecord {
} else if (name.equalsIgnoreCase(ATTR_STATUS)) {
mStatus = (String) object;
} else if (name.equalsIgnoreCase(ATTR_REALM)) {
- mRealm = (String) object;
+ realm = (String) object;
} else {
throw new EBaseException(com.netscape.certsrv.apps.CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
}
@@ -183,7 +183,7 @@ public class KeyRecord implements IDBObj, IKeyRecord {
} else if (name.equalsIgnoreCase(ATTR_STATUS)) {
return mStatus;
} else if (name.equalsIgnoreCase(ATTR_REALM)) {
- return mRealm;
+ return realm;
} else {
throw new EBaseException(com.netscape.certsrv.apps.CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name));
}
@@ -395,6 +395,6 @@ public class KeyRecord implements IDBObj, IKeyRecord {
@Override
public String getRealm() throws EBaseException {
- return mRealm;
+ return realm;
}
}
diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java b/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java
index 418422a9b0b233c959a189a80a390d54709edb9c..6592b0148e1b08f4c7d156cfad02c1bf4ffd29b9 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/request/ARequestRecord.java
@@ -39,5 +39,5 @@ class ARequestRecord {
String mOwner;
String mRequestType;
Hashtable<String, Object> mExtData;
- String mRealm;
+ String realm;
};
diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java b/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java
index 38060c2f2e9e70c9ed6bc977c58c710fecfb34f6..074bff41c8090f6d998e3c879b06d3518550ce70 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/request/RequestRecord.java
@@ -93,7 +93,7 @@ public class RequestRecord
else if (name.equals(IRequestRecord.ATTR_EXT_DATA))
return mExtData;
else if (name.equals(IRequestRecord.ATTR_REALM))
- return mRealm;
+ return realm;
else {
RequestAttr ra = mAttrTable.get(name);
@@ -122,7 +122,7 @@ public class RequestRecord
else if (name.equals(IRequestRecord.ATTR_REQUEST_OWNER))
mOwner = (String) o;
else if (name.equals(IRequestRecord.ATTR_REALM))
- mRealm = (String) o;
+ realm = (String) o;
else if (name.equals(IRequestRecord.ATTR_EXT_DATA))
mExtData = (Hashtable<String, Object>) o;
else {
@@ -159,7 +159,7 @@ public class RequestRecord
mOwner = r.getRequestOwner();
mCreateTime = r.getCreationTime();
mModifyTime = r.getModificationTime();
- mRealm = r.getRealm();
+ realm = r.getRealm();
mExtData = loadExtDataFromRequest(r);
for (int i = 0; i < mRequestA.length; i++) {
@@ -173,7 +173,7 @@ public class RequestRecord
r.setRequestOwner(mOwner);
a.modModificationTime(r, mModifyTime);
a.modCreationTime(r, mCreateTime);
- r.setRealm(mRealm);
+ r.setRealm(realm);
storeExtDataIntoRequest(r);
for (int i = 0; i < mRequestA.length; i++) {
--
2.4.3
_______________________________________________
Pki-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pki-devel