I am using the classes EjbcaWS and EJBCAHelper from the ejbca-ws module in my own stub project. I had to remove the @WebService and @Resource annotations from the EjbcaWS class, and now I can't refer to the wsContext object or execute the following original code, which obtains the certificate needed to call the getAdmin method:
MessageContext msgContext = wsContext.getMessageContext();
HttpServletRequest request = (HttpServletRequest) msgContext.get(MessageContext.SERVLET_REQUEST);
// The servlet attribute holds the client certificate chain as an array, not a single certificate.
X509Certificate[] certificates = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
Instead of this I am trying to load the certificate from the local drive:
FileInputStream fin = new FileInputStream(fileName);
java.security.KeyStore ks = java.security.KeyStore.getInstance("PKCS12");
// The keystore must be loaded with its password before any entry can be read;
// without this call getCertificate(alias) returns null.
ks.load(fin, password.toCharArray());
X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
I tried to load the superadmin.p12 certificate from %EJBCA_HOME%/p12 and also to create a JKS certificate for a user with admin privileges using the EJBCA GUI ("Create Browser Certificate").
I failed in both cases. I got the error: org.ejbca.core.model.authorization.AuthorizationDeniedException: Admin CLIENTCERT was not authorized to resource /administrator.
I did the same for EJBCA v. 3.11.5 (copied EjbcaWS and EJBCAHelper; loaded the cert from the local drive) and it works. I can't do the same with version 4.0.15.
Can you advise me on what I am doing wrong?
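For reference, here is a complete version of the local-file approach from the post above. It is an added example, not code from the poster or from EJBCA; the class name P12CertLoader, the command-line arguments and the choice of "first key entry" are my assumptions. It shows the step that makes or breaks this approach: KeyStore.load() must be called with the file's password, otherwise every getCertificate() lookup silently returns null and the WS layer never sees a usable admin certificate.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class P12CertLoader {

    /**
     * Loads the X.509 certificate of the first key entry found in a PKCS#12 file.
     * The store is opened with its password first; a KeyStore that has not been
     * load()-ed is empty and returns null for every alias.
     */
    public static X509Certificate loadClientCert(String fileName, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(fileName)) {
            ks.load(in, password);
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // Only key entries carry the end-entity certificate we want to present as admin.
            if (ks.isKeyEntry(alias)) {
                Certificate c = ks.getCertificate(alias);
                if (c instanceof X509Certificate) {
                    return (X509Certificate) c;
                }
            }
        }
        throw new IllegalStateException("no key entry with an X.509 certificate in " + fileName);
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: java P12CertLoader <path-to-p12> <password>; both are hypothetical inputs.
        X509Certificate cert = loadClientCert(args[0], args[1].toCharArray());
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Issuer:  " + cert.getIssuerX500Principal());
        System.out.println("Serial:  " + cert.getSerialNumber().toString(16));
        cert.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
    }
}
```

Printing subject, issuer and serial is deliberate: those are the values an administrator role entry is matched against, so comparing them with what the admin GUI shows for the user is the quickest way to confirm that the certificate you loaded is the one EJBCA expects.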
My problem occurred because the adminInformation field was marked transient in the org.ejbca.core.model.log.Admin class.
org.ejbca.core.model.authorization.AuthorizationProxy.isAuthorized(AdminInformation admin, String resource)
cannot check that the admin object was not created outside of EJBCA.
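To make the effect of that transient field concrete, here is a small added example (mine, not EJBCA code; the class AdminLike and its fields are stand-ins for the real Admin class) that round-trips an object through Java serialization. The transient field is not written to the stream, so after deserialization it is null and any authorization check that depends on it has nothing to verify.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class TransientDemo {

    // Hypothetical stand-in for an admin object: one ordinary field and one transient field.
    static class AdminLike implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        transient String authInfo; // skipped by Java serialization, as a transient field is

        AdminLike(String name, String authInfo) {
            this.name = name;
            this.authInfo = authInfo;
        }
    }

    // Serialize to bytes and read the object back, as would happen if it crossed a process or file boundary.
    static AdminLike roundTrip(AdminLike in) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(in);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (AdminLike) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        AdminLike original = new AdminLike("CLIENTCERT", "set-inside-the-application");
        AdminLike copy = roundTrip(original);
        System.out.println("name=" + copy.name + " authInfo=" + copy.authInfo);
    }
}
```

The name survives the round trip while authInfo comes back as null, which is the situation the post describes: an admin object that has been serialized outside the application arrives without the information the authorization proxy needs.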
Nice that you fixed it.
Tomas, can you tell me whether this looks like a general bug that I can expect to be fixed in the next release, or whether my problem was only caused because I am trying to develop my own project based on the already mentioned classes?
It does not look like a general bug. You are somehow serializing the object in the wrong place; in EJBCA it is used internally and not serialized. It may even be a feature.
In the next release the authorization is anyhow rewritten based on CESecore.