Authorization via EJBCA-WS API v. 4.0.15

Help
Daniel
2013-10-23
2013-10-24
  • Daniel
    2013-10-23

    Hi,

    I am using the classes EjbcaWS and EJBCAHelper from the ejbca-ws module in my own stub project. I had to remove the @WebService and @Resource annotations from the EjbcaWS class, and now I cannot refer to the wsContext object or execute the following original code, which obtains the certificate used by the getAdmin method:

            // wsContext is the javax.xml.ws.WebServiceContext the container injects via @Resource
            MessageContext msgContext = wsContext.getMessageContext();
            HttpServletRequest request = (HttpServletRequest) msgContext.get(MessageContext.SERVLET_REQUEST);
            // client certificate chain the servlet container negotiated on this TLS connection
            X509Certificate[] certificates = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    

    Instead of this I am trying to load this certificate from the local drive:

            FileInputStream fin = new FileInputStream(fileName);
            java.security.KeyStore ks = java.security.KeyStore.getInstance("PKCS12");
            ks.load(fin, password.toCharArray());
            fin.close();
            // alias of the key entry inside the PKCS#12 file
            cert = (X509Certificate) ks.getCertificate(alias);
    

    I tried to load the superadmin.p12 certificate from %EJBCA_HOME%/p12 and also created a JKS certificate for a user with admin privileges using the EJBCA GUI ("Create Browser Certificate").

    I failed in both cases. I got an error: org.ejbca.core.model.authorization.AuthorizationDeniedException: Admin CLIENTCERT was not authorized to resource /administrator.

    I did the same for EJBCA v. 3.11.5 (copied EjbcaWS and EJBCAHelper; loaded the cert from the local drive) and it works. I can't do the same with version 4.0.15.

    Can you advise me what I am doing wrong?
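    The following is an added example, not code from the original post or from EJBCA. It loads the PKCS#12 file the way the post does, checks the certificate's validity period and the signature against the next certificate in the chain, and prints the subject DN, issuer DN and hex serial number, which are the values to compare with the admin entity configured in the EJBCA admin group (issuing CA plus match value). The class name, the argument layout and the assumption that the key entry password equals the keystore password are all mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added example (not EJBCA code): loads a client-admin PKCS#12 file and prints
 * the identity fields an EJBCA admin-group rule is matched against.
 */
public class P12AdminCertCheck {

    /** The entries needed to act as a client-certificate admin. */
    public static final class AdminCredential {
        public final X509Certificate cert;
        public final PrivateKey key;
        public final Certificate[] chain;   // leaf first, then issuing CA(s), if stored in the file
        AdminCredential(X509Certificate cert, PrivateKey key, Certificate[] chain) {
            this.cert = cert;
            this.key = key;
            this.chain = chain;
        }
    }

    /** Loads the key entry under 'alias'; if alias is null, the first key entry is used. */
    public static AdminCredential load(String fileName, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(fileName)) {
            ks.load(in, password);
        }
        if (alias == null) {
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                String a = e.nextElement();
                if (ks.isKeyEntry(a)) { alias = a; break; }
            }
        }
        if (alias == null || !ks.isKeyEntry(alias)) {
            throw new IllegalArgumentException("no key entry found for alias " + alias);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        // assumption: the key entry is protected by the same password as the keystore
        PrivateKey key = (PrivateKey) ks.getKey(alias, password);
        Certificate[] chain = ks.getCertificateChain(alias);
        return new AdminCredential(cert, key, chain);
    }

    /** Throws if the leaf is outside its validity period or not signed by the next chain element. */
    public static void check(AdminCredential c) throws Exception {
        c.cert.checkValidity();
        if (c.chain != null && c.chain.length > 1) {
            c.cert.verify(c.chain[1].getPublicKey());
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: P12AdminCertCheck <file.p12> <password> [alias]");
            System.exit(2);
        }
        AdminCredential c = load(args[0], args[1].toCharArray(), args.length > 2 ? args[2] : null);
        check(c);
        // Compare these with the CA and match value of the admin entity in the admin group.
        System.out.println("subject : " + c.cert.getSubjectX500Principal());
        System.out.println("issuer  : " + c.cert.getIssuerX500Principal());
        System.out.println("serial  : " + c.cert.getSerialNumber().toString(16));
        System.out.println("key alg : " + c.key.getAlgorithm());
    }
}
```

    Run it as `java P12AdminCertCheck superadmin.p12 <password>`. The serial number is printed in hex because that is the form EJBCA shows in its GUI; if the issuer or serial do not match the admin entity in the admin group, the certificate would be denied however it was loaded.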

     
  • Daniel
    2013-10-24

    My problem occurred because the adminInformation field was declared transient in the org.ejbca.core.model.log.Admin class.

    Now the method

    org.ejbca.core.model.authorization.AuthorizationProxy.isAuthorized(AdminInformation admin, String resource)

    cannot check that the admin object was not created outside of EJBCA.
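    As an added illustration of the failure mode described above (toy classes, not EJBCA's Admin or AdminInformation, whose real fields differ): Java serialization skips transient fields, so any code path that copies the Admin object by serializing it, for instance passing it across a remote EJB interface, receives it with adminInformation set to null, and an authorization check that needs that field then denies the request. All names below are hypothetical stand-ins chosen for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example (toy code, not EJBCA's classes): shows a transient field being
 * dropped by Java serialization and the downstream authorization check failing.
 */
public class TransientAdminDemo {

    /** Hypothetical stand-in for AdminInformation. */
    static final class AdminInfo implements Serializable {
        final String certSerialHex;
        AdminInfo(String certSerialHex) { this.certSerialHex = certSerialHex; }
    }

    /** Hypothetical stand-in for Admin; the field is transient, as in the post. */
    static final class Admin implements Serializable {
        final String adminType;
        transient AdminInfo adminInformation;   // not written by ObjectOutputStream
        Admin(String adminType, AdminInfo info) {
            this.adminType = adminType;
            this.adminInformation = info;
        }
    }

    /** Toy authorization rule that needs the internal admin information to decide. */
    static boolean isAuthorized(Admin admin, String resource) {
        if (admin.adminInformation == null) {
            return false;   // nothing to evaluate: deny, i.e. "not authorized to resource"
        }
        return "/administrator".equals(resource) && admin.adminInformation.certSerialHex != null;
    }

    /** Round-trips an object through Java serialization, as a remote call would. */
    @SuppressWarnings("unchecked")
    static <T extends Serializable> T roundTrip(T obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (T) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Admin local = new Admin("CLIENTCERT", new AdminInfo("1a2b3c"));
        Admin copied = roundTrip(local);
        // The in-process object still carries its AdminInfo; the deserialized copy does not.
        System.out.println("adminInformation after copy is null: " + (copied.adminInformation == null));
        System.out.println("in-process : " + isAuthorized(local, "/administrator"));
        System.out.println("after copy : " + isAuthorized(copied, "/administrator"));
    }
}
```

    The same loss happens with any serialization-based copy (remote EJB parameters, session replication, a cache that stores objects by value), which is why the field survives only as long as the Admin object stays inside the process that created it.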

     
  • Nice that you fixed it.

     
  • Daniel
    2013-10-24

    Tomas, can you tell me whether this looks like a general bug that I can expect to be fixed in the next release, or whether my problem was only caused because I am trying to develop my own project based on the already mentioned classes?

     
  • It does not look like a general bug. You are somehow serializing the object in the wrong place, in EJBCA it is used internally and not serialized. It may even be a feature.
    In the next release the authorization is anyhow rewritten based on CESecore.