Authorization via EJBCA-WS API v. 4.0.15

  • Daniel

    Daniel - 2013-10-23


    I am using the classes EjbcaWS and EJBCAHelper from the ejbca-ws module in my own stub project. I had to remove the @WebService and @Resource annotations from the EjbcaWS class, and now I can't refer to the wsContext object and execute the following original code, which obtains the certificate used by the getAdmin method:

            // Inside the web service, the client certificate chain presented on the
            // TLS connection is exposed by the servlet container as a request attribute.
            MessageContext msgContext = wsContext.getMessageContext();
            HttpServletRequest request = (HttpServletRequest) msgContext.get(MessageContext.SERVLET_REQUEST);
            X509Certificate[] certificates = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

    Instead of this I am trying to load the certificate from the local drive:

            // Open the PKCS#12 file, load it into a KeyStore and pick the entry by alias.
            FileInputStream fin = new FileInputStream(fileName);
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(fin, password.toCharArray());
            cert = (X509Certificate) ks.getCertificate(alias);

    I tried to load the superadmin.p12 certificate from %EJBCA_HOME%/p12 and also to create a JKS certificate for a user with admin privileges using the EJBCA GUI ("Create Browser Certificate").

    I failed in both cases. I got an error: org.ejbca.core.model.authorization.AuthorizationDeniedException: Admin CLIENTCERT was not authorized to resource /administrator.

    I did the same for EJBCA v. 3.11.5 (copied EjbcaWS and EJBCAHelper; loaded the cert from the local drive) and it works. I can't do the same with version 4.0.15.

    Can you advise me what I am doing wrong?
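    The keystore-loading approach described in the post above, as an added, self-contained example that is not code from the original post or from EJBCA. It returns the full chain (the same X509Certificate[] shape that the servlet request attribute yields), closes the file stream, locates the key entry when no alias is given, and fails explicitly if the entry is not an X.509 certificate. The class name AdminCertLoader, the method name loadAdminChain and the command-line arguments are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Hypothetical helper (not part of EJBCA) for reading an admin client
// certificate chain out of a PKCS#12 file such as %EJBCA_HOME%/p12/superadmin.p12.
public class AdminCertLoader {

    /**
     * Loads the certificate chain for the given alias from a PKCS#12 keystore.
     * If alias is null, the first entry that carries a private key is used
     * (a freshly generated admin .p12 normally contains exactly one).
     */
    public static X509Certificate[] loadAdminChain(String fileName, char[] password, String alias)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        // try-with-resources so the file handle is released even if load() throws
        try (FileInputStream fin = new FileInputStream(fileName)) {
            ks.load(fin, password);
        }

        if (alias == null) {
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                String candidate = e.nextElement();
                if (ks.isKeyEntry(candidate)) {
                    alias = candidate;
                    break;
                }
            }
        }
        if (alias == null || !ks.isKeyEntry(alias)) {
            throw new GeneralSecurityException("no private-key entry found in " + fileName);
        }

        // A key entry carries the chain; the end-entity certificate is element 0.
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate[] x509Chain = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) {
            if (!(chain[i] instanceof X509Certificate)) {
                throw new GeneralSecurityException("entry " + alias + " holds a non-X.509 certificate");
            }
            x509Chain[i] = (X509Certificate) chain[i];
        }
        return x509Chain;
    }

    // Usage: java AdminCertLoader <file.p12> <password> [alias]
    public static void main(String[] args) throws Exception {
        String alias = args.length > 2 ? args[2] : null;
        X509Certificate[] chain = loadAdminChain(args[0], args[1].toCharArray(), alias);
        X509Certificate admin = chain[0];
        System.out.println("Subject: " + admin.getSubjectX500Principal());
        System.out.println("Issuer:  " + admin.getIssuerX500Principal());
        System.out.println("Serial:  " + admin.getSerialNumber().toString(16));
        System.out.println("Chain length: " + chain.length);
    }
}
```

    Printing the subject, issuer and serial is a quick way to confirm that the certificate you loaded really is the one registered as an administrator in EJBCA before looking elsewhere for the cause of an AuthorizationDeniedException.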

  • Daniel

    Daniel - 2013-10-24

    My problem occurred because the adminInformation field is marked transient in the org.ejbca.core.model.log.Admin class.

    Now method

    org.ejbca.core.model.authorization.AuthorizationProxy.isAuthorized(AdminInformation admin, String resource)

    cannot check that the admin object was not created outside of EJBCA.
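    What a transient field does to an object that crosses a serialization boundary, as an added illustration that is not code from the post or from EJBCA. The Admin and AdminInfo classes here are stand-ins modelled on the post's description (a transient adminInformation field), not EJBCA's real classes, and the isAuthorized method is a hypothetical check that depends on that field; after a serialize/deserialize round-trip the field is null and the check fails.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class TransientDemo {

    // Stand-in for EJBCA's AdminInformation (assumed shape, for illustration only).
    static class AdminInfo implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        AdminInfo(String name) { this.name = name; }
    }

    // Stand-in for EJBCA's Admin: the field is transient, so Java's default
    // serialization neither writes it nor restores it.
    static class Admin implements Serializable {
        private static final long serialVersionUID = 1L;
        final String username;
        transient AdminInfo adminInformation;
        Admin(String username, AdminInfo info) {
            this.username = username;
            this.adminInformation = info;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Hypothetical authorization check that relies on the transient data.
    static boolean isAuthorized(Admin admin) {
        return admin.adminInformation != null
                && "superadmin".equals(admin.adminInformation.name);
    }

    public static void main(String[] args) throws Exception {
        Admin inProcess = new Admin("CLIENTCERT", new AdminInfo("superadmin"));
        Admin roundTripped = (Admin) deserialize(serialize(inProcess));

        System.out.println("in-process object authorized:   " + isAuthorized(inProcess));
        System.out.println("adminInformation after round-trip: " + roundTripped.adminInformation);
        System.out.println("round-tripped object authorized: " + isAuthorized(roundTripped));
    }
}
```

    The in-process object passes the check; the round-tripped copy has a null adminInformation and is refused, which is the behaviour the post attributes to AuthorizationProxy.isAuthorized when the Admin object is built or transported outside EJBCA.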

  • Tomas Gustavsson

    Nice that you fixed it.

  • Daniel

    Daniel - 2013-10-24

    Tomas, can you tell me whether this looks like a general bug and I can expect a fix for it in the next release, or whether my problem was only caused because I am trying to develop my own project based on the classes already mentioned?

  • Tomas Gustavsson

    It does not look like a general bug. You are somehow serializing the object in the wrong place, in EJBCA it is used internally and not serialized. It may even be a feature.
    In the next release the authorization is anyhow rewritten based on CESecore.
