EJBCA: ECA-6641

WS through Peer RA does not work without a local Role on the RA

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 6.12.0
    • Component/s: None
    • Labels: None
    • Issue discovered during: Customer
    • Sprint: EJBCA Sprint 9

      Description

      Running a WS call through an RA (for example certreq, one of the supported calls) fails with the error:
      Error : Administrator is not authorized to resource /administrator.

      unless there is a Role on the RA with an "/administrator: allow" rule matching the client certificate used to make the WS call. Example call using clientToolBox:

      ./ejbcaClientToolBox.sh EjbcaWsRaCli certreq ratest1 "CN=ratest1" NULL "3GPP CA" EMPTY ENDUSER 1.csr PKCS10 PEM NONE .

      There is a workaround: create a role on the RA (called "WS RA", for example) with a single allow rule for "/administrator/".

      This should not be needed, however, since all roles should come from the CA.

      The issue is that EjbcaWsHelperSessionBean.getAdmin makes a local call to:
      authorizationSession.isAuthorizedNoLogging(admin, AccessRulesConstants.ROLE_ADMINISTRATOR)

      Replacing the local authorizationSession call with raMasterApiProxyBean.isAuthorizedNoLogging fixes the issue and lets the check be evaluated against the role on the CA, through the Peer connection.
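      To make the difference between the two checks concrete, the following is an added, self-contained Java illustration, not EJBCA source code: the RA's local role store is empty (as intended when roles live on the CA), the CA's store holds the "/administrator" rule for the WS client, and the same getAdmin-style check is run once against the RA-local authorization and once through a proxy that forwards to the CA. Only the names authorizationSession, raMasterApiProxyBean, AccessRulesConstants.ROLE_ADMINISTRATOR and the resource "/administrator" come from the report; every other class, method and the sample subject DN are assumptions made for the example.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;

/*
 * Added illustration of the behaviour described in ECA-6641. All classes here are
 * stand-ins constructed for the example, not EJBCA's real implementation.
 */
public class WsAuthorizationDelegationExample {

    /** Stand-in for the EJBCA constant named in the report. */
    static final class AccessRulesConstants {
        static final String ROLE_ADMINISTRATOR = "/administrator";
    }

    /** Assumed common shape of the local authorization session and the RA master API proxy. */
    interface Authorization {
        boolean isAuthorizedNoLogging(String adminDn, String resource);
    }

    /** Role store of one node: which resources each client-certificate subject may access. */
    static final class RoleStore implements Authorization {
        private final Map<String, Set<String>> rulesBySubject;
        RoleStore(Map<String, Set<String>> rulesBySubject) { this.rulesBySubject = rulesBySubject; }
        @Override public boolean isAuthorizedNoLogging(String adminDn, String resource) {
            return rulesBySubject.getOrDefault(adminDn, Collections.emptySet()).contains(resource);
        }
    }

    /** Stand-in for raMasterApiProxyBean: forwards the question over the Peer connection to the CA. */
    static final class RaMasterApiProxy implements Authorization {
        private final Authorization caNode;
        RaMasterApiProxy(Authorization caNode) { this.caNode = caNode; }
        @Override public boolean isAuthorizedNoLogging(String adminDn, String resource) {
            return caNode.isAuthorizedNoLogging(adminDn, resource); // evaluated against the CA's roles
        }
    }

    static final class AuthorizationDeniedException extends Exception {
        AuthorizationDeniedException(String msg) { super(msg); }
    }

    /**
     * Shape of the check in getAdmin; what matters for the bug is which Authorization is
     * passed in: the RA-local session (before the fix) or the proxy to the CA (after).
     */
    static String getAdmin(Authorization authz, String adminDn) throws AuthorizationDeniedException {
        if (!authz.isAuthorizedNoLogging(adminDn, AccessRulesConstants.ROLE_ADMINISTRATOR)) {
            throw new AuthorizationDeniedException(
                "Administrator is not authorized to resource " + AccessRulesConstants.ROLE_ADMINISTRATOR + ".");
        }
        return adminDn;
    }

    public static void main(String[] args) {
        String wsClient = "CN=ratest1"; // constructed: subject of the client cert used by clientToolBox

        // Constructed data: the CA holds the role granting /administrator; the RA holds no local roles.
        Authorization caRoles = new RoleStore(Map.of(wsClient, Set.of(AccessRulesConstants.ROLE_ADMINISTRATOR)));
        Authorization authorizationSession = new RoleStore(Map.of()); // RA-local roles: empty
        Authorization raMasterApiProxyBean = new RaMasterApiProxy(caRoles);

        // Before the fix: getAdmin consults the RA's local roles and denies the WS client.
        try {
            getAdmin(authorizationSession, wsClient);
            System.out.println("local check: allowed");
        } catch (AuthorizationDeniedException e) {
            System.out.println("local check: " + e.getMessage());
        }

        // After the fix: the same check is answered by the CA through the Peer and succeeds.
        try {
            System.out.println("proxied check: allowed for " + getAdmin(raMasterApiProxyBean, wsClient));
        } catch (AuthorizationDeniedException e) {
            System.out.println("proxied check: " + e.getMessage());
        }
    }
}
```

      Compile and run with a Java 9 or later JDK (javac WsAuthorizationDelegationExample.java && java WsAuthorizationDelegationExample). The point of the two runs is that the principal and the requested resource are identical; only the node whose roles answer the question changes, which is exactly what moving the call from authorizationSession to raMasterApiProxyBean does.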


              People

              Assignee: Tomas Gustavsson (tomas)
              Reporter: Tomas Gustavsson (tomas)
              Verified by: Henrik Sunmark
              Votes: 0
              Watchers: 4
