Affects Version/s: None
Fix Version/s: EJBCA 6.12.0
Issue discovered during: Customer
Sprint:EJBCA Sprint 9
Running a WS call through an RA (certreq, which is one of the supported calls) fails with the error:
Error : Administrator is not authorized to resource /administrator.
This happens unless there is a Role on the RA that has a rule "/administrator: allow" for the client certificate used to make the WS call. For example, using clientToolBox:
./ejbcaClientToolBox.sh EjbcaWsRaCli certreq ratest1 "CN=ratest1" NULL "3GPP CA" EMPTY ENDUSER 1.csr PKCS10 PEM NONE .
As a workaround, create a role on the RA (called "WS RA", for example) with a single allow rule for "/administrator/".
This should not be needed, however, as the roles on the CA should be the ones used.
The issue is that EjbcaWsHelperSessionBean.getAdmin makes a call to:
Replacing the local call to authorizationSession with raMasterApiProxyBean.isAuthorizedNoLogging fixes the issue and lets the check run against the CA role through the Peer.