Added RBAC for REST APIs.

- admin role required for POST, PUT, DELETE & PATCH
- viewer role required for all other requests
- cleaned up all web.xml files for consistency and correctness

Change-Id: I33bad5cec0fb0f4285eed84173025b0a107b5aec
diff --git a/apps/yang/web/src/main/webapp/WEB-INF/web.xml b/apps/yang/web/src/main/webapp/WEB-INF/web.xml
index 90f85fd..063aa5c 100644
--- a/apps/yang/web/src/main/webapp/WEB-INF/web.xml
+++ b/apps/yang/web/src/main/webapp/WEB-INF/web.xml
@@ -15,19 +15,38 @@
   ~ limitations under the License.
   -->
 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xmlns="http://java.sun.com/xml/ns/javaee"
+         xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
          id="ONOS" version="2.5">
-    <display-name>YANG LIVE COMPILER REST API v1.0</display-name>
+    <display-name>YANG Live Compiler REST API v1.0</display-name>
+
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Secured</web-resource-name>
+            <url-pattern>/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>admin</role-name>
+            <role-name>viewer</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <security-role>
+        <role-name>admin</role-name>
+        <role-name>viewer</role-name>
+    </security-role>
+
+    <login-config>
+        <auth-method>BASIC</auth-method>
+        <realm-name>karaf</realm-name>
+    </login-config>
 
     <servlet>
         <servlet-name>JAX-RS Service</servlet-name>
-        <servlet-class>org.glassfish.jersey.servlet.ServletContainer
-        </servlet-class>
+        <servlet-class>org.glassfish.jersey.servlet.ServletContainer</servlet-class>
         <init-param>
             <param-name>javax.ws.rs.Application</param-name>
-            <param-value>org.onosproject.yang.web.YangWebApplication
-            </param-value>
+            <param-value>org.onosproject.yang.web.YangWebApplication</param-value>
         </init-param>
         <init-param>
             <param-name>jersey.config.server.provider.classnames</param-name>
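Review bot: The added `<auth-constraint>` admits both `admin` and `viewer` on `/*` for every HTTP method, so the admin-only rule for POST, PUT, DELETE and PATCH from the commit message is not enforced by this part of the descriptor. The `<web-app>` element continues past the hunk and the check is presumably done by a filter or in code, so a comment above the constraint should say so, e.g. `<!-- Authentication only: the admin-only check for POST/PUT/DELETE/PATCH is enforced in code, not by this constraint -->`. `BASIC` sends the credentials with every request and the constraint has no `<user-data-constraint>`; unless TLS is enforced in front of the container, consider adding `<transport-guarantee>CONFIDENTIAL</transport-guarantee>`. The single `<security-role>` holds two `<role-name>` children, where the web-app 2.5 schema allows one per `<security-role>`, so each role should get its own element. The root also loses its default `xmlns` while `xmlns:web` is bound to the schema file URL rather than the namespace, which leaves every element, including the security ones, in no namespace; it is worth confirming that the deployed container still applies the constraint.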