From 67484d9008eb427b7e221ec688902bf1ce80664a Mon Sep 17 00:00:00 2001 
From: Thomas Vachuska Date: Tue, 17 Jul 2018 11:51:54 -0700 Subject: [PATCH] Added RBAC for REST APIs. - admin role required for POST, PUT, DELETE & PATCH - viewer role required for all other requests - cleaned up all web.xml files for consistency and correctness Change-Id: I33bad5cec0fb0f4285eed84173025b0a107b5aec --- apps/acl/src/main/webapp/WEB-INF/web.xml | 2 + apps/castor/src/main/webapp/WEB-INF/web.xml | 2 + apps/cfm/nbi/src/main/webapp/WEB-INF/web.xml | 2 + .../src/main/webapp/WEB-INF/web.xml | 2 + .../cpman/app/src/main/webapp/WEB-INF/web.xml | 2 + apps/dhcp/app/src/main/webapp/WEB-INF/web.xml | 2 + .../fmweb/src/main/webapp/WEB-INF/web.xml | 21 +++++++ apps/imr/api/src/main/webapp/WEB-INF/web.xml | 2 + .../app/src/main/webapp/WEB-INF/web.xml | 21 +++++++ .../web/src/main/webapp/WEB-INF/web.xml | 2 + .../mcast/web/src/main/webapp/WEB-INF/web.xml | 2 + apps/mfwd/src/main/webapp/WEB-INF/web.xml | 21 +++++++ apps/ofagent/src/main/webapp/WEB-INF/web.xml | 2 + .../app/src/main/webapp/WEB-INF/web.xml | 2 + .../src/main/webapp/WEB-INF/web.xml | 21 +++++++ .../app/src/main/webapp/WEB-INF/web.xml | 2 + .../app/src/main/webapp/WEB-INF/web.xml | 2 + .../app/src/main/webapp/WEB-INF/web.xml | 2 + .../src/main/webapp/WEB-INF/web.xml | 2 + apps/pce/pcerest/pom.xml | 13 +++- .../src/main/resources/WEB-INF/web.xml | 21 +++++++ .../onosproject/pcerest/PceResourceTest.java | 2 + .../src/main/webapp/WEB-INF/web.xml | 2 + .../app/src/main/webapp/WEB-INF/web.xml | 2 + .../web/src/main/webapp/WEB-INF/web.xml | 2 + .../src/main/webapp/WEB-INF/web.xml | 2 + apps/t3/web/src/main/webapp/WEB-INF/web.xml | 2 + .../test/demo/src/main/webapp/WEB-INF/web.xml | 21 +++++++ .../src/main/webapp/WEB-INF/web.xml | 21 +++++++ .../vtnweb/src/main/webapp/WEB-INF/web.xml | 4 +- apps/yang/web/src/main/webapp/WEB-INF/web.xml | 31 ++++++++-- .../src/main/webapp/WEB-INF/web.xml | 2 + tools/package/runtime/bin/onos-compile-yang | 3 +- .../onlab/rest/AbstractWebApplication.java | 5 +- 
.../org/onlab/rest/AuthorizationFilter.java | 59 +++++++++++++++++++ .../rest/exceptions/ForbiddenMapper.java | 32 ++++++++++ web/api/src/main/webapp/WEB-INF/web.xml | 2 + .../rest/resources/ResourceTest.java | 2 + 38 files changed, 330 insertions(+), 12 deletions(-) create mode 100644 utils/rest/src/main/java/org/onlab/rest/AuthorizationFilter.java create mode 100644 utils/rest/src/main/java/org/onlab/rest/exceptions/ForbiddenMapper.java diff --git a/apps/acl/src/main/webapp/WEB-INF/web.xml b/apps/acl/src/main/webapp/WEB-INF/web.xml index 27d9cc745a..68b2485a78 100644 --- a/apps/acl/src/main/webapp/WEB-INF/web.xml +++ b/apps/acl/src/main/webapp/WEB-INF/web.xml @@ -31,11 +31,13 @@ admin + viewer admin + viewer diff --git a/apps/castor/src/main/webapp/WEB-INF/web.xml b/apps/castor/src/main/webapp/WEB-INF/web.xml index 1c8762ed8c..8ce51f76fb 100644 --- a/apps/castor/src/main/webapp/WEB-INF/web.xml +++ b/apps/castor/src/main/webapp/WEB-INF/web.xml @@ -28,11 +28,13 @@ admin + viewer admin + viewer diff --git a/apps/cfm/nbi/src/main/webapp/WEB-INF/web.xml b/apps/cfm/nbi/src/main/webapp/WEB-INF/web.xml index b4fb8f0a4f..f8355c7640 100644 --- a/apps/cfm/nbi/src/main/webapp/WEB-INF/web.xml +++ b/apps/cfm/nbi/src/main/webapp/WEB-INF/web.xml @@ -28,11 +28,13 @@ admin + viewer admin + viewer diff --git a/apps/cord-support/src/main/webapp/WEB-INF/web.xml b/apps/cord-support/src/main/webapp/WEB-INF/web.xml index caf7a5d010..c204451e70 100644 --- a/apps/cord-support/src/main/webapp/WEB-INF/web.xml +++ b/apps/cord-support/src/main/webapp/WEB-INF/web.xml @@ -28,11 +28,13 @@ admin + viewer admin + viewer diff --git a/apps/cpman/app/src/main/webapp/WEB-INF/web.xml b/apps/cpman/app/src/main/webapp/WEB-INF/web.xml index dceaf96578..74e321e83e 100644 --- a/apps/cpman/app/src/main/webapp/WEB-INF/web.xml +++ b/apps/cpman/app/src/main/webapp/WEB-INF/web.xml @@ -28,11 +28,13 @@ admin + viewer admin + viewer 
diff --git a/apps/dhcp/app/src/main/webapp/WEB-INF/web.xml b/apps/dhcp/app/src/main/webapp/WEB-INF/web.xml index 30bd18648a..257119eee9 100644 --- a/apps/dhcp/app/src/main/webapp/WEB-INF/web.xml +++ b/apps/dhcp/app/src/main/webapp/WEB-INF/web.xml @@ -28,11 +28,13 @@ admin + viewer admin + viewer diff --git a/apps/faultmanagement/fmweb/src/main/webapp/WEB-INF/web.xml b/apps/faultmanagement/fmweb/src/main/webapp/WEB-INF/web.xml index 9430499774..6a172d0cd8 100644 --- a/apps/faultmanagement/fmweb/src/main/webapp/WEB-INF/web.xml +++ b/apps/faultmanagement/fmweb/src/main/webapp/WEB-INF/web.xml @@ -20,6 +20,27 @@ id="ONOS" version="2.5"> FM2 REST API v1.0 + + + Secured + /* + + + admin + viewer + + + + + admin + viewer + + + + BASIC + karaf + + JAX-RS Service org.glassfish.jersey.servlet.ServletContainer diff --git a/apps/imr/api/src/main/webapp/WEB-INF/web.xml b/apps/imr/api/src/main/webapp/WEB-INF/web.xml index ce093c0e93..2288b7f102 100644 --- a/apps/imr/api/src/main/webapp/WEB-INF/web.xml +++ b/apps/imr/api/src/main/webapp/WEB-INF/web.xml @@ -28,11 +28,13 @@ admin + viewer admin + viewer diff --git a/apps/kafka-integration/app/src/main/webapp/WEB-INF/web.xml b/apps/kafka-integration/app/src/main/webapp/WEB-INF/web.xml index 3ad1602f49..d30a300bb4 100644 --- a/apps/kafka-integration/app/src/main/webapp/WEB-INF/web.xml +++ b/apps/kafka-integration/app/src/main/webapp/WEB-INF/web.xml @@ -20,6 +20,27 @@ id="ONOS" version="2.5"> Event Exporter REST API + + + Secured + /* + + + admin + viewer + + + + + admin + viewer + + + + BASIC + karaf + + JAX-RS Service org.glassfish.jersey.servlet.ServletContainer diff --git a/apps/mappingmanagement/web/src/main/webapp/WEB-INF/web.xml b/apps/mappingmanagement/web/src/main/webapp/WEB-INF/web.xml index 8fe01702db..800f5231eb 100644 --- a/apps/mappingmanagement/web/src/main/webapp/WEB-INF/web.xml +++ b/apps/mappingmanagement/web/src/main/webapp/WEB-INF/web.xml @@ -27,11 +27,13 @@ admin + viewer admin + viewer 
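Review bot: The security constraint added to the faultmanagement fmweb web.xml pairs BASIC authentication with the karaf realm but appears to declare no transport guarantee, so the credentials travel base64-encoded on every request over whatever transport the listener offers. The XML tags are stripped in this rendering, so this is inferred from the absence of any CONFIDENTIAL value among the visible text. Where the container terminates TLS, add `<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>` to the constraint; otherwise document that the REST port must only be reachable through a TLS front end. The same block is added for kafka-integration, mfwd, openstacknetworkingui, pce, test/demo, virtualbng and yang.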
diff --git a/apps/mcast/web/src/main/webapp/WEB-INF/web.xml b/apps/mcast/web/src/main/webapp/WEB-INF/web.xml index d1f8718db2..b382fb6fe6 100644 --- a/apps/mcast/web/src/main/webapp/WEB-INF/web.xml +++ b/apps/mcast/web/src/main/webapp/WEB-INF/web.xml @@ -27,11 +27,13 @@ admin + viewer admin + viewer diff --git a/apps/mfwd/src/main/webapp/WEB-INF/web.xml b/apps/mfwd/src/main/webapp/WEB-INF/web.xml index 9757ff4c3a..19afe5ee0a 100644 --- a/apps/mfwd/src/main/webapp/WEB-INF/web.xml +++ b/apps/mfwd/src/main/webapp/WEB-INF/web.xml @@ -20,6 +20,27 @@ id="ONOS" version="2.5"> ONOS APP MFWD + + + Secured + /* + + + admin + viewer + + + + + admin + viewer + + + + BASIC + karaf + + JAX-RS Service org.glassfish.jersey.servlet.ServletContainer diff --git a/apps/ofagent/src/main/webapp/WEB-INF/web.xml b/apps/ofagent/src/main/webapp/WEB-INF/web.xml index cc3d463e33..b71cf1db38 100644 --- a/apps/ofagent/src/main/webapp/WEB-INF/web.xml +++ b/apps/ofagent/src/main/webapp/WEB-INF/web.xml @@ -28,11 +28,13 @@ admin + viewer admin + viewer diff --git a/apps/openstacknetworking/app/src/main/webapp/WEB-INF/web.xml b/apps/openstacknetworking/app/src/main/webapp/WEB-INF/web.xml index 9194183730..017ef9c919 100644 --- a/apps/openstacknetworking/app/src/main/webapp/WEB-INF/web.xml +++ b/apps/openstacknetworking/app/src/main/webapp/WEB-INF/web.xml @@ -27,11 +27,13 @@ admin + viewer admin + viewer diff --git a/apps/openstacknetworkingui/src/main/webapp/WEB-INF/web.xml b/apps/openstacknetworkingui/src/main/webapp/WEB-INF/web.xml index 616ad86566..d5d4006848 100644 --- a/apps/openstacknetworkingui/src/main/webapp/WEB-INF/web.xml +++ b/apps/openstacknetworkingui/src/main/webapp/WEB-INF/web.xml @@ -20,6 +20,27 @@ id="ONOS" version="2.5"> SONA GUI REST API v1.0 + + + Secured + /* + + + admin + viewer + + + + + admin + viewer + + + + BASIC + karaf + + JAX-RS Service org.glassfish.jersey.servlet.ServletContainer 
diff --git a/apps/openstacknode/app/src/main/webapp/WEB-INF/web.xml b/apps/openstacknode/app/src/main/webapp/WEB-INF/web.xml index e1f7ceb310..ed670ddc4a 100644 --- a/apps/openstacknode/app/src/main/webapp/WEB-INF/web.xml +++ b/apps/openstacknode/app/src/main/webapp/WEB-INF/web.xml @@ -28,11 +28,13 @@ admin + viewer admin + viewer diff --git a/apps/openstacktelemetry/app/src/main/webapp/WEB-INF/web.xml b/apps/openstacktelemetry/app/src/main/webapp/WEB-INF/web.xml index 92cd1c4856..1181c43848 100644 --- a/apps/openstacktelemetry/app/src/main/webapp/WEB-INF/web.xml +++ b/apps/openstacktelemetry/app/src/main/webapp/WEB-INF/web.xml @@ -27,11 +27,13 @@ admin + viewer admin + viewer diff --git a/apps/openstackvtap/app/src/main/webapp/WEB-INF/web.xml b/apps/openstackvtap/app/src/main/webapp/WEB-INF/web.xml index c309d1dcd7..8b445374fa 100644 --- a/apps/openstackvtap/app/src/main/webapp/WEB-INF/web.xml +++ b/apps/openstackvtap/app/src/main/webapp/WEB-INF/web.xml @@ -27,11 +27,13 @@ admin + viewer admin + viewer diff --git a/apps/optical-rest/src/main/webapp/WEB-INF/web.xml b/apps/optical-rest/src/main/webapp/WEB-INF/web.xml index 1437d86426..a55f02b3aa 100644 --- a/apps/optical-rest/src/main/webapp/WEB-INF/web.xml +++ b/apps/optical-rest/src/main/webapp/WEB-INF/web.xml @@ -28,11 +28,13 @@ admin + viewer admin + viewer diff --git a/apps/pce/pcerest/pom.xml b/apps/pce/pcerest/pom.xml index 634ec38661..c288e110ef 100644 --- a/apps/pce/pcerest/pom.xml +++ b/apps/pce/pcerest/pom.xml @@ -96,7 +96,18 @@ onos-apps-pce-app ${project.version} - + + org.onosproject + onos-rest + ${project.version} + + + org.onosproject + onos-rest + ${project.version} + test + tests + diff --git a/apps/pce/pcerest/src/main/resources/WEB-INF/web.xml b/apps/pce/pcerest/src/main/resources/WEB-INF/web.xml index ae129fc75a..388044aa24 100644 --- a/apps/pce/pcerest/src/main/resources/WEB-INF/web.xml +++ b/apps/pce/pcerest/src/main/resources/WEB-INF/web.xml 
@@ -20,6 +20,27 @@ id="ONOS" version="2.5"> PCE REST API v1.0 + + + Secured + /* + + + admin + viewer + + + + + admin + viewer + + + + BASIC + karaf + + JAX-RS Service org.glassfish.jersey.servlet.ServletContainer diff --git a/apps/pce/pcerest/src/test/java/org/onosproject/pcerest/PceResourceTest.java b/apps/pce/pcerest/src/test/java/org/onosproject/pcerest/PceResourceTest.java index 1f6980158a..a24c874b99 100644 --- a/apps/pce/pcerest/src/test/java/org/onosproject/pcerest/PceResourceTest.java +++ b/apps/pce/pcerest/src/test/java/org/onosproject/pcerest/PceResourceTest.java @@ -18,6 +18,7 @@ package org.onosproject.pcerest; import org.glassfish.jersey.server.ResourceConfig; import org.glassfish.jersey.test.JerseyTest; import org.glassfish.jersey.test.TestProperties; +import org.onlab.rest.AuthorizationFilter; /** * Base class for pce rest api tests. Performs common configuration operations. @@ -29,6 +30,7 @@ public class PceResourceTest extends JerseyTest { */ public PceResourceTest() { super(ResourceConfig.forApplicationClass(PceWebApplication.class)); + AuthorizationFilter.disableForTests(); set(TestProperties.CONTAINER_PORT, 0); } } diff --git a/apps/powermanagement/src/main/webapp/WEB-INF/web.xml b/apps/powermanagement/src/main/webapp/WEB-INF/web.xml index f3440eeeae..7a6e3be2bf 100644 --- a/apps/powermanagement/src/main/webapp/WEB-INF/web.xml +++ b/apps/powermanagement/src/main/webapp/WEB-INF/web.xml @@ -28,11 +28,13 @@ admin + viewer admin + viewer diff --git a/apps/route-service/app/src/main/webapp/WEB-INF/web.xml b/apps/route-service/app/src/main/webapp/WEB-INF/web.xml index 6b1d27a16e..1c3d2b0513 100644 --- a/apps/route-service/app/src/main/webapp/WEB-INF/web.xml +++ b/apps/route-service/app/src/main/webapp/WEB-INF/web.xml @@ -28,11 +28,13 @@ admin + viewer admin + viewer diff --git a/apps/segmentrouting/web/src/main/webapp/WEB-INF/web.xml b/apps/segmentrouting/web/src/main/webapp/WEB-INF/web.xml index 73154e3393..1362728a97 100644 
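Review bot: `AuthorizationFilter.disableForTests()` in the `PceResourceTest` constructor sets a static flag that is never cleared, so every test that runs later in the same JVM executes with authorization switched off, and nothing in this commit exercises the filter itself. A focused test that sends a modifying request as a viewer-only user and expects 403, and a read as a viewer and expects success, would pin the behaviour the commit message promises. The same call is added to `ResourceTest.configureProperties()` in web/api.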
--- a/apps/segmentrouting/web/src/main/webapp/WEB-INF/web.xml +++ b/apps/segmentrouting/web/src/main/webapp/WEB-INF/web.xml @@ -28,11 +28,13 @@ admin + viewer admin + viewer diff --git a/apps/simplefabric/src/main/webapp/WEB-INF/web.xml b/apps/simplefabric/src/main/webapp/WEB-INF/web.xml index a0e0004874..e1366710f7 100644 --- a/apps/simplefabric/src/main/webapp/WEB-INF/web.xml +++ b/apps/simplefabric/src/main/webapp/WEB-INF/web.xml @@ -27,11 +27,13 @@ admin + viewer admin + viewer diff --git a/apps/t3/web/src/main/webapp/WEB-INF/web.xml b/apps/t3/web/src/main/webapp/WEB-INF/web.xml index d99a6ae524..9bed96956c 100644 --- a/apps/t3/web/src/main/webapp/WEB-INF/web.xml +++ b/apps/t3/web/src/main/webapp/WEB-INF/web.xml @@ -28,11 +28,13 @@ admin + viewer admin + viewer diff --git a/apps/test/demo/src/main/webapp/WEB-INF/web.xml b/apps/test/demo/src/main/webapp/WEB-INF/web.xml index acc738e6b0..04701ab5a4 100644 --- a/apps/test/demo/src/main/webapp/WEB-INF/web.xml +++ b/apps/test/demo/src/main/webapp/WEB-INF/web.xml @@ -20,6 +20,27 @@ id="ONOS" version="2.5"> ONOS DEMO APP API v1.0 + + + Secured + /* + + + admin + viewer + + + + + admin + viewer + + + + BASIC + karaf + + JAX-RS Service org.glassfish.jersey.servlet.ServletContainer diff --git a/apps/virtualbng/src/main/webapp/WEB-INF/web.xml b/apps/virtualbng/src/main/webapp/WEB-INF/web.xml index b66d9bf20d..d395d3d3af 100644 --- a/apps/virtualbng/src/main/webapp/WEB-INF/web.xml +++ b/apps/virtualbng/src/main/webapp/WEB-INF/web.xml @@ -20,6 +20,27 @@ id="ONOS" version="2.5"> ONOS Virtual BNG APP REST API + + + Secured + /* + + + admin + viewer + + + + + admin + viewer + + + + BASIC + karaf + + JAX-RS Service org.glassfish.jersey.servlet.ServletContainer diff --git a/apps/vtn/vtnweb/src/main/webapp/WEB-INF/web.xml b/apps/vtn/vtnweb/src/main/webapp/WEB-INF/web.xml index f83ad87f69..8c368d904e 100644 --- a/apps/vtn/vtnweb/src/main/webapp/WEB-INF/web.xml +++ b/apps/vtn/vtnweb/src/main/webapp/WEB-INF/web.xml 
@@ -20,7 +20,6 @@ id="ONOS" version="2.5"> VTNRSC REST API v1.0 - JAX-RS Service diff --git a/apps/yang/web/src/main/webapp/WEB-INF/web.xml b/apps/yang/web/src/main/webapp/WEB-INF/web.xml index 90f85fd017..063aa5c975 100644 --- a/apps/yang/web/src/main/webapp/WEB-INF/web.xml +++ b/apps/yang/web/src/main/webapp/WEB-INF/web.xml @@ -15,19 +15,38 @@ ~ limitations under the License. --> - YANG LIVE COMPILER REST API v1.0 + YANG Live Compiler REST API v1.0 + + + + Secured + /* + + + admin + viewer + + + + + admin + viewer + + + + BASIC + karaf + JAX-RS Service - org.glassfish.jersey.servlet.ServletContainer - + org.glassfish.jersey.servlet.ServletContainer javax.ws.rs.Application - org.onosproject.yang.web.YangWebApplication - + org.onosproject.yang.web.YangWebApplication jersey.config.server.provider.classnames diff --git a/tools/package/archetypes/rest/src/main/resources/archetype-resources/src/main/webapp/WEB-INF/web.xml b/tools/package/archetypes/rest/src/main/resources/archetype-resources/src/main/webapp/WEB-INF/web.xml index 015f85e906..f2b06c7353 100644 --- a/tools/package/archetypes/rest/src/main/resources/archetype-resources/src/main/webapp/WEB-INF/web.xml +++ b/tools/package/archetypes/rest/src/main/resources/archetype-resources/src/main/webapp/WEB-INF/web.xml @@ -28,11 +28,13 @@ admin + viewer admin + viewer diff --git a/tools/package/runtime/bin/onos-compile-yang b/tools/package/runtime/bin/onos-compile-yang index 22044b5af7..943716dcc1 100755 --- a/tools/package/runtime/bin/onos-compile-yang +++ b/tools/package/runtime/bin/onos-compile-yang @@ -1,5 +1,4 @@ #!/bin/bash - # # Copyright 2015-present Open Networking Foundation # @@ -44,4 +43,4 @@ fi file=$(basename $yang) modelId="$(echo $file | sed -E 's/(.zip|.jar|.yang)$//g')" -curl $URL?modelId=$modelId -F"file=@$yang" +$curl $URL?modelId=$modelId -F"file=@$yang" 
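Review bot: The new `$curl` invocation in onos-compile-yang leaves `$URL?modelId=$modelId` and `$yang` unquoted, so a model path containing spaces is word-split and the `?` is open to pathname expansion; `$curl "$URL?modelId=$modelId" -F "file=@$yang"` avoids both. `$curl` is not defined anywhere in this hunk, so confirm it is set earlier in the script, presumably carrying the credentials the new role checks require. If it were empty, the shell would try to execute the URL as a command.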
diff --git a/utils/rest/src/main/java/org/onlab/rest/AbstractWebApplication.java b/utils/rest/src/main/java/org/onlab/rest/AbstractWebApplication.java
index f744929cd9..41839c75e9 100644
--- a/utils/rest/src/main/java/org/onlab/rest/AbstractWebApplication.java
+++ b/utils/rest/src/main/java/org/onlab/rest/AbstractWebApplication.java
@@ -19,6 +19,7 @@ package org.onlab.rest;
 import com.google.common.collect.ImmutableSet;
 import org.onlab.rest.exceptions.BadRequestMapper;
 import org.onlab.rest.exceptions.EntityNotFoundMapper;
+import org.onlab.rest.exceptions.ForbiddenMapper;
 import org.onlab.rest.exceptions.IllegalArgumentExceptionMapper;
 import org.onlab.rest.exceptions.IllegalStateExceptionMapper;
 import org.onlab.rest.exceptions.NotFoundMapper;
@@ -43,7 +44,9 @@ public abstract class AbstractWebApplication extends Application {
 */
 protected Set> getClasses(Class... classes) {
 ImmutableSet.Builder> builder = ImmutableSet.builder();
- builder.add(ServiceNotFoundMapper.class,
+ builder.add(AuthorizationFilter.class,
+ ForbiddenMapper.class,
+ ServiceNotFoundMapper.class,
 EntityNotFoundMapper.class,
 NotFoundMapper.class,
 ServerErrorMapper.class,
diff --git a/utils/rest/src/main/java/org/onlab/rest/AuthorizationFilter.java b/utils/rest/src/main/java/org/onlab/rest/AuthorizationFilter.java
new file mode 100644
index 0000000000..6bf8a2f7e5
--- /dev/null
+++ b/utils/rest/src/main/java/org/onlab/rest/AuthorizationFilter.java
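Review bot: `getClasses(Class... classes)` in AbstractWebApplication now prepends `AuthorizationFilter` and `ForbiddenMapper`, but its Javadoc, which starts above this hunk, is not updated, so nothing tells an app author that role enforcement depends on going through this helper. A subclass that assembles its own class set, or a deployment that lists providers only in web.xml, would presumably run without the filter. I would add to the Javadoc something like `Also registers the AuthorizationFilter that enforces the admin/viewer roles; applications that bypass this method are not covered by RBAC.` The method body continues past the end of the hunk.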
@@ -0,0 +1,59 @@
+/*
+ * Copyright 2018-present Open Networking Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.onlab.rest;
+
+import com.google.common.collect.ImmutableSet;
+
+import javax.ws.rs.ForbiddenException;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.container.ContainerRequestFilter;
+import java.io.IOException;
+import java.util.Set;
+
+/**
+ * Filter that performs authorization checks on all incoming REST API requests.
+ * Methods with modify semantics require 'admin' role; all others require 'viewer' role.
+ */
+public class AuthorizationFilter implements ContainerRequestFilter {
+
+ private static final String ADMIN = "admin";
+ private static final String VIEWER = "viewer";
+
+ private static final String FORBIDDEN_MSG =
+ "User has insufficient privilege for this request";
+
+ private static final Set PRIVILEGED_METHODS =
+ ImmutableSet.of("POST", "PUT", "DELETE", "PATCH");
+
+ private static boolean disableForTests = false;
+
+ @Override
+ public void filter(ContainerRequestContext requestContext) throws IOException {
+ if (disableForTests) {
+ return;
+ }
+ if ((PRIVILEGED_METHODS.contains(requestContext.getMethod()) &&
+ !requestContext.getSecurityContext().isUserInRole(ADMIN)) ||
+ !requestContext.getSecurityContext().isUserInRole(VIEWER)) {
+ throw new ForbiddenException(FORBIDDEN_MSG);
+ }
+ }
+
+ public static void disableForTests() {
+ disableForTests = true;
+ }
+}
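Review bot: `PRIVILEGED_METHODS` is a deny-list, so in `filter()` any HTTP method not named there, including an extension method a resource happens to accept, is authorised with only the `viewer` role. Listing the read-only methods and requiring `admin` for everything else fails closed, as in the fence below, which keeps the existing role semantics. Separately, `disableForTests()` is a public static method on the shipped class that turns off every check in the JVM without a log line, and the flag is not `volatile`; consider keeping that switch out of production code or at least logging a warning when it is set. As written, a user holding `admin` but not `viewer` is refused on every request, which deserves a sentence in the class Javadoc.

```java
    // Methods a viewer may use; anything else, including unrecognised methods, needs admin.
    private static final Set<String> READ_ONLY_METHODS =
            ImmutableSet.of("GET", "HEAD", "OPTIONS");

    // ... unchanged: disableForTests flag ...

    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        if (disableForTests) {
            return;
        }
        boolean readOnly = READ_ONLY_METHODS.contains(requestContext.getMethod());
        if ((!readOnly && !requestContext.getSecurityContext().isUserInRole(ADMIN)) ||
                !requestContext.getSecurityContext().isUserInRole(VIEWER)) {
            throw new ForbiddenException(FORBIDDEN_MSG);
        }
    }
```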
diff --git a/utils/rest/src/main/java/org/onlab/rest/exceptions/ForbiddenMapper.java b/utils/rest/src/main/java/org/onlab/rest/exceptions/ForbiddenMapper.java new file mode 100644 index 0000000000..63c8960ddf --- /dev/null +++ b/utils/rest/src/main/java/org/onlab/rest/exceptions/ForbiddenMapper.java @@ -0,0 +1,32 @@ +/* + * Copyright 2018-present Open Networking Foundation + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.onlab.rest.exceptions; + +import javax.ws.rs.ForbiddenException; +import javax.ws.rs.core.Response; +import javax.ws.rs.ext.Provider; + +/** + * Mapper for service not found exceptions to the NOT_FOUND response code. + */ +@Provider +public class ForbiddenMapper extends AbstractMapper { + @Override + protected Response.Status responseStatus() { + return Response.Status.FORBIDDEN; + } +} diff --git a/web/api/src/main/webapp/WEB-INF/web.xml b/web/api/src/main/webapp/WEB-INF/web.xml index 381868eeb3..324d46d957 100644 --- a/web/api/src/main/webapp/WEB-INF/web.xml +++ b/web/api/src/main/webapp/WEB-INF/web.xml @@ -29,11 +29,13 @@ admin + viewer admin + viewer diff --git a/web/api/src/test/java/org/onosproject/rest/resources/ResourceTest.java b/web/api/src/test/java/org/onosproject/rest/resources/ResourceTest.java index 24036f6f66..9f809f35b4 100644 --- a/web/api/src/test/java/org/onosproject/rest/resources/ResourceTest.java +++ b/web/api/src/test/java/org/onosproject/rest/resources/ResourceTest.java 
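Review bot: The class Javadoc on `ForbiddenMapper` was copied from another mapper and still says `Mapper for service not found exceptions to the NOT_FOUND response code.`, while `responseStatus()` returns `Response.Status.FORBIDDEN`. It should read `Mapper for forbidden exceptions to the FORBIDDEN response code.` so that the 403 mapping used by the new authorization filter is not mistaken for a 404 one.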
@@ -23,6 +23,7 @@ import org.glassfish.jersey.test.spi.TestContainerException; import org.glassfish.jersey.test.spi.TestContainerFactory; import org.onlab.junit.TestUtils; import org.onlab.osgi.ServiceDirectory; +import org.onlab.rest.AuthorizationFilter; import org.onlab.rest.BaseResource; /** @@ -49,6 +50,7 @@ public class ResourceTest extends JerseyTest { private void configureProperties() { set(TestProperties.CONTAINER_PORT, 0); + AuthorizationFilter.disableForTests(); } /**