diff --git a/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/authentication/BearerAuthenticator.java b/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/authentication/BearerAuthenticator.java
new file mode 100644
index 00000000..f56e5c06
--- /dev/null
+++ b/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/authentication/BearerAuthenticator.java
@@ -0,0 +1,84 @@
+/**
+ * Copyright (c) 2016, WSO2.Telco Inc. (http://www.wso2telco.com) All Rights Reserved.
+ *
+ * WSO2.Telco Inc. licences this file to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.wso2telco.core.authfilter.authentication;
+
+import com.wso2telco.core.authfilter.util.AuthFilterParam;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.apimgt.api.APIManagementException;
+import org.wso2.carbon.apimgt.api.model.AccessTokenInfo;
+import org.wso2.carbon.apimgt.impl.APIConstants;
+import org.wso2.carbon.apimgt.impl.factory.KeyManagerHolder;
+import org.wso2.carbon.apimgt.impl.utils.APIUtil;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
+import org.wso2.carbon.user.core.service.RealmService;
+import org.wso2.carbon.utils.multitenancy.MultitenantConstants;
+import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
+
+import javax.ws.rs.container.ContainerRequestContext;
+import java.lang.reflect.Method;
+
+public class BearerAuthenticator {
+ private static final String SUPER_TENANT_SUFFIX =
+ APIConstants.EMAIL_DOMAIN_SEPARATOR + MultitenantConstants.SUPER_TENANT_DOMAIN_NAME;
+ private static final Log log = LogFactory.getLog(BearerAuthenticator.class);
+
+ /**
+ * @param authorizationHeader Authorization Header value
+ * @return boolean
+ */
+ public boolean isAuthenticatedUser(ContainerRequestContext requestContext, Method method, String
+ authorizationHeader) {
+ String accessToken = authorizationHeader
+ .replaceFirst(AuthFilterParam.AUTHENTICATION_SCHEME_BEARER.getTObject() + " ", "");
+ AccessTokenInfo tokenInfo = null;
+ try {
+ tokenInfo = KeyManagerHolder.getKeyManagerInstance().getTokenMetaData(accessToken);
+ } catch (APIManagementException e) {
+ log.error("Error while retrieving token information for token: " + accessToken, e);
+ }
+ // if we got valid access token we will proceed with next
+ if (tokenInfo != null && tokenInfo.isTokenValid()) {
+
+ //If scope validation successful then set tenant name and user name to current context
+ String tenantDomain = MultitenantUtils.getTenantDomain(tokenInfo.getEndUserName());
+ int tenantId;
+ PrivilegedCarbonContext carbonContext = PrivilegedCarbonContext.getThreadLocalCarbonContext();
+ RealmService realmService = (RealmService) carbonContext.getOSGiService(RealmService.class, null);
+ try {
+ String username = tokenInfo.getEndUserName();
+ if (MultitenantConstants.SUPER_TENANT_DOMAIN_NAME.equals(tenantDomain)) {
+ if (username.endsWith(SUPER_TENANT_SUFFIX)) {
+ username = username.substring(0, username.length() - SUPER_TENANT_SUFFIX.length());
+ }
+ }
+ tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
+ carbonContext.setTenantDomain(tenantDomain);
+ carbonContext.setTenantId(tenantId);
+ carbonContext.setUsername(username);
+ if (!tenantDomain.equals(MultitenantConstants.SUPER_TENANT_DOMAIN_NAME)) {
+ APIUtil.loadTenantConfigBlockingMode(tenantDomain);
+ }
+ return true;
+ } catch (org.wso2.carbon.user.api.UserStoreException e) {
+ log.error("Error while retrieving tenant id for tenant domain: " + tenantDomain, e);
+ }
+ } else {
+ log.error("Authentication failed. Please check your token");
+ }
+ return false;
+ }
+}
diff --git a/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/authorization/UserAuthorizationValidator.java b/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/authorization/UserAuthorizationValidator.java
index 5cf5d6e9..ccd89f2f 100644
--- a/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/authorization/UserAuthorizationValidator.java
+++ b/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/authorization/UserAuthorizationValidator.java
@@ -60,4 +60,35 @@ public boolean isAuthorizedRole(String userName, Set allowedRolesSet) {
log.error("authorization failed for user : " + userName);
return false;
}
+
+ /**
+ * Checks the list of allowed scopes for a api resource against the scopes
+ * granted to a token
+ *
+ * @param currentTokenScopes Scopes granted to the token being evaluated
+ * @param allowedScopeSet Scopes allowed to access the APIs resource
+ * @return Boolean
+ *
+ */
+ public Boolean isAuthorizedScope(String[] currentTokenScopes, Set allowedScopeSet){
+
+ List currentTokenScopesList = Arrays.asList(currentTokenScopes);
+
+ Iterator iterator = allowedScopeSet.iterator();
+ while (iterator.hasNext()) {
+
+ String allowedScope = iterator.next();
+ if (currentTokenScopesList.contains(allowedScope)) {
+
+ return true;
+ }
+ }
+
+ if(log.isDebugEnabled()){
+ log.debug("Required OAuth Scopes: " + allowedScopeSet);
+ log.debug("Available OAuth Scopes: " + currentTokenScopesList);
+ }
+
+ return false;
+ }
}
diff --git a/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/impl/authorization/AuthorizationFilterFactory.java b/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/impl/authorization/AuthorizationFilterFactory.java
index 96ae1e7f..3f4c8c56 100644
--- a/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/impl/authorization/AuthorizationFilterFactory.java
+++ b/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/impl/authorization/AuthorizationFilterFactory.java
@@ -23,14 +23,18 @@ public class AuthorizationFilterFactory extends AuthenticationProsser{
@Override
protected AuthenticationFilter loadFilter(String header) {
-
+
AuthenticationFilter authenticationFilter = null;
-
+
if (header.contains(AuthFilterParam.AUTHENTICATION_SCHEME_BASIC.getTObject())) {
authenticationFilter = new BasicAuthenticationFilter();
}
-
+
+ if (header.contains(AuthFilterParam.AUTHENTICATION_SCHEME_BEARER.getTObject())){
+ authenticationFilter = new BearerAuthenticationFilter();
+ }
+
return authenticationFilter;
}
}
diff --git a/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/impl/authorization/BasicAuthenticationFilter.java b/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/impl/authorization/BasicAuthenticationFilter.java
index f2d7503f..f551d861 100644
--- a/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/impl/authorization/BasicAuthenticationFilter.java
+++ b/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/impl/authorization/BasicAuthenticationFilter.java
@@ -15,106 +15,107 @@
******************************************************************************/
package com.wso2telco.core.authfilter.impl.authorization;
-import java.lang.reflect.Method;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
-import java.util.StringTokenizer;
-import javax.annotation.security.RolesAllowed;
-import javax.ws.rs.container.ContainerRequestContext;
-import javax.ws.rs.core.Response;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
import com.wso2telco.core.authfilter.authentication.BasicAuthenticator;
import com.wso2telco.core.authfilter.authorization.UserAuthorizationValidator;
import com.wso2telco.core.authfilter.impl.AuthenticationFilter;
import com.wso2telco.core.authfilter.util.AuthFilterParam;
import com.wso2telco.core.authfilter.util.HeaderParam;
+import org.apache.commons.codec.binary.Base64;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import javax.annotation.security.RolesAllowed;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.core.Response;
+import java.lang.reflect.Method;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.StringTokenizer;
public class BasicAuthenticationFilter implements AuthenticationFilter {
- private final Log log = LogFactory.getLog(BasicAuthenticationFilter.class);
+ private final Log log = LogFactory.getLog(BasicAuthenticationFilter.class);
+
+ Response accessDenied = Response.status(Response.Status.UNAUTHORIZED).entity("You cannot access this resource")
+ .build();
+ private BasicAuthenticator userAuthentication = new BasicAuthenticator();
+ private UserAuthorizationValidator userAuthorizationValidator = new UserAuthorizationValidator();
+
+ private String userName = null;
+
+ @Override
+ public boolean isAuthenticated(ContainerRequestContext requestContext, Method method, String authorizationHeader) {
- Response accessDenied = Response.status(Response.Status.UNAUTHORIZED).entity("You cannot access this resource")
- .build();
- private BasicAuthenticator userAuthentication = new BasicAuthenticator();
- private UserAuthorizationValidator userAuthorizationValidator = new UserAuthorizationValidator();
+ String password = null;
+ boolean isAuthenticated = false;
- private String userName = null;
+ // get base 64 encoded username and password
+ final String encodedUserPassword = authorizationHeader
+ .replaceFirst(AuthFilterParam.AUTHENTICATION_SCHEME_BASIC.getTObject() + " ", "");
- @Override
- public boolean isAuthenticated(ContainerRequestContext requestContext, Method method, String authorizationHeader) {
+ log.debug("base64 encoded username and password : " + encodedUserPassword);
- String password = null;
- boolean isAuthenticated = false;
-
- // get base 64 encoded username and password
- final String encodedUserPassword = authorizationHeader
- .replaceFirst(AuthFilterParam.AUTHENTICATION_SCHEME_BASIC.getTObject() + " ", "");
+ if (encodedUserPassword != null && encodedUserPassword.trim().length() > 0) {
- log.debug("base64 encoded username and password : " + encodedUserPassword);
+ // decode username and password
+ String usernameAndPassword = new String(Base64.decodeBase64(encodedUserPassword.getBytes()));
- if (encodedUserPassword != null && encodedUserPassword.trim().length() > 0) {
+ // split username and password by :
+ final StringTokenizer tokenizer = new StringTokenizer(usernameAndPassword, ":");
- // decode username and password
- String usernameAndPassword = new String(Base64.decodeBase64(encodedUserPassword.getBytes()));
+ if (tokenizer.countTokens() > 1) {
- // split username and password by :
- final StringTokenizer tokenizer = new StringTokenizer(usernameAndPassword, ":");
+ userName = tokenizer.nextToken();
+ password = tokenizer.nextToken();
- if (tokenizer.countTokens() > 1) {
+ log.debug("username : " + userName);
+ log.debug("password : " + password);
- userName = tokenizer.nextToken();
- password = tokenizer.nextToken();
+ // validate user authentication
+ isAuthenticated = userAuthentication.isAuthenticatedUser(userName, password);
- log.debug("username : " + userName);
- log.debug("password : " + password);
+ if (!isAuthenticated) {
- // validate user authentication
- isAuthenticated = userAuthentication.isAuthenticatedUser(userName, password);
+ requestContext.abortWith(accessDenied);
+ return false;
+ }
+ } else {
- if (!isAuthenticated) {
+ requestContext.abortWith(accessDenied);
+ return false;
+ }
+ } else {
- requestContext.abortWith(accessDenied);
- return false;
- }
- } else {
+ requestContext.abortWith(accessDenied);
+ return false;
+ }
- requestContext.abortWith(accessDenied);
- return false;
- }
- } else {
+ return true;
+ }
- requestContext.abortWith(accessDenied);
- return false;
- }
+ @Override
+ public boolean isAuthorized(ContainerRequestContext requestContext, Method method) {
- return true;
- }
+ boolean isAuthorized = false;
- @Override
- public boolean isAuthorized(ContainerRequestContext requestContext, Method method) {
+ requestContext.getHeaders().add(HeaderParam.USER_NAME.getTObject(), userName);
- boolean isAuthorized = false;
-
- requestContext.getHeaders().add(HeaderParam.USER_NAME.getTObject(), userName);
-
- // validate user authorization by using user roles
- if (method.isAnnotationPresent(RolesAllowed.class)) {
+ // validate user authorization by using user roles
+ if (method.isAnnotationPresent(RolesAllowed.class)) {
- RolesAllowed rolesAnnotation = method.getAnnotation(RolesAllowed.class);
- Set allowedRolesSet = new HashSet<>(Arrays.asList(rolesAnnotation.value()));
+ RolesAllowed rolesAnnotation = method.getAnnotation(RolesAllowed.class);
+ Set allowedRolesSet = new HashSet<>(Arrays.asList(rolesAnnotation.value()));
- isAuthorized = userAuthorizationValidator.isAuthorizedRole(userName, allowedRolesSet);
+ isAuthorized = userAuthorizationValidator.isAuthorizedRole(userName, allowedRolesSet);
- if (!isAuthorized) {
+ if (!isAuthorized) {
- requestContext.abortWith(accessDenied);
- return false;
- }
- }
+ requestContext.abortWith(accessDenied);
+ return false;
+ }
+ }
- return true;
- }
+ return true;
+ }
}
diff --git a/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/impl/authorization/BearerAuthenticationFilter.java b/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/impl/authorization/BearerAuthenticationFilter.java
new file mode 100644
index 00000000..94468614
--- /dev/null
+++ b/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/impl/authorization/BearerAuthenticationFilter.java
@@ -0,0 +1,94 @@
+/**
+ * Copyright (c) 2016, WSO2.Telco Inc. (http://www.wso2telco.com) All Rights Reserved.
+ *
+ * WSO2.Telco Inc. licences this file to you under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.wso2telco.core.authfilter.impl.authorization;
+
+import com.wso2telco.core.authfilter.authentication.BearerAuthenticator;
+import com.wso2telco.core.authfilter.authorization.UserAuthorizationValidator;
+import com.wso2telco.core.authfilter.impl.AuthenticationFilter;
+import com.wso2telco.core.authfilter.util.AuthFilterParam;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.context.annotation.Scope;
+import org.wso2.carbon.apimgt.api.APIManagementException;
+import org.wso2.carbon.apimgt.api.model.AccessTokenInfo;
+import org.wso2.carbon.apimgt.impl.factory.KeyManagerHolder;
+
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.core.Response;
+import java.lang.reflect.Method;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+public class BearerAuthenticationFilter implements AuthenticationFilter {
+
+ private static final Log log = LogFactory.getLog(BearerAuthenticationFilter.class);
+ private static final String REGEX_BEARER_PATTERN = "Bearer\\s";
+ private static final Pattern PATTERN = Pattern.compile(REGEX_BEARER_PATTERN);
+ Response accessDenied = Response.status(Response.Status.UNAUTHORIZED).entity("You cannot access this resource")
+ .build();
+ private UserAuthorizationValidator userAuthorizationValidator = new UserAuthorizationValidator();
+ private BearerAuthenticator bearerAuthenticator = new BearerAuthenticator();
+ private String authorizationHeader = null;
+
+ @Override
+ public boolean isAuthenticated(ContainerRequestContext requestContext, Method method, String authorizationHeader) {
+ Boolean isAuthenticated = false;
+ this.authorizationHeader = authorizationHeader;
+
+ isAuthenticated = bearerAuthenticator.isAuthenticatedUser(requestContext, method, authorizationHeader);
+
+ if (!isAuthenticated) {
+ requestContext.abortWith(accessDenied);
+ return false;
+ }
+
+ return true;
+ }
+
+ @Override
+ public boolean isAuthorized(ContainerRequestContext requestContext, Method method) {
+ Boolean isAuthorized = false;
+ if (authorizationHeader != null && method.isAnnotationPresent(Scope.class)) {
+
+ String accessToken = authorizationHeader
+ .replaceFirst(AuthFilterParam.AUTHENTICATION_SCHEME_BEARER.getTObject() + " ", "");
+ AccessTokenInfo tokenInfo = null;
+ try {
+ tokenInfo = KeyManagerHolder.getKeyManagerInstance().getTokenMetaData(accessToken);
+ } catch (APIManagementException e) {
+ log.error("Error while retrieving token information for token: " + accessToken, e);
+ }
+ if (tokenInfo.getScopes() != null) {
+ Scope scopeAnnotation = method.getAnnotation(Scope.class);
+ Set allowedScopeSet = new HashSet<>(Arrays.asList(scopeAnnotation.value().split(" ")));
+ if (log.isDebugEnabled()) {
+ log.debug("Access Token: " + tokenInfo.getAccessToken());
+ }
+ isAuthorized = userAuthorizationValidator.isAuthorizedScope(tokenInfo.getScopes(), allowedScopeSet);
+
+ if (isAuthorized) {
+ return true;
+ }
+ }
+ }
+ log.error("Authorization failed : Invalid OAuth token scope");
+
+ requestContext.abortWith(accessDenied);
+ return false;
+ }
+}
\ No newline at end of file
diff --git a/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/util/AuthFilterParam.java b/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/util/AuthFilterParam.java
index 68f24e02..2a79a9e0 100644
--- a/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/util/AuthFilterParam.java
+++ b/components/security/auth-filter/src/main/java/com/wso2telco/core/authfilter/util/AuthFilterParam.java
@@ -19,6 +19,7 @@ public enum AuthFilterParam {
AUTHORIZATION_PROPERTY("Authorization"),
AUTHENTICATION_SCHEME_BASIC("Basic"),
+ AUTHENTICATION_SCHEME_BEARER("Bearer"),
COOKIE("Cookie"),
JSESSION_ID("JSESSIONID=");
diff --git a/components/security/user-profile/src/main/java/com/wso2telco/core/userprofile/permission/impl/UserRolePermissionFactory.java b/components/security/user-profile/src/main/java/com/wso2telco/core/userprofile/permission/impl/UserRolePermissionFactory.java
index a0ef5103..c407f86b 100644
--- a/components/security/user-profile/src/main/java/com/wso2telco/core/userprofile/permission/impl/UserRolePermissionFactory.java
+++ b/components/security/user-profile/src/main/java/com/wso2telco/core/userprofile/permission/impl/UserRolePermissionFactory.java
@@ -22,29 +22,40 @@
import com.wso2telco.core.userprofile.util.UserRolePermissionType;
public class UserRolePermissionFactory {
- private static UserRolePermissionFactory instance;
-
- public static UserRolePermissionFactory getInstance() {
- if(instance==null) {
- instance= new UserRolePermissionFactory();
- }
- return instance;
- }
-
-
- public UserRolePermission getUserRolePermissionExecuter(UserRolePermissionType userRolePermissionType) throws BusinessException {
-
- UserRolePermission userRolePermission = null;
-
- switch (userRolePermissionType) {
- case UI_PERMISSION:{
- userRolePermission = new WSO2PermissionBuilder();
- }
- break;
- default:
- break;
- }
-
- return userRolePermission;
- }
+ private static UserRolePermissionFactory instance;
+
+ private Map permissionBuilderMap;
+
+ private UserRolePermissionFactory() {
+ permissionBuilderMap = new HashMap();
+ }
+
+ public static UserRolePermissionFactory getInstance() {
+ if (instance == null) {
+ instance = new UserRolePermissionFactory();
+ }
+ return instance;
+ }
+
+
+ public UserRolePermission getUserRolePermissionExecuter(UserRolePermissionType userRolePermissionType) throws BusinessException {
+
+ UserRolePermission userRolePermission = null;
+
+ switch (userRolePermissionType) {
+ case UI_PERMISSION: {
+ if (permissionBuilderMap.containsKey(userRolePermissionType)) {
+ userRolePermission = permissionBuilderMap.get(userRolePermissionType);
+ } else {
+ userRolePermission = new WSO2PermissionBuilder();
+ permissionBuilderMap.put(userRolePermissionType, userRolePermission);
+ }
+ }
+ break;
+ default:
+ break;
+ }
+
+ return userRolePermission;
+ }
}
diff --git a/components/security/user-profile/src/main/java/com/wso2telco/core/userprofile/permission/impl/WSO2PermissionBuilder.java b/components/security/user-profile/src/main/java/com/wso2telco/core/userprofile/permission/impl/WSO2PermissionBuilder.java
index fd4b3a82..95184edb 100644
--- a/components/security/user-profile/src/main/java/com/wso2telco/core/userprofile/permission/impl/WSO2PermissionBuilder.java
+++ b/components/security/user-profile/src/main/java/com/wso2telco/core/userprofile/permission/impl/WSO2PermissionBuilder.java
@@ -15,17 +15,11 @@
******************************************************************************/
package com.wso2telco.core.userprofile.permission.impl;
-import java.rmi.RemoteException;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.List;
-import java.util.Map;
-import java.util.Optional;
-import java.util.Set;
-
+import com.wso2telco.core.dbutils.exception.BusinessException;
+import com.wso2telco.core.dbutils.exception.GenaralError;
+import com.wso2telco.core.userprofile.prosser.UserRoleProsser;
+import com.wso2telco.core.userprofile.util.AdminServicePath;
+import com.wso2telco.core.userprofile.util.UserRolePermissionType;
import org.apache.axis2.AxisFault;
import org.apache.axis2.transport.http.HTTPConstants;
import org.apache.commons.lang.StringUtils;
@@ -39,169 +33,165 @@
import org.wso2.carbon.user.mgt.stub.types.carbon.UIPermissionNode;
import org.wso2.carbon.utils.CarbonUtils;
-import com.wso2telco.core.dbutils.exception.BusinessException;
-import com.wso2telco.core.dbutils.exception.GenaralError;
-import com.wso2telco.core.userprofile.prosser.UserRoleProsser;
-import com.wso2telco.core.userprofile.util.AdminServicePath;
-import com.wso2telco.core.userprofile.util.UserRolePermissionType;
+import java.rmi.RemoteException;
+import java.util.*;
class WSO2PermissionBuilder implements UserRolePermission {
- private final Log log = LogFactory.getLog(WSO2PermissionBuilder.class);
- private UserAdminStub userAdminStub;
- private static final Integer DEFAULT_SO_TIMEOUT=1000*60*2;//2mins as default
- private static final Integer DEFAULT_CONNECTION_TIMEOUT= 1000*60*2;
-
- public WSO2PermissionBuilder() throws BusinessException {
- APIManagerConfiguration config = HostObjectComponent.getAPIManagerConfiguration();
- String userAdminServiceEndpoint = config.getFirstProperty(APIConstants.AUTH_MANAGER_URL)
- + AdminServicePath.USER_ADMIN.getTObject();
- String adminUsername = config.getFirstProperty(APIConstants.AUTH_MANAGER_USERNAME);
- String adminPassword = config.getFirstProperty(APIConstants.AUTH_MANAGER_PASSWORD);
- try {
- userAdminStub = new UserAdminStub(userAdminServiceEndpoint);
- userAdminStub._getServiceClient().getOptions().setProperty(HTTPConstants.SO_TIMEOUT, DEFAULT_SO_TIMEOUT); //set so time out and connection timeout to 2min
- userAdminStub._getServiceClient().getOptions().setProperty(HTTPConstants.CONNECTION_TIMEOUT, DEFAULT_CONNECTION_TIMEOUT);
- } catch (AxisFault e) {
- log.error("", e);
- throw new BusinessException(GenaralError.INTERNAL_SERVER_ERROR);
- }
- CarbonUtils.setBasicAccessSecurityHeaders(adminUsername, adminPassword, userAdminStub._getServiceClient());
- }
-
- /**
- * This will build the permision tree using given users name
- */
- public Map build(final String userName) throws BusinessException {
- Map permisionTree = Collections.emptyMap();
- RetunEntitiy retunItem = new RetunEntitiy();
- try {
- UserRoleProsser userRoleRetriever = new UserRoleProsser();
- UIPermissionNode uiPermissionTree = null;
-
-
- List currentUserRoleList = userRoleRetriever.getRolesByUserName(userName);
- /**
- * None of the roles are assign for the user
- */
- if (currentUserRoleList.isEmpty()) {
- throw new BusinessException("No roles assigned for user :" + userName);
- }
-
- for (Iterator iterator = currentUserRoleList.iterator(); iterator.hasNext();) {
-
- String roleName = iterator.next();
-
- UIPermissionNode rolePermissions = userAdminStub.getRolePermissions(roleName);
- /**
- * if the permission node is empty
- */
- if (rolePermissions == null || rolePermissions.getNodeList() == null) {
- continue;
- }
-
- /**
- * filter out ui permission only
- */
- Optional optNode = Arrays.stream(rolePermissions.getNodeList())
- .filter(rowItem -> rowItem.getDisplayName()
- .equalsIgnoreCase(UserRolePermissionType.UI_PERMISSION.getTObject()))
- .findFirst();
-
- /**
- * check for existence of node
- */
- if (optNode.isPresent()) {
- uiPermissionTree = optNode.get();
-
- if (uiPermissionTree.getNodeList() != null && uiPermissionTree.getNodeList().length > 0) {
- retunItem = popUserRolePermissions(uiPermissionTree.getNodeList());
- if (retunItem.atLeastOneSelected) {
- break;
- }
- } else {
- /**
- * if the current role does not contain Ui permission then continue
- */
- continue;
- }
- }
-
- }
-
- if (retunItem.returnMap.isEmpty()) {
- throw new BusinessException(
- UserRolePermissionType.UI_PERMISSION.getTObject() + " not assigned for the user :" + userName
- + " , assigned roles :[ " + StringUtils.join(currentUserRoleList, ",") + "]");
- }
-
- } catch (RemoteException | UserAdminUserAdminException e) {
- log.error("UIPermission.build", e);
- throw new BusinessException(GenaralError.INTERNAL_SERVER_ERROR);
- }
- if (retunItem.returnMap.isEmpty()) {
- log.warn(" No ui permission tree found for " + userName);
- return Collections.emptyMap();
- } else {
- return retunItem.returnMap;
- }
-
- }
-
- /**
- * recuresvly build the permission tree and return as tree of maps
- *
- * @param rootPermissionTree
- * @return
- */
-
- private RetunEntitiy popUserRolePermissions(UIPermissionNode[] rootPermissionTree) {
- RetunEntitiy entity = new RetunEntitiy();
- Arrays.stream(rootPermissionTree).forEach(item -> {
- /**
- * if node has child elements
- */
- UIPermissionNode[] uiPermissionArray = item.getNodeList();
- if (uiPermissionArray != null && uiPermissionArray.length > 0) {
-
- RetunEntitiy temp = popUserRolePermissions(uiPermissionArray);
- entity.mergeMapEntry(item.getResourcePath(), temp);
-
- } else {
- /**
- * node don't have children
- */
-
- entity.mergeMapEntry(item);
- }
-
- });
-
- return entity;
- }
-
- class RetunEntitiy {
- private boolean atLeastOneSelected = false;
- private Map returnMap = new HashMap<>();
-
- public void setEntryName(String key,Object value ) {
- returnMap.put(key, value);
- }
- public void mergeMapEntry(UIPermissionNode item) {
- String[] resourcePathSplit = item.getResourcePath().split("/");
- this.returnMap.put(resourcePathSplit[resourcePathSplit.length-1],item.getSelected());
- if(item.getSelected()) {
- atLeastOneSelected=true;
- }
- }
-
- public void mergeMapEntry(String resourcePath, RetunEntitiy mergeEntry) {
- String[] resourcePathSplit = resourcePath.split("/");
- this.returnMap.put(resourcePathSplit[resourcePathSplit.length-1], mergeEntry.returnMap);
- if(mergeEntry.atLeastOneSelected) {
- this.atLeastOneSelected = mergeEntry.atLeastOneSelected;
- }
- }
-
- }
+ private final Log log = LogFactory.getLog(WSO2PermissionBuilder.class);
+ private UserAdminStub userAdminStub;
+ private static final Integer DEFAULT_SO_TIMEOUT = 1000 * 60 * 2;//2mins as default
+ private static final Integer DEFAULT_CONNECTION_TIMEOUT = 1000 * 60 * 2;
+
+ public WSO2PermissionBuilder() throws BusinessException {
+ APIManagerConfiguration config = HostObjectComponent.getAPIManagerConfiguration();
+ String userAdminServiceEndpoint = config.getFirstProperty(APIConstants.AUTH_MANAGER_URL)
+ + AdminServicePath.USER_ADMIN.getTObject();
+ String adminUsername = config.getFirstProperty(APIConstants.AUTH_MANAGER_USERNAME);
+ String adminPassword = config.getFirstProperty(APIConstants.AUTH_MANAGER_PASSWORD);
+ try {
+ userAdminStub = new UserAdminStub(userAdminServiceEndpoint);
+ userAdminStub._getServiceClient().getOptions().setProperty(HTTPConstants.SO_TIMEOUT, DEFAULT_SO_TIMEOUT); //set so time out and connection timeout to 2min
+ userAdminStub._getServiceClient().getOptions().setProperty(HTTPConstants.CONNECTION_TIMEOUT, DEFAULT_CONNECTION_TIMEOUT);
+ } catch (AxisFault e) {
+ log.error("", e);
+ throw new BusinessException(GenaralError.INTERNAL_SERVER_ERROR);
+ }
+ CarbonUtils.setBasicAccessSecurityHeaders(adminUsername, adminPassword, userAdminStub._getServiceClient());
+ }
+
+ /**
+ * This will build the permision tree using given users name
+ */
+ public Map build(final String userName) throws BusinessException {
+ Map permisionTree = Collections.emptyMap();
+ RetunEntitiy retunItem = new RetunEntitiy();
+ try {
+ UserRoleProsser userRoleRetriever = new UserRoleProsser();
+ UIPermissionNode uiPermissionTree = null;
+
+
+ List currentUserRoleList = userRoleRetriever.getRolesByUserName(userName);
+ /**
+ * None of the roles are assign for the user
+ */
+ if (currentUserRoleList.isEmpty()) {
+ throw new BusinessException("No roles assigned for user :" + userName);
+ }
+
+ for (Iterator iterator = currentUserRoleList.iterator(); iterator.hasNext(); ) {
+
+ String roleName = iterator.next();
+
+ UIPermissionNode rolePermissions = userAdminStub.getRolePermissions(roleName);
+ /**
+ * if the permission node is empty
+ */
+ if (rolePermissions == null || rolePermissions.getNodeList() == null) {
+ continue;
+ }
+
+ /**
+ * filter out ui permission only
+ */
+ Optional optNode = Arrays.stream(rolePermissions.getNodeList())
+ .filter(rowItem -> rowItem.getDisplayName()
+ .equalsIgnoreCase(UserRolePermissionType.UI_PERMISSION.getTObject()))
+ .findFirst();
+
+ /**
+ * check for existence of node
+ */
+ if (optNode.isPresent()) {
+ uiPermissionTree = optNode.get();
+
+ if (uiPermissionTree.getNodeList() != null && uiPermissionTree.getNodeList().length > 0) {
+ retunItem = popUserRolePermissions(uiPermissionTree.getNodeList());
+ if (retunItem.atLeastOneSelected) {
+ break;
+ }
+ } else {
+ /**
+ * if the current role does not contain Ui permission then continue
+ */
+ continue;
+ }
+ }
+
+ }
+
+ if (retunItem.returnMap.isEmpty()) {
+ throw new BusinessException(
+ UserRolePermissionType.UI_PERMISSION.getTObject() + " not assigned for the user :" + userName
+ + " , assigned roles :[ " + StringUtils.join(currentUserRoleList, ",") + "]");
+ }
+
+ } catch (RemoteException | UserAdminUserAdminException e) {
+ log.error("UIPermission.build", e);
+ throw new BusinessException(GenaralError.INTERNAL_SERVER_ERROR);
+ }
+ if (retunItem.returnMap.isEmpty()) {
+ log.warn(" No ui permission tree found for " + userName);
+ return Collections.emptyMap();
+ } else {
+ return retunItem.returnMap;
+ }
+
+ }
+
+ /**
+ * recuresvly build the permission tree and return as tree of maps
+ *
+ * @param rootPermissionTree
+ * @return
+ */
+
+ private RetunEntitiy popUserRolePermissions(UIPermissionNode[] rootPermissionTree) {
+ RetunEntitiy entity = new RetunEntitiy();
+ Arrays.stream(rootPermissionTree).forEach(item -> {
+ /**
+ * if node has child elements
+ */
+ UIPermissionNode[] uiPermissionArray = item.getNodeList();
+ if (uiPermissionArray != null && uiPermissionArray.length > 0) {
+
+ RetunEntitiy temp = popUserRolePermissions(uiPermissionArray);
+ entity.mergeMapEntry(item.getDisplayName(), temp);
+
+ } else {
+ /**
+ * node don't have children
+ */
+
+ entity.mergeMapEntry(item);
+ }
+
+ });
+
+ return entity;
+ }
+
+ class RetunEntitiy {
+ private boolean atLeastOneSelected = false;
+ private Map returnMap = new HashMap<>();
+
+ public void setEntryName(String key, Object value) {
+ returnMap.put(key, value);
+ }
+
+ public void mergeMapEntry(UIPermissionNode item) {
+ this.returnMap.put(item.getDisplayName(), item.getSelected());
+ if (item.getSelected()) {
+ atLeastOneSelected = true;
+ }
+ }
+
+ public void mergeMapEntry(String entryName, RetunEntitiy mergeEntry) {
+ this.returnMap.put(entryName, mergeEntry.returnMap);
+ if (mergeEntry.atLeastOneSelected) {
+ this.atLeastOneSelected = mergeEntry.atLeastOneSelected;
+ }
+ }
+
+ }
}
diff --git a/components/security/user-profile/src/main/resources/META-INF/component.xml b/components/security/user-profile/src/main/resources/META-INF/component.xml
index 9cfb72e2..bf380df1 100644
--- a/components/security/user-profile/src/main/resources/META-INF/component.xml
+++ b/components/security/user-profile/src/main/resources/META-INF/component.xml
@@ -92,5 +92,9 @@
Whitelist
/permission/UIModulePermission/whiteList
+
+ User Mask
+ /permission/UIModulePermission/user-mask
+
\ No newline at end of file