POC for login only mode option

components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/module/ResourceConfig.java

@@ -31,6 +31,7 @@ public class ResourceConfig implements Serializable {
     private boolean isCrossTenantAllowed;
     private String permissions;
     private List<String> scopes;
+    private String accessControl;
     // Comma separated list of allowed authentication handler names. If all handlers are engaged the value is 'all'
     private String allowedAuthHandlers;
     private List<String> crossAccessAllowedTenants;
@@ -104,4 +105,12 @@ public void setScopes(List<String> scopes) {
 
         this.scopes = scopes;
     }
+
+    public String getAccessControl() {
+        return accessControl;
+    }
+
+    public void setAccessControl(String accessControl) {
+        this.accessControl = accessControl;
+    }
 }

components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/util/AuthConfigurationUtil.java

@@ -107,6 +107,8 @@ public void buildResourceAccessControlData() {
                     String isCrossTenantAllowed = resource.getAttributeValue(new QName(Constants.RESOURCE_CROSS_TENANT_ATTR));
                     String allowedAuthHandlers =
                             resource.getAttributeValue(new QName(Constants.RESOURCE_ALLOWED_AUTH_HANDLERS));
+                    String accessControl = resource.getAttributeValue(
+                            new QName(Constants.RESOURCE_ACCESS_CONTROL));
 
                     StringBuilder permissionBuilder = new StringBuilder();
                     Iterator<OMElement> permissionsIterator = resource.getChildrenWithName(
@@ -137,6 +139,7 @@ public void buildResourceAccessControlData() {
 
                     resourceConfig.setContext(context);
                     resourceConfig.setHttpMethod(httpMethod);
+                    resourceConfig.setAccessControl(accessControl);
                     if ( StringUtils.isNotEmpty(isSecured) && (Boolean.TRUE.toString().equals(isSecured) ||
                             Boolean.FALSE.toString().equals(isSecured)) ) {
                         resourceConfig.setIsSecured(Boolean.parseBoolean(isSecured));

components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/util/Constants.java

@@ -10,6 +10,7 @@ public class Constants {
     public final static String RESOURCE_CONTEXT_ATTR = "context";
     public final static String RESOURCE_SECURED_ATTR = "secured";
     public final static String RESOURCE_HTTP_METHOD_ATTR = "http-method";
+    public final static String RESOURCE_ACCESS_CONTROL = "access-control";
     public final static String RESOURCE_PERMISSION_ELE = "Permissions";
     public final static String RESOURCE_SCOPE_ELE = "Scopes";
     public final static String OAUTH2_ALLOWED_SCOPES = "oauth2-allowed-scopes";
@@ -33,6 +34,7 @@ public class Constants {
     public final static String CONTEXT_ELE = "Context";
     public final static String CERT_AUTHENTICATION_ENABLE_ATTR = "enable";
     public final static String DENY_DEFAULT_ACCESS = "deny";
+    private final static String ACCESS_CONTROL_STATUS_DENY = "deny";
 
     public final static String COOKIE_BASED_TOKEN_BINDING = "cookie";
     public final static String COOKIE_BASED_TOKEN_BINDING_EXT_PARAM = "atbv";

components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/AuthorizationContext.java

@@ -28,6 +28,7 @@ public class AuthorizationContext extends MessageContext {
 
     private String context;
     private String httpMethods;
+    private String accessControl;
 
     private User user;
     private String permissionString;
@@ -107,4 +108,12 @@ public void setRequiredScopes(List<String> requiredScopes) {
 
         this.requiredScopes = requiredScopes;
     }
+
+    public String getAccessControl() {
+        return accessControl;
+    }
+
+    public void setAccessControl(String accessControl) {
+        this.accessControl = accessControl;
+    }
 }

components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/AuthorizationManager.java

@@ -31,6 +31,7 @@
 public class AuthorizationManager implements IdentityHandler {
 
     private static AuthorizationManager authorizationManager = new AuthorizationManager();
+    private static String ACCESS_CONTROL_STATUS_DENY = "deny";
 
     private AuthorizationManager() {
     }
@@ -43,6 +44,7 @@ public AuthorizationResult authorize(AuthorizationContext authorizationContext)
 
         AuthorizationResult authorizationResult = new AuthorizationResult(AuthorizationStatus.DENY);
         boolean isResourceHandlerAvailableToHandleAuthorization = false;
+
         if (StringUtils.isEmpty(authorizationContext.getPermissionString()) && authorizationContext.getRequiredScopes().size() == 0) {
             // If the permission string is empty or not scope is defined then we check the registered available
             // external resource handlers.
@@ -67,6 +69,8 @@ public AuthorizationResult authorize(AuthorizationContext authorizationContext)
                     .getFirstPriorityHandler(getAuthorizationHandlerList, true);
             authorizationResult = authorizationHandler.handleAuthorization(authorizationContext);
 
+        } else if (ACCESS_CONTROL_STATUS_DENY.equalsIgnoreCase(authorizationContext.getAccessControl())) {
+            authorizationResult.setAuthorizationStatus(AuthorizationStatus.DENY);
         } else {
             authorizationResult.setAuthorizationStatus(AuthorizationStatus.GRANT);
         }

components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/handler/AuthorizationHandler.java

@@ -54,7 +54,7 @@ public class AuthorizationHandler extends AbstractIdentityHandler {
     private static final Log log = LogFactory.getLog(AuthorizationHandler.class);
 
     private static final String RESOURCE_PERMISSION_NONE = "none";
-
+    private static final String ACCESS_CONTROL_STATUS = "deny";
 
     /**
      * Handle Authorization.
@@ -65,7 +65,11 @@ public class AuthorizationHandler extends AbstractIdentityHandler {
      */
     public AuthorizationResult handleAuthorization(AuthorizationContext authorizationContext)
             throws AuthzServiceServerException {
+
         AuthorizationResult authorizationResult = new AuthorizationResult(AuthorizationStatus.DENY);
+        if (ACCESS_CONTROL_STATUS.equalsIgnoreCase(authorizationContext.getAccessControl())) {
+            return authorizationResult;
+        }
         try {
             User user = authorizationContext.getUser();
             String userDomain = user.getTenantDomain();

components/org.wso2.carbon.identity.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/AuthorizationValve.java

@@ -113,6 +113,9 @@ public void invoke(Request request, Response response) throws IOException, Servl
                 if (resourceConfig != null && CollectionUtils.isNotEmpty(resourceConfig.getScopes())) {
                     authorizationContext.setRequiredScopes(resourceConfig.getScopes());
                 }
+                if (resourceConfig != null && StringUtils.isNotEmpty(resourceConfig.getAccessControl())) {
+                    authorizationContext.setAccessControl(resourceConfig.getAccessControl());
+                }
                 String contextPath = request.getContextPath();
                 String httpMethod = request.getMethod();
                 authorizationContext.setContext(contextPath);