diff --git a/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/module/ResourceConfig.java b/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/module/ResourceConfig.java
index d573fde9..e158901d 100644
--- a/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/module/ResourceConfig.java
+++ b/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/module/ResourceConfig.java
@@ -31,6 +31,7 @@ public class ResourceConfig implements Serializable {
     private boolean isCrossTenantAllowed;
     private String permissions;
     private List scopes;
+    private String accessControl;
     // Comma separated list of allowed authentication handler names. If all handlers are engaged the value is 'all'
     private String allowedAuthHandlers;
     private List crossAccessAllowedTenants;
@@ -104,4 +105,12 @@ public void setScopes(List scopes) {
         this.scopes = scopes;
     }
 
+
+    public String getAccessControl() {
+        return accessControl;
+    }
+
+    public void setAccessControl(String accessControl) {
+        this.accessControl = accessControl;
+    }
 }
diff --git a/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/util/AuthConfigurationUtil.java b/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/util/AuthConfigurationUtil.java
index 3cb98204..7785888a 100644
--- a/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/util/AuthConfigurationUtil.java
+++ b/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/util/AuthConfigurationUtil.java
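Review bot: The new `accessControl` field has no comment saying what it holds, while the neighbouring `allowedAuthHandlers` field documents its format; the value is copied verbatim from the resource's `access-control` attribute, and the only value the authorization code in this commit reacts to is `deny` (anything else falls through to the existing permission and scope checks). Suggest adding above the field `// Value of the resource's 'access-control' attribute; 'deny' blocks the resource outright, any other value falls through to the normal permission/scope checks.` The getter and setter in the second hunk of this file would benefit from a one-line Javadoc saying the same. ResourceConfig is Serializable, so adding a field changes the computed serialVersionUID unless an explicit one is declared; that declaration, if any, is outside this hunk.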
@@ -107,6 +107,8 @@ public void buildResourceAccessControlData() {
 
             String isCrossTenantAllowed = resource.getAttributeValue(new QName(Constants.RESOURCE_CROSS_TENANT_ATTR));
             String allowedAuthHandlers = resource.getAttributeValue(new QName(Constants.RESOURCE_ALLOWED_AUTH_HANDLERS));
+            String accessControl = resource.getAttributeValue(
+                    new QName(Constants.RESOURCE_ACCESS_CONTROL));
 
             StringBuilder permissionBuilder = new StringBuilder();
             Iterator permissionsIterator = resource.getChildrenWithName(
@@ -137,6 +139,7 @@ public void buildResourceAccessControlData() {
 
             resourceConfig.setContext(context);
             resourceConfig.setHttpMethod(httpMethod);
+            resourceConfig.setAccessControl(accessControl);
             if ( StringUtils.isNotEmpty(isSecured) && (Boolean.TRUE.toString().equals(isSecured) || Boolean.FALSE.toString().equals(isSecured)) ) {
                 resourceConfig.setIsSecured(Boolean.parseBoolean(isSecured));
diff --git a/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/util/Constants.java b/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/util/Constants.java
index 7c925f73..aef4a783 100644
--- a/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/util/Constants.java
+++ b/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/util/Constants.java
@@ -10,6 +10,7 @@ public class Constants {
     public final static String RESOURCE_CONTEXT_ATTR = "context";
     public final static String RESOURCE_SECURED_ATTR = "secured";
     public final static String RESOURCE_HTTP_METHOD_ATTR = "http-method";
+    public final static String RESOURCE_ACCESS_CONTROL = "access-control";
     public final static String RESOURCE_PERMISSION_ELE = "Permissions";
     public final static String RESOURCE_SCOPE_ELE = "Scopes";
     public final static String OAUTH2_ALLOWED_SCOPES = "oauth2-allowed-scopes";
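Review bot: `accessControl` is read from the `access-control` attribute and stored without any validation, and the only consumers in this commit (AuthorizationManager and AuthorizationHandler) compare it case-insensitively against `"deny"` and otherwise fall through to the normal grant path, so a misspelt value such as `denied` silently leaves the resource open. A configuration mistake that relaxes access is better rejected, or at least logged, when the file is parsed than discovered at request time. One option right after the new lines, using whatever logger this class has and the `context` value that the second hunk passes to `setContext`: `if (StringUtils.isNotEmpty(accessControl) && !"deny".equalsIgnoreCase(accessControl)) { log.warn("Unknown access-control value '" + accessControl + "' for resource " + context + "; attribute ignored."); }` — with the literal replaced by a shared public constant (the `ACCESS_CONTROL_STATUS_DENY` this commit adds to Constants is `private` and cannot be used here). `buildResourceAccessControlData` starts and ends outside this hunk.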
@@ -33,6 +34,7 @@ public class Constants {
     public final static String CONTEXT_ELE = "Context";
     public final static String CERT_AUTHENTICATION_ENABLE_ATTR = "enable";
     public final static String DENY_DEFAULT_ACCESS = "deny";
+    private final static String ACCESS_CONTROL_STATUS_DENY = "deny";
     public final static String COOKIE_BASED_TOKEN_BINDING = "cookie";
     public final static String COOKIE_BASED_TOKEN_BINDING_EXT_PARAM = "atbv";
 
diff --git a/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/AuthorizationContext.java b/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/AuthorizationContext.java
index a355c562..1a3636c5 100644
--- a/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/AuthorizationContext.java
+++ b/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/AuthorizationContext.java
@@ -28,6 +28,7 @@ public class AuthorizationContext extends MessageContext {
 
     private String context;
     private String httpMethods;
+    private String accessControl;
     private User user;
     private String permissionString;
 
@@ -107,4 +108,12 @@ public void setRequiredScopes(List requiredScopes) {
         this.requiredScopes = requiredScopes;
     }
 
+
+    public String getAccessControl() {
+        return accessControl;
+    }
+
+    public void setAccessControl(String accessControl) {
+        this.accessControl = accessControl;
+    }
 }
diff --git a/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/AuthorizationManager.java b/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/AuthorizationManager.java
index e3ed1f9f..52c25da9 100644
--- a/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/AuthorizationManager.java
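Review bot: `ACCESS_CONTROL_STATUS_DENY` is declared `private` inside a constants holder, so no other class can read it and it is dead as written; AuthorizationManager and AuthorizationHandler in this same commit each declare their own copy of the `"deny"` literal instead of referencing one shared value. Make it `public final static String ACCESS_CONTROL_STATUS_DENY = "deny";` and have the other two classes use it, or drop it if the authz components cannot depend on this Constants class (that dependency is not visible on this page). It also carries the same value as `DENY_DEFAULT_ACCESS` on the line above; if the two settings are distinct, a one-line comment on each saying what it governs would stop them being conflated, and if they are not, one constant is enough.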
+++ b/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/AuthorizationManager.java
@@ -31,6 +31,7 @@ public class AuthorizationManager implements IdentityHandler {
 
     private static AuthorizationManager authorizationManager = new AuthorizationManager();
 
+    private static String ACCESS_CONTROL_STATUS_DENY = "deny";
 
     private AuthorizationManager() {
 
     }
@@ -43,6 +44,7 @@ public AuthorizationResult authorize(AuthorizationContext authorizationContext)
 
         AuthorizationResult authorizationResult = new AuthorizationResult(AuthorizationStatus.DENY);
         boolean isResourceHandlerAvailableToHandleAuthorization = false;
+
         if (StringUtils.isEmpty(authorizationContext.getPermissionString()) && authorizationContext.getRequiredScopes().size() == 0) {
             // If the permission string is empty or not scope is defined then we check the registered available
             // external resource handlers.
@@ -67,6 +69,8 @@ public AuthorizationResult authorize(AuthorizationContext authorizationContext)
                     .getFirstPriorityHandler(getAuthorizationHandlerList, true);
             authorizationResult = authorizationHandler.handleAuthorization(authorizationContext);
+        } else if (ACCESS_CONTROL_STATUS_DENY.equalsIgnoreCase(authorizationContext.getAccessControl())) {
+            authorizationResult.setAuthorizationStatus(AuthorizationStatus.DENY);
         } else {
             authorizationResult.setAuthorizationStatus(AuthorizationStatus.GRANT);
         }
 
diff --git a/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/handler/AuthorizationHandler.java b/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/handler/AuthorizationHandler.java
index 17379c84..e3cf4eaf 100644
--- a/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/handler/AuthorizationHandler.java
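Review bot: `ACCESS_CONTROL_STATUS_DENY` is a mutable static — `private static String` rather than `private static final String` — so the string that gates a deny decision can be reassigned from within the class (or via reflection) and is not a compile-time constant. Change it to `private static final String ACCESS_CONTROL_STATUS_DENY = "deny";`. The same literal is declared again as `ACCESS_CONTROL_STATUS` in AuthorizationHandler and, privately, in Constants in this commit; one shared, public constant under one name would keep the three comparisons from drifting apart.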
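Review bot: The deny check is reached only when no registered resource handler took the request — it sits in the `else if` after the `handleAuthorization` call — so when a handler is selected, honouring `access-control="deny"` is left to that handler. AuthorizationHandler does check it in this commit, but nothing obliges any other handler returned by `getFirstPriorityHandler` to consult `getAccessControl()`, so an explicit deny could be overturned by a handler that ignores the attribute. Evaluating it once at the top of `authorize`, before any handler is consulted, makes the deny unconditional: right after `authorizationResult` is initialised to `AuthorizationStatus.DENY` in the previous hunk, `if (ACCESS_CONTROL_STATUS_DENY.equalsIgnoreCase(authorizationContext.getAccessControl())) { return authorizationResult; }`, after which the `else if` branch here is no longer needed. `authorize` starts and ends outside this hunk.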
+++ b/components/org.wso2.carbon.identity.authz.service/src/main/java/org/wso2/carbon/identity/authz/service/handler/AuthorizationHandler.java
@@ -54,7 +54,7 @@ public class AuthorizationHandler extends AbstractIdentityHandler {
 
     private static final Log log = LogFactory.getLog(AuthorizationHandler.class);
     private static final String RESOURCE_PERMISSION_NONE = "none";
-
+    private static final String ACCESS_CONTROL_STATUS = "deny";
 
     /**
      * Handle Authorization.
@@ -65,7 +65,11 @@ public class AuthorizationHandler extends AbstractIdentityHandler {
 
      */
     public AuthorizationResult handleAuthorization(AuthorizationContext authorizationContext) throws AuthzServiceServerException {
 
+        AuthorizationResult authorizationResult = new AuthorizationResult(AuthorizationStatus.DENY);
+        if (ACCESS_CONTROL_STATUS.equalsIgnoreCase(authorizationContext.getAccessControl())) {
+            return authorizationResult;
+        }
         try {
             User user = authorizationContext.getUser();
             String userDomain = user.getTenantDomain();
diff --git a/components/org.wso2.carbon.identity.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/AuthorizationValve.java b/components/org.wso2.carbon.identity.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/AuthorizationValve.java
index e30f3cfc..32960973 100644
--- a/components/org.wso2.carbon.identity.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/AuthorizationValve.java
+++ b/components/org.wso2.carbon.identity.authz.valve/src/main/java/org/wso2/carbon/identity/authz/valve/AuthorizationValve.java
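Review bot: `ACCESS_CONTROL_STATUS` holds the literal `"deny"` but its name says only "status", so the comparison site in `handleAuthorization` reads as though any status value were being matched; AuthorizationManager names the same literal `ACCESS_CONTROL_STATUS_DENY` in this commit. Rename it to `private static final String ACCESS_CONTROL_STATUS_DENY = "deny";` so the two classes agree, or better, reference a single public constant shared by both (the one added to Constants is currently `private`).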
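Review bot: The Javadoc of `handleAuthorization` ("Handle Authorization.") does not say that the method now returns DENY before any user, permission or scope lookup when the context's access control is `deny`; since this is the point where a resource is hard-blocked regardless of who the caller is, the contract should state it. Suggest adding to the Javadoc, which starts outside this hunk, a line such as `If the authorization context carries access control 'deny', the result is DENY without evaluating the user, permissions or scopes.` The early return can also drop the extra local and read `return new AuthorizationResult(AuthorizationStatus.DENY);`, unless the `try` block below (outside the hunk) relies on `authorizationResult` being declared at this point.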
@@ -113,6 +113,9 @@ public void invoke(Request request, Response response) throws IOException, Servl
         if (resourceConfig != null && CollectionUtils.isNotEmpty(resourceConfig.getScopes())) {
             authorizationContext.setRequiredScopes(resourceConfig.getScopes());
         }
+        if (resourceConfig != null && StringUtils.isNotEmpty(resourceConfig.getAccessControl())) {
+            authorizationContext.setAccessControl(resourceConfig.getAccessControl());
+        }
         String contextPath = request.getContextPath();
         String httpMethod = request.getMethod();
         authorizationContext.setContext(contextPath);
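Review bot: The new guard repeats the `resourceConfig != null` test that the scopes block directly above already performs; one enclosing `if (resourceConfig != null) { ... }` around both the scopes and the access-control copies would show that they are attributes of the same matched resource and keep the null test from being dropped from one of them later. The `StringUtils.isNotEmpty` check means an empty `access-control=""` attribute is treated as absent, which is consistent with how AuthorizationManager and AuthorizationHandler treat a null value (`equalsIgnoreCase` against null is false), but a short comment such as `// Only an explicitly set access-control value is propagated; absent or empty means no restriction.` would make that intent visible here. Whether `StringUtils` is already imported in this valve is not visible in the hunk. `invoke` starts and ends outside this hunk.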