parent
c0240c5cbc
commit
ba47af3186
@ -0,0 +1,118 @@
|
|||||||
|
package org.wso2.carbon.apimgt.application.extension.api.filter;
|
||||||
|
|
||||||
|
import org.apache.commons.logging.Log;
|
||||||
|
import org.apache.commons.logging.LogFactory;
|
||||||
|
import org.wso2.carbon.apimgt.application.extension.api.util.APIUtil;
|
||||||
|
import org.wso2.carbon.context.PrivilegedCarbonContext;
|
||||||
|
import org.wso2.carbon.user.api.UserRealm;
|
||||||
|
import org.wso2.carbon.user.api.UserStoreException;
|
||||||
|
|
||||||
|
import javax.servlet.*;
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
import javax.xml.bind.JAXBContext;
|
||||||
|
import javax.xml.bind.JAXBException;
|
||||||
|
import javax.xml.bind.Unmarshaller;
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.io.InputStream;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* this filter check for permission for the request
|
||||||
|
*/
|
||||||
|
public class ApiPermissionFilter implements Filter{
|
||||||
|
private static final Log log = LogFactory.getLog(ApiPermissionFilter.class);
|
||||||
|
private static final String UI_EXECUTE = "ui.execute";
|
||||||
|
private static final String PERMISSION_CONFIG_PATH = File.separator + "META-INF" + File.separator
|
||||||
|
+ "permissions.xml";
|
||||||
|
private static final String PERMISSION_PREFIX = "/permission/admin";
|
||||||
|
private static List<Permission> permissions;
|
||||||
|
private static final String WEBAPP_CONTEXT = "/api-application-registration";
|
||||||
|
@Override
|
||||||
|
public void init(FilterConfig filterConfig) throws ServletException {
|
||||||
|
InputStream permissionStream = filterConfig.getServletContext().getResourceAsStream(PERMISSION_CONFIG_PATH);
|
||||||
|
if (permissionStream != null) {
|
||||||
|
try {
|
||||||
|
JAXBContext cdmContext = JAXBContext.newInstance(PermissionConfiguration.class);
|
||||||
|
Unmarshaller unmarshaller = cdmContext.createUnmarshaller();
|
||||||
|
PermissionConfiguration permissionConfiguration = (PermissionConfiguration)
|
||||||
|
unmarshaller.unmarshal(permissionStream);
|
||||||
|
permissions = permissionConfiguration.getPermissions();
|
||||||
|
} catch (JAXBException e) {
|
||||||
|
log.error("invalid permissions.xml", e);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
|
||||||
|
throws IOException, ServletException {
|
||||||
|
if (servletRequest instanceof HttpServletRequest) {
|
||||||
|
String uri = ((HttpServletRequest)servletRequest).getRequestURI();
|
||||||
|
boolean status = false;
|
||||||
|
if (uri.contains("register/tenants")) {
|
||||||
|
String urlPermission = getPermission("/register/tenants/*");
|
||||||
|
if (urlPermission != null) {
|
||||||
|
status = isUserAuthorized(PERMISSION_PREFIX + urlPermission, UI_EXECUTE);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
String urlPermission = getPermission(uri);
|
||||||
|
if (urlPermission != null) {
|
||||||
|
status = isUserAuthorized(PERMISSION_PREFIX + urlPermission, UI_EXECUTE);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (status) {
|
||||||
|
filterChain.doFilter(servletRequest, servletResponse);
|
||||||
|
} else {
|
||||||
|
HttpServletResponse res = (HttpServletResponse) servletResponse;
|
||||||
|
res.setStatus(HttpServletResponse.SC_FORBIDDEN);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
HttpServletResponse res = (HttpServletResponse) servletResponse;
|
||||||
|
res.setStatus(HttpServletResponse.SC_FORBIDDEN);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void destroy() {
|
||||||
|
//do nothing
|
||||||
|
}
|
||||||
|
|
||||||
|
private static String getPermission(String url) {
|
||||||
|
if (permissions != null) {
|
||||||
|
for (int i = 0; i < permissions.size(); i++) {
|
||||||
|
Permission permission = permissions.get(i);
|
||||||
|
if ((WEBAPP_CONTEXT + permission.getUrl()).equals(url)) {
|
||||||
|
return permission.getPath();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check whether the client is authorized with the given permission and action.
|
||||||
|
* @param permission Carbon permission that requires for the use
|
||||||
|
* @param action Carbon permission action that requires for the given permission.
|
||||||
|
* @return boolean - true if user is authorized else return false.
|
||||||
|
*/
|
||||||
|
private boolean isUserAuthorized(String permission, String action) {
|
||||||
|
PrivilegedCarbonContext context = PrivilegedCarbonContext.getThreadLocalCarbonContext();
|
||||||
|
String username = context.getUsername();
|
||||||
|
try {
|
||||||
|
UserRealm userRealm = APIUtil.getRealmService().getTenantUserRealm(PrivilegedCarbonContext
|
||||||
|
.getThreadLocalCarbonContext().getTenantId());
|
||||||
|
return userRealm.getAuthorizationManager().isUserAuthorized(username, permission, action);
|
||||||
|
} catch (UserStoreException e) {
|
||||||
|
String errorMsg = String.format("Unable to authorize the user : %s", username, e);
|
||||||
|
log.error(errorMsg, e);
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,60 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* you may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.wso2.carbon.apimgt.application.extension.api.filter;
|
||||||
|
|
||||||
|
import javax.xml.bind.annotation.XmlElement;
|
||||||
|
import javax.xml.bind.annotation.XmlRootElement;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This class represents the information related to permission.
|
||||||
|
*/
|
||||||
|
@XmlRootElement (name = "Permission")
|
||||||
|
public class Permission {
|
||||||
|
|
||||||
|
private String path; // permission string
|
||||||
|
private String url; // url of the resource
|
||||||
|
private String method; // http method
|
||||||
|
|
||||||
|
public String getPath() {
|
||||||
|
return path;
|
||||||
|
}
|
||||||
|
|
||||||
|
@XmlElement (name = "path", required = true)
|
||||||
|
public void setPath(String path) {
|
||||||
|
this.path = path;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getUrl() {
|
||||||
|
return url;
|
||||||
|
}
|
||||||
|
|
||||||
|
@XmlElement (name = "url", required = true)
|
||||||
|
public void setUrl(String url) {
|
||||||
|
this.url = url;
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getMethod() {
|
||||||
|
return method;
|
||||||
|
}
|
||||||
|
|
||||||
|
@XmlElement (name = "method", required = true)
|
||||||
|
public void setMethod(String method) {
|
||||||
|
this.method = method;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,41 @@
|
|||||||
|
/*
|
||||||
|
* Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
|
||||||
|
*
|
||||||
|
* WSO2 Inc. licenses this file to you under the Apache License,
|
||||||
|
* Version 2.0 (the "License"); you may not use this file except
|
||||||
|
* in compliance with the License.
|
||||||
|
* you may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing,
|
||||||
|
* software distributed under the License is distributed on an
|
||||||
|
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
* KIND, either express or implied. See the License for the
|
||||||
|
* specific language governing permissions and limitations
|
||||||
|
* under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package org.wso2.carbon.apimgt.application.extension.api.filter;
|
||||||
|
|
||||||
|
import javax.xml.bind.annotation.XmlElement;
|
||||||
|
import javax.xml.bind.annotation.XmlRootElement;
|
||||||
|
import java.util.List;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This class represents the information related to permission configuration.
|
||||||
|
*/
|
||||||
|
@XmlRootElement (name = "PermissionConfiguration")
|
||||||
|
public class PermissionConfiguration {
|
||||||
|
|
||||||
|
private List<Permission> permissions;
|
||||||
|
|
||||||
|
public List<Permission> getPermissions() {
|
||||||
|
return permissions;
|
||||||
|
}
|
||||||
|
|
||||||
|
@XmlElement (name = "Permission", required = true)
|
||||||
|
public void setPermissions(List<Permission> permissions) {
|
||||||
|
this.permissions = permissions;
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in new issue