diff --git a/modules/distribution/src/repository/conf/broker.xml b/modules/distribution/src/repository/conf/broker.xml
index b5c41b47..f7bacf1d 100644
--- a/modules/distribution/src/repository/conf/broker.xml
+++ b/modules/distribution/src/repository/conf/broker.xml
@@ -136,15 +136,14 @@ This file is ciphertool compliant. Refer PRODUCT_HOME/repository/conf/security/c
REQUIRED: Clients will authorized before publishing. this will execute the class given in authorzier
Note: authentication should be REQUIRED for authorization to be REQUIRED.
-->
- NOT_REQUIRED
+ REQUIRED
-
- /permission/admin/mqtt/connect
+
diff --git a/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/pom.xml b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/pom.xml
new file mode 100644
index 00000000..02887f66
--- /dev/null
+++ b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/pom.xml
@@ -0,0 +1,100 @@
+
+
+
+
+
+
+ mb-extensions
+ org.wso2.iot
+ 1.0.0-SNAPSHOT
+ ../pom.xml
+
+
+ 4.0.0
+ org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization
+ bundle
+ WSO2 Carbon - Component - MQTT - Authorization Manager
+ MQTT authorization manager based on Carbon device manager
+ http://wso2.org
+
+
+
+ org.wso2.carbon
+ org.wso2.carbon.utils
+
+
+ org.wso2.carbon
+ org.wso2.carbon.core
+
+
+ org.wso2.andes.wso2
+ andes
+
+
+ org.wso2.carbon.devicemgt
+ org.wso2.carbon.device.mgt.core
+
+
+ org.wso2.carbon.devicemgt
+ org.wso2.carbon.device.mgt.common
+
+
+
+
+
+
+ org.apache.felix
+ maven-scr-plugin
+
+
+ org.apache.felix
+ maven-bundle-plugin
+ true
+
+
+ ${project.artifactId}
+ ${project.artifactId}
+
+ org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.internal
+
+
+ !org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.internal,
+ org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.*
+
+
+ org.apache.log4j,
+ org.dna.mqtt.moquette.server,
+ org.wso2.andes.configuration.enums,
+ org.wso2.andes.mqtt,
+ org.wso2.carbon.context,
+ org.wso2.carbon.device.mgt.common,
+ org.wso2.carbon.device.mgt.common.authorization,
+ org.apache.commons.logging,
+ org.osgi.service.component,
+ org.wso2.carbon.user.core.service,
+ org.wso2.carbon.user.core.tenant
+
+
+
+
+
+
+
+
+
diff --git a/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/DeviceAccessBasedMQTTAuthorizer.java b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/DeviceAccessBasedMQTTAuthorizer.java
new file mode 100644
index 00000000..4afc5e1c
--- /dev/null
+++ b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/DeviceAccessBasedMQTTAuthorizer.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization;
+
+import org.apache.log4j.Logger;
+import org.dna.mqtt.moquette.server.IAuthorizer;
+import org.wso2.andes.configuration.enums.MQTTAuthoriztionPermissionLevel;
+import org.wso2.andes.mqtt.MQTTAuthorizationSubject;
+import org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.internal.AuthorizationDataHolder;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
+import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
+import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException;
+
+/**
+ * Authorize the connecting users against Carbon Permission Model. Intended usage is
+ * via providing fully qualified class name in broker.xml
+ *
+ * This is just a simple authorization model. For dynamic topics use an implementation based on IAuthorizer
+ */
+public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
+ private static final Logger logger = Logger.getLogger(DeviceAccessBasedMQTTAuthorizer.class);
+ /**
+ * {@inheritDoc} Authorize the user against carbon device mgt model.
+ */
+ @Override
+ public boolean isAuthorizedForTopic(MQTTAuthorizationSubject authorizationSubject, String topic,
+ MQTTAuthoriztionPermissionLevel permissionLevel) {
+ try {
+ String topics[] = topic.split("/");
+ if (topics.length < 3) {
+ return false;
+ }
+ String tenantIdFromTopic = topics[0];
+ if (!tenantIdFromTopic.equals(authorizationSubject.getTenantDomain())) {
+ return false;
+ }
+ String deviceTypeFromTopic = topics[1];
+ String deviceIdFromTopic = topics[2];
+ PrivilegedCarbonContext.startTenantFlow();
+ PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(
+ authorizationSubject.getTenantDomain(), true);
+ PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(authorizationSubject.getUsername());
+ return AuthorizationDataHolder.getInstance().getDeviceAccessAuthorizationService().isUserAuthorized(
+ new DeviceIdentifier(deviceIdFromTopic, deviceTypeFromTopic));
+ } catch (DeviceAccessAuthorizationException e) {
+ logger.error("Failed on Device Access Authorization for user " + authorizationSubject.getUsername(), e);
+ } finally {
+ PrivilegedCarbonContext.endTenantFlow();
+ }
+ return false;
+ }
+
+ /**
+ * {@inheritDoc} Authorized the user against carbon device mgt model.
+ */
+ @Override
+ public boolean isAuthorizedToConnect(MQTTAuthorizationSubject authorizationSubject) {
+ return true;
+ }
+}
\ No newline at end of file
diff --git a/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/internal/AuthorizationDataHolder.java b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/internal/AuthorizationDataHolder.java
new file mode 100644
index 00000000..e14e4cdd
--- /dev/null
+++ b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/internal/AuthorizationDataHolder.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2014, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * you may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.internal;
+
+import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService;
+import org.wso2.carbon.user.core.service.RealmService;
+import org.wso2.carbon.user.core.tenant.TenantManager;
+
+public class AuthorizationDataHolder {
+
+ private RealmService realmService;
+ private TenantManager tenantManager;
+ private DeviceAccessAuthorizationService deviceAccessAuthorizationService;
+
+ private static AuthorizationDataHolder thisInstance = new AuthorizationDataHolder();
+
+ private AuthorizationDataHolder() {}
+
+ public static AuthorizationDataHolder getInstance() {
+ return thisInstance;
+ }
+
+ public RealmService getRealmService() {
+ return realmService;
+ }
+
+ public void setRealmService(RealmService realmService) {
+ this.realmService = realmService;
+ this.setTenantManager(realmService);
+ }
+
+ private void setTenantManager(RealmService realmService) {
+ if (realmService == null) {
+ throw new IllegalStateException("Realm service is not initialized properly");
+ }
+ this.tenantManager = realmService.getTenantManager();
+ }
+
+ public TenantManager getTenantManager() {
+ return tenantManager;
+ }
+
+ public DeviceAccessAuthorizationService getDeviceAccessAuthorizationService() {
+ return deviceAccessAuthorizationService;
+ }
+
+ public void setDeviceAccessAuthorizationService(DeviceAccessAuthorizationService deviceAccessAuthorizationService) {
+ this.deviceAccessAuthorizationService = deviceAccessAuthorizationService;
+ }
+
+}
diff --git a/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/internal/AuthorizationServiceComponent.java b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/internal/AuthorizationServiceComponent.java
new file mode 100644
index 00000000..3ebb099e
--- /dev/null
+++ b/modules/iot-extensions/components/mb-extensions/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization/src/main/java/org/wso2/carbon/andes/extensions/device/mgt/mqtt/authorization/internal/AuthorizationServiceComponent.java
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2014, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * you may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.internal;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.osgi.service.component.ComponentContext;
+import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService;
+import org.wso2.carbon.user.core.service.RealmService;
+
+/**
+ * @scr.component name="org.wso2.carbon.devicemgt.policy.manager" immediate="true"
+ * @scr.reference name="user.realmservice.default"
+ * interface="org.wso2.carbon.user.core.service.RealmService"
+ * cardinality="1..1"
+ * policy="dynamic"
+ * bind="setRealmService"
+ * unbind="unsetRealmService"
+ * @scr.reference name="org.wso2.carbon.device.access.authorization"
+ * interface="org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService"
+ * cardinality="1..1"
+ * policy="dynamic"
+ * bind="setDeviceAccessAuthorizationService"
+ * unbind="unsetDeviceAccessAuthorizationService"
+ */
+@SuppressWarnings("unused")
+public class AuthorizationServiceComponent {
+
+ private static Log log = LogFactory.getLog(AuthorizationServiceComponent.class);
+
+ protected void activate(ComponentContext componentContext) {
+ }
+
+ @SuppressWarnings("unused")
+ protected void deactivate(ComponentContext componentContext) {
+ }
+
+
+ /**
+ * Sets Realm Service
+ *
+ * @param realmService An instance of RealmService
+ */
+ protected void setRealmService(RealmService realmService) {
+ if (log.isDebugEnabled()) {
+ log.debug("Setting Realm Service");
+ }
+ AuthorizationDataHolder.getInstance().setRealmService(realmService);
+ }
+
+ /**
+ * Unsets Realm Service
+ *
+ * @param realmService An instance of RealmService
+ */
+ protected void unsetRealmService(RealmService realmService) {
+ if (log.isDebugEnabled()) {
+ log.debug("Unsetting Realm Service");
+ }
+ AuthorizationDataHolder.getInstance().setRealmService(null);
+ }
+
+ protected void setDeviceAccessAuthorizationService(DeviceAccessAuthorizationService deviceAccessAuthorizationService) {
+ if (log.isDebugEnabled()) {
+ log.debug("Setting Device Access Authorization Service");
+ }
+ AuthorizationDataHolder.getInstance().setDeviceAccessAuthorizationService(deviceAccessAuthorizationService);
+ }
+
+ protected void unsetDeviceAccessAuthorizationService(DeviceAccessAuthorizationService deviceAccessAuthorizationService) {
+ if (log.isDebugEnabled()) {
+ log.debug("Removing Device Access Authorization Service");
+ }
+ AuthorizationDataHolder.getInstance().setDeviceAccessAuthorizationService(null);
+ }
+
+}
diff --git a/modules/iot-extensions/components/mb-extensions/pom.xml b/modules/iot-extensions/components/mb-extensions/pom.xml
new file mode 100644
index 00000000..5538ae32
--- /dev/null
+++ b/modules/iot-extensions/components/mb-extensions/pom.xml
@@ -0,0 +1,38 @@
+
+
+
+
+
+
+ org.wso2.iot
+ iot-extensions
+ 1.0.0-SNAPSHOT
+ ../../pom.xml
+
+
+ 4.0.0
+ mb-extensions
+ pom
+ WSO2 Carbon - MB Extension
+ http://wso2.org
+
+
+ org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization
+
+
diff --git a/modules/iot-extensions/features/mb-extensions-feature/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature/pom.xml b/modules/iot-extensions/features/mb-extensions-feature/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature/pom.xml
new file mode 100644
index 00000000..41fba9b0
--- /dev/null
+++ b/modules/iot-extensions/features/mb-extensions-feature/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature/pom.xml
@@ -0,0 +1,81 @@
+
+
+
+
+
+
+
+ mb-extensions-feature
+ org.wso2.iot
+ 1.0.0-SNAPSHOT
+ ../pom.xml
+
+
+ 4.0.0
+ org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature
+ pom
+ WSO2 Carbon - MQTT Authorization Feature
+ http://wso2.org
+ This feature contains the bundles required for mqtt authorization
+
+
+
+ org.wso2.iot
+ org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization
+
+
+
+
+
+ org.wso2.maven
+ carbon-p2-plugin
+ ${carbon.p2.plugin.version}
+
+
+ 4-p2-feature-generation
+ package
+
+ p2-feature-gen
+
+
+ org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization
+ ../../etc/feature.properties
+
+
+ org.wso2.carbon.p2.category.type:server
+ org.eclipse.equinox.p2.type.group:true
+
+
+
+
+ org.wso2.iot:org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization:${carbon.iot.device.mgt.version}
+
+
+
+ org.wso2.carbon.core.server:${carbon.kernel.version}
+ org.wso2.carbon.device.mgt.server:${carbon.device.mgt.version}
+
+
+
+
+
+
+
+
+
diff --git a/modules/iot-extensions/features/mb-extensions-feature/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature/src/main/resources/build.properties b/modules/iot-extensions/features/mb-extensions-feature/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature/src/main/resources/build.properties
new file mode 100644
index 00000000..ddedd58d
--- /dev/null
+++ b/modules/iot-extensions/features/mb-extensions-feature/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature/src/main/resources/build.properties
@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2005-2014, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+#
+# WSO2 Inc. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+custom = true
diff --git a/modules/iot-extensions/features/mb-extensions-feature/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature/src/main/resources/p2.inf b/modules/iot-extensions/features/mb-extensions-feature/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature/src/main/resources/p2.inf
new file mode 100644
index 00000000..7ab37b9d
--- /dev/null
+++ b/modules/iot-extensions/features/mb-extensions-feature/org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature/src/main/resources/p2.inf
@@ -0,0 +1 @@
+instructions.configure = \
\ No newline at end of file
diff --git a/modules/iot-extensions/features/mb-extensions-feature/pom.xml b/modules/iot-extensions/features/mb-extensions-feature/pom.xml
new file mode 100644
index 00000000..d4e4f32e
--- /dev/null
+++ b/modules/iot-extensions/features/mb-extensions-feature/pom.xml
@@ -0,0 +1,40 @@
+
+
+
+
+
+
+ org.wso2.iot
+ iot-extensions
+ 1.0.0-SNAPSHOT
+ ../../pom.xml
+
+
+ 4.0.0
+ mb-extensions-feature
+ 1.0.0-SNAPSHOT
+ pom
+ WSO2 Carbon - Device Management, MB Extensions Feature
+ http://wso2.org
+
+
+ org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature
+
+
+
diff --git a/modules/iot-extensions/pom.xml b/modules/iot-extensions/pom.xml
index d6dcaf7d..0d7fef92 100644
--- a/modules/iot-extensions/pom.xml
+++ b/modules/iot-extensions/pom.xml
@@ -34,7 +34,9 @@
components/das-extensions
+ components/mb-extensions
features/das-extensions-feature
+ features/mb-extensions-feature
diff --git a/modules/p2-profile-gen/pom.xml b/modules/p2-profile-gen/pom.xml
index da918ec5..36dbc5e7 100644
--- a/modules/p2-profile-gen/pom.xml
+++ b/modules/p2-profile-gen/pom.xml
@@ -157,6 +157,9 @@
org.wso2.carbon.devicemgt-plugins:org.wso2.carbon.device.mgt.iot.feature:${carbon.device.mgt.plugin.version}
+
+ org.wso2.carbon.devicemgt-plugins:org.wso2.carbon.device.mgt.iot.adapter.feature:${carbon.device.mgt.plugin.version}
+
org.wso2.carbon.devicemgt-plugins:org.wso2.carbon.device.mgt.iot.androidsense.feature:${carbon.device.mgt.plugin.version}
@@ -389,6 +392,9 @@
org.wso2.iot:org.wso2.carbon.event.adapter.extensions.server.feature:${carbon.iot.device.mgt.version}
+
+ org.wso2.iot:org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature:${carbon.iot.device.mgt.version}
+
@@ -783,6 +789,10 @@
org.wso2.carbon.event.adapter.extensions.server.feature.group
${carbon.iot.device.mgt.version}
+
+ org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization.feature.group
+ ${carbon.iot.device.mgt.version}
+
@@ -853,6 +863,10 @@
org.wso2.carbon.device.mgt.iot.feature.group
${carbon.device.mgt.plugin.version}
+
+ org.wso2.carbon.device.mgt.iot.adapter.feature.group
+ ${carbon.device.mgt.plugin.version}
+
org.wso2.carbon.device.mgt.iot.androidsense.feature.group
${carbon.device.mgt.plugin.version}
diff --git a/pom.xml b/pom.xml
index a3f9434f..2fd4e319 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1041,12 +1041,21 @@
${carbon.iot.device.mgt.version}
+
+ org.wso2.iot
+ org.wso2.carbon.andes.extensions.device.mgt.mqtt.authorization
+ ${carbon.iot.device.mgt.version}
+
org.eclipse.paho
org.eclipse.paho.client.mqttv3
${eclipse.paho.version}
-
+
+ org.wso2.andes.wso2
+ andes
+ ${carbon.messaging.version}
+