Implemented scope based authorization in device-mgt UI module

4.x.x
mharindu 8 years ago
parent aa7d3385ce
commit bd41e4f4fb

@ -161,6 +161,10 @@
<artifactId>org.wso2.carbon.user.api</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.wso2.carbon.devicemgt</groupId>
<artifactId>org.wso2.carbon.apimgt.annotations</artifactId>
</dependency>
</dependencies>
<build>
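Review bot: The new `org.wso2.carbon.apimgt.annotations` dependency has neither `<version>` nor `<scope>`, while the neighbouring `org.wso2.carbon.user.api` dependency is `provided`. Unless the parent POM's dependencyManagement supplies both (not visible here), the annotations bundle is resolved at the default `compile` scope and packaged into the webapp even though, judging from its use on the service interface, it is only needed for compilation and API publishing. If that is the case, `<scope>provided</scope>` would match the sibling entry and keep the artifact's runtime contents unchanged.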

@ -18,20 +18,19 @@
package org.wso2.carbon.apimgt.application.extension.api;
import org.wso2.carbon.apimgt.annotations.api.API;
import org.wso2.carbon.apimgt.application.extension.api.util.RegistrationProfile;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.POST;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
/**
* This is the application registration service that exposed for apimApplicationRegistration
*/
@API(name = "API Registration Service", version = "1.0.0",
context = "api-application-registration",
tags = {"devicemgt_admin"})
public interface ApiApplicationRegistrationService {
/**
@ -40,6 +39,7 @@ public interface ApiApplicationRegistrationService {
@POST
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@Path("register/tenants")
Response register(@PathParam("tenantDomain") String tenantDomain,
@QueryParam("applicationName") String applicationName);
@ -51,6 +51,7 @@ public interface ApiApplicationRegistrationService {
@POST
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@Path("register")
Response register(RegistrationProfile registrationProfile);
/**
@ -59,5 +60,6 @@ public interface ApiApplicationRegistrationService {
* @return the response status of request.
*/
@DELETE
@Path("unregister")
Response unregister(@QueryParam("applicationName") String applicationName);
}
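Review bot: `@Path("register/tenants")` is placed on the `register` overload that takes `@PathParam("tenantDomain")`, but the path declares no `{tenantDomain}` template, so JAX-RS has nothing to bind the parameter to and `tenantDomain` will arrive as null; the mapping should read `@Path("register/tenants/{tenantDomain}")` (or the parameter should become a `@QueryParam`, whichever the callers expect). The import block replaces the individual `javax.ws.rs` imports with `javax.ws.rs.*` (the line counts suggest the six explicit ones were dropped), which only `Path` needed; an explicit `import javax.ws.rs.Path;` keeps the file's no-wildcard import style. None of the three newly mapped operations documents which scope or role a caller must hold, even though the type is tagged `devicemgt_admin` and `unregister` removes a registered application on a bare `@QueryParam("applicationName")`; a `@throws`/authorization line in each operation's Javadoc would make the commit's authorization intent reviewable from this interface. The interface body continues past the hunks shown.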

@ -47,7 +47,11 @@
<!--publish to apim-->
<context-param>
<param-name>managed-api-enabled</param-name>
<param-value>false</param-value>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>managed-api-owner</param-name>
<param-value>admin</param-value>
</context-param>
<filter>
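Review bot: `managed-api-owner` is set to the literal `admin` with no comment on what the value governs; presumably this is the account under which the webapp's APIs are published once `managed-api-enabled` is `true`, and hard-coding the super-user name ties the deployment to that account existing. A one-line comment above the new context-param, `<!-- account under which this webapp's APIs are published when managed-api-enabled is true -->`, would document the dependency, and a deployment-time placeholder for the value would let it be overridden without editing the descriptor.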

@ -70,17 +70,53 @@
"copyrightSuffix" : " All Rights Reserved."
},
"scopes" : [
"license-add", "license-view", "device-view",
"device-info", "device-list", "device-view-own", "device-modify", "device-search",
"operation-install", "operation-view", "operation-modify", "operation-uninstall",
"group-add", "group-share", "group-modify", "group-view", "group-remove",
"certificate-modify", "certificate-view",
"configuration-view", "configuration-modify",
"policy-view", "policy-modify",
"device-notification-view", "device-notification-modify",
"feature-view",
"roles-view", "roles-modify", "roles-remove", "roles-add",
"user-password-reset", "user-password-modify", "user-modify", "user-view", "user-invite", "user-remove", "user-add"
"user:manage",
"user:view",
"device-type:admin:view",
"device:view",
"notification:view",
"device:admin:view",
"application:manage",
"activity:view",
"user:admin:reset-password",
"policy:manage",
"policy:view",
"role:manage",
"role:view",
"configuration:view",
"configuration:modify",
"device:android:operation:reboot",
"device:android:operation:camera",
"device:android:operation:vpn",
"device:android:operation:lock",
"device:android:operation:ring",
"device:android:operation:update-app",
"device:android:operation:wipe",
"device:android:operation:encrypt",
"device:android:operation:blacklist-app",
"device:android:operation:applications",
"device:android:operation:enterprise-wipe",
"device:android:operation:info",
"device:android:operation:wifi",
"device:android:operation:uninstall-app",
"device:android:operation:change-lock",
"device:android:operation:notification",
"device:android:operation:upgrade",
"device:android:operation:unlock",
"device:android:operation:mute",
"device:android:operation:location",
"device:android:operation:webclip",
"device:android:operation:clear-password",
"device:android:operation:password-policy",
"device:android:operation:install-app",
"device:android:event:write",
"device:android:event:read",
"device:android:enroll",
"configuration:manage",
"configuration:view",
"device:android:enroll",
"certificate:view",
"certificate:manage"
],
"isOAuthEnabled" : true,
"backendRestEndpoints" : {
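Review bot: The new `scopes` array lists `"configuration:view"` twice (after `"role:view"` and again after `"configuration:manage"`) and `"device:android:enroll"` twice (after `"device:android:event:read"` and again after the second `"configuration:view"`); the duplicates are harmless in a space-joined scope request but point to a hand-merged list, and both repeats should be dropped. The list also carries both `"configuration:modify"` and `"configuration:manage"`, whereas every other resource here uses a single `manage` scope for writes (`user:manage`, `policy:manage`, `role:manage`, `certificate:manage`); if the server defines only one of the two names, the other is silently never granted, so confirm against the server-side scope definitions and keep the one that exists. Because this array is requested on every login and the server returns the granted subset, a stale name does not fail the request — it just narrows what the UI later stores as allowed scopes, which is hard to notice without such a check.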

@ -83,3 +83,4 @@ var HTTP_CONFLICT = 409;
var HTTP_CREATED = 201;
var CACHED_CREDENTIALS = "tenantBasedCredentials";
var ALLOWED_SCOPES = "scopes";

@ -172,10 +172,11 @@ var utils = function () {
if (xhr["status"] == 200 && xhr["responseText"]) {
var responsePayload = parse(xhr["responseText"]);
var tokenPair = {};
tokenPair["accessToken"] = responsePayload["access_token"];
tokenPair["refreshToken"] = responsePayload["refresh_token"];
return tokenPair;
var tokenData = {};
tokenData["accessToken"] = responsePayload["access_token"];
tokenData["refreshToken"] = responsePayload["refresh_token"];
tokenData["scopes"] = responsePayload["scope"];
return tokenData;
} else {
log.error("{/app/modules/oauth/token-handler-utils.js} Error in retrieving access token " +
"by password grant type - getTokenPairByPasswordGrantType(a, b, c, d)");
@ -224,10 +225,11 @@ var utils = function () {
if (xhr["status"] == 200 && xhr["responseText"]) {
var responsePayload = parse(xhr["responseText"]);
var tokenPair = {};
tokenPair["accessToken"] = responsePayload["access_token"];
tokenPair["refreshToken"] = responsePayload["refresh_token"];
return tokenPair;
var tokenData = {};
tokenData["accessToken"] = responsePayload["access_token"];
tokenData["refreshToken"] = responsePayload["refresh_token"];
tokenData["scopes"] = responsePayload["scope"];
return tokenData;
} else {
log.error("{/app/modules/oauth/token-handler-utils.js} Error in retrieving access token " +
"by password grant type - getTokenPairBySAMLGrantType(x, y, z)");
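Review bot: `tokenData["scopes"] = responsePayload["scope"];` is stored without a default, here and in the password-grant hunk above. RFC 6749 (section 5.1) makes `scope` optional in a successful token response when the granted scope equals the requested one, so `scopes` can be `undefined`, and the callers in token-handlers.js then call `.split(" ")` on it and throw after a token was actually issued. `tokenData["scopes"] = responsePayload["scope"] || "";` keeps the field's type stable for the callers. Separately, the pre-existing log text below this hunk still says "by password grant type" inside `getTokenPairBySAMLGrantType`.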

@ -45,23 +45,30 @@ var handlers = function () {
"password grant type. Encoded client credentials are " +
"missing - setupTokenPairByPasswordGrantType(x, y)");
} else {
var tokenPair;
var tokenData;
// tokenPair will include current access token as well as current refresh token
var arrayOfScopes = devicemgtProps["scopes"];
var stringOfScopes = "";
arrayOfScopes.forEach(function (entry) {
stringOfScopes += entry + " ";
});
tokenPair = tokenUtil.
tokenData = tokenUtil.
getTokenPairByPasswordGrantType(username,
encodeURIComponent(password), encodedClientAppCredentials, stringOfScopes);
if (!tokenPair) {
if (!tokenData) {
throw new Error("{/app/modules/oauth/token-handlers.js} Could not set up " +
"token pair by password grant type. Error in token " +
"retrieval - setupTokenPairByPasswordGrantType(x, y)");
} else {
// setting up access token pair into session context as a string
var tokenPair = {};
tokenPair["accessToken"] = tokenData["accessToken"];
tokenPair["refreshToken"] = tokenData["refreshToken"];
// setting up token pair into session context as a string
session.put(constants["TOKEN_PAIR"], stringify(tokenPair));
var scopes = tokenData.scopes.split(" ");
// adding allowed scopes to the session
session.put(constants["ALLOWED_SCOPES"], scopes);
}
}
}
@ -80,17 +87,24 @@ var handlers = function () {
"by saml grant type. Encoded client credentials are " +
"missing - setupTokenPairByPasswordGrantType(x, y)");
} else {
var tokenPair;
var tokenData;
// accessTokenPair will include current access token as well as current refresh token
tokenPair = tokenUtil.
tokenData = tokenUtil.
getTokenPairBySAMLGrantType(samlToken, encodedClientAppCredentials, "PRODUCTION");
if (!tokenPair) {
if (!tokenData) {
throw new Error("{/app/modules/oauth/token-handlers.js} Could not set up token " +
"pair by password grant type. Error in token " +
"retrieval - setupTokenPairByPasswordGrantType(x, y)");
} else {
var tokenPair = {};
tokenPair["accessToken"] = tokenData["accessToken"];
tokenPair["refreshToken"] = tokenData["refreshToken"];
// setting up access token pair into session context as a string
session.put(constants["TOKEN_PAIR"], stringify(tokenPair));
var scopes = tokenData.scopes.split(" ");
// adding allowed scopes to the session
session.put(constants["ALLOWED_SCOPES"], scopes);
}
}
}
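Review bot: `var scopes = tokenData.scopes.split(" ");` in both the password-grant and SAML-grant hunks assumes the token response always carried a `scope` field; when it is absent, `tokenData.scopes` is undefined and the login throws a TypeError after `TOKEN_PAIR` has already been put into the session, leaving a half-initialised session with a token pair but no `ALLOWED_SCOPES`. Guard it with `var scopes = tokenData.scopes ? tokenData.scopes.split(" ") : [];` and compute it before the first `session.put` so either both entries are stored or neither is. The stored list is whatever the authorization server granted, so UI checks against `ALLOWED_SCOPES` only mirror the token; a comment such as `// ALLOWED_SCOPES drives UI visibility only; backend APIs still validate scope on the bearer token` would keep later readers from treating it as the enforcement point. In the password hunk the new comment `// setting up token pair into session context as a string` duplicates the one a few lines above it, and `stringOfScopes` is joined with a trailing space; the SAML hunk's error text and function name (`setupTokenPairByPasswordGrantType`) appear to be pre-existing copies from the password handler.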

@ -129,7 +129,7 @@ public class OAuthAuthenticator implements WebappAuthenticator {
if (resource == null || resource.isEmpty()) {
authenticationInfo.setStatus(Status.FAILURE);
authenticationInfo.setMessage("Requested resource does not exist");
authenticationInfo.setMessage("Authorization failed. Requested API resource does not exist");
return authenticationInfo;
}
