fixed tenant enrol issue

kernel-4.6.x
Amalka Subasinghe 3 years ago
parent eae469fbc5
commit 4203226aa5

@ -122,7 +122,7 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi
synchronized (ApiApplicationRegistrationServiceImpl.class) { synchronized (ApiApplicationRegistrationServiceImpl.class) {
ApiApplicationKey apiApplicationKey = apiManagementProviderService.generateAndRetrieveApplicationKeys( ApiApplicationKey apiApplicationKey = apiManagementProviderService.generateAndRetrieveApplicationKeys(
applicationName, registrationProfile.getTags(), applicationName, registrationProfile.getTags(),
ApiApplicationConstants.DEFAULT_TOKEN_TYPE, username, ApiApplicationConstants.DEFAULT_TOKEN_TYPE, registrationProfile.getUsername(),
registrationProfile.isAllowedToAllDomains(), validityPeriod); registrationProfile.isAllowedToAllDomains(), validityPeriod);
return Response.status(Response.Status.CREATED).entity(apiApplicationKey.toString()).build(); return Response.status(Response.Status.CREATED).entity(apiApplicationKey.toString()).build();
} }

@ -37,7 +37,7 @@
</servlet-mapping> </servlet-mapping>
<context-param> <context-param>
<param-name>doAuthentication</param-name> <param-name>doAuthentication</param-name>
<param-value>false</param-value> <param-value>true</param-value>
</context-param> </context-param>
<!--This is to support basic auth.--> <!--This is to support basic auth.-->
<context-param> <context-param>
@ -54,6 +54,10 @@
<param-name>managed-api-owner</param-name> <param-name>managed-api-owner</param-name>
<param-value>admin</param-value> <param-value>admin</param-value>
</context-param> </context-param>
<context-param>
<param-name>resource-permission-validate</param-name>
<param-value>false</param-value>
</context-param>
<filter> <filter>
<filter-name>ApiPermissionFilter</filter-name> <filter-name>ApiPermissionFilter</filter-name>

@ -18,6 +18,7 @@
*/ */
package org.wso2.carbon.webapp.authenticator.framework; package org.wso2.carbon.webapp.authenticator.framework;
import com.google.gson.Gson;
import org.apache.catalina.Context; import org.apache.catalina.Context;
import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response; import org.apache.catalina.connector.Response;
@ -48,6 +49,9 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
private static final Log log = LogFactory.getLog(WebappAuthenticationValve.class); private static final Log log = LogFactory.getLog(WebappAuthenticationValve.class);
private static final TreeMap<String, String> nonSecuredEndpoints = new TreeMap<>(); private static final TreeMap<String, String> nonSecuredEndpoints = new TreeMap<>();
private static final String PERMISSION_PREFIX = "/permission/admin";
public static final String AUTHORIZE_PERMISSION = "Authorize-Permission";
private static InetAddress inetAddress = null; private static InetAddress inetAddress = null;
@Override @Override
@ -78,7 +82,8 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
} }
} }
if ((this.isContextSkipped(request) || this.skipAuthentication(request))) { if ((this.isContextSkipped(request) || this.skipAuthentication(request))
&& (StringUtils.isEmpty(request.getHeader(AUTHORIZE_PERMISSION)))) {
this.getNext().invoke(request, response, compositeValve); this.getNext().invoke(request, response, compositeValve);
return; return;
} }
@ -99,6 +104,39 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
// This section will allow to validate a given access token is authenticated to access given // This section will allow to validate a given access token is authenticated to access given
// resource(permission) // resource(permission)
if (request.getCoyoteRequest() != null if (request.getCoyoteRequest() != null
&& StringUtils.isNotEmpty(request.getHeader(AUTHORIZE_PERMISSION))
&& (authenticationInfo.getStatus() == WebappAuthenticator.Status.CONTINUE ||
authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS)) {
boolean isAllowed;
try {
isAllowed = AuthenticationFrameworkUtil.isUserAuthorized(
authenticationInfo.getTenantId(), authenticationInfo.getTenantDomain(),
authenticationInfo.getUsername(),
PERMISSION_PREFIX + request.getHeader (AUTHORIZE_PERMISSION));
} catch (AuthenticationException e) {
String msg = "Could not authorize permission";
log.error(msg);
AuthenticationFrameworkUtil.handleResponse(request, response,
HttpServletResponse.SC_INTERNAL_SERVER_ERROR, msg);
return;
}
if (isAllowed) {
Gson gson = new Gson();
AuthenticationFrameworkUtil.handleResponse(request, response, HttpServletResponse.SC_OK,
gson.toJson(authenticationInfo));
return;
} else {
log.error("Unauthorized message from user " + authenticationInfo.getUsername());
AuthenticationFrameworkUtil.handleResponse(request, response,
HttpServletResponse.SC_FORBIDDEN, "Unauthorized to access the API");
return;
}
}
// This section will allow to validate a given access token is authenticated to access permission defined per API
if (request.getCoyoteRequest() != null
&& isResourcePermissionValidate(request)
&& (authenticationInfo.getStatus() == WebappAuthenticator.Status.CONTINUE || && (authenticationInfo.getStatus() == WebappAuthenticator.Status.CONTINUE ||
authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS)) { authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS)) {
boolean isAllowed; boolean isAllowed;
@ -112,7 +150,7 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
} }
} }
Tenant tenant = null; Tenant tenant = null;
if (authenticationInfo.getTenantId() != -1) { if (authenticationInfo.getTenantId() != -1) {
try { try {
PrivilegedCarbonContext.startTenantFlow(); PrivilegedCarbonContext.startTenantFlow();
@ -178,6 +216,11 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
return (param != null && Boolean.parseBoolean(param)); return (param != null && Boolean.parseBoolean(param));
} }
private boolean isResourcePermissionValidate(Request request) {
String param = request.getContext().findParameter("resource-permission-validate");
return (param == null) || Boolean.parseBoolean(param);
}
private boolean isContextSkipped(Request request) { private boolean isContextSkipped(Request request) {
Context context = request.getContext(); Context context = request.getContext();
String ctx = context == null ? null :context.getPath(); String ctx = context == null ? null :context.getPath();

Loading…
Cancel
Save