diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java index 702db645279..471136864a2 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java @@ -122,7 +122,7 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi synchronized (ApiApplicationRegistrationServiceImpl.class) { ApiApplicationKey apiApplicationKey = apiManagementProviderService.generateAndRetrieveApplicationKeys( applicationName, registrationProfile.getTags(), - ApiApplicationConstants.DEFAULT_TOKEN_TYPE, username, + ApiApplicationConstants.DEFAULT_TOKEN_TYPE, registrationProfile.getUsername(), registrationProfile.isAllowedToAllDomains(), validityPeriod); return Response.status(Response.Status.CREATED).entity(apiApplicationKey.toString()).build(); } diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml index b2d4acf3c43..ab313685bfb 100644 --- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml +++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml @@ -37,7 +37,7 @@ doAuthentication - false + true @@ -54,6 +54,10 @@ managed-api-owner admin + + resource-permission-validate + false + ApiPermissionFilter diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java index 9e73d08ffb3..3864954fe92 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java @@ -18,6 +18,7 @@ */ package org.wso2.carbon.webapp.authenticator.framework; +import com.google.gson.Gson; import org.apache.catalina.Context; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; @@ -48,6 +49,9 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { private static final Log log = LogFactory.getLog(WebappAuthenticationValve.class); private static final TreeMap nonSecuredEndpoints = new TreeMap<>(); + private static final String PERMISSION_PREFIX = "/permission/admin"; + public static final String AUTHORIZE_PERMISSION = "Authorize-Permission"; + private static InetAddress inetAddress = null; @Override @@ -78,7 +82,8 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { } } - if ((this.isContextSkipped(request) || this.skipAuthentication(request))) { + if ((this.isContextSkipped(request) || this.skipAuthentication(request)) + && (StringUtils.isEmpty(request.getHeader(AUTHORIZE_PERMISSION)))) { this.getNext().invoke(request, response, compositeValve); return; } @@ -99,6 +104,39 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { // This section will allow to validate a given access token is authenticated to access given // resource(permission) if (request.getCoyoteRequest() != null + && StringUtils.isNotEmpty(request.getHeader(AUTHORIZE_PERMISSION)) + && (authenticationInfo.getStatus() == WebappAuthenticator.Status.CONTINUE || + authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS)) { + boolean isAllowed; + try { + isAllowed = AuthenticationFrameworkUtil.isUserAuthorized( + authenticationInfo.getTenantId(), authenticationInfo.getTenantDomain(), + authenticationInfo.getUsername(), + PERMISSION_PREFIX + request.getHeader (AUTHORIZE_PERMISSION)); + } catch (AuthenticationException e) { + String msg = "Could not authorize permission"; + log.error(msg); + AuthenticationFrameworkUtil.handleResponse(request, response, + HttpServletResponse.SC_INTERNAL_SERVER_ERROR, msg); + return; + } + + if (isAllowed) { + Gson gson = new Gson(); + AuthenticationFrameworkUtil.handleResponse(request, response, HttpServletResponse.SC_OK, + gson.toJson(authenticationInfo)); + return; + } else { + log.error("Unauthorized message from user " + authenticationInfo.getUsername()); + AuthenticationFrameworkUtil.handleResponse(request, response, + HttpServletResponse.SC_FORBIDDEN, "Unauthorized to access the API"); + return; + } + } + + // This section will allow to validate a given access token is authenticated to access permission defined per API + if (request.getCoyoteRequest() != null + && isResourcePermissionValidate(request) && (authenticationInfo.getStatus() == WebappAuthenticator.Status.CONTINUE || authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS)) { boolean isAllowed; @@ -112,7 +150,7 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { } } - Tenant tenant = null; + Tenant tenant = null; if (authenticationInfo.getTenantId() != -1) { try { PrivilegedCarbonContext.startTenantFlow(); @@ -178,6 +216,11 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { return (param != null && Boolean.parseBoolean(param)); } + private boolean isResourcePermissionValidate(Request request) { + String param = request.getContext().findParameter("resource-permission-validate"); + return (param == null) || Boolean.parseBoolean(param); + } + private boolean isContextSkipped(Request request) { Context context = request.getContext(); String ctx = context == null ? null :context.getPath();