diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java index b701b9bf966..f7211fef132 100644 --- a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java @@ -26,6 +26,7 @@ import org.wso2.carbon.context.PrivilegedCarbonContext; import org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve; import org.wso2.carbon.tomcat.ext.valves.CompositeValve; import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator; +import org.wso2.carbon.webapp.authenticator.framework.authorizer.WebappTenantAuthorizer; import javax.servlet.http.HttpServletResponse; import java.util.HashMap; @@ -44,6 +45,8 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { return; } + + WebappAuthenticator authenticator = WebappAuthenticatorFactory.getAuthenticator(request); if (authenticator == null) { String msg = "Failed to load an appropriate authenticator to authenticate the request"; @@ -51,6 +54,11 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { return; } AuthenticationInfo authenticationInfo = authenticator.authenticate(request, response); + if (isManagedAPI(request) && (authenticationInfo.getStatus() == WebappAuthenticator.Status.CONTINUE || + authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS)) { + WebappAuthenticator.Status status = WebappTenantAuthorizer.authorize(request, authenticationInfo); + authenticationInfo.setStatus(status); + } if (authenticationInfo.getTenantId() != -1) { try { PrivilegedCarbonContext.startTenantFlow(); @@ -77,6 +85,11 @@ public class WebappAuthenticationValve extends CarbonTomcatValve { return (param == null || !Boolean.parseBoolean(param) || isNonSecuredEndPoint(request)); } + private boolean isManagedAPI(Request request) { + String param = request.getContext().findParameter("managed-api-enabled"); + return (param != null && Boolean.parseBoolean(param)); + } + private boolean isContextSkipped(Request request) { String ctx = request.getContext().getPath(); if (ctx == null || "".equals(ctx)) { diff --git a/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/WebappTenantAuthorizer.java b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/WebappTenantAuthorizer.java new file mode 100644 index 00000000000..e6a55eba89d --- /dev/null +++ b/components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/WebappTenantAuthorizer.java @@ -0,0 +1,49 @@ +/* + * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved. + * + * WSO2 Inc. licenses this file to you under the Apache License, + * Version 2.0 (the "License"); you may not use this file except + * in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.wso2.carbon.webapp.authenticator.framework.authorizer; + +import org.apache.catalina.connector.Request; +import org.wso2.carbon.webapp.authenticator.framework.AuthenticationInfo; +import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator; + +/** + * This class represents the methods that are used to authorize requests based on the tenant subscription. + */ +public class WebappTenantAuthorizer { + private static final String SHARED_WITH_ALL_TENANTS_PARAM_NAME = "isSharedWithAllTenants"; + private static final String PROVIDER_TENANT_DOMAIN_PARAM_NAME = "providerTenantDomain"; + + public static WebappAuthenticator.Status authorize(Request request, AuthenticationInfo authenticationInfo) { + String tenantDomain = authenticationInfo.getTenantDomain(); + if (tenantDomain != null && isSharedWithAllTenants(request) || isProviderTenant(request, tenantDomain)) { + return WebappAuthenticator.Status.CONTINUE; + } + return WebappAuthenticator.Status.FAILURE; + } + + private static boolean isSharedWithAllTenants(Request request) { + String param = request.getContext().findParameter(SHARED_WITH_ALL_TENANTS_PARAM_NAME); + return (param == null || Boolean.parseBoolean(param)); + } + + private static boolean isProviderTenant(Request request, String requestTenantDomain) { + String param = request.getContext().findParameter(PROVIDER_TENANT_DOMAIN_PARAM_NAME); + return (param == null || requestTenantDomain.equals(param)); + } +}