diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml
index b1c7c57bcbd..14379e2e3b2 100644
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/pom.xml
@@ -157,6 +157,16 @@
org.wso2.carbon.apimgt.application.extension
provided
+
+ org.wso2.carbon
+ org.wso2.carbon.user.core
+ provided
+
+
+ org.wso2.carbon
+ org.wso2.carbon.user.api
+ provided
+
diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java
index 7c24b40ffdd..cc0bb20a9f7 100644
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/ApiApplicationRegistrationServiceImpl.java
@@ -59,6 +59,7 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi
}
String username = PrivilegedCarbonContext.getThreadLocalCarbonContext().getUserRealm()
.getRealmConfiguration().getAdminUserName();
+ username = username + "@" + APIUtil.getTenantDomainOftheUser();
PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(username);
APIManagementProviderService apiManagementProviderService = APIUtil.getAPIManagementProviderService();
ApiApplicationKey apiApplicationKey = apiManagementProviderService.generateAndRetrieveApplicationKeys(
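Review bot: The tenant-qualified username is assembled inline in three places — `username + "@" + APIUtil.getTenantDomainOftheUser()` here and the same expression in the `register` and `unregister` hunks below — so the qualification rule now has to be kept in sync by hand. I would put it behind one helper in APIUtil, e.g. `public static String getTenantQualifiedUsername(String username) { return username + "@" + getTenantDomainOftheUser(); }`, and call that from all three sites. None of the three lines guards against `getTenantDomainOftheUser()` returning null, which would produce a `"...@null"` principal that is then stored on the Carbon context on the next line and presumably passed to the key-generation call; whether that helper can return null is not visible here, so confirm against its implementation. The enclosing method begins before this hunk.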
@@ -81,7 +82,7 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi
@POST
public Response register(RegistrationProfile registrationProfile) {
try {
- String username = APIUtil.getAuthenticatedUser();
+ String username = APIUtil.getAuthenticatedUser() + "@" + APIUtil.getTenantDomainOftheUser();
APIManagementProviderService apiManagementProviderService = APIUtil.getAPIManagementProviderService();
if (registrationProfile.isMappingAnExistingOAuthApp()) {
JSONObject jsonStringObject = new JSONObject();
@@ -116,7 +117,7 @@ public class ApiApplicationRegistrationServiceImpl implements ApiApplicationRegi
@DELETE
public Response unregister(@QueryParam("applicationName") String applicationName) {
try {
- String username = APIUtil.getAuthenticatedUser();
+ String username = APIUtil.getAuthenticatedUser() + "@" + APIUtil.getTenantDomainOftheUser();
APIManagementProviderService apiManagementProviderService = APIUtil.getAPIManagementProviderService();
apiManagementProviderService.removeAPIApplication(applicationName, username);
return Response.status(Response.Status.ACCEPTED).build();
diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java
new file mode 100644
index 00000000000..1395566b70b
--- /dev/null
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/ApiPermissionFilter.java
@@ -0,0 +1,118 @@
+package org.wso2.carbon.apimgt.application.extension.api.filter;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.apimgt.application.extension.api.util.APIUtil;
+import org.wso2.carbon.context.PrivilegedCarbonContext;
+import org.wso2.carbon.user.api.UserRealm;
+import org.wso2.carbon.user.api.UserStoreException;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Unmarshaller;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.List;
+
+/**
+ * this filter check for permission for the request
+ */
+public class ApiPermissionFilter implements Filter{
+ private static final Log log = LogFactory.getLog(ApiPermissionFilter.class);
+ private static final String UI_EXECUTE = "ui.execute";
+ private static final String PERMISSION_CONFIG_PATH = File.separator + "META-INF" + File.separator
+ + "permissions.xml";
+ private static final String PERMISSION_PREFIX = "/permission/admin";
+ private static List permissions;
+ private static final String WEBAPP_CONTEXT = "/api-application-registration";
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+ InputStream permissionStream = filterConfig.getServletContext().getResourceAsStream(PERMISSION_CONFIG_PATH);
+ if (permissionStream != null) {
+ try {
+ JAXBContext cdmContext = JAXBContext.newInstance(PermissionConfiguration.class);
+ Unmarshaller unmarshaller = cdmContext.createUnmarshaller();
+ PermissionConfiguration permissionConfiguration = (PermissionConfiguration)
+ unmarshaller.unmarshal(permissionStream);
+ permissions = permissionConfiguration.getPermissions();
+ } catch (JAXBException e) {
+ log.error("invalid permissions.xml", e);
+ }
+
+ }
+
+ }
+
+ @Override
+ public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
+ throws IOException, ServletException {
+ if (servletRequest instanceof HttpServletRequest) {
+ String uri = ((HttpServletRequest)servletRequest).getRequestURI();
+ boolean status = false;
+ if (uri.contains("register/tenants")) {
+ String urlPermission = getPermission("/register/tenants/*");
+ if (urlPermission != null) {
+ status = isUserAuthorized(PERMISSION_PREFIX + urlPermission, UI_EXECUTE);
+ }
+ } else {
+ String urlPermission = getPermission(uri);
+ if (urlPermission != null) {
+ status = isUserAuthorized(PERMISSION_PREFIX + urlPermission, UI_EXECUTE);
+ }
+ }
+ if (status) {
+ filterChain.doFilter(servletRequest, servletResponse);
+ } else {
+ HttpServletResponse res = (HttpServletResponse) servletResponse;
+ res.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
+ } else {
+ HttpServletResponse res = (HttpServletResponse) servletResponse;
+ res.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
+ }
+
+ @Override
+ public void destroy() {
+ //do nothing
+ }
+
+ private static String getPermission(String url) {
+ if (permissions != null) {
+ for (int i = 0; i < permissions.size(); i++) {
+ Permission permission = permissions.get(i);
+ if ((WEBAPP_CONTEXT + permission.getUrl()).equals(url)) {
+ return permission.getPath();
+ }
+ }
+ }
+ return null;
+ }
+
+ /**
+ * Check whether the client is authorized with the given permission and action.
+ * @param permission Carbon permission that requires for the use
+ * @param action Carbon permission action that requires for the given permission.
+ * @return boolean - true if user is authorized else return false.
+ */
+ private boolean isUserAuthorized(String permission, String action) {
+ PrivilegedCarbonContext context = PrivilegedCarbonContext.getThreadLocalCarbonContext();
+ String username = context.getUsername();
+ try {
+ UserRealm userRealm = APIUtil.getRealmService().getTenantUserRealm(PrivilegedCarbonContext
+ .getThreadLocalCarbonContext().getTenantId());
+ return userRealm.getAuthorizationManager().isUserAuthorized(username, permission, action);
+ } catch (UserStoreException e) {
+ String errorMsg = String.format("Unable to authorize the user : %s", username, e);
+ log.error(errorMsg, e);
+ return false;
+ }
+ }
+
+}
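Review bot: `getPermission` matches on URL only, so the `method` that every entry in permissions.xml declares (and that `Permission.getMethod()` exposes) is never consulted; a permission declared for POST on a path is granted for any verb on that path. Today `/register` and `/unregister` resolve to the same permission so nothing is widened yet, but the next entry with a verb-specific path would be silently over-permissive — pass `((HttpServletRequest) servletRequest).getMethod()` into the lookup and require it to match, as sketched below. Separately, `init` never closes `permissionStream` (wrap the unmarshal in try-with-resources), and `String.format("Unable to authorize the user : %s", username, e)` in `isUserAuthorized` passes `e` as an unused format argument — drop it, since the exception already goes to `log.error`. The raw `List` type of `permissions` is probably `List<Permission>` with the type argument lost in rendering; if the source really is raw, `Permission permission = permissions.get(i)` needs a cast to compile.
```java
String uri = ((HttpServletRequest) servletRequest).getRequestURI();
String method = ((HttpServletRequest) servletRequest).getMethod();
// … unchanged: tenant-registration special case, now calling getPermission("/register/tenants/*", method) …
String urlPermission = getPermission(uri, method);
// … unchanged: authorization check and 403 handling …

private static String getPermission(String url, String method) {
    if (permissions != null) {
        for (int i = 0; i < permissions.size(); i++) {
            Permission permission = permissions.get(i);
            // The declared HTTP method is part of the rule: a path permitted for
            // one verb must not satisfy a request that uses another verb.
            if ((WEBAPP_CONTEXT + permission.getUrl()).equals(url)
                    && method != null
                    && method.equalsIgnoreCase(permission.getMethod())) {
                return permission.getPath();
            }
        }
    }
    return null;
}
```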
diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/Permission.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/Permission.java
new file mode 100644
index 00000000000..069e94473cd
--- /dev/null
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/Permission.java
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * you may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.apimgt.application.extension.api.filter;
+
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+
+/**
+ * This class represents the information related to permission.
+ */
+@XmlRootElement (name = "Permission")
+public class Permission {
+
+ private String path; // permission string
+ private String url; // url of the resource
+ private String method; // http method
+
+ public String getPath() {
+ return path;
+ }
+
+ @XmlElement (name = "path", required = true)
+ public void setPath(String path) {
+ this.path = path;
+ }
+
+ public String getUrl() {
+ return url;
+ }
+
+ @XmlElement (name = "url", required = true)
+ public void setUrl(String url) {
+ this.url = url;
+ }
+
+ public String getMethod() {
+ return method;
+ }
+
+ @XmlElement (name = "method", required = true)
+ public void setMethod(String method) {
+ this.method = method;
+ }
+}
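Review bot: The field comments say what each value is but not how ApiPermissionFilter interprets it, which is what the next author of permissions.xml needs: `path` is appended to `/permission/admin` to form the Carbon permission node, `url` is compared exactly against the request URI after the `/api-application-registration` context is prepended, and `method` is parsed but not consulted anywhere in this commit. I would state that on the fields, e.g. `// permission node under /permission/admin, e.g. /device-mgt/admin` for `path` and `// request path relative to the webapp context; matched exactly, no wildcards` for `url`, and mark `method` as currently informational. The class Javadoc could also name permissions.xml as the source these values are unmarshalled from.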
diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/PermissionConfiguration.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/PermissionConfiguration.java
new file mode 100644
index 00000000000..22a416873aa
--- /dev/null
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/filter/PermissionConfiguration.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * you may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.apimgt.application.extension.api.filter;
+
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import java.util.List;
+
+/**
+ * This class represents the information related to permission configuration.
+ */
+@XmlRootElement (name = "PermissionConfiguration")
+public class PermissionConfiguration {
+
+ private List permissions;
+
+ public List getPermissions() {
+ return permissions;
+ }
+
+ @XmlElement (name = "Permission", required = true)
+ public void setPermissions(List permissions) {
+ this.permissions = permissions;
+ }
+}
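Review bot: `permissions` is a raw `List` as rendered, which would make `Permission permission = permissions.get(i)` in ApiPermissionFilter fail to compile because raw `get` returns `Object`; most likely the `<Permission>` type argument was dropped when the page was extracted, but if the source really is raw it should read `private List<Permission> permissions;` with the getter and setter typed to match. `getPermissions()` also hands out the mutable internal list, which the filter then keeps in a static field for the lifetime of the webapp; returning `Collections.unmodifiableList(permissions)` (with a null guard) would keep the parsed rules from being altered after `init`. A sentence on the setter noting that `Permission` is the element name matched in permissions.xml would help readers tie the two files together.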
diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/util/APIUtil.java b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/util/APIUtil.java
index b15bcd1944f..299ff01c3df 100644
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/util/APIUtil.java
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/java/org/wso2/carbon/apimgt/application/extension/api/util/APIUtil.java
@@ -22,6 +22,7 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.apimgt.application.extension.APIManagementProviderService;
import org.wso2.carbon.context.PrivilegedCarbonContext;
+import org.wso2.carbon.user.core.service.RealmService;
/**
* This class provides utility functions used by REST-API.
@@ -57,4 +58,16 @@ public class APIUtil {
}
return apiManagementProviderService;
}
+
+ public static RealmService getRealmService() {
+ PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();
+ RealmService realmService =
+ (RealmService) ctx.getOSGiService(RealmService.class, null);
+ if (realmService == null) {
+ String msg = "Device Management service has not initialized.";
+ log.error(msg);
+ throw new IllegalStateException(msg);
+ }
+ return realmService;
+ }
}
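Review bot: The error message in `getRealmService` says `"Device Management service has not initialized."`, but the service being resolved is the `RealmService`; since the same text is both logged and carried by the `IllegalStateException`, it would send anyone debugging a failed authorization check to the wrong component. Change it to `String msg = "Realm service has not initialized.";`. A short Javadoc stating that the service is looked up from the thread-local Carbon context and that `IllegalStateException` is thrown when the OSGi service is absent would match the pattern the surrounding `getAPIManagementProviderService` context lines suggest. The import hunk above is trivial on its own.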
diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/META-INF/permissions.xml b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/META-INF/permissions.xml
index 213141cc67b..1feabf39250 100644
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/META-INF/permissions.xml
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/META-INF/permissions.xml
@@ -30,21 +30,21 @@
Register tenant specific application
- /device-mgt
+ /device-mgt/admin
/register/tenants/*
POST
super_admin_user
Register application
- /device-mgt/api/application/add
+ /device-mgt/user/api/application
/register
POST
application_user
Delete application
- /device-mgt/api/application/remove
+ /device-mgt/user/api/application
/unregister
DELETE
application_user
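Review bot: The tenant-registration entry now requires `/device-mgt/admin`, while `/register` and `/unregister` both require `/device-mgt/user/api/application`; because ApiPermissionFilter evaluates these against the calling tenant's own user realm, any role in any tenant that holds `/permission/admin/device-mgt/admin` would presumably pass the `/register/tenants/*` check, which the `super_admin_user` marker on that entry suggests is not the intent — confirm against the role definitions, which are not in this diff. The `POST`/`DELETE` values are declarative only in this commit, since the filter matches on url alone; if the methods are meant to be enforced the filter needs to read them. An XML comment at the top of the file stating that `path` is relative to `/permission/admin` and `url` to the webapp context would save the next editor a trip through the filter source.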
diff --git a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml
index 7aaaf3002db..549bf4c1bd4 100644
--- a/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml
+++ b/components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml
@@ -49,4 +49,14 @@
managed-api-enabled
false
+
+
+ ApiPermissionFilter
+ org.wso2.carbon.apimgt.application.extension.api.filter.ApiPermissionFilter
+
+
+ ApiPermissionFilter
+ /*
+
+
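Review bot: `ApiPermissionFilter` is mapped to `/*` but obtains the caller from `PrivilegedCarbonContext.getUsername()`, so it is only correct if an authentication step that populates the Carbon context runs before it; nothing in this hunk establishes that ordering, and with no authenticated user the authorization-manager lookup is made with a null username. An XML comment beside the mapping naming the authenticator it depends on, e.g. `Must run after the webapp authenticator that sets the Carbon context username`, would make the dependency explicit. If no such handler is guaranteed for this webapp, the filter should reject requests whose username is null before consulting the authorization manager.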
diff --git a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js
index 9474dd26976..8d2b0c197f1 100644
--- a/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js
+++ b/components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/init.js
@@ -29,6 +29,6 @@ var utility = require("/app/modules/utility.js")["utility"];
var permissions = {
'/permission/admin/device-mgt/user': ['ui.execute'],
- '/permission/admin/device-mgt/api/application': ['ui.execute']
+ '/permission/admin/manage/api/subscribe': ['ui.execute']
};
userModule.addRole("internal/devicemgt-user", ["admin"], permissions);
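Review bot: The replacement permission `/permission/admin/manage/api/subscribe` is not referenced by the permissions.xml in this commit, which now requires `/permission/admin/device-mgt/user/api/application` for `/register` and `/unregister`; the role presumably still passes that check only because it also holds the parent node `/permission/admin/device-mgt/user`, and nothing in this file records that link. A comment on the map, e.g. `// '/device-mgt/user' also covers /device-mgt/user/api/application required by api-application-registration`, would make the dependency visible to whoever next trims this role. Whether `/manage/api/subscribe` is consumed elsewhere is not visible here.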