On Thu, May 19, 2016 at 11:49 AM, Isuru Haththotuwa <isu...@wso2.com> wrote:
> HI Kicha, > > On Fri, May 6, 2016 at 3:58 PM, Kishanthan Thangarajah < > kishant...@wso2.com> wrote: > >> CarbonContext is the API to store and retrieve data which are thread >> local. >> >> - There are two API classes, CarbonContext [1] >> and PrivilegedCarbonContext [2]. >> - CarbonContext (CC) is the ReadOnly API, which is basically the user >> level API and PrivilegedCarbonContext will be the ReadWrite API which is >> secured using java security permission. >> - From CarbonContext, a user can get the "Principal", which is the >> currently logged-in users' JAAS principal for authorization. >> >> If so, can someone deploy a bundle that can access the currently logged > user's Principal information and use it to authorize an action with that? > If its possible, it is a security problem. > The properties of the principal is used with evaluating wether an action can be authorized or not for the currently logged in user. It will not have any sensitive information rather it would have the logged in user name and the users' attributes. Also on the other hand, any component should first be trusted (signed) and then it should get invoked in the currently executing thread for it to access CarbonContext. Even if the component has access to the principal, it will only gain access to some attributes that does not have any sensitive information. This is same behaviour as what we had in C4 based CarbonContext access. Tomcat also provide a similar API - https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/connector/Request.html#getUserPrincipal() > - CarbonContext API also has the ability to set and get properties, > which is to support setting any properties that can be later used within a > thread execution flow. > > >> *Retrieving Tenant Information* >> In C5 based products, a server instance will be dedicated to a tenant. >> From the CarbonContext API, a user can get the tenant name to which the >> server is bound to. There will not be any setter API for setting tenant >> name as we will read the tenant name from either carbon.yml configuration >> file [3] or from a system/environment variable. >> > What is the order we are enforcing here? IMHO it should be first the > environment variable and then the carbon.yaml. > Currently when we build the configuration, we search for first env and then system properties only when the specific property configured to use place holder like ${PROP_KEY}. So there is no order here. If a value is there, then it is used. Or of a place holder is given, then we search for env and then system properties. >> *Usage* >> CarbonContext carbonContext = CarbonContext.getCurrentContext(); >> String tenant = carbonContext.getTenant(); >> Principal principal = carbonContext.getUserPrincipal(); >> Object propertyValue = carbonContext.getProperty("PROPERTY_KEY"); >> >> PrivilegedCarbonContext privilegedCarbonContext = >> PrivilegedCarbonContext.getCurrentContext(); >> privilegedCarbonContext.setUserPrincipal(userPrincipal); >> privilegedCarbonContext.setProperty("PROPERTY_KEY", propertyValue); >> >> Thanks, >> Kishanthan. >> [1] >> https://github.com/wso2/carbon-kernel/blob/master/core/src/main/java/org/wso2/carbon/kernel/context/CarbonContext.java >> [2] >> https://github.com/wso2/carbon-kernel/blob/master/core/src/main/java/org/wso2/carbon/kernel/context/PrivilegedCarbonContext.java >> [3] >> https://github.com/wso2/carbon-kernel/blob/master/features/org.wso2.carbon.kernel.feature/resources/conf/carbon.yml#L20 >> >> -- >> *Kishanthan Thangarajah* >> Associate Technical Lead, >> Platform Technologies Team, >> WSO2, Inc. >> lean.enterprise.middleware >> >> Mobile - +94773426635 >> Blog - *http://kishanthan.wordpress.com >> <http://kishanthan.wordpress.com>* >> Twitter - *http://twitter.com/kishanthan <http://twitter.com/kishanthan>* >> >> _______________________________________________ >> Architecture mailing list >> Architecture@wso2.org >> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture >> >> > > > -- > Thanks and Regards, > > Isuru H. > +94 716 358 048* <http://wso2.com/>* > > > > _______________________________________________ > Architecture mailing list > Architecture@wso2.org > https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture > > -- *Kishanthan Thangarajah* Associate Technical Lead, Platform Technologies Team, WSO2, Inc. lean.enterprise.middleware Mobile - +94773426635 Blog - *http://kishanthan.wordpress.com <http://kishanthan.wordpress.com>* Twitter - *http://twitter.com/kishanthan <http://twitter.com/kishanthan>*
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
