Hi,
I was able to resolve the issue with the support of the IS team.
The problem occurred because I was trying to authenticate a user of a
different tenant domain using an admin of the super tenant.
IS maintains tenant isolation; therefore it cannot be done.
So for each tenant domain we need to start a separate tenant flow and do
the authentication within the flow of the tenant domain of the current user.
After authentication, I retrieved all roles of the authenticated user and
checked whether he has the admin role.
Following is the implementation.
String tenantDomain = MultitenantUtils.getTenantDomain(username);
String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(username);

// Authentication has to run inside the tenant flow of the user's own tenant.
// The flow is ended in 'finally' so the thread-local context is restored even
// if authenticate() or a user store call throws a UserStoreException.
PrivilegedCarbonContext.startTenantFlow();
try {
    PrivilegedCarbonContext.getThreadLocalCarbonContext()
            .setTenantDomain(tenantDomain, true);
    UserRealm userRealm = CarbonContext.getThreadLocalCarbonContext().getUserRealm();
    UserStoreManager userStoreManager = userRealm.getUserStoreManager();

    // Authenticate the user-provided credentials against the tenant's user store
    if (userStoreManager.authenticate(tenantAwareUsername, password)) {
        log.info(username + " user authenticated successfully");

        // Get the admin role name of the current tenant domain
        String adminRoleName = userRealm.getRealmConfiguration().getAdminRoleName();
        String[] userRoles = userStoreManager.getRoleListOfUser(tenantAwareUsername);

        // The user is only authorized for exporting and importing if he is an
        // admin of his domain
        if (Arrays.asList(userRoles).contains(adminRoleName)) {
            log.info(username + " is authorized to import and export APIs");
        }
    }
} finally {
    PrivilegedCarbonContext.endTenantFlow();
}
Thanks.
On Thu, May 14, 2015 at 8:15 PM, Darshana Gunawardana <[email protected]> wrote:
> On Thu, May 14, 2015 at 6:38 PM, Thilini Cooray <[email protected]> wrote:
>
>> Hi,
>>
>> I am implementing API export feature for APIM.
>>
>> I want to check whether a logged in user has admin role, because we are
>> going to allow only admin users to export and import APIs.
>>
>
> If a particular feature needs to be restricted, we usually do it in a
> permission-based manner, i.e. to access RemoteUserStoreManager
> functionalities, the user needs to have the "/permission/admin/configure/security"
> permission.
>
>
>> Following is the source which I tried. But
>> userStoreManager.authenticate(username, password) does not authenticate
>> tenant admins.
>>
>
> The authenticate method of the remote RemoteUserStoreManagerService does
> not create a session for the given username and password; rather, it just
> checks whether the given credentials are correct.
>
> The sample [1] can be used as a reference to authenticate and invoke methods
> in RemoteUserStoreManagerService.
>
> [1]
> https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/products/is/5.0.0/modules/samples/user-mgt/remote-user-mgt/src/main/java/org/wso2/remoteum/sample/RemoteUMClient.java
>
> Thanks,
> Darshana.
>
>
>> I get the session cookie by login using super tenant credentials.
>>
>> Any help is appreciated.
>>
>> Thank you.
>>
>>
>> ServiceClient serviceClient;
>> Options option;
>>
>> RemoteUserStoreManagerServiceStub userStoreManager =
>>         new RemoteUserStoreManagerServiceStub(null, SERVICE_URL + "RemoteUserStoreManagerService");
>>
>> serviceClient = userStoreManager._getServiceClient();
>> option = serviceClient.getOptions();
>> option.setManageSession(true);
>> option.setProperty(org.apache.axis2.transport.http.HTTPConstants.COOKIE_STRING, sessionCookie);
>>
>> //Checking whether current user is authenticated and he has admin role
>> if (userStoreManager.authenticate(username, password)) {
>>     String adminRoleName =
>>             CarbonContext.getCurrentContext().getUserRealm().getRealmConfiguration()
>>                     .getAdminRoleName();
>>
>>     if (userStoreManager.isExistingRole(adminRoleName)) {
>>         userName = username;
>>         LOG.info(username + " user authenticated successfully");
>>         return true;
>>     }
>> }
>>
>>
>> --
>> Best Regards,
>>
>> *Thilini Cooray*
>> Software Engineer
>> Mobile : +94 (0) 774 570 112
>> E-mail : [email protected]
>>
>> WSO2 Inc. www.wso2.com
>> lean.enterprise.middleware
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Regards,
>
> *Darshana Gunawardana*
> Software Engineer
> WSO2 Inc.; http://wso2.com
>
> *E-mail: [email protected]*
> *Mobile: +94718566859*
> Lean . Enterprise . Middleware
>
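The tenant-scoped check this thread arrives at, written out as one complete method. This is an added example, not code from the thread, from APIM or from WSO2: the class and method names are hypothetical, and it combines Thilini's final role check with the permission-based check Darshana recommended, using the "/permission/admin/configure/security" resource quoted in his reply.

```java
import java.util.Arrays;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

public class TenantAdminChecker {
    // Permission named in Darshana's reply; CarbonConstants.UI_PERMISSION_ACTION is "ui.execute".
    private static final String SECURITY_PERMISSION = "/permission/admin/configure/security";

    /**
     * Hypothetical helper (not part of APIM): authenticates the user inside the
     * tenant flow of the user's own tenant and returns true only if the user is
     * an admin there. A tenant user is never authenticated from the super tenant's context.
     */
    public static boolean isTenantAdmin(String username, String password) throws UserStoreException {
        String tenantDomain = MultitenantUtils.getTenantDomain(username);
        String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(username);

        PrivilegedCarbonContext.startTenantFlow();
        try {
            PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
            UserRealm realm = CarbonContext.getThreadLocalCarbonContext().getUserRealm();
            UserStoreManager userStoreManager = realm.getUserStoreManager();

            // Credentials are verified against the tenant's own user store.
            if (!userStoreManager.authenticate(tenantAwareUsername, password)) {
                return false;
            }

            // Role-based check (the thread's final approach): membership in the tenant's admin role.
            String adminRole = realm.getRealmConfiguration().getAdminRoleName();
            boolean hasAdminRole = Arrays.asList(
                    userStoreManager.getRoleListOfUser(tenantAwareUsername)).contains(adminRole);

            // Permission-based check (Darshana's suggestion). Requiring both keeps the decision
            // strict: revoking the permission from the admin role also revokes export/import.
            boolean hasPermission = realm.getAuthorizationManager().isUserAuthorized(
                    tenantAwareUsername, SECURITY_PERMISSION, CarbonConstants.UI_PERMISSION_ACTION);

            return hasAdminRole && hasPermission;
        } finally {
            // Always restore the caller's context, even when authentication throws.
            PrivilegedCarbonContext.endTenantFlow();
        }
    }
}
```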