Re: [Dev] How to check whether a logged in user has admin role
Hi Shashika,

There is some exception handling around the above-mentioned implementation, and I put PrivilegedCarbonContext.endTenantFlow() inside the finally block.

Thanks.

On Thu, May 21, 2015 at 9:58 AM, Shashika Karunatilaka wrote:
> Hi Thilini,
>
> Did you end this started tenant flow?
>
> Thanks
>
> On Thu, May 21, 2015 at 9:53 AM, Thilini Cooray wrote:
>> [earlier messages snipped; Thilini's 9:53 AM reply with the tenant-flow implementation and the rest of the thread appear in full below]

--
Best Regards,
Thilini Cooray
Software Engineer
WSO2 Inc. www.wso2.com
Re: [Dev] How to check whether a logged in user has admin role
Hi Thilini,

Did you end this started tenant flow?

Thanks

On Thu, May 21, 2015 at 9:53 AM, Thilini Cooray wrote:
> Hi,
>
> I was able to resolve the issue with the support of the IS team.
>
> The problem occurred because I was trying to authenticate a user of a different tenant domain using an admin of the super tenant. IS maintains tenant isolation, therefore it cannot be done.
>
> So for each tenant domain we need to start a separate tenant flow and do the authentication within the flow of the tenant domain of the current user. After authentication, I retrieved all roles of the authenticated user and checked whether he has the admin role.
>
> Following is the implementation.
>
>     String tenantDomain = MultitenantUtils.getTenantDomain(username);
>     PrivilegedCarbonContext.startTenantFlow();
>     PrivilegedCarbonContext.getThreadLocalCarbonContext()
>             .setTenantDomain(tenantDomain, true);
>
>     UserStoreManager userstoremanager =
>             CarbonContext.getThreadLocalCarbonContext().getUserRealm()
>                     .getUserStoreManager();
>
>     String tenantAwareUsername =
>             MultitenantUtils.getTenantAwareUsername(username);
>
>     // authenticate user provided credentials
>     if (userstoremanager.authenticate(tenantAwareUsername, password)) {
>         log.info(username + " user authenticated successfully");
>         // Get admin role name of the current domain
>         String adminRoleName =
>                 CarbonContext.getCurrentContext().getUserRealm().getRealmConfiguration()
>                         .getAdminRoleName();
>
>         String[] userRoles =
>                 userstoremanager.getRoleListOfUser(tenantAwareUsername);
>
>         // user is only authorized for exporting and importing if he is an admin of his
>         // domain
>         if (Arrays.asList(userRoles).contains(adminRoleName)) {
>             log.info(username + " is authorized to import and export APIs");
>         }
>     }
>
> Thanks.
>
> [earlier messages snipped; Darshana's reply and the original question appear in full below]
Re: [Dev] How to check whether a logged in user has admin role
Hi,

I was able to resolve the issue with the support of the IS team.

The problem occurred because I was trying to authenticate a user of a different tenant domain using an admin of the super tenant. IS maintains tenant isolation, therefore it cannot be done.

So for each tenant domain we need to start a separate tenant flow and do the authentication within the flow of the tenant domain of the current user. After authentication, I retrieved all roles of the authenticated user and checked whether he has the admin role.

Following is the implementation.

    String tenantDomain = MultitenantUtils.getTenantDomain(username);
    PrivilegedCarbonContext.startTenantFlow();
    PrivilegedCarbonContext.getThreadLocalCarbonContext()
            .setTenantDomain(tenantDomain, true);

    UserStoreManager userstoremanager =
            CarbonContext.getThreadLocalCarbonContext().getUserRealm()
                    .getUserStoreManager();

    String tenantAwareUsername =
            MultitenantUtils.getTenantAwareUsername(username);

    // authenticate user provided credentials
    if (userstoremanager.authenticate(tenantAwareUsername, password)) {
        log.info(username + " user authenticated successfully");
        // Get admin role name of the current domain
        String adminRoleName =
                CarbonContext.getCurrentContext().getUserRealm().getRealmConfiguration()
                        .getAdminRoleName();

        String[] userRoles =
                userstoremanager.getRoleListOfUser(tenantAwareUsername);

        // user is only authorized for exporting and importing if he is an admin of his
        // domain
        if (Arrays.asList(userRoles).contains(adminRoleName)) {
            log.info(username + " is authorized to import and export APIs");
        }
    }

Thanks.

On Thu, May 14, 2015 at 8:15 PM, Darshana Gunawardana wrote:
> If a particular feature needs to be restricted, we usually do it in a permission-based manner, i.e. to access RemoteUserStoreManager functionalities, the user needs to have the /permission/admin/configure/security permission.
>
> The authenticate method of the remote RemoteUserStoreManagerService does not create a session for the given username and password; rather, it just checks whether the given credentials are correct.
>
> The sample [1] can be used as a reference to authenticate and invoke methods in RemoteUserStoreManagerService.
>
> [1] https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/products/is/5.0.0/modules/samples/user-mgt/remote-user-mgt/src/main/java/org/wso2/remoteum/sample/RemoteUMClient.java
>
> Thanks,
> Darshana.
>
> [original question and code snipped; they appear in full in Darshana's reply below]

--
Best Regards,
Thilini Cooray
Software Engineer
WSO2 Inc. www.wso2.com
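The resolution above, combined with the try/finally placement of endTenantFlow() that Thilini mentions in her later follow-up, written out as one complete method. This is an added example, not code from the thread or from the WSO2 code base; the Carbon package names, the commons-logging logger and the class name TenantAdminChecker are assumptions.

```java
// Added example, not code from the thread; Carbon package names are assumed.
import java.util.Arrays;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

public class TenantAdminChecker {
    private static final Log log = LogFactory.getLog(TenantAdminChecker.class);

    // True only if the credentials are valid in the user's own tenant and the
    // user holds that tenant's configured admin role; any error fails closed.
    public static boolean isTenantAdmin(String username, String password) {
        String tenantDomain = MultitenantUtils.getTenantDomain(username);
        String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(username);
        // Tenant isolation: authenticate inside the user's own tenant flow,
        // never via the super-tenant admin's context.
        PrivilegedCarbonContext.startTenantFlow();
        try {
            PrivilegedCarbonContext.getThreadLocalCarbonContext()
                    .setTenantDomain(tenantDomain, true);
            UserStoreManager userStoreManager = CarbonContext.getThreadLocalCarbonContext()
                    .getUserRealm().getUserStoreManager();
            if (!userStoreManager.authenticate(tenantAwareUsername, password)) {
                log.warn("Authentication failed for " + username);
                return false;
            }
            // The admin role name is per-tenant configuration, so read it inside the flow.
            String adminRoleName = CarbonContext.getThreadLocalCarbonContext()
                    .getUserRealm().getRealmConfiguration().getAdminRoleName();
            String[] roles = userStoreManager.getRoleListOfUser(tenantAwareUsername);
            // Membership in the admin role, not mere existence of the role, authorizes.
            return Arrays.asList(roles).contains(adminRoleName);
        } catch (UserStoreException e) {
            log.error("User store error while checking admin role for " + username, e);
            return false;
        } finally {
            // Always end the flow, even on exception, so the thread-local tenant
            // context does not leak into the next request handled by this thread.
            PrivilegedCarbonContext.endTenantFlow();
        }
    }
}
```

The callers that gate API import/export would call isTenantAdmin() and deny on false, so a user-store failure or a missing role never grants access.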
Re: [Dev] How to check whether a logged in user has admin role
On Thu, May 14, 2015 at 6:38 PM, Thilini Cooray wrote:
> Hi,
>
> I am implementing the API export feature for APIM.
>
> I want to check whether a logged-in user has the admin role, because we are going to allow only admin users to export and import APIs.

If a particular feature needs to be restricted, we usually do it in a permission-based manner, i.e. to access RemoteUserStoreManager functionalities, the user needs to have the /permission/admin/configure/security permission.

> Following is the source which I tried. But userStoreManager.authenticate(username, password) does not authenticate tenant admins.

The authenticate method of the remote RemoteUserStoreManagerService does not create a session for the given username and password; rather, it just checks whether the given credentials are correct.

The sample [1] can be used as a reference to authenticate and invoke methods in RemoteUserStoreManagerService.

[1] https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/products/is/5.0.0/modules/samples/user-mgt/remote-user-mgt/src/main/java/org/wso2/remoteum/sample/RemoteUMClient.java

Thanks,
Darshana.

> I get the session cookie by logging in using super tenant credentials.
>
> Any help is appreciated.
>
> Thank you.
>
>     ServiceClient serviceClient;
>     Options option;
>
>     RemoteUserStoreManagerServiceStub userStoreManager =
>             new RemoteUserStoreManagerServiceStub(null, SERVICE_URL + "RemoteUserStoreManagerService");
>
>     serviceClient = userStoreManager._getServiceClient();
>     option = serviceClient.getOptions();
>     option.setManageSession(true);
>     option.setProperty(org.apache.axis2.transport.http.HTTPConstants.COOKIE_STRING, sessionCookie);
>
>     // Checking whether current user is authenticated and he has admin role
>     if (userStoreManager.authenticate(username, password)) {
>         String adminRoleName =
>                 CarbonContext.getCurrentContext().getUserRealm().getRealmConfiguration()
>                         .getAdminRoleName();
>         if (userStoreManager.isExistingRole(adminRoleName)) {
>             userName = username;
>             LOG.info(username + " user authenticated successfully");
>             return true;
>         }
>     }
>
> --
> Best Regards,
> Thilini Cooray
> Software Engineer
> WSO2 Inc. www.wso2.com

--
Regards,
Darshana Gunawardana
Software Engineer
WSO2 Inc.; http://wso2.com

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev