Re: [Dev] How to check whether a logged in user has admin role

2015-05-20 Thread Thilini Cooray
Hi Shashika,

There was some exception handling implemented around the above-mentioned
implementation, and I put PrivilegedCarbonContext.endTenantFlow() inside the
finally block.

Thanks.

On Thu, May 21, 2015 at 9:58 AM, Shashika Karunatilaka 
wrote:

> Hi Thilini,
>
> Did you end this started tenant flow?
>
> Thanks

Re: [Dev] How to check whether a logged in user has admin role

2015-05-20 Thread Shashika Karunatilaka
Hi Thilini,

Did you end this started tenant flow?

Thanks


Re: [Dev] How to check whether a logged in user has admin role

2015-05-20 Thread Thilini Cooray
Hi,

I was able to resolve the issue with the support of IS team.

The problem has occurred because I was trying to authenticate a user of a
different tenant domain using an admin of super tenant.
IS maintains tenant isolation, therefore it cannot be done.

So for each tenant domain we need to start a separate tenant flow and do
the authentication within the flow of the tenant domain of the current user.
After authentication, I retrieved all roles of the authenticated user and
checked whether he has admin role.

Following is the implementation.

String tenantDomain = MultitenantUtils.getTenantDomain(username);
PrivilegedCarbonContext.startTenantFlow();
PrivilegedCarbonContext.getThreadLocalCarbonContext()
        .setTenantDomain(tenantDomain, true);

UserStoreManager userstoremanager =
        CarbonContext.getThreadLocalCarbonContext().getUserRealm()
                .getUserStoreManager();

String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(username);

// authenticate user provided credentials
if (userstoremanager.authenticate(tenantAwareUsername, password)) {
    log.info(username + " user authenticated successfully");
    // Get admin role name of the current domain
    String adminRoleName =
            CarbonContext.getCurrentContext().getUserRealm().getRealmConfiguration()
                    .getAdminRoleName();

    String[] userRoles = userstoremanager.getRoleListOfUser(tenantAwareUsername);

    // user is only authorized for exporting and importing if he is an admin of his
    // domain
    if (Arrays.asList(userRoles).contains(adminRoleName)) {
        log.info(username + " is authorized to import and export APIs");
    }
}

Thanks.




-- 
Best Regards,

*Thilini Cooray*
Software Engineer
Mobile : +94 (0) 774 570 112
E-mail : thili...@wso2.com

WSO2 Inc. www.wso2.com
lean.enterprise.middleware
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mail

Re: [Dev] How to check whether a logged in user has admin role

2015-05-14 Thread Darshana Gunawardana
On Thu, May 14, 2015 at 6:38 PM, Thilini Cooray  wrote:

> Hi,
>
> I am implementing API export feature for APIM.
>
> I want to check whether a logged in user has admin role, because we are
> going to allow only admin users to export and import APIs.
>

If a particular feature needs to be restricted, we usually do it in a
permission-based manner, i.e. to access RemoteUserStoreManager
functionalities, the user needs to have the "/permission/admin/configure/security"
permission.


> Following is the source which I tried. But
> userStoreManager.authenticate(username, password) does not authenticate
> tenant admins.
>

The authenticate method of the remote RemoteUserStoreManagerService does
not create a session for the given username and password; rather, it just
checks whether the given credentials are correct.

The sample [1] can be used as a reference to authenticate and invoke methods in
RemoteUserStoreManagerService.

[1]
https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/products/is/5.0.0/modules/samples/user-mgt/remote-user-mgt/src/main/java/org/wso2/remoteum/sample/RemoteUMClient.java

Thanks,
Darshana.


> I get the session cookie by login using super tenant credentials.
>
> Any help is appreciated.
>
> Thank you.
>
>
> ServiceClient serviceClient;
> Options option;
>
> RemoteUserStoreManagerServiceStub userStoreManager =
>         new RemoteUserStoreManagerServiceStub(null, SERVICE_URL +
>                 "RemoteUserStoreManagerService");
>
> serviceClient = userStoreManager._getServiceClient();
> option = serviceClient.getOptions();
> option.setManageSession(true);
> option.setProperty(org.apache.axis2.transport.http.HTTPConstants.COOKIE_STRING,
>         sessionCookie);
>
> // Checking whether current user is authenticated and he has admin role
> if (userStoreManager.authenticate(username, password)) {
>
>     String adminRoleName =
>             CarbonContext.getCurrentContext().getUserRealm().getRealmConfiguration()
>                     .getAdminRoleName();
>
>     if (userStoreManager.isExistingRole(adminRoleName)) {
>         userName = username;
>         LOG.info(username + " user authenticated successfully");
>         return true;
>     }
> }


-- 
Regards,


*Darshana Gunawardana*
Software Engineer
WSO2 Inc.; http://wso2.com

*E-mail: darsh...@wso2.com*
*Mobile: +94718566859*
Lean . Enterprise . Middleware
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev