Java Code Examples for org.wso2.carbon.user.core.AuthorizationManager#authorizeRole()
The following examples show how to use
org.wso2.carbon.user.core.AuthorizationManager#authorizeRole() .
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example 1
Source File: CaptchaUtil.java From carbon-identity-framework with Apache License 2.0 | 6 votes |
public static void setAnonAuthorization(String path, UserRealm userRealm) throws RegistryException { if (userRealm == null) { return; } try { AuthorizationManager accessControlAdmin = userRealm.getAuthorizationManager(); String everyoneRole = CarbonConstants.REGISTRY_ANONNYMOUS_ROLE_NAME; accessControlAdmin.authorizeRole(everyoneRole, path, ActionConstants.GET); accessControlAdmin.denyRole(everyoneRole, path, ActionConstants.PUT); accessControlAdmin.denyRole(everyoneRole, path, ActionConstants.DELETE); accessControlAdmin.denyRole(everyoneRole, path, AccessControlConstants.AUTHORIZE); } catch (UserStoreException e) { String msg = "Could not set authorizations for the " + path + "."; log.error(msg, e); throw new RegistryException(msg); } }
Example 2
Source File: CommonUtil.java From carbon-commons with Apache License 2.0 | 6 votes |
public static void setAnonAuthorization(String path, UserRealm userRealm) throws RegistryException { if (userRealm == null) { return; } try { AuthorizationManager accessControlAdmin = userRealm.getAuthorizationManager(); String everyoneRole = CarbonConstants.REGISTRY_ANONNYMOUS_ROLE_NAME; accessControlAdmin.authorizeRole(everyoneRole, path, ActionConstants.GET); accessControlAdmin.denyRole(everyoneRole, path, ActionConstants.PUT); accessControlAdmin.denyRole(everyoneRole, path, ActionConstants.DELETE); accessControlAdmin.denyRole(everyoneRole, path, AccessControlConstants.AUTHORIZE); } catch (UserStoreException e) { String msg = "Could not set authorizations for the " + path + "."; log.error(msg, e); throw new RegistryException(msg); } }
Example 3
Source File: CommonUtil.java From attic-stratos with Apache License 2.0 | 6 votes |
public static void setAnonAuthorization(String path, UserRealm userRealm) throws RegistryException { if (userRealm == null) { return; } try { AuthorizationManager accessControlAdmin = userRealm.getAuthorizationManager(); String everyoneRole = CarbonConstants.REGISTRY_ANONNYMOUS_ROLE_NAME; accessControlAdmin.authorizeRole(everyoneRole, path, ActionConstants.GET); accessControlAdmin.denyRole(everyoneRole, path, ActionConstants.PUT); accessControlAdmin.denyRole(everyoneRole, path, ActionConstants.DELETE); accessControlAdmin.denyRole(everyoneRole, path, AccessControlConstants.AUTHORIZE); } catch (UserStoreException e) { String msg = "Could not set authorizations for the " + path + "."; log.error(msg, e); throw new RegistryException(msg); } }
Example 4
Source File: UserRealmProxy.java From carbon-identity with Apache License 2.0 | 5 votes |
public void setRoleUIPermission(String roleName, String[] rawResources) throws UserAdminException { try { if (((AbstractUserStoreManager) realm.getUserStoreManager()).isOthersSharedRole(roleName)) { throw new UserAdminException("Logged in user is not authorized to assign " + "permissions to a role belong to another tenant"); } if (realm.getRealmConfiguration().getAdminRoleName().equalsIgnoreCase(roleName)) { String msg = "UI permissions of Admin is not allowed to change"; log.error(msg); throw new UserAdminException(msg); } String loggedInUserName = addPrimaryDomainIfNotExists(getLoggedInUser()); String adminUser = addPrimaryDomainIfNotExists(realm.getRealmConfiguration().getAdminUserName()); if (rawResources != null && !adminUser.equalsIgnoreCase(loggedInUserName)) { Arrays.sort(rawResources); if (Arrays.binarySearch(rawResources, PERMISSION_ADMIN) > -1 || Arrays.binarySearch(rawResources, "/permission/protected") > -1 || Arrays.binarySearch(rawResources, PERMISSION) > -1) { log.warn("An attempt to Assign admin permission for role by user : " + loggedInUserName); throw new UserStoreException("Can not assign Admin for permission role"); } } String[] optimizedList = UserCoreUtil.optimizePermissions(rawResources); AuthorizationManager authMan = realm.getAuthorizationManager(); authMan.clearRoleActionOnAllResources(roleName, UserMgtConstants.EXECUTE_ACTION); for (String path : optimizedList) { authMan.authorizeRole(roleName, path, UserMgtConstants.EXECUTE_ACTION); } } catch (UserStoreException e) { log.error(e.getMessage(), e); throw new UserAdminException(e.getMessage(), e); } }
Example 5
Source File: UserRealmProxy.java From carbon-identity-framework with Apache License 2.0 | 4 votes |
public void setRoleUIPermission(String roleName, String[] rawResources) throws UserAdminException { Permission[] permissions = null; UserStoreManager userStoreManager = null; try { if (((AbstractUserStoreManager) realm.getUserStoreManager()).isOthersSharedRole(roleName)) { throw new UserAdminException("Logged in user is not authorized to assign " + "permissions to a role belong to another tenant"); } if (realm.getRealmConfiguration().getAdminRoleName().equalsIgnoreCase(roleName)) { String msg = "UI permissions of Admin is not allowed to change"; log.error(msg); throw new UserAdminException(msg); } String loggedInUserName = addPrimaryDomainIfNotExists(getLoggedInUser()); String adminUser = addPrimaryDomainIfNotExists(realm.getRealmConfiguration().getAdminUserName()); if (rawResources != null && !adminUser.equalsIgnoreCase(loggedInUserName)) { Arrays.sort(rawResources); if (Arrays.binarySearch(rawResources, PERMISSION_ADMIN) > -1 || Arrays.binarySearch(rawResources, "/permission/protected") > -1 || Arrays.binarySearch(rawResources, PERMISSION) > -1) { log.warn("An attempt to Assign admin permission for role by user : " + loggedInUserName); throw new UserStoreException("Can not assign Admin for permission role"); } } String[] optimizedList = UserCoreUtil.optimizePermissions(rawResources); AuthorizationManager authMan = realm.getAuthorizationManager(); authMan.clearRoleActionOnAllResources(roleName, UserMgtConstants.EXECUTE_ACTION); permissions = new Permission[optimizedList.length]; for (int i = 0; i < optimizedList.length; i++) { authMan.authorizeRole(roleName, optimizedList[i], UserMgtConstants.EXECUTE_ACTION); permissions[i] = new Permission(optimizedList[i], UserMgtConstants.EXECUTE_ACTION); } userStoreManager = realm.getUserStoreManager(); ManagementPermissionUtil.handlePostUpdatePermissionsOfRole(roleName, permissions, userStoreManager); } catch (UserStoreException e) { ManagementPermissionUtil .handleOnUpdatePermissionsOfRoleFailure(e.getMessage(), roleName, permissions, userStoreManager); log.error(e.getMessage(), e); throw new UserAdminException(e.getMessage(), e); } }
Example 6
Source File: SecurityConfigAdmin.java From carbon-identity with Apache License 2.0 | 4 votes |
public void applySecurity(String serviceName, String scenarioId, String policyPath, String[] trustedStores, String privateStore, String[] userGroups) throws SecurityConfigException { AxisService service = axisConfig.getServiceForActivation(serviceName); OMElement carbonSecConfigs = null; if (service == null) { throw new SecurityConfigException("Service not available."); } if (userGroups != null) { Arrays.sort(userGroups); if (Arrays.binarySearch(userGroups, CarbonConstants.REGISTRY_ANONNYMOUS_ROLE_NAME) > -1) { log.error("Security breach. A user is attempting to enable anonymous for UT access"); throw new SecurityConfigException("Invalid data provided"); // obscure error message } } // First disable security and remove all applied policies before applying a new policy this.disableSecurityOnService(serviceName); OMElement policyElement = loadPolicyAsXML(scenarioId, policyPath); SecurityScenario scenario = SecurityScenarioDatabase.get(scenarioId); boolean isTrustEnabled = scenario.getModules().contains(SecurityConstants.TRUST_MODULE); if ((isTrustEnabled || (userGroups != null && userGroups.length > 0))) { carbonSecConfigs = addUserParameters(policyElement, trustedStores, privateStore, userGroups, null, isTrustEnabled, policyPath); } // If policy is taken from registry (custom policy) it needs to have rampartConfigs defined it. if (StringUtils.isNotBlank(policyPath)) { policyElement.addChild(buildRampartConfigXML(privateStore, trustedStores, null)); } Policy policy = PolicyEngine.getPolicy(policyElement); try { persistPolicy(service, policyElement, policy.getId()); applyPolicy(service, policy, carbonSecConfigs); String serviceGroupId = service.getAxisServiceGroup().getServiceGroupName(); if (userGroups != null) { for (String value : userGroups) { AuthorizationManager acAdmin = realm.getAuthorizationManager(); acAdmin.authorizeRole(value, serviceGroupId + "/" + service.getName(), UserCoreConstants.INVOKE_SERVICE_PERMISSION); } } if (policyPath != null && scenarioId.equals(SecurityConstants.POLICY_FROM_REG_SCENARIO)) { Parameter pathParam = new Parameter(SecurityConstants.SECURITY_POLICY_PATH, policyPath); service.addParameter(pathParam); } } catch (Exception e) { throw new SecurityConfigException("Error while persisting policy in registry", e); } }