Allow admin users to get tokens using credentials when SSO providers other than Usergrid is enabled.
Project: http://git-wip-us.apache.org/repos/asf/usergrid/repo Commit: http://git-wip-us.apache.org/repos/asf/usergrid/commit/a3e8946f Tree: http://git-wip-us.apache.org/repos/asf/usergrid/tree/a3e8946f Diff: http://git-wip-us.apache.org/repos/asf/usergrid/diff/a3e8946f Branch: refs/heads/master Commit: a3e8946fa275253c47bce93a98c6cfe058d4ceb1 Parents: 4b01bc8 Author: Michael Russo <[email protected]> Authored: Tue Aug 30 13:42:51 2016 -0700 Committer: Michael Russo <[email protected]> Committed: Tue Aug 30 13:42:51 2016 -0700
----------------------------------------------------------------------
.../usergrid/rest/management/ManagementResource.java | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/usergrid/blob/a3e8946f/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java b/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
index 9ef67c9..4f8b456 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
@@ -395,6 +395,7 @@ public class ManagementResource extends AbstractContextResource {
 //moved the check for sso enabled form MangementServiceImpl since was unable to get the current user there to check if its super user.
 if( tokens.isExternalSSOProviderEnabled()
+ && properties.getProperty(TokenServiceImpl.USERGRID_EXTERNAL_SSO_PROVIDER).equalsIgnoreCase("usergrid")
 && !userServiceAdmin(username) ){
 OAuthResponse response = OAuthResponse.errorResponse( SC_BAD_REQUEST ).setError( OAuthError.TokenResponse.INVALID_GRANT )
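Review bot: `properties.getProperty(TokenServiceImpl.USERGRID_EXTERNAL_SSO_PROVIDER)` can return null when that property is not configured, and the added `.equalsIgnoreCase("usergrid")` then throws a NullPointerException inside the token endpoint instead of producing the deliberate OAuth error the surrounding branch builds. Reverse the comparison, `"usergrid".equalsIgnoreCase(properties.getProperty(TokenServiceImpl.USERGRID_EXTERNAL_SSO_PROVIDER))`, and decide explicitly what a missing provider value should mean here, because with that form an unset property no longer blocks non-admin credential logins while SSO is enabled, whereas today it fails by exception. The same expression is added in the hunk at line 625, where the property is read a second time for the exception message; reading it once into a local and sharing one small helper between both call sites would keep the two checks from drifting apart. Both hunks lie inside methods whose start and end are outside the hunk.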
@@ -625,13 +626,14 @@ public class ManagementResource extends AbstractContextResource {
 return; // we only care about username/password auth
 }
- if ( tokens.isExternalSSOProviderEnabled() ) {
- // when external tokens enabled then only superuser can obtain an access token
- if ( !userServiceAdmin(username)) {
- // this guy is not the superuser
+ // when external tokens enabled with Usergrid provider then only superuser can obtain an access token
+ if ( tokens.isExternalSSOProviderEnabled()
+ && properties.getProperty(TokenServiceImpl.USERGRID_EXTERNAL_SSO_PROVIDER).equalsIgnoreCase("usergrid")
+ && !userServiceAdmin(username) ) {
+
 throw new IllegalArgumentException( "External SSO integration is enabled, admin users must login via provider: "+ properties.getProperty(TokenServiceImpl.USERGRID_EXTERNAL_SSO_PROVIDER) );
- }
+
 }
 }
