Hi Shashika,

There is some exception handling around the above-mentioned implementation,
and I put PrivilegedCarbonContext.endTenantFlow() inside the finally block.

Thanks.

On Thu, May 21, 2015 at 9:58 AM, Shashika Karunatilaka <shashi...@wso2.com>
wrote:

> Hi Thilini,
>
> Did you end this started tenant flow?
>
> Thanks
>
> On Thu, May 21, 2015 at 9:53 AM, Thilini Cooray <thili...@wso2.com> wrote:
>
>> Hi,
>>
>> I was able to resolve the issue with the support of IS team.
>>
>> The problem occurred because I was trying to authenticate a user of a
>> different tenant domain using an admin of the super tenant.
>> IS maintains tenant isolation; therefore it cannot be done.
>>
>> So for each tenant domain we need to start a separate tenant flow and do
>> the authentication within the flow of the tenant domain of the current user.
>> After authentication, I retrieved all roles of the authenticated user and
>> checked whether he has the admin role.
>>
>> Following is the implementation.
>>
>> import java.util.Arrays;
>> import org.wso2.carbon.context.CarbonContext;
>> import org.wso2.carbon.context.PrivilegedCarbonContext;
>> import org.wso2.carbon.user.api.UserStoreManager;
>> import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
>>
>> String tenantDomain = MultitenantUtils.getTenantDomain(username);
>> String tenantAwareUsername =
>>       MultitenantUtils.getTenantAwareUsername(username);
>>
>> //Switch to the user's own tenant; authentication has to happen inside it
>> PrivilegedCarbonContext.startTenantFlow();
>> try {
>>    PrivilegedCarbonContext.getThreadLocalCarbonContext()
>>                           .setTenantDomain(tenantDomain, true);
>>
>>    UserStoreManager userstoremanager =
>>          CarbonContext.getThreadLocalCarbonContext().getUserRealm()
>>                       .getUserStoreManager();
>>
>>    //authenticate user provided credentials
>>    if (userstoremanager.authenticate(tenantAwareUsername, password)) {
>>       log.info(username + " user authenticated successfully");
>>       //Get admin role name of the current domain
>>       String adminRoleName =
>>             CarbonContext.getThreadLocalCarbonContext().getUserRealm()
>>                          .getRealmConfiguration().getAdminRoleName();
>>
>>       String[] userRoles =
>>             userstoremanager.getRoleListOfUser(tenantAwareUsername);
>>
>>       //user is only authorized for exporting and importing if he is an admin
>>       // of his domain
>>       if (Arrays.asList(userRoles).contains(adminRoleName)) {
>>          log.info(username + " is authorized to import and export APIs");
>>       }
>>    }
>> } finally {
>>    //Always leave the tenant flow, even if authentication throws
>>    PrivilegedCarbonContext.endTenantFlow();
>> }
>>
>> Thanks.
>>
>>
>> On Thu, May 14, 2015 at 8:15 PM, Darshana Gunawardana <darsh...@wso2.com>
>> wrote:
>>
>>> On Thu, May 14, 2015 at 6:38 PM, Thilini Cooray <thili...@wso2.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am implementing API export feature for APIM.
>>>>
>>>> I want to check whether a logged in user has admin role, because we are
>>>> going to allow only admin users to export and import APIs.
>>>>
>>>
>>> If a particular feature needs to be restricted, we usually do it in a
>>> permission-based manner, i.e. to access RemoteUserStoreManager
>>> functionalities, the user needs to have the "/permission/admin/configure/security"
>>> permission.
>>>
>>>
>>>> Following is the source which I tried, but
>>>> userStoreManager.authenticate(username, password) does not authenticate
>>>> tenant admins.
>>>>
>>>
>>> The authenticate method of the remote RemoteUserStoreManagerService does
>>> not create a session for the given username and password; rather it just
>>> checks whether the given credentials are correct.
>>>
>>> The sample [1] can be used as a reference to authenticate and invoke
>>> methods in RemoteUserStoreManagerService.
>>>
>>> [1]
>>> https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/products/is/5.0.0/modules/samples/user-mgt/remote-user-mgt/src/main/java/org/wso2/remoteum/sample/RemoteUMClient.java
>>>
>>> Thanks,
>>> Darshana.
>>>
>>>
>>>> I get the session cookie by logging in using super tenant credentials.
>>>>
>>>> Any help is appreciated.
>>>>
>>>> Thank you.
>>>>
>>>>
>>>> import org.apache.axis2.client.Options;
>>>> import org.apache.axis2.client.ServiceClient;
>>>> import org.apache.axis2.transport.http.HTTPConstants;
>>>> import org.wso2.carbon.context.CarbonContext;
>>>> import org.wso2.carbon.um.ws.api.stub.RemoteUserStoreManagerServiceStub;
>>>>
>>>> ServiceClient serviceClient;
>>>> Options option;
>>>>
>>>>    RemoteUserStoreManagerServiceStub userStoreManager =
>>>>          new RemoteUserStoreManagerServiceStub(null, SERVICE_URL +
>>>>                                                      "RemoteUserStoreManagerService");
>>>>
>>>>    //Reuse the session cookie obtained by logging in to the admin service
>>>>    serviceClient = userStoreManager._getServiceClient();
>>>>    option = serviceClient.getOptions();
>>>>    option.setManageSession(true);
>>>>    option.setProperty(HTTPConstants.COOKIE_STRING, sessionCookie);
>>>>
>>>>    //Checking whether current user is authenticated and he has admin role
>>>>    if (userStoreManager.authenticate(username, password)) {
>>>>
>>>>       String adminRoleName =
>>>>             CarbonContext.getCurrentContext().getUserRealm()
>>>>                          .getRealmConfiguration().getAdminRoleName();
>>>>
>>>>       //isExistingRole only checks that the role exists in the store,
>>>>       //not that this particular user holds it
>>>>       if (userStoreManager.isExistingRole(adminRoleName)) {
>>>>          userName = username;
>>>>          LOG.info(username + " user authenticated successfully");
>>>>          return true;
>>>>       }
>>>>    }
>>>>
>>>>
>>>> --
>>>> Best Regards,
>>>>
>>>> *Thilini Cooray*
>>>> Software Engineer
>>>> Mobile : +94 (0) 774 570 112
>>>> E-mail : thili...@wso2.com
>>>>
>>>> WSO2 Inc. www.wso2.com
>>>> lean.enterprise.middleware
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> Dev@wso2.org
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>>
>>>
>>> --
>>> Regards,
>>>
>>>
>>> *Darshana Gunawardana*
>>> Software Engineer
>>> WSO2 Inc.; http://wso2.com
>>>
>>> *E-mail: darsh...@wso2.com*
>>> *Mobile: +94718566859*
>>> Lean . Enterprise . Middleware
>>>
>>
>>
>>
>>
>>
>
>
> --
> Shashika Prabath Karunatilaka,
> Software Engineer,
> WSO2, Inc: http://wso2.com/
> mobile : +94 77 7487792
>




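Putting the thread's conclusions together, as an added example that is not code from the original thread or from the APIM project: the caller is authenticated inside the tenant flow of the tenant derived from the supplied username (so a super-tenant admin cannot be used to authenticate a user of another tenant), the flow is always ended in a finally block, and authorization is done with a permission check through the realm's AuthorizationManager, as Darshana suggested, instead of comparing role names. The class name, the IMPORT_EXPORT_PERMISSION constant and the choice of /permission/admin/configure/security as the guarding permission are assumptions for illustration; the thread only names that permission as an example of the permission-based approach.

```java
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.CarbonConstants;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.user.api.AuthorizationManager;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.api.UserStoreManager;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/**
 * Added example (not the APIM project's code): decides whether the caller
 * may import/export APIs. Authentication runs inside the tenant flow of the
 * user's own tenant; authorization is permission based rather than matching
 * the admin role name.
 */
public class ApiImportExportAuthorizer {

    private static final Log log = LogFactory.getLog(ApiImportExportAuthorizer.class);

    // Assumption: the permission that guards import/export. Replace it with
    // the permission the feature actually registers.
    private static final String IMPORT_EXPORT_PERMISSION =
            "/permission/admin/configure/security";

    public boolean isAuthorized(String username, String password) throws UserStoreException {
        // The tenant comes from the supplied username itself, so the check
        // cannot be done on behalf of a user of a different tenant.
        String tenantDomain = MultitenantUtils.getTenantDomain(username);
        String tenantAwareUsername = MultitenantUtils.getTenantAwareUsername(username);

        PrivilegedCarbonContext.startTenantFlow();
        try {
            PrivilegedCarbonContext.getThreadLocalCarbonContext()
                    .setTenantDomain(tenantDomain, true);

            UserRealm realm = CarbonContext.getThreadLocalCarbonContext().getUserRealm();
            UserStoreManager userStoreManager = realm.getUserStoreManager();

            // authenticate() only verifies the credentials; it creates no session.
            if (!userStoreManager.authenticate(tenantAwareUsername, password)) {
                log.warn("Authentication failed for " + username);
                return false;
            }

            // Permission-based authorization instead of comparing role names:
            // ui.execute is the action Carbon uses for UI/admin permissions.
            AuthorizationManager authorizationManager = realm.getAuthorizationManager();
            boolean permitted = authorizationManager.isUserAuthorized(
                    tenantAwareUsername, IMPORT_EXPORT_PERMISSION,
                    CarbonConstants.UI_PERMISSION_ACTION);
            if (!permitted) {
                log.warn(username + " is not authorized for " + IMPORT_EXPORT_PERMISSION);
            }
            return permitted;
        } finally {
            // Always leave the flow, even when authenticate() or the realm
            // lookup throws; otherwise the thread keeps this tenant's context
            // for whatever it processes next.
            PrivilegedCarbonContext.endTenantFlow();
        }
    }
}
```

Calling `new ApiImportExportAuthorizer().isAuthorized("bob@tenant.com", password)` authenticates bob against tenant.com's user store and then asks that tenant's authorization manager whether he holds the permission; neither the super tenant's admin session nor the super tenant's admin role name is involved.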