Re: [Dev] Validate user against given user store and save correct user domain in saml2-bearer grant type.

2016-12-14 Thread Rajith Vitharana
On 15 December 2016 at 01:11, Farasath Ahamed  wrote:

>
>
> On Thu, Dec 15, 2016 at 12:33 PM, Rajith Vitharana 
> wrote:
>
>>
>>
>> On 15 December 2016 at 00:59, Farasath Ahamed  wrote:
>>
>>> On Wed, Dec 14, 2016 at 8:59 PM, Rajith Vitharana 
>>> wrote:
>>>
>>>> Hi IS team,
>>>>
>>>> In [1] when getting the user, it doesn't validate whether the user is
>>>> in a user store or not. (This happens in the saml2-bearer grant type and IS
>>>> trusts the saml assertion. It's totally valid not to do this.)
>>>>
>>>> But can we give the user the freedom to choose whether to validate the
>>>> user in the saml assertion against a given user store or not?
>>>
>>>
>>> If we let the user choose whether to validate the user against a user store
>>> or not, the assertions coming from a trusted IDP for federated users will
>>> fail if he chooses to validate the user in the userstore?
>>>
>> Yes, we can make this configurable and use the current behavior as default.
>> If the user needs this behavior, he will need to provide the details of the
>> userstore which the user needs to be validated against.
>>
>
>
> Hmm that makes sense. But once he enables this option he will no longer be
> able to accept SAML bearer tokens from Federated IDPs (say like Google)
> right?
>
We can make this per IDP, right, without making this a global config? So
that he can disable this for Google, right?

>
>
>>> What I mean is, when the user enables that option, he would only be able to
>>> use assertions issued by IS or a federated IDP that shares a userstore with
>>> IS.
>>>
>>> Instead wouldn't it be better if we only check the user in the user
>>> store if the assertion was issued by us (by us I mean IS that is validating
>>> the SAML assertion). We can check this using the SAML IdpEntityId. For
>>> those assertions not issued by us, we could treat them as coming from a
>>> federated IDP for a federated user.
>>>
>>>> In that case it will actually have a valid user and correct user domain
>>>> in the token table, and he can generate jwt tokens with the required
>>>> claims for that user. Is this a valid scenario? If so, can we support this?
>>>>
>>>> Note that since we are taking the user domain from the
>>>> username (subject) in [1], we can send the username (saml assertion subject)
>>>> with the correct domain (e.g. Secondary/username1), in which case it will
>>>> save the correct domain in the token table. Hence the jwt flow works fine.
>>>> But I feel like it's kind of a hack for this.
>>>>
>>>> I have created a public jira for this in [2]
>>>>
>>>> [1] - https://github.com/wso2/carbon-identity/blob/master/co
>>>> mponents/oauth/org.wso2.carbon.identity.oauth/src/main/java/
>>>> org/wso2/carbon/identity/oauth2/util/OAuth2Util.java#L637
>>>>
>>>> [2] - https://wso2.org/jira/browse/IDENTITY-5483
>>>>
>>>>
>>>> Thanks
>>>>
>>>
>>
>>
>>
>
>


-- 
Rajith Vitharana

Senior Software Engineer,
WSO2 Inc. : wso2.com
Mobile : +94715883223
Blog : http://lankavitharana.blogspot.com/

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
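The issuer-based check Farasath proposes in the thread above (look the subject up in a user store only when the assertion was issued by this IS, identified by its IdpEntityId, and take the user store domain from the subject; otherwise treat it as a federated user), written out as an added example. This is illustration code, not WSO2's implementation; the local entity id, the in-memory user stores and the sample assertions are constructed assumptions, and signature, audience and validity checks are assumed to have already passed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Set, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumptions (not WSO2 values): the entity id this IS uses as its own
# IdpEntityId, and a constructed in-memory user store keyed by domain.
LOCAL_IDP_ENTITY_ID = "localhost"
PRIMARY_DOMAIN = "PRIMARY"
USER_STORES: Dict[str, Set[str]] = {
    "PRIMARY": {"admin"},
    "SECONDARY": {"username1"},
}

@dataclass
class ResolvedUser:
    username: str
    user_store_domain: str   # what would be persisted in the token table
    federated: bool

def split_domain(subject: str) -> Tuple[str, str]:
    """'Secondary/username1' -> ('SECONDARY', 'username1'); no prefix -> PRIMARY."""
    if "/" in subject:
        domain, name = subject.split("/", 1)
        return domain.upper(), name
    return PRIMARY_DOMAIN, subject

def resolve_subject(assertion_xml: str,
                    local_entity_id: str = LOCAL_IDP_ENTITY_ID) -> ResolvedUser:
    """Decide how to treat the subject once signature/audience/validity checks
    (assumed done earlier in the grant handler) have passed."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not issuer or not name_id:
        raise ValueError("assertion lacks Issuer or Subject/NameID")
    if issuer != local_entity_id:
        # Issued by a federated IDP (e.g. Google): trust the assertion and
        # skip the local lookup, so federated users keep working.
        return ResolvedUser(name_id, "FEDERATED", True)
    # Issued by this IS: the subject must exist in the named user store, and
    # the domain taken from the subject is the one that gets persisted.
    domain, username = split_domain(name_id)
    if username not in USER_STORES.get(domain, set()):
        raise PermissionError(f"{name_id!r} not found in user store {domain}")
    return ResolvedUser(username, domain, False)

def make_assertion(issuer: str, subject: str) -> str:
    """Build a minimal, unsigned, constructed assertion for the demo."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        "</saml:Assertion>"
    )
```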


Re: [Dev] Validate user against given user store and save correct user domain in saml2-bearer grant type.

2016-12-14 Thread Rajith Vitharana
On 15 December 2016 at 00:59, Farasath Ahamed  wrote:

> On Wed, Dec 14, 2016 at 8:59 PM, Rajith Vitharana 
> wrote:
>
>> Hi IS team,
>>
>> In [1] when getting the user, it doesn't validate whether the user is in
>> a user store or not. (This happens in the saml2-bearer grant type and IS trusts
>> the saml assertion. It's totally valid not to do this.)
>>
>> But can we give the user the freedom to choose whether to validate the
>> user in the saml assertion against a given user store or not?
>>
>
>
> If we let the user choose whether to validate the user against a user store or
> not, the assertions coming from a trusted IDP for federated users will fail
> if he chooses to validate the user in the userstore?
>
Yes, we can make this configurable and use the current behavior as default. If
the user needs this behavior, he will need to provide the details of the
userstore which the user needs to be validated against.

> What I mean is, when the user enables that option, he would only be able to
> use assertions issued by IS or a federated IDP that shares a userstore with
> IS.
>
> Instead wouldn't it be better if we only check the user in the user store
> if the assertion was issued by us (by us I mean IS that is validating the
> SAML assertion). We can check this using the SAML IdpEntityId. For those
> assertions not issued by us, we could treat them as coming from a federated
> IDP for a federated user.
>
>> In that case it will actually have a valid user and correct user domain
>> in the token table, and he can generate jwt tokens with the required
>> claims for that user. Is this a valid scenario? If so, can we support this?
>>
>> Note that since we are taking the user domain from the username (subject)
>> in [1], we can send the username (saml assertion subject) with the correct
>> domain (e.g. Secondary/username1), in which case it will save the correct
>> domain in the token table. Hence the jwt flow works fine. But I feel like
>> it's kind of a hack for this.
>>
>> I have created a public jira for this in [2]
>>
>> [1] - https://github.com/wso2/carbon-identity/blob/master/co
>> mponents/oauth/org.wso2.carbon.identity.oauth/src/main/java/
>> org/wso2/carbon/identity/oauth2/util/OAuth2Util.java#L637
>>
>> [2] - https://wso2.org/jira/browse/IDENTITY-5483
>>
>>
>> Thanks
>>
>>
>>
>




[Dev] Change profile to runtime in product creation pom

2016-12-14 Thread Niranjan Karunanandham
Hi all,

In C5, the server can have multiple runtimes, and each one will have a
separate directory containing runtime-specific files. But at the time of
product creation, in the pom, we are using the tag <profile> to denote the
*runtime*. This tag ("<*profile*>") is required by the *tycho plugin*.
Shall we change this to <runtime> and handle the conversion to profile in
the *carbon-feature-plugin*, so that outside, this is only known as runtime?

WDYT?

Regards,
Nira

-- 


*Niranjan Karunanandham*
Associate Technical Lead - WSO2 Inc.
WSO2 Inc.: http://www.wso2.com


[Dev] Document in code where the config is

2016-12-14 Thread Samisa Abeysinghe
Hi All
One of the problems I have is, when we try to debug an issue for a given
exception, it is so hard to map where the config came from.

For example, say I get the error below. I look at the code. If I am a user
and want to figure out where the UN/PW came from so that I could double
check, how easy is it to locate the relevant config in the conf files?


TID: [-1] [] [2016-12-13 15:31:25,880] ERROR
{org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker}
-  Error while trying to login to data receiver :/10.83.80.32:9711
{org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker}
org.wso2.carbon.databridge.agent.exception.DataEndpointAuthenticationException:
Error while trying to login to data receiver :/10.83.80.32:9711
at 
org.wso2.carbon.databridge.agent.endpoint.binary.BinaryDataEndpoint.login(BinaryDataEndpoint.java:47)
at 
org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:94)
at 
org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.run(DataEndpointConnectionWorker.java:43)
at 
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at 
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.wso2.carbon.databridge.commons.exception.AuthenticationException:
wrong userName or password
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at 
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at 
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at 
org.wso2.carbon.databridge.agent.endpoint.binary.BinaryEventSender.processResponse(BinaryEventSender.java:164)
at 
org.wso2.carbon.databridge.agent.endpoint.binary.BinaryDataEndpoint.login(BinaryDataEndpoint.java:42)
... 7 more

Thanks,
Samisa...


Samisa Abeysinghe

Vice President Delivery

WSO2 Inc.
http://wso2.com


[Dev] WSO2 IS : Change admin username/password through environment variables

2016-12-14 Thread Hanen Ben Rhouma
Hello,

We're trying to launch WSO2 IS from a docker image by passing admin
username and password as environment variables:


JAVA_OPTS="-DWSO2_ADMIN_USERNAME=customuser -DWSO2_ADMIN_PASSWORD=custompwd"
./bin/wso2server.sh


while WSO2_ADMIN_USERNAME and WSO2_ADMIN_PASSWORD are referenced within
user-mgt.xml as follows:

    ${WSO2_ADMIN_USERNAME}
    ${WSO2_ADMIN_PASSWORD}


We noticed that it's working locally, but when we deploy in a CentOS VM
containing docker, the variables aren't replaced by their values.


Any ideas why it's not picking up the arguments values?



Regards,

Hanen


[Dev] Improvements for the assertion based grant types {was: Re: Validate user against given user store and save correct user domain in saml2-bearer grant type.}

2016-12-14 Thread Prabath Siriwardena
+1 for the following suggestion. Also, role based scopes are not working for
assertion based grant types; can we add support for that too?

Thanks & regards,
-Prabath

On Wed, Dec 14, 2016 at 7:29 AM, Rajith Vitharana  wrote:

> Hi IS team,
>
> In [1] when getting the user, it doesn't validate whether the user is in
> a user store or not. (This happens in the saml2-bearer grant type and IS trusts
> the saml assertion. It's totally valid not to do this.)
>
> But can we give the user the freedom to choose whether to validate the
> user in the saml assertion against a given user store or not? In that case it
> will actually have a valid user and correct user domain in the token table,
> and he can generate jwt tokens with the required claims for that
> user. Is this a valid scenario? If so, can we support this?
>
> Note that since we are taking the user domain from the username (subject)
> in [1], we can send the username (saml assertion subject) with the correct
> domain (e.g. Secondary/username1), in which case it will save the correct
> domain in the token table. Hence the jwt flow works fine. But I feel like
> it's kind of a hack for this.
>
> I have created a public jira for this in [2]
>
> [1] - https://github.com/wso2/carbon-identity/blob/master/
> components/oauth/org.wso2.carbon.identity.oauth/src/
> main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java#L637
>
> [2] - https://wso2.org/jira/browse/IDENTITY-5483
>
>
> Thanks
>
>



-- 
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +1 650 625 7950

http://facilelogin.com


[Dev] Validate user against given user store and save correct user domain in saml2-bearer grant type.

2016-12-14 Thread Rajith Vitharana
Hi IS team,

In [1] when getting the user, it doesn't validate whether the user is in a
user store or not. (This happens in the saml2-bearer grant type and IS trusts
the saml assertion. It's totally valid not to do this.)

But can we give the user the freedom to choose whether to validate the user
in the saml assertion against a given user store or not? In that case it will
actually have a valid user and correct user domain in the token table, and
he can generate jwt tokens with the required claims for that user.
Is this a valid scenario? If so, can we support this?

Note that since we are taking the user domain from the username (subject) in
[1], we can send the username (saml assertion subject) with the correct
domain (e.g. Secondary/username1), in which case it will save the correct
domain in the token table. Hence the jwt flow works fine. But I feel like
it's kind of a hack for this.

I have created a public jira for this in [2]

[1] -
https://github.com/wso2/carbon-identity/blob/master/components/oauth/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java#L637

[2] - https://wso2.org/jira/browse/IDENTITY-5483


Thanks



[Dev] Could not locate library smooks-libs/antlr-2.7.7.jar in bundle org.wso2.developerstudio.eclipse.esb.libraries, when adding library

2016-12-14 Thread Schürpf , Thomas
We are using the WSO2 ESB Tooling 5.0 and installed it as described at 
https://docs.wso2.com/display/ESB500/Installing+WSO2+ESB+Tooling .



I am using the description from this link: 
https://docs.wso2.com/display/ESB500/Working+with+ESB+Artifacts .


Following the instructions in section "Creating a Smooks configuration 
artifact" I get the following error when trying to add the libraries from the 
Smooks framework to my registry resources project:


"Could not locate library smooks-libs/antlr-2.7.7.jar in bundle 
org.wso2.developerstudio.eclipse.esb.libraries."


I checked each runtime library individually, but each of them resulted in the 
same error.

It is also strange that the entry "WSO2 Classpath Libraries" appears twice in
the list of the "Add Library" dialogue.


Any information on how to proceed is appreciated.


Regards,

Thomas




Re: [Dev] WSO2 IS : Create a Tenant

2016-12-14 Thread Hanen Ben Rhouma
Thanks Ishara for the answer. As I can see in multitenancy-packages.xml the
demo plan offers a limit of one user; what does that mean, are we allowed
to deploy multi-users per tenant on AWS for example even if we have a Demo
plan?

Regards,


*Hanen Ben Rhouma*
*Java Tech Lead*

On Wed, Dec 14, 2016 at 12:56 AM, Ishara Cooray  wrote:

> Hi Hanen,
>
> "Select Usage Plan For Tenant" functionality comes from Stratos. It let
> the admin to choose a subscription packages for the creating tenant. One
> can define subscription packages in "/repository/conf
> /multitenancy/multitenancy-packages.xml" file. However this configuration
> is no longer loaded and the "Demo" package that is shown in the dropdown is
> a hard-coded value. This feature is not used as in standalone products but
> was used with the cloud deployments because this functionality was moved to
> stratos manager.
>
> Thanks & Regards,
> Ishara Cooray
> Senior Software Engineer
> Mobile : +9477 262 9512 <+94%2077%20262%209512>
> WSO2, Inc. | http://wso2.com/
> Lean . Enterprise . Middleware
>
> On Tue, Dec 13, 2016 at 8:07 PM, Hanen Ben Rhouma 
> wrote:
>
>> Hello guys,
>>
>> When trying to create a tenant, there is only one option for usage plan
>> which is "Demo", how can we customize it and what are the other options?
>>
>>
>> Regards,
>> Hanen
>>
>>
>>
>


Re: [Dev] Please merge the PR

2016-12-14 Thread Supun Sethunga
Thanks Thusitha and Maheshika!

On Wed, Dec 14, 2016 at 1:15 PM, Maheshika Goonetilleke 
wrote:

> Hi Thusitha
>
> Deployed successfully.
>
>
> On Wed, Dec 14, 2016 at 12:21 PM, Thusitha Thilina Dayaratne <
> thusit...@wso2.com> wrote:
>
>> PR Merged.
>>
>> @Maheshika, could you please release the bundle?
>>
>> Thanks
>> Thusitha
>>
>> On Sat, Dec 10, 2016 at 7:56 PM, Supun Sethunga  wrote:
>>
>>> Hi Thusitha
>>>
>>> Made the changes. Can you please review and merge?
>>>
>>> Thanks,
>>> SupunS
>>>
>>> On Sat, Dec 10, 2016 at 7:46 PM, Thusitha Thilina Dayaratne <
>>> thusit...@wso2.com> wrote:
>>>
>>>> Hi Supun,
>>>>
>>>> I've put some comments on the PR. Could you please check on them?
>>>>
>>>> Thanks
>>>> Thusitha
>>>>
>>>> On Sat, Dec 10, 2016 at 7:28 PM, Supun Sethunga 
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Can you please review and merge the PR [1].
>>>>>
>>>>> [1] https://github.com/wso2/orbit/pull/253
>>>>>
>>>>> Regards,
>>>>> SupunS
>>>>>


>>>> --
>>>> Thusitha Dayaratne
>>>> Software Engineer
>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>
>>>> Mobile  +94712756809
>>>> Blog  alokayasoya.blogspot.com
>>>> About  http://about.me/thusithathilina
>>>>
>>>>

>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
> --
>
> Thanks & Best Regards,
>
> Maheshika Goonetilleke
> Senior Engineering Process Coordinator
>
> *WSO2 Inc*
> email   : mahesh...@wso2.com
> mobile : +94 773 596707
> www     : http://wso2.com | lean . enterprise . middleware
>
>
>
>
>


-- 
*Supun Sethunga*
Senior Software Engineer
WSO2, Inc.
http://wso2.com/
lean | enterprise | middleware
Mobile : +94 716546324
Blog: http://supunsetunga.blogspot.com