WSO2 Message Broker - Authorization - wso2

I am trying to implement an authorization mechanism on WSO2 Message Broker, but I am pretty new to WSO2 products. My goal is to implement MQTT Topic Authorization in the same manner it is implemented for JMS topics. Actually I am looking at the code in the "andes" repository and the "carbon-business-messaging" repository, and I would be very grateful if you could suggest where to start (that's a lot of code to look at).
What I want to do is to allow a particular user to publish/subscribe to topics using the User Role permissions, so that even if someone connects to the Broker, he/she can't subscribe or publish without permission.

You can see how the Authentication is happening in MQTT from here.
You can look at the following method in the ProtocolProcessor.java class. This is located in andes core.
processSubscribe(ServerChannel session, SubscribeMessage msg, String clientID, boolean cleanSession)
Also, to get an idea about how authorization is done in JMS messaging, you can refer to the AndesAuthorizationHandler.java class from here. This is located in the carbon-business-messaging repository.
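As an added illustration (not code from andes or carbon-business-messaging), this sketch shows the deny-by-default, role-based check such a hook would have to make before accepting a publish or a subscribe. The class, its grant model and the topic names are assumptions; the only MQTT-specific logic is the filter containment needed because a SUBSCRIBE carries a filter with + and # wildcards, not a literal topic.

```java
import java.util.*;

// Hypothetical role-based MQTT topic authorizer (added example, not Andes code).
// A user may perform an action if any of its roles holds a grant whose topic
// filter covers the requested topic or filter. Anything else is denied.
public final class MqttTopicAuthorizer {
    public enum Action { PUBLISH, SUBSCRIBE }

    // role -> list of (granted topic filter, allowed actions)
    private final Map<String, List<Map.Entry<String, EnumSet<Action>>>> grants = new HashMap<>();

    public void grant(String role, String topicFilter, Action... actions) {
        grants.computeIfAbsent(role, r -> new ArrayList<>())
              .add(Map.entry(topicFilter, EnumSet.copyOf(Arrays.asList(actions))));
    }

    /** True only if some role of the user grants the action on the requested topic/filter. */
    public boolean isAllowed(Set<String> userRoles, String requested, Action action) {
        for (String role : userRoles) {
            for (Map.Entry<String, EnumSet<Action>> g : grants.getOrDefault(role, List.of())) {
                if (g.getValue().contains(action) && covers(g.getKey(), requested)) {
                    return true;
                }
            }
        }
        return false; // deny by default: a connected but unauthorized client gets nothing
    }

    /** Does the granted filter cover the requested topic or filter? '+' covers one level,
     *  '#' (only as last level) covers the rest. A requested '#' is broader than a '+'
     *  or literal grant at that level, so it is refused unless the grant is also '#'. */
    static boolean covers(String grant, String requested) {
        String[] g = grant.split("/", -1), r = requested.split("/", -1);
        for (int i = 0; i < g.length; i++) {
            if (g[i].equals("#")) return i == g.length - 1;
            if (i >= r.length || r[i].equals("#")) return false;
            if (!g[i].equals("+") && !g[i].equals(r[i])) return false;
        }
        return g.length == r.length;
    }

    public static void main(String[] args) {
        MqttTopicAuthorizer authz = new MqttTopicAuthorizer();
        authz.grant("sensor", "sensors/+/temperature", Action.PUBLISH);     // constructed sample grants
        authz.grant("dashboard", "sensors/#", Action.SUBSCRIBE);
        System.out.println(authz.isAllowed(Set.of("sensor"), "sensors/room1/temperature", Action.PUBLISH));
        System.out.println(authz.isAllowed(Set.of("sensor"), "sensors/room1/temperature", Action.SUBSCRIBE));
        System.out.println(authz.isAllowed(Set.of("dashboard"), "sensors/+/temperature", Action.SUBSCRIBE));
        System.out.println(authz.isAllowed(Set.of("dashboard"), "#", Action.SUBSCRIBE));
        System.out.println(authz.isAllowed(Set.of("guest"), "sensors/room1/temperature", Action.SUBSCRIBE));
    }
}
```

In a real hook the roles would come from the authenticated principal attached to the session and the grants from the configured user-role permissions, not from hard-coded calls.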

Related

DialogFlow, modify user request

For my Dialogflow project I would like to intercept the user request before Dialogflow responds with the appropriate intent.
My goal:
-The user sends a request with an input message
-I access this message, I transform it (I apply a function to it) and then it is delivered to the dialogflow (so dialog.
I'm using a webhook linked to a specific intent. I'm using Cloud Functions to handle the webhook.
I would like to access the request using this webhook, modify the original request and allow Dialogflow to respond according to this new modified request.
I hope I've made myself clear.
Thank you very much in advance!
I think it is not possible using a webhook; I suggest you take a look at the Dialogflow fulfillment documentation. As you can see in the architecture representation, your webhook sits behind the matched intent, so the user request has already been processed by Dialogflow, and the fulfillment will perform actions based on the matched intent. You will only be able to modify the task on the service that you defined within the fulfillment and its response.
You might be able to do this depending on your use case: if you're using a custom development that makes calls to the Dialogflow API, you can add an additional step between the end user and Dialogflow where you intercept the user request, modify it and then send it to the Dialogflow API.
If you're using any integrations such as Actions on Google or Dialogflow Hangouts, this will not be possible, since these services are the ones that manage the calls to the Dialogflow API.

"intercept" login & registration events in WSO2 Identity Server

Is there a way to "intercept" login or registration events in WSO2 Identity Server?
I know that the wso2is architecture is quite complex, and also that there are some extension points, but I didn't find any information regarding how to intercept those events.
I'd like to replicate something available in Gigya that allows configuring an API endpoint to call when one of those events happens (passing some information regarding the user).
Thanks
You can write a user store listener to get this done. More details are available in the WSO2 official documentation.
https://docs.wso2.com/display/IS530/User+Store+Listeners

WSO2 IoT server connected cup sample agent failing to connect to MQTT broker

I have imported the WSO2 IoT server Connected Cup sample device agent into the Eclipse IDE, and when it tries to connect to the MQTT broker an MQTTSecurityException is thrown which states that the user name or password is not valid. I see that the user name is created from the token attribute in the request, but I don't know how to supply a right one, i.e. one that would be accepted by the OAuth2 service. There isn't any hint in the documentation on this topic, so I would appreciate any advice.
Also, I would like to take a deeper look into the VirtualFireAlarm sample code, so could you please tell me where to find the code?
The MQTT broker in WSO2 IoT Server has pluggable authentication and authorization; by default it comes with OAuth-based authentication, where it uses an empty password and an OAuth token as the username. You can generate a token by following the docs in https://docs.wso2.com/display/AM200/Password+Grant.
Implementation of this extension is explained in https://medium.com/#ayyoobhamza/authentication-and-authorization-extension-for-mqtt-wso2-message-broker-2495fb2fa56e and https://medium.com/#ayyoobhamza/oauth-authentication-and-authorization-with-mqtt-for-iot-devices-a42019187a05
Implementation of the virtual firealarm can be found in https://github.com/wso2/carbon-device-mgt-plugins/tree/master/components/device-types/virtual-fire-alarm-plugin

wso2 identity server - sending email when user changed password

I am using the WSO2 IS 5.3.0 server and I am wondering if it is possible to send an email when a user changes his password or any other attribute (e.g. email). Is this feature already built into WSO2 IS (I couldn't find anything in the WSDL services), or is it possible to extend something?
Any comments about this issue would be appreciated.
Please do the following steps to achieve this task.
-Write a custom user operation event listener extending AbstractUserOperationEventListener.java
-Implement the doPostUpdateCredential method.
-Trigger the notification event handler to send a notification to the user.

Do we absolutely need a STS for SAML?

I am trying to implement SAML enabled SOAP services for the first time and I have some conceptual questions regarding the role of a Secure Token Service (STS) in a SAML implementation.
User ---> Web Application ---SOAP/SAML--> Messaging Application
Basically the scenario is that the user logs into the web application using his user name and password; the web application in turn authenticates and authorizes the user with an external service. On successful authentication/authorization, the web application creates a Sender Vouches SAML assertion with the user as subject, signs the assertion with its private key, packages the assertion in a SOAP envelope using WS-Security and makes a SOAP call to the messaging application. Once the messaging application receives the request, it verifies the signature with the public key of the web application, pulls the authentication and attribute statements out of the SAML assertion and, based on them, enforces the auth policy on the endpoint.
As you can see, in the above scenario there was no external STS involved; however, most literature I have read on SAML suggests that an STS is absolutely required. The question I have is whether I am doing anything wrong with the above scenario, since I cannot see any reason why I would absolutely need an STS. Sure, it would be nice to have an STS, but at least in my opinion the absence of it does not stop me from implementing SAML for my use case.
No, you don't need an STS for SAML tokens in web services. The STS exchanges one token (where 'token' includes things like username+password) for another, so it's useful in that your web service consumer can send some input token (typically username+password or a signature+X.509 cert for simple use cases) to the STS and get back a SAML assertion all ready to go.
Now, if you have the capability to create SAML tokens that will be accepted by your web service provider, have at it! No STS necessary - the actual SOAP message on the wire is identical whether or not an STS was involved in its creation.
I wrote a couple of blog entries a few years ago that detail some of this:
Access Manager 7.1 Beta in Java EE Tools/NetBeans 5.5 Enterprise Pack
Anatomy of a SAML-Secured SOAP Message
Sun Access Manager 7.1 has been superseded by OpenAM, but the principles remain the same. In particular, the second entry is independent of any actual product.
You can leverage any of the open source SAML toolkits. If your application is written in Java and you are running on either JBoss or WebLogic, SAML support is built in.