Skip to content

Populate realmconfig on configs response based on user permissions #983

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
AnuradhaSK wants to merge 4 commits into from
Closed

Populate realmconfig on configs response based on user permissions #983

AnuradhaSK wants to merge 4 commits into from

Conversation

@AnuradhaSK
Copy link
Contributor

@AnuradhaSK AnuradhaSK commented Sep 2, 2025

Purpose

This pull request introduces a more secure and robust way to retrieve realm configuration details in the ServerConfigManagementService by adding user authorization checks. Now, only authorized users can view admin user and role information, and sensitive data exposure is minimized. The implementation also introduces helper methods for user authentication and authorization, and updates a dependency version.

Security and Authorization Enhancements

  • Refactored the retrieval of RealmConfig in ServerConfigManagementService to use a new getRealmConfig() method, which checks if the authenticated user is authorized to view admin user name and roles before including them in the response. This prevents unauthorized access to sensitive realm configuration details. [1] [2]
  • Added helper methods: getAuthenticatedUser() to fetch the user from thread-local properties, and checkUserAuthorization() to verify if the user has the required permissions based on the organization context.

Dependency Updates

  • Updated the identity.inbound.oauth2.version in pom.xml from 7.0.302 to 7.0.351 to incorporate the latest fixes and improvements.

Code Maintenance

  • Added necessary imports for new classes and utilities used in the authorization logic, such as AuthenticatedUser, IdentityUtil, IdentityOAuth2Exception, and AuthzUtil. [1] [2]
  • Introduced a constant AUTHENTICATED_USER for use in thread-local property lookups.

Depends on

sadilchamishka
sadilchamishka reviewed Sep 3, 2025
View reviewed changes
.../java/org/wso2/carbon/identity/api/server/configs/v1/core/ServerConfigManagementService.java
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.checkerframework.checker.units.qual.A;
Copy link
Contributor

@sadilchamishka sadilchamishka Sep 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be unnecessary import

@AnuradhaSK AnuradhaSK closed this Nov 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sadilchamishka sadilchamishka sadilchamishka left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AnuradhaSK @sadilchamishka