All WSO2 servers support user management features by default, where users and their details are stored in userstores (e.g. LDAP, Active Directory, a database). These userstores expose operations for managing users, user claims [1, 2], user roles and user credentials.
When considering an operation exposed by a userstore, there are use cases where certain tasks have to be done before executing the operation or after executing it. An example is the authenticate operation. Before doing the authentication (pre-authenticate), we may need to check whether the user account is locked before proceeding further. Then we do the actual authenticate operation. After the authenticate operation, we may need to record the timestamp of the last successful login attempt [3]. For that we can use the post-authenticate operation and store the login timestamp for the user. Similarly, there are various use cases where we have to do something before and after a particular operation exposed by the userstores.
In WSO2 servers, the User Store Manager Java classes expose the user management operations. The before (pre) and after (post) hooks for these user management operations are available in the User Operation Event Listener class.
The top level abstract class for userstore management is the AbstractUserStoreManager [4] class, which exposes the user management operations. The other userstore managers (LDAP, JDBC) extend this class and override the required methods.
The top level abstract class for user operation event listening (pre and post operations) is the AbstractUserOperationEventListener [5] class. We can extend this class and write our own user operation event listener to satisfy our use cases.
The diagram below shows the interaction where an operation is called in the userstore manager at the top level and in sequence, it would trigger the Pre operation in the listener, then call the actual operation in the particular userstore manager and finally trigger the Post operation.
An example of the above flow is calling the authenticate operation in AbstractUserStoreManager. It triggers the doPreAuthenticate event in AbstractUserOperationEventListener (or in any other event listener that extends this class), then calls the doAuthenticate operation in the particular userstore manager (e.g. the JDBCUserStoreManager for databases), and finally triggers the doPostAuthenticate event in AbstractUserOperationEventListener (or in any other event listener that extends this class). (See the official documentation in [6].)
You should now understand the connection between the userstore managers and the user operation event listeners.
The following table lists the supported pre and post operations of AbstractUserOperationEventListener that you can override for your requirements.
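To make the authenticate flow above concrete, here is an added example listener (not code from the original post or from WSO2) that refuses authentication in doPreAuthenticate when the account is locked and records the last login time in doPostAuthenticate. The listener class name, the package, the execution order value and the two claim URIs are assumptions for this example; the server must also register the class as a UserOperationEventListener OSGi service for it to be invoked.

```java
package com.example.listener; // hypothetical package for this example

import java.time.Instant;

import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.UserStoreManager;
import org.wso2.carbon.user.core.common.AbstractUserOperationEventListener;

/**
 * Pre-authenticate: block locked accounts before the credential is checked.
 * Post-authenticate: store the timestamp of the last successful login.
 */
public class LoginTrackingListener extends AbstractUserOperationEventListener {

    // Claim URIs assumed for this example; use the claims configured in your server.
    static final String ACCOUNT_LOCKED_CLAIM = "http://wso2.org/claims/identity/accountLocked";
    static final String LAST_LOGIN_CLAIM = "http://wso2.org/claims/identity/lastLoginTime";
    static final String DEFAULT_PROFILE = "default";

    @Override
    public int getExecutionOrderId() {
        // Listeners run in ascending order; 1500 is an assumed value chosen so
        // the built-in listeners run first.
        return 1500;
    }

    @Override
    public boolean doPreAuthenticate(String userName, Object credential,
                                     UserStoreManager userStoreManager) throws UserStoreException {
        String locked = userStoreManager.getUserClaimValue(userName, ACCOUNT_LOCKED_CLAIM, DEFAULT_PROFILE);
        if (Boolean.parseBoolean(locked)) {
            // Returning false stops the listener chain and the userstore manager
            // treats the authenticate call as failed; doAuthenticate is never reached.
            return false;
        }
        return true;
    }

    @Override
    public boolean doPostAuthenticate(String userName, boolean authenticated,
                                      UserStoreManager userStoreManager) throws UserStoreException {
        if (authenticated) {
            // Only a successful login updates the timestamp (epoch milliseconds as a string).
            userStoreManager.setUserClaimValue(userName, LAST_LOGIN_CLAIM,
                    String.valueOf(Instant.now().toEpochMilli()), DEFAULT_PROFILE);
        }
        return true;
    }
}
```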
Operation | Description
doPreAuthenticate | Triggered before authenticating a user
doPostAuthenticate | Triggered after authenticating a user
doPreAddUser | Triggered before adding a new user
doPostAddUser | Triggered after adding a new user
doPreUpdateCredential | Triggered before updating the credentials of a user account when the account owner tries to reset credentials
doPostUpdateCredential | Triggered after updating the credentials of a user account when the account owner tries to reset credentials
doPreUpdateCredentialByAdmin | Triggered before updating the credentials of a user account when the admin tries to reset credentials
doPostUpdateCredentialByAdmin | Triggered after updating the credentials of a user account when the admin tries to reset credentials
doPreDeleteUser | Triggered before deleting a user account
doPostDeleteUser | Triggered after deleting a user account
doPreSetUserClaimValue | Triggered before setting a single user claim value
doPostSetUserClaimValue | Triggered after setting a single user claim value
doPreSetUserClaimValues | Triggered before setting multiple user claim values together
doPostSetUserClaimValues | Triggered after setting multiple user claim values together
doPreDeleteUserClaimValues | Triggered before deleting multiple user claim values together
doPostDeleteUserClaimValues | Triggered after deleting multiple user claim values together
doPreDeleteUserClaimValue | Triggered before deleting a single user claim value
doPostDeleteUserClaimValue | Triggered after deleting a single user claim value
doPreAddRole | Triggered before adding a user role
doPostAddRole | Triggered after adding a user role
doPreDeleteRole | Triggered before deleting a user role
doPostDeleteRole | Triggered after deleting a user role
doPreUpdateRoleName | Triggered before renaming a user role
doPostUpdateRoleName | Triggered after renaming a user role
doPreUpdateUserListOfRole | Triggered before modifying the list of users assigned to a particular role
doPostUpdateUserListOfRole | Triggered after modifying the list of users assigned to a particular role
doPreUpdateRoleListOfUser | Triggered before modifying the list of roles assigned to a particular user
doPostUpdateRoleListOfUser | Triggered after modifying the list of roles assigned to a particular user
doPreGetUserClaimValue | Triggered before retrieving a single user claim value
doPostGetUserClaimValue | Triggered after retrieving a single user claim value
doPreGetUserClaimValues | Triggered before retrieving multiple user claim values together
doPostGetUserClaimValues | Triggered after retrieving multiple user claim values together
Now that you know how userstore operation event listeners are used, you can try writing your own event listener for your use cases. In my next blog post, I will show you how to implement your own user operation event listener for a real world scenario.
References
[6] https://docs.wso2.com/display/IS510/User+Store+Listeners
Tharindu Edirisinghe
Platform Security Team
WSO2