Merge branch 'master' of https://github.com/wso2/carbon-device-mgt into scope-impl

components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/impl/CertificateManagementAdminServiceImpl.java

@@ -3,7 +3,6 @@ package org.wso2.carbon.certificate.mgt.cert.jaxrs.api.impl;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.CertificateManagementAdminService;
-import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.UnexpectedServerErrorException;
 import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.beans.CertificateList;
 import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.beans.EnrollmentCertificate;
 import org.wso2.carbon.certificate.mgt.cert.jaxrs.api.beans.ErrorResponse;
@@ -53,8 +52,8 @@ public class CertificateManagementAdminServiceImpl implements CertificateManagem
         } catch (KeystoreException e) {
             String msg = "Error occurred while converting PEM file to X509Certificate.";
             log.error(msg, e);
-            throw new UnexpectedServerErrorException(
+            return Response.serverError().entity(
-                    new ErrorResponse.ErrorResponseBuilder().setCode(500l).setMessage(msg).build());
+                    new ErrorResponse.ErrorResponseBuilder().setCode(500l).setMessage(msg).build()).build();
         }
     }
 
@@ -79,8 +78,8 @@ public class CertificateManagementAdminServiceImpl implements CertificateManagem
         } catch (CertificateManagementException e) {
             String msg = "Error occurred while converting PEM file to X509Certificate";
             log.error(msg, e);
-            throw new UnexpectedServerErrorException(
+            return Response.serverError().entity(
-                    new ErrorResponse.ErrorResponseBuilder().setCode(500l).setMessage(msg).build());
+                    new ErrorResponse.ErrorResponseBuilder().setCode(500l).setMessage(msg).build()).build();
         }
     }
 
@@ -109,8 +108,8 @@ public class CertificateManagementAdminServiceImpl implements CertificateManagem
         } catch (CertificateManagementException e) {
             String msg = "Error occurred while fetching all certificates.";
             log.error(msg, e);
-            throw new UnexpectedServerErrorException(
+            return Response.serverError().entity(
-                    new ErrorResponse.ErrorResponseBuilder().setCode(500l).setMessage(msg).build());
+                    new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build()).build();
         }
     }
 
@@ -131,8 +130,9 @@ public class CertificateManagementAdminServiceImpl implements CertificateManagem
         } catch (CertificateManagementException e) {
             String msg = "Error occurred while converting PEM file to X509Certificate";
             log.error(msg, e);
-            throw new UnexpectedServerErrorException(
+            return Response.serverError().entity(
-                    new ErrorResponse.ErrorResponseBuilder().setCode(500l).setMessage(msg).build());
+                    new ErrorResponse.ErrorResponseBuilder().setMessage(msg).build()).build();
         }
     }
+
 }

components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/dao/CertificateManagementDAOFactory.java

@@ -38,7 +38,12 @@ public class CertificateManagementDAOFactory {
     private static DataSource dataSource;
     private static String databaseEngine;
     private static final Log log = LogFactory.getLog(CertificateManagementDAOFactory.class);
-    private static ThreadLocal<Connection> currentConnection = new ThreadLocal<Connection>();
+    private static ThreadLocal<Connection> currentConnection = new ThreadLocal<>();
+    private static ThreadLocal<TxState> currentTxState = new ThreadLocal<>();
+
+    private enum TxState {
+        CONNECTION_NOT_BORROWED, CONNECTION_BORROWED, CONNECTION_CLOSED
+    }
 
 
     public static CertificateDAO getCertificateDAO() {
@@ -50,7 +55,7 @@ public class CertificateManagementDAOFactory {
         try {
             databaseEngine = dataSource.getConnection().getMetaData().getDatabaseProductName();
         } catch (SQLException e) {
-            log.error(  "Error occurred while retrieving config.datasource connection", e);
+            log.error("Error occurred while retrieving config.datasource connection", e);
         }
     }
 
@@ -85,9 +90,11 @@ public class CertificateManagementDAOFactory {
                 log.warn("Error occurred while closing the borrowed connection. " +
                         "Transaction has ended pre-maturely", e1);
             }
+            currentTxState.set(TxState.CONNECTION_CLOSED);
             throw new TransactionManagementException("Error occurred while setting auto-commit to false", e);
         }
         currentConnection.set(conn);
+        currentTxState.set(TxState.CONNECTION_BORROWED);
     }
 
     public static void openConnection() throws SQLException {
@@ -97,8 +104,14 @@ public class CertificateManagementDAOFactory {
                     "this particular thread. Therefore, calling 'beginTransaction/openConnection' while another " +
                     "transaction is already active is a sign of improper transaction handling");
         }
+        try {
             conn = dataSource.getConnection();
+        } catch (SQLException e) {
+            currentTxState.set(TxState.CONNECTION_NOT_BORROWED);
+            throw e;
+        }
         currentConnection.set(conn);
+        currentTxState.set(TxState.CONNECTION_BORROWED);
     }
 
     public static Connection getConnection() throws SQLException {
@@ -144,6 +157,17 @@ public class CertificateManagementDAOFactory {
     }
 
     public static void closeConnection() {
+        TxState txState = currentTxState.get();
+        if (TxState.CONNECTION_NOT_BORROWED == txState) {
+            if (log.isDebugEnabled()) {
+                log.debug("No successful connection appears to have been borrowed to perform the underlying " +
+                        "transaction even though the 'openConnection' method has been called. Therefore, " +
+                        "'closeConnection' method is returning silently");
+            }
+            currentTxState.remove();
+            return;
+        }
+
         Connection conn = currentConnection.get();
         if (conn == null) {
             throw new IllegalTransactionStateException("No connection is associated with the current transaction. " +
@@ -156,6 +180,7 @@ public class CertificateManagementDAOFactory {
             log.warn("Error occurred while close the connection", e);
         }
         currentConnection.remove();
+        currentTxState.remove();
     }
 
 

components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/dao/impl/GenericCertificateDAOImpl.java

@@ -45,6 +45,7 @@ import java.util.ArrayList;
 import java.util.List;
 
 public class GenericCertificateDAOImpl implements CertificateDAO {
+
     private static final Log log = LogFactory.getLog(GenericCertificateDAOImpl.class);
 
     @Override
@@ -103,7 +104,7 @@ public class GenericCertificateDAOImpl implements CertificateDAO {
 
             if (resultSet.next()) {
                 certificateResponse = new CertificateResponse();
-                byte [] certificateBytes = resultSet.getBytes("CERTIFICATE");
+                byte[] certificateBytes = resultSet.getBytes("CERTIFICATE");
                 certificateResponse.setCertificate(certificateBytes);
                 certificateResponse.setSerialNumber(resultSet.getString("SERIAL_NUMBER"));
                 certificateResponse.setTenantId(resultSet.getInt("TENANT_ID"));
@@ -142,7 +143,7 @@ public class GenericCertificateDAOImpl implements CertificateDAO {
 
             while (resultSet.next()) {
                 certificateResponse = new CertificateResponse();
-                byte [] certificateBytes = resultSet.getBytes("CERTIFICATE");
+                byte[] certificateBytes = resultSet.getBytes("CERTIFICATE");
                 certificateResponse.setSerialNumber(resultSet.getString("SERIAL_NUMBER"));
                 certificateResponse.setTenantId(resultSet.getInt("TENANT_ID"));
                 certificateResponse.setUsername(resultSet.getString("USERNAME"));
@@ -181,7 +182,7 @@ public class GenericCertificateDAOImpl implements CertificateDAO {
             int resultCount = 0;
             while (resultSet.next()) {
                 certificateResponse = new CertificateResponse();
-                byte [] certificateBytes = resultSet.getBytes("CERTIFICATE");
+                byte[] certificateBytes = resultSet.getBytes("CERTIFICATE");
                 certificateResponse.setSerialNumber(resultSet.getString("SERIAL_NUMBER"));
                 certificateResponse.setTenantId(resultSet.getInt("TENANT_ID"));
                 certificateResponse.setUsername(resultSet.getString("USERNAME"));
@@ -197,7 +198,7 @@ public class GenericCertificateDAOImpl implements CertificateDAO {
             log.error(errorMsg, e);
             throw new CertificateManagementDAOException(errorMsg, e);
         } finally {
-            OperationManagementDAOUtil.cleanupResources(stmt, resultSet);
+            CertificateManagementDAOUtil.cleanupResources(stmt, resultSet);
         }
         return paginationResult;
     }
@@ -219,7 +220,7 @@ public class GenericCertificateDAOImpl implements CertificateDAO {
 
             while (resultSet.next()) {
                 certificateResponse = new CertificateResponse();
-                byte [] certificateBytes = resultSet.getBytes("CERTIFICATE");
+                byte[] certificateBytes = resultSet.getBytes("CERTIFICATE");
                 certificateResponse.setSerialNumber(resultSet.getString("SERIAL_NUMBER"));
                 certificateResponse.setTenantId(resultSet.getInt("TENANT_ID"));
                 certificateResponse.setUsername(resultSet.getString("USERNAME"));
@@ -231,7 +232,7 @@ public class GenericCertificateDAOImpl implements CertificateDAO {
             log.error(errorMsg, e);
             throw new CertificateManagementDAOException(errorMsg, e);
         } finally {
-            OperationManagementDAOUtil.cleanupResources(stmt, resultSet);
+            CertificateManagementDAOUtil.cleanupResources(stmt, resultSet);
         }
         return certificates;
     }
@@ -253,10 +254,9 @@ public class GenericCertificateDAOImpl implements CertificateDAO {
 
             return stmt.executeUpdate() > 0;
         } catch (SQLException e) {
-            String errorMsg =
+            String msg = "Unable to get the read the certificate with serial" + serialNumber;
-                    "Unable to get the read the certificate with serial" + serialNumber;
+            log.error(msg, e);
-            log.error(errorMsg, e);
+            throw new CertificateManagementDAOException(msg, e);
-            throw new CertificateManagementDAOException(errorMsg, e);
         } finally {
             CertificateManagementDAOUtil.cleanupResources(stmt, resultSet);
         }

components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/main/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGenerator.java

@@ -308,6 +308,10 @@ public class CertificateGenerator {
     }
 
     public CertificateResponse verifyPEMSignature(X509Certificate requestCertificate) throws KeystoreException {
+        if (requestCertificate == null) {
+            throw new IllegalArgumentException("Certificate of which the signature needs to be validated cannot " +
+                    "be null");
+        }
         KeyStoreReader keyStoreReader = new KeyStoreReader();
         CertificateResponse lookUpCertificate;
 

components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/test/java/org/wso2/carbon/certificate/mgt/core/impl/CertificateGeneratorTests.java

@@ -0,0 +1,42 @@
+/*
+ *   Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ *   WSO2 Inc. licenses this file to you under the Apache License,
+ *   Version 2.0 (the "License"); you may not use this file except
+ *   in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.wso2.carbon.certificate.mgt.core.impl;
+
+import junit.framework.Assert;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.testng.annotations.Test;
+import org.wso2.carbon.certificate.mgt.core.exception.KeystoreException;
+
+public class CertificateGeneratorTests {
+
+    private static final Log log = LogFactory.getLog(CertificateGeneratorTests.class);
+
+    @Test(expectedExceptions = IllegalArgumentException.class)
+    public void testVerifyNullPEMSignature() {
+        CertificateGenerator certGenerator = new CertificateGenerator();
+        try {
+            certGenerator.verifyPEMSignature(null);
+        } catch (KeystoreException e) {
+            log.error("Error occurred while verifying PEM signature", e);
+            Assert.fail();
+        }
+    }
+
+}

components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/test/java/org/wso2/carbon/certificate/mgt/core/impl/KeyGeneratorTests.java

@@ -0,0 +1,25 @@
+/*
+ *   Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ *   WSO2 Inc. licenses this file to you under the Apache License,
+ *   Version 2.0 (the "License"); you may not use this file except
+ *   in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.wso2.carbon.certificate.mgt.core.impl;
+
+public class KeyGeneratorTests {
+
+
+
+}

components/certificate-mgt/org.wso2.carbon.certificate.mgt.core/src/test/resources/testng.xml

@@ -5,6 +5,8 @@
         <classes>
             <class name="org.wso2.carbon.certificate.mgt.core.impl.CertificateGeneratorTestSuite"/>
             <class name="org.wso2.carbon.certificate.mgt.core.util.CommonUtil"/>
+            <class name="org.wso2.carbon.certificate.mgt.core.impl.CertificateGeneratorTests"/>
+            <class name="org.wso2.carbon.certificate.mgt.core.impl.KeyGeneratorTests"/>
         </classes>
     </test>
 </suite>

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/authorization/DeviceAccessAuthorizationServiceImpl.java

@@ -202,18 +202,13 @@ public class DeviceAccessAuthorizationServiceImpl implements DeviceAccessAuthori
             throws DeviceAccessAuthorizationException {
         //Check for device ownership. If the user is the owner of the device we allow the access.
         try {
-            Device device = DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
+            return DeviceManagementDataHolder.getInstance().getDeviceManagementProvider().
-                    getDevice(deviceIdentifier);
+                    isEnrolled(deviceIdentifier, username);
-            EnrolmentInfo enrolmentInfo = device.getEnrolmentInfo();
-            if (enrolmentInfo != null && username.equalsIgnoreCase(enrolmentInfo.getOwner())) {
-                return true;
-            }
         } catch (DeviceManagementException e) {
             throw new DeviceAccessAuthorizationException("Unable to authorize the access to device : " +
                                                                  deviceIdentifier.getId() + " for the user : " +
                                                                  username, e);
         }
-        return false;
     }
 
     private boolean isAdminUser(String username, int tenantId) throws UserStoreException {

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/dao/impl/AbstractDeviceDAOImpl.java

@@ -748,7 +748,7 @@ public abstract class AbstractDeviceDAOImpl implements DeviceDAO {
         ResultSet rs = null;
         try {
             conn = this.getConnection();
-            String sql = "SELECT ID AS ENROLMENT_ID FROM DM_ENROLMENT WHERE DEVICE_ID = (SELECT d.ID " +
+            String sql = "SELECT ID AS ENROLMENT_ID FROM DM_ENROLMENT WHERE DEVICE_ID = (SELECT DISTINCT d.ID " +
                     "FROM DM_DEVICE d, DM_DEVICE_TYPE t WHERE d.DEVICE_TYPE_ID = t.ID " +
                     "AND d.DEVICE_IDENTIFICATION = ? AND t.NAME = ? AND d.TENANT_ID = ?) " +
                     "AND STATUS = ? AND TENANT_ID = ?";

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/device/details/mgt/impl/DeviceInformationManagerImpl.java

@@ -162,7 +162,6 @@ public class DeviceInformationManagerImpl implements DeviceInformationManager {
             deviceDetailsDAO.addDeviceLocation(deviceLocation);
             DeviceManagementDAOFactory.commitTransaction();
         } catch (TransactionManagementException e) {
-            DeviceManagementDAOFactory.rollbackTransaction();
             throw new DeviceDetailsMgtException("Transactional error occurred while adding the device location " +
                     "information.", e);
         } catch (DeviceDetailsMgtDAOException e) {
@@ -172,6 +171,7 @@ public class DeviceInformationManagerImpl implements DeviceInformationManager {
             DeviceManagementDAOFactory.rollbackTransaction();
             throw new DeviceDetailsMgtException("Error occurred while getting the device information.", e);
         } catch (DeviceManagementDAOException e) {
+            DeviceManagementDAOFactory.rollbackTransaction();
             throw new DeviceDetailsMgtException("Error occurred while updating the last updated timestamp of " +
                     "the device", e);
         } finally {
@@ -225,6 +225,8 @@ public class DeviceInformationManagerImpl implements DeviceInformationManager {
             throw new DeviceDetailsMgtException("SQL error occurred while retrieving device from database.", e);
         } catch (DeviceDetailsMgtDAOException e) {
             throw new DeviceDetailsMgtException("Exception occurred while retrieving device locations.", e);
+        } finally{
+            DeviceManagementDAOFactory.closeConnection();
         }
     }
 

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/operation/mgt/OperationManagerImpl.java

@@ -141,7 +141,6 @@ public class OperationManagerImpl implements OperationManager {
         } finally {
             OperationManagementDAOFactory.closeConnection();
         }
-
     }
 
     private List<DeviceIdentifier> getAuthorizedDevices(
@@ -161,26 +160,6 @@ public class OperationManagerImpl implements OperationManager {
         return authorizedDeviceList;
     }
 
-    private List<EnrolmentInfo> getEnrollmentsByStatus(
-            List<DeviceIdentifier> deviceIds) throws OperationManagementException {
-        List<EnrolmentInfo> enrolments;
-        int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();
-        try {
-            DeviceManagementDAOFactory.openConnection();
-            enrolments = deviceDAO.getEnrolmentsByStatus(deviceIds, EnrolmentInfo.Status.ACTIVE, tenantId);
-        } catch (SQLException e) {
-            throw new OperationManagementException("Error occurred while opening a connection the data " +
-                    "source", e);
-        } catch (DeviceManagementDAOException e) {
-            OperationManagementDAOFactory.rollbackTransaction();
-            throw new OperationManagementException(
-                    "Error occurred while retrieving enrollments by status", e);
-        } finally {
-            DeviceManagementDAOFactory.closeConnection();
-        }
-        return enrolments;
-    }
-
     private Device getDevice(DeviceIdentifier deviceId) throws OperationManagementException {
         int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();
         try {
@@ -200,39 +179,19 @@ public class OperationManagerImpl implements OperationManager {
 
     @Override
     public List<? extends Operation> getOperations(DeviceIdentifier deviceId) throws OperationManagementException {
-        int enrolmentId;
         List<Operation> operations = null;
-        try {
+
-            boolean isUserAuthorized = DeviceManagementDataHolder.getInstance().getDeviceAccessAuthorizationService().
+        if (!isActionAuthorized(deviceId)) {
-                    isUserAuthorized(deviceId, DeviceGroupConstants.Permissions.DEFAULT_OPERATOR_PERMISSIONS);
+            throw new OperationManagementException("User '" + getUser() + "' is not authorized to access the '" +
-            if (!isUserAuthorized) {
+                    deviceId.getType() + "' device, which carries the identifier '" + deviceId.getId() + "'");
-                throw new UnauthorizedDeviceAccessException("User '" + getUser() + "' is not authorized to " +
-                        "fetch operations on device '" + deviceId.getId() + "'");
-            }
-        } catch (DeviceAccessAuthorizationException e) {
-            throw new OperationManagementException("Error occurred while authorizing access to the devices for user : " +
-                    this.getUser(), e);
         }
 
-        try {
+        int enrolmentId = this.getEnrolmentByStatus(deviceId, EnrolmentInfo.Status.ACTIVE);
-            DeviceManagementDAOFactory.openConnection();
-            int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();
-            enrolmentId = deviceDAO.getEnrolmentByStatus(deviceId, EnrolmentInfo.Status.ACTIVE, tenantId);
-        } catch (DeviceManagementDAOException e) {
-            throw new OperationManagementException("Error occurred while retrieving metadata of '" +
-                    deviceId.getType() + "' device carrying the identifier '" +
-                    deviceId.getId() + "'");
-        } catch (SQLException e) {
-            throw new OperationManagementException(
-                    "Error occurred while opening a connection to the data source", e);
-        } finally {
-            DeviceManagementDAOFactory.closeConnection();
-        }
-
-        try {
         if (enrolmentId < 0) {
             return null;
         }
+
+        try {
             OperationManagementDAOFactory.openConnection();
             List<? extends org.wso2.carbon.device.mgt.core.dto.operation.mgt.Operation> operationList =
                     operationDAO.getOperationsForDevice(enrolmentId);
@@ -259,42 +218,22 @@ public class OperationManagerImpl implements OperationManager {
     public PaginationResult getOperations(DeviceIdentifier deviceId, PaginationRequest request)
             throws OperationManagementException {
         PaginationResult paginationResult = null;
-        int enrolmentId;
         List<Operation> operations = new ArrayList<>();
-        try {
+
-            boolean isUserAuthorized = DeviceManagementDataHolder.getInstance().getDeviceAccessAuthorizationService().
+        if (!isActionAuthorized(deviceId)) {
-                    isUserAuthorized(deviceId, DeviceGroupConstants.Permissions.DEFAULT_OPERATOR_PERMISSIONS);
+            throw new OperationManagementException("User '" + getUser() + "' is not authorized to access the '" +
-            if (!isUserAuthorized) {
+                    deviceId.getType() + "' device, which carries the identifier '" + deviceId.getId() + "'");
-                log.error("User : " + getUser() + " is not authorized to fetch operations on device : " +
-                        deviceId.getId());
-            }
-        } catch (DeviceAccessAuthorizationException e) {
-            throw new OperationManagementException("Error occurred while authorizing access to the devices for user : " +
-                    this.getUser(), e);
         }
 
-        try {
+        int enrolmentId = this.getEnrolmentByStatus(deviceId, EnrolmentInfo.Status.ACTIVE);
-            DeviceManagementDAOFactory.openConnection();
-            int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();
-            enrolmentId = deviceDAO.getEnrolmentByStatus(deviceId, EnrolmentInfo.Status.ACTIVE, tenantId);
-        } catch (SQLException e) {
-            throw new OperationManagementException(
-                    "Error occurred while opening a connection to the data source", e);
-        } catch (DeviceManagementDAOException e) {
-            throw new OperationManagementException("Error occurred while retrieving metadata of '" +
-                    deviceId.getType() + "' device carrying the identifier '" +
-                    deviceId.getId() + "'");
-        } finally {
-            DeviceManagementDAOFactory.closeConnection();
-        }
-
-        try {
-            OperationManagementDAOFactory.openConnection();
         if (enrolmentId < 0) {
             throw new OperationManagementException("Device not found for given device " +
                     "Identifier:" + deviceId.getId() + " and given type" +
                     deviceId.getType());
         }
+
+        try {
+            OperationManagementDAOFactory.openConnection();
             List<? extends org.wso2.carbon.device.mgt.core.dto.operation.mgt.Operation> operationList =
                     operationDAO.getOperationsForDevice(enrolmentId, request);
             for (org.wso2.carbon.device.mgt.core.dto.operation.mgt.Operation dtoOperation : operationList) {
@@ -326,43 +265,23 @@ public class OperationManagerImpl implements OperationManager {
         if (log.isDebugEnabled()) {
             log.debug("Device identifier id:[" + deviceId.getId() + "] type:[" + deviceId.getType() + "]");
         }
-        int enrolmentId;
         List<Operation> operations = new ArrayList<>();
         List<org.wso2.carbon.device.mgt.core.dto.operation.mgt.Operation> dtoOperationList = new ArrayList<>();
-        try {
+
-            boolean isUserAuthorized = DeviceManagementDataHolder.getInstance().getDeviceAccessAuthorizationService().
+        if (!isActionAuthorized(deviceId)) {
-                    isUserAuthorized(deviceId, DeviceGroupConstants.Permissions.DEFAULT_OPERATOR_PERMISSIONS);
+            throw new OperationManagementException("User '" + getUser() + "' is not authorized to access the '" +
-            if (!isUserAuthorized) {
+                    deviceId.getType() + "' device, which carries the identifier '" + deviceId.getId() + "'");
-                log.error("User : " + getUser() + " is not authorized to fetch operations on device : "
-                        + deviceId.getId());
-            }
-        } catch (DeviceAccessAuthorizationException e) {
-            throw new OperationManagementException("Error occurred while authorizing access to the devices for user :" +
-                    this.getUser(), e);
         }
 
-        try {
+        int enrolmentId = this.getEnrolmentByStatus(deviceId, EnrolmentInfo.Status.ACTIVE);
-            DeviceManagementDAOFactory.openConnection();
-            int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();
-            enrolmentId = deviceDAO.getEnrolmentByStatus(deviceId, EnrolmentInfo.Status.ACTIVE, tenantId);
-        } catch (SQLException e) {
-            throw new OperationManagementException(
-                    "Error occurred while opening a connection to the data source", e);
-        } catch (DeviceManagementDAOException e) {
-            throw new OperationManagementException("Error occurred while retrieving the device " +
-                    "for device Identifier type -'" + deviceId.getType() +
-                    "' and device Id '" + deviceId.getId() + "'", e);
-        } finally {
-            DeviceManagementDAOFactory.closeConnection();
-        }
-
-        try {
-            OperationManagementDAOFactory.openConnection();
         if (enrolmentId < 0) {
             throw new OperationManagementException("Device not found for the given device Identifier:" +
                     deviceId.getId() + " and given type:" +
                     deviceId.getType());
         }
+
+        try {
+            OperationManagementDAOFactory.openConnection();
             dtoOperationList.addAll(commandOperationDAO.getOperationsByDeviceAndStatus(
                     enrolmentId, org.wso2.carbon.device.mgt.core.dto.operation.mgt.Operation.Status.PENDING));
             dtoOperationList.addAll(configOperationDAO.getOperationsByDeviceAndStatus(
@@ -396,41 +315,21 @@ public class OperationManagerImpl implements OperationManager {
             log.debug("device identifier id:[" + deviceId.getId() + "] type:[" + deviceId.getType() + "]");
         }
         Operation operation = null;
-        int enrolmentId;
+
-        try {
+        if (!isActionAuthorized(deviceId)) {
-            boolean isUserAuthorized = DeviceManagementDataHolder.getInstance().getDeviceAccessAuthorizationService().
+            throw new OperationManagementException("User '" + getUser() + "' is not authorized to access the '" +
-                    isUserAuthorized(deviceId, DeviceGroupConstants.Permissions.DEFAULT_OPERATOR_PERMISSIONS);
+                    deviceId.getType() + "' device, which carries the identifier '" + deviceId.getId() + "'");
-            if (!isUserAuthorized) {
-                log.error("User : " + getUser() + " is not authorized to fetch operations on device : "
-                        + deviceId.getId());
-            }
-        } catch (DeviceAccessAuthorizationException e) {
-            throw new OperationManagementException("Error occurred while authorizing access to the devices for user : " +
-                    this.getUser(), e);
         }
 
-        try {
+        int enrolmentId = this.getEnrolmentByStatus(deviceId, EnrolmentInfo.Status.ACTIVE);
-            DeviceManagementDAOFactory.openConnection();
-            int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();
-            enrolmentId = deviceDAO.getEnrolmentByStatus(deviceId, EnrolmentInfo.Status.ACTIVE, tenantId);
-        } catch (DeviceManagementDAOException e) {
-            throw new OperationManagementException("Error occurred while retrieving the device " +
-                    "for device Identifier type -'" + deviceId.getType() +
-                    "' and device Id '" + deviceId.getId(), e);
-        } catch (SQLException e) {
-            throw new OperationManagementException(
-                    "Error occurred while opening a connection to the data source", e);
-        } finally {
-            DeviceManagementDAOFactory.closeConnection();
-        }
-
-        try {
-            OperationManagementDAOFactory.openConnection();
         if (enrolmentId < 0) {
             throw new OperationManagementException("Device not found for given device " +
                     "Identifier:" + deviceId.getId() + " and given type" +
                     deviceId.getType());
         }
+
+        try {
+            OperationManagementDAOFactory.openConnection();
             org.wso2.carbon.device.mgt.core.dto.operation.mgt.Operation dtoOperation = operationDAO.
                     getNextOperation(enrolmentId);
             if (dtoOperation != null) {
@@ -470,34 +369,13 @@ public class OperationManagerImpl implements OperationManager {
         if (log.isDebugEnabled()) {
             log.debug("operation Id:" + operationId + " status:" + operation.getStatus());
         }
-        int enrolmentId;
+
-        try {
+        if (!isActionAuthorized(deviceId)) {
-            boolean isUserAuthorized = DeviceManagementDataHolder.getInstance().getDeviceAccessAuthorizationService().
+            throw new OperationManagementException("User '" + getUser() + "' is not authorized to access the '" +
-                    isUserAuthorized(deviceId, DeviceGroupConstants.Permissions.DEFAULT_OPERATOR_PERMISSIONS);
+                    deviceId.getType() + "' device, which carries the identifier '" + deviceId.getId() + "'");
-            if (!isUserAuthorized) {
-                log.error("User : " + getUser() + " is not authorized to update operations on device : "
-                        + deviceId.getId());
-            }
-        } catch (DeviceAccessAuthorizationException e) {
-            throw new OperationManagementException("Error occurred while authorizing access to the devices for user :" +
-                    this.getUser(), e);
         }
 
-        try {
+        int enrolmentId = this.getEnrolmentByStatus(deviceId, EnrolmentInfo.Status.ACTIVE);
-            DeviceManagementDAOFactory.openConnection();
-            int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();
-            enrolmentId = deviceDAO.getEnrolmentByStatus(deviceId, EnrolmentInfo.Status.ACTIVE, tenantId);
-        } catch (SQLException e) {
-            throw new OperationManagementException("Error occurred while opening a connection to the" +
-                    " data source", e);
-        } catch (DeviceManagementDAOException e) {
-            OperationManagementDAOFactory.rollbackTransaction();
-            throw new OperationManagementException(
-                    "Error occurred while fetching the device for device identifier: " + deviceId.getId() +
-                            "type:" + deviceId.getType(), e);
-        } finally {
-            DeviceManagementDAOFactory.closeConnection();
-        }
 
         try {
             OperationManagementDAOFactory.beginTransaction();
@@ -547,45 +425,25 @@ public class OperationManagerImpl implements OperationManager {
     @Override
     public Operation getOperationByDeviceAndOperationId(DeviceIdentifier deviceId, int operationId)
             throws OperationManagementException {
-        int enrolmentId;
         Operation operation = null;
         if (log.isDebugEnabled()) {
             log.debug("Operation Id: " + operationId + " Device Type: " + deviceId.getType() + " Device Identifier: " +
                     deviceId.getId());
         }
-        try {
+
-            boolean isUserAuthorized = DeviceManagementDataHolder.getInstance().getDeviceAccessAuthorizationService().
+        if (!isActionAuthorized(deviceId)) {
-                    isUserAuthorized(deviceId, DeviceGroupConstants.Permissions.DEFAULT_OPERATOR_PERMISSIONS);
+            throw new OperationManagementException("User '" + getUser() + "' is not authorized to access the '" +
-            if (!isUserAuthorized) {
+                    deviceId.getType() + "' device, which carries the identifier '" + deviceId.getId() + "'");
-                log.error("User : " + getUser() + " is not authorized to fetch operations on device : "
-                        + deviceId.getId());
-            }
-        } catch (DeviceAccessAuthorizationException e) {
-            throw new OperationManagementException("Error occurred while authorizing access to the devices for user :" +
-                    this.getUser(), e);
         }
 
-        try {
+        int enrolmentId = this.getEnrolmentByStatus(deviceId, EnrolmentInfo.Status.ACTIVE);
-            DeviceManagementDAOFactory.openConnection();
-            int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();
-            enrolmentId = deviceDAO.getEnrolmentByStatus(deviceId, EnrolmentInfo.Status.ACTIVE, tenantId);
-        } catch (DeviceManagementDAOException e) {
-            throw new OperationManagementException("Error occurred while retrieving the device " +
-                    "for device Identifier type -'" + deviceId.getType() +
-                    "' and device Id '" + deviceId.getId() + "'", e);
-        } catch (SQLException e) {
-            throw new OperationManagementException("Error occurred while opening connection to the data source",
-                    e);
-        } finally {
-            DeviceManagementDAOFactory.closeConnection();
-        }
-
-        try {
-            OperationManagementDAOFactory.openConnection();
         if (enrolmentId < 0) {
             throw new OperationManagementException("Device not found for given device identifier: " +
                     deviceId.getId() + " type: " + deviceId.getType());
         }
+
+        try {
+            OperationManagementDAOFactory.openConnection();
             org.wso2.carbon.device.mgt.core.dto.operation.mgt.Operation dtoOperation = operationDAO.
                     getOperationByDeviceAndId(enrolmentId, operationId);
             if (dtoOperation.getType().
@@ -630,43 +488,21 @@ public class OperationManagerImpl implements OperationManager {
             DeviceIdentifier deviceId, Operation.Status status) throws OperationManagementException {
         List<Operation> operations = new ArrayList<>();
         List<org.wso2.carbon.device.mgt.core.dto.operation.mgt.Operation> dtoOperationList = new ArrayList<>();
-        int enrolmentId;
+
-        try {
+        if (!isActionAuthorized(deviceId)) {
-            boolean isUserAuthorized = DeviceManagementDataHolder.getInstance().getDeviceAccessAuthorizationService().
+            throw new OperationManagementException("User '" + getUser() + "' is not authorized to access the '" +
-                    isUserAuthorized(deviceId, DeviceGroupConstants.Permissions.DEFAULT_OPERATOR_PERMISSIONS);
+                    deviceId.getType() + "' device, which carries the identifier '" + deviceId.getId() + "'");
-            if (!isUserAuthorized) {
-                log.info("User : " + getUser() + " is not authorized to fetch operations on device : "
-                        + deviceId.getId());
-            }
-        } catch (DeviceAccessAuthorizationException e) {
-            throw new OperationManagementException("Error occurred while authorizing access to the devices for user :" +
-                    this.getUser(), e);
         }
 
-        try {
+        int enrolmentId = this.getEnrolmentByStatus(deviceId, EnrolmentInfo.Status.ACTIVE);
-            DeviceManagementDAOFactory.openConnection();
-            int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();
-            enrolmentId = deviceDAO.getEnrolmentByStatus(deviceId, EnrolmentInfo.Status.ACTIVE, tenantId);
-        } catch (DeviceManagementDAOException e) {
-            throw new OperationManagementException("Error occurred while retrieving the device " +
-                    "for device Identifier type -'" + deviceId.getType() +
-                    "' and device Id '" + deviceId.getId(), e);
-        } catch (SQLException e) {
-            throw new OperationManagementException(
-                    "Error occurred while opening a connection to the data source", e);
-        } finally {
-            DeviceManagementDAOFactory.closeConnection();
-        }
-
-        try {
-            OperationManagementDAOFactory.openConnection();
-
         if (enrolmentId < 0) {
             throw new OperationManagementException(
                     "Device not found for device id:" + deviceId.getId() + " " + "type:" +
                             deviceId.getType());
         }
 
+        try {
+            OperationManagementDAOFactory.openConnection();
             org.wso2.carbon.device.mgt.core.dto.operation.mgt.Operation.Status dtoOpStatus =
                     org.wso2.carbon.device.mgt.core.dto.operation.mgt.Operation.Status.valueOf(status.toString());
             dtoOperationList.addAll(commandOperationDAO.getOperationsByDeviceAndStatus(enrolmentId, dtoOpStatus));
@@ -920,4 +756,36 @@ public class OperationManagerImpl implements OperationManager {
         return status;
     }
 
+    private boolean isActionAuthorized(DeviceIdentifier deviceId) {
+        boolean isUserAuthorized;
+        try {
+            isUserAuthorized = DeviceManagementDataHolder.getInstance().getDeviceAccessAuthorizationService().
+                    isUserAuthorized(deviceId, DeviceGroupConstants.Permissions.DEFAULT_OPERATOR_PERMISSIONS);
+        } catch (DeviceAccessAuthorizationException e) {
+            log.error("Error occurred while trying to authorize current user upon the invoked operation", e);
+            return false;
+        }
+        return isUserAuthorized;
+    }
+
+    private int getEnrolmentByStatus(DeviceIdentifier deviceId,
+                                     EnrolmentInfo.Status status) throws OperationManagementException {
+        int enrolmentId;
+        try {
+            DeviceManagementDAOFactory.openConnection();
+            int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();
+            enrolmentId = deviceDAO.getEnrolmentByStatus(deviceId, status, tenantId);
+        } catch (DeviceManagementDAOException e) {
+            throw new OperationManagementException("Error occurred while retrieving metadata of '" +
+                    deviceId.getType() + "' device carrying the identifier '" +
+                    deviceId.getId() + "'", e);
+        } catch (SQLException e) {
+            throw new OperationManagementException(
+                    "Error occurred while opening a connection to the data source", e);
+        } finally {
+            DeviceManagementDAOFactory.closeConnection();
+        }
+        return enrolmentId;
+    }
+
 }

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/data-tables-invoker-api.jag

@@ -23,7 +23,7 @@ var uri = request.getRequestURI();
 var uriMatcher = new URIMatcher(String(uri));
 
 var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
-var serviceInvokers = require("/app/modules/backend-service-invoker.js")["backendServiceInvoker"];
+var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
 
 function appendQueryParam (url, queryParam , value) {
     if (url.indexOf("?") > 0) {

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/device-api.jag

@@ -26,7 +26,7 @@ var deviceModule = require("/app/modules/device.js").deviceModule;
 var utility = require("/app/modules/utility.js").utility;
 var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
 var userModule = require("/app/modules/user.js").userModule;
-var serviceInvokers = require("/app/modules/backend-service-invoker.js").backendServiceInvoker;
+var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
 
 var user = session.get(constants.USER_SESSION_KEY);
 var result;

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/group-api.jag

@@ -24,7 +24,7 @@ var log = new Log("api/device-api.jag");
 var constants = require("/app/modules/constants.js");
 var utility = require("/app/modules/utility.js").utility;
 var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
-var serviceInvokers = require("/app/modules/backend-service-invoker.js").backendServiceInvoker;
+var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
 
 var user = session.get(constants.USER_SESSION_KEY);
 var result;

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/invoker-api.jag

@@ -24,7 +24,7 @@ var uriMatcher = new URIMatcher(String(uri));
 
 var constants = require("/app/modules/constants.js");
 var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
-var serviceInvokers = require("/app/modules/backend-service-invoker.js")["backendServiceInvoker"];
+var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
 
 if (uriMatcher.match("/{context}/api/invoker/execute/")) {
     var restAPIRequestDetails = request.getContent();

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/operation-api.jag

@@ -22,7 +22,7 @@ var uriMatcher = new URIMatcher(String(uri));
 
 var log = new Log("api/operation-api.jag");
 
-var serviceInvokers = require("/app/modules/backend-service-invoker.js")["backendServiceInvoker"];
+var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
 var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
 
 if (uriMatcher.match("/{context}/api/operation/paginate")) {

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/token.jag

@@ -21,7 +21,7 @@
  @Deprecated - new
  */
 
-// var apiWrapperUtil = require("/app/modules/api-wrapper-util.js").apiWrapperUtil;
+// var apiWrapperUtil = require("/app/modules/api-wrapper-util.js")["handlers"];
 // var tokenCookie = apiWrapperUtil.refreshToken();
 // print(tokenCookie);
 %>

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/api/user-api.jag

@@ -27,7 +27,7 @@ var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
 var userModule = require("/app/modules/user.js").userModule;
 var deviceModule = require("/app/modules/device.js").deviceModule;
 var utility = require("/app/modules/utility.js").utility;
-var apiWrapperUtil = require("/app/modules/api-wrapper-util.js").apiWrapperUtil;
+var apiWrapperUtil = require("/app/modules/api-wrapper-util.js")["handlers"];
 var util = require("/app/modules/util.js").util;
 
 var responseProcessor = require('utils').response;

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/api-wrapper-util.js

@@ -16,8 +16,15 @@
  * under the License.
  */
 
-var apiWrapperUtil = function () {
+/**
-    var log = new Log("/app/modules/api-wrapper-util.js");
+ * ----------------------------------------------------------------------------
+ * Following module includes invokers
+ * at Jaggery Layer for calling Backend Services, protected by OAuth Tokens.
+ * These Services include both REST and SOAP Services.
+ * ----------------------------------------------------------------------------
+ */
+var handlers = function () {
+    var log = new Log("/app/modules/token-handlers.js");
 
     var tokenUtil = require("/app/modules/util.js")["util"];
     var constants = require("/app/modules/constants.js");
@@ -28,23 +35,27 @@ var apiWrapperUtil = function () {
 
     privateMethods.setUpEncodedTenantBasedClientCredentials = function (username) {
         if (!username) {
-            log.error("Could not set up encoded tenant based client credentials " +
+            throw new Error("{/app/modules/token-handlers.js} Could not set up encoded tenant based " +
-                "to session context. No username is found as input.");
+                "client credentials to session context. No username is found as " +
+                "input - setUpEncodedTenantBasedClientCredentials(x)");
         } else {
-            var dynamicClientCredentials = tokenUtil.getDyanmicClientCredentials();
+            var dynamicClientCredentials = tokenUtil.getDynamicClientCredentials();
             if (!dynamicClientCredentials) {
-                log.error("Could not set up encoded tenant based client credentials " +
+                throw new Error("{/app/modules/token-handlers.js} Could not set up encoded tenant based " +
-                    "to session context as the server is unable to obtain dynamic client credentials.");
+                    "client credentials to session context as the server is unable to obtain " +
+                    "dynamic client credentials - setUpEncodedTenantBasedClientCredentials(x)");
             } else {
                 var jwtToken = tokenUtil.getTokenWithJWTGrantType(dynamicClientCredentials);
                 if (!jwtToken) {
-                    log.error("Could not set up encoded tenant based client credentials " +
+                    throw new Error("{/app/modules/token-handlers.js} Could not set up encoded tenant based " +
-                        "to session context as the server is unable to obtain a jwt token.");
+                        "client credentials to session context as the server is unable to obtain " +
+                        "a jwt token - setUpEncodedTenantBasedClientCredentials(x)");
                 } else {
                     var tenantBasedClientCredentials = tokenUtil.getTenantBasedAppCredentials(username, jwtToken);
                     if (!tenantBasedClientCredentials) {
-                        log.error("Could not set up encoded tenant based client credentials " +
+                        throw new Error("{/app/modules/token-handlers.js} Could not set up encoded tenant " +
-                            "to session context as the server is unable to obtain such credentials.");
+                            "based client credentials to session context as the server is unable " +
+                            "to obtain such credentials - setUpEncodedTenantBasedClientCredentials(x)");
                     } else {
                         var encodedTenantBasedClientCredentials =
                             tokenUtil.encode(tenantBasedClientCredentials["clientId"] + ":" +
@@ -57,34 +68,18 @@ var apiWrapperUtil = function () {
         }
     };
 
-    publicMethods.refreshToken = function () {
-        var accessTokenPair = parse(session.get(constants["ACCESS_TOKEN_PAIR_IDENTIFIER"]));
-        // accessTokenPair includes current access token as well as current refresh token
-        var encodedClientCredentials = session.get(constants["ENCODED_CLIENT_KEYS_IDENTIFIER"]);
-        if (!accessTokenPair || !encodedClientCredentials) {
-            log.error("Error in refreshing tokens. Either the access token pair, " +
-                "encoded client credentials or both input are not found under session context.");
-        } else {
-            var newAccessTokenPair = tokenUtil.refreshToken(accessTokenPair, encodedClientCredentials);
-            if (!newAccessTokenPair) {
-                log.error("Error in refreshing tokens. Unable to update " +
-                    "session context with new access token pair.");
-            } else {
-                session.put(constants["ACCESS_TOKEN_PAIR_IDENTIFIER"], stringify(newAccessTokenPair));
-            }
-        }
-    };
-
     publicMethods.setupAccessTokenPairByPasswordGrantType = function (username, password) {
         if (!username || !password) {
-            log.error("Could not set up access token pair by password grant type. " +
+            throw new Error("{/app/modules/token-handlers.js} Could not set up access token pair by " +
-                "Either username, password or both are missing as input.");
+                "password grant type. Either username, password or both are missing as " +
+                "input - setupAccessTokenPairByPasswordGrantType(x, y)");
         } else {
             privateMethods.setUpEncodedTenantBasedClientCredentials(username);
             var encodedClientCredentials = session.get(constants["ENCODED_CLIENT_KEYS_IDENTIFIER"]);
             if (!encodedClientCredentials) {
-                log.error("Could not set up access token pair by password grant type. " +
+                throw new Error("{/app/modules/token-handlers.js} Could not set up access token pair by " +
-                    "Encoded client credentials are missing.");
+                    "password grant type. Encoded client credentials are " +
+                    "missing - setupAccessTokenPairByPasswordGrantType(x, y)");
             } else {
                 var accessTokenPair;
                 // accessTokenPair will include current access token as well as current refresh token
@@ -97,7 +92,9 @@ var apiWrapperUtil = function () {
                     getTokenWithPasswordGrantType(username,
                     encodeURIComponent(password), encodedClientCredentials, stringOfScopes);
                 if (!accessTokenPair) {
-                    log.error("Could not set up access token pair by password grant type. Error in token retrieval.");
+                    throw new Error("{/app/modules/token-handlers.js} Could not set up access " +
+                        "token pair by password grant type. Error in token " +
+                        "retrieval - setupAccessTokenPairByPasswordGrantType(x, y)");
                 } else {
                     // setting up access token pair into session context as a string
                     session.put(constants["ACCESS_TOKEN_PAIR_IDENTIFIER"], stringify(accessTokenPair));
@@ -108,21 +105,25 @@ var apiWrapperUtil = function () {
 
     publicMethods.setupAccessTokenPairBySamlGrantType = function (username, samlToken) {
         if (!username || !samlToken) {
-            log.error("Could not set up access token pair by saml grant type. " +
+            throw new Error("{/app/modules/token-handlers.js} Could not set up access token pair by " +
-                "Either username, samlToken or both are missing as input.");
+                "saml grant type. Either username, samlToken or both are missing as " +
+                "input - setupAccessTokenPairByPasswordGrantType(x, y)");
         } else {
             privateMethods.setUpEncodedTenantBasedClientCredentials(username);
             var encodedClientCredentials = session.get(constants["ENCODED_CLIENT_KEYS_IDENTIFIER"]);
             if (!encodedClientCredentials) {
-                log.error("Could not set up access token pair by saml grant type. " +
+                throw new Error("{/app/modules/token-handlers.js} Could not set up access token pair " +
-                    "Encoded client credentials are missing.");
+                    "by saml grant type. Encoded client credentials are " +
+                    "missing - setupAccessTokenPairByPasswordGrantType(x, y)");
             } else {
                 var accessTokenPair;
                 // accessTokenPair will include current access token as well as current refresh token
                 accessTokenPair = tokenUtil.
                     getTokenWithSAMLGrantType(samlToken, encodedClientCredentials, "PRODUCTION");
                 if (!accessTokenPair) {
-                    log.error("Could not set up access token pair by password grant type. Error in token retrieval.");
+                    throw new Error("{/app/modules/token-handlers.js} Could not set up access token " +
+                        "pair by password grant type. Error in token " +
+                        "retrieval - setupAccessTokenPairByPasswordGrantType(x, y)");
                 } else {
                     // setting up access token pair into session context as a string
                     session.put(constants["ACCESS_TOKEN_PAIR_IDENTIFIER"], stringify(accessTokenPair));
@@ -131,5 +132,24 @@ var apiWrapperUtil = function () {
         }
     };
 
+    publicMethods.refreshToken = function () {
+        var accessTokenPair = parse(session.get(constants["ACCESS_TOKEN_PAIR_IDENTIFIER"]));
+        // accessTokenPair includes current access token as well as current refresh token
+        var encodedClientCredentials = session.get(constants["ENCODED_CLIENT_KEYS_IDENTIFIER"]);
+        if (!accessTokenPair || !encodedClientCredentials) {
+            throw new Error("{/app/modules/token-handlers.js} Error in refreshing tokens. Either the access " +
+                "token pair, encoded client credentials or both input are not found under " +
+                "session context - refreshToken()");
+        } else {
+            var newAccessTokenPair = tokenUtil.refreshToken(accessTokenPair, encodedClientCredentials);
+            if (!newAccessTokenPair) {
+                log.error("{/app/modules/token-handlers.js} Error in refreshing tokens. Unable to update " +
+                    "session context with new access token pair - refreshToken()");
+            } else {
+                session.put(constants["ACCESS_TOKEN_PAIR_IDENTIFIER"], stringify(newAccessTokenPair));
+            }
+        }
+    };
+
     return publicMethods;
 }();

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/backend-service-invoker.js

@@ -17,9 +17,13 @@
  */
 
 /**
- * This backendServiceInvoker contains the wrappers for back end jaggery calls.
+ * ----------------------------------------------------------------------------
+ * Following module includes invokers
+ * at Jaggery Layer for calling Backend Services, protected by OAuth Tokens.
+ * These Services include both REST and SOAP Services.
+ * ----------------------------------------------------------------------------
  */
-var backendServiceInvoker = function () {
+var invokers = function () {
     var log = new Log("/app/modules/backend-service-invoker.js");
 
     var publicXMLHTTPInvokers = {};
@@ -34,7 +38,7 @@ var backendServiceInvoker = function () {
     var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
     var constants = require("/app/modules/constants.js");
     var userModule = require("/app/modules/user.js")["userModule"];
-    var tokenUtil = require("/app/modules/api-wrapper-util.js")["apiWrapperUtil"];
+    var tokenUtil = require("/app/modules/api-wrapper-util.js")["handlers"];
 
     /**
      * This method reads the token pair from the session and return the access token.
@@ -43,7 +47,7 @@ var backendServiceInvoker = function () {
     privateMethods.getAccessToken = function () {
         var tokenPair = parse(session.get(constants["ACCESS_TOKEN_PAIR_IDENTIFIER"]));
         if (tokenPair) {
-            return tokenPair.accessToken;
+            return tokenPair["accessToken"];
         } else {
             return null;
         }

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/device.js

@@ -23,7 +23,7 @@ deviceModule = function () {
     var utility = require('/app/modules/utility.js').utility;
     var constants = require('/app/modules/constants.js');
     var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
-    var serviceInvokers = require("/app/modules/backend-service-invoker.js").backendServiceInvoker;
+    var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
 
     var ArrayList = Packages.java.util.ArrayList;
     var Properties = Packages.java.util.Properties;

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/group.js

@@ -24,7 +24,7 @@ var groupModule = {};
     var constants = require('/app/modules/constants.js');
     var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
     var utility = require("/app/modules/utility.js").utility;
-    var serviceInvokers = require("/app/modules/backend-service-invoker.js").backendServiceInvoker;
+    var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
 
     var groupServiceEndpoint = devicemgtProps["httpsURL"] + constants.ADMIN_SERVICE_CONTEXT + "/groups";
 

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/login.js

@@ -24,7 +24,7 @@ var onFail;
     var constants = require("/app/modules/constants.js");
     onSuccess = function (context) {
         var utility = require("/app/modules/utility.js").utility;
-        var apiWrapperUtil = require("/app/modules/api-wrapper-util.js").apiWrapperUtil;
+        var apiWrapperUtil = require("/app/modules/api-wrapper-util.js")["handlers"];
         if (context.input.samlToken) {
             apiWrapperUtil.setupAccessTokenPairBySamlGrantType(context.input.username, context.input.samlToken);
         } else {

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/operation.js

@@ -21,7 +21,7 @@ var operationModule = function () {
     var utility = require('/app/modules/utility.js').utility;
     var constants = require('/app/modules/constants.js');
     var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
-    var serviceInvokers = require("/app/modules/backend-service-invoker.js").backendServiceInvoker;
+    var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];;
 
     var publicMethods = {};
     var privateMethods = {};

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/policy.js

@@ -26,7 +26,7 @@ policyModule = function () {
     var constants = require('/app/modules/constants.js');
     var utility = require("/app/modules/utility.js")["utility"];
     var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
-    var serviceInvokers = require("/app/modules/backend-service-invoker.js").backendServiceInvoker;
+    var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
 
     var publicMethods = {};
     var privateMethods = {};

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/serverAddress.js

@@ -16,55 +16,59 @@
  * under the License.
  */
 
-var serverAddress = function () {
+/*
-    var log = new Log("serverAddress.js");
+ @Deprecated - new
-    var process = require("process"),
+ */
-        host = process.getProperty('server.host'),
+
-        ip = process.getProperty('carbon.local.ip');
+//var serverAddress = function () {
-    var publicMethods = {};
+//    var log = new Log("serverAddress.js");
-    publicMethods.getHTTPSAddress = function () {
+//    var process = require("process"),
-        var port = process.getProperty('mgt.transport.https.proxyPort');
+//        host = process.getProperty('server.host'),
-        if (!port) {
+//        ip = process.getProperty('carbon.local.ip');
-            port = process.getProperty('mgt.transport.https.port');
+//    var publicMethods = {};
-        }
+//    publicMethods.getHTTPSAddress = function () {
-        if (host === "localhost") {
+//        var port = process.getProperty('mgt.transport.https.proxyPort');
-            return "https://" + ip + ":" + port;
+//        if (!port) {
-        } else {
+//            port = process.getProperty('mgt.transport.https.port');
-            return "https://" + host + ":" + port;
+//        }
-        }
+//        if (host === "localhost") {
-    };
+//            return "https://" + ip + ":" + port;
-    publicMethods.getHPPTAddress = function () {
+//        } else {
-        var port = process.getProperty('mgt.transport.http.proxyPort');
+//            return "https://" + host + ":" + port;
-        if (!port) {
+//        }
-            port = process.getProperty('mgt.transport.http.port');
+//    };
-        }
+//    publicMethods.getHPPTAddress = function () {
-        if (host === "localhost") {
+//        var port = process.getProperty('mgt.transport.http.proxyPort');
-            return "http://" + ip + ":" + port;
+//        if (!port) {
-        } else {
+//            port = process.getProperty('mgt.transport.http.port');
-            return "http://" + host + ":" + port;
+//        }
-        }
+//        if (host === "localhost") {
-    };
+//            return "http://" + ip + ":" + port;
-    publicMethods.getWSSAddress = function () {
+//        } else {
-        var port = process.getProperty('mgt.transport.https.proxyPort');
+//            return "http://" + host + ":" + port;
-        if (!port) {
+//        }
-            port = process.getProperty('mgt.transport.https.port');
+//    };
-        }
+//    publicMethods.getWSSAddress = function () {
-        if (host === "localhost") {
+//        var port = process.getProperty('mgt.transport.https.proxyPort');
-            return "wss://" + ip + ":" + port;
+//        if (!port) {
-        } else {
+//            port = process.getProperty('mgt.transport.https.port');
-            return "wss://" + host + ":" + port;
+//        }
-        }
+//        if (host === "localhost") {
-    };
+//            return "wss://" + ip + ":" + port;
-    publicMethods.getWSAddress = function () {
+//        } else {
-        var port = process.getProperty('mgt.transport.http.proxyPort');
+//            return "wss://" + host + ":" + port;
-        if (!port) {
+//        }
-            port = process.getProperty('mgt.transport.http.port');
+//    };
-        }
+//    publicMethods.getWSAddress = function () {
-        if (host === "localhost") {
+//        var port = process.getProperty('mgt.transport.http.proxyPort');
-            return "ws://" + ip + ":" + port;
+//        if (!port) {
-        } else {
+//            port = process.getProperty('mgt.transport.http.port');
-            return "ws://" + host + ":" + port;
+//        }
-        }
+//        if (host === "localhost") {
-    };
+//            return "ws://" + ip + ":" + port;
-    return publicMethods;
+//        } else {
-}();
+//            return "ws://" + host + ":" + port;
+//        }
+//    };
+//    return publicMethods;
+//}();

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/user.js

@@ -25,7 +25,7 @@ var userModule = function () {
     var constants = require("/app/modules/constants.js");
     var utility = require("/app/modules/utility.js")["utility"];
     var devicemgtProps = require("/app/conf/reader/main.js")["conf"];
-    var serviceInvokers = require("/app/modules/backend-service-invoker.js")["backendServiceInvoker"];
+    var serviceInvokers = require("/app/modules/backend-service-invoker.js")["invokers"];
 
     /* Initializing user manager */
     var carbon = require("carbon");

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/modules/util.js

@@ -27,7 +27,7 @@ var util = function () {
     var adminUser = devicemgtProps["adminUser"];
     var clientName = devicemgtProps["clientName"];
 
-    module.getDyanmicCredentials = function (owner) {
+    module.getDynamicClientCredentials = function () {
         var payload = {
             "callbackUrl": devicemgtProps.callBackUrl,
             "clientName": clientName,

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/pages/cdmf.page.dashboard/dashboard.hbs

@@ -16,12 +16,11 @@
   under the License.
 }}
 {{unit "cdmf.unit.ui.title" pageTitle="Dashboard"}}
-{{unit "cdmf.unit.ui.content.title" pageHeader="Dashboard"}}
 
 {{#zone "breadcrumbs"}}
     <li>
         <a href="{{@app.context}}/">
-            <i class="icon fw fw-home"></i>
+            Dashboard
         </a>
     </li>
 {{/zone}}

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.lib.qrcode/qrcode.hbs

@@ -30,7 +30,6 @@
             });
         }
 
-
         /*
          * set popup maximum height function.
          */
@@ -38,14 +37,13 @@
             var maxHeight = "max-height";
             var marginTop = "margin-top";
             var body = "body";
-            $(modalPopupContent).css(maxHeight, ($(body).height() - ($(body).height()/100 * 30)));
+            $(modalPopupContainer).css(marginTop, (-($(modalPopupContainer).height() / 2)));
-            $(modalPopupContainer).css(marginTop, (-($(modalPopupContainer).height()/2)));
         }
 
         /*
          * show popup function.
          */
-        function showPopup() {
+        function showQRCodePopup() {
             $(modalPopup).show();
             setPopupMaxHeight();
         }
@@ -68,4 +66,11 @@
             });
         }
     </script>
+    <script type="text/javascript">
+        function toggleEnrollment(){
+            $(".modalpopup-content").html($("#qr-code-modal").html());
+            generateQRCode(".modalpopup-content .qr-code");
+            showQRCodePopup();
+        }
+    </script>
 {{/zone}}

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.ui.navbar.nav-menu/nav-menu.hbs

@@ -30,6 +30,14 @@
             </a>
         </li>
     {{/if}}
+    {{#if permissions.LIST_DEVICES_ADMIN}}
+        <li>
+            <a href="{{@app.context}}/devices">
+                <i class="fw fw-mobile"></i>
+                Device Management
+            </a>
+        </li>
+    {{else}}
         {{#if permissions.LIST_OWN_DEVICES}}
             <li>
                 <a href="{{@app.context}}/devices">
@@ -38,6 +46,7 @@
                 </a>
             </li>
         {{/if}}
+    {{/if}}
     {{#if permissions.LIST_GROUPS}}
         <li>
             <a href="{{@app.context}}/groups">
@@ -46,35 +55,63 @@
             </a>
         </li>
     {{/if}}
-    {{#if permissions.ADD_USER}}
+    <li><a><i class="fw fw-user"></i>User Management</a>
-        <li>
+        <ul>
-            <a href="{{@app.context}}/users">
+            {{#if permissions.LIST_USERS}}
-                <i class="fw fw-user"></i>
+                <li><a href="{{@app.context}}/users"><i class="fw fw-user"></i>Users</a></li>
-                User Management
-            </a>
-        </li>
             {{/if}}
-    {{#if permissions.ADD_ROLE}}
+
-        <li>
+            {{#if permissions.LIST_ROLES}}
-            <a href="{{@app.context}}/roles">
+                <li><a href="{{@app.context}}/roles"><i class="fw fw-bookmark"></i>Roles</a></li>
-                <i class="fw fw-bookmark"></i>
-                Role Management
-            </a>
-        </li>
             {{/if}}
-    {{#if permissions.ADD_POLICY}}
+        </ul>
-        <li>
-            <a href="{{@app.context}}/policies">
-                <i class="fw fw-policy"></i>
-                Policy Management
-            </a>
     </li>
+    {{#if permissions.LIST_POLICIES}}
+        <li><a href="{{@app.context}}/policies"><i class="fw fw-policy"></i>Policy Management</a></li>
     {{/if}}
+    <li><a><i class="fw fw-settings"></i>Configuration Management</a>
+        <ul>
             {{#if permissions.TENANT_CONFIGURATION}}
-        <li>
+                <li><a href="{{@app.context}}/platform-configuration"><i class="fw fw-service"></i>Platform Configurations</a>
-            <a href="{{@app.context}}/platform-configuration">
-                <i class="fw fw-settings"></i>Platform Configurations
-            </a>
                 </li>
             {{/if}}
+            <!-- todo change the permission and get the related permission -->
+            {{#if permissions.TENANT_CONFIGURATION}}
+                <li><a href="{{@app.context}}/certificates"><i class="fw fw-security-policy"></i>Certificate Configurations</a>
+                </li>
+            {{/if}}
+        </ul>
+    </li>
+{{/zone}}
+
+{{#zone "navbarCollapsableRightItems"}}
+    <ul id="notification-bubble-wrapper" class="nav navbar-nav navbar-right">
+        <li class="visible-inline-block">
+            <!--<a href="{{appContext}}notification-listing" title="Failures of operations on the device side will be listed here">-->
+            <a data-toggle="sidebar" data-target="#right-sidebar" data-container=".page-content"
+               aria-expanded="false" rel="notifications-sidebar">
+                                <span class="icon fw-stack">
+                                    <i class="fw fw-notification fw-stack-1x"></i>
+                                </span>
+                <span class="hidden-xs">Notifications</span>
+                <span class="badge notifications" id="notification-bubble"></span>
+            </a>
+        </li>
+    </ul>
+{{/zone}}
+{{#zone "sidePanes"}}
+    <div class="sidebar-wrapper" id="right-sidebar" is-authorized="{{isAuthorizedForNotifications}}"
+         data-side="right" data-width="320" data-sidebar-fixed="true" data-fixed-offset="50" data-spy="affix"
+         data-offset-top="80">
+        <ul class="sidebar-messages">
+        </ul>
+        <h4 class="text-center"><a href="{{appContext}}notification-listing" class="text-center">Show all notifications</a>
+        </h4>
+    </div>
+{{/zone}}
+{{#zone "bottomJs"}}
+    <script id="notifications" data-current-user="{{currentUser.username}}"
+            data-image-resource="{{self.publicURL}}/images/" src="{{self.publicURL}}/templates/notifications.hbs"
+            type="text/x-handlebars-template"></script>
+    {{js "js/nav-menu.js"}}
 {{/zone}}

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.ui.navbar.nav-menu/nav-menu.js

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
  *
  * WSO2 Inc. licenses this file to you under the Apache License,
  * Version 2.0 (the "License"); you may not use this file except
@@ -10,19 +10,47 @@
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
- * KIND, either express or implied. See the License for the
+ * either express or implied. See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */
 
 function onRequest(context) {
-    var userModule = require("/app/modules/user.js").userModule;
+    context.handlebars.registerHelper('equal', function (lvalue, rvalue, options) {
-    var constants = require("/app/modules/constants.js");
+        if (arguments.length < 3) {
-    var carbonUser = session.get(constants.USER_SESSION_KEY);
+            throw new Error("Handlebars Helper equal needs 2 parameters");
-    var page_data = {};
-    if (carbonUser){
-        page_data.permissions = userModule.getUIPermissions();
         }
-    return page_data;
+        if (lvalue != rvalue) {
+            return options.inverse(this);
+        } else {
+            return options.fn(this);
+        }
+    });
+    var userModule = require("/app/modules/user.js")["userModule"];
+    var mdmProps = require('/app/conf/reader/main.js')["conf"];
+    var constants = require("/app/modules/constants.js");
+    var uiPermissions = userModule.getUIPermissions();
+    context["permissions"] = uiPermissions;
+
+    var links = {
+        "user-mgt": [],
+        "role-mgt": [],
+        "policy-mgt": [],
+        "device-mgt": []
+    };
+
+    // following context.link value comes here based on the value passed at the point
+    // where units are attached to a page zone.
+    // eg: {{unit "appbar" pageLink="users" title="User Management"}}
+    context["currentActions"] = links[context["pageLink"]];
+    context["enrollmentURL"] = mdmProps["generalConfig"]["host"] + mdmProps["enrollmentDir"];
+    var  isAuthorizedForNotifications =
+        userModule.isAuthorized("/permission/admin/device-mgt/emm-admin/notifications/view");
+    var currentUser = session.get(constants["USER_SESSION_KEY"]);
+    context["isAuthorizedForNotifications"] = isAuthorizedForNotifications;
+    context["currentUser"] = currentUser;
+    context["appContext"] = mdmProps["appContext"];
+
+    return context;
 }

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.ui.navbar.nav-menu/public/js/jquery.qrcode.min.js

@@ -0,0 +1,47 @@
+//---------------------------------------------------------------------
+// QRCode for JavaScript
+//
+// Copyright (c) 2009 Kazuhiko Arase
+//
+// URL: http://www.d-project.com/
+//
+// Licensed under the MIT license:
+//   http://www.opensource.org/licenses/mit-license.php
+//
+// The word "QR Code" is registered trademark of
+// DENSO WAVE INCORPORATED
+//   http://www.denso-wave.com/qrcode/faqpatent-e.html
+//
+//---------------------------------------------------------------------
+
+//---------------------------------------------------------------------
+// QR8bitByte
+//---------------------------------------------------------------------
+(function(r){r.fn.qrcode=function(h){var s;function u(a){this.mode=s;this.data=a}function o(a,c){this.typeNumber=a;this.errorCorrectLevel=c;this.modules=null;this.moduleCount=0;this.dataCache=null;this.dataList=[]}function q(a,c){if(void 0==a.length)throw Error(a.length+"/"+c);for(var d=0;d<a.length&&0==a[d];)d++;this.num=Array(a.length-d+c);for(var b=0;b<a.length-d;b++)this.num[b]=a[b+d]}function p(a,c){this.totalCount=a;this.dataCount=c}function t(){this.buffer=[];this.length=0}u.prototype={getLength:function(){return this.data.length},
+    write:function(a){for(var c=0;c<this.data.length;c++)a.put(this.data.charCodeAt(c),8)}};o.prototype={addData:function(a){this.dataList.push(new u(a));this.dataCache=null},isDark:function(a,c){if(0>a||this.moduleCount<=a||0>c||this.moduleCount<=c)throw Error(a+","+c);return this.modules[a][c]},getModuleCount:function(){return this.moduleCount},make:function(){if(1>this.typeNumber){for(var a=1,a=1;40>a;a++){for(var c=p.getRSBlocks(a,this.errorCorrectLevel),d=new t,b=0,e=0;e<c.length;e++)b+=c[e].dataCount;
+    for(e=0;e<this.dataList.length;e++)c=this.dataList[e],d.put(c.mode,4),d.put(c.getLength(),j.getLengthInBits(c.mode,a)),c.write(d);if(d.getLengthInBits()<=8*b)break}this.typeNumber=a}this.makeImpl(!1,this.getBestMaskPattern())},makeImpl:function(a,c){this.moduleCount=4*this.typeNumber+17;this.modules=Array(this.moduleCount);for(var d=0;d<this.moduleCount;d++){this.modules[d]=Array(this.moduleCount);for(var b=0;b<this.moduleCount;b++)this.modules[d][b]=null}this.setupPositionProbePattern(0,0);this.setupPositionProbePattern(this.moduleCount-
+7,0);this.setupPositionProbePattern(0,this.moduleCount-7);this.setupPositionAdjustPattern();this.setupTimingPattern();this.setupTypeInfo(a,c);7<=this.typeNumber&&this.setupTypeNumber(a);null==this.dataCache&&(this.dataCache=o.createData(this.typeNumber,this.errorCorrectLevel,this.dataList));this.mapData(this.dataCache,c)},setupPositionProbePattern:function(a,c){for(var d=-1;7>=d;d++)if(!(-1>=a+d||this.moduleCount<=a+d))for(var b=-1;7>=b;b++)-1>=c+b||this.moduleCount<=c+b||(this.modules[a+d][c+b]=
+    0<=d&&6>=d&&(0==b||6==b)||0<=b&&6>=b&&(0==d||6==d)||2<=d&&4>=d&&2<=b&&4>=b?!0:!1)},getBestMaskPattern:function(){for(var a=0,c=0,d=0;8>d;d++){this.makeImpl(!0,d);var b=j.getLostPoint(this);if(0==d||a>b)a=b,c=d}return c},createMovieClip:function(a,c,d){a=a.createEmptyMovieClip(c,d);this.make();for(c=0;c<this.modules.length;c++)for(var d=1*c,b=0;b<this.modules[c].length;b++){var e=1*b;this.modules[c][b]&&(a.beginFill(0,100),a.moveTo(e,d),a.lineTo(e+1,d),a.lineTo(e+1,d+1),a.lineTo(e,d+1),a.endFill())}return a},
+    setupTimingPattern:function(){for(var a=8;a<this.moduleCount-8;a++)null==this.modules[a][6]&&(this.modules[a][6]=0==a%2);for(a=8;a<this.moduleCount-8;a++)null==this.modules[6][a]&&(this.modules[6][a]=0==a%2)},setupPositionAdjustPattern:function(){for(var a=j.getPatternPosition(this.typeNumber),c=0;c<a.length;c++)for(var d=0;d<a.length;d++){var b=a[c],e=a[d];if(null==this.modules[b][e])for(var f=-2;2>=f;f++)for(var i=-2;2>=i;i++)this.modules[b+f][e+i]=-2==f||2==f||-2==i||2==i||0==f&&0==i?!0:!1}},setupTypeNumber:function(a){for(var c=
+        j.getBCHTypeNumber(this.typeNumber),d=0;18>d;d++){var b=!a&&1==(c>>d&1);this.modules[Math.floor(d/3)][d%3+this.moduleCount-8-3]=b}for(d=0;18>d;d++)b=!a&&1==(c>>d&1),this.modules[d%3+this.moduleCount-8-3][Math.floor(d/3)]=b},setupTypeInfo:function(a,c){for(var d=j.getBCHTypeInfo(this.errorCorrectLevel<<3|c),b=0;15>b;b++){var e=!a&&1==(d>>b&1);6>b?this.modules[b][8]=e:8>b?this.modules[b+1][8]=e:this.modules[this.moduleCount-15+b][8]=e}for(b=0;15>b;b++)e=!a&&1==(d>>b&1),8>b?this.modules[8][this.moduleCount-
+    b-1]=e:9>b?this.modules[8][15-b-1+1]=e:this.modules[8][15-b-1]=e;this.modules[this.moduleCount-8][8]=!a},mapData:function(a,c){for(var d=-1,b=this.moduleCount-1,e=7,f=0,i=this.moduleCount-1;0<i;i-=2)for(6==i&&i--;;){for(var g=0;2>g;g++)if(null==this.modules[b][i-g]){var n=!1;f<a.length&&(n=1==(a[f]>>>e&1));j.getMask(c,b,i-g)&&(n=!n);this.modules[b][i-g]=n;e--; -1==e&&(f++,e=7)}b+=d;if(0>b||this.moduleCount<=b){b-=d;d=-d;break}}}};o.PAD0=236;o.PAD1=17;o.createData=function(a,c,d){for(var c=p.getRSBlocks(a,
+    c),b=new t,e=0;e<d.length;e++){var f=d[e];b.put(f.mode,4);b.put(f.getLength(),j.getLengthInBits(f.mode,a));f.write(b)}for(e=a=0;e<c.length;e++)a+=c[e].dataCount;if(b.getLengthInBits()>8*a)throw Error("code length overflow. ("+b.getLengthInBits()+">"+8*a+")");for(b.getLengthInBits()+4<=8*a&&b.put(0,4);0!=b.getLengthInBits()%8;)b.putBit(!1);for(;!(b.getLengthInBits()>=8*a);){b.put(o.PAD0,8);if(b.getLengthInBits()>=8*a)break;b.put(o.PAD1,8)}return o.createBytes(b,c)};o.createBytes=function(a,c){for(var d=
+    0,b=0,e=0,f=Array(c.length),i=Array(c.length),g=0;g<c.length;g++){var n=c[g].dataCount,h=c[g].totalCount-n,b=Math.max(b,n),e=Math.max(e,h);f[g]=Array(n);for(var k=0;k<f[g].length;k++)f[g][k]=255&a.buffer[k+d];d+=n;k=j.getErrorCorrectPolynomial(h);n=(new q(f[g],k.getLength()-1)).mod(k);i[g]=Array(k.getLength()-1);for(k=0;k<i[g].length;k++)h=k+n.getLength()-i[g].length,i[g][k]=0<=h?n.get(h):0}for(k=g=0;k<c.length;k++)g+=c[k].totalCount;d=Array(g);for(k=n=0;k<b;k++)for(g=0;g<c.length;g++)k<f[g].length&&
+(d[n++]=f[g][k]);for(k=0;k<e;k++)for(g=0;g<c.length;g++)k<i[g].length&&(d[n++]=i[g][k]);return d};s=4;for(var j={PATTERN_POSITION_TABLE:[[],[6,18],[6,22],[6,26],[6,30],[6,34],[6,22,38],[6,24,42],[6,26,46],[6,28,50],[6,30,54],[6,32,58],[6,34,62],[6,26,46,66],[6,26,48,70],[6,26,50,74],[6,30,54,78],[6,30,56,82],[6,30,58,86],[6,34,62,90],[6,28,50,72,94],[6,26,50,74,98],[6,30,54,78,102],[6,28,54,80,106],[6,32,58,84,110],[6,30,58,86,114],[6,34,62,90,118],[6,26,50,74,98,122],[6,30,54,78,102,126],[6,26,52,
+    78,104,130],[6,30,56,82,108,134],[6,34,60,86,112,138],[6,30,58,86,114,142],[6,34,62,90,118,146],[6,30,54,78,102,126,150],[6,24,50,76,102,128,154],[6,28,54,80,106,132,158],[6,32,58,84,110,136,162],[6,26,54,82,110,138,166],[6,30,58,86,114,142,170]],G15:1335,G18:7973,G15_MASK:21522,getBCHTypeInfo:function(a){for(var c=a<<10;0<=j.getBCHDigit(c)-j.getBCHDigit(j.G15);)c^=j.G15<<j.getBCHDigit(c)-j.getBCHDigit(j.G15);return(a<<10|c)^j.G15_MASK},getBCHTypeNumber:function(a){for(var c=a<<12;0<=j.getBCHDigit(c)-
+j.getBCHDigit(j.G18);)c^=j.G18<<j.getBCHDigit(c)-j.getBCHDigit(j.G18);return a<<12|c},getBCHDigit:function(a){for(var c=0;0!=a;)c++,a>>>=1;return c},getPatternPosition:function(a){return j.PATTERN_POSITION_TABLE[a-1]},getMask:function(a,c,d){switch(a){case 0:return 0==(c+d)%2;case 1:return 0==c%2;case 2:return 0==d%3;case 3:return 0==(c+d)%3;case 4:return 0==(Math.floor(c/2)+Math.floor(d/3))%2;case 5:return 0==c*d%2+c*d%3;case 6:return 0==(c*d%2+c*d%3)%2;case 7:return 0==(c*d%3+(c+d)%2)%2;default:throw Error("bad maskPattern:"+
+a);}},getErrorCorrectPolynomial:function(a){for(var c=new q([1],0),d=0;d<a;d++)c=c.multiply(new q([1,l.gexp(d)],0));return c},getLengthInBits:function(a,c){if(1<=c&&10>c)switch(a){case 1:return 10;case 2:return 9;case s:return 8;case 8:return 8;default:throw Error("mode:"+a);}else if(27>c)switch(a){case 1:return 12;case 2:return 11;case s:return 16;case 8:return 10;default:throw Error("mode:"+a);}else if(41>c)switch(a){case 1:return 14;case 2:return 13;case s:return 16;case 8:return 12;default:throw Error("mode:"+
+a);}else throw Error("type:"+c);},getLostPoint:function(a){for(var c=a.getModuleCount(),d=0,b=0;b<c;b++)for(var e=0;e<c;e++){for(var f=0,i=a.isDark(b,e),g=-1;1>=g;g++)if(!(0>b+g||c<=b+g))for(var h=-1;1>=h;h++)0>e+h||c<=e+h||0==g&&0==h||i==a.isDark(b+g,e+h)&&f++;5<f&&(d+=3+f-5)}for(b=0;b<c-1;b++)for(e=0;e<c-1;e++)if(f=0,a.isDark(b,e)&&f++,a.isDark(b+1,e)&&f++,a.isDark(b,e+1)&&f++,a.isDark(b+1,e+1)&&f++,0==f||4==f)d+=3;for(b=0;b<c;b++)for(e=0;e<c-6;e++)a.isDark(b,e)&&!a.isDark(b,e+1)&&a.isDark(b,e+
+2)&&a.isDark(b,e+3)&&a.isDark(b,e+4)&&!a.isDark(b,e+5)&&a.isDark(b,e+6)&&(d+=40);for(e=0;e<c;e++)for(b=0;b<c-6;b++)a.isDark(b,e)&&!a.isDark(b+1,e)&&a.isDark(b+2,e)&&a.isDark(b+3,e)&&a.isDark(b+4,e)&&!a.isDark(b+5,e)&&a.isDark(b+6,e)&&(d+=40);for(e=f=0;e<c;e++)for(b=0;b<c;b++)a.isDark(b,e)&&f++;a=Math.abs(100*f/c/c-50)/5;return d+10*a}},l={glog:function(a){if(1>a)throw Error("glog("+a+")");return l.LOG_TABLE[a]},gexp:function(a){for(;0>a;)a+=255;for(;256<=a;)a-=255;return l.EXP_TABLE[a]},EXP_TABLE:Array(256),
+    LOG_TABLE:Array(256)},m=0;8>m;m++)l.EXP_TABLE[m]=1<<m;for(m=8;256>m;m++)l.EXP_TABLE[m]=l.EXP_TABLE[m-4]^l.EXP_TABLE[m-5]^l.EXP_TABLE[m-6]^l.EXP_TABLE[m-8];for(m=0;255>m;m++)l.LOG_TABLE[l.EXP_TABLE[m]]=m;q.prototype={get:function(a){return this.num[a]},getLength:function(){return this.num.length},multiply:function(a){for(var c=Array(this.getLength()+a.getLength()-1),d=0;d<this.getLength();d++)for(var b=0;b<a.getLength();b++)c[d+b]^=l.gexp(l.glog(this.get(d))+l.glog(a.get(b)));return new q(c,0)},mod:function(a){if(0>
+    this.getLength()-a.getLength())return this;for(var c=l.glog(this.get(0))-l.glog(a.get(0)),d=Array(this.getLength()),b=0;b<this.getLength();b++)d[b]=this.get(b);for(b=0;b<a.getLength();b++)d[b]^=l.gexp(l.glog(a.get(b))+c);return(new q(d,0)).mod(a)}};p.RS_BLOCK_TABLE=[[1,26,19],[1,26,16],[1,26,13],[1,26,9],[1,44,34],[1,44,28],[1,44,22],[1,44,16],[1,70,55],[1,70,44],[2,35,17],[2,35,13],[1,100,80],[2,50,32],[2,50,24],[4,25,9],[1,134,108],[2,67,43],[2,33,15,2,34,16],[2,33,11,2,34,12],[2,86,68],[4,43,27],
+    [4,43,19],[4,43,15],[2,98,78],[4,49,31],[2,32,14,4,33,15],[4,39,13,1,40,14],[2,121,97],[2,60,38,2,61,39],[4,40,18,2,41,19],[4,40,14,2,41,15],[2,146,116],[3,58,36,2,59,37],[4,36,16,4,37,17],[4,36,12,4,37,13],[2,86,68,2,87,69],[4,69,43,1,70,44],[6,43,19,2,44,20],[6,43,15,2,44,16],[4,101,81],[1,80,50,4,81,51],[4,50,22,4,51,23],[3,36,12,8,37,13],[2,116,92,2,117,93],[6,58,36,2,59,37],[4,46,20,6,47,21],[7,42,14,4,43,15],[4,133,107],[8,59,37,1,60,38],[8,44,20,4,45,21],[12,33,11,4,34,12],[3,145,115,1,146,
+        116],[4,64,40,5,65,41],[11,36,16,5,37,17],[11,36,12,5,37,13],[5,109,87,1,110,88],[5,65,41,5,66,42],[5,54,24,7,55,25],[11,36,12],[5,122,98,1,123,99],[7,73,45,3,74,46],[15,43,19,2,44,20],[3,45,15,13,46,16],[1,135,107,5,136,108],[10,74,46,1,75,47],[1,50,22,15,51,23],[2,42,14,17,43,15],[5,150,120,1,151,121],[9,69,43,4,70,44],[17,50,22,1,51,23],[2,42,14,19,43,15],[3,141,113,4,142,114],[3,70,44,11,71,45],[17,47,21,4,48,22],[9,39,13,16,40,14],[3,135,107,5,136,108],[3,67,41,13,68,42],[15,54,24,5,55,25],[15,
+        43,15,10,44,16],[4,144,116,4,145,117],[17,68,42],[17,50,22,6,51,23],[19,46,16,6,47,17],[2,139,111,7,140,112],[17,74,46],[7,54,24,16,55,25],[34,37,13],[4,151,121,5,152,122],[4,75,47,14,76,48],[11,54,24,14,55,25],[16,45,15,14,46,16],[6,147,117,4,148,118],[6,73,45,14,74,46],[11,54,24,16,55,25],[30,46,16,2,47,17],[8,132,106,4,133,107],[8,75,47,13,76,48],[7,54,24,22,55,25],[22,45,15,13,46,16],[10,142,114,2,143,115],[19,74,46,4,75,47],[28,50,22,6,51,23],[33,46,16,4,47,17],[8,152,122,4,153,123],[22,73,45,
+        3,74,46],[8,53,23,26,54,24],[12,45,15,28,46,16],[3,147,117,10,148,118],[3,73,45,23,74,46],[4,54,24,31,55,25],[11,45,15,31,46,16],[7,146,116,7,147,117],[21,73,45,7,74,46],[1,53,23,37,54,24],[19,45,15,26,46,16],[5,145,115,10,146,116],[19,75,47,10,76,48],[15,54,24,25,55,25],[23,45,15,25,46,16],[13,145,115,3,146,116],[2,74,46,29,75,47],[42,54,24,1,55,25],[23,45,15,28,46,16],[17,145,115],[10,74,46,23,75,47],[10,54,24,35,55,25],[19,45,15,35,46,16],[17,145,115,1,146,116],[14,74,46,21,75,47],[29,54,24,19,
+        55,25],[11,45,15,46,46,16],[13,145,115,6,146,116],[14,74,46,23,75,47],[44,54,24,7,55,25],[59,46,16,1,47,17],[12,151,121,7,152,122],[12,75,47,26,76,48],[39,54,24,14,55,25],[22,45,15,41,46,16],[6,151,121,14,152,122],[6,75,47,34,76,48],[46,54,24,10,55,25],[2,45,15,64,46,16],[17,152,122,4,153,123],[29,74,46,14,75,47],[49,54,24,10,55,25],[24,45,15,46,46,16],[4,152,122,18,153,123],[13,74,46,32,75,47],[48,54,24,14,55,25],[42,45,15,32,46,16],[20,147,117,4,148,118],[40,75,47,7,76,48],[43,54,24,22,55,25],[10,
+        45,15,67,46,16],[19,148,118,6,149,119],[18,75,47,31,76,48],[34,54,24,34,55,25],[20,45,15,61,46,16]];p.getRSBlocks=function(a,c){var d=p.getRsBlockTable(a,c);if(void 0==d)throw Error("bad rs block @ typeNumber:"+a+"/errorCorrectLevel:"+c);for(var b=d.length/3,e=[],f=0;f<b;f++)for(var h=d[3*f+0],g=d[3*f+1],j=d[3*f+2],l=0;l<h;l++)e.push(new p(g,j));return e};p.getRsBlockTable=function(a,c){switch(c){case 1:return p.RS_BLOCK_TABLE[4*(a-1)+0];case 0:return p.RS_BLOCK_TABLE[4*(a-1)+1];case 3:return p.RS_BLOCK_TABLE[4*
+(a-1)+2];case 2:return p.RS_BLOCK_TABLE[4*(a-1)+3]}};t.prototype={get:function(a){return 1==(this.buffer[Math.floor(a/8)]>>>7-a%8&1)},put:function(a,c){for(var d=0;d<c;d++)this.putBit(1==(a>>>c-d-1&1))},getLengthInBits:function(){return this.length},putBit:function(a){var c=Math.floor(this.length/8);this.buffer.length<=c&&this.buffer.push(0);a&&(this.buffer[c]|=128>>>this.length%8);this.length++}};"string"===typeof h&&(h={text:h});h=r.extend({},{render:"canvas",width:256,height:256,typeNumber:-1,
+    correctLevel:2,background:"#ffffff",foreground:"#000000"},h);return this.each(function(){var a;if("canvas"==h.render){a=new o(h.typeNumber,h.correctLevel);a.addData(h.text);a.make();var c=document.createElement("canvas");c.width=h.width;c.height=h.height;for(var d=c.getContext("2d"),b=h.width/a.getModuleCount(),e=h.height/a.getModuleCount(),f=0;f<a.getModuleCount();f++)for(var i=0;i<a.getModuleCount();i++){d.fillStyle=a.isDark(f,i)?h.foreground:h.background;var g=Math.ceil((i+1)*b)-Math.floor(i*b),
+    j=Math.ceil((f+1)*b)-Math.floor(f*b);d.fillRect(Math.round(i*b),Math.round(f*e),g,j)}}else{a=new o(h.typeNumber,h.correctLevel);a.addData(h.text);a.make();c=r("<table></table>").css("width",h.width+"px").css("height",h.height+"px").css("border","0px").css("border-collapse","collapse").css("background-color",h.background);d=h.width/a.getModuleCount();b=h.height/a.getModuleCount();for(e=0;e<a.getModuleCount();e++){f=r("<tr></tr>").css("height",b+"px").appendTo(c);for(i=0;i<a.getModuleCount();i++)r("<td></td>").css("width",
+    d+"px").css("background-color",a.isDark(e,i)?h.foreground:h.background).appendTo(f)}}a=c;jQuery(a).appendTo(this)})}})(jQuery);

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.ui.navbar.nav-menu/public/js/nav-menu.js

@@ -0,0 +1,351 @@
+/*
+ * Copyright (c) 2015, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+var modalPopup = ".wr-modalpopup",
+    modalPopupContainer = modalPopup + " .modalpopup-container",
+    modalPopupContent = modalPopup + " .modalpopup-content";
+
+var emmAdminBasePath = "/api/device-mgt/v1.0";
+
+/*
+ * set popup maximum height function.
+ */
+function setPopupMaxHeight() {
+    var maxHeight = "max-height";
+    var marginTop = "margin-top";
+    var body = "body";
+    $(modalPopupContent).css(maxHeight, ($(body).height() - ($(body).height() / 100 * 30)));
+    $(modalPopupContainer).css(marginTop, (-($(modalPopupContainer).height() / 2)));
+}
+
+/*
+ * show popup function.
+ */
+function showPopup() {
+    $(modalPopup).show();
+    setPopupMaxHeight();
+}
+
+/*
+ * hide popup function.
+ */
+function hidePopup() {
+    $(modalPopupContent).html("");
+    $(modalPopupContent).removeClass("operation-data");
+    $(modalPopup).hide();
+}
+
+var updateNotificationCount = function (data, textStatus, jqXHR) {
+    if (jqXHR.status == 200 && data) {
+        var responsePayload = JSON.parse(data);
+        var newNotificationsCount = responsePayload.count;
+        if (newNotificationsCount > 0) {
+            $("#notification-bubble").html(newNotificationsCount);
+        }
+//        } else {
+//            $("#notification-bubble").html("Error");
+//        }
+    }
+};
+
+function loadNotificationsPanel() {
+    if ("true" == $("#right-sidebar").attr("is-authorized")) {
+        var serviceURL = emmAdminBasePath + "/notifications?status=NEW";
+        invokerUtil.get(serviceURL, updateNotificationCount, hideNotificationCount);
+        loadNewNotifications();
+    } else {
+        $("#notification-bubble-wrapper").remove();
+    }
+}
+
+function hideNotificationCount(jqXHR) {
+    if (jqXHR.status == 404) {
+        // this means "no new notifications to show"
+        $("#notification-bubble").hide();
+    } else {
+        $("#notification-bubble").html("Error");
+    }
+}
+
+function loadNewNotifications() {
+    var messageSideBar = ".sidebar-messages";
+    if ($("#right-sidebar").attr("is-authorized") == "true") {
+        var notifications = $("#notifications");
+        var currentUser = notifications.data("currentUser");
+
+        $.template("notification-listing", notifications.attr("src"), function (template) {
+            var serviceURL = emmAdminBasePath + "/notifications?status=NEW";
+
+            var successCallback = function (data, textStatus, jqXHR) {
+                if (jqXHR.status == 200 && data) {
+                    var viewModel = {};
+                    var responsePayload = JSON.parse(data);
+
+                    if (responsePayload.notifications) {
+                        viewModel.notifications = responsePayload.notifications;
+                        if (responsePayload.count > 0) {
+                            $(messageSideBar).html(template(viewModel));
+                        } else {
+                            $(messageSideBar).html("<h4 class='text-center'>No new notifications found...</h4>");
+                        }
+                    } else {
+                        $(messageSideBar).html("<h4 class ='message-danger'>Unexpected error occurred while loading new notifications.</h4>");
+                    }
+                }
+            };
+            var errorCallback = function (jqXHR) {
+                if (jqXHR.status = 500) {
+                    $(messageSideBar).html("<h4 class ='message-danger'>Unexpected error occurred while trying " +
+                        "to retrieve any new notifications.</h4>");
+                }
+            };
+            invokerUtil.get(serviceURL, successCallback, errorCallback);
+        });
+    } else {
+        $(messageSideBar).html("<h4 class ='message-danger'>You are not authorized to view notifications</h4>");
+    }
+}
+
+/**
+ * Toggle function for
+ * notification listing sidebar.
+ * @return {Null}
+ */
+$.sidebar_toggle = function (action, target, container) {
+    var elem = '[data-toggle=sidebar]',
+        button,
+        containerOffsetLeft,
+        containerOffsetRight,
+        targetOffsetLeft,
+        targetOffsetRight,
+        targetWidth,
+        targetSide,
+        relationship,
+        pushType,
+        buttonParent;
+
+    var sidebar_window = {
+        update: function (target, container, button) {
+            containerOffsetLeft = $(container).data('offset-left') ? $(container).data('offset-left') : 0;
+            containerOffsetRight = $(container).data('offset-right') ? $(container).data('offset-right') : 0;
+            targetOffsetLeft = $(target).data('offset-left') ? $(target).data('offset-left') : 0;
+            targetOffsetRight = $(target).data('offset-right') ? $(target).data('offset-right') : 0;
+            targetWidth = $(target).data('width');
+            targetSide = $(target).data("side");
+            pushType = $(container).parent().is('body') == true ? 'padding' : 'margin';
+
+            if (button !== undefined) {
+                relationship = button.attr('rel') ? button.attr('rel') : '';
+                buttonParent = $(button).parent();
+            }
+        },
+
+        show: function () {
+            if ($(target).data('sidebar-fixed') == true) {
+                $(target).height($(window).height() - $(target).data('fixed-offset'));
+            }
+            $(target).trigger('show.sidebar');
+            if (targetWidth !== undefined) {
+                $(target).css('width', targetWidth);
+            }
+            $(target).addClass('toggled');
+            if (button !== undefined) {
+                if (relationship !== '') {
+                    // Removing active class from all relative buttons
+                    $(elem + '[rel=' + relationship + ']:not([data-handle=close])').removeClass("active");
+                    $(elem + '[rel=' + relationship + ']:not([data-handle=close])').attr('aria-expanded', 'false');
+                }
+                // Adding active class to button
+                if (button.attr('data-handle') !== 'close') {
+                    button.addClass("active");
+                    button.attr('aria-expanded', 'true');
+                }
+                if (buttonParent.is('li')) {
+                    if (relationship !== '') {
+                        $(elem + '[rel=' + relationship + ']:not([data-handle=close])').parent().removeClass("active");
+                        $(elem + '[rel=' + relationship + ']:not([data-handle=close])').parent().
+                        attr('aria-expanded', 'false');
+                    }
+                    buttonParent.addClass("active");
+                    buttonParent.attr('aria-expanded', 'true');
+                }
+            }
+            // Sidebar open function
+            if (targetSide == 'left') {
+                if ((button !== undefined) && (button.attr('data-container-divide'))) {
+                    $(container).css(pushType + '-' + targetSide, targetWidth + targetOffsetLeft);
+                }
+                $(target).css(targetSide, targetOffsetLeft);
+            } else if (targetSide == 'right') {
+                if ((button !== undefined) && (button.attr('data-container-divide'))) {
+                    $(container).css(pushType + '-' + targetSide, targetWidth + targetOffsetRight);
+                }
+                $(target).css(targetSide, targetOffsetRight);
+            }
+            $(target).trigger('shown.sidebar');
+        },
+
+        hide: function () {
+            $(target).trigger('hide.sidebar');
+            $(target).removeClass('toggled');
+            if (button !== undefined) {
+                if (relationship !== '') {
+                    // Removing active class from all relative buttons
+                    $(elem + '[rel=' + relationship + ']:not([data-handle=close])').removeClass("active");
+                    $(elem + '[rel=' + relationship + ']:not([data-handle=close])').attr('aria-expanded', 'false');
+                }
+                // Removing active class from button
+                if (button.attr('data-handle') !== 'close') {
+                    button.removeClass("active");
+                    button.attr('aria-expanded', 'false');
+                }
+                if ($(button).parent().is('li')) {
+                    if (relationship !== '') {
+                        $(elem + '[rel=' + relationship + ']:not([data-handle=close])').parent().removeClass("active");
+                        $(elem + '[rel=' + relationship + ']:not([data-handle=close])').parent().
+                        attr('aria-expanded', 'false');
+                    }
+                }
+            }
+            // Sidebar close function
+            if (targetSide == 'left') {
+                if ((button !== undefined) && (button.attr('data-container-divide'))) {
+                    $(container).css(pushType + '-' + targetSide, targetOffsetLeft);
+                }
+                $(target).css(targetSide, -Math.abs(targetWidth + targetOffsetLeft));
+            } else if (targetSide == 'right') {
+                if ((button !== undefined) && (button.attr('data-container-divide'))) {
+                    $(container).css(pushType + '-' + targetSide, targetOffsetRight);
+                }
+                $(target).css(targetSide, -Math.abs(targetWidth + targetOffsetRight));
+            }
+            $(target).trigger('hidden.sidebar');
+        }
+    };
+    if (action === 'show') {
+        sidebar_window.update(target, container);
+        sidebar_window.show();
+    }
+    if (action === 'hide') {
+        sidebar_window.update(target, container);
+        sidebar_window.hide();
+    }
+    // binding click function
+    var body = 'body';
+    $(body).off('click', elem);
+    $(body).on('click', elem, function (e) {
+        e.preventDefault();
+        button = $(this);
+        container = button.data('container');
+        target = button.data('target');
+        sidebar_window.update(target, container, button);
+        /**
+         * Sidebar function on data container divide
+         * @return {Null}
+         */
+        if (button.attr('aria-expanded') == 'false') {
+            sidebar_window.show();
+        } else if (button.attr('aria-expanded') == 'true') {
+            sidebar_window.hide();
+        }
+    });
+};
+
+$.fn.collapse_nav_sub = function () {
+    var navSelector = 'ul.nav';
+
+    if (!$(navSelector).hasClass('collapse-nav-sub')) {
+        $(navSelector + ' > li', this).each(function () {
+            var position = $(this).offset().left - $(this).parent().scrollLeft();
+            $(this).attr('data-absolute-position', (position + 5));
+        });
+
+        $(navSelector + ' li', this).each(function () {
+            if ($('ul', this).length !== 0) {
+                $(this).addClass('has-sub');
+            }
+        });
+
+        $(navSelector + ' > li', this).each(function () {
+            $(this).css({
+                'left': $(this).data('absolute-position'),
+                'position': 'absolute'
+            });
+        });
+
+        $(navSelector + ' li.has-sub', this).on('click', function () {
+            var elem = $(this);
+            if (elem.attr('aria-expanded') !== 'true') {
+                elem.siblings().fadeOut(100, function () {
+                    elem.animate({'left': '15'}, 200, function () {
+                        $(elem).first().children('ul').fadeIn(200);
+                    });
+                });
+                elem.siblings().attr('aria-expanded', 'false');
+                elem.attr('aria-expanded', 'true');
+            } else {
+                $(elem).first().children('ul').fadeOut(100, function () {
+                    elem.animate({'left': $(elem).data('absolute-position')}, 200, function () {
+                        elem.siblings().fadeIn(100);
+                    });
+                });
+                elem.siblings().attr('aria-expanded', 'false');
+                elem.attr('aria-expanded', 'false');
+            }
+        });
+
+        $(navSelector + ' > li.has-sub ul', this).on('click', function (e) {
+            e.stopPropagation();
+        });
+        $(navSelector).addClass('collapse-nav-sub');
+    }
+};
+
+$(document).ready(function () {
+    loadNotificationsPanel();
+    $.sidebar_toggle();
+
+    $("#right-sidebar").on("click", ".new-notification", function () {
+        var notificationId = $(this).data("id");
+        var redirectUrl = $(this).data("url");
+        var markAsReadNotificationsAPI = "/mdm-admin/notifications/" + notificationId + "/CHECKED";
+        var messageSideBar = ".sidebar-messages";
+
+        invokerUtil.put(
+            markAsReadNotificationsAPI,
+            null,
+            function (data) {
+                data = JSON.parse(data);
+                if (data.statusCode == responseCodes["ACCEPTED"]) {
+                    location.href = redirectUrl;
+                }
+            }, function () {
+                var content = "<li class='message message-danger'><h4><i class='icon fw fw-error'></i>Warning</h4>" +
+                    "<p>Unexpected error occurred while loading notification. Please refresh the page and" +
+                    " try again</p></li>";
+                $(messageSideBar).html(content);
+            }
+        );
+    });
+
+    if (typeof $.fn.collapse == 'function') {
+        $('.navbar-collapse.tiles').on('shown.bs.collapse', function () {
+            $(this).collapse_nav_sub();
+        });
+    }
+});

components/device-mgt/org.wso2.carbon.device.mgt.ui/src/main/resources/jaggeryapps/devicemgt/app/units/cdmf.unit.ui.navbar.nav-menu/public/templates/notifications.hbs

@@ -0,0 +1,14 @@
+{{#each notifications}}
+    <li class="message message-info" data-type="selectable" >
+        <h4>
+            <i class="icon fw fw-info"></i>
+            <a href="device?type={{deviceIdentifier.type}}&id={{deviceIdentifier.id}}"
+               data-id="{{notificationId}}"
+               data-url="device?type={{deviceIdentifier.type}}&id={{deviceIdentifier.id}}"
+               class="new-notification" data-click-event="remove-form">
+                Device Type : {{deviceIdentifier.type}}
+            </a>
+        </h4>
+        <p>{{description}}</p>
+    </li>
+{{/each}}

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/pom.xml

@@ -50,6 +50,10 @@
             <groupId>org.wso2.carbon.apimgt</groupId>
             <artifactId>org.wso2.carbon.apimgt.impl</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.apimgt</groupId>
+            <artifactId>org.wso2.carbon.apimgt.keymgt</artifactId>
+        </dependency>
         <dependency>
             <groupId>com.googlecode.json-simple.wso2</groupId>
             <artifactId>json-simple</artifactId>
@@ -95,40 +99,41 @@
                             org.wso2.carbon.device.mgt.*,
                             org.wso2.carbon.identity.application.common.model,
                             org.wso2.carbon.identity.oauth.callback,
-                            org.wso2.carbon.identity.oauth.common,
                             org.wso2.carbon.identity.oauth2,
                             org.wso2.carbon.identity.oauth2.model,
                             org.wso2.carbon.identity.oauth2.validators,
                             org.wso2.carbon.user.api,
                             org.wso2.carbon.user.core.service,
-                            org.wso2.carbon.identity.application.common.model,
-                            org.wso2.carbon.identity.application.authentication.framework.model,
                             org.wso2.carbon.user.core.tenant,
                             org.json.simple,
                             javax.cache,
-                            javax.xml.namespace,
-                            org.apache.axiom.om,
                             org.wso2.carbon.apimgt.api,
                             org.wso2.carbon.apimgt.impl,
                             org.wso2.carbon.apimgt.impl.dao,
                             org.wso2.carbon.apimgt.impl.utils,
-                            org.wso2.carbon.identity.application.common.cache,
                             org.wso2.carbon.identity.core.util,
                             org.wso2.carbon.identity.oauth2.dto,
                             org.wso2.carbon.identity.oauth2.token,
-                            org.wso2.carbon.identity.oauth2.token.handlers.grant,
+                            org.apache.oltu.oauth2.common.validators,
-                            org.wso2.carbon.user.core,
-                            org.wso2.carbon.user.core.config,
-                            org.wso2.carbon.user.core.util,
                             org.wso2.carbon.utils,
                             org.wso2.carbon.context,
                             org.wso2.carbon.identity.oauth.cache,
                             org.wso2.carbon.identity.oauth.config,
                             org.wso2.carbon.identity.oauth2.dao,
                             org.wso2.carbon.utils.multitenancy,
-                            org.wso2.carbon.base,
                             org.wso2.carbon.identity.oauth2.grant.jwt.*,
-                            org.wso2.carbon.device.mgt.core.*
+                            org.wso2.carbon.device.mgt.core.*,
+                            javax.xml.bind,
+                            javax.xml.bind.annotation,
+                            javax.xml.parsers,
+                            org.w3c.dom,
+                            org.wso2.carbon.apimgt.keymgt,
+                            org.wso2.carbon.apimgt.keymgt.handlers,
+                            com.google.gson,
+                            org.apache.commons.codec.binary,
+                            org.wso2.carbon.identity.application.authentication.framework.model,
+                            org.apache.oltu.oauth2.common,
+                            org.wso2.carbon.base
                         </Import-Package>
                     </instructions>
                 </configuration>

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/DeviceRequestDTO.java

@@ -0,0 +1,30 @@
+package org.wso2.carbon.device.mgt.oauth.extensions;
+
+import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
+
+import java.util.List;
+
+/**
+ * This class holds the request format for device for grant type.
+ */
+public class DeviceRequestDTO {
+
+    private List<DeviceIdentifier> deviceIdentifiers;
+    private String scope;
+
+    public List<DeviceIdentifier> getDeviceIdentifiers() {
+        return deviceIdentifiers;
+    }
+
+    public void setDeviceIdentifiers(List<DeviceIdentifier> deviceIdentifiers) {
+        this.deviceIdentifiers = deviceIdentifiers;
+    }
+
+    public String getScope() {
+        return scope;
+    }
+
+    public void setScope(String scope) {
+        this.scope = scope;
+    }
+}

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/OAuthConstants.java

@@ -0,0 +1,13 @@
+package org.wso2.carbon.device.mgt.oauth.extensions;
+
+
+/**
+ * This hold the OAuthConstants related oauth extensions.
+ */
+public class OAuthConstants {
+
+    public static final String DEFAULT_DEVICE_ASSERTION = "device";
+    public static final String DEFAULT_USERNAME_IDENTIFIER = "username";
+    public static final String DEFAULT_PASSWORD_IDENTIFIER = "password";
+
+}

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/OAuthExtUtils.java

@@ -18,17 +18,25 @@
 
 package org.wso2.carbon.device.mgt.oauth.extensions;
 
+import com.google.gson.Gson;
+import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.w3c.dom.Document;
 import org.wso2.carbon.apimgt.api.APIManagementException;
 import org.wso2.carbon.apimgt.impl.APIConstants;
 import org.wso2.carbon.apimgt.impl.dao.ApiMgtDAO;
 import org.wso2.carbon.apimgt.impl.utils.APIUtil;
+import org.wso2.carbon.apimgt.keymgt.ScopesIssuer;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
-import org.wso2.carbon.device.mgt.common.DeviceManagementException;
+import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException;
+import org.wso2.carbon.device.mgt.common.authorization.DeviceAuthorizationResult;
+import org.wso2.carbon.device.mgt.oauth.extensions.config.DeviceMgtScopesConfig;
+import org.wso2.carbon.device.mgt.oauth.extensions.config.DeviceMgtScopesConfigurationFailedException;
 import org.wso2.carbon.device.mgt.oauth.extensions.internal.OAuthExtensionsDataHolder;
 import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
+import org.wso2.carbon.identity.oauth2.model.RequestParameter;
 import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
 import org.wso2.carbon.user.api.TenantManager;
 import org.wso2.carbon.user.api.UserRealm;
@@ -36,6 +44,9 @@ import org.wso2.carbon.user.api.UserStoreException;
 import org.wso2.carbon.user.core.service.RealmService;
 
 import javax.cache.Caching;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import java.io.File;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -51,7 +62,8 @@ public class OAuthExtUtils {
     private static final String UI_EXECUTE = "ui.execute";
     private static final String REST_API_SCOPE_CACHE = "REST_API_SCOPE_CACHE";
     private static final int START_INDEX = 0;
-    private static final String CDMF_SCOPE_SEPERATOR = "/";
+    private static final String DEFAULT_SCOPE_TAG = "device-mgt";
+
     /**
      * This method is used to get the tenant id when given tenant domain.
      *
@@ -114,7 +126,7 @@ public class OAuthExtUtils {
                 restAPIScopesOfCurrentTenant = APIUtil.
                         getRESTAPIScopesFromConfig(APIUtil.getTenantRESTAPIScopesConfig(tenantDomain));
 
-                //call load tenant config for rest API.
+                //call load tenant org.wso2.carbon.device.mgt.iot.output.adapter.ui.config for rest API.
                 //then put cache
                 appScopes.putAll(restAPIScopesOfCurrentTenant);
                 Caching.getCacheManager(APIConstants.API_MANAGER_CACHE_MANAGER)
@@ -166,20 +178,6 @@ public class OAuthExtUtils {
         return false;
     }
 
-    /**
-     * Determines if the scope is specified with CDMF device scope prefix.
-     *
-     * @param scope - The scope key to check
-     * @return - 'true' if the scope has the prefix. 'false' if not.
-     */
-    private static boolean isCDMFDeviceSpecificScope(String scope) {
-        // load white listed scopes
-        if (scope.startsWith(OAuthExtensionsDataHolder.getInstance().getDeviceScope())) {
-            return true;
-        }
-        return false;
-    }
-
     /**
      * Get the set of default scopes. If a requested scope is matches with the patterns specified in the white list,
      * then such scopes will be issued without further validation. If the scope list is empty,
@@ -275,27 +273,6 @@ public class OAuthExtUtils {
                 else if (appScopes.containsKey(scope) || isWhiteListedScope(scope)) {
                     authorizedScopes.add(scope);
                 }
-
-                //check whether is device specific scope (CDMF)
-                else if (isCDMFDeviceSpecificScope(scope)) {
-                    PrivilegedCarbonContext.startTenantFlow();
-                    PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantId(tenantId, true);
-                    try {
-                        String deviceId[] = scope.split(CDMF_SCOPE_SEPERATOR);
-                        DeviceIdentifier deviceIdentifier = new DeviceIdentifier(deviceId[2], deviceId[1]);
-                        boolean enrolled = OAuthExtensionsDataHolder.getInstance().getDeviceManagementService().isEnrolled(
-                                deviceIdentifier, tokReqMsgCtx.getAuthorizedUser().getUserName());
-                        if (enrolled) {
-                            authorizedScopes.add(scope);
-                        }
-                    } catch (DeviceManagementException e) {
-                        log.error("Error occurred while checking device scope with CDMF", e);
-                    } catch (ArrayIndexOutOfBoundsException e) {
-                        log.error("Invalid scope format, have to adhere [prefix/devicetype/deviceId]", e);
-                    }finally {
-                        PrivilegedCarbonContext.endTenantFlow();
-                    }
-                }
             }
         } catch (UserStoreException e) {
             log.error("Error occurred while initializing user store.", e);
@@ -311,4 +288,82 @@ public class OAuthExtUtils {
         return trimmedName.substring(START_INDEX, trimmedName.lastIndexOf('@'));
     }
 
+    public static boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) {
+        boolean isScopesSet = ScopesIssuer.getInstance().setScopes(tokReqMsgCtx);
+        if (isScopesSet) {
+            PrivilegedCarbonContext.startTenantFlow();
+            PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(
+                    tokReqMsgCtx.getAuthorizedUser().getTenantDomain(), true);
+            String username = tokReqMsgCtx.getAuthorizedUser().getUserName();
+            PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(username);
+            try {
+
+                DeviceRequestDTO deviceRequestDTO = null;
+                RequestParameter parameters[] = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getRequestParameters();
+                for (RequestParameter parameter : parameters) {
+                    if (OAuthConstants.DEFAULT_DEVICE_ASSERTION.equals(parameter.getKey())) {
+                        String deviceJson = parameter.getValue()[0];
+                        Gson gson = new Gson();
+                        deviceRequestDTO = gson.fromJson(new String(Base64.decodeBase64(deviceJson)),
+                                                         DeviceRequestDTO.class);
+                    }
+                }
+                if (deviceRequestDTO != null) {
+                    String requestScopes = deviceRequestDTO.getScope();
+                    String scopeNames[] = requestScopes.split(" ");
+                    for (String scopeName : scopeNames) {
+                        List<DeviceIdentifier> deviceIdentifiers = deviceRequestDTO.getDeviceIdentifiers();
+                        DeviceAuthorizationResult deviceAuthorizationResult = OAuthExtensionsDataHolder.getInstance()
+                                .getDeviceAccessAuthorizationService()
+                                .isUserAuthorized(deviceIdentifiers, username, getPermissions(scopeName));
+                        if (deviceAuthorizationResult != null &&
+                                deviceAuthorizationResult.getAuthorizedDevices() != null) {
+                            String scopes[] = tokReqMsgCtx.getScope();
+                            String authorizedScopes[] = new String[scopes.length + deviceAuthorizationResult
+                                    .getAuthorizedDevices().size()];
+                            int scopeIndex = 0;
+                            for (String scope : scopes) {
+                                authorizedScopes[scopeIndex] = scope;
+                                scopeIndex++;
+                            }
+                            for (DeviceIdentifier deviceIdentifier : deviceAuthorizationResult.getAuthorizedDevices()) {
+                                authorizedScopes[scopeIndex] =
+                                        DEFAULT_SCOPE_TAG + ":" + deviceIdentifier.getType() + ":" +
+                                                deviceIdentifier.getId() + ":" + scopeName;
+                                scopeIndex++;
+                            }
+                            tokReqMsgCtx.setScope(authorizedScopes);
+                        }
+                    }
+                }
+            }  catch (DeviceAccessAuthorizationException e) {
+                log.error("Error occurred while checking authorization for the user " + username, e);
+            } finally {
+                PrivilegedCarbonContext.endTenantFlow();
+            }
+        }
+        return isScopesSet;
+    }
+
+    /**
+     * retrieve the permission related to given scope.
+     * @param scopeName requested scope action
+     * @return set of permission associated with the given scope.
+     */
+    private static String[] getPermissions(String scopeName) {
+        return DeviceMgtScopesConfig.getInstance().getDeviceMgtScopePermissionMap().get(scopeName);
+    }
+
+    public static Document convertToDocument(File file) throws DeviceMgtScopesConfigurationFailedException {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        factory.setNamespaceAware(true);
+        try {
+            DocumentBuilder docBuilder = factory.newDocumentBuilder();
+            return docBuilder.parse(file);
+        } catch (Exception e) {
+            throw new DeviceMgtScopesConfigurationFailedException("Error occurred while parsing file, while converting " +
+                                                                          "to a org.w3c.dom.Document", e);
+        }
+    }
+
 }

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/config/Action.java

@@ -0,0 +1,90 @@
+
+package org.wso2.carbon.device.mgt.oauth.extensions.config;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+
+
+/**
+ * <p>Java class for Action complex type.
+ * 
+ * <p>The following schema fragment specifies the expected content contained within this class.
+ * 
+ * <pre>
+ * &lt;complexType name="Action">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element name="Permissions" type="{}Permissions"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="name" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ * 
+ * 
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "Action", propOrder = {
+    "permissions"
+})
+public class Action {
+
+    @XmlElement(name = "Permissions", required = true)
+    protected Permissions permissions;
+    @XmlAttribute(name = "name")
+    protected String name;
+
+    /**
+     * Gets the value of the permissions property.
+     * 
+     * @return
+     *     possible object is
+     *     {@link Permissions }
+     *     
+     */
+    public Permissions getPermissions() {
+        return permissions;
+    }
+
+    /**
+     * Sets the value of the permissions property.
+     * 
+     * @param value
+     *     allowed object is
+     *     {@link Permissions }
+     *     
+     */
+    public void setPermissions(Permissions value) {
+        this.permissions = value;
+    }
+
+    /**
+     * Gets the value of the name property.
+     * 
+     * @return
+     *     possible object is
+     *     {@link String }
+     *     
+     */
+    public String getName() {
+        return name;
+    }
+
+    /**
+     * Sets the value of the name property.
+     * 
+     * @param value
+     *     allowed object is
+     *     {@link String }
+     *     
+     */
+    public void setName(String value) {
+        this.name = value;
+    }
+
+}

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/config/DeviceMgtScopes.java

@@ -0,0 +1,67 @@
+
+package org.wso2.carbon.device.mgt.oauth.extensions.config;
+
+import java.util.ArrayList;
+import java.util.List;
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+
+
+/**
+ * <p>Java class for DeviceMgtScopes complex type.
+ * 
+ * <p>The following schema fragment specifies the expected content contained within this class.
+ * 
+ * <pre>
+ * &lt;complexType name="DeviceMgtScopes">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element name="Action" type="{}Action" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ * 
+ * 
+ */
+@XmlRootElement(name = "DeviceMgtScopes")
+public class DeviceMgtScopes {
+
+    @XmlElement(name = "Action")
+    protected List<Action> action;
+
+    /**
+     * Gets the value of the action property.
+     * 
+     * <p>
+     * This accessor method returns a reference to the live list,
+     * not a snapshot. Therefore any modification you make to the
+     * returned list will be present inside the JAXB object.
+     * This is why there is not a <CODE>set</CODE> method for the action property.
+     * 
+     * <p>
+     * For example, to add a new item, do as follows:
+     * <pre>
+     *    getAction().add(newItem);
+     * </pre>
+     * 
+     * 
+     * <p>
+     * Objects of the following type(s) are allowed in the list
+     * {@link Action }
+     * 
+     * 
+     */
+    public List<Action> getAction() {
+        if (action == null) {
+            action = new ArrayList<Action>();
+        }
+        return this.action;
+    }
+
+}

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/config/DeviceMgtScopesConfig.java

@@ -0,0 +1,67 @@
+
+package org.wso2.carbon.device.mgt.oauth.extensions.config;
+
+import org.w3c.dom.Document;
+import org.wso2.carbon.device.mgt.oauth.extensions.OAuthExtUtils;
+import org.wso2.carbon.utils.CarbonUtils;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Unmarshaller;
+import java.io.File;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * This class represents the configuration that are needed for scopes to permission map.
+ */
+public class DeviceMgtScopesConfig {
+
+    private static DeviceMgtScopesConfig config = new DeviceMgtScopesConfig();
+    private static Map<String, String[]> actionPermissionMap = new HashMap<>();
+
+    private static final String DEVICE_MGT_SCOPES_CONFIG_PATH =
+            CarbonUtils.getEtcCarbonConfigDirPath() + File.separator + "device-mgt-scopes.xml";
+
+    private DeviceMgtScopesConfig() {
+    }
+
+    public static DeviceMgtScopesConfig getInstance() {
+        return config;
+    }
+
+    public static void init() throws DeviceMgtScopesConfigurationFailedException {
+        try {
+            File deviceMgtConfig = new File(DEVICE_MGT_SCOPES_CONFIG_PATH);
+            Document doc = OAuthExtUtils.convertToDocument(deviceMgtConfig);
+
+            /* Un-marshaling DeviceMGtScope configuration */
+            JAXBContext ctx = JAXBContext.newInstance(DeviceMgtScopes.class);
+            Unmarshaller unmarshaller = ctx.createUnmarshaller();
+            //unmarshaller.setSchema(getSchema());
+            DeviceMgtScopes deviceMgtScopes = (DeviceMgtScopes) unmarshaller.unmarshal(doc);
+            if (deviceMgtScopes != null) {
+                for (Action action : deviceMgtScopes.getAction()) {
+                    Permissions permissions = action.getPermissions();
+                    if (permissions != null) {
+                        String permission[] = new String[permissions.getPermission().size()];
+                        int i = 0;
+                        for (String perm : permissions.getPermission()) {
+                            permission[i] = perm;
+                            i++;
+                        }
+                        actionPermissionMap.put(action.getName(), permission);
+                    }
+                }
+            }
+        } catch (JAXBException e) {
+            throw new DeviceMgtScopesConfigurationFailedException("Error occurred while un-marshalling Device Scope" +
+                                                                          " Config", e);
+        }
+    }
+
+    public Map<String, String[]> getDeviceMgtScopePermissionMap() {
+        return actionPermissionMap;
+    }
+
+}

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/config/DeviceMgtScopesConfigurationFailedException.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.device.mgt.oauth.extensions.config;
+
+public class DeviceMgtScopesConfigurationFailedException extends Exception {
+
+    private static final long serialVersionUID = -3151279312929070398L;
+
+    public DeviceMgtScopesConfigurationFailedException(String msg, Exception nestedEx) {
+        super(msg, nestedEx);
+    }
+
+    public DeviceMgtScopesConfigurationFailedException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public DeviceMgtScopesConfigurationFailedException(String msg) {
+        super(msg);
+    }
+
+    public DeviceMgtScopesConfigurationFailedException() {
+        super();
+    }
+
+    public DeviceMgtScopesConfigurationFailedException(Throwable cause) {
+        super(cause);
+    }
+}

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/config/Permissions.java

@@ -0,0 +1,78 @@
+
+package org.wso2.carbon.device.mgt.oauth.extensions.config;
+
+import java.util.ArrayList;
+import java.util.List;
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+
+
+/**
+ * <p>Java class for Permissions complex type.
+ * 
+ * <p>The following schema fragment specifies the expected content contained within this class.
+ * 
+ * <pre>
+ * &lt;complexType name="Permissions">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element name="Permission" maxOccurs="unbounded" minOccurs="0">
+ *           &lt;simpleType>
+ *             &lt;restriction base="{http://www.w3.org/2001/XMLSchema}string">
+ *               &lt;enumeration value="/permission/device-mgt/user/groups/device_operation"/>
+ *               &lt;enumeration value="/permission/device-mgt/admin/groups"/>
+ *               &lt;enumeration value="/permission/device-mgt/user/groups"/>
+ *               &lt;enumeration value="/permission/device-mgt/user/groups/device_monitor"/>
+ *             &lt;/restriction>
+ *           &lt;/simpleType>
+ *         &lt;/element>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ * 
+ * 
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "Permissions", propOrder = {
+    "permission"
+})
+public class Permissions {
+
+    @XmlElement(name = "Permission")
+    protected List<String> permission;
+
+    /**
+     * Gets the value of the permission property.
+     * 
+     * <p>
+     * This accessor method returns a reference to the live list,
+     * not a snapshot. Therefore any modification you make to the
+     * returned list will be present inside the JAXB object.
+     * This is why there is not a <CODE>set</CODE> method for the permission property.
+     * 
+     * <p>
+     * For example, to add a new item, do as follows:
+     * <pre>
+     *    getPermission().add(newItem);
+     * </pre>
+     * 
+     * 
+     * <p>
+     * Objects of the following type(s) are allowed in the list
+     * {@link String }
+     * 
+     * 
+     */
+    public List<String> getPermission() {
+        if (permission == null) {
+            permission = new ArrayList<String>();
+        }
+        return this.permission;
+    }
+
+}

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/handlers/grant/ExtendedDeviceMgtJWTBearerGrantHandler.java

@@ -5,10 +5,10 @@ import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
 import org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler;
 import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
 
-public class ExtendedJWTBearerGrantHandler extends JWTBearerGrantHandler {
+public class ExtendedDeviceMgtJWTBearerGrantHandler extends JWTBearerGrantHandler {
 
     @Override
     public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
-        return OAuthExtUtils.setScopes(tokReqMsgCtx);
+        return OAuthExtUtils.validateScope(tokReqMsgCtx);
     }
 }

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/handlers/grant/ExtendedDeviceMgtPasswordGrantHandler.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.apimgt.keymgt.handlers.ExtendedPasswordGrantHandler;
+import org.wso2.carbon.device.mgt.oauth.extensions.OAuthConstants;
+import org.wso2.carbon.device.mgt.oauth.extensions.OAuthExtUtils;
+import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
+import org.wso2.carbon.identity.oauth2.model.RequestParameter;
+import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
+
+@SuppressWarnings("unused")
+public class ExtendedDeviceMgtPasswordGrantHandler extends ExtendedPasswordGrantHandler {
+
+    private static Log log = LogFactory.getLog(ExtendedDeviceMgtPasswordGrantHandler.class);
+
+    @Override
+    public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
+        RequestParameter parameters[] = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getRequestParameters();
+        for (RequestParameter parameter : parameters) {
+            switch (parameter.getKey()) {
+                case OAuthConstants.DEFAULT_USERNAME_IDENTIFIER:
+                    String username = parameter.getValue()[0];
+                    tokReqMsgCtx.getOauth2AccessTokenReqDTO().setResourceOwnerUsername(username);
+                    break;
+
+                case OAuthConstants.DEFAULT_PASSWORD_IDENTIFIER:
+                    String password = parameter.getValue()[0];
+                    tokReqMsgCtx.getOauth2AccessTokenReqDTO().setResourceOwnerPassword(password);
+                    break;
+            }
+        }
+        return super.validateGrant(tokReqMsgCtx);
+    }
+
+    @Override
+    public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) {
+        return OAuthExtUtils.validateScope(tokReqMsgCtx);
+    }
+
+}

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/handlers/grant/ExtendedPasswordGrantHandler.java

@@ -1,328 +0,0 @@
-/*
- * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
- *
- * WSO2 Inc. licenses this file to you under the Apache License,
- * Version 2.0 (the "License"); you may not use this file except
- * in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant;
-
-import org.apache.axiom.om.OMElement;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.wso2.carbon.device.mgt.oauth.extensions.OAuthExtUtils;
-import org.wso2.carbon.device.mgt.oauth.extensions.internal.OAuthExtensionsDataHolder;
-import org.wso2.carbon.identity.application.common.cache.BaseCache;
-import org.wso2.carbon.identity.core.util.IdentityConfigParser;
-import org.wso2.carbon.identity.core.util.IdentityCoreConstants;
-import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
-import org.wso2.carbon.identity.oauth.common.OAuthConstants;
-import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
-import org.wso2.carbon.identity.oauth2.ResponseHeader;
-import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
-import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
-import org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler;
-import org.wso2.carbon.user.api.Claim;
-import org.wso2.carbon.user.api.UserStoreException;
-import org.wso2.carbon.user.api.UserStoreManager;
-import org.wso2.carbon.user.core.UserRealm;
-import org.wso2.carbon.user.core.config.RealmConfiguration;
-import org.wso2.carbon.user.core.service.RealmService;
-import org.wso2.carbon.user.core.util.UserCoreUtil;
-
-import javax.xml.namespace.QName;
-import java.util.*;
-import java.util.concurrent.ConcurrentHashMap;
-
-@SuppressWarnings("unused")
-public class ExtendedPasswordGrantHandler extends PasswordGrantHandler {
-
-    private static Log log = LogFactory.getLog(ExtendedPasswordGrantHandler.class);
-
-    private static final String CONFIG_ELEM_OAUTH = "OAuth";
-
-    // Claims that are set as response headers of access token response
-    private static final String REQUIRED_CLAIM_URIS = "RequiredRespHeaderClaimUris";
-    private BaseCache<String, Claim[]> userClaimsCache;
-
-    // Primary/Secondary Login configuration
-    private static final String CLAIM_URI = "ClaimUri";
-    private static final String LOGIN_CONFIG = "LoginConfig";
-    private static final String USERID_LOGIN = "UserIdLogin";
-    private static final String EMAIL_LOGIN = "EmailLogin";
-    private static final String PRIMARY_LOGIN = "primary";
-
-    private Map<String, Map<String, String>> loginConfiguration = new ConcurrentHashMap<>();
-
-    private List<String> requiredHeaderClaimUris = new ArrayList<>();
-
-    public void init() throws IdentityOAuth2Exception {
-
-        super.init();
-
-        IdentityConfigParser configParser;
-        configParser = IdentityConfigParser.getInstance();
-        OMElement oauthElem = configParser.getConfigElement(CONFIG_ELEM_OAUTH);
-
-        // Get the required claim uris that needs to be included in the response.
-        parseRequiredHeaderClaimUris(oauthElem.getFirstChildWithName(getQNameWithIdentityNS(REQUIRED_CLAIM_URIS)));
-
-        // read login config
-        parseLoginConfig(oauthElem);
-
-        userClaimsCache = new BaseCache<>("UserClaimsCache");
-        if (log.isDebugEnabled()) {
-            log.debug("Successfully created UserClaimsCache under " + OAuthConstants.OAUTH_CACHE_MANAGER);
-        }
-    }
-
-    @Override
-    public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx)
-            throws IdentityOAuth2Exception {
-
-        OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO = tokReqMsgCtx.getOauth2AccessTokenReqDTO();
-        String username = oAuth2AccessTokenReqDTO.getResourceOwnerUsername();
-        String loginUserName = getLoginUserName(username);
-        tokReqMsgCtx.getOauth2AccessTokenReqDTO().setResourceOwnerUsername(loginUserName);
-
-        boolean isValidated = super.validateGrant(tokReqMsgCtx);
-
-        if (isValidated) {
-
-            int tenantId;
-            tenantId = IdentityTenantUtil.getTenantIdOfUser(username);
-
-            RealmService realmService = OAuthExtensionsDataHolder.getInstance().getRealmService();
-            UserStoreManager userStoreManager;
-            try {
-                userStoreManager = realmService.getTenantUserRealm(tenantId).getUserStoreManager();
-            } catch (UserStoreException e) {
-                log.error("Error when getting the tenant's UserStoreManager", e);
-                return false;
-            }
-
-            List<ResponseHeader> respHeaders = new ArrayList<>();
-
-            if (oAuth2AccessTokenReqDTO.getResourceOwnerUsername() != null) {
-                try {
-                    if (requiredHeaderClaimUris != null && !requiredHeaderClaimUris.isEmpty()) {
-                        // Get user's claim values from the default profile.
-                        String userStoreDomain = tokReqMsgCtx.getAuthorizedUser().getUserStoreDomain();
-
-                        String endUsernameWithDomain = UserCoreUtil.
-                                addDomainToName(oAuth2AccessTokenReqDTO.getResourceOwnerUsername(), userStoreDomain);
-
-                        Claim[] mapClaimValues = getUserClaimValues(endUsernameWithDomain, userStoreManager);
-
-                        if (mapClaimValues != null && mapClaimValues.length > 0) {
-                            ResponseHeader header;
-                            for (String claimUri : requiredHeaderClaimUris) {
-                                for (Claim claim : mapClaimValues) {
-                                    if (claimUri.equals(claim.getClaimUri())) {
-                                        header = new ResponseHeader();
-                                        header.setKey(claim.getDisplayTag());
-                                        header.setValue(claim.getValue());
-                                        respHeaders.add(header);
-                                        break;
-                                    }
-                                }
-                            }
-                        } else if (log.isDebugEnabled()) {
-                            log.debug("No claim values for user : " + endUsernameWithDomain);
-                        }
-                    }
-                } catch (Exception e) {
-                    throw new IdentityOAuth2Exception("Error occurred while retrieving user claims", e);
-                }
-            }
-            tokReqMsgCtx.addProperty("RESPONSE_HEADERS", respHeaders.toArray(new ResponseHeader[respHeaders.size()]));
-        }
-
-        return isValidated;
-    }
-
-    @Override
-    public boolean validateScope(OAuthTokenReqMessageContext tokReqMsgCtx) {
-        return OAuthExtUtils.setScopes(tokReqMsgCtx);
-    }
-
-    private String getLoginUserName(String userID) {
-        String loginUserName = userID;
-        if (isSecondaryLogin(userID)) {
-            loginUserName = getPrimaryFromSecondary(userID);
-        }
-        return loginUserName;
-    }
-
-    /**
-     * Identify whether the logged in user used his Primary Login name or
-     * Secondary login name
-     *
-     * @param userId - The username used to login.
-     * @return <code>true</code> if secondary login name is used,
-     * <code>false</code> if primary login name has been used
-     */
-    private boolean isSecondaryLogin(String userId) {
-
-        if (loginConfiguration.get(EMAIL_LOGIN) != null) {
-            Map<String, String> emailConf = loginConfiguration.get(EMAIL_LOGIN);
-            if ("true".equalsIgnoreCase(emailConf.get(PRIMARY_LOGIN))) {
-                return !isUserLoggedInEmail(userId);
-            } else if ("false".equalsIgnoreCase(emailConf.get(PRIMARY_LOGIN))) {
-                return isUserLoggedInEmail(userId);
-            }
-        } else if (loginConfiguration.get(USERID_LOGIN) != null) {
-            Map<String, String> userIdConf = loginConfiguration.get(USERID_LOGIN);
-            if ("true".equalsIgnoreCase(userIdConf.get(PRIMARY_LOGIN))) {
-                return isUserLoggedInEmail(userId);
-            } else if ("false".equalsIgnoreCase(userIdConf.get(PRIMARY_LOGIN))) {
-                return !isUserLoggedInEmail(userId);
-            }
-        }
-        return false;
-    }
-
-    /**
-     * Identify whether the logged in user used his ordinal username or email
-     *
-     * @param userId - username used to login.
-     * @return - <code>true</code> if userId contains '@'. <code>false</code> otherwise
-     */
-    private boolean isUserLoggedInEmail(String userId) {
-        return userId.contains("@");
-    }
-
-    /**
-     * Get the primaryLogin name using secondary login name. Primary secondary
-     * Configuration is provided in the identitiy.xml. In the userstore, it is
-     * users responsibility TO MAINTAIN THE SECONDARY LOGIN NAME AS UNIQUE for
-     * each and every users. If it is not unique, we will pick the very first
-     * entry from the userlist.
-     *
-     * @param login - username used to login.
-     * @return -
-     */
-    private String getPrimaryFromSecondary(String login) {
-
-        String claimURI, username = null;
-        if (isUserLoggedInEmail(login)) {
-            Map<String, String> emailConf = loginConfiguration.get(EMAIL_LOGIN);
-            claimURI = emailConf.get(CLAIM_URI);
-        } else {
-            Map<String, String> userIdConf = loginConfiguration.get(USERID_LOGIN);
-            claimURI = userIdConf.get(CLAIM_URI);
-        }
-
-        try {
-            RealmService realmSvc = OAuthExtensionsDataHolder.getInstance().getRealmService();
-            RealmConfiguration config = new RealmConfiguration();
-            UserRealm realm = realmSvc.getUserRealm(config);
-            org.wso2.carbon.user.core.UserStoreManager storeManager = realm.getUserStoreManager();
-            String[] user = storeManager.getUserList(claimURI, login, null);
-            if (user.length > 0) {
-                username = user[0];
-            }
-        } catch (UserStoreException e) {
-            log.error("Error while retrieving the primaryLogin name using secondary login name : " + login, e);
-        }
-        return username;
-    }
-
-    private Claim[] getUserClaimValues(String authorizedUser, UserStoreManager userStoreManager)
-            throws
-            UserStoreException {
-        Claim[] userClaims = userClaimsCache.getValueFromCache(authorizedUser);
-        if (userClaims != null) {
-            return userClaims;
-        } else {
-            if (log.isDebugEnabled()) {
-                log.debug("Cache miss for user claims. Username :" + authorizedUser);
-            }
-            userClaims = userStoreManager.getUserClaimValues(
-                    authorizedUser, null);
-            userClaimsCache.addToCache(authorizedUser, userClaims);
-            return userClaims;
-        }
-    }
-
-    /**
-     * Read the required claim configuration from identity.xml
-     */
-    private void parseRequiredHeaderClaimUris(OMElement requiredClaimUrisElem) {
-        if (requiredClaimUrisElem == null) {
-            return;
-        }
-
-        Iterator claimUris = requiredClaimUrisElem.getChildrenWithLocalName(CLAIM_URI);
-        if (claimUris != null) {
-            while (claimUris.hasNext()) {
-                OMElement claimUri = (OMElement) claimUris.next();
-                if (claimUri != null) {
-                    requiredHeaderClaimUris.add(claimUri.getText());
-                }
-            }
-        }
-    }
-
-    /**
-     * Read the primary/secondary login configuration
-     * <OAuth>
-     * ....
-     * <LoginConfig>
-     * <UserIdLogin  primary="true">
-     * <ClaimUri></ClaimUri>
-     * </UserIdLogin>
-     * <EmailLogin  primary="false">
-     * <ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
-     * </EmailLogin>
-     * </LoginConfig>
-     * .....
-     * </OAuth>
-     *
-     * @param oauthConfigElem - The '<LoginConfig>' xml configuration element in the api-manager.xml
-     */
-    private void parseLoginConfig(OMElement oauthConfigElem) {
-        OMElement loginConfigElem = oauthConfigElem.getFirstChildWithName(getQNameWithIdentityNS(LOGIN_CONFIG));
-        if (loginConfigElem != null) {
-            if (log.isDebugEnabled()) {
-                log.debug("Login configuration is set ");
-            }
-            // Primary/Secondary supported login mechanisms
-            OMElement emailConfigElem = loginConfigElem.getFirstChildWithName(getQNameWithIdentityNS(EMAIL_LOGIN));
-
-            OMElement userIdConfigElem = loginConfigElem.getFirstChildWithName(getQNameWithIdentityNS(USERID_LOGIN));
-
-            Map<String, String> emailConf = new HashMap<String, String>(2);
-            emailConf.put(PRIMARY_LOGIN,
-                    emailConfigElem.getAttributeValue(new QName(PRIMARY_LOGIN)));
-            emailConf.put(CLAIM_URI,
-                    emailConfigElem.getFirstChildWithName(getQNameWithIdentityNS(CLAIM_URI))
-                            .getText());
-
-            Map<String, String> userIdConf = new HashMap<String, String>(2);
-            userIdConf.put(PRIMARY_LOGIN,
-                    userIdConfigElem.getAttributeValue(new QName(PRIMARY_LOGIN)));
-            userIdConf.put(CLAIM_URI,
-                    userIdConfigElem.getFirstChildWithName(getQNameWithIdentityNS(CLAIM_URI))
-                            .getText());
-
-            loginConfiguration.put(EMAIL_LOGIN, emailConf);
-            loginConfiguration.put(USERID_LOGIN, userIdConf);
-        }
-    }
-
-    private QName getQNameWithIdentityNS(String localPart) {
-        return new QName(IdentityCoreConstants.IDENTITY_DEFAULT_NAMESPACE, localPart);
-    }
-}

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/internal/OAuthExtensionServiceComponent.java

@@ -24,8 +24,12 @@ import org.osgi.service.component.ComponentContext;
 import org.wso2.carbon.apimgt.api.APIManagementException;
 import org.wso2.carbon.apimgt.impl.APIConstants;
 import org.wso2.carbon.apimgt.impl.APIManagerConfiguration;
+import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationException;
+import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService;
 import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
 import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
+import org.wso2.carbon.device.mgt.oauth.extensions.config.DeviceMgtScopesConfig;
+import org.wso2.carbon.device.mgt.oauth.extensions.config.DeviceMgtScopesConfigurationFailedException;
 import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService;
 import org.wso2.carbon.user.core.service.RealmService;
 import org.wso2.carbon.utils.CarbonUtils;
@@ -54,12 +58,12 @@ import java.util.List;
  * policy="dynamic"
  * bind="setPermissionManagerService"
  * unbind="unsetPermissionManagerService"
- * @scr.reference name="org.wso2.carbon.device.manager"
+ * @scr.reference name="org.wso2.carbon.device.authorization"
- * interface="org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService"
+ * interface="org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService"
  * cardinality="1..1"
  * policy="dynamic"
- * bind="setDeviceManagementService"
+ * bind="setDeviceAccessAuthorizationService"
- * unbind="unsetDeviceManagementService"
+ * unbind="unsetDeviceAccessAuthorizationService"
  */
 public class OAuthExtensionServiceComponent {
 
@@ -67,8 +71,6 @@ public class OAuthExtensionServiceComponent {
     private static final String REPOSITORY = "repository";
     private static final String CONFIGURATION = "conf";
     private static final String APIM_CONF_FILE = "api-manager.xml";
-    private static final String API_KEY_MANGER_DEVICE_SCOPE = "APIKeyValidator.DeviceScope";
-    private static final String CDMF_DEVICE_SCOPE_PREFIX = "cdmf_";
 
 
     @SuppressWarnings("unused")
@@ -77,6 +79,8 @@ public class OAuthExtensionServiceComponent {
             log.debug("Starting OAuthExtensionBundle");
         }
         try {
+            DeviceMgtScopesConfig.init();
+
             APIManagerConfiguration configuration = new APIManagerConfiguration();
             String filePath = new StringBuilder().
                     append(CarbonUtils.getCarbonHome()).
@@ -102,18 +106,10 @@ public class OAuthExtensionServiceComponent {
             }
 
             OAuthExtensionsDataHolder.getInstance().setWhitelistedScopes(whiteList);
-
-            // Read device scope(Specific to CDMF) from Configuration.
-            String deviceScope = configuration.getFirstProperty(API_KEY_MANGER_DEVICE_SCOPE);
-
-            if (deviceScope == null) {
-                deviceScope = CDMF_DEVICE_SCOPE_PREFIX;
-            }
-
-            OAuthExtensionsDataHolder.getInstance().setDeviceScope(deviceScope);
-
         } catch (APIManagementException e) {
-            log.error("Error occurred while loading APIM configurations", e);
+            log.error("Error occurred while loading DeviceMgtConfig configurations", e);
+        } catch (DeviceMgtScopesConfigurationFailedException e) {
+            log.error("Failed to initialize device scope configuration.", e);
         }
     }
 
@@ -198,24 +194,24 @@ public class OAuthExtensionServiceComponent {
 
     /**
      *  Set DeviceManagementProviderService
-     * @param deviceManagerService  An instance of PermissionManagerService
+     * @param deviceAccessAuthorizationService  An instance of deviceAccessAuthorizationService
      */
-    protected void setDeviceManagementService(DeviceManagementProviderService deviceManagerService) {
+    protected void setDeviceAccessAuthorizationService(DeviceAccessAuthorizationService deviceAccessAuthorizationService) {
         if (log.isDebugEnabled()) {
             log.debug("Setting Device Management Service");
         }
-        OAuthExtensionsDataHolder.getInstance().setDeviceManagementService(deviceManagerService);
+        OAuthExtensionsDataHolder.getInstance().setDeviceAccessAuthorizationService(deviceAccessAuthorizationService);
     }
 
     /**
      * unset DeviceManagementProviderService
-     * @param deviceManagementService  An instance of PermissionManagerService
+     * @param deviceAccessAuthorizationService  An instance of deviceAccessAuthorizationService
      */
-    protected void unsetDeviceManagementService(DeviceManagementProviderService deviceManagementService) {
+    protected void unsetDeviceAccessAuthorizationService(DeviceAccessAuthorizationService deviceAccessAuthorizationService) {
         if (log.isDebugEnabled()) {
             log.debug("Removing Device Management Service");
         }
-        OAuthExtensionsDataHolder.getInstance().setDeviceManagementService(null);
+        OAuthExtensionsDataHolder.getInstance().setDeviceAccessAuthorizationService(null);
     }
 
 }

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/internal/OAuthExtensionsDataHolder.java

@@ -18,6 +18,7 @@
 
 package org.wso2.carbon.device.mgt.oauth.extensions.internal;
 
+import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService;
 import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
 import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
 import org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService;
@@ -35,7 +36,7 @@ public class OAuthExtensionsDataHolder {
     private PermissionManagerService permissionManagerService;
     private List<String> whitelistedScopes;
     private String deviceScope;
-    private DeviceManagementProviderService deviceManagementService;
+    private DeviceAccessAuthorizationService deviceAccessAuthorizationService;
 
     private static OAuthExtensionsDataHolder thisInstance = new OAuthExtensionsDataHolder();
 
@@ -87,19 +88,15 @@ public class OAuthExtensionsDataHolder {
         this.whitelistedScopes = whitelistedScopes;
     }
 
-    public void setDeviceScope(String deviceScope) {
-        this.deviceScope = deviceScope;
-    }
-
     public String getDeviceScope() {
         return deviceScope;
     }
 
-    public DeviceManagementProviderService getDeviceManagementService() {
+    public DeviceAccessAuthorizationService getDeviceAccessAuthorizationService() {
-        return deviceManagementService;
+        return deviceAccessAuthorizationService;
     }
 
-    public void setDeviceManagementService(DeviceManagementProviderService deviceManagementService) {
+    public void setDeviceAccessAuthorizationService(DeviceAccessAuthorizationService deviceAccessAuthorizationService) {
-        this.deviceManagementService = deviceManagementService;
+        this.deviceAccessAuthorizationService = deviceAccessAuthorizationService;
     }
 }

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/ExtendedDeviceJWTGrantValidator.java

@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License
+ */
+
+package org.wso2.carbon.device.mgt.oauth.extensions.validators;
+
+import org.apache.oltu.oauth2.common.OAuth;
+import org.apache.oltu.oauth2.common.validators.AbstractValidator;
+import org.wso2.carbon.device.mgt.oauth.extensions.OAuthConstants;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * Grant validator for JSON Web Tokens
+ * For JWT Grant to be valid the required parameters are
+ * grant_type and assertion
+ */
+public class ExtendedDeviceJWTGrantValidator extends AbstractValidator<HttpServletRequest> {
+
+    public ExtendedDeviceJWTGrantValidator() {
+        requiredParams.add(OAuth.OAUTH_GRANT_TYPE);
+        requiredParams.add(OAuth.OAUTH_ASSERTION);
+    }
+}

components/identity-extensions/org.wso2.carbon.device.mgt.oauth.extensions/src/main/java/org/wso2/carbon/device/mgt/oauth/extensions/validators/ExtendedDevicePasswordGrantValidator.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License
+ */
+
+package org.wso2.carbon.device.mgt.oauth.extensions.validators;
+
+import org.apache.oltu.oauth2.common.OAuth;
+import org.apache.oltu.oauth2.common.validators.AbstractValidator;
+import org.wso2.carbon.device.mgt.oauth.extensions.OAuthConstants;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * Grant validator for Device Object with Password Grant type
+ */
+public class ExtendedDevicePasswordGrantValidator extends AbstractValidator<HttpServletRequest> {
+
+    public ExtendedDevicePasswordGrantValidator() {
+        requiredParams.add(OAuth.OAUTH_USERNAME);
+        requiredParams.add(OAuth.OAUTH_PASSWORD);
+        requiredParams.add(OAuthConstants.DEFAULT_DEVICE_ASSERTION);
+    }
+}

components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/JWTClient.java

@@ -44,6 +44,7 @@ import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Map;
 
 /**
  * this class represents an implementation of Token Client which is based on JWT
@@ -63,14 +64,10 @@ public class JWTClient {
 		this.isDefaultJWTClient = isDefaultJWTClient;
 	}
 
-
-	/**
-	 * {@inheritDoc}
-	 */
 	public AccessTokenInfo getAccessToken(String consumerKey, String consumerSecret, String username, String scopes)
 			throws JWTClientException {
 		List<NameValuePair> params = new ArrayList<>();
-		params.add(new BasicNameValuePair(JWTConstants.GRANT_TYPE_PARAM_NAME, JWTConstants.JWT_GRANT_TYPE));
+		params.add(new BasicNameValuePair(JWTConstants.GRANT_TYPE_PARAM_NAME, jwtConfig.getJwtGrantType()));
 		String assertion = JWTClientUtil.generateSignedJWTAssertion(username, jwtConfig, isDefaultJWTClient);
 		if (assertion == null) {
 			throw new JWTClientException("JWT is not configured properly for user : " + username);
@@ -80,9 +77,26 @@ public class JWTClient {
 		return getTokenInfo(params, consumerKey, consumerSecret);
 	}
 
-	/**
+	public AccessTokenInfo getAccessToken(String consumerKey, String consumerSecret, String username, String scopes,
-	 * {@inheritDoc}
+										  Map<String, String> paramsMap)
-	 */
+			throws JWTClientException {
+		List<NameValuePair> params = new ArrayList<>();
+		params.add(new BasicNameValuePair(JWTConstants.GRANT_TYPE_PARAM_NAME, jwtConfig.getJwtGrantType()));
+		String assertion = JWTClientUtil.generateSignedJWTAssertion(username, jwtConfig, isDefaultJWTClient);
+		if (assertion == null) {
+			throw new JWTClientException("JWT is not configured properly for user : " + username);
+		}
+		params.add(new BasicNameValuePair(JWTConstants.JWT_PARAM_NAME, assertion));
+		params.add(new BasicNameValuePair(JWTConstants.SCOPE_PARAM_NAME, scopes));
+		if (paramsMap != null) {
+			for (String key : paramsMap.keySet()) {
+				params.add(new BasicNameValuePair(key, paramsMap.get(key)));
+			}
+		}
+		return getTokenInfo(params, consumerKey, consumerSecret);
+	}
+
+
 	public AccessTokenInfo getAccessTokenFromRefreshToken(String refreshToken, String username, String scopes,
 														  String consumerKey, String consumerSecret)
 			throws JWTClientException {

components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/dto/JWTConfig.java

@@ -1,6 +1,7 @@
 package org.wso2.carbon.identity.jwt.client.extension.dto;
 
 import org.wso2.carbon.core.util.Utils;
+import org.wso2.carbon.identity.jwt.client.extension.constant.JWTConstants;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -20,6 +21,7 @@ public class JWTConfig {
 	private static final String JKS_PASSWORD ="KeyStorePassword";
 	private static final String JKA_PRIVATE_KEY_PASSWORD = "PrivateKeyPassword";
 	private static final String TOKEN_ENDPOINT = "TokenEndpoint";
+	private static final String JWT_GRANT_TYPE_NAME = "GrantType";
 
 	/**
 	 * issuer of the JWT
@@ -69,6 +71,11 @@ public class JWTConfig {
 	private String privateKeyAlias;
 	private String privateKeyPassword;
 
+	/**
+	 * Jwt Grant Type Name
+	 */
+	private String jwtGrantType;
+
 	/**
 	 * @param properties load the config from the properties file.
 	 */
@@ -89,6 +96,8 @@ public class JWTConfig {
 		privateKeyAlias = properties.getProperty(JKS_PRIVATE_KEY_ALIAS);
 		privateKeyPassword = properties.getProperty(JKA_PRIVATE_KEY_PASSWORD);
 		tokenEndpoint = properties.getProperty(TOKEN_ENDPOINT, "");
+		jwtGrantType = properties.getProperty(JWT_GRANT_TYPE_NAME, JWTConstants.JWT_GRANT_TYPE);
+
 	}
 
 	private static List<String> getAudience(String audience){
@@ -146,4 +155,8 @@ public class JWTConfig {
 	public String getTokenEndpoint() {
 		return Utils.replaceSystemProperty(tokenEndpoint);
 	}
+
+	public String getJwtGrantType() {
+		return jwtGrantType;
+	}
 }

components/policy-mgt/org.wso2.carbon.policy.mgt.core/src/main/java/org/wso2/carbon/policy/mgt/core/mgt/impl/FeatureManagerImpl.java

@@ -245,7 +245,7 @@ public class FeatureManagerImpl implements FeatureManager {
     @Override
     public List<ProfileFeature> getFeaturesForProfile(int profileId) throws FeatureManagementException {
         try {
-            DeviceManagementDAOFactory.openConnection();
+            PolicyManagementDAOFactory.openConnection();
             return featureDAO.getFeaturesForProfile(profileId);
         } catch (FeatureManagerDAOException e) {
             throw new FeatureManagementException("Error occurred while getting the features", e);

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authenticator/oauth/OAuthTokenValidationException.java

@@ -25,29 +25,16 @@ public class OAuthTokenValidationException extends Exception {
 
     private static final long serialVersionUID = -3151279311929070297L;
 
-    private String errorMessage;
-
-    public String getErrorMessage() {
-        return errorMessage;
-    }
-
-    public void setErrorMessage(String errorMessage) {
-        this.errorMessage = errorMessage;
-    }
-
     public OAuthTokenValidationException(String msg, Exception nestedEx) {
         super(msg, nestedEx);
-        setErrorMessage(msg);
     }
 
     public OAuthTokenValidationException(String message, Throwable cause) {
         super(message, cause);
-        setErrorMessage(message);
     }
 
     public OAuthTokenValidationException(String msg) {
         super(msg);
-        setErrorMessage(msg);
     }
 
     public OAuthTokenValidationException() {

features/device-mgt/org.wso2.carbon.device.mgt.server.feature/src/main/resources/dbscripts/cdm/h2.sql

@@ -26,8 +26,9 @@ CREATE TABLE IF NOT EXISTS DM_DEVICE (
      LAST_UPDATED_TIMESTAMP TIMESTAMP NOT NULL,
      TENANT_ID INTEGER DEFAULT 0,
      PRIMARY KEY (ID),
-     CONSTRAINT fk_DM_DEVICE_DM_DEVICE_TYPE2 FOREIGN KEY (DEVICE_TYPE_ID )
+     CONSTRAINT fk_DM_DEVICE_DM_DEVICE_TYPE2 FOREIGN KEY (DEVICE_TYPE_ID)
-     REFERENCES DM_DEVICE_TYPE (ID) ON DELETE NO ACTION ON UPDATE NO ACTION
+     REFERENCES DM_DEVICE_TYPE (ID) ON DELETE NO ACTION ON UPDATE NO ACTION,
+     CONSTRAINT uk_DM_DEVICE UNIQUE (NAME, DEVICE_TYPE_ID, DEVICE_IDENTIFICATION, TENANT_ID)
 );
 
 CREATE TABLE IF NOT EXISTS DM_DEVICE_GROUP_MAP (
@@ -96,7 +97,8 @@ CREATE TABLE IF NOT EXISTS DM_ENROLMENT (
     TENANT_ID INT NOT NULL,
     PRIMARY KEY (ID),
     CONSTRAINT fk_dm_device_enrolment FOREIGN KEY (DEVICE_ID) REFERENCES
-    DM_DEVICE (ID) ON DELETE NO ACTION ON UPDATE NO ACTION
+    DM_DEVICE (ID) ON DELETE NO ACTION ON UPDATE NO ACTION,
+    CONSTRAINT uk_dm_device_enrolment UNIQUE (DEVICE_ID, OWNER, OWNERSHIP, TENANT_ID)
 );
 
 CREATE TABLE IF NOT EXISTS DM_ENROLMENT_OP_MAPPING (

features/oauth-extensions/org.wso2.carbon.device.mgt.oauth.extensions.feature/src/main/resources/build.properties

@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+#
+# WSO2 Inc. licenses this file to you under the Apache License,
+# Version 2.0 (the "License"); you may not use this file except
+# in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+custom = true

features/oauth-extensions/org.wso2.carbon.device.mgt.oauth.extensions.feature/src/main/resources/device-mgt-scopes.xml

@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+  ~ Copyright (c) 2016, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+  ~
+  ~ WSO2 Inc. licenses this file to you under the Apache License,
+  ~ Version 2.0 (the "License"); you may not use this file except
+  ~ in compliance with the License.
+  ~ you may obtain a copy of the License at
+  ~
+  ~   http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing,
+  ~ software distributed under the License is distributed on an
+  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  ~ KIND, either express or implied.  See the License for the
+  ~ specific language governing permissions and limitations
+  ~ under the License.
+  -->
+
+<!--This holds the scopes that are allowed by the device-mgt, The user require below permission to get the required scope-->
+<!--These scopes are assigned after validating with device-mgt specific grant types-->
+<DeviceMgtScopes>
+	<Action name="mqtt-publisher">
+		<Permissions>
+			<Permission>/permission/device-mgt/user/groups/device_operation</Permission>
+			<Permission>/permission/device-mgt/admin/groups</Permission>
+			<Permission>/permission/device-mgt/user/groups</Permission>
+		</Permissions>
+	</Action>
+	<Action name="mqtt-subscriber">
+		<Permissions>
+			<Permission>/permission/device-mgt/user/groups/device_monitor</Permission>
+			<Permission>/permission/device-mgt/admin/groups</Permission>
+			<Permission>/permission/device-mgt/user/groups</Permission>
+		</Permissions>
+	</Action>
+	<Action name="stats">
+		<Permissions>
+			<Permission>/permission/device-mgt/user/groups/device_monitor</Permission>
+			<Permission>/permission/device-mgt/admin/groups</Permission>
+			<Permission>/permission/device-mgt/user/groups</Permission>
+		</Permissions>
+	</Action>
+	<Action name="operation">
+		<Permissions>
+			<Permission>/permission/device-mgt/user/groups/device_operation</Permission>
+			<Permission>/permission/device-mgt/admin/groups</Permission>
+			<Permission>/permission/device-mgt/user/groups</Permission>
+		</Permissions>
+	</Action>
+</DeviceMgtScopes>

features/oauth-extensions/org.wso2.carbon.device.mgt.oauth.extensions.feature/src/main/resources/p2.inf

@@ -0,0 +1,2 @@
+instructions.configure = \
+org.eclipse.equinox.p2.touchpoint.natives.copy(source:${installFolder}/../features/org.wso2.carbon.device.mgt.oauth.extensions_${feature.version}/device-mgt-scopes.xml,target:${installFolder}/../../conf/etc/device-mgt-scopes.xml,overwrite:true);\

pom.xml

@@ -780,6 +780,11 @@
                 <artifactId>org.wso2.carbon.apimgt.keymgt.client</artifactId>
                 <version>${carbon.api.mgt.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.wso2.carbon.apimgt</groupId>
+                <artifactId>org.wso2.carbon.apimgt.keymgt</artifactId>
+                <version>${carbon.api.mgt.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.wso2.carbon.apimgt</groupId>
                 <artifactId>org.wso2.carbon.apimgt.impl</artifactId>