scope-role-permission refactoring and webapp authorization

components/apimgt-extensions/org.wso2.carbon.apimgt.annotations/src/main/java/org/wso2/carbon/apimgt/annotations/api/Scope.java

@@ -20,4 +20,6 @@ public @interface Scope {
 
     String[] permissions();
 
+    String[] roles();
+
 }

components/apimgt-extensions/org.wso2.carbon.apimgt.application.extension.api/src/main/webapp/WEB-INF/web.xml

@@ -37,7 +37,7 @@
     </servlet-mapping>
     <context-param>
         <param-name>doAuthentication</param-name>
-        <param-value>true</param-value>
+        <param-value>false</param-value>
     </context-param>
 	<!--This is to support basic auth.-->
 	<context-param>

components/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher/src/main/java/org/wso2/carbon/apimgt/webapp/publisher/APIPublisherServiceImpl.java

@@ -18,6 +18,8 @@
  */
 package org.wso2.carbon.apimgt.webapp.publisher;
 
+import org.wso2.carbon.apimgt.webapp.publisher.dto.ApiScope;
+import org.wso2.carbon.apimgt.webapp.publisher.dto.ApiUriTemplate;
 import org.wso2.carbon.apimgt.api.APIManagementException;
 import org.wso2.carbon.apimgt.api.APIProvider;
 import org.wso2.carbon.apimgt.api.FaultGatewaysException;
@@ -32,7 +34,6 @@ import org.wso2.carbon.apimgt.api.model.URITemplate;
 import org.wso2.carbon.apimgt.impl.APIConstants;
 import org.wso2.carbon.apimgt.impl.APIManagerFactory;
 import org.wso2.carbon.apimgt.webapp.publisher.config.WebappPublisherConfig;
-import org.wso2.carbon.apimgt.webapp.publisher.dto.ApiUriTemplate;
 import org.wso2.carbon.apimgt.webapp.publisher.exception.APIManagerPublisherException;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
 import org.wso2.carbon.utils.multitenancy.MultitenantUtils;
@@ -61,11 +62,26 @@ public class APIPublisherServiceImpl implements APIPublisherService {
         PrivilegedCarbonContext.startTenantFlow();
         PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(tenantDomain, true);
         PrivilegedCarbonContext.getThreadLocalCarbonContext().setUsername(apiConfig.getOwner());
+        int tenantId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId();
         try {
             APIProvider apiProvider = API_MANAGER_FACTORY.getAPIProvider(apiConfig.getOwner());
-            API api = getAPI(apiConfig);
+            APIIdentifier apiIdentifier = new APIIdentifier(apiConfig.getOwner(), apiConfig.getName(), apiConfig.getVersion());
 
-            if (!apiProvider.isAPIAvailable(api.getId())) {
+            if (!apiProvider.isAPIAvailable(apiIdentifier)) {
+
+                // add new scopes as shared scopes
+                Set<String> allSharedScopeKeys = apiProvider.getAllSharedScopeKeys(tenantDomain);
+                for (ApiScope apiScope : apiConfig.getScopes()) {
+                    if (!allSharedScopeKeys.contains(apiScope.getKey())) {
+                        Scope scope = new Scope();
+                        scope.setName(apiScope.getName());
+                        scope.setDescription(apiScope.getDescription());
+                        scope.setKey(apiScope.getKey());
+                        scope.setRoles(apiScope.getRoles());
+                        apiProvider.addSharedScope(scope, tenantDomain);
+                    }
+                }
+                API api = getAPI(apiConfig, true);
                 API createdAPI = apiProvider.addAPI(api);
                 if (CREATED_STATUS.equals(createdAPI.getStatus())) {
                     apiProvider.changeLifeCycleStatus(tenantDomain, createdAPI.getUuid(), PUBLISH_ACTION, null);
@@ -73,6 +89,7 @@ public class APIPublisherServiceImpl implements APIPublisherService {
                     apiRevision.setApiUUID(createdAPI.getUuid());
                     apiRevision.setDescription("Initial Revision");
                     String apiRevisionId = apiProvider.addAPIRevision(apiRevision, tenantDomain);
+
                     APIRevisionDeployment apiRevisionDeployment = new APIRevisionDeployment();
                     apiRevisionDeployment.setDeployment(API_PUBLISH_ENVIRONMENT);
                     apiRevisionDeployment.setVhost("localhost");
@@ -85,14 +102,83 @@ public class APIPublisherServiceImpl implements APIPublisherService {
                 }
             } else {
                 if (WebappPublisherConfig.getInstance().isEnabledUpdateApi()) {
-                    API existingAPI = apiProvider.getAPI(api.getId());
+
+                    // With 4.x to 5.x upgrade
+                    // - there cannot be same local scope assigned in 2 different APIs
+                    // - local scopes will be deprecated in the future, so need to move all scopes as shared scopes
+
+                    // if an api scope is not available as shared scope, but already assigned as local scope -> that means, the scopes available for this API has not moved as shared scopes
+                    // in order to do that :
+                    // 1. update the same API removing scopes from URI templates
+                    // 2. add scopes as shared scopes
+                    // 3. update the API again adding scopes for the URI Templates
+
+                    // if an api scope is not available as shared scope, and not assigned as local scope -> that means, there are new scopes
+                    // 1. add new scopes as shared scopes
+                    // 2. update the API adding scopes for the URI Templates
+
+                    Set<String> allSharedScopeKeys = apiProvider.getAllSharedScopeKeys(tenantDomain);
+                    Set<ApiScope> scopesToMoveAsSharedScopes = new HashSet<>();
+                    for (ApiScope apiScope : apiConfig.getScopes()) {
+                        // if the scope is not available as shared scope and it is assigned to an API as a local scope
+                        // need remove the local scope and add as a shared scope
+                        if (!allSharedScopeKeys.contains(apiScope.getKey())) {
+                            if (apiProvider.isScopeKeyAssignedLocally(apiIdentifier, apiScope.getKey(), tenantId)) {
+                                // collect scope to move as shared scopes
+                                scopesToMoveAsSharedScopes.add(apiScope);
+                            } else {
+                                // if new scope add as shared scope
+                                Scope scope = new Scope();
+                                scope.setName(apiScope.getName());
+                                scope.setDescription(apiScope.getDescription());
+                                scope.setKey(apiScope.getKey());
+                                scope.setRoles(apiScope.getRoles());
+                                apiProvider.addSharedScope(scope, tenantDomain);
+                            }
+                        } else {
+                            // if already available as shared scope -> update
+                            Scope scope = new Scope();
+                            scope.setName(apiScope.getName());
+                            scope.setDescription(apiScope.getDescription());
+                            scope.setKey(apiScope.getKey());
+                            scope.setRoles(apiScope.getRoles());
+                            apiProvider.updateSharedScope(scope, tenantDomain);
+                        }
+                    }
+
+                    // Get existing API
+                    API existingAPI = apiProvider.getAPI(apiIdentifier);
+
+                    if (scopesToMoveAsSharedScopes.size() > 0) {
+                        // update API to remove local scopes
+                        API api = getAPI(apiConfig, false);
+                        api.setStatus(existingAPI.getStatus());
+                        apiProvider.updateAPI(api);
+
+                        for (ApiScope apiScope : scopesToMoveAsSharedScopes) {
+                            Scope scope = new Scope();
+                            scope.setName(apiScope.getName());
+                            scope.setDescription(apiScope.getDescription());
+                            scope.setKey(apiScope.getKey());
+                            scope.setRoles(apiScope.getRoles());
+                            apiProvider.addSharedScope(scope, tenantDomain);
+                        }
+                    }
+
+                    existingAPI = apiProvider.getAPI(apiIdentifier);
+                    API api = getAPI(apiConfig, true);
                     api.setStatus(existingAPI.getStatus());
                     apiProvider.updateAPI(api);
-                    if (api.getId().getName().equals(existingAPI.getId().getName()) &&
+
-                            api.getId().getVersion().equals(existingAPI.getId().getVersion())) {
+                    if (CREATED_STATUS.equals(existingAPI.getStatus())) {
-                        if (CREATED_STATUS.equals(existingAPI.getStatus())) {
+                        apiProvider.changeLifeCycleStatus(tenantDomain, existingAPI.getUuid(), PUBLISH_ACTION, null);
-                            apiProvider.changeLifeCycleStatus(tenantDomain, existingAPI.getUuid(), PUBLISH_ACTION, null);
+                        APIRevision apiRevision = new APIRevision();
-                        }
+                        apiRevision.setApiUUID(existingAPI.getUuid());
+                        apiRevision.setDescription("Updated Revision");
+                        String apiRevisionId = apiProvider.addAPIRevision(apiRevision, tenantDomain);
+
+                        List<APIRevisionDeployment> apiRevisionDeploymentList = apiProvider.getAPIRevisionDeploymentList(apiRevisionId);
+                        apiProvider.deployAPIRevision(existingAPI.getUuid(), apiRevisionId, apiRevisionDeploymentList);
                     }
                 }
             }
@@ -105,7 +191,7 @@ public class APIPublisherServiceImpl implements APIPublisherService {
         }
     }
 
-    private API getAPI(APIConfig config) {
+    private API getAPI(APIConfig config, boolean includeScopes) {
 
         APIIdentifier apiIdentifier = new APIIdentifier(config.getOwner(), config.getName(), config.getVersion());
         API api = new API(apiIdentifier);
@@ -129,13 +215,15 @@ public class APIPublisherServiceImpl implements APIPublisherService {
             uriTemplate.setHTTPVerb(apiUriTemplate.getHttpVerb());
             uriTemplate.setResourceURI(apiUriTemplate.getResourceURI());
             uriTemplate.setUriTemplate(apiUriTemplate.getUriTemplate());
-            Scope scope = new Scope();
+            if (includeScopes) {
-            if (apiUriTemplate.getScope() != null) {
+                Scope scope = new Scope();
-                scope.setName(apiUriTemplate.getScope().getName());
+                if (apiUriTemplate.getScope() != null) {
-                scope.setDescription(apiUriTemplate.getScope().getDescription());
+                    scope.setName(apiUriTemplate.getScope().getName());
-                scope.setKey(apiUriTemplate.getScope().getKey());
+                    scope.setDescription(apiUriTemplate.getScope().getDescription());
-                scope.setRoles(apiUriTemplate.getScope().getRoles());
+                    scope.setKey(apiUriTemplate.getScope().getKey());
-                uriTemplate.setScope(scope);
+                    scope.setRoles(apiUriTemplate.getScope().getRoles());
+                    uriTemplate.setScopes(scope);
+                }
             }
             uriTemplates.add(uriTemplate);
         }

components/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher/src/main/java/org/wso2/carbon/apimgt/webapp/publisher/dto/ApiScope.java

@@ -23,6 +23,7 @@ public class ApiScope {
     String key;
     String name;
     String roles;
+    String permissions;
     String description;
     int id;
 
@@ -61,4 +62,11 @@ public class ApiScope {
         this.description = description;
     }
 
+    public String getPermissions() {
+        return permissions;
+    }
+
+    public void setPermissions(String permissions) {
+        this.permissions = permissions;
+    }
 }

components/apimgt-extensions/org.wso2.carbon.apimgt.webapp.publisher/src/main/java/org/wso2/carbon/apimgt/webapp/publisher/lifecycle/util/AnnotationProcessor.java

@@ -70,6 +70,7 @@ public class AnnotationProcessor {
     private static final String SWAGGER_ANNOTATIONS_PROPERTIES_DESCRIPTION = "description";
     private static final String SWAGGER_ANNOTATIONS_PROPERTIES_KEY = "key";
     private static final String SWAGGER_ANNOTATIONS_PROPERTIES_PERMISSIONS = "permissions";
+    private static final String SWAGGER_ANNOTATIONS_PROPERTIES_ROLES = "roles";
     private static final String SWAGGER_ANNOTATIONS_PROPERTIES_VERSION = "version";
     private static final String SWAGGER_ANNOTATIONS_PROPERTIES_CONTEXT = "context";
     private static final String SWAGGER_ANNOTATIONS_PROPERTIES_VALUE = "value";
@@ -78,6 +79,7 @@ public class AnnotationProcessor {
     private static final String DEFAULT_SCOPE_NAME = "default admin scope";
     private static final String DEFAULT_SCOPE_KEY = "perm:admin";
     private static final String DEFAULT_SCOPE_PERMISSION = "/permision/device-mgt";
+    private static final String DEFAULT_SCOPE_ROLE = "admin";
 
     private static final String PERMISSION_PREFIX = "/permission/admin";
 
@@ -217,8 +219,11 @@ public class AnnotationProcessor {
         ApiScope scope;
         String permissions[];
         StringBuilder aggregatedPermissions;
+        String roles[];
+        StringBuilder aggregatedRoles;
         for(int i=0; i<annotatedScopes.length; i++){
             aggregatedPermissions = new StringBuilder();
+            aggregatedRoles = new StringBuilder();
             methodHandler = Proxy.getInvocationHandler(annotatedScopes[i]);
             scope = new ApiScope();
             scope.setName(invokeMethod(scopeClass
@@ -234,7 +239,14 @@ public class AnnotationProcessor {
                 aggregatedPermissions.append(permission);
                 aggregatedPermissions.append(" ");
             }
-            scope.setRoles(aggregatedPermissions.toString().trim());
+            scope.setPermissions(aggregatedPermissions.toString().trim());
+            roles = (String[])methodHandler.invoke(annotatedScopes[i], scopeClass
+                    .getMethod(SWAGGER_ANNOTATIONS_PROPERTIES_ROLES, null),null);
+            for (String role : roles) {
+                aggregatedRoles.append(role);
+                aggregatedRoles.append(",");
+            }
+            scope.setRoles(aggregatedRoles.substring(0, aggregatedRoles.lastIndexOf(",")));
             scopes.put(scope.getKey(), scope);
         }
         return scopes;
@@ -288,7 +300,8 @@ public class AnnotationProcessor {
                             scope.setName(DEFAULT_SCOPE_NAME);
                             scope.setDescription(DEFAULT_SCOPE_NAME);
                             scope.setKey(DEFAULT_SCOPE_KEY);
-                            scope.setRoles(DEFAULT_SCOPE_PERMISSION);
+                            scope.setRoles(DEFAULT_SCOPE_ROLE);
+                            scope.setPermissions(DEFAULT_SCOPE_PERMISSION);
                             resource.setScope(scope);
                         }
                     }

components/application-mgt/org.wso2.carbon.device.application.mgt.publisher.api/src/main/java/org/wso2/carbon/device/application/mgt/publisher/api/services/ApplicationManagementPublisherAPI.java

@@ -86,12 +86,14 @@ import javax.ws.rs.core.Response;
                         name = "Get ApplicationDTO Details",
                         description = "Get application details",
                         key = "perm:app:publisher:view",
+                        roles = {"Internal/everyone"},
                         permissions = {"/app-mgt/publisher/application/view"}
                 ),
                 @Scope(
                         name = "Update an ApplicationDTO",
                         description = "Update an application",
                         key = "perm:app:publisher:update",
+                        roles = {"Internal/everyone"},
                         permissions = {"/app-mgt/publisher/application/update"}
                 )
         }

components/application-mgt/org.wso2.carbon.device.application.mgt.publisher.api/src/main/java/org/wso2/carbon/device/application/mgt/publisher/api/services/admin/ApplicationManagementPublisherAdminAPI.java

@@ -68,6 +68,7 @@ import java.util.List;
                         name = "Delete Application Release",
                         description = "Delete Application Release",
                         key = "perm:admin:app:publisher:update",
+                        roles = {"admin"},
                         permissions = {"/app-mgt/publisher/admin/application/update"}
                 )
         }

components/application-mgt/org.wso2.carbon.device.application.mgt.publisher.api/src/main/java/org/wso2/carbon/device/application/mgt/publisher/api/services/admin/ReviewManagementPublisherAdminAPI.java

@@ -65,12 +65,14 @@ scopes = {
                 name = "Update a Review",
                 description = "Update a Review of application.",
                 key = "perm:admin:app:review:update",
+                roles = {"admin"},
                 permissions = {"/app-mgt/publisher/admin/review/update"}
         ),
         @Scope(
                 name = "Get Review Details",
                 description = "Get review details of application.",
                 key = "perm:admin:app:review:view",
+                roles = {"admin"},
                 permissions = {"/app-mgt/publisher/admin/review/view"}
         )
 }

components/application-mgt/org.wso2.carbon.device.application.mgt.store.api/src/main/java/org/wso2/carbon/device/application/mgt/store/api/services/ApplicationManagementAPI.java

@@ -68,6 +68,7 @@ import javax.ws.rs.core.Response;
                         name = "Get Application Details",
                         description = "Get application details",
                         key = "perm:app:store:view",
+                        roles = {"Internal/everyone"},
                         permissions = {"/app-mgt/store/application/view"}
                 )
         }

components/application-mgt/org.wso2.carbon.device.application.mgt.store.api/src/main/java/org/wso2/carbon/device/application/mgt/store/api/services/ReviewManagementAPI.java

@@ -73,12 +73,14 @@ import java.util.List;
                         name = "Get Review Details",
                         description = "Get review details from application store.",
                         key = "perm:app:review:view",
+                        roles = {"Internal/everyone"},
                         permissions = {"/app-mgt/store/review/view"}
                 ),
                 @Scope(
                         name = "Update a Review",
                         description = "Update a Review from the application store.",
                         key = "perm:app:review:update",
+                        roles = {"Internal/everyone"},
                         permissions = {"/app-mgt/store/review/update"}
                 ),
         }

components/application-mgt/org.wso2.carbon.device.application.mgt.store.api/src/main/java/org/wso2/carbon/device/application/mgt/store/api/services/SubscriptionManagementAPI.java

@@ -27,6 +27,7 @@ import io.swagger.annotations.ExtensionProperty;
 import io.swagger.annotations.Info;
 import io.swagger.annotations.SwaggerDefinition;
 import io.swagger.annotations.Tag;
+import org.wso2.carbon.apimgt.annotations.api.Scope;
 import org.wso2.carbon.apimgt.annotations.api.Scopes;
 import org.wso2.carbon.device.application.mgt.common.ErrorResponse;
 import org.wso2.carbon.device.mgt.common.DeviceIdentifier;
@@ -65,16 +66,18 @@ import java.util.List;
 )
 @Scopes(
         scopes = {
-                @org.wso2.carbon.apimgt.annotations.api.Scope(
+                @Scope(
                         name = "Install an ApplicationDTO",
                         description = "Install an application",
                         key = "perm:app:subscription:install",
+                        roles = {"Internal/everyone"},
                         permissions = {"/app-mgt/store/subscription/install"}
                 ),
-                @org.wso2.carbon.apimgt.annotations.api.Scope(
+                @Scope(
                         name = "Uninstall an Application",
                         description = "Uninstall an application",
                         key = "perm:app:subscription:uninstall",
+                        roles = {"Internal/everyone"},
                         permissions = {"/app-mgt/store/subscription/uninstall"}
                 )
         }

components/application-mgt/org.wso2.carbon.device.application.mgt.store.api/src/main/java/org/wso2/carbon/device/application/mgt/store/api/services/admin/ReviewManagementStoreAdminAPI.java

@@ -63,6 +63,7 @@ scopes = {
                 name = "Update a Review",
                 description = "Update a Review of applications.",
                 key = "perm:admin:app:review:update",
+                roles = {"admin"},
                 permissions = {"/app-mgt/store/admin/review/update"}
         )
 }

components/application-mgt/org.wso2.carbon.device.application.mgt.store.api/src/main/java/org/wso2/carbon/device/application/mgt/store/api/services/admin/SubscriptionManagementAdminAPI.java

@@ -67,6 +67,7 @@ import java.util.List;
                         name = "View Application Subscriptions",
                         description = "View Application Subscriptions.",
                         key = "perm:admin:app:subscription:view",
+                        roles = {"admin"},
                         permissions = {"/app-mgt/store/admin/subscription/view"}
                 )
         }

components/certificate-mgt/org.wso2.carbon.certificate.mgt.api/src/main/java/org/wso2/carbon/certificate/mgt/jaxrs/api/CertificateMgtService.java

@@ -41,6 +41,7 @@ import javax.ws.rs.core.Response;
                 name = "Sign CSR",
                 description = "Sign CSR",
                 key = "perm:sign-csr",
+                roles = {"Internal/everyone"},
                 permissions = {"/device-mgt/certificates/manage"}
         )
 }

components/certificate-mgt/org.wso2.carbon.certificate.mgt.cert.admin.api/src/main/java/org/wso2/carbon/certificate/mgt/cert/jaxrs/api/CertificateManagementAdminService.java

@@ -45,30 +45,35 @@ import javax.ws.rs.core.Response;
                 name = "Adding a new SSL certificate",
                 description = "Adding a new SSL certificate",
                 key = "perm:admin:certificates:add",
+                roles = {"admin"},
                 permissions = {"/device-mgt/admin/certificates/add"}
         ),
         @Scope(
                 name = "Getting Details of an SSL Certificate",
                 description = "Getting Details of an SSL Certificate",
                 key = "perm:admin:certificates:details",
+                roles = {"admin"},
                 permissions = {"/device-mgt/admin/certificates/details"}
         ),
         @Scope(
                 name = "Getting Details of Certificates",
                 description = "Getting Details of Certificates",
                 key = "perm:admin:certificates:view",
+                roles = {"admin"},
                 permissions = {"/device-mgt/admin/certificates/view"}
         ),
         @Scope(
                 name = "Deleting an SSL Certificate",
                 description = "Deleting an SSL Certificate",
                 key = "perm:admin:certificates:delete",
+                roles = {"admin"},
                 permissions = {"/device-mgt/admin/certificates/delete"}
         ),
         @Scope(
                 name = "Verify SSL certificate",
                 description = "Verify SSL certificate",
                 key = "perm:admin:certificates:verify",
+                roles = {"admin"},
                 permissions = {"/device-mgt/admin/certificates/verify"}
         )
 }

components/device-mgt/io.entgra.carbon.device.mgt.config.api/src/main/java/io/entgra/carbon/device/mgt/config/jaxrs/service/DeviceManagementConfigService.java

@@ -71,24 +71,28 @@ import java.util.List;
                 name = "View configurations",
                 description = "",
                 key = "perm:view-configuration",
+                roles = {"Internal/everyone"},
                 permissions = {"/device-mgt/platform-configurations/view"}
         ),
         @Scope(
                 name = "Manage configurations",
                 description = "",
                 key = "perm:manage-configuration",
+                roles = {"Internal/everyone"},
                 permissions = {"/device-mgt/platform-configurations/manage"}
         ),
         @Scope(
                 name = "Getting Details of Device tenants",
                 description = "Getting Details of Device tenants",
                 key = "perm:admin:tenant:view",
+                roles = {"Internal/everyone"},
                 permissions = {"/tenants/view"}
         ),
         @Scope(
                 name = "Add a permission to the permission tree",
                 description = "Add a permission to the permission tree",
                 key = "perm:admin:permissions:add",
+                roles = {"Internal/everyone"},
                 permissions = {"/permissions/add"}
         )
 }

components/device-mgt/io.entgra.carbon.device.mgt.config.api/src/main/java/io/entgra/carbon/device/mgt/config/jaxrs/service/impl/DeviceManagementConfigServiceImpl.java

@@ -37,13 +37,13 @@ import org.wso2.carbon.device.mgt.common.exceptions.DeviceManagementException;
 import org.wso2.carbon.device.mgt.common.exceptions.DeviceNotFoundException;
 import org.wso2.carbon.device.mgt.common.general.TenantDetail;
 import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
-import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
 import org.wso2.carbon.device.mgt.core.DeviceManagementConstants;
 import org.wso2.carbon.device.mgt.core.config.DeviceConfigurationManager;
 import org.wso2.carbon.device.mgt.core.config.DeviceManagementConfig;
 import org.wso2.carbon.device.mgt.core.config.keymanager.KeyManagerConfigurations;
 import org.wso2.carbon.device.mgt.core.config.ui.UIConfiguration;
 import org.wso2.carbon.device.mgt.core.config.ui.UIConfigurationManager;
+import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionUtils;
 import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
 import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil;
 import org.wso2.carbon.identity.jwt.client.extension.dto.AccessTokenInfo;
@@ -274,15 +274,16 @@ public class DeviceManagementConfigServiceImpl implements DeviceManagementConfig
     @Path("/permissions")
     @Produces({MediaType.APPLICATION_JSON})
     public Response addPermission(List<String> permissions) {
-        PermissionManagerService permissionService = DeviceMgtAPIUtils.getPermissionManagerService();
+//        PermissionManagerService permissionService = DeviceMgtAPIUtils.getPermissionManagerService();
-        org.wso2.carbon.device.mgt.common.permission.mgt.Permission permission = new org
+//        org.wso2.carbon.device.mgt.common.permission.mgt.Permission permission = new org
-                .wso2.carbon.device.mgt.common.permission.mgt.Permission();
+//                .wso2.carbon.device.mgt.common.permission.mgt.Permission();
 
         for (String path : permissions) {
-            permission.setPath(path);
+//            permission.setPath(path);
-            permission.setUrl(path);
+//            permission.setUrl(path);
             try {
-                permissionService.addPermission(permission);
+                PermissionUtils.putPermission(path);
+//                permissionService.addPermission(permission);
             } catch (PermissionManagementException e) {
                 String msg = "Error occurred adding permission";
                 log.error(msg, e);

components/device-mgt/io.entgra.carbon.device.mgt.config.api/src/main/java/io/entgra/carbon/device/mgt/config/jaxrs/util/DeviceMgtAPIUtils.java

@@ -21,7 +21,6 @@ package io.entgra.carbon.device.mgt.config.jaxrs.util;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.context.PrivilegedCarbonContext;
-import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
 import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderService;
 import org.wso2.carbon.user.core.service.RealmService;
 
@@ -33,7 +32,6 @@ public class DeviceMgtAPIUtils {
     private static final Log log = LogFactory.getLog(DeviceMgtAPIUtils.class);
 
     private static DeviceManagementProviderService deviceManagementProviderService = null;
-    private static PermissionManagerService permissionManagerService = null;
     private static RealmService realmService = null;
 
     public static DeviceManagementProviderService getDeviceManagementService() {
@@ -50,20 +48,6 @@ public class DeviceMgtAPIUtils {
         return deviceManagementProviderService;
     }
 
-    public static PermissionManagerService getPermissionManagerService() {
-        if (permissionManagerService == null) {
-            PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();
-            permissionManagerService =
-                    (PermissionManagerService) ctx.getOSGiService(PermissionManagerService.class, null);
-            if (permissionManagerService == null) {
-                String msg = "Permission Management provider service has not initialized.";
-                log.error(msg);
-                throw new IllegalStateException(msg);
-            }
-        }
-        return permissionManagerService;
-    }
-
     public static RealmService getRealmService() {
         if (realmService == null) {
             PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ActivityInfoProviderService.java

@@ -76,6 +76,7 @@ import javax.ws.rs.core.Response;
                 name = "Get activities",
                 description = "Get activities",
                 key = "perm:get-activity",
+                roles = {"Internal/everyone"},
                 permissions = {"/device-mgt/devices/owning-device/view"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/AnalyticsArtifactsManagementService.java

@@ -68,41 +68,49 @@ import javax.ws.rs.core.Response;
                         name = "Create Event Stream Artifact",
                         description = "Create Event Stream Artifact",
                         key = "perm:analytics:artifacts:stream",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/analytics/artifacts/stream/add"}),
                 @Scope(
                         name = "Delete Stream Artifact",
                         description = "Delete Stream Artifact",
                         key = "perm:analytics:artifacts:stream:delete",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/analytics/artifacts/stream/delete"}),
                 @Scope(
                         name = "Create Event Receiver Artifact",
                         description = "Create Event Receiver Artifact",
                         key = "perm:analytics:artifacts:receiver",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/analytics/artifacts/receiver/add"}),
                 @Scope(
                         name = "Delete Receiver Artifact",
                         description = "Delete Receiver Artifact",
                         key = "perm:analytics:artifacts:receiver:delete",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/analytics/artifacts/receiver/delete"}),
                 @Scope(
                         name = "Create Event Publisher Artifact",
                         description = "Create Event Publisher Artifact",
                         key = "perm:analytics:artifacts:publisher",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/analytics/artifacts/publisher/add"}),
                 @Scope(
                         name = "Delete Publisher Artifact",
                         description = "Delete Publisher Artifact",
                         key = "perm:analytics:artifacts:publisher:delete",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/analytics/artifacts/publisher/delete"}),
                 @Scope(
                         name = "Create Siddhi Script Artifact",
                         description = "Create Siddhi Script Artifact",
                         key = "perm:analytics:artifacts:siddhi",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/analytics/artifacts/siddhi-script/add"}),
                 @Scope(
                         name = "Delete Siddhi Script Artifact",
                         description = "Delete Siddhi Script Artifact",
                         key = "perm:analytics:artifacts:siddhi:delete",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/analytics/artifacts/siddhi-script/delete"})
         }
 )

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ConfigurationManagementService.java

@@ -69,12 +69,14 @@ import javax.ws.rs.core.Response;
                 name = "View configurations",
                 description = "",
                 key = "perm:view-configuration",
+                roles = {"Internal/everyone"},
                 permissions = {"/device-mgt/platform-configurations/view"}
         ),
         @Scope(
                 name = "Manage configurations",
                 description = "",
                 key = "perm:manage-configuration",
+                roles = {"Internal/everyone"},
                 permissions = {"/device-mgt/platform-configurations/manage"}
         )
 }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceAgentService.java

@@ -77,30 +77,35 @@ import java.util.Map;
                         name = "Enroll Device",
                         description = "Register a device",
                         key = "perm:device:enroll",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/add"}
                 ),
                 @Scope(
                         name = "Modify Device",
                         description = "Modify a device",
                         key = "perm:device:modify",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/modify"}
                 ),
                 @Scope(
                         name = "Disenroll Device",
                         description = "Disenroll a device",
                         key = "perm:device:disenroll",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/remove"}
                 ),
                 @Scope(
                         name = "Publish Event",
                         description = "publish device event",
                         key = "perm:device:publish-event",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/event"}
                 ),
                 @Scope(
                         name = "Getting Device Operation Details",
                         description = "Getting Device Operation Details",
                         key = "perm:device:operations",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/view"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceEventManagementService.java

@@ -51,12 +51,14 @@ import javax.ws.rs.core.Response;
                         name = "Add or Delete Event Definition for device type",
                         description = "Add or Delete Event Definition for device type",
                         key = "perm:device-types:events",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/device-type/add"}
                 ),
                 @Scope(
                         name = "Get Events Details of a Device Type",
                         description = "Get Events Details of a Device Type",
                         key = "perm:device-types:events:view",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/view"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceManagementService.java

@@ -107,66 +107,77 @@ import java.util.List;
                         name = "Getting Details of Registered Devices",
                         description = "Getting Details of Registered Devices",
                         key = "perm:devices:view",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/view"}
                 ),
                 @Scope(
                         name = "Getting Details of a Device",
                         description = "Getting Details of a Device",
                         key = "perm:devices:details",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/view"}
                 ),
                 @Scope(
                         name = "Update the device specified by device id",
                         description = "Update the device specified by device id",
                         key = "perm:devices:update",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/view"}
                 ),
                 @Scope(
                         name = "Delete the device specified by device id",
                         description = "Delete the device specified by device id",
                         key = "perm:devices:delete",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/view"}
                 ),
                 @Scope(
                         name = "Getting Feature Details of a Device",
                         description = "Getting Feature Details of a Device",
                         key = "perm:devices:features",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/view"}
                 ),
                 @Scope(
                         name = "Advanced Search for Devices",
                         description = "Advanced Search for Devices",
                         key = "perm:devices:search",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/view"}
                 ),
                 @Scope(
                         name = "Getting Installed Application Details of a Device",
                         description = "Getting Installed Application Details of a Device",
                         key = "perm:devices:applications",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/view"}
                 ),
                 @Scope(
                         name = "Getting Device Operation Details",
                         description = "Getting Device Operation Details",
                         key = "perm:devices:operations",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/view"}
                 ),
                 @Scope(
                         name = "Get the details of the policy that is enforced on a device.",
                         description = "Get the details of the policy that is enforced on a device.",
                         key = "perm:devices:effective-policy",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/view"}
                 ),
                 @Scope(
                         name = "Getting Policy Compliance Details of a Device",
                         description = "Getting Policy Compliance Details of a Device",
                         key = "perm:devices:compliance-data",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/view"}
                 ),
                 @Scope(
                         name = "Change device status.",
                         description = "Change device status.",
                         key = "perm:devices:change-status",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/change-status"}
                 ),
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/DeviceTypeManagementService.java

@@ -87,24 +87,28 @@ import javax.ws.rs.core.Response;
                         name = "Getting the Supported Device Platforms",
                         description = "Getting the Supported Device Platforms",
                         key = "perm:device-types:types",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/device-type/view"}
                 ),
                 @Scope(
                         name = "Get Feature Details of a Device Type",
                         description = "Get Feature Details of a Device Type",
                         key = "perm:device-types:features",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/device-type/features/view"}
                 ),
                 @Scope(
                         name = "Get Config Details of a Device Type",
                         description = "Get Config Details of a Device Type",
                         key = "perm:device-types:configs",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/device-type/config/view"}
                 ),
                 @Scope(
                         name = "Getting Details of Policies",
                         description = "Getting Details of Policies",
                         key = "perm:policies:get-details",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/policies/view"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/GeoLocationBasedService.java

@@ -73,18 +73,21 @@ import java.util.List;
                         name = "View Analytics",
                         description = "",
                         key = "perm:geo-service:analytics-view",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/view-analytics"}
                 ),
                 @Scope(
                         name = "Manage Alerts",
                         description = "",
                         key = "perm:geo-service:alerts-manage",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/manage-alerts"}
                 ),
                 @Scope(
                         name = "Manage Geo Fences",
                         description = "",
                         key = "perm:geo-service:geo-fence",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/manage-geo-fence"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/GroupManagementService.java

@@ -82,84 +82,98 @@ import java.util.List;
                         name = "Get the list of groups belongs to current user.",
                         description = "Get the list of groups belongs to current user.",
                         key = "perm:groups:groups",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/groups/view"}
                 ),
                 @Scope(
                         name = "Get the count of groups belongs to current user.",
                         description = "Get the count of groups belongs to current user.",
                         key = "perm:groups:count",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/groups/view"}
                 ),
                 @Scope(
                         name = "Add new device group to the system.",
                         description = "Add new device group to the system.",
                         key = "perm:groups:add",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/groups/add"}
                 ),
                 @Scope(
                         name = "View group specified",
                         description = "View group specified",
                         key = "perm:groups:groups-view",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/groups/view"}
                 ),
                 @Scope(
                         name = "Update a group",
                         description = "Update a group",
                         key = "perm:groups:update",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/groups/update"}
                 ),
                 @Scope(
                         name = "Delete a group",
                         description = "Delete a group",
                         key = "perm:groups:remove",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/groups/remove"}
                 ),
                 @Scope(
                         name = "Manage group sharing with a user",
                         description = "Manage group sharing with a user",
                         key = "perm:groups:share",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/groups/share"}
                 ),
                 @Scope(
                         name = "View list of roles of a device group",
                         description = "View list of roles of a device group",
                         key = "perm:groups:roles",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/groups/roles/view"}
                 ),
                 @Scope(
                         name = "View list of devices in the device group",
                         description = "View list of devices in the device group",
                         key = "perm:groups:devices",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/groups/devices/view"}
                 ),
                 @Scope(
                         name = "View list of device count in the device group",
                         description = "View list of device count in the device group",
                         key = "perm:groups:devices-count",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/groups/devices/view"}
                 ),
                 @Scope(
                         name = "Add devices to group",
                         description = "Add devices to group",
                         key = "perm:groups:devices-add",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/groups/devices/add"}
                 ),
                 @Scope(
                         name = "Remove devices from group",
                         description = "Remove devices from group",
                         key = "perm:groups:devices-remove",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/groups/devices/remove"}
                 ),
                 @Scope(
                         name = "Assign devices to groups",
                         description = "Assign devices to groups",
                         key = "perm:groups:assign",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/groups/devices/add"}
                 ),
                 @Scope(
                         name = "List of groups that have the device",
                         description = "List of groups that have the device",
                         key = "perm:groups:device",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/groups/devices/view"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/MetadataService.java

@@ -73,24 +73,28 @@ import javax.ws.rs.core.Response;
                         name = "View metadata records",
                         description = "View metadata records",
                         key = "perm:metadata:view",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/metadata/view"}
                 ),
                 @Scope(
                         name = "Create a metadata record",
                         description = "Create a metadata record",
                         key = "perm:metadata:create",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/metadata/create"}
                 ),
                 @Scope(
                         name = "Update a metadata record",
                         description = "Updating a specified metadata record",
                         key = "perm:metadata:update",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/metadata/update"}
                 ),
                 @Scope(
                         name = "Delete a metadata record",
                         description = "Delete a specified metadata record",
                         key = "perm:metadata:remove",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/metadata/remove"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/NotificationManagementService.java

@@ -73,12 +73,14 @@ import javax.ws.rs.core.Response;
                         name = "Getting All Device Notification Details",
                         description = "Getting All Device Notification Details",
                         key = "perm:notifications:view",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/notifications/view"}
                 ),
                 @Scope(
                         name = "Updating the Device Notification Status",
                         description = "Updating the Device Notification Status",
                         key = "perm:notifications:mark-checked",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/notifications/view"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/PolicyManagementService.java

@@ -79,60 +79,70 @@ import java.util.List;
                         name = "Adding a Policy",
                         description = "Adding a Policy",
                         key = "perm:policies:manage",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/policies/manage"}
                 ),
                 @Scope(
                         name = "Getting Details of Policies",
                         description = "Getting Details of Policies",
                         key = "perm:policies:get-details",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/policies/view"}
                 ),
                 @Scope(
                         name = "Getting Details of a Policy",
                         description = "Getting Details of a Policy",
                         key = "perm:policies:get-policy-details",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/policies/view"}
                 ),
                 @Scope(
                         name = "Updating a Policy",
                         description = "Updating a Policy",
                         key = "perm:policies:update",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/policies/manage"}
                 ),
                 @Scope(
                         name = "Removing Multiple Policies",
                         description = "Removing Multiple Policies",
                         key = "perm:policies:remove",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/policies/manage"}
                 ),
                 @Scope(
                         name = "Activating Policies",
                         description = "Activating Policies",
                         key = "perm:policies:activate",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/policies/manage"}
                 ),
                 @Scope(
                         name = "Deactivating Policies",
                         description = "Deactivating Policies",
                         key = "perm:policies:deactivate",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/policies/manage"}
                 ),
                 @Scope(
                         name = "Applying Changes on Policies",
                         description = "Applying Changes on Policies",
                         key = "perm:policies:changes",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/policies/manage"}
                 ),
                 @Scope(
                         name = "Updating the Policy Priorities",
                         description = "Updating the Policy Priorities",
                         key = "perm:policies:priorities",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/policies/manage"}
                 ),
                 @Scope(
                         name = "Fetching the Effective Policy",
                         description = "Fetching the Effective Policy",
                         key = "perm:policies:effective-policy",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/policies/view"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/RemoteSessionService.java

@@ -61,6 +61,7 @@ import javax.ws.rs.core.Response;
                         name = "Remote Session Connection",
                         description = "",
                         key = "perm:remote-session-service:connect",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/remote-session"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/ReportManagementService.java

@@ -66,6 +66,7 @@ import java.util.List;
                         name = "Getting Details of Registered Devices",
                         description = "Getting Details of Registered Devices",
                         key = "perm:devices:view",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/view"}
                 ),
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/RoleManagementService.java

@@ -53,48 +53,56 @@ import java.util.List;
                         name = "Getting the List of Roles",
                         description = "Getting the List of Roles",
                         key = "perm:roles:view",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/roles/view"}
                 ),
                 @Scope(
                         name = "Getting Permission Details of a Role",
                         description = "Getting Permission Details of a Role",
                         key = "perm:roles:permissions",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/roles/view"}
                 ),
                 @Scope(
                         name = "Getting the List of Roles",
                         description = "Getting the List of Roles",
                         key = "perm:roles:details",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/roles/view"}
                 ),
                 @Scope(
                         name = "Adding a Role",
                         description = "Adding a Role",
                         key = "perm:roles:add",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/roles/manage"}
                 ),
                 @Scope(
                         name = "Adding a combined Role",
                         description = "Adding a combined Role",
                         key = "perm:roles:create-combined-role",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/roles/manage"}
                 ),
                 @Scope(
                         name = "Updating Role Details",
                         description = "Updating Role Details",
                         key = "perm:roles:update",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/roles/manage"}
                 ),
                 @Scope(
                         name = "Deleting a Role",
                         description = "Deleting a Role",
                         key = "perm:roles:delete",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/roles/manage"}
                 ),
                 @Scope(
                         name = "Adding Users to a Role",
                         description = "Adding Users to a Role",
                         key = "perm:roles:add-users",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/roles/manage"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/UserManagementService.java

@@ -97,78 +97,91 @@ import javax.ws.rs.core.Response;
                         name = "Adding a User",
                         description = "Adding a User",
                         key = "perm:users:add",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/users/manage"}
                 ),
                 @Scope(
                         name = "Getting Details of a User",
                         description = "Getting Details of a User",
                         key = "perm:users:details",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/users/view"}
                 ),
                 @Scope(
                         name = "Updating Details of a User",
                         description = "Updating Details of a User",
                         key = "perm:users:update",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/users/manage"}
                 ),
                 @Scope(
                         name = "Deleting a User",
                         description = "Deleting a User",
                         key = "perm:users:delete",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/users/manage"}
                 ),
                 @Scope(
                         name = "Getting the Role Details of a User",
                         description = "Getting the Role Details of a User",
                         key = "perm:users:roles",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/users/view"}
                 ),
                 @Scope(
                         name = "Getting Details of Users",
                         description = "Getting Details of Users",
                         key = "perm:users:user-details",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/users/view"}
                 ),
                 @Scope(
                         name = "Getting the User Count",
                         description = "Getting the User Count",
                         key = "perm:users:count",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/users/view"}
                 ),
                 @Scope(
                         name = "Getting the User existence status",
                         description = "Getting the User existence status",
                         key = "perm:users:is-exist",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/users/view"}
                 ),
                 @Scope(
                         name = "Searching for a User Name",
                         description = "Searching for a User Name",
                         key = "perm:users:search",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/users/view"}
                 ),
                 @Scope(
                         name = "Changing the User Password",
                         description = "Adding a User",
                         key = "perm:users:credentials",
+                        roles = {"Internal/everyone"},
                         permissions = {"/login"}
                 ),
                 @Scope(
                         name = "Sending Enrollment Invitations to Users",
                         description = "Sending Enrollment Invitations to Users",
                         key = "perm:users:send-invitation",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/users/manage"}
                 ),
                 @Scope(
                         name = "Get activities",
                         description = "Get activities",
                         key = "perm:get-activity",
+                        roles = {"Internal/everyone"},
                         permissions = {"/device-mgt/devices/owning-device/view"}
                 ),
                 @Scope(
                         name = "Getting the Permissions of the User",
                         description = "Getting the Permissions of the User",
                         key = "perm:user:permission-view",
+                        roles = {"Internal/everyone"},
                         permissions = {"/login"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/ApplicationManagementAdminService.java

@@ -67,12 +67,14 @@ import javax.ws.rs.core.Response;
                         name = "Installing an Application (Internal API)",
                         description = "Installing an Application (Internal API)",
                         key = "perm:applications:install",
+                        roles = {"admin"},
                         permissions = {"/device-mgt/applications/manage"}
                 ),
                 @Scope(
                         name = "Uninstalling an Application (Internal API)",
                         description = "Uninstalling an Application (Internal API)",
                         key = "perm:applications:uninstall",
+                        roles = {"admin"},
                         permissions = {"/device-mgt/applications/manage"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceAccessAuthorizationAdminService.java

@@ -67,6 +67,7 @@ import javax.ws.rs.core.Response;
                         name = "Verify device authorization",
                         description = "Verify device authorization",
                         key = "perm:authorization:verify",
+                        roles = {"admin"},
                         permissions = {"/device-mgt/authorization/verify"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceAnalyticsArtifactUploaderAdminService.java

@@ -57,6 +57,7 @@ import javax.ws.rs.core.Response;
                         name = "Devicetype deployment",
                         description = "Deploy devicetype",
                         key = "perm:devicetype:deployment",
+                        roles = {"admin"},
                         permissions = {"/device-mgt/devicetype/deploy"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceManagementAdminService.java

@@ -94,18 +94,21 @@ import java.util.List;
                         name = "Getting Details of a Device",
                         description = "Getting Details of a Device",
                         key = "perm:admin:devices:view",
+                        roles = {"admin"},
                         permissions = {"/device-mgt/devices/owning-device/view"}
                 ),
                 @Scope(
                         name = "Update the Device Owner",
                         description = "Update the ownership of the device",
                         key = "perm:admin:devices:update-enrollment",
+                        roles = {"admin"},
                         permissions = {"/device-mgt/admin/devices/update-enrollment"}
                 ),
                 @Scope(
                         name = "Permanently Delete the device specified by device id",
                         description = "Permanently Delete the device specified by device id",
                         key = "perm:devices:permanent-delete",
+                        roles = {"admin"},
                         permissions = {"/device-mgt/admin/devices/permanent-delete"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/DeviceTypeManagementAdminService.java

@@ -92,18 +92,21 @@ import javax.ws.rs.core.Response;
                         name = "Manage a Device Type",
                         description = "Add, Edit or View a Device Type",
                         key = "perm:admin:device-type",
+                        roles = {"admin"},
                         permissions = {"/device-mgt/admin/device-type"}
                 ),
                 @Scope(
                         name = "Getting Details of a Device Type",
                         description = "Getting Details of a Device Type",
                         key = "perm:admin:device-type:view",
+                        roles = {"admin"},
                         permissions = {"/device-mgt/admin/device-type/view"}
                 ),
                 @Scope(
                         name = "Add Device Type Config",
                         description = "Add Platform Config of a Device Type",
                         key = "perm:admin:device-type:configs",
+                        roles = {"admin"},
                         permissions = {"/device-mgt/admin/device-type/config"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/GroupManagementAdminService.java

@@ -70,18 +70,21 @@ import javax.ws.rs.core.Response;
                         name = "View groups",
                         description = "",
                         key = "perm:admin-groups:view",
+                        roles = {"admin"},
                         permissions = {"/device-mgt/admin/groups/view"}
                 ),
                 @Scope(
                         name = "Count groups",
                         description = "",
                         key = "perm:admin-groups:count",
+                        roles = {"admin"},
                         permissions = {"/device-mgt/admin/groups/view"}
                 ),
                 @Scope(
                         name = "Add groups",
                         description = "",
                         key = "perm:admin-groups:add",
+                        roles = {"admin"},
                         permissions = {"/device-mgt/admin/groups/add"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/service/api/admin/UserManagementAdminService.java

@@ -53,12 +53,14 @@ import javax.ws.rs.core.Response;
                         name = "View Users",
                         description = "View Users",
                         key = "perm:admin-users:view",
+                        roles = {"admin"},
                         permissions = {"/device-mgt/users/manage"}
                 ),
                 @Scope(
                         name = "Delete Users Device Information",
                         description = "Delete users device details",
                         key = "perm:admin-users:remove",
+                        roles = {"admin"},
                         permissions = {"/device-mgt/users/manage"}
                 )
         }

components/device-mgt/org.wso2.carbon.device.mgt.api/src/main/java/org/wso2/carbon/device/mgt/jaxrs/util/DeviceMgtAPIUtils.java

@@ -74,7 +74,6 @@ import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException;
 import org.wso2.carbon.device.mgt.common.metadata.mgt.MetadataManagementService;
 import org.wso2.carbon.device.mgt.common.notification.mgt.NotificationManagementService;
 import org.wso2.carbon.device.mgt.common.operation.mgt.Operation;
-import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
 import org.wso2.carbon.device.mgt.common.report.mgt.ReportManagementService;
 import org.wso2.carbon.device.mgt.common.spi.DeviceTypeGeneratorService;
 import org.wso2.carbon.device.mgt.common.spi.OTPManagementService;
@@ -549,16 +548,6 @@ public class DeviceMgtAPIUtils {
         return searchManagerService;
     }
 
-    public static PermissionManagerService getPermissionManagerService() {
-        PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();
-        PermissionManagerService PermissionManagerService =
-                (PermissionManagerService) ctx.getOSGiService(PermissionManagerService.class, null);
-        if (PermissionManagerService == null) {
-            throw new IllegalStateException("Permission manager service is not initialized.");
-        }
-        return PermissionManagerService;
-    }
-
     public static GeoLocationProviderService getGeoService() {
         PrivilegedCarbonContext ctx = PrivilegedCarbonContext.getThreadLocalCarbonContext();
         GeoLocationProviderService

components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/permission/mgt/Permission.java

@@ -18,9 +18,6 @@
 
 package org.wso2.carbon.device.mgt.common.permission.mgt;
 
-import javax.xml.bind.annotation.XmlElement;
-import javax.xml.bind.annotation.XmlRootElement;
-
 /**
  * This class represents the information related to permission.
  */
@@ -30,6 +27,7 @@ public class Permission {
     private String path; // permission string
     private String url; // url of the resource
     private String method; // http method
+    private String urlPattern;
 
     public String getUrl() {
         return url;
@@ -62,4 +60,12 @@ public class Permission {
     public void setPath(String path) {
         this.path = path;
     }
+
+    public String getUrlPattern() {
+        return urlPattern;
+    }
+
+    public void setUrlPattern(String urlPattern) {
+        this.urlPattern = urlPattern;
+    }
 }

components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/permission/mgt/PermissionManagerService.java

@@ -18,7 +18,7 @@
 
 package org.wso2.carbon.device.mgt.common.permission.mgt;
 
-import java.util.Properties;
+import java.util.List;
 
 /**
  * This represents the Permission management functionality which should be implemented by
@@ -26,22 +26,8 @@ import java.util.Properties;
  */
 public interface PermissionManagerService {
 
-    /**
+    boolean addPermission(String context, List<Permission> permissions) throws PermissionManagementException;
-     * Adds a permission.
-     *
-     * @param permission - Permission to be added
-     * @return A boolean indicating the status of the operation.
-     * @throws PermissionManagementException If some unusual behaviour is observed while adding the permission.
-     */
-    boolean addPermission(Permission permission) throws PermissionManagementException;
 
-    /**
+    List<Permission> getPermission(String context) throws PermissionManagementException;
-     * Fetches a given permission.
-     *
-     * @param properties - Properties of the permission to be fetched.
-     * @return The matched Permission object.
-     * @throws PermissionManagementException If some unusual behaviour is observed while fetching the permission.
-     */
-    Permission getPermission(Properties properties) throws PermissionManagementException;
 
 }

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/DeviceManagementConstants.java

@@ -42,6 +42,7 @@ public final class DeviceManagementConstants {
 
     public static final String DM_CACHE_MANAGER = "DM_CACHE_MANAGER";
     public static final String DEVICE_CACHE = "DEVICE_CACHE";
+    public static final String API_RESOURCE_PERMISSION_CACHE = "API_RESOURCE_CACHE_CACHE";
     public static final String GEOFENCE_CACHE = "GEOFENCE_CACHE";
     public static final String ENROLLMENT_NOTIFICATION_API_ENDPOINT = "/api/device-mgt/enrollment-notification";
     public static final String URL_SEPERATOR = "/";

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheKey.java

@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.wso2.carbon.device.mgt.core.cache;
+
+import java.util.Objects;
+
+public class APIResourcePermissionCacheKey {
+
+    private String context;
+    private volatile int hashCode;
+
+    public APIResourcePermissionCacheKey(String context) {
+        this.context = context;
+    }
+
+
+    public String getContext() {
+        return context;
+    }
+
+    public void setContext(String context) {
+        this.context = context;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == null) {
+            return false;
+        }
+        if (!APIResourcePermissionCacheKey.class.isAssignableFrom(obj.getClass())) {
+            return false;
+        }
+        final APIResourcePermissionCacheKey other = (APIResourcePermissionCacheKey) obj;
+        String thisId = this.context;
+        String otherId = other.context;
+        if (!thisId.equals(otherId)) {
+            return false;
+        }
+        return true;
+    }
+
+    @Override
+    public int hashCode() {
+        if (hashCode == 0) {
+            hashCode = Objects.hash(context);
+        }
+        return hashCode;
+    }
+}

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/APIResourcePermissionCacheManager.java

@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.wso2.carbon.device.mgt.core.cache;
+
+import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
+
+import java.util.List;
+
+public interface APIResourcePermissionCacheManager {
+
+    void addAPIResourcePermissionToCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions);
+
+    void updateAPIResourcePermissionInCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions);
+
+    List<Permission> getAPIResourceRermissionFromCache(APIResourcePermissionCacheKey cacheKey);
+}

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/cache/impl/APIResourcePermissionCacheManagerImpl.java

@@ -0,0 +1,84 @@
+/*
+ * Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.wso2.carbon.device.mgt.core.cache.impl;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
+import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey;
+import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheManager;
+import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil;
+
+import javax.cache.Cache;
+import java.util.List;
+
+public class APIResourcePermissionCacheManagerImpl implements APIResourcePermissionCacheManager {
+
+
+    private static final Log log = LogFactory.getLog(APIResourcePermissionCacheManagerImpl.class);
+
+    private static APIResourcePermissionCacheManagerImpl apiResourceCacgeManager;
+
+    private APIResourcePermissionCacheManagerImpl() {
+    }
+
+    public static APIResourcePermissionCacheManagerImpl getInstance() {
+        if (apiResourceCacgeManager == null) {
+            synchronized (APIResourcePermissionCacheManagerImpl.class) {
+                if (apiResourceCacgeManager == null) {
+                    apiResourceCacgeManager = new APIResourcePermissionCacheManagerImpl();
+                }
+            }
+        }
+        return apiResourceCacgeManager;
+    }
+
+
+    @Override
+    public void addAPIResourcePermissionToCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions) {
+        Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
+        if (lCache != null) {
+            if (lCache.containsKey(cacheKey)) {
+                this.updateAPIResourcePermissionInCache(cacheKey, permissions);
+            } else {
+                lCache.put(cacheKey, permissions);
+            }
+        }
+    }
+
+    @Override
+    public void updateAPIResourcePermissionInCache(APIResourcePermissionCacheKey cacheKey, List<Permission> permissions) {
+
+        Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
+        if (lCache != null) {
+            if (lCache.containsKey(cacheKey)) {
+                lCache.replace(cacheKey, permissions);
+            }
+        }
+
+    }
+
+    @Override
+    public List<Permission> getAPIResourceRermissionFromCache(APIResourcePermissionCacheKey cacheKey) {
+        Cache<APIResourcePermissionCacheKey, List<Permission>> lCache = DeviceManagerUtil.getAPIResourcePermissionCache();
+        if (lCache != null) {
+            return lCache.get(cacheKey);
+        }
+        return null;
+    }
+}

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/config/permission/AnnotationProcessor.java

@@ -67,6 +67,7 @@ public class AnnotationProcessor {
     private static final String SWAGGER_ANNOTATIONS_PROPERTIES_DESCRIPTION = "description";
     private static final String SWAGGER_ANNOTATIONS_PROPERTIES_KEY = "key";
     private static final String SWAGGER_ANNOTATIONS_PROPERTIES_PERMISSIONS = "permissions";
+    private static final String SWAGGER_ANNOTATIONS_PROPERTIES_ROLES = "roles";
     private static final String ANNOTATIONS_SCOPES = "scopes";
     private static final String ANNOTATIONS_SCOPE = "scope";
     private static final String DEFAULT_PERM_NAME = "default";
@@ -239,6 +240,7 @@ public class AnnotationProcessor {
                     subCtx = makeContextURLReady(resourceRootContext) + makeContextURLReady(subCtx);
                 }
                 permission.setUrl(replaceDynamicPathVariables(subCtx));
+                permission.setUrlPattern(permission.getUrl().replace("*", "[a-zA-Z0-9-_]+"));
                 String httpMethod;
                 for (int i = 0; i < annotations.length; i++) {
                     httpMethod = getHTTPMethodAnnotation(annotations[i]);
@@ -398,7 +400,7 @@ public class AnnotationProcessor {
                         if (scope != null) {
                             permission.setName(scope.getName());
                             //TODO: currently permission tree supports only adding one permission per API point.
-                            permission.setPath(scope.getRoles().split(" ")[0]);
+                            permission.setPath(scope.getPermissions().split(" ")[0]);
                         } else {
                             log.warn("No Scope mapping is done for scope key: " + scopeKey);
                             permission.setName(DEFAULT_PERM_NAME);
@@ -420,8 +422,11 @@ public class AnnotationProcessor {
         Scope scope;
         String permissions[];
         StringBuilder aggregatedPermissions;
+        String roles[];
+        StringBuilder aggregatedRoles;
         for(int i=0; i<annotatedScopes.length; i++){
             aggregatedPermissions = new StringBuilder();
+            aggregatedRoles = new StringBuilder();
             methodHandler = Proxy.getInvocationHandler(annotatedScopes[i]);
             scope = new Scope();
             scope.setName(invokeMethod(scopeClass
@@ -437,7 +442,14 @@ public class AnnotationProcessor {
                 aggregatedPermissions.append(permission);
                 aggregatedPermissions.append(" ");
             }
-            scope.setRoles(aggregatedPermissions.toString());
+            scope.setPermissions(aggregatedPermissions.toString().trim());
+            roles = (String[])methodHandler.invoke(annotatedScopes[i], scopeClass
+                    .getMethod(SWAGGER_ANNOTATIONS_PROPERTIES_ROLES, null),null);
+            for (String role : roles) {
+                aggregatedRoles.append(role);
+                aggregatedRoles.append(",");
+            }
+            scope.setRoles(aggregatedRoles.toString().substring(0, aggregatedRoles.lastIndexOf(",")));
             scopes.put(scope.getKey(), scope);
         }
         return scopes;

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/config/permission/Scope.java

@@ -21,6 +21,7 @@ public class Scope implements Serializable {
     String key;
     String name;
     String roles;
+    String permissions;
     String description;
     int id;
 
@@ -66,5 +67,13 @@ public class Scope implements Serializable {
     public void setId(int id) {
         this.id = id;
     }
+
+    public String getPermissions() {
+        return permissions;
+    }
+
+    public void setPermissions(String permissions) {
+        this.permissions = permissions;
+    }
 }
 

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/config/permission/lifecycle/WebAppDeploymentLifecycleListener.java

@@ -62,11 +62,8 @@ public class WebAppDeploymentLifecycleListener implements LifecycleListener {
                             scanStandardContext(io.swagger.annotations.SwaggerDefinition.class.getName());
                     List<Permission> permissions = annotationProcessor.extractPermissions(annotatedAPIClasses);
                     PermissionManagerService permissionManagerService = PermissionManagerServiceImpl.getInstance();
-                    if (permissions != null) {
+                    permissionManagerService.addPermission(contextPath, permissions);
-                        for (Permission permission : permissions) {
+
-                            permissionManagerService.addPermission(permission);
-                        }
-                    }
                 } catch (PermissionManagementException e) {
                     log.error("Exception occurred while adding the permissions from webapp : "
                             + servletContext.getContextPath(), e);

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/internal/DeviceManagementServiceComponent.java

@@ -22,11 +22,11 @@ import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.osgi.framework.BundleContext;
 import org.osgi.service.component.ComponentContext;
-import org.wso2.carbon.device.mgt.common.event.config.EventConfigurationProviderService;
-import org.wso2.carbon.device.mgt.common.exceptions.DeviceManagementException;
 import org.wso2.carbon.device.mgt.common.app.mgt.ApplicationManagementException;
 import org.wso2.carbon.device.mgt.common.authorization.DeviceAccessAuthorizationService;
 import org.wso2.carbon.device.mgt.common.configuration.mgt.PlatformConfigurationManagementService;
+import org.wso2.carbon.device.mgt.common.event.config.EventConfigurationProviderService;
+import org.wso2.carbon.device.mgt.common.exceptions.DeviceManagementException;
 import org.wso2.carbon.device.mgt.common.geo.service.GeoLocationProviderService;
 import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException;
 import org.wso2.carbon.device.mgt.common.metadata.mgt.MetadataManagementService;
@@ -48,6 +48,7 @@ import org.wso2.carbon.device.mgt.core.config.DeviceConfigurationManager;
 import org.wso2.carbon.device.mgt.core.config.DeviceManagementConfig;
 import org.wso2.carbon.device.mgt.core.config.datasource.DataSourceConfig;
 import org.wso2.carbon.device.mgt.core.config.tenant.PlatformConfigurationManagementServiceImpl;
+import org.wso2.carbon.device.mgt.core.config.ui.UIConfigurationManager;
 import org.wso2.carbon.device.mgt.core.dao.DeviceManagementDAOFactory;
 import org.wso2.carbon.device.mgt.core.dao.GroupManagementDAOFactory;
 import org.wso2.carbon.device.mgt.core.device.details.mgt.DeviceInformationManager;
@@ -75,7 +76,6 @@ import org.wso2.carbon.device.mgt.core.service.DeviceManagementProviderServiceIm
 import org.wso2.carbon.device.mgt.core.service.GroupManagementProviderService;
 import org.wso2.carbon.device.mgt.core.service.GroupManagementProviderServiceImpl;
 import org.wso2.carbon.device.mgt.core.task.DeviceTaskManagerService;
-import org.wso2.carbon.device.mgt.core.config.ui.UIConfigurationManager;
 import org.wso2.carbon.device.mgt.core.util.DeviceManagementSchemaInitializer;
 import org.wso2.carbon.device.mgt.core.util.DeviceManagerUtil;
 import org.wso2.carbon.device.mgt.core.util.DeviceMgtTenantMgtListener;

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/permission/mgt/PermissionManagerServiceImpl.java

@@ -18,13 +18,16 @@
 
 package org.wso2.carbon.device.mgt.core.permission.mgt;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
 import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
 import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
+import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey;
+import org.wso2.carbon.device.mgt.core.cache.impl.APIResourcePermissionCacheManagerImpl;
 
-import java.util.HashSet;
+import java.util.List;
 import java.util.Properties;
-import java.util.Set;
 
 /**
  * This class will add, update custom permissions defined in permission.xml in webapps and it will
@@ -32,10 +35,7 @@ import java.util.Set;
  */
 public class PermissionManagerServiceImpl implements PermissionManagerService {
 
-    public static final String URL_PROPERTY = "URL";
-    public static final String HTTP_METHOD_PROPERTY = "HTTP_METHOD";
     private static PermissionManagerServiceImpl registryBasedPermissionManager;
-    private static PermissionTree permissionTree; // holds the permissions at runtime.
 
     private PermissionManagerServiceImpl() {
     }
@@ -45,7 +45,6 @@ public class PermissionManagerServiceImpl implements PermissionManagerService {
             synchronized (PermissionManagerServiceImpl.class) {
                 if (registryBasedPermissionManager == null) {
                     registryBasedPermissionManager = new PermissionManagerServiceImpl();
-                    permissionTree = new PermissionTree();
                 }
             }
         }
@@ -53,21 +52,22 @@ public class PermissionManagerServiceImpl implements PermissionManagerService {
     }
 
     @Override
-    public boolean addPermission(Permission permission) throws PermissionManagementException {
+    public boolean addPermission(String context, List<Permission> permissions) throws PermissionManagementException {
-        // adding a permission to the tree
+        try {
-        permission.setPath(permission.getPath());
+            for (Permission permission : permissions) {
-        permissionTree.addPermission(permission);
+                PermissionUtils.putPermission(permission);
-        return PermissionUtils.putPermission(permission);
+            }
+            APIResourcePermissionCacheManagerImpl.getInstance().addAPIResourcePermissionToCache(
+                    new APIResourcePermissionCacheKey(context), permissions);
+        } catch (PermissionManagementException e) {
+            return false;
+        }
+        return true;
     }
 
     @Override
-    public Permission getPermission(Properties properties) throws PermissionManagementException {
+    public List<Permission> getPermission(String context) throws PermissionManagementException {
-        String url = (String) properties.get(URL_PROPERTY);
+        return APIResourcePermissionCacheManagerImpl.getInstance().getAPIResourceRermissionFromCache(
-        String httpMethod = (String) properties.get(HTTP_METHOD_PROPERTY);
+                new APIResourcePermissionCacheKey(context));
-
-        if (url == null || url.isEmpty() || httpMethod == null || httpMethod.isEmpty()) {
-            throw new PermissionManagementException("Resource URI/HTTP method is empty");
-        }
-        return permissionTree.getPermission(url, httpMethod);
     }
 }

components/device-mgt/org.wso2.carbon.device.mgt.core/src/main/java/org/wso2/carbon/device/mgt/core/util/DeviceManagerUtil.java

@@ -73,8 +73,10 @@ import org.wso2.carbon.device.mgt.common.group.mgt.DeviceGroup;
 import org.wso2.carbon.device.mgt.common.group.mgt.GroupManagementException;
 import org.wso2.carbon.device.mgt.common.notification.mgt.NotificationManagementException;
 import org.wso2.carbon.device.mgt.common.operation.mgt.OperationManagementException;
+import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
 import org.wso2.carbon.device.mgt.common.type.mgt.DeviceTypeMetaDefinition;
 import org.wso2.carbon.device.mgt.core.DeviceManagementConstants;
+import org.wso2.carbon.device.mgt.core.cache.APIResourcePermissionCacheKey;
 import org.wso2.carbon.device.mgt.core.cache.DeviceCacheKey;
 import org.wso2.carbon.device.mgt.core.cache.GeoCacheKey;
 import org.wso2.carbon.device.mgt.core.config.DeviceConfigurationManager;
@@ -136,6 +138,7 @@ public final class DeviceManagerUtil {
     public static final String GENERAL_CONFIG_RESOURCE_PATH = "general";
 
     private  static boolean isDeviceCacheInitialized = false;
+    private  static boolean isAPIResourcePermissionCacheInitialized = false;
     private static boolean isGeoFenceCacheInitialized = false;
 
     public static Document convertToDocument(File file) throws DeviceManagementException {
@@ -663,6 +666,44 @@ public final class DeviceManagerUtil {
         }
     }
 
+    public static void initializeAPIResourcePermissionCache() {
+//        DeviceManagementConfig config = DeviceConfigurationManager.getInstance().getDeviceManagementConfig();
+//        int deviceCacheExpiry = config.getDeviceCacheConfiguration().getExpiryTime();
+//        long deviceCacheCapacity = config.getDeviceCacheConfiguration().getCapacity();
+        CacheManager manager = getCacheManager();
+//        if (config.getDeviceCacheConfiguration().isEnabled()) {
+            if(!isDeviceCacheInitialized) {
+                isDeviceCacheInitialized = true;
+                if (manager != null) {
+//                    if (deviceCacheExpiry > 0) {
+//                        manager.<DeviceCacheKey, Device>createCacheBuilder(DeviceManagementConstants.DEVICE_CACHE).
+//                                setExpiry(CacheConfiguration.ExpiryType.MODIFIED, new CacheConfiguration.Duration(TimeUnit.SECONDS,
+//                                        deviceCacheExpiry)).setExpiry(CacheConfiguration.ExpiryType.ACCESSED, new CacheConfiguration.
+//                                Duration(TimeUnit.SECONDS, deviceCacheExpiry)).setStoreByValue(true).build();
+//                        if(deviceCacheCapacity > 0 ) {
+//                            ((CacheImpl) manager.<DeviceCacheKey, Device>getCache(DeviceManagementConstants.DEVICE_CACHE)).
+//                                    setCapacity(deviceCacheCapacity);
+//                        }
+//                    } else {
+                        manager.<DeviceCacheKey, Device>getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE);
+//                    }
+                } else {
+//                    if (deviceCacheExpiry > 0) {
+//                        Caching.getCacheManager().
+//                                <DeviceCacheKey, Device>createCacheBuilder(DeviceManagementConstants.DEVICE_CACHE).
+//                                setExpiry(CacheConfiguration.ExpiryType.MODIFIED, new CacheConfiguration.Duration(TimeUnit.SECONDS,
+//                                        deviceCacheExpiry)).setExpiry(CacheConfiguration.ExpiryType.ACCESSED, new CacheConfiguration.
+//                                Duration(TimeUnit.SECONDS, deviceCacheExpiry)).setStoreByValue(true).build();
+//                        ((CacheImpl)(manager.<DeviceCacheKey, Device>getCache(DeviceManagementConstants.DEVICE_CACHE))).
+//                                setCapacity(deviceCacheCapacity);
+//                    } else {
+                        Caching.getCacheManager().<DeviceCacheKey, Device>getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE);
+//                    }
+                }
+            }
+//        }
+    }
+
     /**
      * Enable Geofence caching according to the configurations proviced by cdm-config.xml
      */
@@ -722,6 +763,24 @@ public final class DeviceManagerUtil {
         return deviceCache;
     }
 
+    public static Cache<APIResourcePermissionCacheKey, List<Permission>> getAPIResourcePermissionCache() {
+//        DeviceManagementConfig config = DeviceConfigurationManager.getInstance().getDeviceManagementConfig();
+        CacheManager manager = getCacheManager();
+        Cache<APIResourcePermissionCacheKey, List<Permission>> apiResourcePermissionCache = null;
+//        if (config.getDeviceCacheConfiguration().isEnabled()) {
+            if(!isAPIResourcePermissionCacheInitialized) {
+                initializeAPIResourcePermissionCache();
+            }
+            if (manager != null) {
+                apiResourcePermissionCache = manager.getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE);
+            } else {
+                apiResourcePermissionCache =  Caching.getCacheManager(DeviceManagementConstants.DM_CACHE_MANAGER)
+                        .getCache(DeviceManagementConstants.API_RESOURCE_PERMISSION_CACHE);
+            }
+//        }
+        return apiResourcePermissionCache;
+    }
+
     /**
      * Get geofence cache object
      * @return {@link Cache<GeoCacheKey, GeofenceData>}

components/identity-extensions/org.wso2.carbon.identity.jwt.client.extension/src/main/java/org/wso2/carbon/identity/jwt/client/extension/util/JWTClientUtil.java

@@ -232,18 +232,18 @@ public class JWTClientUtil {
 			}
 			List<String> aud = jwtConfig.getAudiences();
 			//set up the basic claims
-			JWTClaimsSet claimsSet = new JWTClaimsSet();
+			JWTClaimsSet.Builder claimsSet = new JWTClaimsSet.Builder();
-			claimsSet.setIssueTime(new Date(iat));
+			claimsSet.issueTime(new Date(iat));
-			claimsSet.setExpirationTime(new Date(exp));
+			claimsSet.expirationTime(new Date(exp));
-			claimsSet.setIssuer(iss);
+			claimsSet.issuer(iss);
-            claimsSet.setSubject(username);
+            claimsSet.subject(username);
-            claimsSet.setNotBeforeTime(new Date(nbf));
+            claimsSet.notBeforeTime(new Date(nbf));
-			claimsSet.setJWTID(jti);
+			claimsSet.jwtID(jti);
-			claimsSet.setAudience(aud);
+			claimsSet.audience(aud);
-            claimsSet.setClaim(SIGNED_JWT_AUTH_USERNAME, username);
+            claimsSet.claim(SIGNED_JWT_AUTH_USERNAME, username);
             if (customClaims != null && !customClaims.isEmpty()) {
                 for (String key : customClaims.keySet()) {
-                    claimsSet.setClaim(key, customClaims.get(key));
+                    claimsSet.claim(key, customClaims.get(key));
                 }
             }
 
@@ -280,7 +280,7 @@ public class JWTClientUtil {
 				}
 			}
 			JWSSigner signer = new RSASSASigner(rsaPrivateKey);
-			SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet);
+			SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claimsSet.build());
 			signedJWT.sign(signer);
 			String assertion = signedJWT.serialize();
 			return assertion;

components/transport-mgt/sms-handler/io.entgra.transport.mgt.sms.handler.api/src/main/java/io/entgra/transport/mgt/sms/handler/api/service/ConfigurationManagementService.java

@@ -64,6 +64,7 @@ import javax.ws.rs.core.Response;
                 name = "View configurations",
                 description = "",
                 key = "perm:sms-handler:view-configuration",
+                roles = {"Internal/everyone"},
                 permissions = {"/sms-handler/platform-configurations/view"}
         )
 })

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/pom.xml

@@ -55,22 +55,22 @@
                             org.wso2.carbon.webapp.authenticator.framework.*
                         </Export-Package>
                         <Import-Package>
-                            com.nimbusds.jose,
+                            com.nimbusds.jose;version="${nimbus.orbit.version.range}",
-                            com.nimbusds.jose.crypto,
+                            com.nimbusds.jose.crypto;version="${nimbus.orbit.version.range}",
-                            com.nimbusds.jwt,
+                            com.nimbusds.jwt;version="${nimbus.orbit.version.range}",
                             javax.xml.bind,
                             javax.xml.bind.annotation,
                             javax.xml.parsers;version="${javax.xml.parsers.import.pkg.version}";resolution:=optional,
                             javax.xml.validation,
-                            <!--org.apache.catalina,-->
+                            org.apache.catalina;version="9.0",
-                            <!--org.apache.catalina.connector,-->
+                            org.apache.catalina.connector;version="9.0",
-                            <!--org.apache.catalina.util,-->
+                            org.apache.catalina.util;version="9.0",
                             org.apache.commons.logging,
-                            <!--org.apache.coyote,-->
+                            org.apache.coyote;version="9.0",
-                            <!--org.apache.tomcat.util.buf,-->
+                            org.apache.tomcat.util.buf;version="9.0",
-                            <!--org.apache.tomcat.util.http,-->
+                            org.apache.tomcat.util.http;version="9.0",
-                            org.osgi.service.component,
+                            org.osgi.framework.*;version="${imp.package.version.osgi.framework}",
-                            org.osgi.framework,
+                            org.osgi.service.*;version="${imp.package.version.osgi.service}",
                             org.w3c.dom,
                             org.wso2.carbon.context,
                             org.wso2.carbon.core.util,
@@ -85,15 +85,15 @@
                             org.wso2.carbon.utils,
                             org.wso2.carbon.utils.multitenancy,
                             org.xml.sax,
-                            com.google.gson.*,
+                            <!--com.google.gson.*,-->
                             javax.servlet,
                             javax.servlet.http,
                             javax.xml,
                             org.apache.axis2.transport.http,
                             org.wso2.carbon.certificate.mgt.core.*,
-                            org.wso2.carbon.device.mgt.core.permission.mgt,
+                            org.wso2.carbon.device.mgt.core.permission.mgt.*,
                             org.wso2.carbon.device.mgt.common.*,
-                            org.wso2.carbon.device.mgt.common.permission.mgt,
+                            org.wso2.carbon.device.mgt.common.permission.mgt.*,
                             org.apache.axis2,
                             org.apache.axis2.client,
                             org.apache.commons.codec.binary;version="${commons-codec.wso2.osgi.version.range}",
@@ -114,6 +114,9 @@
                             org.wso2.carbon.base,
                             org.owasp.encoder
                         </Import-Package>
+                        <!--<Embed-Dependency>-->
+                            <!--tomcat-coyote,-->
+                        <!--</Embed-Dependency>-->
                     </instructions>
                 </configuration>
             </plugin>
@@ -194,6 +197,22 @@
         <dependency>
             <groupId>org.wso2.carbon.identity.inbound.auth.oauth2</groupId>
             <artifactId>org.wso2.carbon.identity.oauth</artifactId>
+            <exclusions>
+                <exclusion>
+                    <!--<dependency>-->
+                        <groupId>org.wso2.orbit.com.nimbusds</groupId>
+                        <artifactId>nimbus-jose-jwt</artifactId>
+                    <!--</dependency>-->
+                </exclusion>
+                <exclusion>
+                    <!--<dependency>-->
+                        <groupId>com.nimbusds</groupId>
+                        <artifactId>nimbus-jose-jwt</artifactId>
+                        <!--<version>9.10</version>-->
+                    <!--</dependency>-->
+
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.wso2.carbon</groupId>
@@ -202,6 +221,7 @@
         <dependency>
             <groupId>org.wso2.orbit.com.nimbusds</groupId>
             <artifactId>nimbus-jose-jwt</artifactId>
+            <scope>compile</scope>
         </dependency>
         <dependency>
             <groupId>org.wso2.carbon.devicemgt</groupId>

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/AuthenticationFrameworkUtil.java

@@ -73,7 +73,7 @@ public class AuthenticationFrameworkUtil {
         }
     }
 
-    static boolean isUserAuthorized(int tenantId, String tenantDomain, String username, String
+    public static boolean isUserAuthorized(int tenantId, String tenantDomain, String username, String
             permission) throws
             AuthenticationException {
         boolean tenantFlowStarted = false;

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/WebappAuthenticationValve.java

@@ -18,11 +18,9 @@
  */
 package org.wso2.carbon.webapp.authenticator.framework;
 
-import com.google.gson.Gson;
 import org.apache.catalina.Context;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
-import org.apache.commons.lang.StringUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.owasp.encoder.Encode;
@@ -33,6 +31,7 @@ import org.wso2.carbon.user.api.Tenant;
 import org.wso2.carbon.user.api.UserStoreException;
 import org.wso2.carbon.user.core.service.RealmService;
 import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
+import org.wso2.carbon.webapp.authenticator.framework.authorizer.PermissionAuthorizer;
 import org.wso2.carbon.webapp.authenticator.framework.authorizer.WebappTenantAuthorizer;
 
 import javax.servlet.http.HttpServletResponse;
@@ -48,9 +47,6 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
 
     private static final Log log = LogFactory.getLog(WebappAuthenticationValve.class);
     private static final TreeMap<String, String> nonSecuredEndpoints = new TreeMap<>();
-    private static final String PERMISSION_PREFIX = "/permission/admin";
-    public static final String AUTHORIZE_PERMISSION = "Authorize-Permission";
-
     private static InetAddress inetAddress = null;
 
     @Override
@@ -81,8 +77,7 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
             }
         }
 
-        if ((this.isContextSkipped(request) ||  this.skipAuthentication(request))
+        if ((this.isContextSkipped(request) ||  this.skipAuthentication(request))) {
-                && (StringUtils.isEmpty(request.getHeader(AUTHORIZE_PERMISSION)))) {
                 this.getNext().invoke(request, response, compositeValve);
             return;
         }
@@ -103,29 +98,12 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
         // This section will allow to validate a given access token is authenticated to access given
         // resource(permission)
         if (request.getCoyoteRequest() != null
-                && StringUtils.isNotEmpty(request.getHeader(AUTHORIZE_PERMISSION))
                 && (authenticationInfo.getStatus() == WebappAuthenticator.Status.CONTINUE ||
                 authenticationInfo.getStatus() == WebappAuthenticator.Status.SUCCESS)) {
             boolean isAllowed;
-            try {
+            WebappAuthenticator.Status authorizeStatus = PermissionAuthorizer.authorize(request, authenticationInfo);
-                isAllowed = AuthenticationFrameworkUtil.isUserAuthorized(
+            isAllowed = WebappAuthenticator.Status.SUCCESS == authorizeStatus;
-                        authenticationInfo.getTenantId(), authenticationInfo.getTenantDomain(),
+            if (!isAllowed) {
-                        authenticationInfo.getUsername(),
-                        PERMISSION_PREFIX + request.getHeader (AUTHORIZE_PERMISSION));
-            } catch (AuthenticationException e) {
-                String msg = "Could not authorize permission";
-                log.error(msg);
-                AuthenticationFrameworkUtil.handleResponse(request, response,
-                        HttpServletResponse.SC_INTERNAL_SERVER_ERROR, msg);
-                return;
-            }
-
-            if (isAllowed) {
-                Gson gson = new Gson();
-                AuthenticationFrameworkUtil.handleResponse(request, response, HttpServletResponse.SC_OK,
-                        gson.toJson(authenticationInfo));
-                return;
-            } else {
                 log.error("Unauthorized message from user " + authenticationInfo.getUsername());
                 AuthenticationFrameworkUtil.handleResponse(request, response,
                         HttpServletResponse.SC_FORBIDDEN, "Unauthorized to access the API");
@@ -133,7 +111,7 @@ public class WebappAuthenticationValve extends CarbonTomcatValve {
             }
         }
 
-        Tenant tenant = null;
+            Tenant tenant = null;
         if (authenticationInfo.getTenantId() != -1) {
             try {
                 PrivilegedCarbonContext.startTenantFlow();

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/MatchingResource.java

@@ -0,0 +1,30 @@
+package org.wso2.carbon.webapp.authenticator.framework.authorizer;
+
+/**
+ * Created by amalka on 6/26/21.
+ */
+public class MatchingResource {
+    private String urlPattern;
+    private String permission;
+
+    public MatchingResource(String urlPattern, String permission) {
+        this.urlPattern = urlPattern;
+        this.permission = permission;
+    }
+
+    public String getUrlPattern() {
+        return urlPattern;
+    }
+
+    public void setUrlPattern(String urlPattern) {
+        this.urlPattern = urlPattern;
+    }
+
+    public String getPermission() {
+        return permission;
+    }
+
+    public void setPermission(String permission) {
+        this.permission = permission;
+    }
+}

components/webapp-authenticator-framework/org.wso2.carbon.webapp.authenticator.framework/src/main/java/org/wso2/carbon/webapp/authenticator/framework/authorizer/PermissionAuthorizer.java

@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) 2021, WSO2 Inc. (http://www.wso2.org) All Rights Reserved.
+ *
+ * WSO2 Inc. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.wso2.carbon.webapp.authenticator.framework.authorizer;
+
+import org.apache.catalina.connector.Request;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.wso2.carbon.device.mgt.common.permission.mgt.Permission;
+import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagementException;
+import org.wso2.carbon.device.mgt.common.permission.mgt.PermissionManagerService;
+import org.wso2.carbon.device.mgt.core.permission.mgt.PermissionManagerServiceImpl;
+import org.wso2.carbon.webapp.authenticator.framework.AuthenticationException;
+import org.wso2.carbon.webapp.authenticator.framework.AuthenticationFrameworkUtil;
+import org.wso2.carbon.webapp.authenticator.framework.AuthenticationInfo;
+import org.wso2.carbon.webapp.authenticator.framework.authenticator.WebappAuthenticator;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.StringTokenizer;
+
+public class PermissionAuthorizer {
+
+    private static final Log log = LogFactory.getLog(PermissionAuthorizer.class);
+
+    public static WebappAuthenticator.Status authorize(Request request, AuthenticationInfo authenticationInfo) {
+        String requestUri = request.getRequestURI();
+        String requestMethod = request.getMethod();
+        String context = request.getContextPath();
+
+        if (requestUri == null || requestUri.isEmpty() || requestMethod == null || requestMethod.isEmpty()) {
+            return WebappAuthenticator.Status.CONTINUE;
+        }
+
+        PermissionManagerService registryBasedPermissionManager =
+                PermissionManagerServiceImpl.getInstance();
+        List<Permission> matchingPermissions = null;
+        try {
+            matchingPermissions = registryBasedPermissionManager.getPermission(context);
+        } catch (PermissionManagementException e) {
+            log.error(
+                    "Error occurred while fetching the permission for URI : " + requestUri +
+                            ", msg = " + e.getMessage());
+        }
+
+        if (matchingPermissions == null) {
+            if (log.isDebugEnabled()) {
+                log.debug("Permission to request '" + requestUri + "' is not defined in the configuration");
+            }
+            return WebappAuthenticator.Status.FAILURE;
+        }
+
+        String requiredPermission = null;
+        List<MatchingResource> matchingResources = new ArrayList<>();
+        for (Permission permission : matchingPermissions) {
+            if (requestMethod.equals(permission.getMethod()) && requestUri.matches(permission.getUrlPattern())) {
+                if (requestUri.equals(permission.getUrl())) { // is there a exact match
+                    requiredPermission = permission.getPath();
+                    break;
+                } else { // all templated urls add to a list
+                    matchingResources.add(new MatchingResource(permission.getUrlPattern().replace(context, ""), permission.getPath()));
+                }
+            }
+        }
+
+        if (requiredPermission == null) {
+            if (matchingResources.size() == 1) { // only 1 templated url found
+                requiredPermission = matchingResources.get(0).getPermission();
+            }
+
+            if (matchingResources.size() > 1) { // more than 1 templated urls found
+                String urlWithoutContext = requestUri.replace(context, "");
+                StringTokenizer st = new StringTokenizer(urlWithoutContext, "/");
+                int tokenPosition = 1;
+                while (st.hasMoreTokens()) {
+                    List<MatchingResource> tempList = new ArrayList<>();
+                    String currentToken = st.nextToken();
+                    for (MatchingResource matchingResource : matchingResources) {
+                        StringTokenizer stmr = new StringTokenizer(matchingResource.getUrlPattern(), "/");
+                        int internalTokenPosition = 1;
+                        while (stmr.hasMoreTokens()) {
+                            String internalToken = stmr.nextToken();
+                            if ((tokenPosition == internalTokenPosition)  && currentToken.equals(internalToken)) {
+                                tempList.add(matchingResource);
+                            }
+                            internalTokenPosition++;
+                            if (tokenPosition < internalTokenPosition) {
+                                break;
+                            }
+                        }
+                    }
+                    if (tempList.size() == 1) {
+                        requiredPermission = tempList.get(0).getPermission();
+                        break;
+                    }
+                    tokenPosition++;
+                }
+            }
+        }
+
+        if (requiredPermission == null) {
+            if (log.isDebugEnabled()) {
+                log.debug("Matching permission not found for " + requestUri);
+            }
+            return WebappAuthenticator.Status.FAILURE;
+        }
+
+        boolean isUserAuthorized;
+        try {
+                isUserAuthorized = AuthenticationFrameworkUtil.isUserAuthorized(
+                        authenticationInfo.getTenantId(), authenticationInfo.getTenantDomain(),
+                        authenticationInfo.getUsername(), requiredPermission);
+        } catch (AuthenticationException e) {
+            log.error("Error occurred while retrieving user store. " + e.getMessage());
+            return WebappAuthenticator.Status.FAILURE;
+        }
+
+        if (isUserAuthorized) {
+            return WebappAuthenticator.Status.SUCCESS;
+        } else {
+            return WebappAuthenticator.Status.FAILURE;
+        }
+
+    }
+
+}
+
+
+

pom.xml

@@ -2175,8 +2175,8 @@
         <eclipse.paho.version>1.0.2</eclipse.paho.version>
 
         <!-- Nimbus Jose-->
-        <nimbus.orbit.version>2.26.1.wso2v3</nimbus.orbit.version>
+        <nimbus.orbit.version>7.3.0.wso2v1</nimbus.orbit.version>
-        <nimbus.orbit.version.range>[2.26.1, 3.0.0)</nimbus.orbit.version.range>
+        <nimbus.orbit.version.range>[7.3, 8)</nimbus.orbit.version.range>
 
         <!--javax ws rs version-->
         <javax.ws.rs.version>2.0.1</javax.ws.rs.version>