Commit 69ab840e authored by cdanger

Merge branch 'release/3.8.1'

parents 9be728ec fc7a8699
# Change log
All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions.
## 3.8.1
### Fixed
- Removed use of SAXON StandardURIChecker for validating anyURI XACML AttributeValues causing "possible memory leak" errors in Tomcat, as confirmed by: https://sourceforge.net/p/saxon/mailman/message/27043134 and https://sourceforge.net/p/saxon/mailman/saxon-help/thread/4F9E683E.8060001@saxonica.com/. Although XACML 3.0 still refers to XSD 1.0 which has a stricter definition of anyURI than XSD 1.1, the fix consisted to use XSD 1.1 anyURI definition for XACML anyURI AttributeValues. In this definition, anyURI and string datatypes have same value space (refer to XSD 1.1 Datatypes document or SAXON note http://www.saxonica.com/html/documentation9.4/changes/intro93/xsd11-93.html or mailing list: https://sourceforge.net/p/saxon/mailman/saxon-help/thread/4F9E683E.8060001@saxonica.com/) , therefore anyURI-specific validation is removed and anyURI values are accepted like string values by the program. However, this does not affect XML schema validation of Policy/PolicySet/Request documents against OASIS XACML 3.0 schema, where the XSD 1.0 definition of anyURI still applies.
## 3.8.0
### Changed
- PDP XML schema: maxVariableRefDepth and maxPolicyRefDepth attributes made optional (instead of required)
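Review bot: the new `## 3.8.1` heading carries no release date, although the file header states that it follows Keep a CHANGELOG conventions, which place the date after the version (`## 3.8.1 - YYYY-MM-DD`); add it. In the entry text, "the fix consisted to use" should read "the fix consists in using", and the long sentence beginning "Although XACML 3.0 still refers to XSD 1.0" would be clearer as its own bullet stating the operational consequence: anyURI AttributeValues are now accepted exactly like strings, with no syntactic check, so any validation previously relied on from the datatype has to be done by the policy or the caller if it is still wanted.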
......@@ -31,7 +36,7 @@ All notable changes to this project are documented in this file following the [K
## 3.6.0
### Added
- Support all [XACML 3.0 conformance tests](https://lists.oasis-open.org/archives/xacml-comment/201404/msg00001.html) published by AT&T on XACML mailing list in March 2014, except IIA010, IIA012, IIA024, IID029, IID030, III.C.2, III.C.3, IIIE301, IIIE303, II.G.2-6 (see also [README](src\test\resources\conformance\xacml-3.0-from-2.0-ct\README.md) ); with specific adaptations and anhancements:
- Support all [XACML 3.0 conformance tests](https://lists.oasis-open.org/archives/xacml-comment/201404/msg00001.html) published by AT&T on XACML mailing list in March 2014, except IIA010, IIA012, IIA024, IID029, IID030, III.C.2, III.C.3, IIIE301, IIIE303, II.G.2-6 (see also [README](src\test\resources\conformance\xacml-3.0-from-2.0-ct\README.md) ); with specific adaptations and enhancements:
1. XACML 3.0 Schema validation in all conformance tests (original files are not all compliant with XACML 3.0).
1. The original conformance test folder contains hundreds of files; for better readability and management, the folder is split in *mandatory* folder for tests on supported mandatory features (XACMl 3.0 core), *optional* folder for supported optional features (XACML 3.0 core and profiles), and *unsupported* for unsupported features.
1. For tests requiring a custom attribute finder, added a file with suffix `AttributeProvider.xml` that configures the `TestAttributeProviderModule`. This configuration file must contain a list of `Attributes` elements defining the attributes that this attribute provider is able to provide, with their constant values.
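Review bot: the README link in the edited line uses backslashes (`src\test\resources\conformance\xacml-3.0-from-2.0-ct\README.md`); relative Markdown links need forward slashes to resolve in the web renderer and on non-Windows checkouts, so fix the separators in the same pass as the "anhancements" typo. The adjacent context line also contains "XACMl 3.0 core" with a lowercase l, worth correcting while this entry is being touched.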
......
......@@ -6,7 +6,7 @@
<version>3.3.7</version>
</parent>
<artifactId>authzforce-ce-core</artifactId>
<version>3.8.0</version>
<version>3.8.1</version>
<name>${project.groupId}:${project.artifactId}</name>
<description>AuthZForce Community Edition - XACML-compliant Core Engine</description>
<url>https://tuleap.ow2.org/projects/authzforce</url>
......
......@@ -18,8 +18,7 @@ import net.sf.saxon.lib.StandardURIChecker;
/**
* Represent the URI value that this class represents
* <p>
* WARNING: java.net.URI cannot be used here for this XACML datatype, because not equivalent to XML schema anyURI type. Spaces are allowed in XSD anyURI [1],
* not in java.net.URI.
* WARNING: java.net.URI cannot be used here for this XACML datatype, because not equivalent to XML schema anyURI type. Spaces are allowed in XSD anyURI [1], not in java.net.URI.
* </p>
* <p>
* [1] http://www.w3.org/TR/xmlschema-2/#anyURI That's why we use String instead.
......@@ -31,8 +30,20 @@ import net.sf.saxon.lib.StandardURIChecker;
* https://java.net/projects/jaxb/lists/users/archive/2011-07/message/16
* </p>
* <p>
* From the JAXB spec: "xs:anyURI is not bound to java.net.URI by default since not all possible values of xs:anyURI can be passed to the java.net.URI
* constructor. Using a global JAXB customization described in Section 7.9".
* From the JAXB spec: "xs:anyURI is not bound to java.net.URI by default since not all possible values of xs:anyURI can be passed to the java.net.URI constructor. Using a global JAXB customization
* described in Section 7.9".
* </p>
* <p>
* Last but not least, we now refer to the definition of anyURI datatype given in XSD 1.1, which has the same value space as the string datatype. More info in the XSD 1.1 datatypes document and SAXON
* documentation: http://www.saxonica.com/html/documentation9.4/changes/intro93/xsd11-93.html. Also confirmed on the mailing list:
* https://sourceforge.net/p/saxon/mailman/saxon-help/thread/4F9E683E.8060001@saxonica.com/. Although XACML 3.0 still refers to XSD 1.0 and its stricter definition of anyURI, we prefer to anticipate
* and use the definition from XSD 1.1 for XACML AttributeValues of datatype anyURI. However, this does not affect XACML schema validation of Policy/PolicySet/Request documents, where the XSD 1.0
* definition of anyURI still applies.
* </p>
* <p>
* With the new anyURI definition of XSD 1.1, we also avoid using {@link StandardURIChecker} which maintains a thread-local cache of validated URIs (cache size is 50 and eviction policy is LRU) that
* may be spotted as a possible memory leak by servlet containers such as Tomcat, as confirmed on the mailing list: https://sourceforge.net/p/saxon/mailman/message/27043134/ ,
* https://sourceforge.net/p/saxon/mailman/saxon-help/thread/4F9E683E.8060001@saxonica.com/ .
* </p>
*/
public final class AnyURIValue extends SimpleValue<String>
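Review bot: the added paragraph references `{@link StandardURIChecker}`, which only resolves while the `net.sf.saxon.lib.StandardURIChecker` import shown in the hunk header is kept, so the class retains a compile-time reference to the Saxon checker purely for documentation even though the commit removes its use; write it as `{@code net.sf.saxon.lib.StandardURIChecker}` or plain text and drop the import. Two smaller points in the same block: the first Javadoc line, "Represent the URI value that this class represents", is circular, and the trailing URL list has stray spaces before the commas and full stops.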
......@@ -49,28 +60,15 @@ public final class AnyURIValue extends SimpleValue<String>
* @param value
* the URI to be represented
* <p>
* WARNING: java.net.URI cannot be used here for XACML datatype, because not equivalent to XML schema anyURI type. Spaces are allowed in XSD
* anyURI [1], not in java.net.URI. [1] http://www.w3.org/TR/xmlschema-2/#anyURI So we use String instead.
* WARNING: java.net.URI cannot be used here for XACML datatype, because not equivalent to XML schema anyURI type. Spaces are allowed in XSD anyURI [1], not in java.net.URI. [1]
* http://www.w3.org/TR/xmlschema-2/#anyURI So we use String instead.
* </p>
* @throws IllegalArgumentException
* if {@code value} is not a valid string representation for xs:anyURI
*/
public AnyURIValue(String value) throws IllegalArgumentException
{
super(TYPE_URI, validate(value));
}
private static String validate(String anyURI) throws IllegalArgumentException
{
/*
* Please note that StandardURIChecker maintains a thread-local cache of validated URIs (cache size is 50 and eviction policy is LRU)
*/
if (!StandardURIChecker.getInstance().isValidURI(anyURI))
{
throw new IllegalArgumentException("Invalid value for xs:anyURI: " + anyURI);
}
return anyURI;
super(TYPE_URI, value);
}
@Override
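Review bot: with `validate()` deleted and the constructor now calling `super(TYPE_URI, value)` directly, the `throws IllegalArgumentException` clause on `AnyURIValue(String)` and the Javadoc tag `@throws IllegalArgumentException if {@code value} is not a valid string representation for xs:anyURI` describe an exception this code no longer raises; remove both, or reword the tag to state that the value is accepted without syntactic validation, per the XSD 1.1 value space explained in the class Javadoc. The WARNING paragraph in the parameter Javadoc is a reflowed copy of the class-level one; a `@see` pointing at the class comment would keep the two from drifting apart.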
......
<?xml version="1.0"?>
<!-- This is an example configuration file. Many of the options included here are defaults, and do not need to be specified in a real configuration file. They are provided for convenience of editing, so
it is easy to set up a configuration file with non-default options. For documentation on the contents of a Saxon configuration file, see http://www.saxonica.com/documentation/index/configuration-file.html -->
<!-- WARNING: 1) for AuthZForce compatibility, do not set xInclude property here (do not even set xInclude="false")
This would cause an error with XACML Request Attributes/Content XML parsing:
net.sf.saxon.s9api.SaxonApiException: Selected XML parser javax.xml.bind.util.JAXBSource$1 does not recognize request for XInclude processing
at net.sf.saxon.s9api.DocumentBuilder.build(DocumentBuilder.java:374) ~[Saxon-HE-9.6.0-5.jar:na]
at org.ow2.authzforce.core.XACMLParsers$FullJaxbXACMLAttributesParserFactory$FullJaxbXACMLAttributesParser.parseContent(XACMLParsers.java:909) ~[classes/:na]
-->
<!-- This is an example configuration file. Many of the options included here are defaults, and do not need to be specified in a real configuration file. They are provided for convenience of editing, so
it is easy to set up a configuration file with non-default options. For documentation on the contents of a Saxon configuration file, see http://www.saxonica.com/documentation9.6/index.html#!configuration/configuration-file -->
<!-- WARNING: 1) for AuthZForce compatibility, do not set xInclude property here (do not even set xInclude="false") This would cause an error with XACML Request Attributes/Content XML parsing: net.sf.saxon.s9api.SaxonApiException:
Selected XML parser javax.xml.bind.util.JAXBSource$1 does not recognize request for XInclude processing at net.sf.saxon.s9api.DocumentBuilder.build(DocumentBuilder.java:374) ~[Saxon-HE-9.6.0-5.jar:na]
at org.ow2.authzforce.core.XACMLParsers$FullJaxbXACMLAttributesParserFactory$FullJaxbXACMLAttributesParser.parseContent(XACMLParsers.java:909) ~[classes/:na] -->
<configuration
edition="HE"
xmlns="http://saxon.sf.net/ns/configuration"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://saxon.sf.net/ns/configuration config.xsd">
<global
dtdValidation="false"
dtdValidationRecoverable="true"
lineNumbering="true"
treeModel="tinyTree"
stripSpace="all"
expandAttributeDefaults="true"
versionOfXml="1.0"
preferJaxpParser="true"
sourceResolver=""
uriResolver="net.sf.saxon.lib.StandardURIResolver"
collectionUriResolver="net.sf.saxon.lib.StandardCollectionURIResolver"
defaultCollection="file:///e:/temp"
recognizeUriQueryParameters="true"
useTypedValueCache="false"
parser=""
timing="false"
allowExternalFunctions="false"
traceExternalFunctions="false"
optimizationLevel="10"
traceOptimizerDecisions="false"
collationUriResolver="net.sf.saxon.lib.StandardCollationURIResolver"
lazyConstructionMode="false"
preEvaluateDoc="false"
serializerFactory=""
errorListener="net.sf.saxon.lib.StandardErrorListener"
traceListener="net.sf.saxon.trace.XSLTTraceListener"
usePiDisableOutputEscaping="false"
validationWarnings="true" />
<serialization
method="xml"
indent="yes" />
<collations>
<collation
uri="http://codepoint/"
class="net.sf.saxon.expr.sort.CodepointCollator" />
<collation
uri="http://www.microsoft.com/collation/caseblind"
lang="en"
ignore-case="yes" />
</collations>
<localizations
defaultLanguage="en"
defaultCountry="US">
<localization
lang="da"
class="net.sf.saxon.option.local.Numberer_da" />
<localization
lang="de"
class="net.sf.saxon.option.local.Numberer_de" />
<localization
lang="en"
class="net.sf.saxon.expr.number.Numberer_en" />
<localization
lang="fr"
class="net.sf.saxon.option.local.Numberer_fr" />
<localization
lang="fr-BE"
class="net.sf.saxon.option.local.Numberer_frBE" />
<localization
lang="it"
class="net.sf.saxon.option.local.Numberer_it" />
<localization
lang="nl"
class="net.sf.saxon.option.local.Numberer_nl" />
<localization
lang="nl-BE"
class="net.sf.saxon.option.local.Numberer_nlBE" />
<localization
lang="sv"
class="net.sf.saxon.option.local.Numberer_sv" />
</localizations>
<xslt
recoveryPolicy="recoverWithWarnings"
version="2.0"
versionWarning="false"
schemaAware="false"
messageReceiver=""
errorListener="net.sf.saxon.StandardErrorListener"
outputUriResolver=""
stylesheetParser="">
</xslt>
<xquery
version="1.1"
allowUpdate="false"
errorListener="net.sf.saxon.StandardErrorListener"
moduleUriResolver="net.sf.saxon.lib.StandardModuleURIResolver"
inheritNamespaces="true"
preserveNamespaces="true"
constructionMode="preserve"
defaultFunctionNamespace="http://www.w3.org/2005/xpath-functions"
defaultElementNamespace=""
preserveBoundarySpace="false"
requiredContextItemType="document-node()"
emptyLeast="true" />
edition="HE"
xmlns="http://saxon.sf.net/ns/configuration"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://saxon.sf.net/ns/configuration config.xsd">
<global
dtdValidation="false"
dtdValidationRecoverable="true"
lineNumbering="true"
treeModel="tinyTree"
stripSpace="all"
expandAttributeDefaults="true"
versionOfXml="1.0"
preferJaxpParser="true"
sourceResolver=""
uriResolver="net.sf.saxon.lib.StandardURIResolver"
collectionUriResolver="net.sf.saxon.lib.StandardCollectionURIResolver"
defaultCollection="file:///e:/temp"
recognizeUriQueryParameters="true"
useTypedValueCache="false"
parser=""
timing="false"
allowExternalFunctions="false"
traceExternalFunctions="false"
optimizationLevel="10"
traceOptimizerDecisions="false"
collationUriResolver="net.sf.saxon.lib.StandardCollationURIResolver"
lazyConstructionMode="false"
preEvaluateDoc="false"
serializerFactory=""
errorListener="net.sf.saxon.lib.StandardErrorListener"
traceListener="net.sf.saxon.trace.XSLTTraceListener"
usePiDisableOutputEscaping="false"
validationWarnings="true" />
<serialization
method="xml"
indent="yes" />
<collations>
<collation
uri="http://codepoint/"
class="net.sf.saxon.expr.sort.CodepointCollator" />
<collation
uri="http://www.microsoft.com/collation/caseblind"
lang="en"
ignore-case="yes" />
</collations>
<localizations
defaultLanguage="en"
defaultCountry="US">
<localization
lang="da"
class="net.sf.saxon.option.local.Numberer_da" />
<localization
lang="de"
class="net.sf.saxon.option.local.Numberer_de" />
<localization
lang="en"
class="net.sf.saxon.expr.number.Numberer_en" />
<localization
lang="fr"
class="net.sf.saxon.option.local.Numberer_fr" />
<localization
lang="fr-BE"
class="net.sf.saxon.option.local.Numberer_frBE" />
<localization
lang="it"
class="net.sf.saxon.option.local.Numberer_it" />
<localization
lang="nl"
class="net.sf.saxon.option.local.Numberer_nl" />
<localization
lang="nl-BE"
class="net.sf.saxon.option.local.Numberer_nlBE" />
<localization
lang="sv"
class="net.sf.saxon.option.local.Numberer_sv" />
</localizations>
<xslt
recoveryPolicy="recoverWithWarnings"
version="2.0"
versionWarning="false"
schemaAware="false"
messageReceiver=""
errorListener="net.sf.saxon.StandardErrorListener"
outputUriResolver=""
stylesheetParser="">
</xslt>
<xquery
version="1.1"
allowUpdate="false"
errorListener="net.sf.saxon.StandardErrorListener"
moduleUriResolver="net.sf.saxon.lib.StandardModuleURIResolver"
inheritNamespaces="true"
preserveNamespaces="true"
constructionMode="preserve"
defaultFunctionNamespace="http://www.w3.org/2005/xpath-functions"
defaultElementNamespace=""
preserveBoundarySpace="false"
requiredContextItemType="document-node()"
emptyLeast="true" />
<!-- XSD occurrenceLimits property is not considered valid by SAXON 9.6 although it is in the doc:
http://www.saxonica.com/documentation9.6/index.html#!configuration/configuration-file/config-xsd
Bug reported here: https://saxonica.plan.io/issues/2731
-->
<xsd
version="1.1" />
</configuration>
\ No newline at end of file
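Review bot: `defaultCollection="file:///e:/temp"` survives unchanged in this example configuration; it is a Windows drive path that cannot resolve on the Linux hosts where the Tomcat deployments mentioned in the CHANGELOG usually run, so drop the attribute or replace it with an obvious placeholder. The file also still ends without a trailing newline (`\ No newline at end of file`), which will make every later edit produce a noisy diff. The new comment on the `occurrenceLimits` property with the Saxon bug report link is useful; since `allowExternalFunctions="false"` is the one setting here that matters for safety, it deserves a similar "do not change" note alongside the existing `xInclude` warning.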
......@@ -44,18 +44,18 @@ import org.slf4j.LoggerFactory;
/**
*
* class to use for the testSuite MatchTest.class, ConformanceV3FromV2.class, BasicV3_1.class, BasicV3_2.class,
* BasicV3_3.class, BasicV3_4.class, BasicV3_5.class, BasicFunctionV3.class
* Main PDP core implementation test suite.
*
* NB: {@link AnyURIAttributeTest} no longer useful and removed because we now refer to the definition of anyURI datatype given in XSD 1.1, which has the same value space as the string datatype. More
* info in the XSD 1.1 datatypes document and SAXON documentation: http://www.saxonica.com/html/documentation9.4/changes/intro93/xsd11-93.html. Although XACML 3.0 still refers to XSD 1.0 and its
* stricter definition of anyURI, we prefer to anticipate and use the definition from XSD 1.1 for XACML AttributeValues of datatype anyURI. However, this does not affect XACML schema validation of
* Policy/PolicySet/Request documents, where the XSD 1.0 definition of anyURI still applies.
*/
@RunWith(Suite.class)
@SuiteClasses(value = { AnyURIAttributeTest.class, EqualityFunctionsTest.class, NumericArithmeticFunctionsTest.class,
StringConversionFunctionsTest.class, NumericConversionFunctionsTest.class, LogicalFunctionsTest.class,
NumericComparisonFunctionsTest.class, DateTimeArithmeticFunctionsTest.class,
NonNumericComparisonFunctionsTest.class, StringFunctionsTest.class, BagFunctionsTest.class,
SetFunctionsTest.class, HigherOrderFunctionsTest.class, RegExpBasedFunctionsTest.class,
SpecialMatchFunctionsTest.class, ConformanceV3FromV2Mandatory.class, ConformanceV3FromV2Optional.class,
ConformanceV3Others.class, CustomPdpTest.class, TestApplyMarshalling.class,
TestPdpGetStaticApplicablePolicies.class, NonRegression.class })
@SuiteClasses(value = { EqualityFunctionsTest.class, NumericArithmeticFunctionsTest.class, StringConversionFunctionsTest.class, NumericConversionFunctionsTest.class, LogicalFunctionsTest.class,
NumericComparisonFunctionsTest.class, DateTimeArithmeticFunctionsTest.class, NonNumericComparisonFunctionsTest.class, StringFunctionsTest.class, BagFunctionsTest.class,
SetFunctionsTest.class, HigherOrderFunctionsTest.class, RegExpBasedFunctionsTest.class, SpecialMatchFunctionsTest.class, ConformanceV3FromV2Mandatory.class, ConformanceV3FromV2Optional.class,
ConformanceV3Others.class, CustomPdpTest.class, TestApplyMarshalling.class, TestPdpGetStaticApplicablePolicies.class, NonRegression.class })
public class MainTest
{
/**
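Review bot: the suite Javadoc says `AnyURIAttributeTest` is "no longer useful and removed", but this hunk only drops it from `@SuiteClasses`, and the later hunk in the same commit keeps the class in the tree "for the record"; make the two agree, either by deleting the class (git history preserves it) or by changing "removed" to "removed from the suite". The `{@link AnyURIAttributeTest}` reference will also break Javadoc generation the day the class is actually deleted, so `{@code}` is safer. The rest of the paragraph repeats the text already in `AnyURIValue`; a single `@see AnyURIValue` would avoid maintaining three copies of the same explanation.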
......
......@@ -29,15 +29,27 @@ import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.junit.runners.Parameterized.Parameters;
/**
*
* XACML anyURI validation test. This test is no longer used since we refer to the definition of anyURI datatype given in XSD 1.1, which has the same value space as the string datatype. This is
* confirmed by SAXON documentation: http://www.saxonica.com/html/documentation9.4/changes/intro93/xsd11-93.html
*
* Although XACML 3.0 still refers to XSD 1.0 and its stricter definition of anyURI, we prefer to anticipate and use the definition from XSD 1.1 for XACML AttributeValues of datatype anyURI. However,
* this does not affect XACML schema validation of Policy/PolicySet/Request documents, where the XSD 1.0 definition of anyURI still applies.
*
* This class is kept for the record only.
*/
@RunWith(value = Parameterized.class)
public class AnyURIAttributeTest
{
@Parameters
public static Collection<Object[]> data()
{
Object[][] data = new Object[][] { { "http://datypic.com", "absolute URI (also a URL)", true }, { "mailto:info@datypic.com", "absolute URI", true }, { "../%C3%A9dition.html", "relative URI containing escaped non-ASCII character", true },
{ "../édition.html", "relative URI containing escaped non-ASCII character", true }, { "http://datypic.com/prod.html#shirt", "URI with fragment identifier", true }, { "../prod.html#shirt", "relative URI with fragment identifier", true }, { "", "an empty value is allowed", true },
{ "http://datypic.com#frag1#frag2", "too many # characters", false }, { "http://datypic.com#f% rag", "% character followed by something other than two hexadecimal digits", false } };
Object[][] data = new Object[][] { { "http://datypic.com", "absolute URI (also a URL)", true }, { "mailto:info@datypic.com", "absolute URI", true },
{ "../%C3%A9dition.html", "relative URI containing escaped non-ASCII character", true }, { "../édition.html", "relative URI containing escaped non-ASCII character", true },
{ "http://datypic.com/prod.html#shirt", "URI with fragment identifier", true }, { "../prod.html#shirt", "relative URI with fragment identifier", true },
{ "", "an empty value is allowed", true }, { "http://datypic.com#frag1#frag2", "too many # characters", false },
{ "http://datypic.com#f% rag", "% character followed by something other than two hexadecimal digits", false } };
return Arrays.asList(data);
}
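Review bot: keeping this class "for the record" while leaving `@RunWith(value = Parameterized.class)` and `@Parameters` in place means Surefire will still pick it up by its `*Test` name and run it outside the suite; if its assertions still expect the last two rows ("too many # characters", "% character followed by something other than two hexadecimal digits") to be rejected, they will now fail, because those values are accepted under the XSD 1.1 definition this commit adopts. Either delete the class (the git history is the record) or annotate it with `@Ignore` and say why. Separately, the description for `"../édition.html"` reads "relative URI containing escaped non-ASCII character" although the character is unescaped there; the escaped case is the preceding `%C3%A9` row.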
......