Commit c41b5592 authored by cdanger

Updated documentation for new release 10.0.0

parent 5af80049
......@@ -434,6 +434,10 @@ Conformance table according to [section 5](http://docs.oasis-open.org/xacml/xacm
#### XACML Additional Combining Algorithms Profile
AuthzForce provides experimental support for [XACML 3.0 Additional Combining Algorithms Profile Version 1.0](http://docs.oasis-open.org/xacml/xacml-3.0-combalgs/v1.0/xacml-3.0-combalgs-v1.0.html), i.e. `on-permit-apply-second` policy combining algorithm.
#### GeoXACML
[GeoXACML](http://portal.opengeospatial.org/files/?artifact_id=42734) (Open Geospatial Consortium) is supported as an AuthzForce plugin from [SecureDimensions](https://github.com/securedimensions/authzforce-geoxacml-basic).
### Safety & Security
* Detection of circular XACML policy references (PolicySetIdReference);
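Review bot: the two links added here (docs.oasis-open.org for the Additional Combining Algorithms Profile, portal.opengeospatial.org for GeoXACML) use plain `http://`, while this same commit upgrades the Maven Central link to `https://`; switch these to `https://` too so the spec and plugin references are fetched over TLS. "Experimental support" should also say what the caveat is (what is not covered, or not tested) so a deployer can decide whether to rely on `on-permit-apply-second` in production policies.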
......
Features
========
See `the list of features on Github for the current version <https://github.com/authzforce/fiware/blob/release-9.0.1/doc/Features.md>`__.
See `the list of features on Github for the current version <https://github.com/authzforce/fiware/blob/release-10.0.0/doc/Features.md>`__.
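Review bot: the Features link hard-codes the release tag (`release-9.0.1` becomes `release-10.0.0`) and has to be bumped by hand at every release, which is exactly the kind of edit that gets forgotten; since conf.py in this same commit sets `release = '10.0.0'` and already uses `rst_epilog` to define `|product.version|`, consider generating this URL from that value so the link cannot go stale.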
......@@ -14,10 +14,10 @@ The system requirements are the following:
* RAM: 4GB min
* Disk space: 10 GB min
* File system: ext4
* Operating System: Ubuntu 18.04 LTS
* Operating System: Ubuntu 18.04 LTS or later
* Java environment:
* JRE 8 either from OpenJDK or Oracle;
* JRE 11 either from OpenJDK or Oracle;
* Tomcat 9.x.
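Review bot: the Java requirement still reads "JRE 11 either from OpenJDK or Oracle", but the Minimal setup section in this same commit drops the Oracle install steps and only gives `openjdk-11-jre`; either keep an Oracle option there or narrow the requirement to OpenJDK so the two sections agree. "Ubuntu 18.04 LTS or later" would also benefit from naming the releases actually tested, since the `tomcat9` and `openjdk-11-jre` packages the Minimal setup relies on must exist on every release the requirement now covers.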
Installation
......@@ -29,14 +29,12 @@ finally, proceed with the `Upgrade`_ section that follows, to transfer data from
Minimal setup
-------------
#. Install a JRE 8 if you don't have one already, using either of these two methods depending on your JDK preference:
#. Install a JRE 11 if you don't have one already, using either of these two methods depending on your JDK preference:
* If you prefer OpenJDK: ``$ sudo apt install openjdk-8-jre``
* If you prefer Oracle JDK, follow the instructions from `WEB UPD8 <http://www.webupd8.org/2012/09/install-oracle-java-8-in-ubuntu-via-ppa.html>`_.
In the end, you should have the package ``oracle-java8-installer`` installed.
* For OpenJDK: ``$ sudo apt install openjdk-11-jre``
#. Install Tomcat 9: ``$ sudo apt install tomcat9``.
#. Each AuthzForce Server version number has the form MAJOR.MINOR.PATH (Semantic Versioning). Identify the latest binary (Ubuntu package with ``.deb`` extension) release of AuthzForce Server
on `Maven Central Repository <http://repo1.maven.org/maven2/org/ow2/authzforce/authzforce-ce-server-dist/>`_ that matches the MAJOR.MINOR version of this documentation.
on `Maven Central Repository <https://repo1.maven.org/maven2/org/ow2/authzforce/authzforce-ce-server-dist/>`_ that matches the MAJOR.MINOR version of this documentation.
This is the current latest software version to which this documentation version applies.
If you want to use a different software version, go to the latest documentation version with matching MAJOR.MINOR and follow instructions there.
Else you may download the software version. We will refer to its version number as ``M.m.P`` (please replace accordingly):
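Review bot: the step "Install a JRE 11 ... using either of these two methods depending on your JDK preference" is now followed by a single method (the OpenJDK `apt install` bullet), because the Oracle JDK / WEB UPD8 bullet was removed; reword to something like "for example with OpenJDK: ``$ sudo apt install openjdk-11-jre``" or restore a second option. In the unchanged context, "MAJOR.MINOR.PATH" should be "MAJOR.MINOR.PATCH". The switch of the repo1.maven.org link to `https://` is good; if the remaining install steps do not verify the downloaded `.deb` against its published checksum or signature, this is the place to say so.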
......@@ -92,12 +90,12 @@ Tomcat
For configuring and managing Tomcat, please refer to the `official user guide <http://tomcat.apache.org/tomcat-9.0-doc/index.html>`_.
Authzforce webapp
AuthzForce webapp
-----------------
The Authzforce webapp configuration directory is located here: ``/opt/authzforce-ce-server/conf``.
The AuthzForce webapp configuration directory is located here: ``/opt/authzforce-ce-server/conf``.
In particular, the file ``logback.xml`` configures the logging for the webapp (independently from Tomcat). By default, Authzforce-specific logs go to ``/var/log/tomcat9/authzforce-ce/error.log``.
In particular, the file ``logback.xml`` configures the logging for the webapp (independently from Tomcat). By default, AuthzForce-specific logs go to ``/var/log/tomcat9/authzforce-ce/error.log``.
Restart Tomcat to apply any configuration change::
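Review bot: the Tomcat user guide link in the context line still uses `http://tomcat.apache.org/...` while the commit moves other links to `https://`; change it here too for consistency.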
......@@ -132,7 +130,7 @@ The Concept of Policy Domain
The application is multi-tenant, i.e. it allows users or organizations to work on authorization policies in complete isolation from each other. In this document, we use the term *domain* instead of *tenant*.
In this context, a policy domain consists of:
* Various metadata about the domain: ID assigned by the Authzforce API, external ID (assigned by the provisioning client), description;
* Various metadata about the domain: ID assigned by the AuthzForce API, external ID (assigned by the provisioning client), description;
* A policy repository;
* Attribute Providers configuration: attribute providers provide attributes that the PEP does NOT directly provide in the XACML <Request>.
For example, an attribute provider may get attribute values from an external database.
......@@ -284,9 +282,9 @@ Sanity check procedures
The Sanity Check Procedures are the steps that a System Administrator will take to verify that the installation is ready to be tested.
This is therefore a preliminary set of tests to ensure that obvious or basic malfunctioning is fixed before proceeding to unit tests, integration tests and user validation.
End to End testing
End-to-End testing
------------------
To check the proper deployment and operation of the Authorization Server, perform the following steps:
To check the proper deployment and operation of the AuthzForce Server, perform the following steps:
#. Get the list of policy administration domains by doing the following HTTP request, replacing ``${host}`` with the server hostname, and ``${port}`` with the HTTP port of the server, for example with ``curl`` tool::
......@@ -420,8 +418,8 @@ For Tomcat 9, refer to the `Tomcat 9 SSL/TLS Configuration HOW-TO <https://tomca
Web Application Secutity
++++++++++++++++++++++++
XML Security
************
XML and JSON Security
*********************
The AuthzForce web application exposes a XML-based API. Therefore it is vulnerable to XML denial-of-service attacks.
To mitigate these attacks, there are two solutions:
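Review bot: the heading becomes "XML and JSON Security", but the paragraph under it still says the web application "exposes a XML-based API" and is vulnerable to "XML denial-of-service attacks"; since this same commit adds JSON limits (`maxChildElements` for JSON properties, `maxElementDepth` for JSON objects, `maxTextLength` for JSON strings) and a JSON schema property, the paragraph should say the API accepts both XML and JSON and that the same resource-exhaustion concerns (deep nesting, very large nodes, huge strings) apply to JSON input. Also, the parent heading "Web Application Secutity" in the context line has a typo (Security).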
......@@ -433,14 +431,14 @@ To mitigate these attacks, there are two solutions:
<Environment
name="org.apache.cxf.stax.maxChildElements"
description="Maximum number of child elements in an input XML element. Default: 50000."
description="Maximum number of child elements (resp. properties) in an input XML element (resp. JSON)."
type="java.lang.Integer"
value="1000"
override="false" />
<Environment
name="org.apache.cxf.stax.maxElementDepth"
description="Maximum depth of an element in input XML. Default: 100."
description="Maximum depth of an element (resp. JSON object) in input XML (resp. JSON)."
type="java.lang.Integer"
value="100"
override="false" />
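Review bot: dropping the "Default: 50000" / "Default: 100" text from the descriptions removes the only place where an operator could see how far the recommended `value` tightens the CXF default; if the defaults changed with the CXF upgrade, state the new ones instead of deleting them. Note also that `maxElementDepth` keeps `value="100"`, the same as the former stated default, so unless the default changed this entry no longer tightens anything; say so or lower it. The "(resp. properties)" / "(resp. JSON)" wording is hard to read; "child elements (or JSON properties) in an input XML element (or JSON object)" is clearer.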
......@@ -449,24 +447,31 @@ To mitigate these attacks, there are two solutions:
(more info: https://issues.apache.org/jira/browse/CXF-6848) -->
<Environment
name="org.apache.cxf.stax.maxAttributeCount"
description="Maximum number of attributes per element in input XML. Default: 500."
description="Maximum number of attributes per element in input XML."
type="java.lang.Integer"
value="100"
override="false" />
<Environment
name="org.apache.cxf.stax.maxAttributeSize"
description="Maximum size of a single attribute in input XML. Default: 65536 (= 64*1024)."
description="Maximum size of a single attribute in input XML."
type="java.lang.Integer"
value="1000"
override="false" />
<Environment
name="org.apache.cxf.stax.maxTextLength"
description="Maximum size of XML text node in input XML. Default: 134217728 (= 128*1024*1024)."
description="Maximum size of XML text node (resp. JSON string) in input XML (resp. JSON)."
type="java.lang.Integer"
value="1000"
override="false" />
<Environment
name="org.ow2.authzforce.domains.xacmlJsonSchemaRelativePath"
description="Path to JSON schema file for XACML JSON Profile's Request validation, relative to ${org.ow2.authzforce.config.dir} (if undefined/empty value, the Request.schema.json file from authzforce-ce-xacml-json-model project is used by default). This property applies if and only if 'org.ow2.authzforce.domains.enableXacmlJsonProfile' is true."
type="java.lang.String"
value=""
override="false" />
Restart Tomcat to apply changes.
* **Dedicated WAF**: for better mitigation, we recommend using a WAF (Web Application Firewall) with XML attack mitigation features in front of the Authzforce server.
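Review bot: the new `org.ow2.authzforce.domains.xacmlJsonSchemaRelativePath` entry says it applies only when `org.ow2.authzforce.domains.enableXacmlJsonProfile` is true, but that property is not shown among the environment entries in this section; add it (with its default) next to this one so readers can see how JSON support is turned on or off, and state that a custom schema replaces, rather than extends, validation against the bundled Request.schema.json. Since `maxTextLength` with `value="1000"` now caps JSON string values as well, long attribute values (base64 content, for example) will be rejected; that deserves a sentence next to the limit. The WAF bullet still spells "Authzforce" while the rest of the commit renames to "AuthzForce".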
......
......@@ -85,7 +85,7 @@ master_doc = 'index'
# General information about the project.
project = u'AuthzForce CE'
copyright = u'2015-2019, THALES'
copyright = u'2015-2021, THALES'
author = u'Cyril Dangerville, THALES'
# The version info for the project you're documenting, acts as replacement for
......@@ -93,9 +93,9 @@ author = u'Cyril Dangerville, THALES'
# built documents.
#
# The short X.Y version.
version = '9.0.1'
version = '10.0.0'
# The full version, including alpha/beta/rc tags.
release = '9.0.1'
release = '10.0.0'
rst_epilog = """
.. |product.version| replace:: {0}
......
<?xml version="1.0" encoding="UTF-8"?>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" version="6.0.0">
<rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRootPolicyProvider" policyLocation="${PARENT_DIR}/policy.xml" />
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7" version="7.1">
<policyProvider id="rootPolicyProvider" xsi:type="StaticPolicyProvider" policyLocation="${PARENT_DIR}/policy.xml" />
<ioProcChain>
<requestPreproc>urn:ow2:authzforce:feature:pdp:request-preproc:xacml-json:default-lax</requestPreproc>
<resultPostproc>urn:ow2:authzforce:feature:pdp:result-postproc:xacml-json:default</resultPostproc>
</ioProcChain>
</pdp>
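Review bot: the request pre-processor selected for the JSON chain is `urn:ow2:authzforce:feature:pdp:request-preproc:xacml-json:default-lax`; the `lax` suffix indicates relaxed request validation, so the documentation around this file should state what "lax" relaxes and when an administrator should prefer a stricter pre-processor, because a PDP that accepts ambiguous or malformed requests can return decisions the policy author did not intend. The schema namespace moves from `pdp/6.0` to `pdp/7` and `StaticRootPolicyProvider` becomes `StaticPolicyProvider`, so existing domains carry pdp.xml files that no longer validate; the Upgrade section referenced earlier in this commit ("to transfer data from...") must cover that migration. Finally, `version` changes from `6.0.0` to `7.1` (two components instead of three); confirm that is the form the pdp/7 schema expects.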