Commit 0d793235 authored by cdanger

Merge branch 'release/9.0.0'

parents c56c774b b0bf7e06
......@@ -4,6 +4,33 @@ All notable changes to this project are documented in this file following the [K
Issues reported on [GitHub](https://github.com/authzforce/server/issues) are referenced in the form of `[GH-N]`, where N is the issue number. Issues reported on [OW2](https://jira.ow2.org/browse/AUTHZFORCE/) are mentioned in the form of `[OW2-N]`, where N is the issue number.
## 9.0.0
*See the [Upgrader tool](upgrader/src) for upgrading from 8.x versions.*
### Added
- **Tomcat 9** support.
- New application configuration variable `org.ow2.authzforce.webapp.badReqErrVerbosity`: configures the verbosity of HTTP 400 (Bad Request) responses to help clients troubleshoot their API requests. To be set in the webapp-specific Tomcat Context element, typically `/etc/tomcat9/Catalina/localhost/authzforce-ce.xml`.
- PDP API (/pdp): support for **Multiple Decision Profile with XACML/JSON Profile** (JSON input)
### Changed
- **Tomcat requirement: 9.x**. Although AuthzForce Server may still run on Tomcat 8 with a few tweaks, **Tomcat 8 is not officially supported anymore**.
- Domains' PDP configuration format changed, i.e. XML namespaces / types / elements changed (the [Upgrader tool](upgrader/src) helps migrate configurations from older 8.x versions)
- Upgraded parent project (authzforce-ce-parent): 7.6.1: upgraded dependencies:
- slf4j-api: 1.7.30 (fix CVE)
- Apache CXF: 3.3.6
- Spring: 5.1.14
- Upgraded dependencies:
- authzforce-ce-core-pdp-engine: 16.0.0
- authzforce-ce-core-pap-api: 10.1.0
- authzforce-ce-jaxrs-utils: 1.6.0
- authzforce-ce-pap-dao-flat-file: 12.0.0
### Fixed
- #46 : bad PolicySets pushed to the /pap/policies endpoint are still saved on server side even if a HTTP 400 Bad Request is returned.
- Issues with XACML/JSON responses (XACML JSON Profile)
- CVE on slf4j
## 8.1.0
### Added
- [GH-29] Systematic input policy validation on API - HTTP POST `/domains/{domain-id}/pap/policies` - even if the policy is not currently in use by the PDP (it is potentially used later on after changing PDP configuration), in order to improve safety and troubleshooting. Policies are validated by attempting to load a temporary PDP configuration with the input policy as root policy.
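Review bot: the Fixed entry "CVE on slf4j" and the dependency line "slf4j-api: 1.7.30 (fix CVE)" give no CVE identifier, so downstream users cannot tell whether their own deployment was exposed; name the CVE in both places. Two smaller points in the same hunk: "#46 : bad PolicySets pushed to the /pap/policies endpoint..." should follow the `[GH-N]` convention the file's own header defines (`[GH-46]`), and the entry for `org.ow2.authzforce.webapp.badReqErrVerbosity` should state the default verbosity and which value is recommended for production, since verbose HTTP 400 bodies echo request-parsing details back to API clients.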
......
......@@ -32,8 +32,8 @@ _If you are interested in using an embedded XACML-compliant PDP in your Java
applications, AuthzForce also provides a PDP engine as a Java library in
[Authzforce core project](http://github.com/authzforce/core)._
| :books: [Documentation](https://authzforce-ce-fiware.rtfd.io/) | :mortar_board: [Academy](https://fiware-academy.readthedocs.io/en/latest/security/authzforce) | :whale: [Docker Hub](https://hub.docker.com/r/authzforce/server/) |
|---|---|---|
| :books: [Documentation](https://authzforce-ce-fiware.rtfd.io/) | :mortar_board: [Academy](https://fiware-academy.readthedocs.io/en/latest/security/authzforce) | :whale: [Docker Hub](https://hub.docker.com/r/authzforce/server/) | :dart: [Roadmap](https://github.com/authzforce/server/blob/develop/ROADMAP.md)
|---|---|---|---|
## Contents
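Review bot: the new header row ending in `| :dart: [Roadmap](https://github.com/authzforce/server/blob/develop/ROADMAP.md)` drops the trailing `|` that the row it replaces had; GFM renders it either way, but keep the trailing pipe so the four cells line up with `|---|---|---|---|` in the source.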
......@@ -160,7 +160,7 @@ More information in the previous section.
- Integration with file synchronization tools (e.g.
[csync2](http://oss.linbit.com/csync2/)) or distributed filesystems (e.g.
NFS and CIFS) to build clusters of AuthZForce Servers.
NFS and CIFS) to build clusters of AuthzForce Servers.
## Limitations
......@@ -268,7 +268,7 @@ request, notification, potential issue (unconfirmed), etc.
If you are experiencing any bug with this project and you indeed confirm this is
not an issue with your environment (contact the users mailing list first if you
are unsure), please report it on the
[OW2 Issue Tracker](https://jira.ow2.org/browse/AUTHZFORCE/). Please include as
[OW2 Issue Tracker](https://gitlab.ow2.org/authzforce/server/issues). Please include as
much information as possible; the more we know, the better the chance of a
quicker resolution:
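Review bot: the bug-report link moves from `https://jira.ow2.org/browse/AUTHZFORCE/` to `https://gitlab.ow2.org/authzforce/server/issues`, but the CHANGELOG header in this same merge still says OW2 issues are reported on the Jira URL in the `[OW2-N]` form; update that sentence (or state that `[OW2-N]` refers to historical Jira issues only) so the two files do not send users to different trackers.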
......@@ -299,20 +299,26 @@ The sources for the manuals are located in
### Releasing
1. From the develop branch, prepare a release (example using a HTTP proxy):
```console
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-start
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-start
```
2. Update the [changelog](CHANGELOG.md) with the new version according to
keepachangelog.com.
3. Commit
4. Perform the software release (example using a HTTP proxy):
```console
```console
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-finish
```
If, after deployment, the command does not succeed because of some issue with the branches. Fix the issue, then re-run the same command but with 'noDeploy' option set to true to avoid re-deployment:
```console
```
If, after deployment, the command does not succeed because of some issue with the branches. Fix the issue, then re-run the same command but with 'noDeploy' option set to true to avoid re-deployment:
```console
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 -DnoDeploy=true jgitflow:release-finish
```
```
More info on jgitflow: http://jgitflow.bitbucket.org/
5. Connect and log in to the OSS Nexus Repository Manager:
https://oss.sonatype.org/
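Review bot: the re-run instruction "If, after deployment, the command does not succeed because of some issue with the branches. Fix the issue, then re-run the same command..." is a sentence fragment; suggest "If, after deployment, the command fails because of a branch issue, fix it and re-run the same command with `-DnoDeploy=true` so the artifacts are not deployed twice". Also "a HTTP proxy" in steps 1 and 4 should read "an HTTP proxy", and the proxy example would be clearer if it said the `-Dhttps.proxyHost`/`-Dhttps.proxyPort` options are only needed behind a proxy.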
......@@ -339,3 +345,20 @@ and `org.ow2.authzforce.webapp.org.codehaus.jettison.mapped` which are under
Apache License.
[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fauthzforce%2Fserver.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Fauthzforce%2Fserver?ref=badge_large)
### Are there any legal issues with GPL 3.0? Is it safe for me to use?
There is absolutely no problem in using a product licensed under GPL 3.0. Issues with GPL
(or AGPL) licenses are mostly related with the fact that different people assign different
interpretations on the meaning of the term “derivate work” used in these licenses. Due to this,
some people believe that there is a risk in just _using_ software under GPL or AGPL licenses
(even without _modifying_ it).
For the avoidance of doubt, the owners of this software licensed under an GPL 3.0 license
wish to make a clarifying public statement as follows:
> Please note that software derived as a result of modifying the source code of this
> software in order to fix a bug or incorporate enhancements is considered a derivative
> work of the product. Software that merely uses or aggregates (i.e. links to) an otherwise
> unmodified version of existing software is not considered a derivative work, and therefore
> it does not need to be released as under the same license, or even released as open source.
......@@ -18,9 +18,9 @@ any time.
## Short term
The following list of features are planned to be addressed in the short term,
and incorporated in the next release of the product planned for **2019**:
and incorporated in the next release of the product planned for **2020**:
- [Systematic policy validation on PAP API](https://github.com/authzforce/server/issues/29).
- #50 .
## Medium term
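Review bot: the new item "#50 ." is a bare issue number with a stray space before the period, unlike the item above it, which links the issue with a title; give it the same form, `[<issue title>](https://github.com/authzforce/server/issues/50)`, so readers do not have to open the tracker to learn what is planned for 2020.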
......
<footer>&copy; Copyright ${inceptionYear}-${currentYear} Thales Services.</footer>
<footer>&copy; Copyright ${inceptionYear}-${currentYear} Thales.</footer>
</body>
</html>
......@@ -2,7 +2,7 @@
"http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<title>AuthZForce Upgrader</title>
<title>AuthzForce Upgrader</title>
<meta charset="utf-8" />
<!-- <link rel="stylesheet" href="##SITE_BASE##/css/default.css"> -->
</head>
......
......@@ -3,14 +3,14 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-server</artifactId>
<version>8.1.0</version>
<version>9.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-server-dist</artifactId>
<!-- If using 'pom' packaging, jdeb refuses to execute. -->
<packaging>jar</packaging>
<name>${project.groupId}:${project.artifactId}</name>
<description>AuthZForce CE server distribution (zip and deb)</description>
<description>AuthzForce CE server distribution (zip and deb)</description>
<url>https://github.com/authzforce/server/dist</url>
<scm>
<connection>scm:git:${git.url.base}.git</connection>
......@@ -198,13 +198,13 @@
<!-- Starting '.' necessary to get absolute paths, otherwise lintian complains "relative-conffile" -->
<prefix>./opt/${productId}/conf</prefix>
<user>root</user>
<group>tomcat8</group>
<group>tomcat</group>
</mapper>
</data>
<data>
<!-- Webapp-specific context for Tomcat, after replacing 'productId' (see previous <resources> tag), therefore take it from target/classes, i.e. ${project.build.outputDirectory} -->
<src>${project.build.outputDirectory}/webapp-context.xml</src>
<dst>/etc/tomcat8/Catalina/localhost/authzforce-ce.xml</dst>
<dst>/etc/tomcat9/Catalina/localhost/authzforce-ce.xml</dst>
<type>file</type>
<conffile>true</conffile>
</data>
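Review bot: the conf mapper (`<prefix>./opt/${productId}/conf</prefix>`, `<user>root</user>`, `<group>tomcat</group>`) sets no `<filemode>`/`<dirmode>`, while the webapp mapper in the next hunk notes that jdeb defaults both to 000 (tcurdt/jdeb#55) and sets 644/755 explicitly; confirm the conf files end up group-readable by `tomcat`, because the Tomcat context in this merge points at `/opt/${productId}/conf/logback.xml` and the webapp cannot start if it cannot read that directory. Keeping `root` as owner with group `tomcat` is the right least-privilege split; it just needs the modes to match.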
......@@ -218,13 +218,20 @@
<type>perm</type>
<prefix>./opt/${productId}/webapp</prefix>
<user>root</user>
<group>tomcat8</group>
<group>tomcat</group>
<!-- filemode/dirmode set to 000 by default. Issue: https://github.com/tcurdt/jdeb/issues/55 -->
<filemode>644</filemode>
<dirmode>755</dirmode>
<strip>2</strip>
</mapper>
</data>
<data>
<!-- Systemd config override to allow writing to other non-official Tomcat directories. More info: https://salsa.debian.org/java-team/tomcat9/blob/master/debian/README.Debian -->
<src>${project.basedir}/src/debian/systemd-tomcat9-override.conf</src>
<dst>/etc/systemd/system/tomcat9.service.d/override.conf</dst>
<type>file</type>
<conffile>true</conffile>
</data>
<data>
<!-- Configuration directory -->
<src>${project.basedir}/src/data/domains</src>
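Review bot: the new `<data>` element installs `/etc/systemd/system/tomcat9.service.d/override.conf`, but the postinst in this merge only runs `systemctl restart tomcat9`; a drop-in added after the unit was loaded is ignored until `systemctl daemon-reload` runs, so on that first restart the write restriction the override is meant to relax stays in force. Run `daemon-reload` before the restart. Also, the file is taken from `${project.basedir}/src/debian/` rather than from `${project.build.outputDirectory}` the way `webapp-context.xml` above is (the comment there explains why: `productId` is substituted only in target/classes), so `${productId}` cannot be used in it and the shipped override hardcodes `/opt/authzforce-ce-server/data/`, which silently diverges if `productId` ever changes.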
......@@ -232,8 +239,8 @@
<mapper>
<type>perm</type>
<prefix>./opt/${productId}/data/domains</prefix>
<user>tomcat8</user>
<group>tomcat8</group>
<user>tomcat</user>
<group>tomcat</group>
</mapper>
</data>
</dataSet>
......
......@@ -2,9 +2,9 @@
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://authzforce.github.io/rest-api-model/xmlns/authzforce/ext" xmlns:tns="http://authzforce.github.io/rest-api-model/xmlns/authzforce/ext" elementFormDefault="qualified" attributeFormDefault="unqualified" version="4.0">
<xs:annotation>
<xs:documentation xml:lang="en">
Schemas of enabled AuthZForce extensions, such as attribute providers.
Schemas of enabled AuthzForce extensions, such as attribute providers.
</xs:documentation>
</xs:annotation>
<!-- Extension for file-based PAP DAO root/ref policy providers -->
<xs:import namespace="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6" />
<xs:import namespace="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/4" />
</xs:schema>
\ No newline at end of file
......@@ -7,5 +7,5 @@
<system systemId="authzforce-ext.xsd" uri="classpath:authzforce-ext.xsd"/>
<!-- PDP Extensions -->
<uri name="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6" uri="classpath:org.ow2.authzforce.pap.dao.flatfile.pdp-ext.xsd"/>
<uri name="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/4" uri="classpath:org.ow2.authzforce.pap.dao.flatfile.pdp-ext.xsd"/>
</catalog>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" xmlns:pap-dao="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6"
version="6.0.0" maxVariableRefDepth="10" maxPolicyRefDepth="10" strictAttributeIssuerMatch="false">
<!-- You may customize this PDP configuration except 'rootPolicyProvider' and 'refPolicyProvider' elements. -->
<!-- policyLocation must start with ${PARENT_DIR}/ and end with: /*SUFFIX (* is expanded to base64url(policyId)/policyVersion) -->
<refPolicyProvider id="refPolicyProvider" xsi:type="pap-dao:StaticFlatFileDAORefPolicyProvider" policyLocationPattern="${PARENT_DIR}/policies/*.xml" />
<rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRefBasedRootPolicyProvider">
<policyRef>root</policyRef>
</rootPolicyProvider>
<ioProcChain>
<!-- Replace requestPreproc value with "urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:multiple:repeated-attribute-categories-lax" for Multiple Decision Profile support. -->
<requestPreproc>urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:default-lax</requestPreproc>
</ioProcChain>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7" xmlns:pap-dao="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/4"
version="7.1" maxVariableRefDepth="10" maxPolicyRefDepth="10" strictAttributeIssuerMatch="false">
<!-- You may customize this PDP configuration except 'policyProvider' element. -->
<!-- policyLocation must start with ${PARENT_DIR}/ and end with: /*SUFFIX (* is expanded to base64url(policyId)/policyVersion) -->
<policyProvider id="rootPolicyProvider" xsi:type="pap-dao:StaticFlatFileDaoPolicyProviderDescriptor" policyLocationPattern="${PARENT_DIR}/policies/*.xml" />
<rootPolicyRef policySet="true">root</rootPolicyRef>
<ioProcChain>
<!-- Replace requestPreproc value with "urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:multiple:repeated-attribute-categories-lax" for Multiple Decision Profile support. -->
<requestPreproc>urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:default-lax</requestPreproc>
</ioProcChain>
</pdp>
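Review bot: the comment "Replace requestPreproc value with ...xacml-xml:multiple:repeated-attribute-categories-lax for Multiple Decision Profile support" is carried unchanged into the 7.1 configuration, but this release's CHANGELOG also adds Multiple Decision Profile support for XACML/JSON input; either name the JSON request-preprocessor identifier next to the XML one here or point to the documentation that lists it, otherwise users of the JSON profile have no hint of how to enable it. Minor: `id="rootPolicyProvider"` is kept on the element that is now `policyProvider` and, per the new comment, serves both root and referenced policies; a neutral id would avoid suggesting the old root/ref split still exists.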
<pdp
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0"
xmlns:pap-dao="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6"
version="6.0.0"
maxVariableRefDepth="10"
maxPolicyRefDepth="10"
strictAttributeIssuerMatch="false">
<!-- You may customize this PDP configuration except 'rootPolicyProvider' and 'refPolicyProvider' elements. -->
<!-- policyLocation must start with ${PARENT_DIR}/ and end with: /*SUFFIX (* is expanded to base64url(policyId)/policyVersion) -->
<refPolicyProvider
id="refPolicyProvider"
xsi:type="pap-dao:StaticFlatFileDAORefPolicyProvider"
policyLocationPattern="${PARENT_DIR}/policies/*.xml" />
<rootPolicyProvider
id="rootPolicyProvider"
xsi:type="StaticRefBasedRootPolicyProvider">
<policyRef>root</policyRef>
</rootPolicyProvider>
<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7" xmlns:pap-dao="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/4"
version="7.1" maxVariableRefDepth="10" maxPolicyRefDepth="10" strictAttributeIssuerMatch="false">
<!-- You may customize this PDP configuration except 'policyProvider' element. -->
<!-- policyLocation must start with ${PARENT_DIR}/ and end with: /*SUFFIX (* is expanded to base64url(policyId)/policyVersion) -->
<policyProvider id="rootPolicyProvider" xsi:type="pap-dao:StaticFlatFileDaoPolicyProviderDescriptor" policyLocationPattern="${PARENT_DIR}/policies/*.xml" />
<rootPolicyRef policySet="true">root</rootPolicyRef>
</pdp>
authzforce-ce-server (${project.version}) xenial; urgency=low
* See https://github.com/authzforce/server/blob/release-${project.version}/CHANGELOG.md
-- Thales Services <http://www.thalesgroup.com> ${debian.changelog.timestamp}
-- Thales <http://www.thalesgroup.com> ${debian.changelog.timestamp}
release date=${jdeb.changelog.timestamp},version=${project.version},urgency=low,by=Thales Services <http://www.thalesgroup.com>
release date=${jdeb.changelog.timestamp},version=${project.version},urgency=low,by=Thales <http://www.thalesgroup.com>
* See https://github.com/authzforce/server/blob/release-${project.version}/CHANGELOG.md
......@@ -3,7 +3,7 @@ Version: [[version]]
Section: web
Priority: optional
Architecture: all
Depends: debconf (>= 0.2.26), openjdk-8-jre | oracle-java8-installer, tomcat8
Depends: debconf (>= 0.2.26), openjdk-8-jre | oracle-java8-installer, tomcat9
Maintainer: [[productMaintainer]]
Description: AuthzForce CE Server.
Reference Implementation of FIWARE Authorization PDP Generic Enabler
......
......@@ -14,21 +14,21 @@ fi
db_get [[productId]]/restartTomcat
if [ "$RET" = true ]; then
export JAVA_OPTS='"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=http -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server"'
sed -i 's|^\(JAVA_OPTS\s*=\s*\).*$|\1'"$JAVA_OPTS"'|' /etc/default/tomcat8
systemctl restart tomcat8
export JAVA_OPTS='"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server"'
sed -i 's|^\(JAVA_OPTS\s*=\s*\).*$|\1'"$JAVA_OPTS"'|' /etc/default/tomcat9
systemctl restart tomcat9
fi
echo "If you answered 'No' to the second question, you need to set the JAVA_OPTS in '/etc/default/tomcat8' by yourself before restarting Tomcat:"
echo " JAVA_OPTS=\"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=http -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server\""
echo "If you answered 'No' to the second question, you need to set the JAVA_OPTS in '/etc/default/tomcat9' by yourself before restarting Tomcat:"
echo " JAVA_OPTS=\"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server\""
echo
echo "If Tomcat fails to restart, check for any Tomcat high-level error in Tomcat log directory: /var/log/tomcat8"
echo "Then fix it, in particular check the settings in Tomcat init script /etc/default/tomcat8 and restart Tomcat as follows:"
echo " $ systemctl restart tomcat8"
echo "If Tomcat fails to restart, check for any Tomcat high-level error in Tomcat log directory: /var/log/tomcat9"
echo "Then fix it, in particular check the settings in Tomcat init script /etc/default/tomcat9 and restart Tomcat as follows:"
echo " $ systemctl restart tomcat9"
echo
echo "If Tomcat is started but AuthZForce webapp deployment fails, check for any webapp-specific error in file: /var/log/tomcat8/authzforce-ce/error.log"
echo "If Tomcat is started but AuthzForce webapp deployment fails, check for any webapp-specific error in file: /var/log/tomcat9/authzforce-ce/error.log"
echo
echo "If Tomcat takes too long to start, especially to load the AuthZForce webapp, it is very likely caused by lack of entropy on your host for secure random number generation. Having enough entropy is critical for security reasons, especially in production. If and only if you are using this AuthzForce instance for testing only, you may speed up Tomcat startup by adding this JVM argument to the JAVA_OPTS variable in Tomcat service configuration file '/etc/default/tomcat8': '-Djava.security.egd=file:/dev/./urandom'"
echo "If Tomcat takes too long to start, especially to load the AuthzForce webapp, it is very likely caused by lack of entropy on your host for secure random number generation. Having enough entropy is critical for security reasons, especially in production. If and only if you are using this AuthzForce instance for testing only, you may speed up Tomcat startup by adding this JVM argument to the JAVA_OPTS variable in Tomcat service configuration file '/etc/default/tomcat9': '-Djava.security.egd=file:/dev/./urandom'"
echo
echo "When the webapp is up and running, you should get a HTTP response with status code 200 to this HTTP request with curl tool, after replacing 8080 with the port Tomcat is listening to if different:"
printf "$ curl --verbose --show-error --write-out '%b\\%bn' --request GET http://localhost:8080/authzforce-ce/domains\n"
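Review bot: `-Djavax.xml.accessExternalSchema` is widened from `http` to `all` in the JAVA_OPTS written to `/etc/default/tomcat9`, in the echoed hint, in the debconf template and in the Dockerfile, yet nothing in the CHANGELOG hunk records or justifies the change. This JAXP property lists the protocols the XML parser may use to fetch external schemas; `all` removes the restriction entirely, so state why `http` no longer suffices (the catalog in this merge resolves schemas through `classpath:` URIs, which is probably the reason) and whether a narrower explicit protocol list would do. Separately, the `sed` line replaces any existing `JAVA_OPTS=` in `/etc/default/tomcat9` outright rather than appending; the debconf question makes that opt-in, but the echoed message should say the previous value is overwritten.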
......
......@@ -8,9 +8,9 @@ Description: Do you want to keep the test domain created by default?
Template: [[productId]]/restartTomcat
Type: boolean
Default: true
Description: Do you want to apply recommended Tomcat settings for AuthZForce (and restart Tomcat to apply changes)?
Description: Do you want to apply recommended Tomcat settings for AuthzForce (and restart Tomcat to apply changes)?
We recommend the following Tomcat settings for AuthzForce:
JAVA_OPTS='"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=http -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server"'
Do you agree to apply these settings to Tomcat init script (/etc/default/tomcat8) now?
JAVA_OPTS='"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server"'
Do you agree to apply these settings to Tomcat init script (/etc/default/tomcat9) now?
If you answer No, you can always apply these manually and restart Tomcat later with this command:
$ systemctl restart tomcat8
$ systemctl restart tomcat9
......@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: authzforce-ce-server-dist
Files: *
Copyright: Copyright (C) 2012-2017 Thales Services SAS. All rights reserved.
Copyright: Copyright (C) 2012-2020 Thales. All rights reserved.
Licence: GPL-3.0
The full text of the GNU General Public
License version 3 can be found in the file
......
[Service]
ReadWritePaths=/opt/authzforce-ce-server/data/
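Review bot: `ReadWritePaths=/opt/authzforce-ce-server/data/` hardcodes the product id that the rest of the packaging expresses as `${productId}` (`./opt/${productId}/data/domains` in the pom mapper); keep the two in sync, since a mismatch would leave the PAP unable to write domain data while the package still installs. The grant itself is appropriately narrow: only `data/` becomes writable, so `conf/` and `webapp/`, which the mappers install root-owned, stay read-only for the `tomcat` user.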
# Copyright (C) 2012-2017 Thales Services SAS.
# Copyright (C) 2012-2020 Thales.
#
# This file is part of AuthZForce CE.
# This file is part of AuthzForce CE.
#
# AuthZForce CE is free software: you can redistribute it and/or modify
# AuthzForce CE is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# AuthZForce CE is distributed in the hope that it will be useful,
# AuthzForce CE is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with AuthZForce CE. If not, see <http://www.gnu.org/licenses/>.
# along with AuthzForce CE. If not, see <http://www.gnu.org/licenses/>.
# Best practices for writing Dockerfiles:
# https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/
......@@ -23,7 +23,7 @@
# The alternative is to use FROM ubuntu:* then install tomcat ubuntu package and use upstart/sysctl init script but this is not the way to go:
# https://github.com/docker/docker/issues/6800
FROM tomcat:8-jre8
FROM tomcat:9-jre8
MAINTAINER AuthzForce Team (contact mailing list: http://scr.im/azteam)
ENV DEBIAN_FRONTEND noninteractive
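Review bot: `FROM tomcat:9-jre8` is a floating tag, so each build can silently pick up a different Tomcat and JRE patch level; pin a digest (`tomcat:9-jre8@sha256:<digest>`, placeholder) or at least a full version tag for reproducible images. `MAINTAINER` is deprecated in favor of `LABEL maintainer="..."`.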
......@@ -37,7 +37,7 @@ ENV DEBIAN_FRONTEND noninteractive
#ENV HTTP_PROXY 'http://user:password@proxy-host:proxy-port'
#ENV HTTPS_PROXY 'http://user:password@proxy-host:proxy-port'
ENV JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Djavax.xml.accessExternalSchema=http -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server"
ENV JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server"
ENV AUTHZFORCE_SERVER_VERSION="${project.version}"
ENV AUTHZFORCE_SERVER_DOWNLOAD_URL="http://repo1.maven.org/maven2/org/ow2/authzforce/authzforce-ce-server-dist/$AUTHZFORCE_SERVER_VERSION/authzforce-ce-server-dist-$AUTHZFORCE_SERVER_VERSION.deb"
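Review bot: `AUTHZFORCE_SERVER_DOWNLOAD_URL` uses plain `http://repo1.maven.org/...`, so the server package is fetched over an unauthenticated channel by the `curl --location` step in the next hunk; switch to `https://` (Maven Central serves the same path over TLS) rather than relying on a redirect for transport security.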
......@@ -63,7 +63,7 @@ ENV LC_ALL en_US.UTF-8
RUN curl --silent --output authzforce-ce-server.deb --location $AUTHZFORCE_SERVER_DOWNLOAD_URL && \
dpkg --extract authzforce-ce-server.deb /root/authzforce/ && \
mv /root/authzforce/etc/tomcat8/Catalina /usr/local/tomcat/conf/ && \
mv /root/authzforce/etc/tomcat9/Catalina /usr/local/tomcat/conf/ && \
mv /root/authzforce/opt/* /opt/ && \
rm -rf /opt/authzforce-ce-server/data/domains/* && \
rm -rf /root/authzforce && \
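Review bot: the `curl ... && dpkg --extract` sequence installs whatever bytes the download returns, with no checksum or signature check; Maven Central publishes `.sha1`/`.md5` sidecars and PGP `.asc` signatures next to each artifact, so pass the expected hash in as a build argument and verify it before `dpkg --extract`. Also `--silent` without `--fail` means an HTTP error page is saved as `authzforce-ce-server.deb` and the build only fails later at dpkg with a confusing message; add `--fail`.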
......
......@@ -4,20 +4,20 @@ This image of a minimal AuthzForce Server runtime is intended to work together w
## Image contents
- OpenJDK JRE 8;
- Tomcat 8;
- Tomcat 9;
- AuthzForce Server CE (version matching the Docker image tag).
## Usage
This image gives you a minimal installation for testing purposes. The AuthzForce Installation and Administration guide on [readthedocs.org](https://readthedocs.org/projects/authzforce-ce-fiware/versions/) (select the version matching the Docker image tag, then **AuthzForce - Installation and Administration Guide**) provides you a better approach for using it in a production environment. This installation guide also gives instructions to install from .deb package (instead of Docker), which is the recommended way for Ubuntu hosts.
Create a container using `authzforce/server` image by doing (replace the first *8080* after *-p* with whatever network port you want to use on the host to access the AuthzForce Server, e.g. 80; and *release-8.0.1* with the current Docker image tag that you are using):
Create a container using `authzforce/server` image by doing (replace the first *8080* after *-p* with whatever network port you want to use on the host to access the AuthzForce Server, e.g. 80; and *release-9.0.0* with the current Docker image tag that you are using):
```
docker run -d -p 8080:8080 --name <container-name> fiware/authzforce-ce-server:release-8.0.1
docker run -d -p 8080:8080 --name <container-name> fiware/authzforce-ce-server:release-9.0.0
```
As stands in the AuthZForce Installation and administration guide on [readthedocs.org](https://readthedocs.org/projects/authzforce-ce-fiware/versions/) (select the version matching the Docker image tag, then **AuthzForce - Installation and Administration Guide**) you can:
As stands in the AuthzForce Installation and administration guide on [readthedocs.org](https://readthedocs.org/projects/authzforce-ce-fiware/versions/) (select the version matching the Docker image tag, then **AuthzForce - Installation and Administration Guide**) you can:
* **Create a domain**
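Review bot: the sentence says to create a container "using `authzforce/server` image", but the command that follows pulls `fiware/authzforce-ce-server:release-9.0.0`, and the main README's table links Docker Hub at `hub.docker.com/r/authzforce/server/`; pick one image name (or state that both are published) so the release-9.0.0 tag bump applies to the image users actually pull.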
......
{inceptionYear=${project.inceptionYear}}
{currentYear=${currentYear}}
# AuthZForce Server - Manual installation
# AuthzForce Server - Manual installation
This guide provides the procedure to install the AuthZForce server from the tarball distribution, including system requirements and troubleshooting instructions.
This guide provides the procedure to install the AuthzForce server from the tarball distribution, including system requirements and troubleshooting instructions.
## System Requirements
* CPU frequency: 2.6 GHz min
......@@ -10,33 +10,33 @@ This guide provides the procedure to install the AuthZForce server from the tarb
* RAM: 4GB min
* Disk space: 10 GB min
* File system: ext4
* Operating System: Ubuntu 16.04 LTS
* Operating System: Ubuntu 18.04 LTS
* Java environment:
* JRE 8 either from OpenJDK or Oracle;
* Tomcat 8.x.
* Tomcat 9.x.
## Installation
### Minimal
1. If you don't have a JRE 8 already installed, you may do it on the command-line as follows, depending on your JRE preference:
* If you prefer OpenJDK: `$ sudo apt install openjdk-8-jdk`
* If you prefer Oracle JRE, follow the instructions from [WEB UPD8](http://www.webupd8.org/2012/09/install-oracle-java-8-in-ubuntu-via-ppa.html). In the end, you should have the package `oracle-java8-installer` installed.
1. If you don't have Tomcat 8 already installed, you may do it on the command-line: `$ sudo apt install tomcat8`
1. Download AuthZForce server tarball distribution from the [Maven Central Repository](http://repo1.maven.org/maven2/org/ow2/authzforce/authzforce-ce-server-dist/${project.version}/authzforce-ce-server-dist-${project.version}.tar.gz). You get a file called ``authzforce-ce-server-dist-${project.version}.tar.gz``.
1. Copy this file to the host where you want to install AuthZForce Server.
1. For security purposes, Tomcat should be run as an unprivileged user (i.e. not `root`). If you installed Tomcat as shown above, this user is `tomcat8`. Let us assume that `tomcat8` is the user (and group) that will run the Tomcat service in your case, and `/opt` is the directory where you want to install AuthZForce server. Please replace both names according to your setup. `$CATALINA_BASE` is a Tomcat environment-specific property, usually equal to `$CATALINA_HOME`, i.e. the root directory of your Tomcat installation ([more information](https://tomcat.apache.org/tomcat-8.0-doc/introduction.html)). If you installed Tomcat as shown above, `$CATALINA_BASE = /var/lib/tomcat8`. From the directory where you copied the tarball for installation, run the following commands:
1. If you don't have Tomcat 8 already installed, you may do it on the command-line: `$ sudo apt install tomcat9`
1. Download AuthzForce server tarball distribution from the [Maven Central Repository](http://repo1.maven.org/maven2/org/ow2/authzforce/authzforce-ce-server-dist/${project.version}/authzforce-ce-server-dist-${project.version}.tar.gz). You get a file called ``authzforce-ce-server-dist-${project.version}.tar.gz``.
1. Copy this file to the host where you want to install AuthzForce Server.
1. For security purposes, Tomcat should be run as an unprivileged user (i.e. not `root`). If you installed Tomcat as shown above, this user is `tomcat`. Let us assume that `tomcat` is the user (and group) that will run the Tomcat service in your case, and `/opt` is the directory where you want to install AuthzForce server. Please replace both names according to your setup. `$CATALINA_BASE` is a Tomcat environment-specific property, usually equal to `$CATALINA_HOME`, i.e. the root directory of your Tomcat installation ([more information](https://tomcat.apache.org/tomcat-9.0-doc/introduction.html)). If you installed Tomcat as shown above, `$CATALINA_BASE = /var/lib/tomcat9`. From the directory where you copied the tarball for installation, run the following commands:
```shell
$ sudo tar xvzf authzforce-ce-server-dist-${project.version}.tar.gz --directory /opt
$ sudo ln -s authzforce-ce-server-${project.version} authzforce-ce-server
$ sudo chown -RH tomcat8 authzforce-ce-server
$ sudo chgrp -RH tomcat8 authzforce-ce-server
$ sudo chown -RH tomcat authzforce-ce-server
$ sudo chgrp -RH tomcat authzforce-ce-server
$ sudo cp /opt/authzforce-ce-server/conf/context.xml.sample $CATALINA_BASE/conf/Catalina/localhost/authzforce-ce.xml
```
1. If you did not use `/opt` as installation directory, replace **ALL** occurrences of `/opt` in the webapp context configuration file `authzforce-ce.xml` according to your setup.
1. You may restart Tomcat server now. For instance, if you installed Tomcat as shown above, do it as follows:
```shell
$ systemctl restart tomcat8
$ systemctl restart tomcat9
```
**Known issue: lack of entropy may cause delays in Tomcat 7+ start up on virtual machines in particular: [more info on Entropy Source issue](https://wiki.apache.org/tomcat/HowTo/FasterStartUp#Entropy_Source). So beware.**
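Review bot: the step "If you don't have Tomcat 8 already installed, you may do it on the command-line: `$ sudo apt install tomcat9`" still says Tomcat 8 while the command installs tomcat9 and the requirements list above says 9.x; fix the text. Two further points in the command block: `tar ... --directory /opt` extracts into /opt, but the following `ln -s authzforce-ce-server-${project.version} authzforce-ce-server` and the `chown`/`chgrp` lines run in the directory the tarball was copied to, so the symlink is created in the wrong place (add `cd /opt` or use absolute paths); and `chown -RH tomcat` over the whole install tree gives the Tomcat user write access to `conf/` and `webapp/`, which the .deb packaging in this merge deliberately keeps root-owned with group `tomcat`, so either restrict the ownership change to `data/` or explain why the manual install differs.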
......@@ -64,15 +64,15 @@ Last but not least, please check the *More information* section below.
## Troubleshooting
If Tomcat fails to (re)start, check for any Tomcat high-level error in Tomcat log directory: `$CATALINA_BASE/logs`.
One common reason for failure is Tomcat default configuration may specify a value for the Java `Xmx` flag that is too low for the AuthZForce webapp. Make sure Tomcat is configured with `Xmx` at 1GB or more, 2 GB recommended. For example:
One common reason for failure is Tomcat default configuration may specify a value for the Java `Xmx` flag that is too low for the AuthzForce webapp. Make sure Tomcat is configured with `Xmx` at 1GB or more, 2 GB recommended. For example:
```shell
$ export JAVA_OPTS='"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=http -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server"'
$ sed -i 's|^\(JAVA_OPTS\s*=\s*\).*$|\1'"$JAVA_OPTS"'|' /etc/default/tomcat8
$ systemctl restart tomcat8
$ export JAVA_OPTS='"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server"'
$ sed -i 's|^\(JAVA_OPTS\s*=\s*\).*$|\1'"$JAVA_OPTS"'|' /etc/default/tomcat9
$ systemctl restart tomcat9
```
If Tomcat is started but AuthZForce webapp deployment fails, check for any webapp-specific error in log file: `$CATALINA_BASE/logs/authzforce-ce/error.log`
If Tomcat is started but AuthzForce webapp deployment fails, check for any webapp-specific error in log file: `$CATALINA_BASE/logs/authzforce-ce/error.log`
## More information
For more information, go to the [online documentation](http://authzforce-ce-fiware.readthedocs.io/en/) and select the version matching your software release at the bottom of the page.
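Review bot: the JAVA_OPTS example in this hunk widens `-Djavax.xml.accessExternalSchema` from `http` to `all`, which lets the JAXP schema loader fetch external schema locations over any protocol (`file`, `jar`, `ftp`, ...) for the entire Tomcat JVM, not just for AuthzForce; if `http` alone broke schema loading, list only the protocols actually needed (the property accepts a comma-separated list, e.g. `http,https,jar,file`) rather than `all`, and say in the text why the value changed. Second point in the same block: `-XX:+UseConcMarkSweepGC` was deprecated in JDK 9 and removed in JDK 14, so on a current JDK this exact line makes the JVM refuse to start, which is the very symptom this Troubleshooting section is meant to resolve; either drop the flag or note the JDK range it applies to.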
<?xml version="1.0" encoding="UTF-8"?>
<!-- Context used by Tomcat -->
<Context path="/authzforce-ce" docBase="/opt/${productId}/webapp">
<JarScanner scanClassPath="false">
<JarScanFilter defaultPluggabilityScan="false" defaultTldScan="false" />
</JarScanner>
<JarScanner scanClassPath="false">
<JarScanFilter defaultPluggabilityScan="false" defaultTldScan="false" />
</JarScanner>
<!-- Override <context-param>s in web.xml -->
<Parameter name="logbackConfigLocation" description="Logging configuration file" value="file:/opt/${productId}/conf/logback.xml" override="false" />
<!-- Override <context-param>s in web.xml -->
<Parameter name="logbackConfigLocation" description="Logging configuration file" value="file:/opt/${productId}/conf/logback.xml" override="false" />
<Parameter name="spring.profiles.active" description="application profiles: '+fastinfoset' to enable FastInfoset support, '-fastinfoset' to disable FastInfoset support" value="-fastinfoset"
override="false" />
<Parameter name="spring.profiles.active" description="application profiles: '+fastinfoset' to enable FastInfoset support, '-fastinfoset' to disable FastInfoset support" value="-fastinfoset"
override="false" />
<!-- <env-entry>s in web.xml do not override entries below iff override=false. -->
<Environment name="org.ow2.authzforce.config.dir" value="file:/opt/${productId}/conf" type="java.lang.String" override="false"
description="Configuration directory path that may contain \${...} placeholders, to be resolved as system properties: e.g. \${user.dir}. Default values can be supplied using the ':' separator between key and value (see org.springframework.util.SystemPropertyUtils class)" />
<!-- <env-entry>s in web.xml do not override entries below iff override=false. -->
<Environment name="org.ow2.authzforce.config.dir" value="file:/opt/${productId}/conf" type="java.lang.String" override="false"
description="Configuration directory path that may contain \${...} placeholders, to be resolved as system properties: e.g. \${user.dir}. Default values can be supplied using the ':' separator between key and value (see org.springframework.util.SystemPropertyUtils class)" />
<Environment name="org.ow2.authzforce.data.dir" value="file:/opt/${productId}/data" type="java.lang.String" override="false"
description="Data (e.g. data of domains created and managed by the API) directory path that may contain \${...} placeholders, to be resolved as system properties: e.g. \${user.dir}. Default values can be supplied using the ':' separator between key and value (see org.springframework.util.SystemPropertyUtils class)" />
<Environment name="org.ow2.authzforce.data.dir" value="file:/opt/${productId}/data" type="java.lang.String" override="false"
description="Data (e.g. data of domains created and managed by the API) directory path that may contain \${...} placeholders, to be resolved as system properties: e.g. \${user.dir}. Default values can be supplied using the ':' separator between key and value (see org.springframework.util.SystemPropertyUtils class)" />
<Environment name="org.ow2.authzforce.uuid.gen.randomMulticastAddressBased" value="false" type="java.lang.Boolean" override="false"
description="UUID generator option for domain IDs, set to true if and only if Authzforce deployed in dev environment that is disconnected from the network, i.e. no 'real' Ethernet address to use, set this JNDI variable to 'true' to initialize the UUID (variant 1) generator with a random multicast address instead." />
<Environment name="org.ow2.authzforce.uuid.gen.randomMulticastAddressBased" value="false" type="java.lang.Boolean" override="false"
description="UUID generator option for domain IDs, set to true if and only if Authzforce deployed in dev environment that is disconnected from the network, i.e. no 'real' Ethernet address to use, set this JNDI variable to 'true' to initialize the UUID (variant 1) generator with a random multicast address instead." />
<Environment name="org.ow2.authzforce.domains.sync.interval" value="0" type="java.lang.Integer" override="false"
description="Domains folder-to-memory synchronization interval (seconds); value 0 disables this feature." />
<Environment name="org.ow2.authzforce.domains.sync.interval" value="0" type="java.lang.Integer" override="false"
description="Domains folder-to-memory synchronization interval (seconds); value 0 disables this feature." />
<Environment name="org.ow2.authzforce.domains.enablePdpOnly" value="false" type="java.lang.Boolean" override="false"
description="Enable PDP only, i.e. disable all PAP (or other administration) features iff true" />
<Environment name="org.ow2.authzforce.domains.enablePdpOnly" value="false" type="java.lang.Boolean" override="false"
description="Enable PDP only, i.e. disable all PAP (or other administration) features iff true" />
<Environment name="org.ow2.authzforce.domains.enableXacmlJsonProfile" value="false" type="java.lang.Boolean" override="false"
description="Enable support for JSON Profile of XACML 3.0 on domains' PDP endpoints iff true" />
<Environment name="org.ow2.authzforce.domains.enableXacmlJsonProfile" value="true" type="java.lang.Boolean" override="false"
description="Enable support for JSON Profile of XACML 3.0 on domains' PDP endpoints iff true" />
<!-- <Environment name="org.ow2.authzforce.webapp.publishedEndpointUrl" value="http://localhost:8080" type="java.lang.Boolean" override="false" description="Base address specified in the auto-generated
WADL. This parameter allows setting the public URL that may not be the same as the URL the service is deployed on. (For example, the service is behind a proxy of some sort)." /> -->
<!-- <Environment name="org.ow2.authzforce.webapp.publishedEndpointUrl" value="http://localhost:8080" type="java.lang.Boolean" override="false" description="Base address specified in the auto-generated
WADL. This parameter allows setting the public URL that may not be the same as the URL the service is deployed on. (For example, the service is behind a proxy of some sort)." /> -->
<!-- <Environment name="org.ow2.authzforce.webapp.jsonKeysWithArrays" type="java.lang.String" override="false" description="Comma-separated list of JSON keys with values to be always serialized to JSON
arrays (even if single-valued). More info: http://cxf.apache.org/docs/jax-rs-data-bindings.html#JAX-RSDataBindings-DealingwithJettisonarrayserializationissues (serializeAsArray always true but no effect
if this property undefined or has empty value). The example here works for AuthzForce Manager GUI" value="link,PolicySet,PolicySetIdReference,Policy,PolicyIdReference,Rule,VariableDefinition,AnyOf,AllOf,Match,ObligationExpressions,AdviceExpressions,Obligations,AssociatedAdvice"
/> -->
<!-- <Environment name="org.ow2.authzforce.webapp.jsonKeysWithArrays" type="java.lang.String" override="false" description="Comma-separated list of JSON keys with values to be always serialized to JSON
arrays (even if single-valued). More info: http://cxf.apache.org/docs/jax-rs-data-bindings.html#JAX-RSDataBindings-DealingwithJettisonarrayserializationissues (serializeAsArray always true but no effect
if this property undefined or has empty value). The example here works for AuthzForce Manager GUI" value="link,PolicySet,PolicySetIdReference,Policy,PolicyIdReference,Rule,VariableDefinition,AnyOf,AllOf,Match,ObligationExpressions,AdviceExpressions,Obligations,AssociatedAdvice"
/> -->
<Environment name="org.ow2.authzforce.webapp.noNamespaceInJsonOutput" value="false" type="java.lang.Boolean" override="false"
description="Whether to drop all XML namespaces (JSON key prefixes) from JSON output in XML-to-JSON translation. Enable this for AuthzForce Manager GUI." />
<Environment name="org.ow2.authzforce.webapp.noNamespaceInJsonOutput" value="false" type="java.lang.Boolean" override="false"
description="Whether to drop all XML namespaces (JSON key prefixes) from JSON output in XML-to-JSON translation. Enable this for AuthzForce Manager GUI." />
<Environment name="org.ow2.authzforce.webapp.badReqErrVerbosity" value="1" type="java.lang.Integer" override="false" description="HTTP 400 Bad Request error message verbosity" />
</Context>
\ No newline at end of file
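Review bot: the new `org.ow2.authzforce.webapp.badReqErrVerbosity` entry on the last `<Environment>` line only says "HTTP 400 Bad Request error message verbosity": document the accepted values and what each level returns to the client, as every other entry in this file does, and add the caveat that higher levels echo parser and validation details back to API clients, so production deployments should stay at the low default. Two more points in this file: `org.ow2.authzforce.domains.enableXacmlJsonProfile` flips its default from `false` to `true`, turning the JSON Profile endpoints on for every domain after an upgrade, which is a behaviour change that belongs in the upgrade notes and not only in this template; and the commented-out `org.ow2.authzforce.webapp.publishedEndpointUrl` entry (pre-existing, but re-indented here) declares `type="java.lang.Boolean"` for a value that is a URL string, so Tomcat would hand the application a Boolean rather than the URL the moment someone uncomments it; it should be `java.lang.String`. Since most of this hunk is whitespace re-indentation, consider splitting that from the two functional changes so reviewers can see them.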
......@@ -4,21 +4,21 @@
<parent>
<groupId>org.ow2.authzforce</groupId>