All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions. We try to apply [Semantic Versioning](http://semver.org) with one particular rule: the version must be equal to or greater than the version of the _authzforce-ce-rest-api-model_ dependency (declared in _rest-service_ module's POM). Indeed, this dependency holds the resources of the REST API specification implemented by this project. Therefore, the rule helps relate a specific version of this project to the specific version of the REST API specification that is implemented/supported.
## 5.2.0
### Added
- REST API spec (authzforce-ce-rest-api-model) v5.1.0 support: enhanced management of PDP features, i.e. all supported features may be listed, and each feature may have a 'type' and an 'enabled' (true or false) state that can be updated via the API
- Supported PDP features by type:
- Type `urn:ow2:authzforce:feature-type:pdp:core` (PDP core engine features, as opposed to extensions below): `urn:ow2:authzforce:feature:pdp:core:xpath-eval` (experimental support for XACML AttributeSelector, xpathExpression datatype and xpath-node-count function), `urn:ow2:authzforce:feature:pdp:core:strict-attribute-issuer-match` (enable strict Attribute Issuer matching, i.e. AttributeDesignators without Issuer only match request Attributes with same AttributeId/Category but without Issuer)
- Type `urn:ow2:authzforce:feature-type:pdp:data-type`: any custom XACML Data type extension
- Type `urn:ow2:authzforce:feature-type:pdp:function`: any custom XACML function extension
- Type `urn:ow2:authzforce:feature-type:pdp:function-set`: any set of custom XACML function extensions
- Type `urn:ow2:authzforce:feature-type:pdp:combining-algorithm`: any custom XACML policy/rule combining algorithm extension
- Type `urn:ow2:authzforce:feature-type:pdp:request-filter`: any custom XACML request filter + native ones, i.e. `urn:ow2:authzforce:xacml:request-filter:default-lax` (default XACML Core-compliant Individual Decision Request filter), `urn:ow2:authzforce:xacml:request-filter:default-strict` (like previous one except duplicate <Attribute> in a <Attributes> is not allowed), `urn:ow2:authzforce:xacml:request-filter:multiple:repeated-attribute-categories-lax` (request filter implenting XACML profile `urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories`), `urn:ow2:authzforce:xacml:request-filter:multiple:repeated-attribute-categories-strict` (like previous one except duplicate <Attribute> in a <Attributes> is not allowed)
- Type `urn:ow2:authzforce:feature-type:pdp:result-filter`: any custom XACML Result filter extension
- Distribution upgrader now supporting all 4.x versions as old versions
## 5.1.2
### Added
- REST API features (see *Changed* section for API changes):
...
...
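Review bot: `implenting` in the `repeated-attribute-categories-lax` entry should be `implementing`, and the bare `<Attribute>` / `<Attributes>` in that same entry will be treated as HTML tags by the Markdown renderer and disappear from the rendered page, so wrap them in backticks. For the two `*-strict` request filters it would also help operators to state what the PDP returns when a duplicate `<Attribute>` is rejected, since "not allowed" alone does not tell a reader choosing strict over lax what behaviour change to expect.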
@@ -12,9 +27,9 @@ All notable changes to this project are documented in this file following the [K
- Fast Infoset support with new data representation type `application/fastinfoset` (in addition to `application/xml`) for all API payloads. Requires Authzforce Server to be started in a specific mode using [JavaEE Environment Entry](https://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Environment_Entries)`spring.profiles.active` in Tomcat-specific Authzforce webapp context file (`authzforce-ce.xml`). Default type remains `application/xml` (default type is used when a wildcard is received as Accept header value from the client)
- API caches domains' PDPs and externalIds for performance reasons, but it is now possible to force re-synchronizing this domain cache after any change to the backend domain repository, i.e. reloading domains' PDPs and externalIDs without restarting the webapp or server:
-`GET or HEAD /domains` forces re-synchronization of all domains
-`GET or HEAD /domain/{domainId}/properties` forces re-synchronization of externalId with domain properties file (properties.xml) in the domain directory
-`GET or HEAD /domain/{domainId}/pap/pdp.properties`; or `GET or HEAD /domain/{domainId}/pap/policies` forces re-synchronization of PDP with configuration file (`pdp.xml`) and policy files in subfolder `policies` of the domain directory
-`DELETE /domain/{domainId}` forces removal of the domain from cache, and the domain directory if it still exists (removes from cache only if directory already removed)
-`GET or HEAD /domains/{domainId}/properties` forces re-synchronization of externalId with domain properties file (properties.xml) in the domain directory
-`GET or HEAD /domains/{domainId}/pap/pdp.properties`; or `GET or HEAD /domains/{domainId}/pap/policies` forces re-synchronization of PDP with configuration file (`pdp.xml`) and policy files in subfolder `policies` of the domain directory
-`DELETE /domains/{domainId}` forces removal of the domain from cache, and the domain directory if it still exists (removes from cache only if directory already removed)
- Properties for controlling the size of incoming XML (`maxElementDepth`, `maxChildElements`, `maxAttributeCount`, `maxAttributeSize`, `maxTextLength`) corresponding to [CXF XML security properties](http://cxf.apache.org/docs/security.html#Security-XML) may be configured as [JavaEE Environment Entries](https://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Environment_Entries) in Tomcat-specific Authzforce webapp context file (`authzforce-ce.xml`). Only `maxElementDepth` and `maxChildElements` are supported in Fast Infoset mode (due to issue [CXF-6848](https://issues.apache.org/jira/browse/CXF-6848)).
- Completed 100% XACML 3.0 Core Specification compliance with support of Extended Indeterminate values in policy evaluation (XACML 3.0 Core specification, section 7.10-7.14, appendix C: combining algorithms)
- Distribution upgrader: tool to upgrade from Authzforce 4.2.0
...
...
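Review bot: the three resync entries change `/domain/{domainId}/...` to `/domains/{domainId}/...`, which is a URL change for any client built against the previous paths, yet the entries stay under *Added*; the rename belongs under the *Changed* section that the parent "REST API features" entry already points readers to. Two smaller points: the `spring.profiles.active` entry has no space after the `Environment_Entries)` link, which glues the link to the code span; and the entry on `maxElementDepth`, `maxChildElements`, `maxAttributeCount`, `maxAttributeSize` and `maxTextLength` says they "may be configured" but not which values apply when they are left unset, or whether any limit is enforced by default, which is exactly what an operator relying on them to bound incoming XML needs to know.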
@@ -85,6 +100,7 @@ All notable changes to this project are documented in this file following the [K
- Detection of circular references in Policy(Set)IdReferences or VariableReference
- Configurable max allowed depth of PolicySetIdReference or VariableReference
## 4.2.0
### Added
- Distribution as Debian package
...
...
@@ -93,6 +109,7 @@ All notable changes to this project are documented in this file following the [K
@@ -8,3 +8,6 @@ Server components and distribution of AuthZForce authorization service (FIWARE A
This project also provides the Reference Implementation (GEri) of [FIWARE](https://www.fiware.org)*Authorization PDP* Generic Enabler (GE). More info on the [FIWARE catalogue](http://catalogue.fiware.org/enablers/authorization-pdp-authzforce).
The manuals are available on [readthedocs.org](http://authzforce-ce-fiware.readthedocs.org/).
Note for contributers:
The sources for the manuals are located in [fiware repository](http://github.com/authzforce/fiware/doc).
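Review bot: `contributers` should be `contributors`, and there is a missing space between the `[FIWARE](https://www.fiware.org)` link and `*Authorization PDP*`, so the rendered sentence reads "FIWAREAuthorization PDP".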
<!-- Set timestamp property to be used in debian/changelog -->
<plugin>
<!--
Compute timestamp to be used in debian/changes.jdeb.txt
We cannot use Maven property 'maven.build.timestamp.format' because already used to compute 'currentYear' property inherited from authzforce-ce-parent, with a different format, so we use a plugin.
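Review bot: the two comments disagree on where the computed timestamp is used: the lead-in says "to be used in debian/changelog" while the inner comment says `debian/changes.jdeb.txt`; make them name the same file so the next reader knows which artifact the property feeds.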
This guide provides the procedure to install the AuthZForce server from the `tar.gz` distribution, including system requirements and troubleshooting instructions.
This guide provides the procedure to install the AuthZForce server from the tarball distribution, including system requirements and troubleshooting instructions.
## System Requirements
* CPU frequency: 2.6 GHz min
* CPU architecture: i686/x86_64
* RAM: 4GB min
* Disk space: 10 GB min
* File system: ext4
* Operating System: Ubuntu 14.04 LTS
* Java environment:
* JDK 7 either from OpenJDK or Oracle;
...
...
@@ -18,52 +18,59 @@ This guide provides the procedure to install the AuthZForce server from the `tar
## Installation
### Minimal
1. If you don't have a JDK 7 already installed, you may do it on the command-line as follows, depending on your JDK preference:
* If you prefer OpenJDK: `$ sudo aptitude install openjdk-7-jdk`
* If you prefer Oracle JDK, follow the instructions from [WEB UPD8](http://www.webupd8.org/2012/01/install-oracle-java-jdk-7-in-ubuntu-via.html). In the end, you should have the package `oracle-java7-installer` installed.
* If you prefer OpenJDK: `$ sudo aptitude install openjdk-7-jdk`
* If you prefer Oracle JDK, follow the instructions from [WEB UPD8](http://www.webupd8.org/2012/01/install-oracle-java-jdk-7-in-ubuntu-via.html). In the end, you should have the package `oracle-java7-installer` installed.
1. If you don't have Tomcat 7 already installed, you may do it on the command-line: `$ sudo aptitude install tomcat7`
1. Download AuthZForce server `tar.gz` distribution from the [Github project releases page](https://github.com/authzforce/server/releases/download/release-${project.version}/authzforce-ce-server-${project.version}.tar.gz>). You get a file called ``authzforce-ce-server-${project.version}.tar.gz``.
1. Download AuthZForce server tarball distribution from the [Maven Central Repository](http://repo1.maven.org/maven2/org/ow2/authzforce/authzforce-ce-server-dist/${project.version}/authzforce-ce-server-dist-${project.version}.tar.gz). You get a file called ``authzforce-ce-server-dist-${project.version}.tar.gz``.
1. Copy this file to the host where you want to install AuthZForce Server.
1. For security purposes, Tomcat should be run as an unprivileged user (i.e. not `root`). If you installed Tomcat as shown above, this user is `tomcat7`. Let us assume that `tomcat7` is the user (and group) that will run the Tomcat service in your case, and `/opt` is the directory where you want to install AuthZForce server. Please replace both names according to your setup. `$CATALINA_BASE` is a Tomcat environment-specific property, usually equal to `$CATALINA_HOME`, i.e. the root directory of your Tomcat installation ([more information](https://tomcat.apache.org/tomcat-7.0-doc/introduction.html)). If you installed Tomcat as shown above, `$CATALINA_BASE = /var/lib/tomcat7`. From the directory where you copied the `tar.gz` for installation, run the following commands:
1. For security purposes, Tomcat should be run as an unprivileged user (i.e. not `root`). If you installed Tomcat as shown above, this user is `tomcat7`. Let us assume that `tomcat7` is the user (and group) that will run the Tomcat service in your case, and `/opt` is the directory where you want to install AuthZForce server. Please replace both names according to your setup. `$CATALINA_BASE` is a Tomcat environment-specific property, usually equal to `$CATALINA_HOME`, i.e. the root directory of your Tomcat installation ([more information](https://tomcat.apache.org/tomcat-7.0-doc/introduction.html)). If you installed Tomcat as shown above, `$CATALINA_BASE = /var/lib/tomcat7`. From the directory where you copied the tarball for installation, run the following commands:
```shell
$ sudo tar xvzf authzforce-ce-server-${project.version}.tar.gz --directory /opt
1. If you did not use `/opt` as installation directory, replace **ALL** occurrences of `/opt` in the webapp context configuration file `authzforce-ce.xml` according to your setup.
1. You may restart Tomcat server now. For instance, if you installed Tomcat as shown above, do it as follows:
```shell
$ sudo service tomcat7 restart
```
**Known issue: lack of entropy may cause delays in Tomcat 7+ start up on virtual machines in particular: [more info on Entropy Source issue](https://wiki.apache.org/tomcat/HowTo/FasterStartUp#Entropy_Source). So beware.**
1. When the webapp is up and running, you should get a HTTP response with status code 200 to this HTTP request with curl tool (replace 8080 with the port that Tomcat is listening to):
```shell
$ curl --verbose--show-error--write-out'\n'--request GET http://localhost:8080/authzforce-ce/domains
```
Now you can start playing with the REST API as defined by the WADL document that you can retrieve with a wget command (will save the wadl to local file `authzforce.wadl`):
Tomcat default setup is not suitable for production! If you are targeting a production environment, you have to carry out extra installation and configuration steps to address non-functional aspects: security (including availability), performance, etc. For performance aspects, we strongly recommend reading and applying - when relevant - the guidelines from the following links:
-[Performance tuning best practices for VMware Apache Tomcat](http://kb.vmware.com/kb/2013486)
-[How to optimize Tomcat performance in production](http://www.genericarticles.com/mediawiki/index.php?title=How_to_optimize_tomcat_performance_in_production)
-[Apache Tomcat Tuning Guide for REST/HTTP APIs](https://javamaster.wordpress.com/2013/03/13/apache-tomcat-tuning-guide/)
-[Performance tuning best practices for VMware Apache Tomcat](http://kb.vmware.com/kb/2013486);
-[How to optimize Tomcat performance in production](http://www.genericarticles.com/mediawiki/index.php?title=How_to_optimize_tomcat_performance_in_production);
-[Apache Tomcat Tuning Guide for REST/HTTP APIs](https://javamaster.wordpress.com/2013/03/13/apache-tomcat-tuning-guide/).
Last but not least, please check the *More information* section below.
## Troubleshooting
If Tomcat fails to (re)start, check for any Tomcat high-level error in Tomcat log directory: `$CATALINA_BASE/logs`.
One common reason for failure is Tomcat default configuration may specify a value for the Java `Xmx` flag that is too low for the AuthZForce webapp. Make sure Tomcat is configured with `Xmx` at 1GB or more, 2 GB recommended. For example, in the official Tomcat package for Ubuntu 12.04, Xmx used to be 128m. You can fix this parameter as follows:
If Tomcat is started but AuthZForce webapp deployment fails, check for any webapp-specific error in log file: `$CATALINA_BASE/logs/authzforce-ce/error.log`
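Review bot: the extraction step `sudo tar xvzf authzforce-ce-server-${project.version}.tar.gz --directory /opt` still uses the old file name, while the new download step says the file is called `authzforce-ce-server-dist-${project.version}.tar.gz`; update the tar command to match or the step fails with a missing file. The `shell` fence opened before that tar command is never closed, so everything down to the `service tomcat7 restart` block renders as code. The new Maven Central link is plain `http://`; use `https://repo1.maven.org/...` and add a step that checks the downloaded tarball against the `.sha1` (or `.asc`) file Maven Central publishes next to the artifact before it is unpacked as root into `/opt`. Smaller fixes: the curl check is missing spaces between options (`--verbose--show-error--write-out'\n'--request`), the three tuning links have no space after `-` so they do not render as a list, the troubleshooting section cites the Ubuntu 12.04 Tomcat package while the requirements list Ubuntu 14.04 LTS, and both "retrieve with a wget command" and "You can fix this parameter as follows:" announce a command that is not shown.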