Commit 99082294 authored by cdanger's avatar cdanger

Merge branch 'release/5.1.2'

parents d94c8ac4 7358cb5f
# Change log
All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions.
All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions. We try to apply [Semantic Versioning](http://semver.org) with one particular rule: the version must be equal to or greater than the version of the _authzforce-ce-rest-api-model_ dependency (declared in _rest-service_ module's POM). Indeed, this dependency holds the resources of the REST API specification implemented by this project. Therefore, the rule helps relate a specific version of this project to the specific version of the REST API specification that is implemented/supported.
## 5.1.2
### Added
- REST API features (see *Changed* section for API changes):
- URL path specific to PDP properties:
- `GET /domains/{domainId}/pap/pdp.properties` gives properties of the PDP, including date/time of last modification and active/applicable policies (root policy and policies referenced directly/indirectly from root)
- `PUT /domains/{domainId}/pap/pdp.properties` also allows to set PDP's root policy reference and enable PDP implementation-specific features, such as Multiple Decision Profile support (scheme 2.3 - repeated attribute categories)
- URL path specific to PRP (Policy Repository Point) properties: `GET or PUT /domains/{domainId}/pap/prp.properties`: set/get properties `maxPolicyCount` (maximum number of policies), `maxVersionCount` (maximum number of versions per policy), `versionRollingEnabled` (enable policy version rolling, i.e. oldest versions auto-removed when the number of versions of a policy is about to exceed `maxVersionCount`)
- Special keyword `latest` usable as version ID pointing to the latest version of a given policy (in addition to XACML version IDs like before), e.g. URL path `/domains/{domainId}/pap/policies/P1/latest` points to the latest version of the policy `P1`
- Fast Infoset support with new data representation type `application/fastinfoset` (in addition to `application/xml`) for all API payloads. Requires Authzforce Server to be started in a specific mode using [JavaEE Environment Entry](https://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Environment_Entries) `spring.profiles.active` in Tomcat-specific Authzforce webapp context file (`authzforce-ce.xml`). Default type remains `application/xml` (default type is used when a wildcard is received as Accept header value from the client)
- API caches domains' PDPs and externalIds for performance reasons, but it is now possible to force re-synchronizing this domain cache after any change to the backend domain repository, i.e. reloading domains' PDPs and externalIDs without restarting the webapp or server:
- `GET or HEAD /domains` forces re-synchronization of all domains
- `GET or HEAD /domain/{domainId}/properties` forces re-synchronization of externalId with domain properties file (properties.xml) in the domain directory
- `GET or HEAD /domain/{domainId}/pap/pdp.properties`; or `GET or HEAD /domain/{domainId}/pap/policies` forces re-synchronization of PDP with configuration file (`pdp.xml`) and policy files in subfolder `policies` of the domain directory
- `DELETE /domain/{domainId}` forces removal of the domain from cache, and the domain directory if it still exists (removes from cache only if directory already removed)
- Properties for controlling the size of incoming XML (`maxElementDepth`, `maxChildElements`, `maxAttributeCount`, `maxAttributeSize`, `maxTextLength`) corresponding to [CXF XML security properties](http://cxf.apache.org/docs/security.html#Security-XML) may be configured as [JavaEE Environment Entries](https://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Environment_Entries) in Tomcat-specific Authzforce webapp context file (`authzforce-ce.xml`). Only `maxElementDepth` and `maxChildElements` are supported in Fast Infoset mode (due to issue [CXF-6848](https://issues.apache.org/jira/browse/CXF-6848)).
- Completed 100% XACML 3.0 Core Specification compliance with support of Extended Indeterminate values in policy evaluation (XACML 3.0 Core specification, section 7.10-7.14, appendix C: combining algorithms)
- Distribution upgrader: tool to upgrade from Authzforce 4.2.0
### Changed
- Supported REST API model (authzforce-ce-rest-api-model) upgraded to **v5.1.1** with following changes:
- PDP's root policy reference set via method `PUT /domains/{domainId}/pap/pdp.properties` (instead of `PUT /domains/{domainId}/properties` in previous version)
- URL path `/domains/{domainId}/pap/attribute.providers` replaces `/domains/{domainId}/pap/attributeProviders` from previous version, in order to apply better practices of REST API design (case-insensitive URLs) and to be consistent with new API paths `pdp.properties` and `prp.properties` (see *Added* section)
- Multiple Decision Profile disabled by default after domain creation (enabled by default in previous version)
- Backend flat-file database (DAO):
- Format of `properties.xml` (domain properties): XML namespace changed to `http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6` (instead of `http://authzforce.github.io/pap-dao-file/xmlns/properties/3.6` in previous version)
- Format of `pdp.xml` (PDP): XML schema/namespace of PDP PolicyProvider configuration changed to `http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6` (instead of `http://authzforce.github.io/pap-dao-file/xmlns/pdp-ext/3.6` in previous version)
- Strategy for synchronizing cached domain's PDP and externalId-to-domain mapping with configuration files: no longer using Java WatchService (not adapted to NFS or CIFS shares), but each domain has a specific thread polling files in the domain directory's and checking their `lastModifiedTime` attribute for change:
- If a given domain ID is requested and no matching domain in cache, but a matching domain directory is found, the domain is automatically synced to cache and the synchronizing thread created;
- If the domain's directory found missing by the synchronizing thread, the thread deletes the domain from cache.
- If any change to `properties.xml` (domain description, externalId) detected, externalId updated in cache
- If any change to `pdp.xml` or the file of any policy used by the PDP, the PDP is reloaded.
- ZIP distribution format (`.zip`) changed to tarball format (`.tar.gz`), more suitable for Unix/Linux environments.
### Removed
- Dependency on commons-io, replaced with Java 7 java.nio.file API for recursive directory copy/deletion
### Fixed
- Github #1: deleted domain ID still returned by GET /domains?externalId=...
- FIWARE JIRA [SEC-870](https://jira.fiware.org/browse/SEC-870): Debian/Ubuntu package dependencies: `java7-jdk` replaced with `openjdk-7-jdk | oracle-java7-installer`
- Policy versions returned in wrong order by API
## 4.4.1
### Changed
- Default domain rootPolicyRef no longer has 'Version' specified so that the root policy is always the latest version added via the PAP (by default).
### Fixed
- Hidding file paths from error messages
- Hiding file paths from error messages returned by the REST API
## 4.4.0
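Review bot: the entry on XML size limits states that only `maxElementDepth` and `maxChildElements` apply in Fast Infoset mode but does not say what that means for operators: `maxAttributeCount`, `maxAttributeSize` and `maxTextLength` are then not enforced on `application/fastinfoset` payloads, so the bounds on incoming XML are partly lost once the `spring.profiles.active` entry enabling Fast Infoset is set. Suggest adding a sentence stating that trade-off next to the CXF-6848 reference. In the synchronization-strategy item, polling `lastModifiedTime` alone cannot detect a rewrite that lands within the filesystem's timestamp resolution; worth documenting as a known limitation of the new polling thread.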
......@@ -28,7 +70,7 @@ All notable changes to this project are documented in this file following the [K
1. OR: If at least 1 True arg, then True regardless of Indeterminate args; else if at least 1 Indeterminate, return Indeterminate; else false.
1. AND: If at least 1 False arg, then False regardless of Indeterminate args; else if at least 1 Indeterminate, then Indeterminate; else True.
1. N-OF: similar to OR but checking whether at least N args are True instead of 1, in the remaining arguments; else there is/are n True(s) with n < N; if there are at least (N-n) Indeterminate, return Indeterminate; else return false.
- Global configuration properties: max number of policies per domain, max number of versions per domain
- Global configuration properties: max number of policies per domain, max number of versions per policy
- Distribution as WAR
### Changed
......
# AuthZForce Server
[![License badge](https://img.shields.io/badge/license-GPL-blue.svg)](https://opensource.org/licenses/GPL-3.0)
[![Documentation badge](https://readthedocs.org/projects/authzforce-ce-fiware/badge/?version=release-4.4.1d)](http://authzforce-ce-fiware.readthedocs.io/en/release-4.4.1d/?badge=release-4.4.1d)
[![Docker badge](https://img.shields.io/docker/pulls/fiware/authzforce-ce-server.svg)](https://hub.docker.com/r/fiware/authzforce-ce-server/)
[![Support badge]( https://img.shields.io/badge/support-ask.fiware.org-yellowgreen.svg)](https://ask.fiware.org/questions/scope:all/sort:activity-desc/tags:authzforce/)
Server components and distribution of AuthZForce authorization service (FIWARE Authorization PDP GEri).
This project also provides the Reference Implementation (GEri) of [FIWARE](https://www.fiware.org) *Authorization PDP* Generic Enabler (GE). More info on the [FIWARE catalogue](http://catalogue.fiware.org/enablers/authorization-pdp-authzforce).
The manuals are available on [readthedocs.org](http://authzforce-ce-fiware.readthedocs.org/).
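Review bot: the documentation badge and its link still point at `release-4.4.1d` (`?version=release-4.4.1d`, `/en/release-4.4.1d/`) while this merge releases 5.1.2; update both to the new release tag so the README does not advertise manuals for the previous API version.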
/.settings/
/.classpath
/.project
/CHANGES.txt
......@@ -44,7 +44,7 @@
My comment: if you run the command with strace, you will actually see that it is trying to read bytes from /dev/random, one by one in order to create a 64-bytes base64-encoded string (therefore reading bytes until it has 64 of them) -> 64*64=4096 bit (+ a newline character).
if you are on a master, say ubuntu199.theresis.org, and master-slave config with ubuntu200.theresis.org as slave...
if you are on a master, say ubuntu199.example.org, and master-slave config with ubuntu200.example.org as slave...
Edit /etc/csync2.cfg and update as below (use brackets '()' for slave hosts):
****
# please see the README file how to configure csync2
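Review bot: the bit count in the `/dev/random` comment does not add up: 64 characters taken from a base64 alphabet carry at most 6 bits each, about 384 bits of key material, not 64*64 = 4096 bits. Reword so readers do not overestimate the strength of the generated pre-shared key (384 bits is still ample for this purpose).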
......@@ -52,11 +52,11 @@
group taz {
# use bracket for slave hosts
host ubuntu199.theresis.org (ubuntu200.theresis.org);
host ubuntu199.example.org (ubuntu200.example.org);
#pre-shared group authentication key
key /etc/csync2.key;
# Monitored pattern path
include /home/theresis/;
include /home/example/;
# Action when change
action {
# For some reason, it can happen that "%%" will list all files changed since first sync after last csync2 daemon started, not only the last changes (during last sync)
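Review bot: the config documents `key /etc/csync2.key` as the pre-shared group authentication key but says nothing about protecting it; add a line that the file must be owned by root and readable only by root (mode 0600), must be identical on every host listed in `group taz`, and should be distributed to the slave hosts over an authenticated channel rather than through the synchronization it protects.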
......@@ -90,14 +90,14 @@
... to clean the database, before you retry sync
The lastchangedfiles will look like this (whitespace-separated list of absolute paths): (only changed files during last sync in there, previous list overwritten, no append):
theresis@sp:~$ cat lastchangedfiles.log
/home/theresis/csync2testdir/test5.txt /home/theresis/csync2testdir/test4dir/test.txt /home/theresis/csync2testdir/test4dir /home/theresis/csync2testdir/test3.txt
example@sp:~$ cat lastchangedfiles.log
/home/example/csync2testdir/test5.txt /home/example/csync2testdir/test4dir/test.txt /home/example/csync2testdir/test4dir /home/example/csync2testdir/test3.txt
TODO: test deleted file
If you use whitespaces in filenames, it will end like this in lastchangefiles.log:
theresis@sp:~$ cat lastchangedfiles.log
/home/theresis/csync2testdir/test%20with%20whitespace.txt
example@sp:~$ cat lastchangedfiles.log
/home/example/csync2testdir/test%20with%20whitespace.txt
-> URL-encoded (%-encoded)
......@@ -107,19 +107,18 @@
*/1 * * * * csync2 -x >/dev/null 2>&1
Once saved, Csync2 will run once per 1 minute, check, synchronize and restart your service if required automatically.
============
-TESTING (showing /var/log/syslog output)-
== SAMPLE TESTING OUTPUT (showing /var/log/syslog output) ==
1) update domain2/policyset.xml, creating domain5, delete domain 4
Nov 30 16:28:42 kyrill-old-desktop-pc csync2 taz update: /home/cdangerv/XIFI/domains/domain5/policySet.xml /home/cdangerv/XIFI/domains/domain5/pdp.xml /home/cdangerv/XIFI/domains/domain5 /home/cdangerv/XIFI/domains/domain2/policySet.xml /home/cdangerv/XIFI/domains/domain4 /home/cdangerv/XIFI/domains/domain4/pdp.xml /home/cdangerv/XIFI/domains/domain4/policySet.xml
... csync2 taz update: /home/example/XIFI/domains/domain5/policySet.xml /home/example/XIFI/domains/domain5/pdp.xml /home/example/XIFI/domains/domain5 /home/example/XIFI/domains/domain2/policySet.xml /home/example/XIFI/domains/domain4 /home/example/XIFI/domains/domain4/pdp.xml /home/example/XIFI/domains/domain4/policySet.xml
2) update domain2/policyset.xml and domain2/pdp.xml
Nov 30 16:32:09 kyrill-old-desktop-pc csync2 taz update: /home/cdangerv/XIFI/domains/domain2/policySet.xml /home/cdangerv/XIFI/domains/domain2/pdp.xml
... csync2 taz update: /home/example/XIFI/domains/domain2/policySet.xml /home/example/XIFI/domains/domain2/pdp.xml
3) delete domain5
Nov 30 16:33:57 kyrill-old-desktop-pc csync2 update:: /home/cdangerv/XIFI/domains/domain5 /home/cdangerv/XIFI/domains/domain5/pdp.xml /home/cdangerv/XIFI/domains/domain5/policySet.xml
... csync2 update:: /home/example/XIFI/domains/domain5 /home/example/XIFI/domains/domain5/pdp.xml /home/example/XIFI/domains/domain5/policySet.xml
4) create domain3:
Nov 30 16:35:17 kyrill-old-desktop-pc csync2 update:: /home/cdangerv/XIFI/domains/domain3/policySet.xml /home/cdangerv/XIFI/domains/domain3/pdp.xml /home/cdangerv/XIFI/domains/domain3
... csync2 update:: /home/example/XIFI/domains/domain3/policySet.xml /home/example/XIFI/domains/domain3/pdp.xml /home/example/XIFI/domains/domain3
\ No newline at end of file
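Review bot: the cron line `*/1 * * * * csync2 -x >/dev/null 2>&1` discards all output, so a failing or conflicting sync (the situation the database-cleanup step above is written for) goes unnoticed; either keep stderr (for example `2>>/var/log/csync2-cron.log`) or state explicitly that csync2's own syslog messages, as in the sample output below, are where failures will show up.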
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-server</artifactId>
<version>4.4.1</version>
<version>5.1.2</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-server-dist</artifactId>
......@@ -14,6 +14,9 @@
<properties>
<productName>${project.parent.artifactId}</productName>
<productMaintainer>Thales Services SAS</productMaintainer>
<!-- Timestamp to be used in debian/changes.jdeb.txt -->
<maven.build.timestamp.format>HH:mm dd.MM.yyyy</maven.build.timestamp.format>
<jdeb.changelog.timestamp>${maven.build.timestamp}</jdeb.changelog.timestamp>
</properties>
<url>https://github.com/authzforce/server/dist</url>
<scm>
......@@ -33,16 +36,46 @@
<build>
<finalName>${productName}-${project.version}</finalName>
<resources>
<!-- Replace variable 'productName' in some source files. The result goes to ${project.build.directory}. -->
<!-- Replace variable 'productName' and 'project.version' in some source files. The result goes to ${project.build.directory}. -->
<resource>
<directory>src</directory>
<filtering>true</filtering>
<includes>
<include>webapp-context.xml</include>
<include>debian/changelog</include>
<include>debian/changes.jdeb.txt</include>
<include>tar/README.md</include>
</includes>
</resource>
</resources>
<plugins>
<plugin>
<!-- Set timestamp property to be used in debian/changelog -->
<groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId>
<version>1.10</version>
<executions>
<execution>
<id>timestamp-property</id>
<goals>
<goal>timestamp-property</goal>
</goals>
<configuration>
<name>debian.changelog.timestamp</name>
<locale>en,US</locale>
<pattern>E, dd MMM yyyy HH:mm:ss Z</pattern>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
<version>2.7</version>
<configuration>
<escapeString>\</escapeString>
</configuration>
</plugin>
<plugin>
<artifactId>maven-assembly-plugin</artifactId>
<executions>
......@@ -62,28 +95,6 @@
</execution>
</executions>
</plugin>
<plugin>
<!-- Compress debian package changelog using gzip to comply with Debian Policy -->
<groupId>net.alchim31.maven</groupId>
<artifactId>yuicompressor-maven-plugin</artifactId>
<version>1.3.0</version>
<executions>
<execution>
<goals>
<goal>compress</goal>
</goals>
</execution>
</executions>
<configuration>
<gzip>true</gzip>
<nosuffix>true</nosuffix>
<outputDirectory>${project.build.directory}</outputDirectory>
<sourceDirectory>src/debian</sourceDirectory>
<includes>
<include>changelog</include>
</includes>
</configuration>
</plugin>
<plugin>
<artifactId>jdeb</artifactId>
<groupId>org.vafer</groupId>
......@@ -98,17 +109,17 @@
<verbose>true</verbose>
<snapshotExpand>true</snapshotExpand>
<deb>${project.build.directory}/${productName}_${project.version}_all.deb</deb>
<changesIn>${project.build.outputDirectory}/debian/changes.jdeb.txt</changesIn>
<changesOut>${project.build.directory}/${productName}_${project.version}_all.changes</changesOut>
<!-- expand "SNAPSHOT" to what is in the "USER" env variable. Expanded to timestamp by default. -->
<!-- <snapshotEnv>USER</snapshotEnv> -->
<!-- In control files, you can use any variable defined by initializeVariableResolver(...) method in https://github.com/tcurdt/jdeb/blob/master/src/main/java/org/vafer/jdeb/maven/DebMojo.java Surround
the variable name with double square brackets "[[" "]]" to have it replaced by the variable value. -->
<!-- In control files, you can use any variable defined by initializeVariableResolver(...) method in https://github.com/tcurdt/jdeb/blob/master/src/main/java/org/vafer/jdeb/maven/DebMojo.java Surround the variable name with double square brackets "[[" "]]" to have it replaced by the variable value. -->
<controlDir>${project.basedir}/src/debian/control</controlDir>
<dataSet>
<data>
<!-- lintian will complain changelog-not-compressed-with-max-compression changelog.gz Fix to come: https://github.com/tcurdt/jdeb/issues/157 -->
<src>${project.build.directory}/changelog.gz</src>
<dst>/usr/share/doc/${productName}/changelog.gz</dst>
<!-- lintian will complain changelog-not-compressed-with-max-compression . Fix to come: https://github.com/tcurdt/jdeb/issues/157 -->
<src>${project.build.outputDirectory}/debian/changelog</src>
<dst>/usr/share/doc/${productName}/changelog</dst>
<type>file</type>
</data>
<data>
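Review bot: the comment on the changelog `<data>` entry still talks about compression (`changelog-not-compressed-with-max-compression`) even though the entry now ships the changelog uncompressed (`src` is `${project.build.outputDirectory}/debian/changelog`, `dst` is `/usr/share/doc/${productName}/changelog`) and the yuicompressor gzip step was removed in the hunk above; update the comment to describe the lintian finding an uncompressed changelog actually produces, or restore the compression step.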
......@@ -138,7 +149,7 @@
</data>
<data>
<!-- WAR deployed to Tomcat -->
<src>${project.build.directory}/${project.build.finalName}.zip</src>
<src>${project.build.directory}/${project.build.finalName}.tar.gz</src>
<type>archive</type>
<includes>${project.build.finalName}/webapp/**</includes>
<missingSrc>fail</missingSrc>
......@@ -170,34 +181,5 @@
</executions>
</plugin>
</plugins>
<pluginManagement>
<plugins>
<!--This plugin's configuration is used to store Eclipse m2e settings only. It has no influence on the Maven build itself. -->
<plugin>
<groupId>org.eclipse.m2e</groupId>
<artifactId>lifecycle-mapping</artifactId>
<version>1.0.0</version>
<configuration>
<lifecycleMappingMetadata>
<pluginExecutions>
<pluginExecution>
<pluginExecutionFilter>
<groupId>net.alchim31.maven</groupId>
<artifactId>yuicompressor-maven-plugin</artifactId>
<versionRange>[1.3.0,)</versionRange>
<goals>
<goal>compress</goal>
</goals>
</pluginExecutionFilter>
<action>
<ignore />
</action>
</pluginExecution>
</pluginExecutions>
</lifecycleMappingMetadata>
</configuration>
</plugin>
</plugins>
</pluginManagement>
</build>
</project>
\ No newline at end of file
</project>
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://thalesgroup.com/authzforce/model/3.0"
xmlns:tns="http://thalesgroup.com/authzforce/model/3.0" elementFormDefault="qualified"
attributeFormDefault="unqualified">
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://authzforce.github.io/rest-api-model/xmlns/authzforce/ext" xmlns:tns="http://authzforce.github.io/rest-api-model/xmlns/authzforce/ext" elementFormDefault="qualified" attributeFormDefault="unqualified" version="4.0">
<xs:annotation>
<xs:documentation xml:lang="en">
Thales Authorization Service extensions to Data Model
for RESTful Authorization API. To be customized for your own instance of the Authzforce webapp,
with the extensions that you want to enable such as PDP attribute finders, policy finders, etc.
The value
of 'schemaLocation' attribute without the '.xsd' extension must
match the name of a valid fully
qualified Java class available on the classpath.
This schema is used to import schemas of all extensions that may be configured via the API.
Schemas of enabled AuthZForce extensions, such as attribute providers.
</xs:documentation>
</xs:annotation>
<!-- Extension for file-based PAP DAO root/ref policy providers -->
<xs:import namespace="http://authzforce.github.io/pap-dao-file/xmlns/pdp-ext/3.6"/>
<xs:import namespace="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6" />
</xs:schema>
\ No newline at end of file
......@@ -7,5 +7,5 @@
<system systemId="authzforce-ext.xsd" uri="classpath:authzforce-ext.xsd"/>
<!-- PDP Extensions -->
<uri name="http://authzforce.github.io/pap-dao-file/xmlns/pdp-ext/3.6" uri="classpath:org.ow2.authzforce.pap.dao.file.pdp-ext.xsd"/>
<uri name="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6" uri="classpath:org.ow2.authzforce.pap.dao.flatfile.pdp-ext.xsd"/>
</catalog>
<pdp
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://authzforce.github.io/core/xmlns/pdp/3.6"
xmlns:pap-dao="http://authzforce.github.io/pap-dao-file/xmlns/pdp-ext/3.6"
version="3.6.1"
maxVariableRefDepth="1"
maxPolicyRefDepth="10"
requestFilter="urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories-lax">
xmlns:pap-dao="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6"
version="3.6.4"
maxVariableRefDepth="10"
maxPolicyRefDepth="10"
strictAttributeIssuerMatch="false"
requestFilter="urn:ow2:authzforce:xacml:request-filter:default-lax">
<!-- Replace with requestFilter = "urn:ow2:authzforce:xacml:request-filter:multiple:repeated-attribute-categories-lax" for Multiple Decision Profile support. -->
<!-- You may customize this PDP configuration except 'rootPolicyProvider' and 'refPolicyProvider' elements. -->
<!-- policyLocation must start with ${PARENT_DIR}/ and end with: /*SUFFIX (* is expanded to base64url(policyId)/policyVersion) -->
<refPolicyProvider
id="refPolicyProvider"
xsi:type="pap-dao:StaticFileBasedDAORefPolicyProvider"
xsi:type="pap-dao:StaticFlatFileDAORefPolicyProvider"
policyLocationPattern="${PARENT_DIR}/policies/*.xml" />
<rootPolicyProvider
id="rootPolicyProvider"
......
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<domainProperties xmlns="http://authzforce.github.io/pap-dao-file/xmlns/properties/3.6" />
\ No newline at end of file
<domainProperties
xmlns="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6"
maxPolicyCount="10" maxVersionCountPerPolicy="10"
versionRollingEnabled="true" />
\ No newline at end of file
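Review bot: the attribute here is named `maxVersionCountPerPolicy`, but the CHANGELOG entry for the new `prp.properties` endpoint in this same commit calls the property `maxVersionCount`; align the two, since the changelog is what operators will read when they use the API. Also, with `versionRollingEnabled="true"` this template silently removes the oldest version of a policy once `maxVersionCountPerPolicy` is reached; a comment in the template saying so would help anyone who pins policy references to a specific version.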
......@@ -14,8 +14,7 @@
<pattern>%date{ISO8601} %-5level [%thread] %logger:%line: %msg%n</pattern>
</encoder>
</appender>
<!-- Change log directory according to your deployment container. Examples below for Tomcat. For Glassfish:
${com.sun.aas.instanceRoot}/logs -->
<!-- Change log directory according to your deployment container. Examples below for Tomcat. For Glassfish: ${com.sun.aas.instanceRoot}/logs -->
<appender name="error" class="ch.qos.logback.core.rolling.RollingFileAppender">
<!--See also http://logback.qos.ch/manual/appenders.html#RollingFileAppender -->
<File>${catalina.base}/logs/authzforce-ce/error.log</File>
......@@ -30,56 +29,48 @@
<MaxFileSize>100KB</MaxFileSize>
</triggeringPolicy>
</appender>
<!-- Enable 'access' appender only if you need application-level access logging -->
<!-- <appender name="access" class="ch.qos.logback.core.rolling.RollingFileAppender"> -->
<!-- <File>${catalina.base}/logs/authzforce-ce/access.log</File> -->
<!-- <encoder> -->
<!-- <pattern>%date{ISO8601}|%msg|%n</pattern> -->
<!-- </encoder> -->
<!-- <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy"> -->
<!-- <maxIndex>1</maxIndex> -->
<!-- <FileNamePattern>${catalina.base}/logs/authzforce-ce/access.log.%i</FileNamePattern> -->
<!-- </rollingPolicy> -->
<!-- <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy"> -->
<!-- <MaxFileSize>100KB</MaxFileSize> -->
<!-- </triggeringPolicy> -->
<!-- </appender> -->
<!--
<appender name="accessAsync" class="ch.qos.logback.classic.AsyncAppender">
<appender-ref ref="access" />
</appender>
-->
<!--
Dumping HTTP requests and response with their headers for access logging
More info: http://blog.xebia.fr/2013/10/10/logs-daudit-pour-les-services-rest/
Use "accessAsync" appender for better performance (asynchronous logging)
-->
<!-- <logger name="RequestLoggerFilter.request" level="DEBUG" additivity="false"> -->
<!-- <appender-ref ref="access"/> -->
<!-- </logger> -->
<!-- <logger name="RequestLoggerFilter.response" level="DEBUG" additivity="false"> -->
<!-- <appender-ref ref="access"/> -->
<!-- </logger> -->
<!-- <logger name="RequestLoggerFilter.headers" level="INFO" additivity="false"> -->
<!-- <appender-ref ref="access"/> -->
<!-- </logger> -->
<!-- <appender name="access" class="ch.qos.logback.core.rolling.RollingFileAppender"> -->
<!-- <File>${catalina.base}/logs/authzforce-ce/access.log</File> -->
<!-- <encoder> -->
<!-- <pattern>%date{ISO8601}|%msg|%n</pattern> -->
<!-- </encoder> -->
<!-- <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy"> -->
<!-- <maxIndex>1</maxIndex> -->
<!-- <FileNamePattern>${catalina.base}/logs/authzforce-ce/access.log.%i</FileNamePattern> -->
<!-- </rollingPolicy> -->
<!-- <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy"> -->
<!-- <MaxFileSize>100KB</MaxFileSize> -->
<!-- </triggeringPolicy> -->
<!-- </appender> -->
<!-- <appender name="accessAsync" class="ch.qos.logback.classic.AsyncAppender"> <appender-ref ref="access" /> </appender> -->
<!-- Dumping HTTP requests and response with their headers for access logging. More info: http://blog.xebia.fr/2013/10/10/logs-daudit-pour-les-services-rest/ Use "accessAsync" appender for better performance (asynchronous logging) -->
<!-- <logger name="RequestLoggerFilter.request" level="DEBUG" additivity="false"> -->
<!-- <appender-ref ref="access"/> -->
<!-- </logger> -->
<!-- <logger name="RequestLoggerFilter.response" level="DEBUG" additivity="false"> -->
<!-- <appender-ref ref="access"/> -->
<!-- </logger> -->
<!-- <logger name="RequestLoggerFilter.headers" level="INFO" additivity="false"> -->
<!-- <appender-ref ref="access"/> -->
<!-- </logger> -->
<logger name="com.sun.xacml" additivity="false" level="WARN">
<appender-ref ref="error" />
</logger>
<logger name="org.ow2.authzforce" additivity="false" level="WARN">
<appender-ref ref="error" />
</logger>
<!-- HTTP/JAX-RS/SOAP request/response debugging -->
<!-- For logging request/response to/from webapp, only logger "org.apache.cxf" in level INFO is required,
and you must add CXF org.apache.cxf.interceptor.LoggingInInterceptor/LoggingOutInterceptor to JAX-RS
server's in/outInterceptors -->
<logger name="com.thalesgroup" additivity="false" level="WARN">
<appender-ref ref="error" />
</logger>
<!-- HTTP/JAX-RS/SOAP request/response debugging -->
<!-- For logging request/response to/from webapp, only logger "org.apache.cxf" in level INFO is required, and you must add CXF org.apache.cxf.interceptor.LoggingInInterceptor/LoggingOutInterceptor to JAX-RS server's in/outInterceptors -->
<!-- <logger name="org.apache.cxf" additivity="false" level="WARN"> <appender-ref ref="error" /> </logger> -->
<!-- <logger name="org.apache.http" additivity="false" level="DEBUG"> <appender-ref ref="error" /> </logger> <logger name="org.apache.http.wire"
level="ERROR"> <appender-ref ref="error" /> </logger> -->
<!-- <logger name="org.apache.http" additivity="false" level="DEBUG"> <appender-ref ref="error" /> </logger> <logger name="org.apache.http.wire" level="ERROR"> <appender-ref ref="error" /> </logger> -->
<root level="WARN">
<appender-ref ref="error" />
</root>
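Review bot: the `access` appender and the `RequestLoggerFilter.*` loggers remain commented out, and the root logger only writes WARN and above to `error.log`, so a default deployment keeps no record of who created, changed or deleted domains and policies through the PAP API; the comment should say this plainly and recommend enabling the `accessAsync` appender for production deployments where an audit trail of administrative changes is needed.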
......
<pdp
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://authzforce.github.io/core/xmlns/pdp/3.6"
xmlns:pap-dao="http://authzforce.github.io/pap-dao-file/xmlns/pdp-ext/3.6"
version="3.6.1"
maxVariableRefDepth="1"
maxPolicyRefDepth="10"
requestFilter="urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories-lax">
xmlns:pap-dao="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6"
version="3.6.4"
maxPolicyRefDepth="10"
strictAttributeIssuerMatch="false"
requestFilter="urn:ow2:authzforce:xacml:request-filter:default-lax">
<!-- Replace with requestFilter = "urn:ow2:authzforce:xacml:request-filter:multiple:repeated-attribute-categories-lax" for Multiple Decision Profile support. -->
<!-- You may customize this PDP configuration except 'rootPolicyProvider' and 'refPolicyProvider' elements. -->
<!-- policyLocation must start with ${PARENT_DIR}/ and end with: /*SUFFIX (* is expanded to base64url(policyId)/policyVersion) -->
<refPolicyProvider
id="refPolicyProvider"
xsi:type="pap-dao:StaticFileBasedDAORefPolicyProvider"
xsi:type="pap-dao:StaticFlatFileDAORefPolicyProvider"
policyLocationPattern="${PARENT_DIR}/policies/*.xml" />
<rootPolicyProvider
id="rootPolicyProvider"
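Review bot: this `pdp.xml` drops `maxVariableRefDepth` entirely, while the other `pdp.xml` template in this commit sets `maxVariableRefDepth="10"` (raised from 1); the two templates should agree, and because this attribute bounds how deep VariableReference chaining may go when a policy is evaluated, removing it should be a deliberate, commented choice rather than an accidental difference between the two files.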
......
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<domainProperties xmlns="http://authzforce.github.io/pap-dao-file/xmlns/properties/3.6" />
\ No newline at end of file
<domainProperties
xmlns="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6"
maxPolicyCount="10" maxVersionCountPerPolicy="10"
versionRollingEnabled="true" />
\ No newline at end of file
authzforce-ce-server (4.3.0) trusty; urgency=low
* See https://github.com/authzforce/server/CHANGELOG.md
-- Thales Services <http://www.thalesgroup.com> Fri, 16 October 2015 12:00:00 +0100
authzforce-ce-server (${project.version}) trusty; urgency=low
* See https://github.com/authzforce/server/blob/release-${project.version}/CHANGELOG.md
-- Thales Services <http://www.thalesgroup.com> ${debian.changelog.timestamp}
release date=${jdeb.changelog.timestamp},version=${project.version},urgency=low,by=Thales Services <http://www.thalesgroup.com>
* See https://github.com/authzforce/server/blob/release-${project.version}/CHANGELOG.md
......@@ -3,8 +3,11 @@ Version: [[version]]
Section: web
Priority: optional
Architecture: all
Depends: debconf (>= 0.2.26), java7-jdk, tomcat7
Depends: debconf (>= 0.2.26), openjdk-7-jdk | oracle-java7-installer, tomcat7
Maintainer: [[productMaintainer]]
Description: AuthForce CE Server.
Reference Implementation of FIWARE Authorization PDP Generic Enabler
Homepage: https://github.com/authzforce
\ No newline at end of file
# Distribution will be removed by jdeb from the final debian control file but used as 'distribution' in the .changes file
# Do not specify 'distribution' in the CHANGES.txt (on the contrary to current jdeb doc with ant) as it is ignored, only the Distribution specified here is used for the .changes file.
Distribution: stable
Homepage: https://github.com/authzforce
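Review bot: `Description: AuthForce CE Server.` misspells the product name (`AuthZForce`, as in the Homepage and everywhere else in this commit). On the `Depends` change, Oracle's public security updates for Java SE 7 ended in April 2015, so the `oracle-java7-installer` alternative leaves users without patches; the README should recommend the `openjdk-7-jdk` alternative, which Ubuntu still maintains, as the default choice.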
......@@ -27,7 +27,7 @@ echo "Now you can start playing with the REST API as defined by the WADL documen
echo "$ wget -v -O authzforce.wadl http://localhost:8080/authzforce-ce/?_wadl"
echo "Reminder: Tomcat default setup is not suitable for production! We strongly recommend reading and applying - when relevant - the guidelines from the following links:"
echo "Performance tuning best practices for VMware Apache Tomcat: http://kb.vmware.com/kb/2013486"
echo "How to optimize tomcat performance in production: http://www.genericarticles.com/mediawiki/index.php?title=How_to_optimize_tomcat_performance_in_production"
echo "How to optimize Tomcat performance in production: http://www.genericarticles.com/mediawiki/index.php?title=How_to_optimize_tomcat_performance_in_production"
echo "Apache Tomcat Tuning Guide for REST/HTTP APIs: https://javamaster.wordpress.com/2013/03/13/apache-tomcat-tuning-guide/"
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: authzforce-dist
Upstream-Name: authzforce-ce-server-dist
Files: *
Copyright: Copyright (C) 2012-2015 Thales Services SAS. All rights reserved.
Copyright: Copyright (C) 2012-2016 Thales Services SAS. All rights reserved.
Licence: GPL-3.0
The full text of the GNU General Public
License version 3 can be found in the file
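Review bot: `Licence: GPL-3.0` does not follow the copyright-format 1.0 declared in the `Format:` header of this file: the field is spelled `License`, and the short name for GPL version 3 in that format is `GPL-3` (or `GPL-3+` for "or later"); `GPL-3.0` is the SPDX form. Suggest `License: GPL-3` so tools that parse DEP-5 files recognise the paragraph. The renamed `Upstream-Name` and extended copyright years look correct.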
......
This document may be viewed in HTML form from this link:
https://github.com/authzforce/server/tree/release-${project.version}/dist/src/tar/README.md
# AuthZForce Server - Manual installation
This guide provides the procedure to install the AuthZForce server from the `tar.gz` distribution, including system requirements and troubleshooting instructions.
## System Requirements
* CPU frequency: 2.6 GHz min
* CPU architecture: i686/x86_64
* RAM: 4GB min
* Disk space: 10 GB min
* Operating System: Ubuntu 14.04 LTS
* Java environment:
* JDK 7 either from OpenJDK or Oracle;
* Tomcat 7.x.
## Installation
### Minimal
1. If you don't have a JDK 7 already installed, you may do it on the command-line as follows, depending on your JDK preference:
* If you prefer OpenJDK: `$ sudo aptitude install openjdk-7-jdk`
* If you prefer Oracle JDK, follow the instructions from [WEB UPD8](http://www.webupd8.org/2012/01/install-oracle-java-jdk-7-in-ubuntu-via.html). In the end, you should have the package `oracle-java7-installer` installed.
1. If you don't have Tomcat 7 already installed, you may do it on the command-line: `$ sudo aptitude install tomcat7`
1. Download AuthZForce server `tar.gz` distribution from the [Github project releases page](https://github.com/authzforce/server/releases/download/release-${project.version}/authzforce-ce-server-${project.version}.tar.gz>). You get a file called ``authzforce-ce-server-${project.version}.tar.gz``.
1. Copy this file to the host where you want to install AuthZForce Server.
1. For security purposes, Tomcat should be run as an unprivileged user (i.e. not `root`). If you installed Tomcat as shown above, this user is `tomcat7`. Let us assume that `tomcat7` is the user (and group) that will run the Tomcat service in your case, and `/opt` is the directory where you want to install AuthZForce server. Please replace both names according to your setup. `$CATALINA_BASE` is a Tomcat environment-specific property, usually equal to `$CATALINA_HOME`, i.e. the root directory of your Tomcat installation ([more information](https://tomcat.apache.org/tomcat-7.0-doc/introduction.html)). If you installed Tomcat as shown above, `$CATALINA_BASE = /var/lib/tomcat7`. From the directory where you copied the `tar.gz` for installation, run the following commands:
```shell
$ sudo tar xvzf authzforce-ce-server-${project.version}.tar.gz --directory /opt
$ sudo ln -s authzforce-ce-server-${project.version}.tar.gz authzforce-ce-server
$ sudo chown -RH tomcat7 authzforce-ce-server
$ sudo chgrp -RH tomcat7 authzforce-ce-server
$ sudo cp /opt/authzforce-ce-server/conf/context.xml.sample $CATALINA_BASE/conf/Catalina/localhost/authzforce-ce.xml
```
1. If you did not use `/opt` as installation directory, replace **ALL** occurrences of `/opt` in the webapp context configuration file `authzforce-ce.xml` according to your setup.
1. You may restart Tomcat server now. For instance, if you installed Tomcat as shown above, do it as follows:
```shell
$ sudo service tomcat7 restart
```
1. When the webapp is up and running, you should get a HTTP response with status code 200 to this HTTP request with curl tool (replace 8080 with the port that Tomcat is listening to):
```shell
$ curl --verbose --show-error --write-out '\n' --request GET http://localhost:8080/authzforce-ce/domains
```
Now you can start playing with the REST API as defined by the WADL document that you can retrieve with a wget command (will save the wadl to local file `authzforce.wadl`):
```shell
$ wget -v -O authzforce.wadl http://localhost:8080/authzforce-ce/?_wadl
```
### Advanced
Tomcat default setup is not suitable for production! If you are targeting a production environment, you have to carry out extra installation and configuration steps to address non-functional aspects: security (including availability), performance, etc. For performance aspects, we strongly recommend reading and applying - when relevant - the guidelines from the following links:
- [Performance tuning best practices for VMware Apache Tomcat](http://kb.vmware.com/kb/2013486)
- [How to optimize Tomcat performance in production](http://www.genericarticles.com/mediawiki/index.php?title=How_to_optimize_tomcat_performance_in_production)
- [Apache Tomcat Tuning Guide for REST/HTTP APIs](https://javamaster.wordpress.com/2013/03/13/apache-tomcat-tuning-guide/)
Last but not least, please check the *More information* section below.
## Troubleshooting
If Tomcat fails to (re)start, check for any Tomcat high-level error in Tomcat log directory: `$CATALINA_BASE/logs`.
One common reason for failure is Tomcat default configuration may specify a value for the Java `Xmx` flag that is too low for the AuthZForce webapp. Make sure Tomcat is configured with `Xmx` at 1GB or more, 2 GB recommended. For example, in the official Tomcat package for Ubuntu 12.04, Xmx used to be 128m. You can fix this parameter as follows:
```shell
$ sudo sed -i 's/-Xmx128m/-Xmx1024m/' /etc/default/tomcat
$ sudo service tomcat7 restart
```
If Tomcat is started but AuthZForce webapp deployment fails, check for any webapp-specific error in log file: `$CATALINA_BASE/logs/authzforce-ce/error.log`
## More information
For more information, go to the [online documentation](http://authzforce-ce-fiware.readthedocs.io/en/) and select the version matching your software release at the bottom of the page.
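Review bot: the symlink step in the Minimal installation is wrong and makes the following `chown`/`chgrp` and the context file path fail: `$ sudo ln -s authzforce-ce-server-${project.version}.tar.gz authzforce-ce-server` links to the tarball rather than the extracted directory, and, because the reader is told to run these commands from the download directory, the link and the ownership changes are applied there rather than under `/opt`. Suggest `$ sudo ln -s /opt/authzforce-ce-server-${project.version} /opt/authzforce-ce-server` followed by `$ sudo chown -RH tomcat7:tomcat7 /opt/authzforce-ce-server`. On least privilege: after saying Tomcat must run unprivileged, the guide hands the `tomcat7` account ownership of the whole install tree, i.e. write access to its own code and configuration; prefer root ownership with only the directories the webapp actually writes to (its data directory) owned by `tomcat7`. Smaller fixes: the troubleshooting `sed` edits `/etc/default/tomcat`, but Ubuntu's `tomcat7` package reads `/etc/default/tomcat7`; that paragraph cites Ubuntu 12.04 while System Requirements lists 14.04 LTS; and the download URL in step 3 ends with a stray `>` before the closing parenthesis.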