Commit e1b3823b authored by cdanger's avatar cdanger

Merge branch 'release/6.0.0'

parents 1dce9dd0 45430f20
# AuthZForce Server (Community Edition)
[![License badge](https://img.shields.io/badge/license-GPL-blue.svg)](https://opensource.org/licenses/GPL-3.0)
[![Documentation badge](https://readthedocs.org/projects/authzforce-ce-fiware/badge/?version=release-5.4.1)](http://authzforce-ce-fiware.readthedocs.io/en/release-5.4.1/?badge=release-5.4.1)
[![Documentation badge](https://readthedocs.org/projects/authzforce-ce-fiware/badge/?version=release-5.4.1c)](http://authzforce-ce-fiware.readthedocs.io/en/release-5.4.1c/?badge=release-5.4.1c)
[![Docker badge](https://img.shields.io/docker/pulls/fiware/authzforce-ce-server.svg)](https://hub.docker.com/r/fiware/authzforce-ce-server/)
[![Support badge]( https://img.shields.io/badge/support-ask.fiware.org-yellowgreen.svg)](https://ask.fiware.org/questions/scope:all/sort:activity-desc/tags:authzforce/)
[![Codacy Badge](https://api.codacy.com/project/badge/Grade/cdb9dd59cbf04a95bfbfbdcf770bb7d8)](https://www.codacy.com/app/coder103/authzforce-ce-server?utm_source=github.com&utm_medium=referral&utm_content=authzforce/server&utm_campaign=Badge_Grade)
AuthZForce Server provides a multi-tenant RESTful API to Policy Administration Points (PAP) and Policy Decision Points (PDP) as defined in the [OASIS XACML 3.0 standard](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html).
*This project is part of [FIWARE](https://www.fiware.org). More info on the [FIWARE catalogue](http://catalogue.fiware.org/enablers/authorization-pdp-authzforce).*
AuthZForce Server provides a multi-tenant RESTful API to Policy Administration Points (PAP) and Policy Decision Points (PDP) supporting Attribute-Based Access Control (ABAC), as defined in the [OASIS XACML 3.0 standard](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html).
AuthZForce Server is also the Reference Implementation (GEri) of [FIWARE](https://www.fiware.org) *Authorization PDP* Generic Enabler (GE). More info on the [FIWARE catalogue](http://catalogue.fiware.org/enablers/authorization-pdp-authzforce).
The manuals are available as downloadable HTML/PDF from the [releases page](https://github.com/authzforce/server/releases/latest), or online on [readthedocs.org](http://readthedocs.org/projects/authzforce-ce-fiware/versions/).
**Go to the [releases](https://github.com/authzforce/server/releases) page for links to downloads (Linux packages), Docker image, release notes, and documentation for a specific release.**
*If you are interested in using an embedded XACML-compliant PDP in your Java applications, AuthZForce also provides a PDP engine as a Java library in [Authzforce core project](http://github.com/authzforce/core).*
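Review bot: the two Documentation badges still point at release-5.4.1 and release-5.4.1c although this merge bumps the project to 6.0.0 (see the dist and parent pom changes further down), so the README will send readers to the previous release's manual. Update both the `?version=` query and the `/en/release-.../` path to the 6.0.0 docs build, or point the badge at the readthedocs `latest` alias so it does not need editing on every release. The replaced FIWARE paragraph and its rewrite also still sit side by side in the rendered text; keep only the new wording that mentions ABAC and the GEri status.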
......@@ -36,10 +39,13 @@ The manuals are available as downloadable HTML/PDF from the [releases page](http
* **Attribute Datatypes**: you may extend the PDP engine with custom XACML attribute datatypes;
* **Functions**: you may extend the PDP engine with custom XACML functions;
* **Combining Algorithms**: you may extend the PDP engine with custom XACML policy/rule combining algorithms;
* **Attribute Providers**: you may plug custom attribute providers into the PDP engine to allow it to retrieve attributes from other attribute sources (e.g. remote service) than the input XACML Request during evaluation;
* **Attribute Providers a.k.a. PIPs** (Policy Information Points): you may plug custom attribute providers into the PDP engine to allow it to retrieve attributes from other attribute sources (e.g. remote service) than the input XACML Request during evaluation;
* **Request Filter**: you may customize the processing of XACML Requests before evaluation by the PDP core engine (e.g. used for implementing [XACML v3.0 Multiple Decision Profile Version 1.0 - Repeated attribute categories](http://docs.oasis-open.org/xacml/3.0/multiple/v1.0/cs02/xacml-3.0-multiple-v1.0-cs02.html#_Toc388943334));
* **Result Filter**: you may customize the processing of XACML Results after evaluation by the PDP engine (e.g. used for implementing [XACML v3.0 Multiple Decision Profile Version 1.0 - Requests for a combined decision](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-multiple-v1-spec-cd-03-en.html#_Toc260837890));
### PIP (Policy Information Point)
AuthzForce provides XACML PIP features in the form of *Attribute Providers*. More information in the previous section.
### PAP (Policy Administration Point)
* Policy management: create/read/update/delete multiple policies and references from one to another (via PolicySetIdReference)
* Policy versioning: create/read/delete multiple versions per policy.
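Review bot: the Request Filter and Result Filter bullets cite two different drafts of the same XACML Multiple Decision Profile (cs02 for repeated attribute categories, cd-03 for requests for a combined decision); cite one document, preferably the committee specification, so the two anchors stay valid together. Nit: the PIP section says "More information in the previous section" without naming it; "see Attribute Providers above" is clearer for a reader who lands on the heading directly.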
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-server</artifactId>
<version>5.4.1</version>
<version>6.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-server-dist</artifactId>
......@@ -51,7 +51,7 @@
authzforce-ce-parent, with a different format, so we use a plugin. -->
<groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId>
<version>1.10</version>
<version>1.12</version>
<executions>
<execution>
<id>jdeb-changelog-timestamp-property</id>
......@@ -82,7 +82,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-resources-plugin</artifactId>
<version>2.7</version>
<version>3.0.1</version>
<executions>
<execution>
<phase>process-sources</phase>
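Review bot: the maven-resources-plugin version pinned here (3.0.1) is also added to the parent pom's pluginManagement block in this same merge, so the explicit `<version>` in dist/pom.xml is redundant and the two can drift apart on the next bump; drop it here and let the parent manage it.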
......@@ -146,7 +146,7 @@
<configuration>
<verbose>true</verbose>
<snapshotExpand>true</snapshotExpand>
<deb>${project.build.directory}/${productName}_${project.version}_all.deb</deb>
<deb>${project.build.directory}/${productName}_${project.version}-0ubuntu1_all.deb</deb>
<changesIn>${project.build.outputDirectory}/debian/changes.jdeb.txt</changesIn>
<changesOut>${project.build.directory}/${productName}_${project.version}_all.changes</changesOut>
<!-- expand "SNAPSHOT" to what is in the "USER" env variable. Expanded to timestamp by default. -->
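Review bot: the Debian revision suffix is added to the .deb file name (`${productName}_${project.version}-0ubuntu1_all.deb`) but not to `<changesOut>`, which still produces `${productName}_${project.version}_all.changes`; a .changes file should carry the same `-0ubuntu1` revision as the package it describes, otherwise tooling that pairs the two by name will not find the binary. Either add the suffix there as well, or factor the revision into a property referenced by both elements.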
......@@ -176,13 +176,13 @@
<!-- Starting '.' necessary to get absolute paths, otherwise lintian complains "relative-conffile" -->
<prefix>./opt/${productName}/conf</prefix>
<user>root</user>
<group>tomcat7</group>
<group>tomcat8</group>
</mapper>
</data>
<data>
<!-- Webapp-specific context for Tomcat, after replacing 'productName' (see previous <resources> tag), therefore take it from target/classes, i.e. ${project.build.outputDirectory} -->
<src>${project.build.outputDirectory}/webapp-context.xml</src>
<dst>/etc/tomcat7/Catalina/localhost/authzforce-ce.xml</dst>
<dst>/etc/tomcat8/Catalina/localhost/authzforce-ce.xml</dst>
<type>file</type>
<conffile>true</conffile>
</data>
......@@ -196,7 +196,7 @@
<type>perm</type>
<prefix>./opt/${productName}/webapp</prefix>
<user>root</user>
<group>tomcat7</group>
<group>tomcat8</group>
<!-- filemode/dirmode set to 000 by default. Issue: https://github.com/tcurdt/jdeb/issues/55 -->
<filemode>644</filemode>
<dirmode>755</dirmode>
......@@ -210,8 +210,8 @@
<mapper>
<type>perm</type>
<prefix>./opt/${productName}/data/domains</prefix>
<user>tomcat7</user>
<group>tomcat7</group>
<user>tomcat8</user>
<group>tomcat8</group>
</mapper>
</data>
</dataSet>
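Review bot: the data/domains mapper is the one directory the service account owns and writes to (domain and policy files), yet unlike the webapp mapper just above it sets no `<filemode>`/`<dirmode>`, and the comment on that mapper says jdeb defaults both to 000. Set them explicitly, and since this tree holds the policy store, prefer restrictive modes (for example 750 for directories and 640 for files) so the policies are not readable by every local account on the host.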
......@@ -9,69 +9,73 @@
<!-- More information: http://logback.qos.ch/faq.html#sharedConfiguration -->
<!-- - RollingAppender: http://logback.qos.ch/manual/appenders.html#RollingFileAppender -->
<configuration>
<appender name="stdout" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>%date{ISO8601} %-5level [%thread] %logger:%line: %msg%n</pattern>
</encoder>
</appender>
<!-- Change log directory according to your deployment container. Examples below for Tomcat. For Glassfish: ${com.sun.aas.instanceRoot}/logs -->
<appender name="error" class="ch.qos.logback.core.rolling.RollingFileAppender">
<!--See also http://logback.qos.ch/manual/appenders.html#RollingFileAppender -->
<File>${catalina.base}/logs/authzforce-ce/error.log</File>
<encoder>
<pattern>%date{ISO8601}|%-5level|%thread|%logger:%line|%msg|%n</pattern>
</encoder>
<rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
<maxIndex>1</maxIndex>
<FileNamePattern>${catalina.base}/logs/authzforce-ce/error.log.%i</FileNamePattern>
</rollingPolicy>
<triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
<MaxFileSize>100KB</MaxFileSize>
</triggeringPolicy>
</appender>
<appender name="stdout" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>%date{ISO8601} %-5level [%thread] %logger:%line: %msg%n</pattern>
</encoder>
</appender>
<!-- Change log directory according to your deployment container. Examples below for Tomcat. For Glassfish: ${com.sun.aas.instanceRoot}/logs -->
<appender name="error" class="ch.qos.logback.core.rolling.RollingFileAppender">
<!--See also http://logback.qos.ch/manual/appenders.html#RollingFileAppender -->
<File>${catalina.base}/logs/authzforce-ce/error.log</File>
<encoder>
<pattern>%date{ISO8601}|%-5level|%thread|%logger:%line|%msg|%n</pattern>
<!-- Pattern mitigating CRLF injection -->
<!-- <pattern>%date{ISO8601}|%-5level|%thread|%logger:%line|%replace(%msg){'\r?\n','<NEWLINE>'}|%n</pattern> -->
</encoder>
<rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
<maxIndex>1</maxIndex>
<FileNamePattern>${catalina.base}/logs/authzforce-ce/error.log.%i</FileNamePattern>
</rollingPolicy>
<triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
<MaxFileSize>100KB</MaxFileSize>
</triggeringPolicy>
</appender>
<!-- Enable 'access' appender only if you need application-level access logging -->
<!-- <appender name="access" class="ch.qos.logback.core.rolling.RollingFileAppender"> -->
<!-- <File>${catalina.base}/logs/authzforce-ce/access.log</File> -->
<!-- <encoder> -->
<!-- <pattern>%date{ISO8601}|%msg|%n</pattern> -->
<!-- </encoder> -->
<!-- <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy"> -->
<!-- <maxIndex>1</maxIndex> -->
<!-- <FileNamePattern>${catalina.base}/logs/authzforce-ce/access.log.%i</FileNamePattern> -->
<!-- </rollingPolicy> -->
<!-- <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy"> -->
<!-- <MaxFileSize>100KB</MaxFileSize> -->
<!-- </triggeringPolicy> -->
<!-- </appender> -->
<!-- <appender name="accessAsync" class="ch.qos.logback.classic.AsyncAppender"> <appender-ref ref="access" /> </appender> -->
<!-- Enable 'access' appender only if you need application-level access logging -->
<!-- <appender name="access" class="ch.qos.logback.core.rolling.RollingFileAppender"> -->
<!-- <File>${catalina.base}/logs/authzforce-ce/access.log</File> -->
<!-- <encoder> -->
<!-- <pattern>%date{ISO8601}|%msg|%n</pattern> -->
<!-- </encoder> -->
<!-- <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy"> -->
<!-- <maxIndex>1</maxIndex> -->
<!-- <FileNamePattern>${catalina.base}/logs/authzforce-ce/access.log.%i</FileNamePattern> -->
<!-- </rollingPolicy> -->
<!-- <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy"> -->
<!-- <MaxFileSize>100KB</MaxFileSize> -->
<!-- </triggeringPolicy> -->
<!-- </appender> -->
<!-- <appender name="accessAsync" class="ch.qos.logback.classic.AsyncAppender"> <appender-ref ref="access" /> </appender> -->
<!-- Dumping HTTP requests and response with their headers for access logging. More info: http://blog.xebia.fr/2013/10/10/logs-daudit-pour-les-services-rest/ Use "accessAsync" appender for better performance (asynchronous logging) -->
<!-- <logger name="RequestLoggerFilter.request" level="DEBUG" additivity="false"> -->
<!-- <appender-ref ref="access"/> -->
<!-- </logger> -->
<!-- <logger name="RequestLoggerFilter.response" level="DEBUG" additivity="false"> -->
<!-- <appender-ref ref="access"/> -->
<!-- </logger> -->
<!-- <logger name="RequestLoggerFilter.headers" level="INFO" additivity="false"> -->
<!-- <appender-ref ref="access"/> -->
<!-- </logger> -->
<!-- Dumping HTTP requests and response with their headers for access logging. More info: http://blog.xebia.fr/2013/10/10/logs-daudit-pour-les-services-rest/ Use "accessAsync" appender for better performance
(asynchronous logging) -->
<!-- <logger name="RequestLoggerFilter.request" level="DEBUG" additivity="false"> -->
<!-- <appender-ref ref="access"/> -->
<!-- </logger> -->
<!-- <logger name="RequestLoggerFilter.response" level="DEBUG" additivity="false"> -->
<!-- <appender-ref ref="access"/> -->
<!-- </logger> -->
<!-- <logger name="RequestLoggerFilter.headers" level="INFO" additivity="false"> -->
<!-- <appender-ref ref="access"/> -->
<!-- </logger> -->
<logger name="com.sun.xacml" additivity="false" level="WARN">
<appender-ref ref="error" />
</logger>
<logger name="org.ow2.authzforce" additivity="false" level="WARN">
<appender-ref ref="error" />
</logger>
<logger name="com.thalesgroup" additivity="false" level="WARN">
<appender-ref ref="error" />
</logger>
<logger name="com.sun.xacml" additivity="false" level="WARN">
<appender-ref ref="error" />
</logger>
<logger name="org.ow2.authzforce" additivity="false" level="WARN">
<appender-ref ref="error" />
</logger>
<logger name="com.thalesgroup" additivity="false" level="WARN">
<appender-ref ref="error" />
</logger>
<!-- HTTP/JAX-RS/SOAP request/response debugging -->
<!-- For logging request/response to/from webapp, only logger "org.apache.cxf" in level INFO is required, and you must add CXF org.apache.cxf.interceptor.LoggingInInterceptor/LoggingOutInterceptor to JAX-RS server's in/outInterceptors -->
<!-- <logger name="org.apache.cxf" additivity="false" level="WARN"> <appender-ref ref="error" /> </logger> -->
<!-- <logger name="org.apache.http" additivity="false" level="DEBUG"> <appender-ref ref="error" /> </logger> <logger name="org.apache.http.wire" level="ERROR"> <appender-ref ref="error" /> </logger> -->
<root level="WARN">
<appender-ref ref="error" />
</root>
<!-- HTTP/JAX-RS/SOAP request/response debugging -->
<!-- For logging request/response to/from webapp, only logger "org.apache.cxf" in level INFO is required, and you must add CXF org.apache.cxf.interceptor.LoggingInInterceptor/LoggingOutInterceptor to
JAX-RS server's in/outInterceptors -->
<!-- <logger name="org.apache.cxf" additivity="false" level="WARN"> <appender-ref ref="error" /> </logger> -->
<!-- <logger name="org.apache.http" additivity="false" level="DEBUG"> <appender-ref ref="error" /> </logger> <logger name="org.apache.http.wire" level="ERROR"> <appender-ref ref="error" /> </logger> -->
<root level="WARN">
<appender-ref ref="error" />
</root>
</configuration>
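Review bot: the CRLF-mitigating pattern is added only as a comment, so the active encoder still writes `%msg` verbatim and a request-derived string (a domain or policy identifier, for instance) containing a newline can forge extra log lines. Enable it by default rather than leaving it opt-in. Note that if the commented line is uncommented as written it breaks the XML: the replacement token `<NEWLINE>` is unescaped markup inside element content, so write it as `&lt;NEWLINE&gt;` or use a token without angle brackets. Separately, with MaxFileSize 100KB and maxIndex 1 the error log retains at most 200KB before overwriting itself, which is very little for post-incident review; consider a larger size or a time-based rolling policy.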
# Java Properties configuring the mapping from XML namespace URIs used in AuthzForce API model to the name prefixes used in JSON payloads.
# For example, if we have the mapping "urn:example:com:mynamespace = myns", then some XML element
# <someElement xmlns="urn:example:com:mynamespace" ... />
# ...becomes in JSON:
# { "myns:someElement" : ... }
#
# Format:
# namespace1=prefix1
# namespace2=prefix2
# ...
# WARNING: remember to escape ':' in namespaces. More info: https://docs.oracle.com/javase/8/docs/api/java/util/Properties.html#load-java.io.Reader-
urn\:oasis\:names\:tc\:xacml\:3.0\:core\:schema\:wd-17 = xacml
http\://www.w3.org/2005/Atom = atom
http\://authzforce.github.io/rest-api-model/xmlns/authz/5 = az
http\://authzforce.github.io/core/xmlns/test/3 = test
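Review bot: the last mapping, `http://authzforce.github.io/core/xmlns/test/3 = test`, is for a test namespace; if this properties file ships in the distribution rather than under test resources, that entry should move to a test-only copy so production JSON payloads do not carry a test namespace prefix. The escaping comment is correct and all four keys follow it.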
......@@ -3,7 +3,7 @@ Version: [[version]]
Section: web
Priority: optional
Architecture: all
Depends: debconf (>= 0.2.26), openjdk-7-jdk | oracle-java7-installer, tomcat7
Depends: debconf (>= 0.2.26), openjdk-8-jre | oracle-java8-installer, tomcat8
Maintainer: [[productMaintainer]]
Description: AuthForce CE Server.
Reference Implementation of FIWARE Authorization PDP Generic Enabler
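Review bot: the Description field reads "AuthForce CE Server" (missing the Z); lintian will not catch a product-name typo, so fix it while the control file is being touched. Depending on `openjdk-8-jre` rather than the JDK is the right choice for a server host.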
#!/bin/sh
# Uncomment next line for debugging
# set -x
# Exit on error
set -e
# Source debconf library.
. /usr/share/debconf/confmodule
......@@ -13,21 +14,28 @@ fi
db_get [[productName]]/restartTomcat
if [ "$RET" = true ]; then
service tomcat7 restart
export JAVA_OPTS='"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=http -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server"'
sed -i 's|^\(JAVA_OPTS\s*=\s*\).*$|\1'"$JAVA_OPTS"'|' /etc/default/tomcat8
systemctl restart tomcat8
fi
echo "If Tomcat fails to restart, check for any Tomcat high-level error in Tomcat log directory: /var/log/tomcat7"
echo "One common reason for failure is Tomcat default configuration may specify a very low value for the Java Xmx flag. Make sure Tomcat is configured with Xmx at 1GB or more, 2 GB recommended. For example, in the official Tomcat package for Ubuntu 12.04, Xmx used to be 128m. You can fix this parameter as follows:"
echo " $ sudo sed -i 's/-Xmx128m/-Xmx1024m/' /etc/default/tomcat"
echo " $ sudo service tomcat7 restart"
echo "If Tomcat is started but AuthZForce webapp deployment fails, check for any webapp-specific error in file: /var/log/tomcat7/authzforce-ce/error.log"
echo "When the webapp is up and running, you should get a HTTP response with status code 200 to this HTTP request with curl tool (replace 8080 with the port Tomcat is listening to):"
echo "If you answered 'No' to the second question, you need to set the JAVA_OPTS in '/etc/default/tomcat8' by yourself before restarting Tomcat:"
echo " JAVA_OPTS=\"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=http -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server\""
echo
echo "If Tomcat fails to restart, check for any Tomcat high-level error in Tomcat log directory: /var/log/tomcat8"
echo "Then fix it, in particular check the settings in Tomcat init script /etc/default/tomcat8 and restart Tomcat as follows:"
echo " $ systemctl restart tomcat8"
echo
echo "If Tomcat is started but AuthZForce webapp deployment fails, check for any webapp-specific error in file: /var/log/tomcat8/authzforce-ce/error.log"
echo
echo "If Tomcat takes too long to start, especially to load the AuthZForce webapp, it is very likely caused by lack of entropy on your host for secure random number generation. Having enough entropy is critical for security reasons, especially in production. If and only if you are using this AuthzForce instance for testing only, you may speed up Tomcat startup by adding this JVM argument to the JAVA_OPTS variable in Tomcat service configuration file '/etc/default/tomcat8': '-Djava.security.egd=file:/dev/./urandom'"
echo
echo "When the webapp is up and running, you should get a HTTP response with status code 200 to this HTTP request with curl tool, after replacing 8080 with the port Tomcat is listening to if different:"
printf "$ curl --verbose --show-error --write-out '%b\\%bn' --request GET http://localhost:8080/authzforce-ce/domains\n"
echo "Now you can start playing with the REST API as defined by the WADL document that you can retrieve with a wget command (will save the wadl to local file 'authzforce.wadl'):"
echo "Now you can start playing with the REST API as defined by the WADL document that you can retrieve with a wget command and save to the local file 'authzforce.wadl' as follows:"
echo "$ wget -v -O authzforce.wadl http://localhost:8080/authzforce-ce/?_wadl"
echo "Reminder: Tomcat default setup is not suitable for production! We strongly recommend reading and applying - when relevant - the guidelines from the following links:"
echo
echo "WARNING: Tomcat default setup is not suitable for production! We strongly recommend reading and applying - when relevant - the guidelines from the following links:"
echo "Performance tuning best practices for VMware Apache Tomcat: http://kb.vmware.com/kb/2013486"
echo "How to optimize Tomcat performance in production: http://www.genericarticles.com/mediawiki/index.php?title=How_to_optimize_tomcat_performance_in_production"
echo "Apache Tomcat Tuning Guide for REST/HTTP APIs: https://javamaster.wordpress.com/2013/03/13/apache-tomcat-tuning-guide/"
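Review bot: the `sed -i` at the top of the hunk rewrites the whole `JAVA_OPTS=` line of /etc/default/tomcat8 when the administrator answers Yes, discarding any flags they had already set there (their own heap size, a custom java.security.properties, TLS settings) and keeping no backup. Prefer appending the AuthZForce flags to the existing value, or replace the line only when it still matches the distribution default, and print the previous value before overwriting. Two smaller points: `-Djavax.xml.accessExternalSchema=http` lets the XML parsers fetch schemas over plain HTTP, so document why it is needed and keep the protocol list minimal; and the curl hint is built with a printf whose `%b` conversions have no arguments, which is fragile and hard to read, where a single-quoted echo would do.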
......@@ -2,13 +2,15 @@ Template: [[productName]]/keepSamples
Type: boolean
Default: false
Description: Do you want to keep the test domain created by default?
The installation creates a test domain by default to get started testing the API quickly. If this is a production system, you may not need this
The installation creates a test domain by default to get started testing the API quickly. If this is a production system, you may not need this
(answer: No). If you answer No, you can always create domains later with the API.
Template: [[productName]]/restartTomcat
Type: boolean
Default: true
Description: Do you want to restart Tomcat now to load the AuthZForce webapp?
The AuthZForce webapp is now ready to be loaded by Tomcat. If Tomcat is configured for automatic deployment, you do not need to do this and may answer No.
Anyway, if you answer No, you can always restart Tomcat later with this command:
$ sudo service tomcat7 restart
Description: Do you want to apply recommended Tomcat settings for AuthZForce (and restart Tomcat to apply changes)?
We recommend the following Tomcat settings for AuthzForce:
JAVA_OPTS='"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=http -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server"'
Do you agree to apply these settings to Tomcat init script (/etc/default/tomcat8) now?
If you answer No, you can always apply these manually and restart Tomcat later with this command:
$ systemctl restart tomcat8
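Review bot: the JAVA_OPTS line shown to the administrator in the restartTomcat template carries the postinst's shell quoting (`JAVA_OPTS='"..."'`); if someone copies it into /etc/default/tomcat8 as displayed, the value ends up with literal double quotes wrapped in single quotes and Tomcat's startup options break. Show it the way the postinst echo already does, `JAVA_OPTS="-Djava.awt.headless=true ..."`. Also, the Description now asks two things at once (apply settings and restart) and the Default stays true, so an unattended install silently rewrites the Tomcat init script; that consequence belongs in the long description.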
......@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: authzforce-ce-server-dist
Files: *
Copyright: Copyright (C) 2012-2016 Thales Services SAS. All rights reserved.
Copyright: Copyright (C) 2012-2017 Thales Services SAS. All rights reserved.
Licence: GPL-3.0
The full text of the GNU General Public
License version 3 can be found in the file
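Review bot: the field name `Licence:` is not valid in the machine-readable copyright format declared on the Format line (copyright-format 1.0 spells it `License:`), so lintian and other parsers will flag the file; fix the spelling while the copyright year is being bumped.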
......@@ -10,33 +10,33 @@ This guide provides the procedure to install the AuthZForce server from the tarb
* RAM: 4GB min
* Disk space: 10 GB min
* File system: ext4
* Operating System: Ubuntu 14.04 LTS
* Operating System: Ubuntu 16.04 LTS
* Java environment:
* JDK 7 either from OpenJDK or Oracle;
* Tomcat 7.x.
* JRE 8 either from OpenJDK or Oracle;
* Tomcat 8.x.
## Installation
### Minimal
1. If you don't have a JDK 7 already installed, you may do it on the command-line as follows, depending on your JDK preference:
* If you prefer OpenJDK: `$ sudo aptitude install openjdk-7-jdk`
* If you prefer Oracle JDK, follow the instructions from [WEB UPD8](http://www.webupd8.org/2012/01/install-oracle-java-jdk-7-in-ubuntu-via.html). In the end, you should have the package `oracle-java7-installer` installed.
1. If you don't have Tomcat 7 already installed, you may do it on the command-line: `$ sudo aptitude install tomcat7`
1. If you don't have a JRE 8 already installed, you may do it on the command-line as follows, depending on your JRE preference:
* If you prefer OpenJDK: `$ sudo apt install openjdk-8-jdk`
* If you prefer Oracle JRE, follow the instructions from [WEB UPD8](http://www.webupd8.org/2012/09/install-oracle-java-8-in-ubuntu-via-ppa.html). In the end, you should have the package `oracle-java8-installer` installed.
1. If you don't have Tomcat 8 already installed, you may do it on the command-line: `$ sudo apt install tomcat8`
1. Download AuthZForce server tarball distribution from the [Maven Central Repository](http://repo1.maven.org/maven2/org/ow2/authzforce/authzforce-ce-server-dist/${project.version}/authzforce-ce-server-dist-${project.version}.tar.gz). You get a file called ``authzforce-ce-server-dist-${project.version}.tar.gz``.
1. Copy this file to the host where you want to install AuthZForce Server.
1. For security purposes, Tomcat should be run as an unprivileged user (i.e. not `root`). If you installed Tomcat as shown above, this user is `tomcat7`. Let us assume that `tomcat7` is the user (and group) that will run the Tomcat service in your case, and `/opt` is the directory where you want to install AuthZForce server. Please replace both names according to your setup. `$CATALINA_BASE` is a Tomcat environment-specific property, usually equal to `$CATALINA_HOME`, i.e. the root directory of your Tomcat installation ([more information](https://tomcat.apache.org/tomcat-7.0-doc/introduction.html)). If you installed Tomcat as shown above, `$CATALINA_BASE = /var/lib/tomcat7`. From the directory where you copied the tarball for installation, run the following commands:
1. For security purposes, Tomcat should be run as an unprivileged user (i.e. not `root`). If you installed Tomcat as shown above, this user is `tomcat8`. Let us assume that `tomcat8` is the user (and group) that will run the Tomcat service in your case, and `/opt` is the directory where you want to install AuthZForce server. Please replace both names according to your setup. `$CATALINA_BASE` is a Tomcat environment-specific property, usually equal to `$CATALINA_HOME`, i.e. the root directory of your Tomcat installation ([more information](https://tomcat.apache.org/tomcat-8.0-doc/introduction.html)). If you installed Tomcat as shown above, `$CATALINA_BASE = /var/lib/tomcat8`. From the directory where you copied the tarball for installation, run the following commands:
```shell
$ sudo tar xvzf authzforce-ce-server-dist-${project.version}.tar.gz --directory /opt
$ sudo ln -s authzforce-ce-server-${project.version} authzforce-ce-server
$ sudo chown -RH tomcat7 authzforce-ce-server
$ sudo chgrp -RH tomcat7 authzforce-ce-server
$ sudo chown -RH tomcat8 authzforce-ce-server
$ sudo chgrp -RH tomcat8 authzforce-ce-server
$ sudo cp /opt/authzforce-ce-server/conf/context.xml.sample $CATALINA_BASE/conf/Catalina/localhost/authzforce-ce.xml
```
1. If you did not use `/opt` as installation directory, replace **ALL** occurrences of `/opt` in the webapp context configuration file `authzforce-ce.xml` according to your setup.
1. You may restart Tomcat server now. For instance, if you installed Tomcat as shown above, do it as follows:
```shell
$ sudo service tomcat7 restart
$ systemctl restart tomcat8
```
**Known issue: lack of entropy may cause delays in Tomcat 7+ start up on virtual machines in particular: [more info on Entropy Source issue](https://wiki.apache.org/tomcat/HowTo/FasterStartUp#Entropy_Source). So beware.**
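Review bot: the `chown -RH tomcat8` / `chgrp -RH tomcat8` steps hand the whole install tree, conf and webapp included, to the account that runs Tomcat, whereas the Debian package in this same merge keeps conf and webapp as root:tomcat8 (read-only for the service) and gives tomcat8 ownership of data/domains only. A webapp that owns its own code and configuration can rewrite both if it is compromised; the tarball guide should mirror the package's model (root-owned conf and webapp, service-writable data directory). Two further problems in the same block: `ln -s` and the chown/chgrp run in the directory the tarball was copied to, not in /opt, so the symlink is created in the wrong place and the later `cp` from /opt/authzforce-ce-server fails; add `cd /opt` after the tar step. And the JRE bullet installs `openjdk-8-jdk` while the surrounding text, the Oracle bullet and the Debian control file all say JRE; a JRE is enough for a server and keeps the compiler tooling off the host.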
......@@ -64,11 +64,12 @@ Last but not least, please check the *More information* section below.
## Troubleshooting
If Tomcat fails to (re)start, check for any Tomcat high-level error in Tomcat log directory: `$CATALINA_BASE/logs`.
One common reason for failure is Tomcat default configuration may specify a value for the Java `Xmx` flag that is too low for the AuthZForce webapp. Make sure Tomcat is configured with `Xmx` at 1GB or more, 2 GB recommended. For example, in the official Tomcat package for Ubuntu 12.04, Xmx used to be 128m. You can fix this parameter as follows:
One common reason for failure is Tomcat default configuration may specify a value for the Java `Xmx` flag that is too low for the AuthZForce webapp. Make sure Tomcat is configured with `Xmx` at 1GB or more, 2 GB recommended. For example:
```shell
$ sudo sed -i 's/-Xmx128m/-Xmx1024m/' /etc/default/tomcat
$ sudo service tomcat7 restart
$ export JAVA_OPTS='"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=http -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server"'
$ sed -i 's|^\(JAVA_OPTS\s*=\s*\).*$|\1'"$JAVA_OPTS"'|' /etc/default/tomcat8
$ systemctl restart tomcat8
```
If Tomcat is started but AuthZForce webapp deployment fails, check for any webapp-specific error in log file: `$CATALINA_BASE/logs/authzforce-ce/error.log`
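Review bot: the new `sed -i` on /etc/default/tomcat8 and the `systemctl restart` lost the `sudo` that the replaced lines had, so as shown they fail with permission denied for a normal user. As in the postinst, the sed replaces the entire JAVA_OPTS line, so an administrator following this troubleshooting step loses any flags they had already configured; say so explicitly, or show a command that only adjusts `-Xmx` the way the original `sed 's/-Xmx128m/-Xmx1024m/'` did.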
......@@ -25,4 +25,8 @@
<Environment name="org.ow2.authzforce.domains.sync.interval"
value="0" type="java.lang.Integer" override="false"
description="Domains folder-to-memory synchronization interval (seconds); value 0 disables this feature." />
<Environment name="org.ow2.authzforce.domains.enablePdpOnly"
value="false" type="java.lang.Boolean" override="false"
description="Enable PDP only, i.e. disable all PAP (or other administration) features iff true" />
</Context>
\ No newline at end of file
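Review bot: `enablePdpOnly` is a useful hardening switch (it removes the policy administration surface from a deployment that only needs decisions), so the description should state what the operator gains, and the installation guide should recommend it for production PDPs whose policies are provisioned out of band; "iff" in a description string is also easy to misread as a typo. Nit: the file now lacks a trailing newline.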
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes><![CDATA[
file name: mailapi-1.5.6.jar
]]></notes>
<gav regex="true">^com\.sun\.mail:mailapi:.*$</gav>
<cve>CVE-2007-6059</cve>
</suppress>
</suppressions>
\ No newline at end of file
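Review bot: the suppression matches every version of com.sun.mail:mailapi (`.*$`) for CVE-2007-6059, and the notes record only the jar name. Suppressing a 2007 CVE across versions is acceptable if it is a CPE mismatch, but the notes should say so (which CPE it was matched to and why it does not apply), because the file name alone will not justify keeping the entry at the next review; alternatively pin the regex to the 1.5.6 version named in the notes so the suppression is revisited on upgrade. Nit: missing newline at end of file.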
......@@ -4,21 +4,21 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-parent</artifactId>
<version>3.4.0</version>
<version>4.1.1</version>
</parent>
<artifactId>authzforce-ce-server</artifactId>
<!-- FIWARE Versioning + Version must be equal or higher than 'authzforce-ce-rest-api-model' dependency in 'rest-service' module -->
<version>5.4.1</version>
<version>6.0.0</version>
<packaging>pom</packaging>
<name>${project.groupId}:${project.artifactId}</name>
<description>AuthZForce CE Server</description>
<url>https://github.com/authzforce/server</url>
<properties>
<git.url.base>https://github.com/authzforce/server</git.url.base>
<authzforce-ce-core.version>5.0.2</authzforce-ce-core.version>
<authzforce-ce-core-pap-api.version>5.3.0</authzforce-ce-core-pap-api.version>
<authzforce-ce-core.version>6.1.0</authzforce-ce-core.version>
<authzforce-ce-core-pap-api.version>6.2.0</authzforce-ce-core-pap-api.version>
<!-- Version must be compatible with authzforce-ce-core and authzforce-ce-core-pap-api versions above. -->
<authzforce-ce-pap-dao-flat-file.version>6.1.0</authzforce-ce-pap-dao-flat-file.version>
<authzforce-ce-pap-dao-flat-file.version>7.0.0</authzforce-ce-pap-dao-flat-file.version>
</properties>
<scm>
<connection>scm:git:${git.url.base}.git</connection>
......@@ -44,6 +44,11 @@
<artifactId>${artifactId.prefix}-pap-dao-flat-file</artifactId>
<version>${authzforce-ce-pap-dao-flat-file.version}</version>
</dependency>
<dependency>
<groupId>org.testng</groupId>
<artifactId>testng</artifactId>
<version>6.9.13.6</version>
</dependency>
</dependencies>
</dependencyManagement>
<modules>
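Review bot: the managed testng entry has no `<scope>test</scope>`; in dependencyManagement the scope is inherited by modules that omit it, so a module declaring testng without an explicit scope would compile against it and bundle it into the webapp. Add `<scope>test</scope>` to the managed entry so the test framework can never end up in the deployed artifact.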
......@@ -53,40 +58,44 @@
<module>dist</module>
</modules>
<build>
<pluginManagement>
<plugins>
<!--This plugin's configuration is used to store Eclipse m2e settings only. It has no influence on the Maven build itself.-->
<plugin>
<groupId>org.eclipse.m2e</groupId>
<artifactId>lifecycle-mapping</artifactId>
<version>1.0.0</version>
<configuration>
<lifecycleMappingMetadata>
<pluginExecutions>
<pluginExecution>
<pluginExecutionFilter>
<groupId>
org.apache.maven.plugins
</groupId>
<artifactId>
maven-antrun-plugin
</artifactId>
<versionRange>
[1.6,)
</versionRange>
<goals>
<goal>run</goal>
</goals>
</pluginExecutionFilter>
<action>
<ignore />
</action>
</pluginExecution>
</pluginExecutions>
</lifecycleMappingMetadata>
</configuration>
</plugin>
</plugins>
</pluginManagement>
<pluginManagement>
<plugins>
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<version>3.0.1</version>
</plugin>
<plugin>
<!--This plugin's configuration is used to store Eclipse m2e settings only. It has no influence on the Maven build itself. -->
<groupId>org.eclipse.m2e</groupId>
<artifactId>lifecycle-mapping</artifactId>
<version>1.0.0</version>
<configuration>
<lifecycleMappingMetadata>
<pluginExecutions>
<pluginExecution>
<pluginExecutionFilter>
<groupId>
org.apache.maven.plugins
</groupId>
<artifactId>
maven-antrun-plugin
</artifactId>
<versionRange>
[1.6,)
</versionRange>
<goals>
<goal>run</goal>
</goals>
</pluginExecutionFilter>
<action>
<ignore />
</action>
</pluginExecution>
</pluginExecutions>
</lifecycleMappingMetadata>
</configuration>
</plugin>
</plugins>
</pluginManagement>
</build>
</project>
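Review bot: apart from the new maven-resources-plugin 3.0.1 entry, this hunk is a re-indentation of the unchanged m2e lifecycle-mapping block, which buries the one functional change in whitespace churn; keep formatting-only changes in a separate commit. The m2e comment is also moved inside the `<plugin>` element; either position works, but be consistent with the other poms in the repository.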
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
<suppress>
<notes><![CDATA[
file name: mailapi-1.5.6.jar
]]></notes>
<gav regex="true">^com\.sun\.mail:mailapi:.*$</gav>
<cve>CVE-2007-6059</cve>
</suppress>
</suppressions>
\ No newline at end of file
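Review bot: this suppression file is byte-for-byte the same as the one added for the other module earlier in this merge. Keeping two copies means the next suppression (or the removal of this one when mailapi is bumped) has to be made twice; put a single file at the repository root and point each module's `<suppressionFile>` at it with a path relative to the module (for example `../owasp-dependency-check-suppression.xml`).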
......@@ -4,7 +4,7 @@
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-server</artifactId>
<!-- Version must be equal or higher than authzforce-ce-rest-api-model dependency -->
<version>5.4.1</version>
<version>6.0.0</version>
<relativePath>..</relativePath>
</parent>
<artifactId>authzforce-ce-server-rest-service</artifactId>
......@@ -27,16 +27,10 @@
<groupId>org.slf4j</groupId>
<artifactId>log4j-over-slf4j</artifactId>
</dependency>
<dependency>
<!-- For URL path segment escaper: http://google.github.io/guava/releases/18.0/api/docs/com/google/common/net/UrlEscapers.html#urlPathSegmentEscaper() -->
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>18.0</version>
</dependency>
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>${artifactId.prefix}-rest-api-model</artifactId>
<version>5.3.1</version>
<version>5.4.0</version>
</dependency>
<dependency>
<groupId>${project.groupId}</groupId>
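Review bot: the guava dependency being removed was, per its own comment, the source of the URL path-segment escaper used when building resource URLs; confirm that whatever replaced it (presumably something in rest-api-model 5.4.0) still percent-encodes user-supplied identifiers such as domain and policy ids before they are placed in links or Location headers, since an unescaped identifier lets a client inject path separators or header-breaking characters into responses. A test with an id containing `/`, `%` and a space would pin that behaviour down.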
......@@ -65,24 +59,25 @@
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<executions>
<execution>
<phase>verify</phase>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<!-- Consider combining with Red Hat Victims and OSS Index. More info on Victims vs. Dependency-check: https://bugzilla.redhat.com/show_bug.cgi?id=1388712 -->
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<configuration>
<!-- Enables analysis which takes more memory but finds more bugs. If you run out of memory, changes the value of the effort element to 'Low'. -->
<effort>Max</effort>
<!-- Reports all bugs (other values are medium and max) -->
<threshold>Low</threshold>
<failOnError>true</failOnError>
<plugins>
<plugin>
<groupId>com.h3xstream.findsecbugs</groupId>
<artifactId>findsecbugs-plugin</artifactId>
<!-- Auto-update to the latest stable -->
<version>LATEST</version>
</plugin>
</plugins>
<!-- The plugin has numerous issues with version matching, which triggers false positives so we need a "suppression" file for those. More info: https://github.com/jeremylong/DependencyCheck/issues -->
<suppressionFile>owasp-dependency-check-suppression.xml</suppressionFile>
</configuration>
<executions>
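Review bot: `<version>LATEST</version>` for findsecbugs-plugin makes the build non-reproducible and pulls whatever the repository serves at build time, which is exactly the unpinned dependency a supply-chain review rejects, and the comment confirms the auto-update is deliberate; pin a specific version and bump it on purpose. With `failOnError` set, effort Max and threshold Low are the right strictness, but make sure the findbugs `check` goal stays bound to the verify phase so a finding actually fails the build.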