Merge branch 'release/3.0.0'

.gitignore

@@ -4,3 +4,5 @@
 /.classpath
 /.pmd
 /.project
+**/.idea
+*.iml

CHANGELOG.md

@@ -2,6 +2,13 @@
 All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions. This project adheres to [Semantic Versioning](http://semver.org).
 
 
+## 3.0.0
+### Changed
+- Upgraded parent project version: 8.0.0
+- Upgraded to Java 11 (Java 8 no longer supported)
+- Upgraded spring-core: 5.2.10
+
+
 ## 2.3.0
 ### Changed
 - Upgraded parent project version: 7.6.0

README.md

 [![Javadocs](http://javadoc.io/badge/org.ow2.authzforce/authzforce-ce-xacml-json-model.svg)](http://javadoc.io/doc/org.ow2.authzforce/authzforce-ce-xacml-json-model)
 
 # XACML/JSON Request and Response JSON schema (XACML/JSON Profile standard) and validation
-This project provides JSON schemas for validating XACML Requests/Responses according to JSON Profile of XACMl 3.0:
+This project provides JSON schemas for validating XACML Requests/Responses according to JSON Profile of XACML 3.0:
 - [Request.schema.json](src/main/resources/org/ow2/authzforce/xacml/json/model/Request.schema.json) for validating XACML/JSON Requests;
 - [Response.schema.json](src/main/resources/org/ow2/authzforce/xacml/json/model/Response.schema.json) for validating XACML/JSON Responses.
 
@@ -23,7 +23,7 @@ There are a few high-level differences between this JSON schema and the standard
 * Type PepActionExpression replaces Obligation/Advice with a boolean property "required" to make the difference (=true for Obligation, =false for Advice)
 * DataType defined at Attribute level, not AttributeValue level, like in standard XACML/JSON Profile
 * Apply must have at least one arg to the function
-* Several XACML/XML features are not translatable to JSON, or require a non-standard - possibly complex - convention or workaround to be translated to JSON, due to limitations of JSON, JSON Schema or of the implementation library (everit json-schema). See previous section in this document for more info.
+* Several XACML/XML features are not translatable to JSON, or require a non-standard - possibly complex - convention or workaround to be translated to JSON, due to limitations of JSON, JSON Schema or of the implementation library (everit json-schema). See next section in this document for more info.
 
 More info:
 - http://json-schema.org/draft-06/json-schema-release-notes.html#q-what-happened-to-all-the-discussions-around-re-using-schemas-with-additionalproperties

pom.xml

@@ -3,11 +3,11 @@
 	<parent>
 		<groupId>org.ow2.authzforce</groupId>
 		<artifactId>authzforce-ce-parent</artifactId>
-		<version>7.6.0</version>
+		<version>8.0.0</version>
 	</parent>
 	<artifactId>authzforce-ce-xacml-json-model</artifactId>
 	<packaging>jar</packaging>
-	<version>2.3.0</version>
+	<version>3.0.0</version>
 	<name>${project.groupId}:${project.artifactId}</name>
 	<description>AuthzForce - Data model for JSON Profile of XACML 3.0</description>
 	<url>${project.url}</url>
@@ -51,6 +51,11 @@
 			<artifactId>authzforce-ce-xacml-model</artifactId>
 			<scope>test</scope>
 		</dependency>
+		<dependency>
+			<groupId>org.glassfish.jaxb</groupId>
+			<artifactId>jaxb-runtime</artifactId>
+			<scope>test</scope>
+		</dependency>
 	</dependencies>
 	<build>
 		<plugins>
@@ -93,12 +98,8 @@
 				</executions>
 			</plugin>
 			<plugin>
-				<groupId>org.codehaus.mojo</groupId>
-				<artifactId>findbugs-maven-plugin</artifactId>
-				<configuration>
-					<onlyAnalyze>org.ow2.authzforce.*</onlyAnalyze>
-					<excludeFilterFile>findbugs-exclude-filter.xml</excludeFilterFile>
-				</configuration>
+				<groupId>com.github.spotbugs</groupId>
+				<artifactId>spotbugs-maven-plugin</artifactId>
 				<executions>
 					<execution>
 						<phase>verify</phase>

findbugs-exclude-filter.xml → spotbugs-security-exclude.xml

@@ -11,4 +11,8 @@
    -->
     <Bug pattern="CRLF_INJECTION_LOGS" />
   </Match>
+  <Match>
+    <Class name="org.ow2.authzforce.xacml.json.model.SpringBasedJsonSchemaClient"/>
+    <Bug pattern="URLCONNECTION_SSRF_FD" />
+  </Match>
 </FindBugsFilter>
\ No newline at end of file

src/main/java/org/ow2/authzforce/xacml/json/model/LimitsCheckingJSONObject.java

 /**
- * Copyright 2012-2020 THALES.
+ * Copyright 2012-2021 THALES.
  *
  * This file is part of AuthzForce CE.
  *
@@ -17,15 +17,14 @@
  */
 package org.ow2.authzforce.xacml.json.model;
 
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.Reader;
-
 import org.json.JSONArray;
 import org.json.JSONException;
 import org.json.JSONObject;
 import org.json.JSONTokener;
 
+import java.io.InputStream;
+import java.io.Reader;
+
 /**
  * {@link JSONObject} that complies with limits in terms of value length, depth and number of elements.
  */
@@ -71,24 +70,6 @@ public final class LimitsCheckingJSONObject extends JSONObject
 			this.maxDepth = maxDepth;
 		}
 
-		/**
-		 * Constructs from an {@link InputStream}
-		 * 
-		 * @param inputStream
-		 *            the source
-		 * 
-		 * @param maxJsonStringLength
-		 *            allowed maximum length of JSON keys and string values
-		 * @param maxNumOfImmediateChildren
-		 *            allowed maximum number of keys (therefore key-value pairs) in JSON object, or items in JSON array
-		 * @param maxDepth
-		 *            allowed maximum depth of JSON object
-		 */
-		private LimitsCheckingJSONTokener(final InputStream inputStream, final int maxJsonStringLength, final int maxNumOfImmediateChildren, final int maxDepth)
-		{
-			this(new InputStreamReader(inputStream), maxJsonStringLength, maxNumOfImmediateChildren, maxDepth);
-		}
-
 		/*
 		 * (non-Javadoc)
 		 * 
@@ -312,28 +293,10 @@ public final class LimitsCheckingJSONObject extends JSONObject
 		}
 	}
 
-	/**
-	 * Constructs from a {@link Reader}
-	 * 
-	 * @param reader
-	 *            a reader
-	 * 
-	 * @param maxJsonStringLength
-	 *            allowed maximum size of JSON keys and string values
-	 * @param maxNumOfImmediateChildren
-	 *            allowed maximum number of keys (therefore key-value pairs) in JSON object, or items in JSON array
-	 * @param maxDepth
-	 *            allowed maximum depth of JSON object
-	 */
-	public LimitsCheckingJSONObject(final Reader reader, final int maxJsonStringLength, final int maxNumOfImmediateChildren, final int maxDepth)
-	{
-		this(new LimitsCheckingJSONTokener(reader, maxJsonStringLength, maxNumOfImmediateChildren, maxDepth));
-	}
-
 	/**
 	 * Constructs from an {@link InputStream}
 	 * 
-	 * @param inputStream
+	 * @param reader
 	 *            the source
 	 * 
 	 * @param maxJsonStringLength
@@ -343,8 +306,8 @@ public final class LimitsCheckingJSONObject extends JSONObject
 	 * @param maxDepth
 	 *            allowed maximum depth of JSON object
 	 */
-	public LimitsCheckingJSONObject(final InputStream inputStream, final int maxJsonStringLength, final int maxNumOfImmediateChildren, final int maxDepth)
+	public LimitsCheckingJSONObject(final Reader reader, final int maxJsonStringLength, final int maxNumOfImmediateChildren, final int maxDepth)
 	{
-		this(new LimitsCheckingJSONTokener(inputStream, maxJsonStringLength, maxNumOfImmediateChildren, maxDepth));
+		this(new LimitsCheckingJSONTokener(reader, maxJsonStringLength, maxNumOfImmediateChildren, maxDepth));
 	}
 }
\ No newline at end of file

src/main/java/org/ow2/authzforce/xacml/json/model/SpringBasedJsonSchemaClient.java

 /**
- * Copyright 2012-2020 THALES.
+ * Copyright 2012-2021 THALES.
  *
  * This file is part of AuthzForce CE.
  *

src/main/java/org/ow2/authzforce/xacml/json/model/XacmlJsonUtils.java

 /**
- * Copyright 2012-2020 THALES.
+ * Copyright 2012-2021 THALES.
  *
  * This file is part of AuthzForce CE.
  *

src/test/java/org/ow2/authzforce/xacml/json/model/test/LimitsCheckingJSONObjectTest.java

 /**
- * Copyright 2012-2020 THALES.
+ * Copyright 2012-2021 THALES.
  *
  * This file is part of AuthzForce CE.
  *
@@ -17,12 +17,10 @@
  */
 package org.ow2.authzforce.xacml.json.model.test;
 
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.io.InputStream;
+import java.io.*;
 import java.net.URISyntaxException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.util.AbstractMap;
 import java.util.Arrays;
 import java.util.Iterator;
@@ -86,11 +84,11 @@ public class LimitsCheckingJSONObjectTest
 		/*
 		 * Read properly as UTF-8 to avoid character decoding issues with org.json API
 		 */
-		try (final InputStream in = new FileInputStream(xacmlJsonFile))
+		try (final BufferedReader fileReader = Files.newBufferedReader(xacmlJsonFile.toPath(), StandardCharsets.UTF_8))
 		{
 			try
 			{
-				final JSONObject json = new LimitsCheckingJSONObject(in, MAX_JSON_STRING_LENGTH, MAX_JSON_CHILDREN_COUNT, MAX_JSON_DEPTH);
+				final JSONObject json = new LimitsCheckingJSONObject(fileReader, MAX_JSON_STRING_LENGTH, MAX_JSON_CHILDREN_COUNT, MAX_JSON_DEPTH);
 				if (!expectedValid)
 				{
 					Assert.fail("Validation against JSON schema succeeded but expected to fail.  JSON = " + json);

src/test/java/org/ow2/authzforce/xacml/json/model/test/TestDataProvider.java

 /**
- * Copyright 2012-2020 THALES.
+ * Copyright 2012-2021 THALES.
  *
  * This file is part of AuthzForce CE.
  *

src/test/java/org/ow2/authzforce/xacml/json/model/test/XacmlJsonSchemaValidationTest.java

 /**
- * Copyright 2012-2020 THALES.
+ * Copyright 2012-2021 THALES.
  *
  * This file is part of AuthzForce CE.
  *
@@ -127,7 +127,7 @@ public class XacmlJsonSchemaValidationTest
 		/*
 		 * Read properly as UTF-8 to avoid character decoding issues with org.json API
 		 */
-		try (final BufferedReader reader = new BufferedReader(new InputStreamReader(new FileInputStream(xacmlJsonFile), StandardCharsets.UTF_8)))
+		try (final BufferedReader reader = Files.newBufferedReader(xacmlJsonFile.toPath(), StandardCharsets.UTF_8))
 		{
 			final JSONObject json = new LimitsCheckingJSONObject(reader, MAX_JSON_STRING_LENGTH, MAX_JSON_CHILDREN_COUNT, MAX_JSON_DEPTH);
 			final Schema schema;