Updated documentation for new release 10.0.0
cdanger committed Mar 9, 2021
1 parent 5af8004 commit c41b559
Showing 6 changed files with 64 additions and 56 deletions.
4 changes: 4 additions & 0 deletions doc/Features.md
Expand Up @@ -434,6 +434,10 @@ Conformance table according to [section 5](http://docs.oasis-open.org/xacml/xacm
#### XACML Additional Combining Algorithms Profile
AuthzForce provides experimental support for [XACML 3.0 Additional Combining Algorithms Profile Version 1.0](http://docs.oasis-open.org/xacml/xacml-3.0-combalgs/v1.0/xacml-3.0-combalgs-v1.0.html), i.e. `on-permit-apply-second` policy combining algorithm.

#### GeoXACML
[GeoXACML](http://portal.opengeospatial.org/files/?artifact_id=42734) (Open Geospatial Consortium) is supported as an AuthzForce plugin from [SecureDimensions](https://github.com/securedimensions/authzforce-geoxacml-basic).


### Safety & Security

* Detection of circular XACML policy references (PolicySetIdReference);
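Review bot: the new GeoXACML paragraph points at a third-party repository but does not say that the plugin is not bundled with the AuthzForce release, which AuthzForce versions it is compatible with, or where it has to be installed; the neighbouring entries in this section describe built-in behaviour ("AuthzForce provides experimental support for ... on-permit-apply-second"), so a reader may assume the same here. Add a sentence on compatibility and installation, and consider an https link instead of `http://portal.opengeospatial.org/files/?artifact_id=42734`, consistent with the switch to `https://repo1.maven.org` made elsewhere in this commit.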
2 changes: 1 addition & 1 deletion doc/Features.rst
@@ -1,4 +1,4 @@
Features
========

See `the list of features on Github for the current version <https://github.com/authzforce/fiware/blob/release-9.0.1/doc/Features.md>`__.
See `the list of features on Github for the current version <https://github.com/authzforce/fiware/blob/release-10.0.0/doc/Features.md>`__.
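Review bot: the link now targets the `release-10.0.0` tag, which has to exist on GitHub for the link to resolve; since the commit message describes 10.0.0 as a new release, confirm the tag is pushed before this documentation is published. Pinning to the tag is the right choice (a link to the default branch would silently drift away from the 10.0.0 feature list).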
45 changes: 25 additions & 20 deletions doc/InstallationAndAdministrationGuide.rst
Expand Up @@ -14,10 +14,10 @@ The system requirements are the following:
* RAM: 4GB min
* Disk space: 10 GB min
* File system: ext4
* Operating System: Ubuntu 18.04 LTS
* Operating System: Ubuntu 18.04 LTS or later
* Java environment:

* JRE 8 either from OpenJDK or Oracle;
* JRE 11 either from OpenJDK or Oracle;
* Tomcat 9.x.

Installation
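Review bot: `JRE 11 either from OpenJDK or Oracle;` is inconsistent with the Minimal setup section of this same file, which now gives only the OpenJDK install command and drops the Oracle instructions; either keep both options here and document Oracle below, or state `JRE 11 (OpenJDK)`. `Ubuntu 18.04 LTS or later` is also open-ended: the guide installs `tomcat9` and `openjdk-11-jre` from the distribution packages, so name the Ubuntu releases on which these steps were actually verified.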
Expand All @@ -29,14 +29,12 @@ finally, proceed with the `Upgrade`_ section that follows, to transfer data from
Minimal setup
-------------

#. Install a JRE 8 if you don't have one already, using either of these two methods depending on your JDK preference:
#. Install a JRE 11 if you don't have one already, using either of these two methods depending on your JDK preference:

* If you prefer OpenJDK: ``$ sudo apt install openjdk-8-jre``
* If you prefer Oracle JDK, follow the instructions from `WEB UPD8 <http://www.webupd8.org/2012/09/install-oracle-java-8-in-ubuntu-via-ppa.html>`_.
In the end, you should have the package ``oracle-java8-installer`` installed.
* For OpenJDK: ``$ sudo apt install openjdk-11-jre``
#. Install Tomcat 9: ``$ sudo apt install tomcat9``.
#. Each AuthzForce Server version number has the form MAJOR.MINOR.PATH (Semantic Versioning). Identify the latest binary (Ubuntu package with ``.deb`` extension) release of AuthzForce Server
on `Maven Central Repository <http://repo1.maven.org/maven2/org/ow2/authzforce/authzforce-ce-server-dist/>`_ that matches the MAJOR.MINOR version of this documentation.
on `Maven Central Repository <https://repo1.maven.org/maven2/org/ow2/authzforce/authzforce-ce-server-dist/>`_ that matches the MAJOR.MINOR version of this documentation.
This is the current latest software version to which this documentation version applies.
If you want to use a different software version, go to the latest documentation version with matching MAJOR.MINOR and follow instructions there.
Else you may download the software version. We will refer to its version number as ``M.m.P`` (please replace accordingly):
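Review bot: the step still says `using either of these two methods depending on your JDK preference` but now lists a single method; reword to something like `Install a JRE 11 if you don't have one already, e.g. for OpenJDK: ...`. In the unchanged context, `MAJOR.MINOR.PATH` should read `MAJOR.MINOR.PATCH`. The switch to `https://repo1.maven.org` is good; since this step downloads a `.deb` that is then installed as root, consider adding a sentence telling the reader to verify the checksum or PGP signature that Maven Central publishes next to the artifact before installing it.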
Expand Down Expand Up @@ -92,12 +90,12 @@ Tomcat

For configuring and managing Tomcat, please refer to the `official user guide <http://tomcat.apache.org/tomcat-9.0-doc/index.html>`_.

Authzforce webapp
AuthzForce webapp
-----------------

The Authzforce webapp configuration directory is located here: ``/opt/authzforce-ce-server/conf``.
The AuthzForce webapp configuration directory is located here: ``/opt/authzforce-ce-server/conf``.

In particular, the file ``logback.xml`` configures the logging for the webapp (independently from Tomcat). By default, Authzforce-specific logs go to ``/var/log/tomcat9/authzforce-ce/error.log``.
In particular, the file ``logback.xml`` configures the logging for the webapp (independently from Tomcat). By default, AuthzForce-specific logs go to ``/var/log/tomcat9/authzforce-ce/error.log``.

Restart Tomcat to apply any configuration change::
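Review bot: the `Authzforce` → `AuthzForce` rename is applied here, but the unchanged context later in this same file still reads `in front of the Authzforce server` (under Dedicated WAF); apply the same spelling there so the rename is complete.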
Expand Down Expand Up @@ -132,7 +130,7 @@ The Concept of Policy Domain
The application is multi-tenant, i.e. it allows users or organizations to work on authorization policies in complete isolation from each other. In this document, we use the term *domain* instead of *tenant*.
In this context, a policy domain consists of:

* Various metadata about the domain: ID assigned by the Authzforce API, external ID (assigned by the provisioning client), description;
* Various metadata about the domain: ID assigned by the AuthzForce API, external ID (assigned by the provisioning client), description;
* A policy repository;
* Attribute Providers configuration: attribute providers provide attributes that the PEP does NOT directly provide in the XACML <Request>.
For example, an attribute provider may get attribute values from an external database.
Expand Down Expand Up @@ -284,9 +282,9 @@ Sanity check procedures
The Sanity Check Procedures are the steps that a System Administrator will take to verify that the installation is ready to be tested.
This is therefore a preliminary set of tests to ensure that obvious or basic malfunctioning is fixed before proceeding to unit tests, integration tests and user validation.

End to End testing
End-to-End testing
------------------
To check the proper deployment and operation of the Authorization Server, perform the following steps:
To check the proper deployment and operation of the AuthzForce Server, perform the following steps:

#. Get the list of policy administration domains by doing the following HTTP request, replacing ``${host}`` with the server hostname, and ``${port}`` with the HTTP port of the server, for example with ``curl`` tool::

Expand Down Expand Up @@ -420,8 +418,8 @@ For Tomcat 9, refer to the `Tomcat 9 SSL/TLS Configuration HOW-TO <https://tomca
Web Application Secutity
++++++++++++++++++++++++

XML Security
************
XML and JSON Security
*********************

The AuthzForce web application exposes a XML-based API. Therefore it is vulnerable to XML denial-of-service attacks.
To mitigate these attacks, there are two solutions:
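Review bot: the heading becomes `XML and JSON Security`, but the paragraph under it still says the application `exposes a XML-based API` and is `vulnerable to XML denial-of-service attacks`; since the limits below are now documented for JSON input as well, state that the API also accepts JSON (the XACML JSON Profile mentioned in the new property further down) and that the same resource-exhaustion concerns (deep nesting, very many properties, very long strings) apply to it. Also `a XML-based` → `an XML-based`, and `Secutity` in the parent heading → `Security`.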
Expand All @@ -433,14 +431,14 @@ To mitigate these attacks, there are two solutions:
<Environment
name="org.apache.cxf.stax.maxChildElements"
description="Maximum number of child elements in an input XML element. Default: 50000."
description="Maximum number of child elements (resp. properties) in an input XML element (resp. JSON)."
type="java.lang.Integer"
value="1000"
override="false" />
<Environment
name="org.apache.cxf.stax.maxElementDepth"
description="Maximum depth of an element in input XML. Default: 100."
description="Maximum depth of an element (resp. JSON object) in input XML (resp. JSON)."
type="java.lang.Integer"
value="100"
override="false" />
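Review bot: the rewritten descriptions drop the default values (`Default: 50000.` for `maxChildElements`, `Default: 100.` for `maxElementDepth`) that told the reader how far the suggested `value` tightens the limit; keep the defaults in the description or state them in the prose, since `1000` child elements is a 50x reduction from the default that an administrator has to weigh against the size of legitimate requests and uploaded policies.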
Expand All @@ -449,24 +447,31 @@ To mitigate these attacks, there are two solutions:
(more info: https://issues.apache.org/jira/browse/CXF-6848) -->
<Environment
name="org.apache.cxf.stax.maxAttributeCount"
description="Maximum number of attributes per element in input XML. Default: 500."
description="Maximum number of attributes per element in input XML."
type="java.lang.Integer"
value="100"
override="false" />
<Environment
name="org.apache.cxf.stax.maxAttributeSize"
description="Maximum size of a single attribute in input XML. Default: 65536 (= 64*1024)."
description="Maximum size of a single attribute in input XML."
type="java.lang.Integer"
value="1000"
override="false" />
<Environment
name="org.apache.cxf.stax.maxTextLength"
description="Maximum size of XML text node in input XML. Default: 134217728 (= 128*1024*1024)."
description="Maximum size of XML text node (resp. JSON string) in input XML (resp. JSON)."
type="java.lang.Integer"
value="1000"
override="false" />
<Environment
name="org.ow2.authzforce.domains.xacmlJsonSchemaRelativePath"
description="Path to JSON schema file for XACML JSON Profile's Request validation, relative to ${org.ow2.authzforce.config.dir} (if undefined/empty value, the Request.schema.json file from authzforce-ce-xacml-json-model project is used by default). This property applies if and only if 'org.ow2.authzforce.domains.enableXacmlJsonProfile' is true."
type="java.lang.String"
value=""
override="false" />
Restart Tomcat to apply changes.
* **Dedicated WAF**: for better mitigation, we recommend using a WAF (Web Application Firewall) with XML attack mitigation features in front of the Authzforce server.
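Review bot: the new `org.ow2.authzforce.domains.xacmlJsonSchemaRelativePath` entry concerns schema validation, not the size limits this list documents, and its description refers to `org.ow2.authzforce.domains.enableXacmlJsonProfile`, which is neither defined nor cross-referenced anywhere in this snippet; document (or link to) that property and give the new entry its own paragraph so readers do not mistake it for a DoS limit. As with the previous hunk, the removed defaults (`500`, `65536`, `134217728`) should stay in the descriptions, and `maxTextLength` at `1000` now also bounds JSON strings, so check that the longest attribute values in legitimate requests still fit. Finally, `the Authzforce server` in the Dedicated WAF bullet should be `AuthzForce` for consistency with the rename made earlier in this file.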
