Merge branch 'release/9.0.0'

CHANGELOG.md

@@ -4,6 +4,33 @@ All notable changes to this project are documented in this file following the [K
 Issues reported on [GitHub](https://github.com/authzforce/server/issues) are referenced in the form of `[GH-N]`, where N is the issue number. Issues reported on [OW2](https://jira.ow2.org/browse/AUTHZFORCE/) are mentioned in the form of `[OW2-N]`, where N is the issue number.
 
 
+## 9.0.0
+*See the [Upgrader tool](upgrader/src) for upgrading from 8.x versions.*
+
+### Added
+- **Tomcat 9** support. 
+- New application configuration variable `org.ow2.authzforce.webapp.badReqErrVerbosity`: configures the verbosity of HTTP 400 (Bad Request) responses to help clients troubleshoot their API requests. To be set in the webapp-specific Tomcat Context element, typically `/etc/tomcat9/Catalina/localhost/authzforce-ce.xml`.
+- PDP API (/pdp): support for **Multiple Decision Profile with XACML/JSON Profile** (JSON input)
+
+### Changed
+- **Tomcat requirement: 9.x**. Although AuthzForce Server may still run on Tomcat 8 with a few tweaks, **Tomcat 8 is not officially supported anymore**.
+- Domains' PDP configuration format changed, i.e. XML namespaces / types / elements changed  (the [Upgrader tool](upgrader/src) helps migrate configurations from older 8.x versions)
+- Upgraded parent project (authzforce-ce-parent): 7.6.1: upgraded dependencies:
+	- slf4j-api: 1.7.30 (fix CVE)
+	- Apache CXF: 3.3.6
+  	- Spring: 5.1.14
+- Upgraded dependencies: 
+	- authzforce-ce-core-pdp-engine: 16.0.0
+	- authzforce-ce-core-pap-api: 10.1.0
+	- authzforce-ce-jaxrs-utils: 1.6.0
+	- authzforce-ce-pap-dao-flat-file: 12.0.0
+
+### Fixed
+- #46 : bad PolicySets pushed to the /pap/policies endpoint are still saved on server side even if a HTTP 400 Bad Request is returned.
+- Issues with XACML/JSON responses (XACML JSON Profile)
+- CVE on slf4j
+
+
 ## 8.1.0
 ### Added
 - [GH-29] Systematic input policy validation on API - HTTP POST `/domains/{domain-id}/pap/policies` - even if the policy is not currently in use by the PDP (it is potentially used later on after changing PDP configuration), in order to improve safety and troubleshooting. Policies are validated by attempting to load a temporary PDP configuration with the input policy as root policy.

README.md

@@ -32,8 +32,8 @@ _If you are interested in using an embedded XACML-compliant PDP in your Java
 applications, AuthzForce also provides a PDP engine as a Java library in
 [Authzforce core project](http://github.com/authzforce/core)._
 
-|  :books: [Documentation](https://authzforce-ce-fiware.rtfd.io/) | :mortar_board: [Academy](https://fiware-academy.readthedocs.io/en/latest/security/authzforce) | :whale: [Docker Hub](https://hub.docker.com/r/authzforce/server/) |
-|---|---|---|
+|  :books: [Documentation](https://authzforce-ce-fiware.rtfd.io/) | :mortar_board: [Academy](https://fiware-academy.readthedocs.io/en/latest/security/authzforce) | :whale: [Docker Hub](https://hub.docker.com/r/authzforce/server/) |  :dart: [Roadmap](https://github.com/authzforce/server/blob/develop/ROADMAP.md)
+|---|---|---|---|
 
 
 ## Contents
@@ -160,7 +160,7 @@ More information in the previous section.
 
 -   Integration with file synchronization tools (e.g.
     [csync2](http://oss.linbit.com/csync2/)) or distributed filesystems (e.g.
-    NFS and CIFS) to build clusters of AuthZForce Servers.
+    NFS and CIFS) to build clusters of AuthzForce Servers.
 
 ## Limitations
 
@@ -268,7 +268,7 @@ request, notification, potential issue (unconfirmed), etc.
 If you are experiencing any bug with this project and you indeed confirm this is
 not an issue with your environment (contact the users mailing list first if you
 are unsure), please report it on the
-[OW2 Issue Tracker](https://jira.ow2.org/browse/AUTHZFORCE/). Please include as
+[OW2 Issue Tracker](https://gitlab.ow2.org/authzforce/server/issues). Please include as
 much information as possible; the more we know, the better the chance of a
 quicker resolution:
 
@@ -299,20 +299,26 @@ The sources for the manuals are located in
 ### Releasing
 
 1.  From the develop branch, prepare a release (example using a HTTP proxy):
+
 ```console
-    $ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-start
+$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-start
 ```
+
 2.  Update the [changelog](CHANGELOG.md) with the new version according to
     keepachangelog.com.
 3.  Commit
 4.  Perform the software release (example using a HTTP proxy):
-```console
+
+    ```console
     $ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-finish
-```
-        If, after deployment, the command does not succeed because of some issue with the branches. Fix the issue, then re-run the same command but with 'noDeploy' option set to true to avoid re-deployment:
-```console
+    ```
+
+    If, after deployment, the command does not succeed because of some issue with the branches. Fix the issue, then re-run the     same command but with 'noDeploy' option set to true to avoid re-deployment:
+
+    ```console
     $ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 -DnoDeploy=true jgitflow:release-finish
-```
+    ```
+    
     More info on jgitflow: http://jgitflow.bitbucket.org/
 5.  Connect and log in to the OSS Nexus Repository Manager:
     https://oss.sonatype.org/
@@ -339,3 +345,20 @@ and `org.ow2.authzforce.webapp.org.codehaus.jettison.mapped` which are under
 Apache License.
 
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgit.luolix.top%2Fauthzforce%2Fserver.svg?type=large)](https://app.fossa.io/projects/git%2Bgit.luolix.top%2Fauthzforce%2Fserver?ref=badge_large)
+
+### Are there any legal issues with GPL 3.0? Is it safe for me to use?
+
+There is absolutely no problem in using a product licensed under GPL 3.0. Issues with GPL 
+(or AGPL) licenses are mostly related with the fact that different people assign different 
+interpretations on the meaning of the term “derivate work” used in these licenses. Due to this,
+some people believe that there is a risk in just _using_ software under GPL or AGPL licenses
+(even without _modifying_ it).
+
+For the avoidance of doubt, the owners of this software licensed under an GPL 3.0 license  
+wish to make a clarifying public statement as follows:
+
+> Please note that software derived as a result of modifying the source code of this
+> software in order to fix a bug or incorporate enhancements is considered a derivative 
+> work of the product. Software that merely uses or aggregates (i.e. links to) an otherwise 
+> unmodified version of existing software is not considered a derivative work, and therefore
+> it does not need to be released as under the same license, or even released as open source.

ROADMAP.md

@@ -18,9 +18,9 @@ any time.
 ## Short term
 
 The following list of features are planned to be addressed in the short term,
-and incorporated in the next release of the product planned for **2019**:
+and incorporated in the next release of the product planned for **2020**:
 
-- [Systematic policy validation on PAP API](https://github.com/authzforce/server/issues/29).
+- #50 .
 
 ## Medium term
 

dist/html/footer.html

@@ -1,3 +1,3 @@
-<footer>&copy; Copyright ${inceptionYear}-${currentYear} Thales Services.</footer>
+<footer>&copy; Copyright ${inceptionYear}-${currentYear} Thales.</footer>
 </body>
 </html>

dist/html/header.html

@@ -2,7 +2,7 @@
    "http://www.w3.org/TR/html4/strict.dtd">
 <html lang="en">
 <head>
-    <title>AuthZForce Upgrader</title>
+    <title>AuthzForce Upgrader</title>
     <meta charset="utf-8" />
 <!--     <link rel="stylesheet" href="##SITE_BASE##/css/default.css"> -->
 </head>

dist/pom.xml

@@ -3,14 +3,14 @@
    <parent>
       <groupId>org.ow2.authzforce</groupId>
       <artifactId>authzforce-ce-server</artifactId>
-      <version>8.1.0</version>
+      <version>9.0.0</version>
       <relativePath>..</relativePath>
    </parent>
    <artifactId>authzforce-ce-server-dist</artifactId>
    <!-- If using 'pom' packaging, jdeb refuses to execute. -->
    <packaging>jar</packaging>
    <name>${project.groupId}:${project.artifactId}</name>
-   <description>AuthZForce CE server distribution (zip and deb)</description>
+   <description>AuthzForce CE server distribution (zip and deb)</description>
    <url>https://github.com/authzforce/server/dist</url>
    <scm>
       <connection>scm:git:${git.url.base}.git</connection>
@@ -198,13 +198,13 @@
                               <!-- Starting '.' necessary to get absolute paths, otherwise lintian complains "relative-conffile" -->
                               <prefix>./opt/${productId}/conf</prefix>
                               <user>root</user>
-                              <group>tomcat8</group>
+                              <group>tomcat</group>
                            </mapper>
                         </data>
                         <data>
                            <!-- Webapp-specific context for Tomcat, after replacing 'productId' (see previous <resources> tag), therefore take it from target/classes, i.e. ${project.build.outputDirectory} -->
                            <src>${project.build.outputDirectory}/webapp-context.xml</src>
-                           <dst>/etc/tomcat8/Catalina/localhost/authzforce-ce.xml</dst>
+                           <dst>/etc/tomcat9/Catalina/localhost/authzforce-ce.xml</dst>
                            <type>file</type>
                            <conffile>true</conffile>
                         </data>
@@ -218,22 +218,29 @@
                               <type>perm</type>
                               <prefix>./opt/${productId}/webapp</prefix>
                               <user>root</user>
-                              <group>tomcat8</group>
+                              <group>tomcat</group>
                               <!-- filemode/dirmode set to 000 by default. Issue: https://github.com/tcurdt/jdeb/issues/55 -->
                               <filemode>644</filemode>
                               <dirmode>755</dirmode>
                               <strip>2</strip>
                            </mapper>
                         </data>
+                        <data>
+                           <!-- Systemd config override to allow writing to other non-official Tomcat directories. More info: https://salsa.debian.org/java-team/tomcat9/blob/master/debian/README.Debian -->
+                           <src>${project.basedir}/src/debian/systemd-tomcat9-override.conf</src>
+                            <dst>/etc/systemd/system/tomcat9.service.d/override.conf</dst>
+                           <type>file</type>
+                           <conffile>true</conffile>
+                        </data>
                         <data>
                            <!-- Configuration directory -->
                            <src>${project.basedir}/src/data/domains</src>
                            <type>directory</type>
                            <mapper>
                               <type>perm</type>
                               <prefix>./opt/${productId}/data/domains</prefix>
-                              <user>tomcat8</user>
-                              <group>tomcat8</group>
+                              <user>tomcat</user>
+                              <group>tomcat</group>
                            </mapper>
                         </data>
                      </dataSet>

dist/src/conf/authzforce-ext.xsd

@@ -2,9 +2,9 @@
 <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="http://authzforce.github.io/rest-api-model/xmlns/authzforce/ext" xmlns:tns="http://authzforce.github.io/rest-api-model/xmlns/authzforce/ext" elementFormDefault="qualified" attributeFormDefault="unqualified" version="4.0">
 	<xs:annotation>
 		<xs:documentation xml:lang="en">
-			Schemas of enabled AuthZForce extensions, such as attribute providers.
+			Schemas of enabled AuthzForce extensions, such as attribute providers.
 		</xs:documentation>
 	</xs:annotation>
 	<!-- Extension for file-based PAP DAO root/ref policy providers -->
-	<xs:import namespace="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6" />
+	<xs:import namespace="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/4" />
 </xs:schema>

dist/src/conf/catalog.xml

@@ -7,5 +7,5 @@
 	<system systemId="authzforce-ext.xsd" uri="classpath:authzforce-ext.xsd"/>
 
 	<!-- PDP Extensions -->
-	<uri name="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6" uri="classpath:org.ow2.authzforce.pap.dao.flatfile.pdp-ext.xsd"/>
+	<uri name="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/4" uri="classpath:org.ow2.authzforce.pap.dao.flatfile.pdp-ext.xsd"/>
 </catalog>

dist/src/conf/domain.tmpl/pdp.xml

@@ -1,13 +1,11 @@
-<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" xmlns:pap-dao="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6"
-   version="6.0.0" maxVariableRefDepth="10" maxPolicyRefDepth="10" strictAttributeIssuerMatch="false">
-   <!-- You may customize this PDP configuration except 'rootPolicyProvider' and 'refPolicyProvider' elements. -->
-   <!-- policyLocation must start with ${PARENT_DIR}/ and end with: /*SUFFIX (* is expanded to base64url(policyId)/policyVersion) -->
-   <refPolicyProvider id="refPolicyProvider" xsi:type="pap-dao:StaticFlatFileDAORefPolicyProvider" policyLocationPattern="${PARENT_DIR}/policies/*.xml" />
-   <rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRefBasedRootPolicyProvider">
-      <policyRef>root</policyRef>
-   </rootPolicyProvider>
-   <ioProcChain>
-      <!-- Replace requestPreproc value with "urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:multiple:repeated-attribute-categories-lax" for Multiple Decision Profile support. -->
-      <requestPreproc>urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:default-lax</requestPreproc>
-   </ioProcChain>
+<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7" xmlns:pap-dao="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/4"
+	version="7.1" maxVariableRefDepth="10" maxPolicyRefDepth="10" strictAttributeIssuerMatch="false">
+	<!-- You may customize this PDP configuration except 'policyProvider' element. -->
+	<!-- policyLocation must start with ${PARENT_DIR}/ and end with: /*SUFFIX (* is expanded to base64url(policyId)/policyVersion) -->
+	<policyProvider id="rootPolicyProvider" xsi:type="pap-dao:StaticFlatFileDaoPolicyProviderDescriptor" policyLocationPattern="${PARENT_DIR}/policies/*.xml" />
+	<rootPolicyRef policySet="true">root</rootPolicyRef>
+	<ioProcChain>
+		<!-- Replace requestPreproc value with "urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:multiple:repeated-attribute-categories-lax" for Multiple Decision Profile support. -->
+		<requestPreproc>urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:default-lax</requestPreproc>
+	</ioProcChain>
 </pdp>

dist/src/data/domains/A0bdIbmGEeWhFwcKrC9gSQ/pdp.xml

@@ -1,20 +1,7 @@
-<pdp
-   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-   xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0"
-   xmlns:pap-dao="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6"
-   version="6.0.0"
-   maxVariableRefDepth="10"
-   maxPolicyRefDepth="10"
-   strictAttributeIssuerMatch="false">
-   <!-- You may customize this PDP configuration except 'rootPolicyProvider' and 'refPolicyProvider' elements. -->
-   <!-- policyLocation must start with ${PARENT_DIR}/ and end with: /*SUFFIX (* is expanded to base64url(policyId)/policyVersion) -->
-   <refPolicyProvider
-      id="refPolicyProvider"
-      xsi:type="pap-dao:StaticFlatFileDAORefPolicyProvider"
-      policyLocationPattern="${PARENT_DIR}/policies/*.xml" />
-   <rootPolicyProvider
-      id="rootPolicyProvider"
-      xsi:type="StaticRefBasedRootPolicyProvider">
-      <policyRef>root</policyRef>
-   </rootPolicyProvider>
+<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/7" xmlns:pap-dao="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/4"
+	version="7.1" maxVariableRefDepth="10" maxPolicyRefDepth="10" strictAttributeIssuerMatch="false">
+	<!-- You may customize this PDP configuration except 'policyProvider' element. -->
+	<!-- policyLocation must start with ${PARENT_DIR}/ and end with: /*SUFFIX (* is expanded to base64url(policyId)/policyVersion) -->
+	<policyProvider id="rootPolicyProvider" xsi:type="pap-dao:StaticFlatFileDaoPolicyProviderDescriptor" policyLocationPattern="${PARENT_DIR}/policies/*.xml" />
+	<rootPolicyRef policySet="true">root</rootPolicyRef>
 </pdp>

dist/src/debian/changelog

@@ -1,3 +1,3 @@
 authzforce-ce-server (${project.version}) xenial; urgency=low
   * See https://github.com/authzforce/server/blob/release-${project.version}/CHANGELOG.md
- -- Thales Services <http://www.thalesgroup.com>  ${debian.changelog.timestamp}
+ -- Thales <http://www.thalesgroup.com>  ${debian.changelog.timestamp}

dist/src/debian/changes.jdeb.txt

@@ -1,2 +1,2 @@
-release date=${jdeb.changelog.timestamp},version=${project.version},urgency=low,by=Thales Services <http://www.thalesgroup.com>
+release date=${jdeb.changelog.timestamp},version=${project.version},urgency=low,by=Thales <http://www.thalesgroup.com>
  * See https://github.com/authzforce/server/blob/release-${project.version}/CHANGELOG.md

dist/src/debian/control/control

@@ -3,7 +3,7 @@ Version: [[version]]
 Section: web
 Priority: optional
 Architecture: all
-Depends: debconf (>= 0.2.26), openjdk-8-jre | oracle-java8-installer, tomcat8
+Depends: debconf (>= 0.2.26), openjdk-8-jre | oracle-java8-installer, tomcat9
 Maintainer: [[productMaintainer]] 
 Description: AuthzForce CE Server.
  Reference Implementation of FIWARE Authorization PDP Generic Enabler