Merge branch 'release/7.1.0'

README.md

@@ -1,6 +1,6 @@
 # AuthZForce Server (Community Edition)
 [![License badge](https://img.shields.io/badge/license-GPL-blue.svg)](https://opensource.org/licenses/GPL-3.0)
-[![Documentation badge](https://readthedocs.org/projects/authzforce-ce-fiware/badge/?version=release-5.4.1c)](http://authzforce-ce-fiware.readthedocs.io/en/release-5.4.1c/?badge=release-5.4.1c)
+[![Documentation badge](https://readthedocs.org/projects/authzforce-ce-fiware/badge/?version=release-5.4.1d)](http://authzforce-ce-fiware.readthedocs.io/en/release-5.4.1d/?badge=release-5.4.1d)
 [![Docker badge](https://img.shields.io/docker/pulls/fiware/authzforce-ce-server.svg)](https://hub.docker.com/r/fiware/authzforce-ce-server/)
 [![Support badge]( https://img.shields.io/badge/support-ask.fiware.org-yellowgreen.svg)](https://ask.fiware.org/questions/scope:all/sort:activity-desc/tags:authzforce/)
 [![Codacy Badge](https://api.codacy.com/project/badge/Grade/cdb9dd59cbf04a95bfbfbdcf770bb7d8)](https://www.codacy.com/app/coder103/authzforce-ce-server?utm_source=github.com&utm_medium=referral&utm_content=authzforce/server&utm_campaign=Badge_Grade)
@@ -11,7 +11,7 @@ AuthZForce Server provides a multi-tenant RESTful API to Policy Administration P
 
 AuthZForce Server is also the Reference Implementation (GEri) of [FIWARE](https://www.fiware.org) *Authorization PDP* Generic Enabler (GE). More info on the [FIWARE catalogue](http://catalogue.fiware.org/enablers/authorization-pdp-authzforce).
 
-**Go to the [releases](https://github.com/authzforce/server/releases) page for links to downloads (Linux packages), Docker image, release notes, and documentation for a specific release.**
+**Go to the [releases](https://github.com/authzforce/server/releases) page for specific release info: downloads (Linux packages), Docker image, [release notes](CHANGELOG.md), and [documentation](http://readthedocs.org/projects/authzforce-ce-fiware/versions/).**
 
 *If you are interested in using an embedded XACML-compliant PDP in your Java applications, AuthZForce also provides a PDP engine as a Java library in [Authzforce core project](http://github.com/authzforce/core).*
 
@@ -20,16 +20,16 @@ AuthZForce Server is also the Reference Implementation (GEri) of [FIWARE](https:
 
 ### PDP (Policy Decision Point)
 * Compliance with the following OASIS XACML 3.0 standards:
-  * [XACML v3.0 Core standard](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html): all mandatory and optional features are supported, **except**: 
-    * Elements `AttributesReferences`, `MultiRequests` and `RequestReference`;
-    * Functions `urn:oasis:names:tc:xacml:3.0:function:xpath-node-equal`, `urn:oasis:names:tc:xacml:3.0:function:xpath-node-match` and `urn:oasis:names:tc:xacml:3.0:function:access-permitted`;
-    * [Algorithms planned for future deprecation](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047257).
+  * [XACML v3.0 Core standard](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html): all mandatory and optional features are supported, **except**:
+      * Elements `AttributesReferences`, `MultiRequests` and `RequestReference`;
+      * Functions `urn:oasis:names:tc:xacml:3.0:function:xpath-node-equal`, `urn:oasis:names:tc:xacml:3.0:function:xpath-node-match` and `urn:oasis:names:tc:xacml:3.0:function:access-permitted`;
+      * [Algorithms planned for future deprecation](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047257).
   * [XACML v3.0 Core and Hierarchical Role Based Access Control (RBAC) Profile Version 1.0](http://docs.oasis-open.org/xacml/3.0/rbac/v1.0/xacml-3.0-rbac-v1.0.html)
   * [XACML v3.0 Multiple Decision Profile Version 1.0 - Repeated attribute categories](http://docs.oasis-open.org/xacml/3.0/multiple/v1.0/cs02/xacml-3.0-multiple-v1.0-cs02.html#_Toc388943334)  (`urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories`). 
   * Experimental support for:
-    * [XACML Data Loss Prevention / Network Access Control (DLP/NAC) Profile Version 1.0](http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/xacml-3.0-dlp-nac-v1.0.html): only `dnsName-value` datatype and `dnsName-value-equal` function are supported;
-    * [XACML 3.0 Additional Combining Algorithms Profile Version 1.0](http://docs.oasis-open.org/xacml/xacml-3.0-combalgs/v1.0/xacml-3.0-combalgs-v1.0.html): `on-permit-apply-second` policy combining algorithm;
-    * [XACML v3.0 Multiple Decision Profile Version 1.0 - Requests for a combined decision](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-multiple-v1-spec-cd-03-en.html#_Toc260837890)  (`urn:oasis:names:tc:xacml:3.0:profile:multiple:combined-decision`). 
+      * [XACML Data Loss Prevention / Network Access Control (DLP/NAC) Profile Version 1.0](http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/xacml-3.0-dlp-nac-v1.0.html): only `dnsName-value` datatype and `dnsName-value-equal` function are supported;
+      * [XACML 3.0 Additional Combining Algorithms Profile Version 1.0](http://docs.oasis-open.org/xacml/xacml-3.0-combalgs/v1.0/xacml-3.0-combalgs-v1.0.html): `on-permit-apply-second` policy combining algorithm;
+      * [XACML v3.0 Multiple Decision Profile Version 1.0 - Requests for a combined decision](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-multiple-v1-spec-cd-03-en.html#_Toc260837890)  (`urn:oasis:names:tc:xacml:3.0:profile:multiple:combined-decision`). 
 * Detection of circular XACML policy references (PolicySetIdReference); 
 * Control of the **maximum XACML PolicySetIdReference depth**;
 * Control of the **maximum XACML VariableReference depth**;
@@ -75,6 +75,10 @@ For download links, please go to the specific [release page](https://github.com/
 ## Documentation
 For links to the documentation of a release, please go to the specific [release page](https://github.com/authzforce/server/releases).
 
+## Examples of usage and PEP code with a web service authorization module
+For an example of using an AuthzForce Server's RESTful PDP API in a real-life use case, please refer to the JUnit test class [RESTfulPdpBasedAuthzInterceptorTest](webapp/src/test/java/org/ow2/authzforce/web/test/pep/cxf/RESTfulPdpBasedAuthzInterceptorTest.java) and the Apache CXF authorization interceptor [RESTfulPdpBasedAuthzInterceptor](webapp/src/test/java/org/ow2/authzforce/web/test/pep/cxf/RESTfulPdpBasedAuthzInterceptor.java). The test class runs a test similar to @coheigea's [XACML 3.0 Authorization Interceptor test](https://github.com/coheigea/testcases/blob/master/apache/cxf/cxf-sts-xacml/src/test/java/org/apache/coheigea/cxf/sts/xacml/authorization/xacml3/XACML3AuthorizationTest.java) but using AuthzForce Server as PDP instead of OpenAZ. In this test, a web service client requests a Apache-CXF-based web service with a SAML token as credentials (previously issued by a Security Token Service upon successful client authentication) that contains the user ID and roles. Each request is intercepted on the web service side by a [RESTfulPdpBasedAuthzInterceptor](webapp/src/test/java/org/ow2/authzforce/web/test/pep/cxf/RESTfulPdpBasedAuthzInterceptor.java) that plays the role of PEP (Policy Enforcement Point in XACML jargon), i.e. it extracts the various authorization attributes (user ID and roles, web service name, operation...) and requests a decision with these attributes from a remote PDP provided by AuthzForce Server, then enforces the PDP's decision, i.e. forwards the request to the web service implementation if the decision is Permit, else rejects it.
+For more information, see the Javadoc of [RESTfulPdpBasedAuthzInterceptorTest](webapp/src/test/java/org/ow2/authzforce/web/test/pep/cxf/RESTfulPdpBasedAuthzInterceptorTest.java).
+
 ## Support
 Use the *Issues* tab on the Github repository page.
 Please include as much information as possible; the more we know, the better the chance of a quicker resolution:
@@ -96,8 +100,10 @@ The sources for the manuals are located in [fiware repository](http://github.com
 <pre><code>
     $ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-start
 </code></pre>
-1. Update the CHANGELOG according to keepachangelog.com.
-1. To perform the release (example using a HTTP proxy):
+1. Update the `AUTHZFORCE_SERVER_VERSION` ENV variable to the new version in [Dockerfile](dist/src/docker/Dockerfile).
+1. Update the [changelog](CHANGELOG.md) with the new version according to keepachangelog.com.
+1. Commit 
+1. Perform the software release (example using a HTTP proxy):
 <pre><code>
     $ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-finish
 </code></pre>
@@ -110,5 +116,6 @@ The sources for the manuals are located in [fiware repository](http://github.com
 1. Go to Staging Profiles and select the pending repository authzforce-*... you just uploaded with `jgitflow:release-finish`
 1. Click the Release button to release to Maven Central.
 1. When the artifacts have been successfully published on Maven Central, follow the instructions in the [Release section of fiware repository](https://github.com/authzforce/fiware/blob/master/README.md#release).
+1. Build the Dockerfile by triggering Docker automated build on the current Github release branch in [authzforce-ce-server's Docker repository](https://hub.docker.com/r/authzforce/server/) (*Build Settings*). Check the result in *Build Details*.
 1. Update the versions in badges at the top of this file.
 1. Create a release on Github with a description based on the [release description template](release.description.tmpl.md), replacing M/m/P with the new major/minor/patch versions.

dist/pom.xml

@@ -3,7 +3,7 @@
    <parent>
       <groupId>org.ow2.authzforce</groupId>
       <artifactId>authzforce-ce-server</artifactId>
-      <version>7.0.0</version>
+      <version>7.1.0</version>
       <relativePath>..</relativePath>
    </parent>
    <artifactId>authzforce-ce-server-dist</artifactId>

dist/src/docker/Dockerfile

@@ -0,0 +1,75 @@
+# Copyright (C) 2012-2017 Thales Services SAS.
+#
+# This file is part of AuthZForce CE.
+#
+# AuthZForce CE is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+# 
+# AuthZForce CE is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with AuthZForce CE.  If not, see <http://www.gnu.org/licenses/>.
+
+# Best practices for writing Dockerfiles:
+# https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/
+
+# Tips to do an unattended installation on Debian/Ubuntu: 
+# http://www.microhowto.info/howto/perform_an_unattended_installation_of_a_debian_package.html
+
+# The alternative is to use FROM ubuntu:* then install tomcat ubuntu package and use upstart/sysctl init script but this is not the way to go:
+# https://github.com/docker/docker/issues/6800
+FROM tomcat:8-jre8
+MAINTAINER AuthzForce Team (contact mailing list: http://scr.im/azteam)
+
+ENV DEBIAN_FRONTEND noninteractive
+
+# Proxy configuration (if you are building from behind a proxy)
+# Next release of docker 1.9.0 should allow you to configure these by passing build-time arguments
+# More info: https://github.com/docker/docker/issues/14634
+
+#ENV http_proxy 'http://user:password@proxy-host:proxy-port'
+#ENV https_proxy 'http://user:password@proxy-host:proxy-port'
+#ENV HTTP_PROXY 'http://user:password@proxy-host:proxy-port'
+#ENV HTTPS_PROXY 'http://user:password@proxy-host:proxy-port'
+
+ENV JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Djavax.xml.accessExternalSchema=http -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server"
+
+ENV AUTHZFORCE_SERVER_VERSION="7.1.0"
+ENV AUTHZFORCE_SERVER_DOWNLOAD_URL="http://repo1.maven.org/maven2/org/ow2/authzforce/authzforce-ce-server-dist/$AUTHZFORCE_SERVER_VERSION/authzforce-ce-server-dist-$AUTHZFORCE_SERVER_VERSION.deb"
+
+# Download and install Authzforce Server (service starts automatically)
+# Where there is a command with a pipe, we need to put in between quotes and make it an argument to bash -c command
+RUN apt-get update --assume-yes -qq && \
+ apt-get install --assume-yes -qq \
+        locales-all \ 
+        locales \
+        less \
+        apt-utils \ 
+        debconf-utils \
+        gdebi \
+        curl && \
+ rm -rf /var/lib/apt/lists/* 
+
+RUN locale-gen en_US en_US.UTF-8
+RUN dpkg-reconfigure locales
+ENV LANG en_US.UTF-8 
+ENV LANGUAGE en_US:en 
+ENV LC_ALL en_US.UTF-8 
+
+RUN curl --silent --output authzforce-ce-server.deb --location $AUTHZFORCE_SERVER_DOWNLOAD_URL && \
+ dpkg --extract authzforce-ce-server.deb /root/authzforce/ && \
+ mv /root/authzforce/etc/tomcat8/Catalina /usr/local/tomcat/conf/ && \
+ mv /root/authzforce/opt/* /opt/ && \
+ rm -rf /opt/authzforce-ce-server/data/domains/* && \
+ rm -rf /root/authzforce && \
+ rm -f authzforce-ce-server.deb
+CMD ["catalina.sh", "run"]
+
+### Exposed ports
+# - App server
+EXPOSE 8080

dist/src/docker/README.md

@@ -0,0 +1,59 @@
+## AuthzForce Server CE - Minimal Docker image
+
+This image of a minimal AuthzForce Server runtime is intended to work together with [Identity Manager - Keyrock](http://catalogue.fiware.org/enablers/identity-management-keyrock) and [PEP Proxy Wilma](http://catalogue.fiware.org/enablers/pep-proxy-wilma) generic enabler.
+
+## Image contents
+- OpenJDK JRE 8;
+- Tomcat 8;
+- AuthzForce Server CE (version matching the Docker image tag).
+
+## Usage
+
+This image gives you a minimal installation for testing purposes. The AuthzForce Installation and Administration guide on [readthedocs.org](https://readthedocs.org/projects/authzforce-ce-fiware/versions/) (select the version matching the Docker image tag, then **AuthzForce - Installation and Administration Guide**) provides you a better approach for using it in a production environment. This installation guide also gives instructions to install from .deb package (instead of Docker), which is the recommended way for Ubuntu hosts.
+
+Create a container using `authzforce/server` image by doing (replace the first *8080* after *-p* with whatever network port you want to use on the host to access the AuthzForce Server, e.g. 80; and *release-7.1.0* with the current Docker image tag that you are using):
+
+```
+docker run -d -p 8080:8080 --name <container-name> fiware/authzforce-ce-server:release-7.1.0
+```
+
+As stands in the AuthZForce Installation and administration guide on [readthedocs.org](https://readthedocs.org/projects/authzforce-ce-fiware/versions/) (select the version matching the Docker image tag, then **AuthzForce - Installation and Administration Guide**) you can:
+
+* **Create a domain**
+
+```
+curl -s --request POST \
+--header "Accept: application/xml" \
+--header "Content-Type: application/xml;charset=UTF-8" \
+--data '<?xml version="1.0" encoding="UTF-8"?><taz:domainProperties xmlns:taz="http://authzforce.github.io/rest-api-model/xmlns/authz/5" />' \
+ http://<authzforce-container-ip>:8080/authzforce-ce/domains
+```
+
+* **Retrieve the domain ID**
+
+```
+curl -s --request GET http://<authzforce-container-ip>:8080/authzforce-ce/domains
+```
+
+* **Domain removal**
+
+```
+curl --verbose --request DELETE \
+--header "Content-Type: application/xml;charset=UTF-8" \
+--header "Accept: application/xml" \
+http://<authzforce-container-ip>:8080/authzforce-ce/domains/<domain-id>
+```
+
+* **User and Role Management Setup && Domain Role Assignment**
+
+These tasks are now delegated to the [Identity Manager - Keyrock](http://catalogue.fiware.org/enablers/identity-management-keyrock) enabler. Here you can find how to use the interface for that purpose: [How to manage AuthzForce in Fiware](https://www.fiware.org/devguides/handling-authorization-and-access-control-to-apis/how-to-manage-access-control-in-fiware/).
+
+## User feedback
+
+### Documentation
+
+All the information regarding the Dockerfile is hosted publicly on [Github](https://github.com/authzforce/server/tree/master/src/docker).
+
+### Issues
+
+If you find any issue with this image, feel free to report at [Github issue tracking system](https://github.com/authzforce/server/issues).

pom.xml

@@ -4,21 +4,21 @@
    <parent>
       <groupId>org.ow2.authzforce</groupId>
       <artifactId>authzforce-ce-parent</artifactId>
-      <version>5.0.0</version>
+      <version>5.1.0</version>
    </parent>
    <artifactId>authzforce-ce-server</artifactId>
    <!-- FIWARE Versioning + Version must be equal or higher than 'authzforce-ce-rest-api-model' dependency in 'rest-service' module -->
-   <version>7.0.0</version>
+   <version>7.1.0</version>
    <packaging>pom</packaging>
    <name>${project.groupId}:${project.artifactId}</name>
-   <description>AuthZForce CE Server</description>
-   <url>https://github.com/authzforce/server</url>
+   <description>AuthzForce CE Server</description>
+   <url>${project.url}</url>
    <properties>
       <git.url.base>https://github.com/authzforce/server</git.url.base>
-      <authzforce-ce-core.version>7.1.0</authzforce-ce-core.version>
-      <authzforce-ce-core-pap-api.version>6.3.0</authzforce-ce-core-pap-api.version>
+      <authzforce-ce-core.version>8.0.0</authzforce-ce-core.version>
+      <authzforce-ce-core-pap-api.version>6.4.0</authzforce-ce-core-pap-api.version>
       <!-- Version must be compatible with authzforce-ce-core and authzforce-ce-core-pap-api versions above. -->
-      <authzforce-ce-pap-dao-flat-file.version>8.0.0</authzforce-ce-pap-dao-flat-file.version>
+      <authzforce-ce-pap-dao-flat-file.version>8.1.0</authzforce-ce-pap-dao-flat-file.version>
    </properties>
    <scm>
       <connection>scm:git:${git.url.base}.git</connection>
@@ -30,9 +30,8 @@
       <dependencies>
          <dependency>
             <groupId>${project.groupId}</groupId>
-            <artifactId>${artifactId.prefix}-core</artifactId>
+            <artifactId>${artifactId.prefix}-core-pdp-testutils</artifactId>
             <version>${authzforce-ce-core.version}</version>
-            <classifier>tests</classifier>
          </dependency>
          <dependency>
             <groupId>${project.groupId}</groupId>

rest-service/pom.xml

@@ -4,7 +4,7 @@
       <groupId>org.ow2.authzforce</groupId>
       <artifactId>authzforce-ce-server</artifactId>
       <!-- Version must be equal or higher than authzforce-ce-rest-api-model dependency -->
-      <version>7.0.0</version>
+      <version>7.1.0</version>
       <relativePath>..</relativePath>
    </parent>
    <artifactId>authzforce-ce-server-rest-service</artifactId>

rest-service/src/main/java/org/ow2/authzforce/rest/service/jaxrs/BadRequestExceptionMapper.java

@@ -1,20 +1,20 @@
 /**
  * Copyright (C) 2012-2017 Thales Services SAS.
  *
- * This file is part of AuthZForce CE.
+ * This file is part of AuthzForce CE.
  *
- * AuthZForce CE is free software: you can redistribute it and/or modify
+ * AuthzForce CE is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation, either version 3 of the License, or
  * (at your option) any later version.
  *
- * AuthZForce CE is distributed in the hope that it will be useful,
+ * AuthzForce CE is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
- * along with AuthZForce CE.  If not, see <http://www.gnu.org/licenses/>.
+ * along with AuthzForce CE.  If not, see <http://www.gnu.org/licenses/>.
  */
 /**
  *