Merge branch 'release/10.0.0'

.github/workflows/ci.yml

@@ -0,0 +1,26 @@
+name: CI
+'on':
+  push:
+    branches:
+      - develop
+  pull_request:
+    branches:
+      - develop
+jobs:
+  unit-test:
+    name: Unit Tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Git checkout
+        uses: actions/checkout@v2
+      - name: Use Java 8
+        uses: actions/setup-java@v1
+        with:
+          java-version: 8
+      - name: 'Unit Tests with Java 8'
+        run: |
+          mvn install -DskipTests=true -Dmaven.javadoc.skip=true -B -V
+          mvn test -B
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COVERALLS_TOKEN: ${{ secrets.COVERALLS_TOKEN }}

.gitignore

@@ -4,3 +4,5 @@
 /.README.md.html
 /.CHANGELOG.md.html
 /.pmd
+/.idea
+*.iml

CHANGELOG.md

@@ -4,6 +4,40 @@ All notable changes to this project are documented in this file following the [K
 Issues reported on [GitHub](https://github.com/authzforce/server/issues) are referenced in the form of `[GH-N]`, where N is the issue number. Issues reported on [OW2](https://jira.ow2.org/browse/AUTHZFORCE/) are mentioned in the form of `[OW2-N]`, where N is the issue number.
 
 
+## 10.0.0
+### Changed
+- Upgraded AuthzForce Parent: 8.0.0:
+  - Upgraded to Java 11 support (Java 8 no longer supported)	
+- Upgraded dependencies:
+  - authzforce-ce-rest-api-model: 6.0.0
+  -	authzforce-ce-jaxrs-utils: 2.0.1
+  - authzforce-ce-core-pdp-engine: 17.1.0
+  - authzforce-ce-core-pdp-io-xacml-json: 17.1.0
+  -	authzforce-ce-core-pap-api: 11.0.0
+  - authzforce-ce-pap-dao-flat-file: 13.0.0
+  - authzforce-ce-core-pdp-api: 18.0.1	
+  - authzforce-ce-xacml-json-model: 3.0.2
+  - Jakarta RESTful Web Services: 2.1.6
+  - JAXB (Jakarta XML Binding): 2.3.3
+  - Apache CXF v3.4.1
+  - Spring Boot Starter 2.3.5
+  - Spring Core: 5.2.10 	
+  - jettison: 1.4.1
+  - org.json:json: v20190722 
+  - org.everit.json.schema: 1.12.1	
+  - SLF4J API: 1.7.30
+
+
+### Added
+- GH-61: JSON Object support in XACML/JSON Requests/Responses (as defined by JSON Profile of XACML), allowing custom XACML datatypes with JSON object structures.
+- Support for validation of XACML/JSON requests (JSON Profile) with custom JSON schema stored in configuration directory, using new webapp environment property (e.g. specified in Tomcat webapp context) `org.ow2.authzforce.domains.xacmlJsonSchemaRelativePath` to be specified in `/etc/tomcat9/<Engine>/<Host>/authzforce-ce.xml`  (more info in [webapp-context.xml](dist/src/webapp-context.xml) )
+
+### Fixed
+- GH-62: duplicate declaration of namespace prefix now allowed
+- CVE on jackson-databind -> v2.9.10.8
+- CVE-2018-8088 affecting slf4j
+
+
 ## 9.0.1
 ### Fixed
 - Tomcat startup error after Debian package install
@@ -31,7 +65,7 @@ Issues reported on [GitHub](https://github.com/authzforce/server/issues) are ref
 	- authzforce-ce-pap-dao-flat-file: 12.0.0
 
 ### Fixed
-- #46 : bad PolicySets pushed to the /pap/policies endpoint are still saved on server side even if a HTTP 400 Bad Request is returned.
+- GH-46: bad PolicySets pushed to the /pap/policies endpoint are still saved on server side even if a HTTP 400 Bad Request is returned.
 - Issues with XACML/JSON responses (XACML JSON Profile)
 - CVE on slf4j
 

README.md

@@ -7,7 +7,7 @@
 [![Support badge](https://img.shields.io/badge/support-ask.fiware.org-yellowgreen.svg)](https://ask.fiware.org/questions/scope:all/sort:activity-desc/tags:authzforce/)
 <br/>
 [![Documentation badge](https://readthedocs.org/projects/authzforce-ce-fiware/badge/?version=latest)](http://authzforce-ce-fiware.readthedocs.io/en/latest/?badge=latest)
-[![Build Status](https://travis-ci.org/authzforce/server.svg?branch=develop)](https://travis-ci.org/authzforce/server)
+[![CI](https://github.com/authzforce/server/workflows/CI/badge.svg)](https://github.com/authzforce/server/actions?query=workflow%3ACI)
 ![Status](https://nexus.lab.fiware.org/static/badges/statuses/authzforce.svg)
 [![Codacy Badge](https://api.codacy.com/project/badge/Grade/cdb9dd59cbf04a95bfbfbdcf770bb7d8)](https://www.codacy.com/app/coder103/authzforce-ce-server?utm_source=github.com&utm_medium=referral&utm_content=authzforce/server&utm_campaign=Badge_Grade)
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgit.luolix.top%2Fauthzforce%2Fserver.svg?type=shield)](https://app.fossa.io/projects/git%2Bgit.luolix.top%2Fauthzforce%2Fserver?ref=badge_shield)
@@ -67,6 +67,7 @@ applications, AuthzForce also provides a PDP engine as a Java library in
             validation;
         -   DoS mitigation: JSON parser variant checking max JSON string size,
             max number of JSON keys/array items and max JSON object depth.
+    - [GeoXACML 1.0.1](http://portal.opengeospatial.org/files/?artifact_id=42734). Supported as third-party extension from [Secure Dimensions](https://github.com/securedimensions/authzforce-geoxacml-basic)
     -   Experimental support for:
         -   [XACML Data Loss Prevention / Network Access Control (DLP/NAC) Profile Version 1.0](http://docs.oasis-open.org/xacml/xacml-3.0-dlp-nac/v1.0/xacml-3.0-dlp-nac-v1.0.html):
             only `dnsName-value` datatype and `dnsName-value-equal` function are
@@ -147,10 +148,10 @@ More information in the previous section.
 -   Conformance with
     [REST Profile of XACML v3.0 Version 1.0](http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.html)
 -   Supported data formats, aka content types:
-    - `application/xml`: XML based on API schema; 
-    - `application/fastinfoset`: [Fast Infoset](http://www.itu.int/en/ITU-T/asn1/Pages/Fast-Infoset.aspx) based on API's XML schema; 
-    - `application/json`: JSON based on API's XMLschema with a generic XML-to-JSON mapping convention 
-    - `application/xacml+xml`: XACML content only, as defined by [RFC 7061](https://tools.ietf.org/html/rfc7061) 
+    - `application/xml`: XML based on API schema;
+    - `application/fastinfoset`: [Fast Infoset](http://www.itu.int/en/ITU-T/asn1/Pages/Fast-Infoset.aspx) based on API's XML schema;
+    - `application/json`: JSON based on API's XMLschema with a generic XML-to-JSON mapping convention
+    - `application/xacml+xml`: XACML content only, as defined by [RFC 7061](https://tools.ietf.org/html/rfc7061)
     - `application/xacml+json`: JSON format for XACML Request/Response on PDP only, as defined by [XACML v3.0 - JSON Profile Version 1.0](http://docs.oasis-open.org/xacml/xacml-json-http/v1.0/xacml-json-http-v1.0.html)
 -   Defined in standard
     [Web Application Description Language and XML schema](https://github.com/authzforce/rest-api-model/tree/develop/src/main/resources)
@@ -249,7 +250,7 @@ forwards the request to the web service implementation if the decision is
 Permit, else rejects it. For more information, see the Javadoc of
 [RESTfulPdpBasedAuthzInterceptorTest](webapp/src/test/java/org/ow2/authzforce/webapp/test/pep/cxf/RESTfulPdpBasedAuthzInterceptorTest.java).
 
-    
+
 ## Testing
 
 To run unit tests, install Maven and type
@@ -318,7 +319,7 @@ $ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-st
     ```console
     $ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 -DnoDeploy=true jgitflow:release-finish
     ```
-    
+
     More info on jgitflow: http://jgitflow.bitbucket.org/
 5.  Connect and log in to the OSS Nexus Repository Manager:
     https://oss.sonatype.org/
@@ -348,17 +349,17 @@ Apache License.
 
 ### Are there any legal issues with GPL 3.0? Is it safe for me to use?
 
-There is absolutely no problem in using a product licensed under GPL 3.0. Issues with GPL 
-(or AGPL) licenses are mostly related with the fact that different people assign different 
+There is absolutely no problem in using a product licensed under GPL 3.0. Issues with GPL
+(or AGPL) licenses are mostly related with the fact that different people assign different
 interpretations on the meaning of the term “derivate work” used in these licenses. Due to this,
 some people believe that there is a risk in just _using_ software under GPL or AGPL licenses
 (even without _modifying_ it).
 
-For the avoidance of doubt, the owners of this software licensed under an GPL 3.0 license  
+For the avoidance of doubt, the owners of this software licensed under an GPL 3.0 license
 wish to make a clarifying public statement as follows:
 
 > Please note that software derived as a result of modifying the source code of this
-> software in order to fix a bug or incorporate enhancements is considered a derivative 
-> work of the product. Software that merely uses or aggregates (i.e. links to) an otherwise 
+> software in order to fix a bug or incorporate enhancements is considered a derivative
+> work of the product. Software that merely uses or aggregates (i.e. links to) an otherwise
 > unmodified version of existing software is not considered a derivative work, and therefore
 > it does not need to be released as under the same license, or even released as open source.

ROADMAP.md

@@ -18,17 +18,17 @@ any time.
 ## Short term
 
 The following list of features are planned to be addressed in the short term,
-and incorporated in the next release of the product planned for **2020**:
+and incorporated in the next release of the product planned for **2021**:
 
-- #50 .
+*N/A*
 
 ## Medium term
 
 The following list of features are planned to be addressed in the medium term,
 typically within the subsequent release(s) generated in the next **9 months**
 after next planned release:
 
-- GeoXACML support
+- #50 .
 
 ## Long term
 

dist/pom.xml

@@ -3,7 +3,7 @@
    <parent>
       <groupId>org.ow2.authzforce</groupId>
       <artifactId>authzforce-ce-server</artifactId>
-      <version>9.0.1</version>
+      <version>10.0.0</version>
       <relativePath>..</relativePath>
    </parent>
    <artifactId>authzforce-ce-server-dist</artifactId>

dist/src/debian/control/control

@@ -3,7 +3,7 @@ Version: [[version]]
 Section: web
 Priority: optional
 Architecture: all
-Depends: debconf (>= 0.2.26), openjdk-8-jre | oracle-java8-installer, tomcat9
+Depends: debconf (>= 0.2.26), openjdk-11-jre | oracle-java11-installer, tomcat9
 Maintainer: [[productMaintainer]] 
 Description: AuthzForce CE Server.
  Reference Implementation of FIWARE Authorization PDP Generic Enabler

dist/src/debian/control/postinst

@@ -17,15 +17,15 @@ systemctl daemon-reload
 
 db_get [[productId]]/restartTomcat
 if [ "$RET" = true ]; then
-        export JAVA_OPTS='"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server"'
+        export JAVA_OPTS='"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms1024m -Xmx1024m -server"'
         sed -i 's|^\(JAVA_OPTS\s*=\s*\).*$|\1'"$JAVA_OPTS"'|' /etc/default/tomcat9
         systemctl stop tomcat9
         rm -rf /var/log/tomcat9/*
         systemctl start tomcat9
 fi
 
 echo "If you answered 'No' to the second question, you need to set the JAVA_OPTS in '/etc/default/tomcat9' by yourself before restarting Tomcat:" 
-echo "    JAVA_OPTS=\"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server\""
+echo "    JAVA_OPTS=\"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms1024m -Xmx1024m -server\""
 echo
 echo "If Tomcat fails to restart, check for any Tomcat high-level error in Tomcat log directory: /var/log/tomcat9"
 echo "Then fix it, in particular check the settings in Tomcat init script /etc/default/tomcat9 and restart Tomcat as follows:"

dist/src/debian/control/templates

@@ -10,7 +10,7 @@ Type: boolean
 Default: true
 Description: Do you want to apply recommended Tomcat settings for AuthzForce (and restart Tomcat to apply changes)?
  We recommend the following Tomcat settings for AuthzForce:
-        JAVA_OPTS='"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server"'
+        JAVA_OPTS='"-Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms1024m -Xmx1024m -server"'
  Do you agree to apply these settings to Tomcat init script (/etc/default/tomcat9) now?
  If you answer No, you can always apply these manually and restart Tomcat later with this command:
         $ systemctl restart tomcat9

dist/src/debian/copyright

@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: authzforce-ce-server-dist
 
 Files: *
-Copyright: Copyright (C) 2012-2020 Thales. All rights reserved.
+Copyright: Copyright (C) 2012-2021 Thales. All rights reserved.
 Licence: GPL-3.0
  The full text of the GNU General Public
  License version 3 can be found in the file

dist/src/docker/Dockerfile.tmpl

@@ -1,4 +1,4 @@
-# Copyright (C) 2012-2020 Thales.
+# Copyright (C) 2012-2021 Thales.
 #
 # This file is part of AuthzForce CE.
 #
@@ -23,7 +23,7 @@
 
 # The alternative is to use FROM ubuntu:* then install tomcat ubuntu package and use upstart/sysctl init script but this is not the way to go:
 # https://github.com/docker/docker/issues/6800
-FROM tomcat:9-jre8
+FROM tomcat:9-jre11-slim
 MAINTAINER AuthzForce Team
 
 ENV DEBIAN_FRONTEND noninteractive
@@ -37,7 +37,7 @@ ENV DEBIAN_FRONTEND noninteractive
 #ENV HTTP_PROXY 'http://user:password@proxy-host:proxy-port'
 #ENV HTTPS_PROXY 'http://user:password@proxy-host:proxy-port'
 
-ENV JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms1024m -Xmx1024m -XX:+UseConcMarkSweepGC -server"
+ENV JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom -Djava.awt.headless=true -Djavax.xml.accessExternalSchema=all -Xms1024m -Xmx1024m -server"
 
 ENV AUTHZFORCE_SERVER_VERSION="${project.version}"
 ENV AUTHZFORCE_SERVER_DOWNLOAD_URL="https://repo1.maven.org/maven2/org/ow2/authzforce/authzforce-ce-server-dist/$AUTHZFORCE_SERVER_VERSION/authzforce-ce-server-dist-$AUTHZFORCE_SERVER_VERSION.deb"

dist/src/docker/README.md

@@ -1,59 +1,59 @@
-## AuthzForce Server CE - Minimal Docker image
-
-This image of a minimal AuthzForce Server runtime is intended to work together with [Identity Manager - Keyrock](http://catalogue.fiware.org/enablers/identity-management-keyrock) and [PEP Proxy Wilma](http://catalogue.fiware.org/enablers/pep-proxy-wilma) generic enabler.
-
-## Image contents
-- OpenJDK JRE 8;
-- Tomcat 9;
-- AuthzForce Server CE (version matching the Docker image tag).
-
-## Usage
-
-This image gives you a minimal installation for testing purposes. The AuthzForce Installation and Administration guide on [readthedocs.org](https://readthedocs.org/projects/authzforce-ce-fiware/versions/) (select the version matching the Docker image tag, then **AuthzForce - Installation and Administration Guide**) provides you a better approach for using it in a production environment. This installation guide also gives instructions to install from .deb package (instead of Docker), which is the recommended way for Ubuntu hosts.
-
-Create a container using `authzforce/server` image by doing (replace the first *8080* after *-p* with whatever network port you want to use on the host to access the AuthzForce Server, e.g. 80; and *release-9.0.0* with the current Docker image tag that you are using):
-
-```
-docker run -d -p 8080:8080 --name <container-name> fiware/authzforce-ce-server:release-9.0.0
-```
-
-As stands in the AuthzForce Installation and administration guide on [readthedocs.org](https://readthedocs.org/projects/authzforce-ce-fiware/versions/) (select the version matching the Docker image tag, then **AuthzForce - Installation and Administration Guide**) you can:
-
-* **Create a domain**
-
-```
-curl -s --request POST \
---header "Accept: application/xml" \
---header "Content-Type: application/xml;charset=UTF-8" \
---data '<?xml version="1.0" encoding="UTF-8"?><taz:domainProperties xmlns:taz="http://authzforce.github.io/rest-api-model/xmlns/authz/5" />' \
- http://<authzforce-container-ip>:8080/authzforce-ce/domains
-```
-
-* **Retrieve the domain ID**
-
-```
-curl -s --request GET http://<authzforce-container-ip>:8080/authzforce-ce/domains
-```
-
-* **Domain removal**
-
-```
-curl --verbose --request DELETE \
---header "Content-Type: application/xml;charset=UTF-8" \
---header "Accept: application/xml" \
-http://<authzforce-container-ip>:8080/authzforce-ce/domains/<domain-id>
-```
-
-* **User and Role Management Setup && Domain Role Assignment**
-
-These tasks are now delegated to the [Identity Manager - Keyrock](http://catalogue.fiware.org/enablers/identity-management-keyrock) enabler. Here you can find how to use the interface for that purpose: [How to manage AuthzForce in Fiware](https://www.fiware.org/devguides/handling-authorization-and-access-control-to-apis/how-to-manage-access-control-in-fiware/).
-
-## User feedback
-
-### Documentation
-
-All the information regarding the Dockerfile is hosted publicly on [Github](https://github.com/authzforce/server/tree/master/src/docker).
-
-### Issues
-
-If you find any issue with this image, feel free to report at [Github issue tracking system](https://github.com/authzforce/server/issues).
+## AuthzForce Server CE - Minimal Docker image
+
+This image of a minimal AuthzForce Server runtime is intended to work together with [Identity Manager - Keyrock](http://catalogue.fiware.org/enablers/identity-management-keyrock) and [PEP Proxy Wilma](http://catalogue.fiware.org/enablers/pep-proxy-wilma) generic enabler.
+
+## Image contents
+- OpenJDK JRE 8;
+- Tomcat 9 (since AuthzForce Server v9.0.1, else Tomcat 8 for older versions);
+- AuthzForce Server CE (version matching the Docker image tag).
+
+## Usage
+
+This image gives you a minimal installation for testing purposes. The AuthzForce Installation and Administration guide on [readthedocs.org](https://readthedocs.org/projects/authzforce-ce-fiware/versions/) (select the version matching the Docker image tag, then **AuthzForce - Installation and Administration Guide**) provides you a better approach for using it in a production environment. This installation guide also gives instructions to install from .deb package (instead of Docker), which is the recommended way for Ubuntu hosts.
+
+Create a container using `authzforce/server` image by doing (replace the first *8080* after *-p* with whatever network port you want to use on the host to access the AuthzForce Server, e.g. 80; and *release-9.0.1* with the current Docker image tag that you are using):
+
+```
+docker run -d -p 8080:8080 --name <container-name> authzforce/server:release-9.0.1
+```
+
+As stands in the AuthzForce Installation and administration guide on [readthedocs.org](https://readthedocs.org/projects/authzforce-ce-fiware/versions/) (select the version matching the Docker image tag, then **AuthzForce - Installation and Administration Guide**) you can:
+
+* **Create a domain**
+
+```
+curl -s --request POST \
+--header "Accept: application/xml" \
+--header "Content-Type: application/xml;charset=UTF-8" \
+--data '<?xml version="1.0" encoding="UTF-8"?><taz:domainProperties xmlns:taz="http://authzforce.github.io/rest-api-model/xmlns/authz/5" />' \
+ http://<authzforce-container-ip>:8080/authzforce-ce/domains
+```
+
+* **Retrieve the domain ID**
+
+```
+curl -s --request GET http://<authzforce-container-ip>:8080/authzforce-ce/domains
+```
+
+* **Domain removal**
+
+```
+curl --verbose --request DELETE \
+--header "Content-Type: application/xml;charset=UTF-8" \
+--header "Accept: application/xml" \
+http://<authzforce-container-ip>:8080/authzforce-ce/domains/<domain-id>
+```
+
+* **User and Role Management Setup && Domain Role Assignment**
+
+These tasks are now delegated to the [Identity Manager - Keyrock](http://catalogue.fiware.org/enablers/identity-management-keyrock) enabler. Here you can find how to use the interface for that purpose: [How to manage AuthzForce in Fiware](https://www.fiware.org/devguides/handling-authorization-and-access-control-to-apis/how-to-manage-access-control-in-fiware/).
+
+## User feedback
+
+### Documentation
+
+All the information regarding the Dockerfile is hosted publicly on [Github](https://github.com/authzforce/server/tree/master/src/docker).
+
+### Issues
+
+If you find any issue with this image, feel free to report at [Github issue tracking system](https://github.com/authzforce/server/issues).