- Fixed OW2-28, OW2-29, OW2-30, OW2-32

- Changed parent project version: 5.1.0 -> 7.0.0
- Changed dependency versions:
	- core version: 8.0.0 -> 10.0.0
		-> changed PDP configuration XSD version: 5.0.0 -> 6.0.0
(requestFilter/resultFilter replaced with
inoutProcChain/requestPreproc|resultPostproc)
	- core-pap-api version: 6.4.0 -> 9.0.0, pap-dao-flat-file version:
8.1.0 -> 9.0.0
	- rest-api-model: 5.4.0 -> 5.6.0 providing XACML JSON Profile
compliance (application/xacml+xml and application/xacml+json media types
now supported), and new '/version' resource providing product metadata
- Added new JNDI environment properties:
org.ow2.authzforce.domains.enableXacmlJsonProfile (true iff JSON-Profile
support is enabled on PDPs),
org.ow2.authzforce.webapp.publishedEndpointUrl (base address in WADL),
org.ow2.authzforce.webapp.jsonKeysWithArrays (comma-separated list of
JSON keys with values serialized to arrays always),
org.ow2.authzforce.webapp.noNamespaceInJsonOutput (true iff namespaces
dropped in JSON output),
org.ow2.authzforce.webapp.jsonKeysToXmlAttributes (comma-separated list
of keys of JSON objects to be deserialized as XML attributes),
org.ow2.authzforce.webapp.xmlAttributesToJsonLikeElements
(org.ow2.authzforce.webapp.xmlAttributesToJsonLikeElements)
- New configuration file for configuring CXF/JAX-RS JSON Provider's
inTransformElements property
(http://cxf.apache.org/docs/jax-rs-data-bindings.html#JAX-RSDataBindings-CustomizingJAXBXMLandJSONinputandoutput):
json-to-xml-map.properties
- New /version resource implementation class
(ProductMetadataResourceImpl) providing product name/version/release
date, server uptime and API doc URL) based on file
'org.ow2.authzforce.server.product.properties' auto-filled by Maven
build
- Moved generic JAX-RS extensions (ExceptionMapper,
ContainerRequestFilter...) to new separate authzforce-ce-jaxrs-utils
project
- Applied new naming conventions for Java classes with acronyms (only
first letter is uppercase)
- Renamed JsonJaxrsProvider class to JSONProvider
- JSON schema validation base on XSD for application/json provider
(JSONProvider)
- Added JSON Profile support using org.json API: new
JsonRiCxfJaxrsProvider as JAX-RS/CXF Provider supporting security
properties restricting the size of JSON strings, max number of JSON
keys/items in a JSON object/array, max JSON object depth

Author: cdanger

dist/pom.xml

@@ -11,10 +11,6 @@
    <packaging>jar</packaging>
    <name>${project.groupId}:${project.artifactId}</name>
    <description>AuthZForce CE server distribution (zip and deb)</description>
-   <properties>
-      <productName>${project.parent.artifactId}</productName>
-      <productMaintainer>Thales Services SAS</productMaintainer>
-   </properties>
    <url>https://github.com/authzforce/server/dist</url>
    <scm>
       <connection>scm:git:${git.url.base}.git</connection>
@@ -82,7 +78,6 @@
          <plugin>
             <groupId>org.apache.maven.plugins</groupId>
             <artifactId>maven-resources-plugin</artifactId>
-            <version>3.0.1</version>
             <executions>
                <execution>
                   <phase>process-sources</phase>

dist/src/conf/domain.tmpl/pdp.xml

@@ -1,22 +1,13 @@
-<pdp
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="http://authzforce.github.io/core/xmlns/pdp/5.0"
-	xmlns:pap-dao="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6"
-	version="5.0.0"
-        maxVariableRefDepth="10"
-	maxPolicyRefDepth="10" 
-	strictAttributeIssuerMatch="false" 
-	requestFilter="urn:ow2:authzforce:feature:pdp:request-filter:default-lax">
-	<!-- Replace with requestFilter = "urn:ow2:authzforce:feature:pdp:request-filter:multiple:repeated-attribute-categories-lax" for Multiple Decision Profile support. -->
-	<!-- You may customize this PDP configuration except 'rootPolicyProvider' and 'refPolicyProvider' elements. -->
-	<!-- policyLocation must start with ${PARENT_DIR}/ and end with: /*SUFFIX (* is expanded to base64url(policyId)/policyVersion) -->
-	<refPolicyProvider
-		id="refPolicyProvider"
-		xsi:type="pap-dao:StaticFlatFileDAORefPolicyProvider"
-		policyLocationPattern="${PARENT_DIR}/policies/*.xml" />
-	<rootPolicyProvider
-		id="rootPolicyProvider"
-		xsi:type="StaticRefBasedRootPolicyProvider">
-		<policyRef>root</policyRef>
-	</rootPolicyProvider>
+<pdp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0" xmlns:pap-dao="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6"
+   version="6.0.0" maxVariableRefDepth="10" maxPolicyRefDepth="10" strictAttributeIssuerMatch="false">
+   <!-- You may customize this PDP configuration except 'rootPolicyProvider' and 'refPolicyProvider' elements. -->
+   <!-- policyLocation must start with ${PARENT_DIR}/ and end with: /*SUFFIX (* is expanded to base64url(policyId)/policyVersion) -->
+   <refPolicyProvider id="refPolicyProvider" xsi:type="pap-dao:StaticFlatFileDAORefPolicyProvider" policyLocationPattern="${PARENT_DIR}/policies/*.xml" />
+   <rootPolicyProvider id="rootPolicyProvider" xsi:type="StaticRefBasedRootPolicyProvider">
+      <policyRef>root</policyRef>
+   </rootPolicyProvider>
+   <ioProcChain>
+      <!-- Replace requestPreproc value with "urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:multiple:repeated-attribute-categories-lax" for Multiple Decision Profile support. -->
+      <requestPreproc>urn:ow2:authzforce:feature:pdp:request-preproc:xacml-xml:default-lax</requestPreproc>
+   </ioProcChain>
 </pdp>

dist/src/conf/json-to-xml-map.properties

@@ -0,0 +1,13 @@
+# Configuration of JSON-key-to-XML-element mapping in JSON message body reader, as defined by CXF inTransformElements property: 
+# More info: http://cxf.apache.org/docs/jax-rs-data-bindings.html#JAX-RSDataBindings-CustomizingJAXBXMLandJSONinputandoutput
+# 
+# WARNING: remember to escape ':' in keys (namespaces). More info: https://docs.oracle.com/javase/8/docs/api/java/util/Properties.html#load-java.io.Reader-
+# JSONkeyX={xmlNamespaceY}elementNameZ
+
+# Example used for AuthzForce Manager GUI
+#domainProperties={http://authzforce.github.io/rest-api-model/xmlns/authz/5}domainProperties
+#pdpPropertiesUpdate={http://authzforce.github.io/rest-api-model/xmlns/authz/5}pdpPropertiesUpdate
+#rootPolicyRefExpression={http://authzforce.github.io/rest-api-model/xmlns/authz/5}rootPolicyRefExpression
+#feature={http://authzforce.github.io/rest-api-model/xmlns/authz/5}feature
+#description="{http://authzforce.github.io/rest-api-model/xmlns/authz/5}description
+#*={urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}*

dist/src/conf/logback.xml

@@ -60,9 +60,6 @@
    <!-- <appender-ref ref="access"/> -->
    <!-- </logger> -->
 
-   <logger name="com.sun.xacml" additivity="false" level="WARN">
-      <appender-ref ref="error" />
-   </logger>
    <logger name="org.ow2.authzforce" additivity="false" level="WARN">
       <appender-ref ref="error" />
    </logger>

dist/src/conf/xmlns-to-json-key-prefix-map.properties

@@ -1,15 +1,15 @@
-# Java Properties configuring the mapping from XML namespace URIs used in AuthzForce API model to the name prefixes used in JSON payloads.
-# For example, if we have the mapping "urn:example:com:mynamespace = myns", then some XML element
-# <someElement xmlns="urn:example:com:mynamespace" ... />
-# ...becomes in JSON:
-# { "myns:someElement" : ... }
-#
-# Format:
-# namespace1=prefix1
-# namespace2=prefix2
-# ...
-# WARNING: remember to escape ':' in namespaces. More info: https://docs.oracle.com/javase/8/docs/api/java/util/Properties.html#load-java.io.Reader-
-urn\:oasis\:names\:tc\:xacml\:3.0\:core\:schema\:wd-17 = xacml
-http\://www.w3.org/2005/Atom = atom
-http\://authzforce.github.io/rest-api-model/xmlns/authz/5 = az
-http\://authzforce.github.io/core/xmlns/test/3 = test
+# Java Properties configuring the mapping from XML namespace URIs used in AuthzForce API model to the name prefixes used in JSON payloads.
+# For example, if we have the mapping "urn:example:com:mynamespace = myns", then some XML element
+# <someElement xmlns="urn:example:com:mynamespace" ... />
+# ...becomes in JSON:
+# { "myns:someElement" : ... }
+#
+# Format:
+# namespace1=prefix1
+# namespace2=prefix2
+# ...
+# WARNING: remember to escape ':' in namespaces. More info: https://docs.oracle.com/javase/8/docs/api/java/util/Properties.html#load-java.io.Reader-
+urn\:oasis\:names\:tc\:xacml\:3.0\:core\:schema\:wd-17 = 
+http\://www.w3.org/2005/Atom = atom
+http\://authzforce.github.io/rest-api-model/xmlns/authz/5 = az
+http\://authzforce.github.io/core/xmlns/test/3 = test

dist/src/data/domains/A0bdIbmGEeWhFwcKrC9gSQ/pdp.xml

@@ -1,21 +1,20 @@
 <pdp
-	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-	xmlns="http://authzforce.github.io/core/xmlns/pdp/5.0"
-	xmlns:pap-dao="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6"
-	version="5.0.0"
-	maxPolicyRefDepth="10" 
-	strictAttributeIssuerMatch="false" 
-	requestFilter="urn:ow2:authzforce:feature:pdp:request-filter:default-lax">
-	<!-- Replace with requestFilter = "urn:ow2:authzforce:feature:pdp:request-filter:multiple:repeated-attribute-categories-lax" for Multiple Decision Profile support. -->
-	<!-- You may customize this PDP configuration except 'rootPolicyProvider' and 'refPolicyProvider' elements. -->
-	<!-- policyLocation must start with ${PARENT_DIR}/ and end with: /*SUFFIX (* is expanded to base64url(policyId)/policyVersion) -->
-	<refPolicyProvider
-		id="refPolicyProvider"
-		xsi:type="pap-dao:StaticFlatFileDAORefPolicyProvider"
-		policyLocationPattern="${PARENT_DIR}/policies/*.xml" />
-	<rootPolicyProvider
-		id="rootPolicyProvider"
-		xsi:type="StaticRefBasedRootPolicyProvider">
-		<policyRef>root</policyRef>
-	</rootPolicyProvider>
+   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+   xmlns="http://authzforce.github.io/core/xmlns/pdp/6.0"
+   xmlns:pap-dao="http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6"
+   version="6.0.0"
+   maxVariableRefDepth="10"
+   maxPolicyRefDepth="10"
+   strictAttributeIssuerMatch="false">
+   <!-- You may customize this PDP configuration except 'rootPolicyProvider' and 'refPolicyProvider' elements. -->
+   <!-- policyLocation must start with ${PARENT_DIR}/ and end with: /*SUFFIX (* is expanded to base64url(policyId)/policyVersion) -->
+   <refPolicyProvider
+      id="refPolicyProvider"
+      xsi:type="pap-dao:StaticFlatFileDAORefPolicyProvider"
+      policyLocationPattern="${PARENT_DIR}/policies/*.xml" />
+   <rootPolicyProvider
+      id="rootPolicyProvider"
+      xsi:type="StaticRefBasedRootPolicyProvider">
+      <policyRef>root</policyRef>
+   </rootPolicyProvider>
 </pdp>

dist/src/debian/changelog

@@ -1,3 +1,3 @@
-authzforce-ce-server (${project.version}) trusty; urgency=low
+authzforce-ce-server (${project.version}) xenial; urgency=low
   * See https://github.com/authzforce/server/blob/release-${project.version}/CHANGELOG.md
  -- Thales Services <http://www.thalesgroup.com>  ${debian.changelog.timestamp}

dist/src/webapp-context.xml

@@ -2,31 +2,40 @@
 <!-- Context used by Tomcat -->
 <Context path="/authzforce-ce" docBase="/opt/${productName}/webapp">
 
-	<!-- Override <context-param>s in web.xml -->
-	<Parameter name="logbackConfigLocation" description="Logging configuration file"
-		value="file:/opt/${productName}/conf/logback.xml" override="false" />
-
-	<Parameter name="spring.profiles.active" description="application profiles: '+fastinfoset' to enable FastInfoset support, '-fastinfoset' to disable FastInfoset support"
-		value="-fastinfoset" override="false" />
-
-	<!-- Override <env-entry>s in web.xml -->
-	<Environment name="org.ow2.authzforce.config.dir" value="file:/opt/${productName}/conf"
-		type="java.lang.String" override="false"
-		description="Configuration directory path that may contain \${...} placeholders, to be resolved as system properties: e.g. \${user.dir}. Default values can be supplied using the ':' separator between key and value (see org.springframework.util.SystemPropertyUtils class)" />
-
-	<Environment name="org.ow2.authzforce.data.dir" value="file:/opt/${productName}/data"
-		type="java.lang.String" override="false"
-		description="Data (e.g. data of domains created and managed by the API) directory path that may contain \${...} placeholders, to be resolved as system properties: e.g. \${user.dir}. Default values can be supplied using the ':' separator between key and value (see org.springframework.util.SystemPropertyUtils class)" />
-
-	<Environment name="org.ow2.authzforce.uuid.gen.randomMulticastAddressBased"
-		value="false" type="java.lang.Boolean" override="false"
-		description="UUID generator option for domain IDs, set to true if and only if Authzforce deployed in dev environment that is disconnected from the network, i.e. no 'real' Ethernet address to use, set this JNDI variable to 'true' to initialize the UUID (variant 1) generator with a random multicast address instead." />
-
-	<Environment name="org.ow2.authzforce.domains.sync.interval"
-		value="0" type="java.lang.Integer" override="false"
-		description="Domains folder-to-memory synchronization interval (seconds); value 0 disables this feature." />
-      
-    <Environment name="org.ow2.authzforce.domains.enablePdpOnly"
-      value="false" type="java.lang.Boolean" override="false"
+   <!-- Override <context-param>s in web.xml -->
+   <Parameter name="logbackConfigLocation" description="Logging configuration file" value="file:/opt/${productName}/conf/logback.xml" override="false" />
+
+   <Parameter name="spring.profiles.active" description="application profiles: '+fastinfoset' to enable FastInfoset support, '-fastinfoset' to disable FastInfoset support" value="-fastinfoset"
+      override="false" />
+
+   <!-- <env-entry>s in web.xml do not override entries below iff override=false. -->
+   <Environment name="org.ow2.authzforce.config.dir" value="file:/opt/${productName}/conf" type="java.lang.String" override="false"
+      description="Configuration directory path that may contain \${...} placeholders, to be resolved as system properties: e.g. \${user.dir}. Default values can be supplied using the ':' separator between key and value (see org.springframework.util.SystemPropertyUtils class)" />
+
+   <Environment name="org.ow2.authzforce.data.dir" value="file:/opt/${productName}/data" type="java.lang.String" override="false"
+      description="Data (e.g. data of domains created and managed by the API) directory path that may contain \${...} placeholders, to be resolved as system properties: e.g. \${user.dir}. Default values can be supplied using the ':' separator between key and value (see org.springframework.util.SystemPropertyUtils class)" />
+
+   <Environment name="org.ow2.authzforce.uuid.gen.randomMulticastAddressBased" value="false" type="java.lang.Boolean" override="false"
+      description="UUID generator option for domain IDs, set to true if and only if Authzforce deployed in dev environment that is disconnected from the network, i.e. no 'real' Ethernet address to use, set this JNDI variable to 'true' to initialize the UUID (variant 1) generator with a random multicast address instead." />
+
+   <Environment name="org.ow2.authzforce.domains.sync.interval" value="0" type="java.lang.Integer" override="false"
+      description="Domains folder-to-memory synchronization interval (seconds); value 0 disables this feature." />
+
+   <Environment name="org.ow2.authzforce.domains.enablePdpOnly" value="false" type="java.lang.Boolean" override="false"
       description="Enable PDP only, i.e. disable all PAP (or other administration) features iff true" />
+
+   <Environment name="org.ow2.authzforce.domains.enableXacmlJsonProfile" value="false" type="java.lang.Boolean" override="false"
+      description="Enable support for JSON Profile of XACML 3.0 on domains' PDP endpoints iff true" />
+
+   <!-- <Environment name="org.ow2.authzforce.webapp.publishedEndpointUrl" value="http://localhost:8080" type="java.lang.Boolean" override="false" description="Base address specified in the auto-generated 
+      WADL. This parameter allows setting the public URL that may not be the same as the URL the service is deployed on. (For example, the service is behind a proxy of some sort)." /> -->
+
+   <!-- <Environment name="org.ow2.authzforce.webapp.jsonKeysWithArrays" type="java.lang.String" override="false" description="Comma-separated list of JSON keys with values to be always serialized to JSON 
+      arrays (even if single-valued). More info: http://cxf.apache.org/docs/jax-rs-data-bindings.html#JAX-RSDataBindings-DealingwithJettisonarrayserializationissues (serializeAsArray always true but no effect 
+      if this property undefined or has empty value). The example here works for AuthzForce Manager GUI" value="link,PolicySet,PolicySetIdReference,Policy,PolicyIdReference,Rule,VariableDefinition,AnyOf,AllOf,Match,ObligationExpressions,AdviceExpressions,Obligations,AssociatedAdvice" 
+      /> -->
+     
+     <Environment name="org.ow2.authzforce.webapp.noNamespaceInJsonOutput" value="false" type="java.lang.Boolean" override="false"
+      description="Whether to drop all XML namespaces (JSON key prefixes) from JSON output in XML-to-JSON translation. Enable this for AuthzForce Manager GUI." /> 
+
 </Context>

owasp-dependency-check-suppression.xml

@@ -2,9 +2,12 @@
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <suppress>
       <notes><![CDATA[
-      file name: mailapi-1.5.6.jar
+      file name: mailapi-1.5.6.jar, 
+      false positive reported: https://github.com/jeremylong/DependencyCheck/issues/912
       ]]></notes>
-      <gav regex="true">^com\.sun\.mail:mailapi:.*$</gav>
+      <cpe>cpe:/a:mail_project:mail</cpe>
+      <cpe>cpe:/a:sun:javamail</cpe>
       <cve>CVE-2007-6059</cve>
+      <cve>CVE-2015-9097</cve>
    </suppress>
 </suppressions>

pom.xml

@@ -4,7 +4,7 @@
    <parent>
       <groupId>org.ow2.authzforce</groupId>
       <artifactId>authzforce-ce-parent</artifactId>
-      <version>5.1.0</version>
+      <version>7.0.0</version>
    </parent>
    <artifactId>authzforce-ce-server</artifactId>
    <!-- FIWARE Versioning + Version must be equal or higher than 'authzforce-ce-rest-api-model' dependency in 'rest-service' module -->
@@ -15,10 +15,12 @@
    <url>${project.url}</url>
    <properties>
       <git.url.base>https://github.com/authzforce/server</git.url.base>
-      <authzforce-ce-core.version>8.0.0</authzforce-ce-core.version>
-      <authzforce-ce-core-pap-api.version>6.4.0</authzforce-ce-core-pap-api.version>
+      <authzforce-ce-core.version>10.0.0</authzforce-ce-core.version>
+      <authzforce-ce-core-pap-api.version>9.0.0</authzforce-ce-core-pap-api.version>
       <!-- Version must be compatible with authzforce-ce-core and authzforce-ce-core-pap-api versions above. -->
-      <authzforce-ce-pap-dao-flat-file.version>8.1.0</authzforce-ce-pap-dao-flat-file.version>
+      <authzforce-ce-pap-dao-flat-file.version>9.0.0</authzforce-ce-pap-dao-flat-file.version>
+      <productName>AuthzForce CE Server</productName>
+      <productMaintainer>Thales Services SAS</productMaintainer>
    </properties>
    <scm>
       <connection>scm:git:${git.url.base}.git</connection>

release.description.tmpl.md

@@ -5,4 +5,4 @@
 
  Docker image available on [Docker Hub](https://hub.docker.com/r/fiware/authzforce-ce-server/tags/).
 
- Documentation available [online](http://authzforce-ce-fiware.readthedocs.io/en/release-M.m.P/) and as  downloadable [HTML](https://media.readthedocs.org/htmlzip/authzforce-ce-fiware/release-M.m.P/authzforce-ce-fiware.zip) and [PDF](https://media.readthedocs.org/pdf/authzforce-ce-fiware/release-M.m.P/authzforce-ce-fiware.pdf).
+ Documentation available [online](http://authzforce-ce-fiware.readthedocs.io/en/release-M.m.P/) and as downloadable [HTML](https://media.readthedocs.org/htmlzip/authzforce-ce-fiware/release-M.m.P/authzforce-ce-fiware.zip) and [PDF](https://media.readthedocs.org/pdf/authzforce-ce-fiware/release-M.m.P/authzforce-ce-fiware.pdf).

rest-service/owasp-dependency-check-suppression.xml

@@ -2,9 +2,12 @@
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <suppress>
       <notes><![CDATA[
-      file name: mailapi-1.5.6.jar
+      file name: mailapi-1.5.6.jar, 
+      false positive reported: https://github.com/jeremylong/DependencyCheck/issues/912
       ]]></notes>
-      <gav regex="true">^com\.sun\.mail:mailapi:.*$</gav>
+      <cpe>cpe:/a:mail_project:mail</cpe>
+      <cpe>cpe:/a:sun:javamail</cpe>
       <cve>CVE-2007-6059</cve>
+      <cve>CVE-2015-9097</cve>
    </suppress>
 </suppressions>