
fiware's People

Contributors

cdanger, jason-fox


fiware's Issues

Unable to perform Level 2: Basic Authorization

Hi,

I need some help please: I want to perform Level 2 basic authorization. So I created a new role in my application on Keyrock (IdM) and created two new permissions: one that has the HTTP verb GET and /test1 as resource, and one that has POST as HTTP verb and /test2 as resource, but I did not yet assign these permissions to my newly created role. I created these two resources just for testing purposes. All they do is send back a text message that tells me if I could access these resources. My newly created role I assigned to one of my registered users.

Using Chrome's Advanced REST Client I sent a GET and a POST request for these resources to the pep-proxy. For both requests I got a response of 401 Unauthorized, which is fine since I did not include an X-Auth-Token in these requests yet. Then I performed the authentication with the oauth2 example client and got back my token. I copied the token into the header field and sent the same requests to the pep-proxy again. In both cases I got back a 200 OK and the dedicated success messages that I created. But actually this should not be the case. Instead I should get back a 401 Unauthorized message, since the role of the user I am logged in as does not have the permissions to access these resources.

Why can I still access these resources? It seems to me the only thing that is checked is if the token is valid or not. As soon as the token is valid, the user can access whatever he wants. Did I do something wrong?

I run everything as docker containers. Here is some log output for the GET request:

pep | 2016-11-25 12:44:05.300 - INFO: IDM-Client - Token in cache, checking timestamp...
pep | 2016-11-25 12:44:05.300 - INFO: IDM-Client - Token in cache expired
pep | 2016-11-25 12:44:05.300 - INFO: IDM-Client - Checking token with IDM...
keyrock | 2016-11-25 12:44:05.331 34 INFO eventlet.wsgi.server [-] 172.18.0.7 - - [25/Nov/2016 12:44:05] "GET /v3/access-tokens/nalLDoB334Z3BItu0ytcoUJOmOC3m2 HTTP/1.1" 200 394 0.026148
pep | 2016-11-25 12:44:05.332 - INFO: AZF-Client - Checking auth with AZF...
pep | 2016-11-25 12:44:05.332 - INFO: AZF-Client - Checking authorization to roles [ '5fedd57e74c94a9b993db26b145c1035' ] to do GET on test1 and app eb5fc491be0d4edd946cc6ce20a096b3
pep | 2016-11-25 12:44:05.332 - INFO: AZF-Client - Checking auth with AZF...
pep | 2016-11-25 12:44:05.345 - INFO: Root - Access-token OK. Redirecting to app...

I hope someone can help me with this.

Best regards,
Thomas

Problem in interaction between idm,pep and authzforce

There's apparently a problem in the interaction between idm, authzforce and probably pep.
Since I cannot tell which component is the actual troublemaker, I've filed an issue at the IdM project as well. So please see this issue for a detailed description. I cannot see any rules in the PAP that correspond to the roles I have defined in IdM, although the IdM creates a valid domain.

As mentioned in the other issue, authentication between my client app and the IdM works perfectly fine. But whenever PEP tries to perform the authorization, things go terribly wrong.

Here's again the log from PEP:

2016-08-18 11:32:30.971  - INFO: IDM-Client - Checking token with IDM...
2016-08-18 11:32:31.001  - INFO: AZF-Client - Checking auth with AZF...
2016-08-18 11:32:31.002  - INFO: AZF-Client - Checking authorization to roles [ 'provider', '4db71b9d39d340f387585ed832c28c78' ] to do  GET  on  v2/entities and app  6806127773ae47fdb777886585358543
2016-08-18 11:32:31.002  - INFO: AZF-Client - Checking auth with AZF...
2016-08-18 11:32:31.006  - ERROR: Server - Caught exception: Error: There are errors in your xml file: syntax error

Wireshark revealed the following:

PEP first checks the token with the IdM

Frame 43: 142 bytes on wire (1136 bits), 142 bytes captured (1136 bits) on interface 0
Ethernet II, Src: AsustekC_86:b6:ea (d8:50:e6:86:b6:ea), Dst: Apple_1f:46:33 (c8:2a:14:1f:46:33)
Internet Protocol Version 4, Src: 10.12.200.84, Dst: 10.12.200.247
Transmission Control Protocol, Src Port: 41769 (41769), Dst Port: 8000 (8000), Seq: 1449, Ack: 1, Len: 76
    Source Port: 41769
    Destination Port: 8000
    [Stream index: 2]
    [TCP Segment Len: 76]
    Sequence number: 1449    (relative sequence number)
    [Next sequence number: 1525    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    Header Length: 32 bytes
    Flags: 0x018 (PSH, ACK)
    Window size value: 1369
    [Calculated window size: 87616]
    [Window size scaling factor: 64]
    Checksum: 0x98a7 [validation disabled]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [SEQ/ACK analysis]
    TCP segment data (76 bytes)
[2 Reassembled TCP Segments (1524 bytes): #42(1448), #43(76)]
Hypertext Transfer Protocol
    GET /user?access_token=lH15kS8pSCV1wGFf57lp1zYMAsBTuw HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /user?access_token=lH15kS8pSCV1wGFf57lp1zYMAsBTuw HTTP/1.1\r\n]
        Request Method: GET
        Request URI: /user?access_token=lH15kS8pSCV1wGFf57lp1zYMAsBTuw
        Request Version: HTTP/1.1
    Host: 10.12.200.247:8000\r\n
    Connection: keep-alive\r\n
    User-Agent: Mozilla/5.0 (Linux; Android 6.0.1; Nexus 7 Build/MOB30P; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.98 Safari/537.36\r\n
    Accept: */*\r\n
    Accept-Encoding: gzip, deflate\r\n
    Accept-Language: en-US\r\n
     [truncated]Cookie: csrftoken=nfAqXttUUjNygfpWdWUBD7DrbANdRstQ; sessionid=".eJyFU8tu3DYUdcdjjyPHdmK3zbOp0yau3MeYpKhXVkWbVQp4kZaINsaAL1lyZqS5I8qoFwKSTYD-Q3-jX9Af6bZ_EUojt4OiQKCFyHvPuee--GbQwEcu262LSpZzrSamfK0LdigUFUJpFCqCaRr4QqBQIyEI9rXSCrF
    X-Requested-With: com.ionicframework.myfiwareclient357647\r\n
    \r\n
    [Full request URI: http://10.12.200.247:8000/user?access_token=lH15kS8pSCV1wGFf57lp1zYMAsBTuw]
    [HTTP request 1/1]

Then the IdM provides the necessary information about the AZF domain:

HTTP/1.0 200 OK
Date: Thu, 18 Aug 2016 11:32:19 GMT
Server: WSGIServer/0.1 Python/2.7.6
Vary: Accept-Language, Cookie
X-Frame-Options: SAMEORIGIN
Content-Type: application/json
Content-Language: en
Set-Cookie:  sessionid=".eJyFU8tu3DYUdcdjjyPHdmK3zbOp0yau3MeYpKhXVkWbVQp4kZaINsaAL1lyZqS5I8qoFwKSTYD-Q3-jX9Af6bZ_EUojt4OiQKCFyHvPuee--GbQwEcu262LSpZzrSamfK0LdigUFUJpFCqCaRr4QqBQIyEI9rXSCrFRXenFJFfJaG1t7aLMClVqGLDthT7Py2JS8Jk-ZTsTXpts0kOzAdvr3bpQ8zIvTHLfsjNj5s9OTjAJx8h--Jnne354cumdwDrbs9zLXOpqsqQmm5bx85znBYEh218REFza1BU7snUUlbG3zjnu7eOf9FVlykL_0ON2prwyEy5Nfpmbqxd__v7HK7bRlS__E6EN7_zSehzYOH4Lmw2MXLapyplNA7YauOGyQa7AOWXDtnDYPq3Zbp_4j9zwaXkON89gp4FdN7lhC7iuvzqDPbeBW26ybq31Ygq3s_UOYZ16kXKpYT_Zur4XfNrVv2wFHGTDDts31Wbw8Up7kkFLU_BJcmgPGPu-FwYi8r2Aklhy6hNClY-8iFKJeN3Ap252-wMDyfaTDQvgapYX2cGKWLaqnC0lqeIhkgRFAeEUqUikfojaJEgYEx4IK3mnlbz3f5I-QqhXbAPPazHN5Ycl7WqGItXaDxXlSkYxkphEXNoiI-GRWidDCzNXc73sqtKFsdO_pqdxEFKCYs82KUUxj1KayhB5KVECyyW5m_Ddjv66X6mas41FOdUV3DuD-w08cPuAoUSppwIUehGmOhUiCFI_DrEkMfalr7O7__bTBtntFnm5V-04H3avS-mU11MDn7Fbq_4uj0cd4nmP-JyN9K_zfGETOZSKG23ymXb-OcBj5oz-2tq_-dBZ__s3mVdlFCA87v8OM9KBL45fwpfvXsITNpovygstDTxt4MjNnGS7a9hscm3_Ktvu1tbawK3ZsE0Ojhv42oKzgXW2hAv1vdGVGctyVneP5Bt2iGIU45TjgGNBhd3AIOICpxGNcEQJxfAt2zS64IWB77KjWtTj9wRqWnM:1baLYZ:YyDjkSAR3VR82PFrrTF29kTd5zE"; httponly; Path=/

{"organizations": [], "displayName": "johndoe", "roles": [{"name": "Provider", "id": "provider"}, {"name": "Restaurant-Viewer", "id": "4db71b9d39d340f387585ed832c28c78"}], "app_id": "6806127773ae47fdb777886585358543",
 "email": "[email protected]", "id": "johndoe", "app_azf_domain": "-XUmQmUdEeatWgJCrBEABg"}

After this I cannot make out a valid HTTP request sent from PEP to AZF; nevertheless, the following response pops up:

Frame 67: 200 bytes on wire (1600 bits), 200 bytes captured (1600 bits) on interface 9
Null/Loopback
Internet Protocol Version 4, Src: 10.12.200.247, Dst: 10.12.200.247
Transmission Control Protocol, Src Port: 8282 (8282), Dst Port: 62035 (62035), Seq: 1, Ack: 329, Len: 144
    Source Port: 8282
    Destination Port: 62035
    [Stream index: 3]
    [TCP Segment Len: 144]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 145    (relative sequence number)]
    Acknowledgment number: 329    (relative ack number)
    Header Length: 32 bytes
    Flags: 0x018 (PSH, ACK)
    Window size value: 12749
    [Calculated window size: 407968]
    [Window size scaling factor: 32]
    Checksum: 0xa6bd [validation disabled]
    Urgent pointer: 0
    Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
    [SEQ/ACK analysis]
Hypertext Transfer Protocol
    HTTP/1.1 400 Bad Request\r\n
        [Expert Info (Chat/Sequence): HTTP/1.1 400 Bad Request\r\n]
        Request Version: HTTP/1.1
        Status Code: 400
        Response Phrase: Bad Request
    Server: Apache-Coyote/1.1\r\n
    Transfer-Encoding: chunked\r\n
    Date: Thu, 18 Aug 2016 11:32:31 GMT\r\n
    Connection: close\r\n
    \r\n
    [HTTP response 1/1]
    HTTP chunked response
        End of chunked encoding
            Chunk size: 0 octets
        \r\n

So maybe there's something wrong with the request sent from PEP. Nevertheless, could you please check whether the XML stored in AZF looks OK (ging/fiware-idm#70)?

The permissions for role "Restaurant-Viewer" should be "GET" , "/v2/entities".

Confusing example of a GET request in Users and Programmers Guide

Under Domain Management API section, there is an example of how to retrieve the current domain properties.

The text over the request sample is: "For example, this request updates the externalId and the root policy reference to some policy 'PolicyABC' that must exist in the domain (added via the PAP API mentioned later) as a prerequisite:". The request sample is a GET request with a payload.

The text and the request are confusing.

Docker image release-5.4.0 fails to start

The docker image fails with the following not very verbose log message:
* Starting Tomcat servlet engine tomcat7 ...fail!

Running on OSX 10.11.6 and Docker 1.12.0-beta21

Update: After having spent hours in finding a work-around (eg. by installing Ubuntu in a VM and following your steps from the Dockefile or also by tweaking with the Dockerfile) I could find the following issue:

/var/log/tomcat7/authzforce-ce/error.log contains the following entry:
016-08-04 11:25:41,752|ERROR|localhost-startStop-2|org.springframework.web.context.ContextLoader:324|Context initialization failed| java.lang.NoSuchMethodError: java.util.concurrent.ConcurrentHashMap.keySet()Ljava/util/concurrent/ConcurrentHashMap$KeySetView; at org.apache.catalina.core.ApplicationContext.getInitParameterNames(ApplicationContext.java:368) ~[tomcat-catalina-7.0.68.jar:7.0.68] at org.apache.catalina.core.ApplicationContextFacade.getInitParameterNames(ApplicationContextFacade.java:367) ~[tomcat-catalina-7.0.68.jar:7.0.68] at org.springframework.web.context.support.WebApplicationContextUtils.registerEnvironmentBeans(WebApplicationContextUtils.java:201) ~[spring-web-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.postProcessBeanFactory(AbstractRefreshableWebApplicationContext.java:169) ~[spring-web-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:458) ~[spring-context-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:389) ~[spring-web-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:294) ~[spring-web-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112) [spring-web-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5068) [tomcat-catalina-7.0.68.jar:7.0.68] at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5584) [tomcat-catalina-7.0.68.jar:7.0.68] at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147) [tomcat-catalina-7.0.68.jar:7.0.68] at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) 
[tomcat-catalina-7.0.68.jar:7.0.68] at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) [tomcat-catalina-7.0.68.jar:7.0.68] at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) [tomcat-catalina-7.0.68.jar:7.0.68] at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:677) [tomcat-catalina-7.0.68.jar:7.0.68] at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1962) [tomcat-catalina-7.0.68.jar:7.0.68] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [na:1.7.0_95] at java.util.concurrent.FutureTask.run(FutureTask.java:262) [na:1.7.0_95] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_95] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_95] at java.lang.Thread.run(Thread.java:745) [na:1.7.0_95]

So there's apparently a Spring library that depends on Java 8, but you are still using Java 7.

When trying to fix this, I first ran into a security error that prevented some XSD files from being loaded.
After that you end up in a NullPointerException:
2016-08-04 13:20:21,075|ERROR|localhost-startStop-1|org.springframework.web.context.ContextLoader:319|Context initialization failed| org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'tazService': Invocation of init method failed; nested exception is org.apache.cxf.service.factory.ServiceConstructionException at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1488) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:524) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:461) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:295) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:223) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:292) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:194) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:626) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:932) ~[spring-context-3.2.2.RELEASE.jar:3.2.2.RELEASE] at 
org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:479) ~[spring-context-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:389) ~[spring-web-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:294) ~[spring-web-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:112) [spring-web-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5068) [tomcat-catalina-7.0.68.jar:7.0.68] at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5584) [tomcat-catalina-7.0.68.jar:7.0.68] at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:147) [tomcat-catalina-7.0.68.jar:7.0.68] at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899) [tomcat-catalina-7.0.68.jar:7.0.68] at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875) [tomcat-catalina-7.0.68.jar:7.0.68] at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) [tomcat-catalina-7.0.68.jar:7.0.68] at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:677) [tomcat-catalina-7.0.68.jar:7.0.68] at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1962) [tomcat-catalina-7.0.68.jar:7.0.68] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_91] at java.util.concurrent.FutureTask.run(FutureTask.java:266) [na:1.8.0_91] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_91] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_91] at java.lang.Thread.run(Thread.java:745) [na:1.8.0_91] Caused by: 
org.apache.cxf.service.factory.ServiceConstructionException: null at org.apache.cxf.jaxrs.JAXRSServerFactoryBean.create(JAXRSServerFactoryBean.java:219) ~[cxf-rt-frontend-jaxrs-3.1.0.jar:3.1.0] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_91] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_91] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_91] at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_91] at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeCustomInitMethod(AbstractAutowireCapableBeanFactory.java:1614) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1555) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE] at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1485) ~[spring-beans-3.2.2.RELEASE.jar:3.2.2.RELEASE] ... 25 common frames omitted Caused by: java.lang.NullPointerException: null at java.util.concurrent.ConcurrentHashMap.putVal(ConcurrentHashMap.java:1011) ~[na:1.8.0_91] at java.util.concurrent.ConcurrentHashMap.putAll(ConcurrentHashMap.java:1084) ~[na:1.8.0_91] at org.apache.cxf.jaxrs.AbstractJAXRSFactoryBean.createEndpoint(AbstractJAXRSFactoryBean.java:223) ~[cxf-rt-frontend-jaxrs-3.1.0.jar:3.1.0] at org.apache.cxf.jaxrs.JAXRSServerFactoryBean.create(JAXRSServerFactoryBean.java:165) ~[cxf-rt-frontend-jaxrs-3.1.0.jar:3.1.0] ... 32 common frames omitted

501 Unimplemented for XACML+JSON PDP requests

I get 501 Not implemented response from AuthzForce 8.1.0 with the following request to the PDP:

POST /authzforce-ce/domains/xb8YXEXfEeq70AJCrBMAAw/pdp HTTP/1.1
Host: localhost:8080
Content-Type: application/xacml+json;charset=UTF-8
Accept: application/xacml+json

{
  "Request": {
    "ReturnPolicyIdList": true,
    "AccessSubject": {
      "Attribute": [
        {"AttributeId": "user-type", "Value": "Practitioner"},
        {"AttributeId": "practitioner-role", "Value": "administrator"}
      ]
    },
    "Resource": {
      "Attribute": [
        {"AttributeId": "resource-type", "Value": "Practitioner"},
        {"AttributeId": "resource-id", "Value": "123"}
      ]
    },
    "Action": {
      "Attribute": [
        {"AttributeId": "interaction", "Value": "instance.read"}
      ]
    }
  }
}

However, the documentation states that the JSON profile is supported:
https://authzforce-ce-fiware.readthedocs.io/en/release-8.1.0/Features.html#xacml-json-profile

I'm using the docker image fiware/authzforce-ce-server:release-8.1.0
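The request in this issue is written in the XACML JSON Profile. The following is an added example, not AuthzForce project code, that rewrites such a request into the equivalent XACML 3.0 XML request, which is the form a client can fall back to while a PDP answers 501 to application/xacml+json. The category URIs and the xs:string default DataType are the standard XACML 3.0 / JSON Profile values; the sample request is the one posted above, and the summary helper is only there to inspect the result.

```python
"""Convert a XACML JSON Profile request into the equivalent XACML 3.0 XML request.

Added example (not AuthzForce project code): a client that gets 501 for
application/xacml+json can send the XML form of the same request instead.
Category and DataType URIs are the standard XACML 3.0 / JSON Profile ones;
the sample request is the one posted in the issue above.
"""
import json
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# JSON Profile shorthand category names -> XACML 3.0 category URIs
CATEGORY_URIS = {
    "AccessSubject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
    "Resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "Action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
    "Environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment",
}

# The JSON request body from the issue (same content, re-serialised here)
SAMPLE_JSON_REQUEST = json.dumps({
    "Request": {
        "ReturnPolicyIdList": True,
        "AccessSubject": {"Attribute": [
            {"AttributeId": "user-type", "Value": "Practitioner"},
            {"AttributeId": "practitioner-role", "Value": "administrator"},
        ]},
        "Resource": {"Attribute": [
            {"AttributeId": "resource-type", "Value": "Practitioner"},
            {"AttributeId": "resource-id", "Value": "123"},
        ]},
        "Action": {"Attribute": [
            {"AttributeId": "interaction", "Value": "instance.read"},
        ]},
    }
})


def _bool_attr(value) -> str:
    return "true" if value else "false"


def _add_category(root, category_uri: str, category: dict) -> None:
    """Emit one <Attributes Category=...> block with its <Attribute> children."""
    attrs_el = ET.SubElement(root, f"{{{XACML_NS}}}Attributes", {"Category": category_uri})
    for attr in category.get("Attribute", []):
        attr_el = ET.SubElement(attrs_el, f"{{{XACML_NS}}}Attribute", {
            "AttributeId": attr["AttributeId"],
            "IncludeInResult": _bool_attr(attr.get("IncludeInResult", False)),
        })
        # The JSON Profile allows a single value or an array of values
        values = attr["Value"] if isinstance(attr["Value"], list) else [attr["Value"]]
        for value in values:
            val_el = ET.SubElement(attr_el, f"{{{XACML_NS}}}AttributeValue",
                                   {"DataType": attr.get("DataType", XS_STRING)})
            val_el.text = str(value)


def json_request_to_xml(json_text: str) -> bytes:
    """Return the XACML 3.0 XML request equivalent to a JSON Profile request."""
    req = json.loads(json_text)["Request"]
    ET.register_namespace("", XACML_NS)  # emit the XACML namespace as the default
    root = ET.Element(f"{{{XACML_NS}}}Request", {
        "ReturnPolicyIdList": _bool_attr(req.get("ReturnPolicyIdList", False)),
        "CombinedDecision": _bool_attr(req.get("CombinedDecision", False)),
    })
    for short_name, uri in CATEGORY_URIS.items():
        if short_name in req:
            _add_category(root, uri, req[short_name])
    # Custom categories use the long form: "Category": [{"CategoryId": ..., "Attribute": [...]}]
    for custom in req.get("Category", []):
        _add_category(root, custom["CategoryId"], custom)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def summarize_xml_request(xml_bytes: bytes) -> dict:
    """Map each Category URI to its [(AttributeId, value), ...] pairs for inspection."""
    ns = {"x": XACML_NS}
    summary = {}
    for attrs_el in ET.fromstring(xml_bytes).findall("x:Attributes", ns):
        pairs = [(a.get("AttributeId"), v.text)
                 for a in attrs_el.findall("x:Attribute", ns)
                 for v in a.findall("x:AttributeValue", ns)]
        summary[attrs_el.get("Category")] = pairs
    return summary


if __name__ == "__main__":
    xml_request = json_request_to_xml(SAMPLE_JSON_REQUEST)
    print(xml_request.decode())
    print(summarize_xml_request(xml_request))
```

The XML produced is what you would POST to the same /pdp endpoint with Content-Type and Accept set to application/xacml+xml; the mapping is one-to-one, so a client can keep the JSON form in its own code and only translate at the wire.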

Doc - Features section - typos

Some identifiers (algorithms, functions...) are misspelled in Features.rst but OK in Features.md. Make sure the generated doc (PDF/HTML) uses the Markdown.

Unable to use docker container

Hi,

I'm trying to deploy authzforce-ce-server as a container using Docker (Docker version 19.03.1, build 74b1e89) on a CentOS 7 machine, and the problem I'm currently having is that whenever I start the container, the Tomcat GUI appears in the browser. It seems like it did not download any of the AuthzForce source code.

This happened both while using the Docker Hub image (release-8.1.0) and while using an image I built myself using the Dockerfile available in this repo.

Any help would be appreciated.

Authzforce should expose Docker Volumes

According to this Stack Overflow Answer -

As far as AuthzForce is concerned, all the policies pushed successfully by the IdM to Authzforce are persisted to disk in AuthzForce server's /opt/authzforce-ce-server/data directory.

According to Docker

Volumes are the preferred mechanism for persisting data generated by and used by Docker containers. While bind mounts are dependent on the directory structure of the host machine, volumes are completely managed by Docker. Volumes have several advantages over bind mounts:

  • New volumes can have their content pre-populated by a container.

I would like to be able to pre-populate my Authzforce instance. I would first extract the current policies from an instantiated container using the docker cp command:

docker cp fiware-authzforce:/opt/authzforce-ce-server/data data

I can then pre-populate my domains by running with an attached volume with:

docker run --volume=./data/domains:/opt/authzforce-ce-server/data/domains ...

This will only work if the Dockerfile is amended to expose a VOLUME for the data.

[MUST] Credits are missing

According to the contribution requirements, credit must be given to developers who contribute to the development of each component. A simple way to do this is to add and maintain a CREDITS file.

The list of previous contributors can be obtained using the following command:

git shortlog -cse

  • MUST Requirement from the TSC

Unable to use JWT token generated from Fiware Keyrock

For the Fiware security layer Keyrock version 8.0.0, Wilma version 8.0.0 and Authzforce version release-10.0.0 are configured.
Keyrock generates a Bearer token that works properly for Orion authorization. But, the problem comes if I use a JWT token instead. I generate a JWT token by adding the scope option in the request:

POST /oauth2/token HTTP/1.1
Host: localhost:3005
Authorization: Basic MTlmMjdiZGMtMTM1My00MTY5LTkxN2ItZTI1NTVjNDYwYzUyOjU4YWIxZTFjLTBkYjktNDBmZi1hMmUyLTJjZTYyNjNlNjI1Yg==
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=username1&password=password1&scope=jwt

When I try to access Orion through Wilma using the request below, Wilma reports the error "AZF domain not created for application 19f27bdc-1353-4169-917b-e2555c460c52":

GET /version HTTP/1.1
Host: localhost:1022
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcmdhbml...TgxODQzfQ.O_UgX-Jl_ng0r--uDSr8dk1AeCnJAJPS3qn6VXurhxQ

Moreover, in Keyrock GUI for the application all Grant Types are selected. And, for Token types "JWT token" is selected.
Also, in the Wilma configuration the property for the JWT secret is added (PEP_TOKEN_SECRET=5e39ee34ad881b01).
I removed a few times az_domain from authzforce table in MySQL database and recreated it by adding new roles/permissions from the Keyrock GUI, but that new domain didn't solve the problem either.

I hope someone can help me. Thanks in advance.

XML returned by Policy Decision API differs from documentation.

The User and Programmer Guide shows the following response when using the Policy Decision API:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <Result>
       <Decision>Permit</Decision>
       <Status>
           <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
       </Status>
   </Result>
</Response>

but when using the API with authzforce 4.4.1b, the response is:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns5:Response xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/3.6" xmlns:ns3="http://authzforce.github.io/rest-api-model/xmlns/authz/4" xmlns:ns4="http://www.w3.org/2005/Atom" xmlns:ns5="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns6="http://authzforce.github.io/pap-dao-file/xmlns/properties/3.6">
  <ns5:Result>
    <ns5:Decision>Permit</ns5:Decision>
  </ns5:Result>
</ns5:Response>

Is authzforce returning the wrong XML or is the documentation outdated? All other examples in the guide use the same format that is returned by authzforce, so I assume it's the documentation that needs to be updated.
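The two responses above are the same XACML document with different namespace prefixes, which matters for any PEP or client that inspects the decision. The following added example, not AuthzForce project code, shows namespace-aware extraction of the Decision and StatusCode from both forms with the standard library, and a fail-closed check that treats anything other than exactly one Permit result as denied; the Indeterminate response is a constructed sample, the other two are the documents quoted in the issue.

```python
"""Namespace-aware extraction of the PDP decision from a XACML 3.0 <Response>.

Added example (not AuthzForce project code). DOCUMENTED_RESPONSE and
ACTUAL_RESPONSE are the two documents quoted in the issue above; the
Indeterminate response is a constructed sample. A client that matches on the
literal string "<Decision>" breaks on the ns5:-prefixed form; matching on the
XACML namespace handles both.
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}

DOCUMENTED_RESPONSE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
   <Result>
       <Decision>Permit</Decision>
       <Status>
           <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok" />
       </Status>
   </Result>
</Response>"""

ACTUAL_RESPONSE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns5:Response xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/3.6" xmlns:ns3="http://authzforce.github.io/rest-api-model/xmlns/authz/4" xmlns:ns4="http://www.w3.org/2005/Atom" xmlns:ns5="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns6="http://authzforce.github.io/pap-dao-file/xmlns/properties/3.6">
  <ns5:Result>
    <ns5:Decision>Permit</ns5:Decision>
  </ns5:Result>
</ns5:Response>"""

# Constructed sample: what a PDP returns when it cannot evaluate the request
INDETERMINATE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Indeterminate</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
    </Status>
  </Result>
</Response>"""


def _results(xml_text: str) -> list:
    """Parse the document and return its <Result> elements (namespace-qualified)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != f"{{{XACML_NS}}}Response":
        raise ValueError(f"not a XACML 3.0 Response: {root.tag}")
    return root.findall("x:Result", NS)


def decisions(xml_text: str) -> list:
    """All Decision values in document order, whatever prefix the producer used."""
    return [r.findtext("x:Decision", default="", namespaces=NS) for r in _results(xml_text)]


def status_code(xml_text: str):
    """StatusCode/@Value of the first Result, or None when no Status is present."""
    results = _results(xml_text)
    if not results:
        return None
    el = results[0].find("x:Status/x:StatusCode", NS)
    return None if el is None else el.get("Value")


def is_permitted(xml_text: str) -> bool:
    """Fail closed: only exactly one Result with Decision 'Permit' grants access.

    Deny, NotApplicable, Indeterminate, multiple results, an empty document or
    unparseable input are all treated as 'not permitted'.
    """
    try:
        return decisions(xml_text) == ["Permit"]
    except (ET.ParseError, ValueError):
        return False


if __name__ == "__main__":
    for name, doc in [("documented", DOCUMENTED_RESPONSE), ("actual", ACTUAL_RESPONSE),
                      ("indeterminate", INDETERMINATE_RESPONSE)]:
        print(f"{name}: decisions={decisions(doc)} status={status_code(doc)} "
              f"permitted={is_permitted(doc)}")
```

Note that the AuthzForce 4.4.1b form also omits the Status element, so a client that requires a StatusCode before accepting a decision will reject it; status_code returns None in that case rather than failing, and is_permitted decides on the Decision alone.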

Problem with the configuration of Maven POM

Hi, I'm following the steps to make an Attribute Provider (http://authzforce-ce-fiware.readthedocs.io/en/latest/UserAndProgrammersGuide.html#making-an-attribute-provider) and I'm having some problems with the fourth step. When I copy the build plugin configuration, it shows an error at the execution label. If I remove it, then it shows an error at the id label, then at the phase, etc.

This is the code:

<execution>
  <id>jaxb-generate-compile-sources</id>
  <phase>generate-sources</phase>
  <goals>
    <goal>generate</goal>
  </goals>
</execution>

And the error that Eclipse shows is this: Plugin execution not covered by lifecycle configuration: doc-examples:lambda-java-example:0.13.0:generate (execution:
jaxb-generate-compile-sources, phase: generate-sources)

Thanks.

Authzforce GE docker image is vulnerable

As per the subject of this issue, the current Authzforce GE docker image is vulnerable (e.g. see CVE-2022-29885) due to its dependence on the base tomcat:9-jre11-slim docker image, which hasn't been updated in three years and is currently unmaintained.

Unfortunately, simply building the image from another up-to-date official image doesn't work. For example, here's a log excerpt of Authzforce failing when running an image built from tomcat:9-jdk11:

2022-06-09 09:51:36,866|ERROR|main|org.springframework.web.context.ContextLoader:313|Context initialization failed|
org.springframework.beans.factory.BeanDefinitionStoreException: Unexpected exception parsing XML document from ServletContext resource [/WEB-INF/beans.xml]; nested exception is org.springframework.beans.FatalBeanException: Unresolvable class definition for NamespaceHandler class [org.apache.cxf.bus.spring.NamespaceHandler] for namespace [http://cxf.apache.org/core]; nested exception is java.lang.NoClassDefFoundError: javax/xml/ws/WebServiceFeature

I've tested several different base images, both JRE and OpenJDK based, with no success.
This GE is currently deployed on VMs hosted on FIWARE nodes and should be maintained on an updated base image for security reasons.
