org.forgerock / org.forgerock.openig

02 Dec, 2014

7 commits

25c457c0 OPENIG-412 Fix logoutURI property description ... Browse Code »
```
Reviewed onscreen by Jean-Charles.

git-svn-id: https://svn.forgerock.org/openig/trunk@776 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
mark
2014-12-02 17:43:40 +0000
c94f546a OPENIG-411 Fix route reloading in case of unchecked exceptions being thrown ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@775 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
guillaume.sauthier
2014-12-02 17:04:19 +0000
a089b789 Fix javadoc ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@774 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
guillaume.sauthier
2014-12-02 16:00:13 +0000
ad9dae78 Write a proper error message when dealing with recursive declarations ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@773 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
guillaume.sauthier
2014-12-02 16:00:06 +0000

a32d9777 OPENIG-389 (CR-5537) Fix "object already defined" errors for servlet registered object declarations ... Browse Code »

`HeapImpl.addDefaultDeclaration()` is now the way to add default object declarations in the heap.

Default declarations are only included if no user-provided overriding declaration is
found (only works for heap declarations, not for named inline declaration).

git-svn-id: https://svn.forgerock.org/openig/trunk@772 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-12-02 15:59:58 +0000

bab15cbc OPENIG-370 (CR-5528) Rework Console and File LogSinks ... Browse Code »

`ConsoleLogSink` is now rendering each `LogEntry` on 2 lines with a line separator
between entries, the objective being to improve console log readability. The first line
is the header line and display the timestamp of the event (in the current system Locale),
the entry's `LogLevel` and ends with the `Name` (leaf part) of the heap object that is
the source of the log statement.

```
MON DEC 01 20:39:16 CET 2014 (INFO) _Router
Added route 'oauth2-resources.json' defined in file '/Users/guillaume/tmp/demo/config/routes/oauth2-resources.json'
------------------------------
```

Notice that a special treatment is done when logging a `Throwable`: a condensed stack
trace is printed on the console and if (and only if) the `LogSink` has been assigned
a `DEBUG` or `TRACE` level, the full stack trace is printed (independently of the
entry's level).

```
MON DEC 01 15:28:10 CET 2014 (DEBUG) ResourceServer
Initial token resolution has failed
[     OAuth2TokenException] > Initial token resolution has failed
[     OAuth2TokenException] > Authorization Server returned an error
                              (error: bad_request, description: Could not read token in CTS)

org.forgerock.openig.filter.oauth2.OAuth2TokenException: Initial token resolution has failed
  at org.forgerock.openig.filter.oauth2.cache.CachingAccessTokenResolver.resolve(CachingAccessTokenResolver.java:62)
... 33 more
------------------------------
```

A new `stream` property has been added to `ConsoleLogSink` to let the user choose
which PrintStream to use for printing messages:
 * `ERR`: Use System.err (default value, keep compatibility)
 * `OUT`: Use System.out
 * `AUTO`: Select System.out for `TRACE` to `INFO` messages, switching to System.err
   for `WARNING` and `ERROR`.

`FileLogSink` implements a machine parseable `LogEntry` rendering: each entry is on
one line and includes:
 * timestamp of the event (in the current system Locale), always have the same length
 * the entry's `LogLevel`, always 1 word, uppercase
 * the `Name` (leaf part) of the heap object that is the source of the log statement.
 * a `---` separator that segregates the beginning of the line (log statement's context)
   from the entry's message (the rest of the line)

Notice that in the case of `Throwable` printing, the full stack trace is printed as commented lines.

```
MON DEC 01 17:46:21 CET 2014 DEBUG ResourceServer --- Initial token resolution has failed
 # org.forgerock.openig.filter.oauth2.OAuth2TokenException: Initial token resolution has failed
 # 	at org.forgerock.openig.filter.oauth2.cache.CachingAccessTokenResolver.resolve(CachingAccessTokenResolver.java:62)
 # 	at org.forgerock.openig.filter.oauth2.OAuth2ResourceServerFilter.filter(OAuth2ResourceServerFilter.java:205)
 # 	at org.forgerock.openig.decoration.capture.CaptureFilter.filter(CaptureFilter.java:62)
```

git-svn-id: https://svn.forgerock.org/openig/trunk@771 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-12-02 15:59:45 +0000

43d750fb CR-5513 OPENIG-408 Update doc for refinement of decorators ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@770 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
mark
2014-12-02 07:15:24 +0000

01 Dec, 2014

4 commits

f953f701 Rename Monitoring endpoint JSON properties ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@769 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
guillaume.sauthier
2014-12-01 20:24:08 +0000

350f79c1 OPENIG-385 Mention audit features in the release notes ... Browse Code »

Minor updates reviewed by Guillaume

The expectation is that OpenIG will expose endpoints like this under /openig.

git-svn-id: https://svn.forgerock.org/openig/trunk@768 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-12-01 15:50:19 +0000

a0e2359e OPENIG-150 Added a unit test for the Dispatch Handler where the uri ... Browse Code »
```
contains a port number.

git-svn-id: https://svn.forgerock.org/openig/trunk@767 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
violette
2014-12-01 12:50:48 +0000

25aba171 CR-5515 OPENIG-150 'Host' Http header does not reflect changes in target URI ... Browse Code »

Indeed, the host http header wasn't replaced when doing a rebaseUri,
but not only in this case, with the setUri too.
To solve this problem, a simple fix would be to do an update of the headers
when getting them.

- A unit test has been added for the DispatchHandler case.

git-svn-id: https://svn.forgerock.org/openig/trunk@766 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-12-01 09:04:09 +0000

28 Nov, 2014

9 commits

6d7ec122 OPENIG-385 Mention audit features in the release notes ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@765 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
mark
2014-11-28 16:32:41 +0000
e0d3a992 CR-5512 OPENIG-385: Document new auditing capabilities ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@764 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
mark
2014-11-28 16:13:35 +0000
f1ef6b96 Typo/missing capture decoration ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@763 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
mark
2014-11-28 14:29:53 +0000
13db39c1 List Filters alphabetically in the Reference ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@762 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
mark
2014-11-28 13:39:29 +0000

21ff5479 OPENIG-401 (CR-5498) Rework decorator configuration model ... Browse Code »

The decorations are now applied in a more intuitive way:

  * Local decorations are declared inside of the heap object declaration (no changes here)
    ```
    {
      "type": "Something",
      "decorator-name": "configuration ..."
    }
    ```
  * Global decorations are declared in a top-level element called `globalDecorators`
    and are inherited by sub-heap.
    ```
    "globalDecorators": {
      "decorator-name": "configuration ...",
      ...
    }
    ```
  * Top-level handler decorations are declared as top-level attributes
  ```
  "handler": "NameOfHandler"
  "decorator-name": "configuration ..."
  ```

Decorators are applied in this order:
  1. local decorations
  2. global decorations (inherited first, up to the ones declared in the requester heap)
  3. top-level reference decorations (only if the heap object is the main `handler`
     object and retrieved with `HeapImpl.getHandler()`)

Default configuration is now using the top-level reference decoration style.

git-svn-id: https://svn.forgerock.org/openig/trunk@761 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-11-28 10:56:48 +0000

c41f480e OPENIG-386 (CR-5503) Introduce per-tag monitoring endpoint ... Browse Code »

This audit framework application maintains hit counters on a per-tag basis.

Here is an output sample:
```
  {
      "resources": {
          "completed": 1,
          "failed": 0,
          "flowing": 0
      },
      "main": {
          "completed": 12,
          "failed": 0,
          "flowing": 1
      },
      "monitor": {
          "completed": 11,
          "failed": 0,
          "flowing": 1
      }
  }
```
`resources`, `main` and `monitor` being "non-standard" (or user-provided) tags.

git-svn-id: https://svn.forgerock.org/openig/trunk@760 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-11-28 10:13:43 +0000

7d2f07a4 Provide an Enum containing OpenIG's 'standard'/'managed' tag names ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@759 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
guillaume.sauthier
2014-11-28 10:12:47 +0000
3450fa14 Fix wrong time unit for AuditEvent.timestamp (must be ms) ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@758 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
guillaume.sauthier
2014-11-28 10:12:19 +0000

d2c5efab Fix regression introduced by r756 ... Browse Code »

The `307` status code is a temporary redirect and is processed by the UA as
a complete request replay (including method, form params, ...).

`302`, on the other hand simply expects the UA to `GET` the provided `Location` Uri value.

git-svn-id: https://svn.forgerock.org/openig/trunk@757 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-11-28 10:11:51 +0000

27 Nov, 2014

3 commits

b82d500c OPENIG-384 Use OpenIG session, request and response instead of servlet's objects ... Browse Code »

Reserve real usage of HttpServletRequest and HttpServletResponse objects for
Fedlet classes only.

Session attributes' variables `subjectMapping`, `sessionIndexMapping`,
`authnContext` and all of the `attributeMapping` values are now stored in
the OpenIG Session object (instead of the `HttpSession`). That makes it possible
to use theses values inside OpenIG configuration files (through `Expression`).

git-svn-id: https://svn.forgerock.org/openig/trunk@756 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-11-27 14:31:12 +0000

ab2d3099 OPENIG-384 Merge FederationServlet into SamlFederationHandler (no other changes) ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@755 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
guillaume.sauthier
2014-11-27 14:31:05 +0000

8bbd0851 CR-5463 OPENIG-325 Cannot use exchange.request.uri as lvalue-expression ... Browse Code »

The issue was due to the BeanELResolver involded by the use of Expression
which was unable to get the right setter to set the URI.
Solution was to create a RequestResolver, to guide it through the setters to get
the right one and to finally be able to write the uri as expected.

- added RequestResolver.class
- added unit tests for the new RequestResolver class.
- added unit tests for the AssignmentFilter about URI change.

Thanks to Guillaume for his help.

git-svn-id: https://svn.forgerock.org/openig/trunk@754 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-11-27 10:54:32 +0000

26 Nov, 2014

1 commit

072f2833 OPENIG-403 Doc use of unique session field names for SAML SPs ... Browse Code »

Additional fix suggested and reviewed by Guillaume over IM

git-svn-id: https://svn.forgerock.org/openig/trunk@752 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-11-26 09:14:44 +0000

25 Nov, 2014

5 commits

79b6c965 CR-5446 OPENIG-390 Move DumpExchange.groovy out of docs ... Browse Code »

Now that we have a CaptureDecorator to capture the exchange,
we do not need to document a script for doing the same thing.

In working on this issue, it also became apparent
that these examples did not call for dumping the exchange anyway.


git-svn-id: https://svn.forgerock.org/openig/trunk@751 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-11-25 16:56:06 +0000

77dd58c6 CR-5444 OPENIG-403 Doc use of unique session field names for SAML SPs ... Browse Code »

A SamlFederationHandler maps data from the assertion
into the exchange.session object.

With multiple SP configurations, it is important to use unique field names
for mapped data to avoid one handler from overwriting another's session data.

This patch fixes the doc to account for that requirement.

git-svn-id: https://svn.forgerock.org/openig/trunk@750 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-11-25 15:41:01 +0000

6ea2e38d CR-5426 OPENIG-402 Update DESKEY gen steps for OpenAM 12 ... Browse Code »

This patch anticipates the release of OpenAM 12.
I'm hoping that
http://sources.forgerock.org/browse/openam/trunk/openam/pom.xml?hb=true#to123
does not change before release. 


git-svn-id: https://svn.forgerock.org/openig/trunk@749 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-11-25 11:23:15 +0000

e0cab7fd CR-5424 OPENIG-396 Correct doc for logSink used by a TimerDecorator ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@748 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
mark
2014-11-25 11:20:42 +0000
4c9435d5 CR-5423 OPENIG-392 Document exchange.originalUri ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@747 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
mark
2014-11-25 11:18:30 +0000

24 Nov, 2014

1 commit

2c656823 Reformat XML without material changes to content ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@746 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
mark
2014-11-24 16:48:53 +0000

22 Nov, 2014

1 commit

e9c0ea30 CR-5398 OPENIG-388 Document that empty heap is optional ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@745 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
mark
2014-11-22 05:11:47 +0000

21 Nov, 2014

3 commits

55fd7118 Code simplification ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@744 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
guillaume.sauthier
2014-11-21 21:17:26 +0000

28c72a3c OPENIG-269 (CR-5396) Fix erroneous OAuth 2.0 error codes ... Browse Code »

Issues an `invalid_request` when there are multiple `Authorization` headers.
Issues an `invalid_token` when there is no bearer token and when the token
can't be resolved (for any reason: expiration, revocation, plain wrong token, ...)

git-svn-id: https://svn.forgerock.org/openig/trunk@743 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-11-21 21:17:04 +0000

845e23c0 CR-5379 OPENIG-387 Document removal of "objects" layer from heap ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@742 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
mark
2014-11-21 09:14:36 +0000

20 Nov, 2014

6 commits

98574eb1 Placate checkstyle ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@741 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
mark
2014-11-20 16:49:21 +0000
f011fcf7 OPENIG-379 CR-5353 Improve logging when JWT sessions are using random keys and e… ... Browse Code »
```
…nsure that invalid JWT sessions are expired


git-svn-id: https://svn.forgerock.org/openig/trunk@740 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
matthew
2014-11-20 16:05:07 +0000

e323e6df Remove LogTimer on the GatewayServlet ... Browse Code »

Timer values should always be obtained through `timer` decorations.

git-svn-id: https://svn.forgerock.org/openig/trunk@739 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-11-20 15:44:50 +0000

0503020c CR-5343 OPENIG-381 Update doc for change to global decorator config ... Browse Code »
```
git-svn-id: https://svn.forgerock.org/openig/trunk@738 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
```
mark
2014-11-20 15:42:38 +0000

13b2d660 CR-5327 OPENIG-365 Doc how to configure multiple SAML SPs ... Browse Code »

This patch adds an appendix
that briefly describes and demonstrates
how OpenIG as a SAML 2.0 SP can support more than one application.

For future consideration I have also opened some issues
that might make this easier:
OPENIG-397, but also OPENIG-399, OPENIG-400.

git-svn-id: https://svn.forgerock.org/openig/trunk@737 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-11-20 15:34:20 +0000

6e866493 OPENIG-359 (CR-5294) Introduce Audit Framework ... Browse Code »

The audit framework is a new OpenIG API that gives to users a deeper view (and probably
a better understanding) of what's going on in the observed OpenIG system.

This is an initial version of the audit framework that only supports `Exchange` flow
observation: Filters and Handlers will send `AuditEvent` notifications both when an
Exchange enters or exists.

An `AuditEvent` is a notification that includes meta-information about the observed
component emitter of the notification (its `Name` in particular), a timestamp, the
exchange being captured and a set of tags that helps to qualify the event.

Four tags are supported out-of-the-box: `request`, `response`, `completed` and `exception`.
The user can add as many tags as wanted as part of the decoration configuration:

    "audit": "route-#1"  // add a single tag to the decorated component
    "audit": [ "super-tag", "route-#2" ] // add all of theses tags
    "audit": boolean, object, ... // any other format will be ignored

OpenIG provides a single `audit` decorator by default.

Consumers of AuditEvent are `AuditEventListener`, they have to provide their own Heaplet
implementation that extends `ConditionalListenerHeaplet`. They'll be automatically notified
of emitted AuditEvents and can (optionally) filter the received event using the `condition`
configuration attribute (condition is expressed as an `Expression` that needs to evaluate
to a boolean).

Examples of such event-filtering conditions:

    ${true}
    ${contains(tags, 'tag#1')}
    ${source.name.leaf == 'source'}

git-svn-id: https://svn.forgerock.org/openig/trunk@736 dbb9e58e-28e6-4ce0-90e8-f11d9605b710

2014-11-20 15:25:21 +0000