org.forgerock / org.forgerock.openig

02 Dec, 2014

5 commits

  • c94f546a   OPENIG-411 Fix route reloading in case of unchecked exceptions being thrown ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@775 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • a089b789   Fix javadoc ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@774 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • ad9dae78   Write a proper error message when dealing with recursive declarations ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@773 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • a32d9777   OPENIG-389 (CR-5537) Fix "object already defined" errors for servlet registered object declarations ... Browse Dir » 
    `HeapImpl.addDefaultDeclaration()` is now the way to add default object declarations in the heap.

Default declarations are only included if no user-provided overriding declaration is
found (only works for heap declarations, not for named inline declaration).

git-svn-id: https://svn.forgerock.org/openig/trunk@772 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • bab15cbc   OPENIG-370 (CR-5528) Rework Console and File LogSinks ... Browse Dir » 
    `ConsoleLogSink` is now rendering each `LogEntry` on 2 lines with a line separator
between entries, the objective being to improve console log readability. The first line
is the header line and display the timestamp of the event (in the current system Locale),
the entry's `LogLevel` and ends with the `Name` (leaf part) of the heap object that is
the source of the log statement.

```
MON DEC 01 20:39:16 CET 2014 (INFO) _Router
Added route 'oauth2-resources.json' defined in file '/Users/guillaume/tmp/demo/config/routes/oauth2-resources.json'
------------------------------
```

Notice that a special treatment is done when logging a `Throwable`: a condensed stack
trace is printed on the console and if (and only if) the `LogSink` has been assigned
a `DEBUG` or `TRACE` level, the full stack trace is printed (independently of the
entry's level).

```
MON DEC 01 15:28:10 CET 2014 (DEBUG) ResourceServer
Initial token resolution has failed
[     OAuth2TokenException] > Initial token resolution has failed
[     OAuth2TokenException] > Authorization Server returned an error
                              (error: bad_request, description: Could not read token in CTS)

org.forgerock.openig.filter.oauth2.OAuth2TokenException: Initial token resolution has failed
  at org.forgerock.openig.filter.oauth2.cache.CachingAccessTokenResolver.resolve(CachingAccessTokenResolver.java:62)
... 33 more
------------------------------
```

A new `stream` property has been added to `ConsoleLogSink` to let the user choose
which PrintStream to use for printing messages:
 * `ERR`: Use System.err (default value, keep compatibility)
 * `OUT`: Use System.out
 * `AUTO`: Select System.out for `TRACE` to `INFO` messages, switching to System.err
   for `WARNING` and `ERROR`.

`FileLogSink` implements a machine parseable `LogEntry` rendering: each entry is on
one line and includes:
 * timestamp of the event (in the current system Locale), always have the same length
 * the entry's `LogLevel`, always 1 word, uppercase
 * the `Name` (leaf part) of the heap object that is the source of the log statement.
 * a `---` separator that segregates the beginning of the line (log statement's context)
   from the entry's message (the rest of the line)

Notice that in the case of `Throwable` printing, the full stack trace is printed as commented lines.

```
MON DEC 01 17:46:21 CET 2014 DEBUG ResourceServer --- Initial token resolution has failed
 # org.forgerock.openig.filter.oauth2.OAuth2TokenException: Initial token resolution has failed
 # 	at org.forgerock.openig.filter.oauth2.cache.CachingAccessTokenResolver.resolve(CachingAccessTokenResolver.java:62)
 # 	at org.forgerock.openig.filter.oauth2.OAuth2ResourceServerFilter.filter(OAuth2ResourceServerFilter.java:205)
 # 	at org.forgerock.openig.decoration.capture.CaptureFilter.filter(CaptureFilter.java:62)
```

git-svn-id: https://svn.forgerock.org/openig/trunk@771 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     

01 Dec, 2014

3 commits

28 Nov, 2014

4 commits

  • 21ff5479   OPENIG-401 (CR-5498) Rework decorator configuration model ... Browse Dir » 
    The decorations are now applied in a more intuitive way:

  * Local decorations are declared inside of the heap object declaration (no changes here)
    ```
    {
      "type": "Something",
      "decorator-name": "configuration ..."
    }
    ```
  * Global decorations are declared in a top-level element called `globalDecorators`
    and are inherited by sub-heap.
    ```
    "globalDecorators": {
      "decorator-name": "configuration ...",
      ...
    }
    ```
  * Top-level handler decorations are declared as top-level attributes
  ```
  "handler": "NameOfHandler"
  "decorator-name": "configuration ..."
  ```

Decorators are applied in this order:
  1. local decorations
  2. global decorations (inherited first, up to the ones declared in the requester heap)
  3. top-level reference decorations (only if the heap object is the main `handler`
     object and retrieved with `HeapImpl.getHandler()`)

Default configuration is now using the top-level reference decoration style.

git-svn-id: https://svn.forgerock.org/openig/trunk@761 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • c41f480e   OPENIG-386 (CR-5503) Introduce per-tag monitoring endpoint ... Browse Dir » 
    This audit framework application maintains hit counters on a per-tag basis.

Here is an output sample:
```
  {
      "resources": {
          "completed": 1,
          "failed": 0,
          "flowing": 0
      },
      "main": {
          "completed": 12,
          "failed": 0,
          "flowing": 1
      },
      "monitor": {
          "completed": 11,
          "failed": 0,
          "flowing": 1
      }
  }
```
`resources`, `main` and `monitor` being "non-standard" (or user-provided) tags.

git-svn-id: https://svn.forgerock.org/openig/trunk@760 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 7d2f07a4   Provide an Enum containing OpenIG's 'standard'/'managed' tag names ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@759 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 3450fa14   Fix wrong time unit for AuditEvent.timestamp (must be ms) ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@758 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     

27 Nov, 2014

1 commit

  • 8bbd0851   CR-5463 OPENIG-325 Cannot use exchange.request.uri as lvalue-expression ... Browse Dir » 
    The issue was due to the BeanELResolver involded by the use of Expression
which was unable to get the right setter to set the URI.
Solution was to create a RequestResolver, to guide it through the setters to get
the right one and to finally be able to write the uri as expected.

- added RequestResolver.class
- added unit tests for the new RequestResolver class.
- added unit tests for the AssignmentFilter about URI change.

Thanks to Guillaume for his help.

git-svn-id: https://svn.forgerock.org/openig/trunk@754 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     

20 Nov, 2014

3 commits

  • f011fcf7   OPENIG-379 CR-5353 Improve logging when JWT sessions are using random keys and e… ... Browse Dir » 
    …nsure that invalid JWT sessions are expired


git-svn-id: https://svn.forgerock.org/openig/trunk@740 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    matthew
     
  • 6e866493   OPENIG-359 (CR-5294) Introduce Audit Framework ... Browse Dir » 
    The audit framework is a new OpenIG API that gives to users a deeper view (and probably
a better understanding) of what's going on in the observed OpenIG system.

This is an initial version of the audit framework that only supports `Exchange` flow
observation: Filters and Handlers will send `AuditEvent` notifications both when an
Exchange enters or exists.

An `AuditEvent` is a notification that includes meta-information about the observed
component emitter of the notification (its `Name` in particular), a timestamp, the
exchange being captured and a set of tags that helps to qualify the event.

Four tags are supported out-of-the-box: `request`, `response`, `completed` and `exception`.
The user can add as many tags as wanted as part of the decoration configuration:

    "audit": "route-#1"  // add a single tag to the decorated component
    "audit": [ "super-tag", "route-#2" ] // add all of theses tags
    "audit": boolean, object, ... // any other format will be ignored

OpenIG provides a single `audit` decorator by default.

Consumers of AuditEvent are `AuditEventListener`, they have to provide their own Heaplet
implementation that extends `ConditionalListenerHeaplet`. They'll be automatically notified
of emitted AuditEvents and can (optionally) filter the received event using the `condition`
configuration attribute (condition is expressed as an `Expression` that needs to evaluate
to a boolean).

Examples of such event-filtering conditions:

    ${true}
    ${contains(tags, 'tag#1')}
    ${source.name.leaf == 'source'}

git-svn-id: https://svn.forgerock.org/openig/trunk@736 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 95f1d731   OPENIG-368 (CR-5326) Use exchange.originalUri in OAuth2ClientFilter ... Browse Dir » 
    The Client filter heavily use the `exchange.request.uri` property to compute URIs.

That was causing issues because, in the set of upstream filters/handlers, someone
could have rebased the request URI (usually to globally 'redirect' the message
to the protected application). That was causing wrong URI computations (like an
OAuth2 `redirect_uri` with the hostname of the protected application, instead of
the user-facing one of OpenIG).

This changes fix this behaviour with the introduction of an immutable
`exchange.originalUri` property that is the original request URI, as received by the
web container.

The Client filter is now using this instead of the mutable one (`exchange.request.uri`).

Updated the Nascar page sample of the documentation to limit copy/paste errors.

git-svn-id: https://svn.forgerock.org/openig/trunk@735 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     

19 Nov, 2014

1 commit

18 Nov, 2014

1 commit

17 Nov, 2014

2 commits

14 Nov, 2014

1 commit

13 Nov, 2014

2 commits

12 Nov, 2014

1 commit

  • 38836d05   OPENIG-361 Provides tools for decorators to avoid StackOverFlowErrors at creation time ... Browse Dir » 
    A `StackOverFlowError` can be thrown during the Heap init when the configuration file declare
global decorators that have a heap object dependency.

When the globally enabled decorator is first created, it tries to resolve a dependency
from the heap, the heap then tries to decorate that instance, looking for the globally
declared decorator, that is not yet available since it has not finished its initialization,
so the heap think the decorator instance was not created yet and triggers another
decorator instance creation, that will itself try to resolve the dependency, looping
again and again ad nauseam.

The framework cannot provide any guards against that problem right now, the decorators
implementers have to care of this on their own and carefully craft their decorators
to avoid that problem.

The framework can only provide some limited level of support to help developers not
hitting that issue.

Introduced a new `DecoratorHeaplet` abstract class that does not resolve automatically heap
objects at creation time (no `LogSink` and `TemporaryStorage` resolution, as opposed to
`GenericHeaplet` behaviour).

Introduced a `LazyReference<T>` that encapsulate the resolution logic to allow easy
heap object resolution delaying.

Decorator implementation are encouraged to use theses 2 classes (having their `Heaplet`
extending `DecoratorHeaplet` instead of `GenericHeaplet`) and using `LazyReference` when a
heap object dependency is un-avoidable.

Moved `CaptureDecorator` to use the `LazyReference` and updated existing decorator's
heaplet to extend `DecoratorHeaplet`.

Updated javadoc to make that clear for Decorator implementers.

git-svn-id: https://svn.forgerock.org/openig/trunk@699 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     

07 Nov, 2014

5 commits

  • 70a47970   OPENIG-338 ... Browse Dir » 
    Wrong charset used in Entity class
- Added static UTF_8 Charset.
- Replaced newDecodedContentReader(null)
by newDecodedContentReader(UTF_8) in entity#getJson.

git-svn-id: https://svn.forgerock.org/openig/trunk@695 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     
  • 61cbf492   OPENIG-264 Supports zero-length Durations ... Browse Dir » 
    That will be useful to support deactivation marker values when configuring cache timeouts.

This fix support both `zero` and `disabled` as zero-length Duration markers.
When the parsed String value also represents a zero-length duration (like `0 days and 0 ms`),
the special ZERO marker duration is returned.

Updated documentation as well.

git-svn-id: https://svn.forgerock.org/openig/trunk@692 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 2fd96997   OPENIG-371 (CR-5157) Expose the source Name to the Logger API ... Browse Dir » 
    In order to facilitate OPENIG-370 (log simplification), we now expose the Name
of the log source to the Logger. This has a number of implications:
 * `LogEntry.source` has been splited into the `source` and `type` attributes.
source being the original Name and type being the type of the entry (like
`log`, `started`, `elapsed`, ...). Log messages have the `log` type and
exception's messages have the `throwable` type.
 * Logger is no more a LogSink implementation
 * LogEntry has been adapted to directly use Logger instead of LogSink (this way
it can benefit of the Logger.source attribute's value automatically)
 * Logger do not "rebase" the source name anymore: can't do that since source
is not a String anymore.
 * That solves the source duplication issue of OPENIG-370

LogSink interface has been adapted to have a source Name instead of a source
String when trying to determine if something is legible.

LogSink implementations (ConsoleLogSink and FileLogSink) have been changed to
keep an output as close as possible as what we have previously (don't want to
work on OPEN-370 yet).

git-svn-id: https://svn.forgerock.org/openig/trunk@689 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 46839327   OPENIG-371 (CR-5157) Support hierarchical names to uniquely identify heap objects ... Browse Dir » 
    A Name is a recursive object based on a leaf name and a parent Name.

Each Heap as a unique Name used to scope names of the managed heap objects.
Each heap object has a unique Name whose parent is the container Heap.

The Heaplet interface has been updated to give the Name instead of just a String.

The name of each created heap is based on the resource name.

git-svn-id: https://svn.forgerock.org/openig/trunk@688 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 397990d0   OPENIG-320 CR-5181 Rename KeyStore 'file' option to 'url' ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@687 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    matthew
     

06 Nov, 2014

1 commit

05 Nov, 2014

2 commits

04 Nov, 2014

1 commit

03 Nov, 2014

2 commits

31 Oct, 2014

2 commits

30 Oct, 2014

3 commits

  • 79382cfe   OPENIG-301 Add an option to dump the exchange as part of the capture ... Browse Dir » 
    The CaptureDecorator can now be configured to additionally capture the content
of the Exchange being intercepted.

If specified, it will print the full content of the Exchange instance, excluding
the `response` and the `request` since they should be captured by another mean.
The output contains a deep view of the exchange obtained through introspection
of the class structure (this is done by the Groovy JsonOutput class).
It appears that this class doesn't support cycles very well, so, depending on
the content of the exchange, it may throw exceptions.
By default we're doing our best to remove known cycles.

By default (in the system provided `capture` decorator), this option is disabled
since it adds a lot of cruft in the logs.

git-svn-id: https://svn.forgerock.org/openig/trunk@672 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 1c809a6d   OPENIG-328 Enable the default HttpClient instance to use the TemporaryStorage co… ... Browse Dir » 
    …nfigured in the config.json

Instead of creating manually the HttpClient instance and giving it the
(also manually) created TemporaryStorage instance, we now declare an
equivalent object declaration in the heap, letting the HttpClient heaplet
resolves properly its dependencies.

git-svn-id: https://svn.forgerock.org/openig/trunk@670 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 2a48e00e   OPENIG-360 Supports false to deactivate timer in the decoration configuration ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@669 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier