org.forgerock / org.forgerock.openig

23 Mar, 2015

2 commits

06 Mar, 2015

2 commits

25 Feb, 2015

3 commits

17 Feb, 2015

1 commit

  • 8b839dd7   Add a type to Expression ... Browse Dir » 
    The type of an Expression is now given at the creation time,
which means we do not provide it anymore for the evaluation.
Furthermore, it helps the developper as it knows the expected
type of an Expression.

git-svn-id: https://svn.forgerock.org/openig/trunk@897 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    laurent.vaills
     

09 Feb, 2015

4 commits

03 Feb, 2015

1 commit

  • 24af71af   OPENIG-443 (CR-5969) Split `Json` utility class ... Browse Dir » 
    The soon-to-come Http framework needs a subset of the features provided
by `Json`: only what is related to JSON parsing/writing.
Everything else is related to `JsonValue` or more OpenIG specific types
like `Heap`, `Expression`, ...

So this is just a simple split, we now have:
 * `Json`: JSON parsing
 * `JsonValues`: OpenIG-related code

git-svn-id: https://svn.forgerock.org/openig/trunk@872 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     

29 Jan, 2015

1 commit

16 Jan, 2015

1 commit

  • 1b82ae1c   OPENIG-394 (CR-5754) Implement toString() to Expression ... Browse Dir » 
    The toString() method is now implemented and tested.
We also decide to replace Expression constructor by a more conventional valueOf(...) factory method.
A new Expression is now created by Expression exp = Expression.valueOf(<Expression string>);

git-svn-id: https://svn.forgerock.org/openig/trunk@834 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     

08 Dec, 2014

1 commit

02 Dec, 2014

1 commit

  • bab15cbc   OPENIG-370 (CR-5528) Rework Console and File LogSinks ... Browse Dir » 
    `ConsoleLogSink` is now rendering each `LogEntry` on 2 lines with a line separator
between entries, the objective being to improve console log readability. The first line
is the header line and display the timestamp of the event (in the current system Locale),
the entry's `LogLevel` and ends with the `Name` (leaf part) of the heap object that is
the source of the log statement.

```
MON DEC 01 20:39:16 CET 2014 (INFO) _Router
Added route 'oauth2-resources.json' defined in file '/Users/guillaume/tmp/demo/config/routes/oauth2-resources.json'
------------------------------
```

Notice that a special treatment is done when logging a `Throwable`: a condensed stack
trace is printed on the console and if (and only if) the `LogSink` has been assigned
a `DEBUG` or `TRACE` level, the full stack trace is printed (independently of the
entry's level).

```
MON DEC 01 15:28:10 CET 2014 (DEBUG) ResourceServer
Initial token resolution has failed
[     OAuth2TokenException] > Initial token resolution has failed
[     OAuth2TokenException] > Authorization Server returned an error
                              (error: bad_request, description: Could not read token in CTS)

org.forgerock.openig.filter.oauth2.OAuth2TokenException: Initial token resolution has failed
  at org.forgerock.openig.filter.oauth2.cache.CachingAccessTokenResolver.resolve(CachingAccessTokenResolver.java:62)
... 33 more
------------------------------
```

A new `stream` property has been added to `ConsoleLogSink` to let the user choose
which PrintStream to use for printing messages:
 * `ERR`: Use System.err (default value, keep compatibility)
 * `OUT`: Use System.out
 * `AUTO`: Select System.out for `TRACE` to `INFO` messages, switching to System.err
   for `WARNING` and `ERROR`.

`FileLogSink` implements a machine parseable `LogEntry` rendering: each entry is on
one line and includes:
 * timestamp of the event (in the current system Locale), always have the same length
 * the entry's `LogLevel`, always 1 word, uppercase
 * the `Name` (leaf part) of the heap object that is the source of the log statement.
 * a `---` separator that segregates the beginning of the line (log statement's context)
   from the entry's message (the rest of the line)

Notice that in the case of `Throwable` printing, the full stack trace is printed as commented lines.

```
MON DEC 01 17:46:21 CET 2014 DEBUG ResourceServer --- Initial token resolution has failed
 # org.forgerock.openig.filter.oauth2.OAuth2TokenException: Initial token resolution has failed
 # 	at org.forgerock.openig.filter.oauth2.cache.CachingAccessTokenResolver.resolve(CachingAccessTokenResolver.java:62)
 # 	at org.forgerock.openig.filter.oauth2.OAuth2ResourceServerFilter.filter(OAuth2ResourceServerFilter.java:205)
 # 	at org.forgerock.openig.decoration.capture.CaptureFilter.filter(CaptureFilter.java:62)
```

git-svn-id: https://svn.forgerock.org/openig/trunk@771 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     

21 Nov, 2014

2 commits

20 Nov, 2014

4 commits

  • 95f1d731   OPENIG-368 (CR-5326) Use exchange.originalUri in OAuth2ClientFilter ... Browse Dir » 
    The Client filter heavily use the `exchange.request.uri` property to compute URIs.

That was causing issues because, in the set of upstream filters/handlers, someone
could have rebased the request URI (usually to globally 'redirect' the message
to the protected application). That was causing wrong URI computations (like an
OAuth2 `redirect_uri` with the hostname of the protected application, instead of
the user-facing one of OpenIG).

This changes fix this behaviour with the introduction of an immutable
`exchange.originalUri` property that is the original request URI, as received by the
web container.

The Client filter is now using this instead of the mutable one (`exchange.request.uri`).

Updated the Nascar page sample of the documentation to limit copy/paste errors.

git-svn-id: https://svn.forgerock.org/openig/trunk@735 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 19e1869d   OPENIG-326 - Revert previously introduced List as Set (no duplicate elements) ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@734 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     
  • 82d70698   Modified error message from the OAuth2Utils#getScopes function as it is ... Browse Dir » 
    only used by the Client Server and to uniformize the message with the
OAuth2ResourceFilter.

git-svn-id: https://svn.forgerock.org/openig/trunk@733 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     
  • cef1488f   CR-5340 OPENIG-326 The OAuth2 ResourceServer scopes is now a list of ... Browse Dir » 
    expressions.

OAuth2ResourceServerFilter.java
- Replaced 'Set<String> scopes' to 'List<Expression> scopes'.
- As the AccessToken defines scopes as Set<String>,
 added a new method to getScopes from List<Expression> to Set<String>.
- InsufficientScopeChallengeHandler is no longer a field of the
OAuth2ResourceServerFilter.
- Added realm attribute to the OAuth2ResourceServerFilter.

OAuth2ResourceServerFilterTest.java
- Fixed tests according to the above modifications.
- Added unit tests with expression evaluations.

man-OAuth2ResourceServerFilter.xml
- Modified doc according to Mark's patch.

git-svn-id: https://svn.forgerock.org/openig/trunk@732 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     

18 Nov, 2014

1 commit

07 Nov, 2014

3 commits

  • 471ec570   OPENIG-336 OPENIG-350 (CCR-5078) Lazily retrieve cached user info resources in OAuth2 Client Filter ... Browse Dir » 
    Without this change, the OAuth 2.0 Client Filter triggers the retrieval of
the user info resource for each request that is intercepted. It's a problem
for Identity Providers such as Google that have an allowed quota of request/sec,
because of the sudden burst of user info request.

This is even worse than that because sometimes, the intercepted request may
not even need to use theses information (think of OpenIG intercepting an
image served by the protected application and returned as-is) ...

This fix includes both a user-info resources caching for a few seconds (the
time for all requests to load a web page to be executed) and a lazy loading
of the resource (triggered the first time a downstream filter/handler access
the `user_info` structure). By default, resources are kept for 20 seconds after
the first access.

Like for OAuth2ResourceServerFilter, you can disable that cache with
`"cacheExpiration": "disabled"` in the configuration.

git-svn-id: https://svn.forgerock.org/openig/trunk@694 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • d086d2b6   OPENIG-264 Support disabling the access-token cache for OAuth2 RS Filter ... Browse Dir » 
    This takes advantage of the new zero-length Duration support.
If the configuration express `zero`, `disabled` or any `0 <timeunit>`, the
access token cache will be disabled.

git-svn-id: https://svn.forgerock.org/openig/trunk@693 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • be4291ed   Only style ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@691 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     

05 Nov, 2014

2 commits

23 Oct, 2014

1 commit

15 Oct, 2014

3 commits

  • 68890016   Minor code cleanup. ... Browse Dir » 
    - Reorganized imports.
- Removed extra spaces.
- Closed previously 'omitted' inputstreamreader in RouteBuilder.
(OPENIG-312)

git-svn-id: https://svn.forgerock.org/openig/trunk@623 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     
  • 98500dfe   CR-4828 OPENIG-312 ... Browse Dir » 
    Consider using Jackson for parsing the JSON configuration
- Renamed JsonValueUtil to Json.
- Renamed JsonValueUtilTest to JsonTest.

git-svn-id: https://svn.forgerock.org/openig/trunk@622 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     
  • 77bed597   CR-4763 CR-4828 OPENIG-312 Consider using Jackson for parsing the JSON ... Browse Dir » 
    configuration

- Remove json simple from openig pom file configuration. (added com.fasterxml.jackson.core / databind)
- Jackson throws now IOExceptions instead of json exceptions.
- Added unit tests.
- Fixed javadoc.

git-svn-id: https://svn.forgerock.org/openig/trunk@621 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     

08 Oct, 2014

1 commit

19 Sep, 2014

1 commit

15 Sep, 2014

2 commits

  • 18535edc   OPENIG-316 (CR-4524) Improve Heap interface usability ... Browse Dir » 
    Heap.get(String):Object gains type safety

    Heap.get(String, Class<T>):T

Heap.getRequiredObject(JsonValue, Class<T>) has a shorter name

    Heap.resolve(JsonValue, Class<T>):T

Heap.getObject(JsonValue, Class<T>) is replaced by a resolve
variant that supports optional dependencies:

    Heap.resolve(JsonValue, Class<T>, boolean):T

git-svn-id: https://svn.forgerock.org/openig/trunk@572 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • a6e0cd60   OPENIG-311 OPENIG-316 (CR-4524) Support inlined declaration in the JSON configuration ... Browse Dir » 
    Inline object declarations are a mean to ease understanding of
Exchange processing.
They permit to describe anonymously, inner objects when a reference to
another heap object is required. That introduce, in the configuration
files, some hierarchical support, easing the user to mentally
represents his processing chain.

This is done in a fully backward compatible way, without requiring any
changes to existing object declarations (the one that requires other
objects through references or names).

The idea is to automatically extract inline declaration when the Heaplet
is calling the get***Object() methods: if the provided JsonValue is a
String, traditional object lookup is performed, but when the JsonValue
represents a JSONObject (a Map), we try to turn this into a normal
object declaration (just like what is done during heap initialisation).
If the given JsonValue does not describe a valid declaration, a
JsonValueException is thrown (again, just like the heap init process
is doing).

Notice that inline declarations do not require a 'name' attribute to
be specified (like anonymous Java classes), so we generate a unique name
based on the JsonPointer (represents the location of the node in
the JSON structure).

Notice that OPENIG-316 is partly resolved in this commit: HeapUtil methods
have only been moved into the Heap interface: no additional type safety,
no renaming.

git-svn-id: https://svn.forgerock.org/openig/trunk@571 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     

08 Sep, 2014

1 commit

05 Sep, 2014

1 commit

  • 7a460545   Introduce HeapletFactory service support ... Browse Dir » 
    When a new heap object instance has to be created, we first have to
find a Heaplet instance that will create the required object from the
given JSON configuration.
Heaplet instances are linked to the single object they created: they
manage the heap object lifecycle with the start() and destroy() methods.
The old behaviour was using Heaplet instances directly loaded and
instantiated, meaning that a single Heaplet instance could be used to
create multiple heap objects, somehow mixing states, which was very
wrong.

Now, HeapletFactory (instead of direct Heaplet) are found using the
ServiceLoader discovery mechanism. They are responsible to create new
Heaplet instances, meaning that we cannot anymore share a Heaplet
instance for 2 or more heap objects.

Heaplet class does not extends Indexed<Class> anymore (was only used
because of the way Heaplets was looking for Heaplet instances).
NestedHeaplet is now deprecated since its only duty was to implement the
Indexed interface. All references to NestedHeaplet were replaced to
GenericHeaplet (its parent class) in our code base to avoid ugly
compiler warnings.

As per OPENIG-302 comments, the HeapletFactory will be a short-lived
concept since this additional layer introduction was the straw that broke
the camel's back :)

Issues: OPENIG-302
Reviews: CR-4457

git-svn-id: https://svn.forgerock.org/openig/trunk@555 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     

02 Sep, 2014

1 commit