org.forgerock / org.forgerock.openig

22 Jan, 2015

2 commits

  • a2b8aba5   Trivial javadoc fix : no longer have 'objects' in 'heap'. ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@844 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     
  • b7229e8c   OPENIG-180 (CR-5830) Provide a baseURI decorator ... Browse Dir » 
    As the URI rebasing is done at different places in the code
we'd like to have a BaseUriHandler/Filter in order to factor
out the code.

Following the same scheme as the "Timer" decorator, the "baseURI"
decorator is created by default in the Gateway Servlet.
(Named "baseUri" and created at startup time in the top-level heap.)

* GatewayServlet.class, Route.class
The creation of the "baseUri" decorator means the attribute
class 'baseURI' is no longer needed as the URI rebasing is now
directly done by the decorator. In the other hand,
the heap initialization performed within both class constructors,
contained a list of reservedFieldNames where the 'baseURI'was present.
It has been removed from there as it is now a global decorator.

* RouteTest.java
Removed unit test 'testRouteIsRebasingTheRequestUri'(Duplicated
in the RouteBuilder test, and the RouteBuilder has the responsability
to apply decorators).

git-svn-id: https://svn.forgerock.org/openig/trunk@843 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     

20 Jan, 2015

1 commit

  • dcfbc791   OPENIG-315 Complete the fix for empty messages ... Browse Dir » 
    The previous commit introduced a regression, especially for GET messages
being sent with an empty entity where they should have no entity at all.

They were being falsely detected as messages with content because we were
comparing `EMPTY_STREAM` with `Entity.head` (the branched content) instead
of the `Entity.trunk` (`head` being re-created every time OpenIG tries to read
the content, so in the `HttpBasicAuthFilter` for example, we push the Entity,
then delegates to the next handler in chain, so when message is sent, the
`head` is != from the `trunk` and cannot be == to `EMPTY_STREAM`)

I could not reliably reproduce that in a unit test with a real HTTP Server
because the failure also need the HTTPClient to re-use the same connection
for 2 consecutive messages. Thus, I only added a small `Entity` unit test
to make sure that `Entity.mayContainData()` behave correct even when the
entity is pushed/popped.

git-svn-id: https://svn.forgerock.org/openig/trunk@838 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     

19 Jan, 2015

2 commits

16 Jan, 2015

2 commits

  • 1b82ae1c   OPENIG-394 (CR-5754) Implement toString() to Expression ... Browse Dir » 
    The toString() method is now implemented and tested.
We also decide to replace Expression constructor by a more conventional valueOf(...) factory method.
A new Expression is now created by Expression exp = Expression.valueOf(<Expression string>);

git-svn-id: https://svn.forgerock.org/openig/trunk@834 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     
  • 3a864f31   OPENIG-315 (CR-5787) Fix non-empty messages being considered as empty ... Browse Dir » 
    The `Entity.isEmpty()` method relied on `InputStream.available()` returning
something different of `0` (zero) to detect if the entity was empty or not.
This technic is not reliable enough since the javadoc clearly states that
this return the number of bytes that can be read **without blocking**, that
means that the result of this method depends on the network (and to some
extension to the web container), not entirely on the message.

The idea here is to now check if the wrapped stream is the `EMPTY_STREAM` instance
to detect if the entity is empty or not.
This is better than the old solution because we don't rely anymore on an external
`InputStream` implementation, but that will not detect a user provided stream with
no data inside. This is why `isEmpty()` has been renamed to `mayContainData()`.
There is also a new `setEmpty()` method to mark the entity as empty (simply assign
`EMPTY_STREAM` to the wrapped stram field).

git-svn-id: https://svn.forgerock.org/openig/trunk@833 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     

13 Jan, 2015

5 commits

02 Dec, 2014

5 commits

  • c94f546a   OPENIG-411 Fix route reloading in case of unchecked exceptions being thrown ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@775 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • a089b789   Fix javadoc ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@774 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • ad9dae78   Write a proper error message when dealing with recursive declarations ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@773 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • a32d9777   OPENIG-389 (CR-5537) Fix "object already defined" errors for servlet registered object declarations ... Browse Dir » 
    `HeapImpl.addDefaultDeclaration()` is now the way to add default object declarations in the heap.

Default declarations are only included if no user-provided overriding declaration is
found (only works for heap declarations, not for named inline declaration).

git-svn-id: https://svn.forgerock.org/openig/trunk@772 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • bab15cbc   OPENIG-370 (CR-5528) Rework Console and File LogSinks ... Browse Dir » 
    `ConsoleLogSink` is now rendering each `LogEntry` on 2 lines with a line separator
between entries, the objective being to improve console log readability. The first line
is the header line and display the timestamp of the event (in the current system Locale),
the entry's `LogLevel` and ends with the `Name` (leaf part) of the heap object that is
the source of the log statement.

```
MON DEC 01 20:39:16 CET 2014 (INFO) _Router
Added route 'oauth2-resources.json' defined in file '/Users/guillaume/tmp/demo/config/routes/oauth2-resources.json'
------------------------------
```

Notice that a special treatment is done when logging a `Throwable`: a condensed stack
trace is printed on the console and if (and only if) the `LogSink` has been assigned
a `DEBUG` or `TRACE` level, the full stack trace is printed (independently of the
entry's level).

```
MON DEC 01 15:28:10 CET 2014 (DEBUG) ResourceServer
Initial token resolution has failed
[     OAuth2TokenException] > Initial token resolution has failed
[     OAuth2TokenException] > Authorization Server returned an error
                              (error: bad_request, description: Could not read token in CTS)

org.forgerock.openig.filter.oauth2.OAuth2TokenException: Initial token resolution has failed
  at org.forgerock.openig.filter.oauth2.cache.CachingAccessTokenResolver.resolve(CachingAccessTokenResolver.java:62)
... 33 more
------------------------------
```

A new `stream` property has been added to `ConsoleLogSink` to let the user choose
which PrintStream to use for printing messages:
 * `ERR`: Use System.err (default value, keep compatibility)
 * `OUT`: Use System.out
 * `AUTO`: Select System.out for `TRACE` to `INFO` messages, switching to System.err
   for `WARNING` and `ERROR`.

`FileLogSink` implements a machine parseable `LogEntry` rendering: each entry is on
one line and includes:
 * timestamp of the event (in the current system Locale), always have the same length
 * the entry's `LogLevel`, always 1 word, uppercase
 * the `Name` (leaf part) of the heap object that is the source of the log statement.
 * a `---` separator that segregates the beginning of the line (log statement's context)
   from the entry's message (the rest of the line)

Notice that in the case of `Throwable` printing, the full stack trace is printed as commented lines.

```
MON DEC 01 17:46:21 CET 2014 DEBUG ResourceServer --- Initial token resolution has failed
 # org.forgerock.openig.filter.oauth2.OAuth2TokenException: Initial token resolution has failed
 # 	at org.forgerock.openig.filter.oauth2.cache.CachingAccessTokenResolver.resolve(CachingAccessTokenResolver.java:62)
 # 	at org.forgerock.openig.filter.oauth2.OAuth2ResourceServerFilter.filter(OAuth2ResourceServerFilter.java:205)
 # 	at org.forgerock.openig.decoration.capture.CaptureFilter.filter(CaptureFilter.java:62)
```

git-svn-id: https://svn.forgerock.org/openig/trunk@771 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     

01 Dec, 2014

3 commits

28 Nov, 2014

4 commits

  • 21ff5479   OPENIG-401 (CR-5498) Rework decorator configuration model ... Browse Dir » 
    The decorations are now applied in a more intuitive way:

  * Local decorations are declared inside of the heap object declaration (no changes here)
    ```
    {
      "type": "Something",
      "decorator-name": "configuration ..."
    }
    ```
  * Global decorations are declared in a top-level element called `globalDecorators`
    and are inherited by sub-heap.
    ```
    "globalDecorators": {
      "decorator-name": "configuration ...",
      ...
    }
    ```
  * Top-level handler decorations are declared as top-level attributes
  ```
  "handler": "NameOfHandler"
  "decorator-name": "configuration ..."
  ```

Decorators are applied in this order:
  1. local decorations
  2. global decorations (inherited first, up to the ones declared in the requester heap)
  3. top-level reference decorations (only if the heap object is the main `handler`
     object and retrieved with `HeapImpl.getHandler()`)

Default configuration is now using the top-level reference decoration style.

git-svn-id: https://svn.forgerock.org/openig/trunk@761 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • c41f480e   OPENIG-386 (CR-5503) Introduce per-tag monitoring endpoint ... Browse Dir » 
    This audit framework application maintains hit counters on a per-tag basis.

Here is an output sample:
```
  {
      "resources": {
          "completed": 1,
          "failed": 0,
          "flowing": 0
      },
      "main": {
          "completed": 12,
          "failed": 0,
          "flowing": 1
      },
      "monitor": {
          "completed": 11,
          "failed": 0,
          "flowing": 1
      }
  }
```
`resources`, `main` and `monitor` being "non-standard" (or user-provided) tags.

git-svn-id: https://svn.forgerock.org/openig/trunk@760 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 7d2f07a4   Provide an Enum containing OpenIG's 'standard'/'managed' tag names ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@759 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 3450fa14   Fix wrong time unit for AuditEvent.timestamp (must be ms) ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@758 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     

27 Nov, 2014

1 commit

  • 8bbd0851   CR-5463 OPENIG-325 Cannot use exchange.request.uri as lvalue-expression ... Browse Dir » 
    The issue was due to the BeanELResolver involded by the use of Expression
which was unable to get the right setter to set the URI.
Solution was to create a RequestResolver, to guide it through the setters to get
the right one and to finally be able to write the uri as expected.

- added RequestResolver.class
- added unit tests for the new RequestResolver class.
- added unit tests for the AssignmentFilter about URI change.

Thanks to Guillaume for his help.

git-svn-id: https://svn.forgerock.org/openig/trunk@754 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     

20 Nov, 2014

3 commits

  • f011fcf7   OPENIG-379 CR-5353 Improve logging when JWT sessions are using random keys and e… ... Browse Dir » 
    …nsure that invalid JWT sessions are expired


git-svn-id: https://svn.forgerock.org/openig/trunk@740 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    matthew
     
  • 6e866493   OPENIG-359 (CR-5294) Introduce Audit Framework ... Browse Dir » 
    The audit framework is a new OpenIG API that gives to users a deeper view (and probably
a better understanding) of what's going on in the observed OpenIG system.

This is an initial version of the audit framework that only supports `Exchange` flow
observation: Filters and Handlers will send `AuditEvent` notifications both when an
Exchange enters or exists.

An `AuditEvent` is a notification that includes meta-information about the observed
component emitter of the notification (its `Name` in particular), a timestamp, the
exchange being captured and a set of tags that helps to qualify the event.

Four tags are supported out-of-the-box: `request`, `response`, `completed` and `exception`.
The user can add as many tags as wanted as part of the decoration configuration:

    "audit": "route-#1"  // add a single tag to the decorated component
    "audit": [ "super-tag", "route-#2" ] // add all of theses tags
    "audit": boolean, object, ... // any other format will be ignored

OpenIG provides a single `audit` decorator by default.

Consumers of AuditEvent are `AuditEventListener`, they have to provide their own Heaplet
implementation that extends `ConditionalListenerHeaplet`. They'll be automatically notified
of emitted AuditEvents and can (optionally) filter the received event using the `condition`
configuration attribute (condition is expressed as an `Expression` that needs to evaluate
to a boolean).

Examples of such event-filtering conditions:

    ${true}
    ${contains(tags, 'tag#1')}
    ${source.name.leaf == 'source'}

git-svn-id: https://svn.forgerock.org/openig/trunk@736 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 95f1d731   OPENIG-368 (CR-5326) Use exchange.originalUri in OAuth2ClientFilter ... Browse Dir » 
    The Client filter heavily use the `exchange.request.uri` property to compute URIs.

That was causing issues because, in the set of upstream filters/handlers, someone
could have rebased the request URI (usually to globally 'redirect' the message
to the protected application). That was causing wrong URI computations (like an
OAuth2 `redirect_uri` with the hostname of the protected application, instead of
the user-facing one of OpenIG).

This changes fix this behaviour with the introduction of an immutable
`exchange.originalUri` property that is the original request URI, as received by the
web container.

The Client filter is now using this instead of the mutable one (`exchange.request.uri`).

Updated the Nascar page sample of the documentation to limit copy/paste errors.

git-svn-id: https://svn.forgerock.org/openig/trunk@735 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     

19 Nov, 2014

1 commit

18 Nov, 2014

1 commit

17 Nov, 2014

2 commits

14 Nov, 2014

1 commit

13 Nov, 2014

2 commits

12 Nov, 2014

1 commit

  • 38836d05   OPENIG-361 Provides tools for decorators to avoid StackOverFlowErrors at creation time ... Browse Dir » 
    A `StackOverFlowError` can be thrown during the Heap init when the configuration file declare
global decorators that have a heap object dependency.

When the globally enabled decorator is first created, it tries to resolve a dependency
from the heap, the heap then tries to decorate that instance, looking for the globally
declared decorator, that is not yet available since it has not finished its initialization,
so the heap think the decorator instance was not created yet and triggers another
decorator instance creation, that will itself try to resolve the dependency, looping
again and again ad nauseam.

The framework cannot provide any guards against that problem right now, the decorators
implementers have to care of this on their own and carefully craft their decorators
to avoid that problem.

The framework can only provide some limited level of support to help developers not
hitting that issue.

Introduced a new `DecoratorHeaplet` abstract class that does not resolve automatically heap
objects at creation time (no `LogSink` and `TemporaryStorage` resolution, as opposed to
`GenericHeaplet` behaviour).

Introduced a `LazyReference<T>` that encapsulate the resolution logic to allow easy
heap object resolution delaying.

Decorator implementation are encouraged to use theses 2 classes (having their `Heaplet`
extending `DecoratorHeaplet` instead of `GenericHeaplet`) and using `LazyReference` when a
heap object dependency is un-avoidable.

Moved `CaptureDecorator` to use the `LazyReference` and updated existing decorator's
heaplet to extend `DecoratorHeaplet`.

Updated javadoc to make that clear for Decorator implementers.

git-svn-id: https://svn.forgerock.org/openig/trunk@699 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     

07 Nov, 2014

4 commits

  • 70a47970   OPENIG-338 ... Browse Dir » 
    Wrong charset used in Entity class
- Added static UTF_8 Charset.
- Replaced newDecodedContentReader(null)
by newDecodedContentReader(UTF_8) in entity#getJson.

git-svn-id: https://svn.forgerock.org/openig/trunk@695 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     
  • 61cbf492   OPENIG-264 Supports zero-length Durations ... Browse Dir » 
    That will be useful to support deactivation marker values when configuring cache timeouts.

This fix support both `zero` and `disabled` as zero-length Duration markers.
When the parsed String value also represents a zero-length duration (like `0 days and 0 ms`),
the special ZERO marker duration is returned.

Updated documentation as well.

git-svn-id: https://svn.forgerock.org/openig/trunk@692 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 2fd96997   OPENIG-371 (CR-5157) Expose the source Name to the Logger API ... Browse Dir » 
    In order to facilitate OPENIG-370 (log simplification), we now expose the Name
of the log source to the Logger. This has a number of implications:
 * `LogEntry.source` has been splited into the `source` and `type` attributes.
source being the original Name and type being the type of the entry (like
`log`, `started`, `elapsed`, ...). Log messages have the `log` type and
exception's messages have the `throwable` type.
 * Logger is no more a LogSink implementation
 * LogEntry has been adapted to directly use Logger instead of LogSink (this way
it can benefit of the Logger.source attribute's value automatically)
 * Logger do not "rebase" the source name anymore: can't do that since source
is not a String anymore.
 * That solves the source duplication issue of OPENIG-370

LogSink interface has been adapted to have a source Name instead of a source
String when trying to determine if something is legible.

LogSink implementations (ConsoleLogSink and FileLogSink) have been changed to
keep an output as close as possible as what we have previously (don't want to
work on OPEN-370 yet).

git-svn-id: https://svn.forgerock.org/openig/trunk@689 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 46839327   OPENIG-371 (CR-5157) Support hierarchical names to uniquely identify heap objects ... Browse Dir » 
    A Name is a recursive object based on a leaf name and a parent Name.

Each Heap as a unique Name used to scope names of the managed heap objects.
Each heap object has a unique Name whose parent is the container Heap.

The Heaplet interface has been updated to give the Name instead of just a String.

The name of each created heap is based on the resource name.

git-svn-id: https://svn.forgerock.org/openig/trunk@688 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier