org.forgerock / org.forgerock.openig

20 Nov, 2014

9 commits

  • f011fcf7   OPENIG-379 CR-5353 Improve logging when JWT sessions are using random keys and e… ... Browse Code » 
    …nsure that invalid JWT sessions are expired


git-svn-id: https://svn.forgerock.org/openig/trunk@740 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    matthew
     
  • e323e6df   Remove LogTimer on the GatewayServlet ... Browse Code » 
    Timer values should always be obtained through `timer` decorations.

git-svn-id: https://svn.forgerock.org/openig/trunk@739 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 0503020c   CR-5343 OPENIG-381 Update doc for change to global decorator config ... Browse Code » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@738 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    mark
     
  • 13b2d660   CR-5327 OPENIG-365 Doc how to configure multiple SAML SPs ... Browse Code » 
    This patch adds an appendix
that briefly describes and demonstrates
how OpenIG as a SAML 2.0 SP can support more than one application.

For future consideration I have also opened some issues
that might make this easier:
OPENIG-397, but also OPENIG-399, OPENIG-400.

git-svn-id: https://svn.forgerock.org/openig/trunk@737 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    mark
     
  • 6e866493   OPENIG-359 (CR-5294) Introduce Audit Framework ... Browse Code » 
    The audit framework is a new OpenIG API that gives to users a deeper view (and probably
a better understanding) of what's going on in the observed OpenIG system.

This is an initial version of the audit framework that only supports `Exchange` flow
observation: Filters and Handlers will send `AuditEvent` notifications both when an
Exchange enters or exists.

An `AuditEvent` is a notification that includes meta-information about the observed
component emitter of the notification (its `Name` in particular), a timestamp, the
exchange being captured and a set of tags that helps to qualify the event.

Four tags are supported out-of-the-box: `request`, `response`, `completed` and `exception`.
The user can add as many tags as wanted as part of the decoration configuration:

    "audit": "route-#1"  // add a single tag to the decorated component
    "audit": [ "super-tag", "route-#2" ] // add all of theses tags
    "audit": boolean, object, ... // any other format will be ignored

OpenIG provides a single `audit` decorator by default.

Consumers of AuditEvent are `AuditEventListener`, they have to provide their own Heaplet
implementation that extends `ConditionalListenerHeaplet`. They'll be automatically notified
of emitted AuditEvents and can (optionally) filter the received event using the `condition`
configuration attribute (condition is expressed as an `Expression` that needs to evaluate
to a boolean).

Examples of such event-filtering conditions:

    ${true}
    ${contains(tags, 'tag#1')}
    ${source.name.leaf == 'source'}

git-svn-id: https://svn.forgerock.org/openig/trunk@736 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 95f1d731   OPENIG-368 (CR-5326) Use exchange.originalUri in OAuth2ClientFilter ... Browse Code » 
    The Client filter heavily use the `exchange.request.uri` property to compute URIs.

That was causing issues because, in the set of upstream filters/handlers, someone
could have rebased the request URI (usually to globally 'redirect' the message
to the protected application). That was causing wrong URI computations (like an
OAuth2 `redirect_uri` with the hostname of the protected application, instead of
the user-facing one of OpenIG).

This changes fix this behaviour with the introduction of an immutable
`exchange.originalUri` property that is the original request URI, as received by the
web container.

The Client filter is now using this instead of the mutable one (`exchange.request.uri`).

Updated the Nascar page sample of the documentation to limit copy/paste errors.

git-svn-id: https://svn.forgerock.org/openig/trunk@735 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 19e1869d   OPENIG-326 - Revert previously introduced List as Set (no duplicate elements) ... Browse Code » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@734 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     
  • 82d70698   Modified error message from the OAuth2Utils#getScopes function as it is ... Browse Code » 
    only used by the Client Server and to uniformize the message with the
OAuth2ResourceFilter.

git-svn-id: https://svn.forgerock.org/openig/trunk@733 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     
  • cef1488f   CR-5340 OPENIG-326 The OAuth2 ResourceServer scopes is now a list of ... Browse Code » 
    expressions.

OAuth2ResourceServerFilter.java
- Replaced 'Set<String> scopes' to 'List<Expression> scopes'.
- As the AccessToken defines scopes as Set<String>,
 added a new method to getScopes from List<Expression> to Set<String>.
- InsufficientScopeChallengeHandler is no longer a field of the
OAuth2ResourceServerFilter.
- Added realm attribute to the OAuth2ResourceServerFilter.

OAuth2ResourceServerFilterTest.java
- Fixed tests according to the above modifications.
- Added unit tests with expression evaluations.

man-OAuth2ResourceServerFilter.xml
- Modified doc according to Mark's patch.

git-svn-id: https://svn.forgerock.org/openig/trunk@732 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     

19 Nov, 2014

3 commits

18 Nov, 2014

3 commits

17 Nov, 2014

2 commits

15 Nov, 2014

1 commit

14 Nov, 2014

3 commits

13 Nov, 2014

2 commits

12 Nov, 2014

4 commits

  • b4d3173e   Adding admonition graphics. ... Browse Code » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@700 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    austingene
     
  • 38836d05   OPENIG-361 Provides tools for decorators to avoid StackOverFlowErrors at creation time ... Browse Code » 
    A `StackOverFlowError` can be thrown during the Heap init when the configuration file declare
global decorators that have a heap object dependency.

When the globally enabled decorator is first created, it tries to resolve a dependency
from the heap, the heap then tries to decorate that instance, looking for the globally
declared decorator, that is not yet available since it has not finished its initialization,
so the heap think the decorator instance was not created yet and triggers another
decorator instance creation, that will itself try to resolve the dependency, looping
again and again ad nauseam.

The framework cannot provide any guards against that problem right now, the decorators
implementers have to care of this on their own and carefully craft their decorators
to avoid that problem.

The framework can only provide some limited level of support to help developers not
hitting that issue.

Introduced a new `DecoratorHeaplet` abstract class that does not resolve automatically heap
objects at creation time (no `LogSink` and `TemporaryStorage` resolution, as opposed to
`GenericHeaplet` behaviour).

Introduced a `LazyReference<T>` that encapsulate the resolution logic to allow easy
heap object resolution delaying.

Decorator implementation are encouraged to use theses 2 classes (having their `Heaplet`
extending `DecoratorHeaplet` instead of `GenericHeaplet`) and using `LazyReference` when a
heap object dependency is un-avoidable.

Moved `CaptureDecorator` to use the `LazyReference` and updated existing decorator's
heaplet to extend `DecoratorHeaplet`.

Updated javadoc to make that clear for Decorator implementers.

git-svn-id: https://svn.forgerock.org/openig/trunk@699 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 1665f94b   CR-5249 OPENIG-373 Doc how to disable caching for OAuth RS, OIDC RP ... Browse Code » 
    

git-svn-id: https://svn.forgerock.org/openig/trunk@698 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    mark
     
  • b5e0e665   CR-5246 OPENIG-362: Document client info available ... Browse Code » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@697 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    mark
     

10 Nov, 2014

1 commit

07 Nov, 2014

9 commits

  • 70a47970   OPENIG-338 ... Browse Code » 
    Wrong charset used in Entity class
- Added static UTF_8 Charset.
- Replaced newDecodedContentReader(null)
by newDecodedContentReader(UTF_8) in entity#getJson.

git-svn-id: https://svn.forgerock.org/openig/trunk@695 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    violette
     
  • 471ec570   OPENIG-336 OPENIG-350 (CCR-5078) Lazily retrieve cached user info resources in OAuth2 Client Filter ... Browse Code » 
    Without this change, the OAuth 2.0 Client Filter triggers the retrieval of
the user info resource for each request that is intercepted. It's a problem
for Identity Providers such as Google that have an allowed quota of request/sec,
because of the sudden burst of user info request.

This is even worse than that because sometimes, the intercepted request may
not even need to use theses information (think of OpenIG intercepting an
image served by the protected application and returned as-is) ...

This fix includes both a user-info resources caching for a few seconds (the
time for all requests to load a web page to be executed) and a lazy loading
of the resource (triggered the first time a downstream filter/handler access
the `user_info` structure). By default, resources are kept for 20 seconds after
the first access.

Like for OAuth2ResourceServerFilter, you can disable that cache with
`"cacheExpiration": "disabled"` in the configuration.

git-svn-id: https://svn.forgerock.org/openig/trunk@694 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • d086d2b6   OPENIG-264 Support disabling the access-token cache for OAuth2 RS Filter ... Browse Code » 
    This takes advantage of the new zero-length Duration support.
If the configuration express `zero`, `disabled` or any `0 <timeunit>`, the
access token cache will be disabled.

git-svn-id: https://svn.forgerock.org/openig/trunk@693 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 61cbf492   OPENIG-264 Supports zero-length Durations ... Browse Code » 
    That will be useful to support deactivation marker values when configuring cache timeouts.

This fix support both `zero` and `disabled` as zero-length Duration markers.
When the parsed String value also represents a zero-length duration (like `0 days and 0 ms`),
the special ZERO marker duration is returned.

Updated documentation as well.

git-svn-id: https://svn.forgerock.org/openig/trunk@692 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • be4291ed   Only style ... Browse Code » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@691 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 707ab045   Updated doc with new log samples ... Browse Code » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@690 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 2fd96997   OPENIG-371 (CR-5157) Expose the source Name to the Logger API ... Browse Code » 
    In order to facilitate OPENIG-370 (log simplification), we now expose the Name
of the log source to the Logger. This has a number of implications:
 * `LogEntry.source` has been splited into the `source` and `type` attributes.
source being the original Name and type being the type of the entry (like
`log`, `started`, `elapsed`, ...). Log messages have the `log` type and
exception's messages have the `throwable` type.
 * Logger is no more a LogSink implementation
 * LogEntry has been adapted to directly use Logger instead of LogSink (this way
it can benefit of the Logger.source attribute's value automatically)
 * Logger do not "rebase" the source name anymore: can't do that since source
is not a String anymore.
 * That solves the source duplication issue of OPENIG-370

LogSink interface has been adapted to have a source Name instead of a source
String when trying to determine if something is legible.

LogSink implementations (ConsoleLogSink and FileLogSink) have been changed to
keep an output as close as possible as what we have previously (don't want to
work on OPEN-370 yet).

git-svn-id: https://svn.forgerock.org/openig/trunk@689 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 46839327   OPENIG-371 (CR-5157) Support hierarchical names to uniquely identify heap objects ... Browse Code » 
    A Name is a recursive object based on a leaf name and a parent Name.

Each Heap as a unique Name used to scope names of the managed heap objects.
Each heap object has a unique Name whose parent is the container Heap.

The Heaplet interface has been updated to give the Name instead of just a String.

The name of each created heap is based on the resource name.

git-svn-id: https://svn.forgerock.org/openig/trunk@688 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    guillaume.sauthier
     
  • 397990d0   OPENIG-320 CR-5181 Rename KeyStore 'file' option to 'url' ... Browse Code » 
    git-svn-id: https://svn.forgerock.org/openig/trunk@687 dbb9e58e-28e6-4ce0-90e8-f11d9605b710
    matthew
     

06 Nov, 2014

2 commits

05 Nov, 2014

1 commit