AuthzForce Server (Community Edition)
AuthzForce Server provides a multi-tenant RESTful API to Policy Administration Points (PAP) and Policy Decision Points (PDP) supporting Attribute-Based Access Control (ABAC), as defined in the OASIS XACML 3.0 standard.
This project is part of FIWARE. For more information check the FIWARE Catalogue entry for Security.
Go to the releases page for specific release info: downloads (Linux packages), Docker image, release notes, and documentation.
The roadmap of this FIWARE GE is described here.
If you are interested in using an embedded XACML-compliant PDP in your Java applications, AuthzForce also provides a PDP engine as a Java library in Authzforce core project.
Documentation | Academy | Docker Hub | Roadmap
Supported XACML 3.0 profiles and extensions:
- Multiple Decision Profile, repeated attribute categories (`urn:oasis:names:tc:xacml:3.0:profile:multiple:repeated-attribute-categories`);
- DLP/NAC Profile: the `dnsName-value` datatype and `dnsName-value-equal` function are supported;
- Additional Combining Algorithms Profile: the `on-permit-apply-second` policy combining algorithm;
- Multiple Decision Profile, requests for a combined decision (`urn:oasis:names:tc:xacml:3.0:profile:multiple:combined-decision`).

Performance options:
- Optional strict multivalued attribute parsing: if enabled, multivalued attributes must be formed by grouping all `AttributeValue` elements in the same Attribute element (instead of duplicate Attribute elements); this does not fully comply with the XACML 3.0 Core specification of multivalued attributes (§7.3.3), but it usually performs better than the default mode since it simplifies the parsing of attribute values in the request.
- Optional strict attribute Issuer matching: if enabled, AttributeDesignators without Issuer only match request Attributes without Issuer (and same AttributeId, Category...); this option is not fully compliant with XACML 3.0, §5.29, in the case that the Issuer is indeed not present on an AttributeDesignator, but it is the recommended option when all AttributeDesignators have an Issuer (the XACML 3.0 specification (§5.29) says: "If the Issuer is not present in the attribute designator, then the matching of the attribute to the named attribute SHALL be governed by AttributeId and DataType attributes alone.").

PIP (Policy Information Point): AuthzForce provides XACML PIP features in the form of Attribute Providers. More information in the previous section.
Supported content types:
- `application/xml`: XML based on the API schema;
- `application/fastinfoset`: Fast Infoset based on the API's XML schema;
- `application/json`: JSON based on the API's XML schema with a generic XML-to-JSON mapping convention;
- `application/xacml+xml`: XACML content only, as defined by RFC 7061;
- `application/xacml+json`: JSON format for XACML Request/Response, on the PDP only, as defined by XACML v3.0 - JSON Profile Version 1.0.
The following optional features from the XACML v3.0 Core standard are not supported:
- the elements `AttributesReferences`, `MultiRequests` and `RequestReference`;
- the functions `urn:oasis:names:tc:xacml:3.0:function:xpath-node-equal`, `urn:oasis:names:tc:xacml:3.0:function:xpath-node-match` and `urn:oasis:names:tc:xacml:3.0:function:access-permitted`.
If you are interested in those, you can ask for support.
Every release is packaged in various types of distribution and the installation depends on the distribution type:
- `.deb`: use your usual Ubuntu/Debian APT to install the package;
- `.tar.gz`: for any Linux distribution. More info in the documentation.
For download links, please go to the specific release page.
Once you downloaded the distribution of your preference, check the documentation for more information.
For links to the documentation of a release, please go to the specific release page.
The following tutorials on AuthzForce Server are available:
This section gives examples of usage and PEP code with a web service authorization module.
For an example of using an AuthzForce Server's RESTful PDP API in a real-life use case, please refer to the JUnit test class RESTfulPdpBasedAuthzInterceptorTest and the Apache CXF authorization interceptor RESTfulPdpBasedAuthzInterceptor. The test class runs a test similar to @coheigea's XACML 3.0 Authorization Interceptor test but using AuthzForce Server as PDP instead of OpenAZ. In this test, a web service client requests an Apache-CXF-based web service with a SAML token as credentials (previously issued by a Security Token Service upon successful client authentication) that contains the user ID and roles. Each request is intercepted on the web service side by a RESTfulPdpBasedAuthzInterceptor that plays the role of PEP (Policy Enforcement Point in XACML jargon), i.e. it extracts the various authorization attributes (user ID and roles, web service name, operation...) and requests a decision with these attributes from a remote PDP provided by AuthzForce Server, then enforces the PDP's decision, i.e. forwards the request to the web service implementation if the decision is Permit, else rejects it. For more information, see the Javadoc of RESTfulPdpBasedAuthzInterceptorTest.
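An added example (not the project's own RESTfulPdpBasedAuthzInterceptor) of the PEP flow just described, in Python: it builds a XACML v3.0 JSON Profile request from the user ID, roles, service name and operation, sends it to the PDP with the application/xacml+json content type, and fails closed unless every returned decision is Permit. The PDP URL, the attribute values and the handling of several results are assumptions made here, not taken from the project.

```python
import json
import urllib.request

# Standard XACML 3.0 attribute identifiers (Core spec and RBAC profile).
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


def build_request(user_id, roles, service_name, operation):
    """XACML v3.0 JSON Profile request built from the PEP's attributes.

    Roles go into one multi-valued Attribute (a single Value list), the
    form strict multivalued-attribute parsing expects, not one Attribute per role.
    """
    return {"Request": {
        "ReturnPolicyIdList": False,
        "AccessSubject": [{"Attribute": [
            {"AttributeId": SUBJECT_ID, "Value": user_id},
            {"AttributeId": ROLE, "Value": list(roles)}]}],
        "Resource": [{"Attribute": [{"AttributeId": RESOURCE_ID, "Value": service_name}]}],
        "Action": [{"Attribute": [{"AttributeId": ACTION_ID, "Value": operation}]}],
    }}


def is_permitted(response):
    """Enforce the PDP answer: only an explicit Permit lets the request through.

    Deny, NotApplicable, Indeterminate, an empty result list or a malformed
    response all reject (fail closed). Under the Multiple Decision Profile
    several results may come back; every one of them must be Permit.
    """
    results = response.get("Response") if isinstance(response, dict) else None
    if not isinstance(results, list) or not results:
        return False
    return all(isinstance(r, dict) and r.get("Decision") == "Permit" for r in results)


def ask_pdp(pdp_url, xacml_request, timeout=5):
    """POST the request to the PDP endpoint with the application/xacml+json content type."""
    body = json.dumps(xacml_request).encode("utf-8")
    req = urllib.request.Request(pdp_url, data=body, method="POST", headers={
        "Content-Type": "application/xacml+json", "Accept": "application/xacml+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))
```

The PDP endpoint of a server domain is assumed here to be of the form http://<host>:<port>/authzforce-ce/domains/<domainId>/pdp; check the release documentation for the actual path.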
To run unit tests, install Maven and type
mvn test
You should use AuthzForce users' mailing list as first contact for any communication about AuthzForce: question, feature request, notification, potential issue (unconfirmed), etc.
If you are experiencing any bug with this project and you indeed confirm this is not an issue with your environment (contact the users mailing list first if you are unsure), please report it on the OW2 Issue Tracker. Please include as much information as possible; the more we know, the better the chance of a quicker resolution:
If you want to report a vulnerability, you can do so on this Github repository by following the process: Privately reporting a security vulnerability.
The sources for the manuals are located in the fiware repository.
Start the release (example using an HTTP proxy):
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-start
Update the changelog with the new version according to keepachangelog.com.
Commit
Perform the software release (example using an HTTP proxy):
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 jgitflow:release-finish
If, after deployment, the command does not succeed because of some issue with the branches, fix the issue, then re-run the same command with the 'noDeploy' option set to true to avoid re-deployment:
$ mvn -Dhttps.proxyHost=proxyhostname -Dhttps.proxyPort=8080 -DnoDeploy=true jgitflow:release-finish
More info on jgitflow: http://jgitflow.bitbucket.org/
Connect and log in to the OSS Nexus Repository Manager: https://oss.sonatype.org/
Go to Staging Profiles and select the pending repository authzforce-*... you just uploaded with jgitflow:release-finish.
Click the Release button to release to Maven Central.
When the artifacts have been successfully published on Maven Central, follow the instructions in the Release section of fiware repository.
Build and publish the Docker image:
$ git checkout master
$ mvn clean package
$ cd dist/target
$ chmod +x release-docker.sh
$ ./release-docker.sh
Update the versions in badges at the top of this file.
Create a release on Github with a description based on the release description template, replacing M/m/P with the new major/minor/patch versions.
This project is licensed under the terms of GPL v3, except Java classes in packages org.ow2.authzforce.webapp.org.apache.cxf.jaxrs.provider.json.utils and org.ow2.authzforce.webapp.org.codehaus.jettison.mapped, which are under the Apache License.
There is absolutely no problem in using a product licensed under GPL 3.0. Issues with GPL (or AGPL) licenses are mostly related to the fact that different people assign different interpretations to the meaning of the term "derivative work" used in these licenses. Due to this, some people believe that there is a risk in just using software under GPL or AGPL licenses (even without modifying it).
For the avoidance of doubt, the owners of this software licensed under a GPL 3.0 license wish to make a clarifying public statement as follows:
Please note that software derived as a result of modifying the source code of this software in order to fix a bug or incorporate enhancements is considered a derivative work of the product. Software that merely uses or aggregates (i.e. links to) an otherwise unmodified version of existing software is not considered a derivative work, and therefore it does not need to be released under the same license, or even released as open source.