Hi Cyril,
Looking forward to get fixed version - We dont have problems with tomcat, i
believe that it is even better option - just hope that installation / new
version will work fine with tomcat and that there will be no more major
bugs.
Thanks for contacting us,
Best,
Dink
On Mar 24, 2015 12:50 PM, "DANGERVILLE Cyril" <
cyril.dangerville at thalesgroup.com> wrote:
> Hello Dino,
>
> This issue should be fixed in the next release. I can send you a new
> version by the end of the week. We are now switching to .deb packaging to
> automate the install as much as possible (for Ubuntu/Debian). However, this
> new .deb package will address Tomcat 7 only (instead of Glassfish). There
> have been strong demand for Tomcat as target server, and simplifying the
> installation.
>
> *Would you have any issue switching to Tomcat 7? *
>
> We will continue to provide instructions for Glassfish if there is still a
> demand for it (especially for production environments), but it will still
> require manual steps as it is now; and not be automated like for Tomcat
> with .deb package.
>
>
>
> Regards,
>
> Cyril
>
>
>
>
>
>
>
> El 19/03/2015 a las 15:22, Dino Osmanovic escribió:
>
> Hi FIWARE Tech Crew,
>
>
>
> We have issue with one of the enablers and we are trying to get support.
> Its related to the access control generic enabler.
>
>
>
> Below is the issue:
>
>
>
> We have problem with PAP PolicySet update, when i make request for update
> PolicySet i got response OK and new PolicySet works fine, but when i try
> to get PolicySet i got old PolicySet data.
>
>
>
> To check what is problem i tried to tail on PolicySet xml file and got
> file reverted to old version, after regular file update.
>
>
>
> This is dump from tail:
>
> tail -f policySet.xml
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>
> <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>
> PolicySetId="default" Version="1.0"
>
>
> PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
>
> <Target />
>
> <Policy
> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides"
> PolicyId="permit-all" Version="1.0">
>
> <Target />
>
> <Rule Effect="Permit" RuleId="permit-all" />
>
> </Policy>
>
> </PolicySet>
>
> tail: policySet.xml: file truncated
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?><PolicySet
> xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
> PolicySetId="root:policy" Version="1.0"
> PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"><Description>
>
> RBAC Policy
>
> </Description><Target/><PolicySet PolicySetId="RPS:Employee_Role"
> Version="1.0"
> PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"><Description>
>
> Employee Role PolicySet
>
> </Description><Target><AnyOf><AllOf><Match
> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string">Employee</AttributeValue><AttributeDesignator
> Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
> AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="
> http://www.w3.org/2001/XMLSchema#string"
> MustBePresent="true"/></Match></AllOf></AnyOf></Target><PolicySetIdReference>PPS:Employee_Role</PolicySetIdReference></PolicySet><PolicySet
> PolicySetId="RPS:Manager_Role" Version="1.0"
> PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"><Description>
>
> Manager Role PolicySet
>
> </Description><Target><AnyOf><AllOf><Match
> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string">Manager</AttributeValue><AttributeDesignator
> Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
> AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role" DataType="
> http://www.w3.org/2001/XMLSchema#string"
> MustBePresent="true"/></Match></AllOf></AnyOf></Target><PolicySetIdReference>PPS:Manager_Role</PolicySetIdReference></PolicySet><Policy
> PolicyId="default_deny" Version="1.0"
> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides"><Description>
>
> Default Deny policy
>
> </Description><Target/><Rule RuleId="deny_all"
> Effect="Deny"/></Policy></PolicySet>*t*
>
> *ail: policySet.xml: file truncated*
>
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
>
> <PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>
> PolicySetId="default" Version="1.0"
>
>
> PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
>
> <Target />
>
> <Policy
> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides"
> PolicyId="permit-all" Version="1.0">
>
> <Target />
>
> <Rule Effect="Permit" RuleId="permit-all" />
>
> </Policy>
>
> </PolicySet>
>
>
>
> Red coloured part is value before i make update, blue coloured part is
> after update is executed, and this green coloured part is problem part.
>
>
>
> Do you have any idea why policy file is reverted to the original value
> automatically?
>
>
>
>
>
> We believe that in *SecurityDomain.Java*, method *setPolicySet* has
> problem with finally block:
>
>
>
> public void setPolicySet(PolicySet policySet) throws IOException,
> JAXBException
>
> {
>
> // before changing policy, backup current policy
>
> FileUtils.copyFile(this.policySetFile, this.policySetBackupFile);
>
> final Marshaller marshaller;
>
> try
>
> {
>
> marshaller = PdpModelHandler.XACML_3_0_JAXB_CONTEXT.createMarshaller();
>
> marshaller.setSchema(authzApiSchema);
>
> marshaller.setProperty(Marshaller.JAXB_ENCODING, UTF8_JAXB_ENCODING);
>
> marshaller.marshal(policySet, policySetFile);
>
> } catch (JAXBException e)
>
> {
>
> // Replace back with backup in case the file is corrupted due to this
> exception
>
> FileUtils.copyFile(this.policySetBackupFile, this.policySetFile);
>
> throw new JAXBException("Error marshalling new domain policy to file: " +
> this.policySetFile.getAbsolutePath(), e);
>
> }
>
>
>
> // try updating PDP with new policy
>
> try
>
> {
>
> // TODO: optimization: load policy directly from PolicySet arg (requires
> changing
>
> // Sunxacml StaticPolicyFinderModule code)
>
> updatePDP(true, null);
>
> } *finally*
>
> *{*
>
> *FileUtils.copyFile(this.policySetBackupFile, this.policySetFile);*
>
> *}*
>
> }
>
>
>
> Issue is because they put backup file back although everything was ok - My
> assumption is that there should be catch instead of finally??
>
>
>
>
>
>
>
> We reported issue 10 days ago and recently we got response from Mr Cyril
> that we need to write to this email?! Also mr. Cyril asked for XML file
> dump (not sure why), we put it below.
>
>
>
>
>
>
>
>
>
> *<?xml version="1.0" encoding="UTF-8" standalone="yes"?><PolicySet
> xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:ns2="**http://thalesgroup.com/authzforce/pdp/model/2014/12
> <http://thalesgroup.com/authzforce/pdp/model/2014/12>**"
> PolicySetId="default" Version="1.0"
> PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides"><Target/><Policy
> PolicyId="permit-all" Version="1.0"
> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-algorithm:ordered-permit-overrides"><Target/><Rule
> RuleId="deny-all" Effect="Deny"/></Policy></PolicySet>*
>
>
>
>
>
>
>
> Hopefully we will get support asap,
>
>
>
> Best Regards,
>
> Dino
>
>
>
>
>
>
>
> ---------- Forwarded message ----------
> From: *DANGERVILLE Cyril* <cyril.dangerville at thalesgroup.com>
> Date: Wed, Mar 18, 2015 at 3:24 PM
> Subject: RE: FIWARE Authorization PDP Issue - PolicySet.xml revert to old
> version after update
> To: "dino at eloptico.com" <dino at eloptico.com>
>
> Hello Dino,
>
> Sorry for the delay. For such Authzforce technical issues, *could you
> please re-submit your request to the following tech support mailing list?*
>
> *fiware-tech-help at lists.fi-ware.org <fiware-tech-help at lists.fi-ware.org>*
>
>
>
> Please also attach the full *policyset.xml* you used to produce the bug,
> so that I can easily reproduce it. Thank you.
>
>
>
> Regards,
>
> Cyril
>
>
>
> --
>
> Cyril DANGERVILLE, Thales Services
>
> FIWARE Phase II
>
> WP1.7 Security (WPA)
>
> Authorization PDP (ex-Access Control) GE Owner
>
>
>
>
>
>
>
> *De :* notifications at typeform.com [mailto:notifications at typeform.com]
> *Envoyé :* lundi 9 mars 2015 11:57
> *À :* cyril.dangerville at thalesgroup.com
> *Objet :* Typeform: New request to FIWARE.AzPDP.Contact
>
>
>
> Your *typeform* FIWARE.AzPDP.Contact has a new entry. Here are the
> results:
>
> - *Please describe the use case for which you intend to use the FIWARE
> Authorization PDP.*
> We use Authorization PDP to manage policies (which we later use in
> Access COntrol)
>
>
>
> - *What type of service do you want to control access to? (Protocol,
> API... e.g. HTTP/REST)*
> HTTP REST
>
>
>
> - *You can now formulate your request, at last :)*
> We have problem with PAP PolicySet update, when i make request for
> update PolicySet i got response OK and new PolicySet works fine, but when i
> try to get PolicySet i got old PolicySet back.
>
> To check what is problem i tried to tail on PolicySet xml file
> directly in the file system and got file reverted to old version, after
> regular file update.
> This is dump from tail:
>
> tail -f policySet.xml
>
>
> PolicySetId="default" Version="1.0"
>
> PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
>
>
>
>
>
>
>
> ## after update happnes (we call rest service):
>
> tail: policySet.xml: file truncated
>
> RBAC Policy
>
> Employee Role PolicySet
> EmployeePPS:Employee_Role
> Manager Role PolicySet
> ManagerPPS:Manager_Role
> Default Deny policy
>
>
> ##after update is done we see that somehow file is back to the
> original version:
>
>
> tail: policySet.xml: file truncated
>
>
> PolicySetId="default" Version="1.0"
>
> PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-algorithm:ordered-permit-overrides">
>
>
>
>
>
>
>
> .
>
>
>
> *To complete, please give me some contact information so that we can get
> back to you.*
>
> - *Your full name (last name last):*
> DIno Osmanovic
>
>
>
> - *Your email address:*
> dino at eloptico.com
>
>
>
> - *Name of your organization (company, institution, etc.):*
> eLoptico ApS
>
>
>
> - *Your job function (especially in relation to FIWARE):*
> CTO
>
>
>
>
>
> Have a nice day :)
> *Team Typeform*
>
>
>
>
>
> --
>
>
> --
> Kind regards,
>
> Dino Osmanovic
> eLoptico.com | tech co-founder
>
> Mobile: +387 61 216 927
>
> Web: www.eloptico.com
> E-mail: dino at eloptico.com
>
>
>
>
> _______________________________________________
>
> Fiware-tech-help mailing list
>
> Fiware-tech-help at lists.fi-ware.org
>
> https://lists.fi-ware.org/listinfo/fiware-tech-help
>
>
>
> --
>
>
>
> Please update your address book with my new e-mail address: miguel.carrillopacheco at telefonica.com
>
>
>
> ----------------------------------------------------------------------
>
> _/ _/_/ Miguel Carrillo Pacheco
>
> _/ _/ _/ _/ Telefónica Distrito Telefónica
>
> _/ _/_/_/ _/ _/ Investigación y Edifico Oeste 1, Planta 6
>
> _/ _/ _/ _/ Desarrollo Ronda de la Comunicación S/N
>
> _/ _/_/ 28050 Madrid (Spain)
>
> Tel: (+34) 91 483 26 77
>
>
>
> e-mail: miguel.carrillopacheco at telefonica.com
>
>
>
> Follow FIWARE on the net
>
>
>
> Website: http://www.fiware.org
>
> Facebook: https://www.facebook.com/eu.fiware
>
> Twitter: http://twitter.com/Fiware
>
> LinkedIn: https://www.linkedin.com/groups/FIWARE-4239932
>
> ----------------------------------------------------------------------
>
>
> ------------------------------
>
>
> Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario,
> puede contener información privilegiada o confidencial y es para uso
> exclusivo de la persona o entidad de destino. Si no es usted. el
> destinatario indicado, queda notificado de que la lectura, utilización,
> divulgación y/o copia sin autorización puede estar prohibida en virtud de
> la legislación vigente. Si ha recibido este mensaje por error, le rogamos
> que nos lo comunique inmediatamente por esta misma vía y proceda a su
> destrucción.
>
> The information contained in this transmission is privileged and
> confidential information intended only for the use of the individual or
> entity named above. If the reader of this message is not the intended
> recipient, you are hereby notified that any dissemination, distribution or
> copying of this communication is strictly prohibited. If you have received
> this transmission in error, do not read it. Please immediately reply to the
> sender that you have received this communication in error and then delete
> it.
>
> Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário,
> pode conter informação privilegiada ou confidencial e é para uso exclusivo
> da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário
> indicado, fica notificado de que a leitura, utilização, divulgação e/ou
> cópia sem autorização pode estar proibida em virtude da legislação vigente.
> Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique
> imediatamente por esta mesma via e proceda a sua destruição
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.fiware.org/private/fiware-tech-help/attachments/20150324/37e0fd11/attachment.html>
You can get more information about our cookies and privacy policies clicking on the following links: Privacy policy Cookies policy