This is an automated email from the ASF dual-hosted git repository. ilgrosso pushed a commit to branch 2_1_X in repository https://gitbox.apache.org/repos/asf/syncope.git
View the commit online: https://github.com/apache/syncope/commit/bd37f3d2e64b3e1d609580aebe00b0bfb84f5dae The following commit(s) were added to refs/heads/2_1_X by this push: new bd37f3d [SYNCOPE-1513] Adding options to console.properties bd37f3d is described below commit bd37f3d2e64b3e1d609580aebe00b0bfb84f5dae Author: Francesco Chicchiriccò <[email protected]> AuthorDate: Wed Nov 20 13:45:02 2019 +0100 [SYNCOPE-1513] Adding options to console.properties --- .../resources/archetype-resources/console/pom.xml | 16 --- .../resources/archetype-resources/core/pom.xml | 8 +- .../resources/archetype-resources/enduser/pom.xml | 8 +- client/console/pom.xml | 27 ++++ .../client/console/SyncopeConsoleApplication.java | 20 ++- .../console/src/main/resources/console.properties | 10 +- .../syncope/client/console/AbstractTest.java | 141 +++++++++++++++++++++ .../console/SyncopeConsoleApplicationTest.java | 69 ++++++++++ client/console/src/test/resources/log4j2.xml | 54 ++++++++ deb/console/pom.xml | 16 --- deb/core/pom.xml | 8 +- deb/enduser/pom.xml | 8 +- .../src/main/resources/console.properties.template | 15 ++- fit/build-tools/pom.xml | 8 +- fit/console-reference/pom.xml | 12 -- .../src/main/resources/console.properties | 10 +- fit/core-reference/pom.xml | 8 +- .../src/test/resources/console.properties | 9 +- pom.xml | 16 ++- 19 files changed, 362 insertions(+), 101 deletions(-) diff --git a/archetype/src/main/resources/archetype-resources/console/pom.xml b/archetype/src/main/resources/archetype-resources/console/pom.xml index fb5724c..0534f18 100644 --- a/archetype/src/main/resources/archetype-resources/console/pom.xml +++ b/archetype/src/main/resources/archetype-resources/console/pom.xml 
@@ -63,22 +63,6 @@ under the License. <artifactId>slf4j-api</artifactId> </dependency> <dependency> - <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-api</artifactId> - </dependency> - <dependency> - <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-core</artifactId> - </dependency> - <dependency> - <groupId>com.lmax</groupId> - <artifactId>disruptor</artifactId> - </dependency> - <dependency> - <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-slf4j-impl</artifactId> - </dependency> - <dependency> <groupId>commons-logging</groupId> <artifactId>commons-logging</artifactId> <scope>provided</scope> diff --git a/archetype/src/main/resources/archetype-resources/core/pom.xml b/archetype/src/main/resources/archetype-resources/core/pom.xml index f951894..f2f9753 100644 --- a/archetype/src/main/resources/archetype-resources/core/pom.xml +++ b/archetype/src/main/resources/archetype-resources/core/pom.xml @@ -71,21 +71,17 @@ under the License. </dependency> <dependency> <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-api</artifactId> + <artifactId>log4j-core</artifactId> </dependency> <dependency> <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-core</artifactId> + <artifactId>log4j-slf4j-impl</artifactId> </dependency> <dependency> <groupId>com.lmax</groupId> <artifactId>disruptor</artifactId> </dependency> <dependency> - <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-slf4j-impl</artifactId> - </dependency> - <dependency> <groupId>commons-logging</groupId> <artifactId>commons-logging</artifactId> <scope>provided</scope> diff --git a/archetype/src/main/resources/archetype-resources/enduser/pom.xml b/archetype/src/main/resources/archetype-resources/enduser/pom.xml index 1e3bb28..e7df3ce 100644 --- a/archetype/src/main/resources/archetype-resources/enduser/pom.xml +++ b/archetype/src/main/resources/archetype-resources/enduser/pom.xml 
@@ -64,21 +64,17 @@ under the License. </dependency> <dependency> <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-api</artifactId> + <artifactId>log4j-core</artifactId> </dependency> <dependency> <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-core</artifactId> + <artifactId>log4j-slf4j-impl</artifactId> </dependency> <dependency> <groupId>com.lmax</groupId> <artifactId>disruptor</artifactId> </dependency> <dependency> - <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-slf4j-impl</artifactId> - </dependency> - <dependency> <groupId>commons-logging</groupId> <artifactId>commons-logging</artifactId> <scope>provided</scope> diff --git a/client/console/pom.xml b/client/console/pom.xml index 422abbc..e6b6b70 100644 --- a/client/console/pom.xml +++ b/client/console/pom.xml @@ -156,6 +156,33 @@ under the License. <groupId>org.apache.logging.log4j</groupId> <artifactId>log4j-core</artifactId> </dependency> + <dependency> + <groupId>org.apache.logging.log4j</groupId> + <artifactId>log4j-slf4j-impl</artifactId> + </dependency> + <dependency> + <groupId>com.lmax</groupId> + <artifactId>disruptor</artifactId> + </dependency> + + <!-- required by wicket tester --> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <version>4.12</version> + <scope>test</scope> + </dependency> + + <dependency> + <groupId>org.mockito</groupId> + <artifactId>mockito-core</artifactId> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.junit.jupiter</groupId> + <artifactId>junit-jupiter</artifactId> + <scope>test</scope> + </dependency> </dependencies> <build> diff --git a/client/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleApplication.java b/client/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleApplication.java index 7417758..0fd291f 100644 --- a/client/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleApplication.java 
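Review bot: In the `client/console/pom.xml` hunk the `junit:junit` dependency is pinned inline with `<version>4.12</version>`, while every other artifact in this module takes its version from the root pom's dependencyManagement; the root `pom.xml` hunk at the end of this commit likewise pins `mockito-core` to a literal `3.1.0` instead of a `${...}` property like `${junit.version}` next to it. Managing both versions in one place keeps a single coordinate to bump when a fix for either library ships and keeps dependency scanning consistent across modules. The `<!-- required by wicket tester -->` comment would also say more if it stated why a JUnit 4 artifact is needed at all when the tests themselves are Jupiter-based, presumably because `WicketTester` still links against it; that is worth confirming and recording in the comment.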
+++ b/client/console/src/main/java/org/apache/syncope/client/console/SyncopeConsoleApplication.java @@ -136,6 +136,17 @@ public class SyncopeConsoleApplication extends AuthenticatedWebApplication { } } + protected void setSecurityHeaders(final Properties props, final WebResponse response) { + @SuppressWarnings("unchecked") + Enumeration<String> propNames = (Enumeration<String>) props.propertyNames(); + while (propNames.hasMoreElements()) { + String name = propNames.nextElement(); + if (name.startsWith("security.headers.")) { + response.setHeader(StringUtils.substringAfter(name, "security.headers."), props.getProperty(name)); + } + } + } + @Override protected void init() { super.init(); @@ -169,8 +180,6 @@ public class SyncopeConsoleApplication extends AuthenticatedWebApplication { maxPoolSize = Integer.valueOf(props.getProperty("topology.maxPoolSize", "10")); queueCapacity = Integer.valueOf(props.getProperty("topology.queueCapacity", "50")); - String csrf = props.getProperty("csrf"); - // process page properties pageClasses = new HashMap<>(); populatePageClasses(props); @@ -201,7 +210,7 @@ public class SyncopeConsoleApplication extends AuthenticatedWebApplication { getMarkupSettings().setStripWicketTags(true); getMarkupSettings().setCompressWhitespace(true); - if (BooleanUtils.toBoolean(csrf)) { + if (BooleanUtils.toBoolean(props.getProperty("csrf"))) { getRequestCycleListeners().add(new WebSocketAwareCsrfPreventionRequestCycleListener()); } getRequestCycleListeners().add(new SyncopeConsoleRequestCycleListener()); 
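Review bot: `setSecurityHeaders` makes the response headers entirely configuration-driven, so a deployment that keeps a `console.properties` from before this change (no `security.headers.*` keys) silently loses the `X-XSS-Protection`, `X-Content-Type-Options` and `X-Frame-Options` headers that were hard-coded until now; nothing defaults or logs when the scan finds no matching key. The scan over `props.propertyNames()` also runs on every request end (see the `onEndRequest` hunk below), although the property set is fixed once `init()` has loaded it, so resolving the header map once in `init()` and only applying it per request would be cheaper. A fallback to the previous hard-coded trio when nothing is configured is sketched below; the `init()` body and the enclosing class continue outside this hunk.
```java
    protected void setSecurityHeaders(final Properties props, final WebResponse response) {
        boolean configured = false;
        @SuppressWarnings("unchecked")
        Enumeration<String> propNames = (Enumeration<String>) props.propertyNames();
        while (propNames.hasMoreElements()) {
            String name = propNames.nextElement();
            if (name.startsWith("security.headers.")) {
                configured = true;
                response.setHeader(StringUtils.substringAfter(name, "security.headers."), props.getProperty(name));
            }
        }
        // no security.headers.* configured (e.g. console.properties carried over from an earlier release):
        // keep the headers that were hard-coded before they became configurable
        if (!configured) {
            response.setHeader("X-XSS-Protection", "1; mode=block");
            response.setHeader("X-Content-Type-Options", "nosniff");
            response.setHeader("X-Frame-Options", "sameorigin");
        }
    }
```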
@@ -210,10 +219,7 @@ public class SyncopeConsoleApplication extends AuthenticatedWebApplication {
 @Override
 public void onEndRequest(final RequestCycle cycle) {
 if (cycle.getResponse() instanceof WebResponse && !(cycle.getResponse() instanceof WebSocketResponse)) {
- WebResponse response = (WebResponse) cycle.getResponse();
- response.setHeader("X-XSS-Protection", "1; mode=block");
- response.setHeader("X-Content-Type-Options", "nosniff");
- response.setHeader("X-Frame-Options", "sameorigin");
+ setSecurityHeaders(props, (WebResponse) cycle.getResponse());
 }
 }
 });
diff --git a/client/console/src/main/resources/console.properties b/client/console/src/main/resources/console.properties
index 0e262cb..e8ac65e 100644
--- a/client/console/src/main/resources/console.properties
+++ b/client/console/src/main/resources/console.properties
@@ -29,8 +29,6 @@ maxUploadFileSizeMB=5
 # Max wait time on apply changes from modals/wizards (given in seconds)
 maxWaitTimeOnApplyChanges=30
 
-csrf=true
-
 reconciliationReportKey=c3520ad9-179f-49e7-b315-d684d216dd97
 
 page.dashboard=org.apache.syncope.client.console.pages.Dashboard
@@ -49,3 +47,11 @@ page.parameters=org.apache.syncope.client.console.pages.Parameters
 topology.corePoolSize=10
 topology.maxPoolSize=20
 topology.queueCapacity=50
+
+csrf=true
+
+security.headers.X-XSS-Protection=1; mode=block
+security.headers.Strict-Transport-Security=max-age=31536000; includeSubDomains; preload
+security.headers.X-Content-Type-Options=nosniff
+security.headers.X-Frame-Options=sameorigin
+#security.headers.Content-Security-Policy=default-src https:
diff --git a/client/console/src/test/java/org/apache/syncope/client/console/AbstractTest.java b/client/console/src/test/java/org/apache/syncope/client/console/AbstractTest.java
new file mode 100644
index 0000000..6e4372b
--- /dev/null
+++ b/client/console/src/test/java/org/apache/syncope/client/console/AbstractTest.java
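Review bot: The default `security.headers.Strict-Transport-Security=max-age=31536000; includeSubDomains; preload` added to `console.properties` is a strong commitment to ship unexplained: `includeSubDomains` makes browsers that have seen the header over HTTPS refuse plain-HTTP access to every subdomain of the console's host for a year, and `preload` is meant to accompany a deliberate submission of the domain to the browser preload list. A default of `max-age=31536000` alone, with a comment line above it spelling out what adding `includeSubDomains` and `preload` implies for the operator's other hosts, would be safer for a shipped configuration. The same line is repeated in `docker/console/src/main/resources/console.properties.template`, `fit/console-reference/src/main/resources/console.properties` and `fit/core-reference/src/test/resources/console.properties`, so the comment belongs in each of them.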
@@ -0,0 +1,141 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.syncope.client.console; + +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.anyString; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +import java.io.IOException; +import java.io.InputStream; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Properties; +import java.util.stream.Stream; +import javax.servlet.ServletContext; +import org.apache.commons.lang3.tuple.Pair; +import org.apache.cxf.jaxrs.client.Client; +import org.apache.syncope.client.console.init.ClassPathScanImplementationLookup; +import org.apache.syncope.client.console.init.ConsoleInitializer; +import org.apache.syncope.client.console.init.MIMETypesLoader; +import org.apache.syncope.client.lib.AuthenticationHandler; +import org.apache.syncope.client.lib.SyncopeClient; +import org.apache.syncope.client.lib.SyncopeClientFactoryBean; +import org.apache.syncope.common.lib.SyncopeConstants; +import org.apache.syncope.common.lib.info.NumbersInfo; +import org.apache.syncope.common.lib.info.PlatformInfo; +import 
org.apache.syncope.common.lib.info.SystemInfo; +import org.apache.syncope.common.lib.to.DomainTO; +import org.apache.syncope.common.lib.to.UserTO; +import org.apache.syncope.common.rest.api.service.DomainService; +import org.apache.syncope.common.rest.api.service.SyncopeService; +import org.apache.wicket.util.tester.WicketTester; +import org.junit.jupiter.api.BeforeAll; + +public abstract class AbstractTest { + + protected static Properties PROPS; + + public interface SyncopeServiceClient extends SyncopeService, Client { + } + + @BeforeAll + public static void loadProps() throws IOException { + PROPS = new Properties(); + try (InputStream is = AbstractTest.class.getResourceAsStream("/console.properties")) { + PROPS.load(is); + } + } + + protected static final WicketTester TESTER = new WicketTester(new SyncopeConsoleApplication() { + + @Override + protected void init() { + ServletContext ctx = getServletContext(); + ClassPathScanImplementationLookup lookup = new ClassPathScanImplementationLookup(); + lookup.load(); + ctx.setAttribute(ConsoleInitializer.CLASSPATH_LOOKUP, lookup); + + MIMETypesLoader mimeTypes = new MIMETypesLoader(); + mimeTypes.load(); + ctx.setAttribute(ConsoleInitializer.MIMETYPES_LOADER, mimeTypes); + + super.init(); + } + + @Override + public List<String> getDomains() { + return super.getDomains(); + } + + private SyncopeService getSyncopeService() { + SyncopeServiceClient service = mock(SyncopeServiceClient.class); + when(service.type(anyString())).thenReturn(service); + when(service.accept(anyString())).thenReturn(service); + + when(service.platform()).thenReturn(new PlatformInfo()); + when(service.system()).thenReturn(new SystemInfo()); + + NumbersInfo numbersInfo = new NumbersInfo(); + Stream.of(NumbersInfo.ConfItem.values()). 
+ forEach(item -> numbersInfo.getConfCompleteness().put(item.name(), true)); + when(service.numbers()).thenReturn(numbersInfo); + + return service; + } + + private UserTO getUserTO() { + UserTO userTO = new UserTO(); + userTO.setUsername("username"); + return userTO; + } + + private DomainService getDomainService() { + DomainService domainService = mock(DomainService.class); + DomainTO domainTO = new DomainTO(); + domainTO.setKey(SyncopeConstants.MASTER_DOMAIN); + when(domainService.list()).thenReturn(Collections.singletonList(domainTO)); + return domainService; + } + + @SuppressWarnings("unchecked") + @Override + public SyncopeClientFactoryBean newClientFactory() { + SyncopeClient client = mock(SyncopeClient.class); + + when(client.self()).thenReturn(Pair.of(new HashMap<>(), getUserTO())); + + SyncopeService syncopeService = getSyncopeService(); + when(client.getService(SyncopeService.class)).thenReturn(syncopeService); + + DomainService domainService = getDomainService(); + when(client.getService(DomainService.class)).thenReturn(domainService); + + SyncopeClientFactoryBean clientFactory = mock(SyncopeClientFactoryBean.class); + when(clientFactory.setDomain(any())).thenReturn(clientFactory); + when(clientFactory.create(any(AuthenticationHandler.class))).thenReturn(client); + when(clientFactory.create(anyString(), anyString())).thenReturn(client); + + return clientFactory; + } + }); + +} diff --git a/client/console/src/test/java/org/apache/syncope/client/console/SyncopeConsoleApplicationTest.java b/client/console/src/test/java/org/apache/syncope/client/console/SyncopeConsoleApplicationTest.java new file mode 100644 index 0000000..a1f0bd1 --- /dev/null +++ b/client/console/src/test/java/org/apache/syncope/client/console/SyncopeConsoleApplicationTest.java 
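Review bot: The `getDomains()` override in the anonymous `SyncopeConsoleApplication` only forwards to `super.getDomains()` and can be dropped, and `loadProps` passes whatever `getResourceAsStream("/console.properties")` returns straight to `Properties.load`, so a missing resource surfaces as a `NullPointerException` inside `load` rather than a message naming the file; `Objects.requireNonNull(is, "console.properties not found on the test classpath");` before the `load` call would make that failure readable. Because `TESTER` is a static field, the application is started during class initialization, before `@BeforeAll loadProps` runs; that is fine today since the anonymous subclass never reads `PROPS`, but a one-line comment on `TESTER` stating that ordering would stop a later change from wiring the two together. The mocked `SyncopeClientFactoryBean` and `SyncopeClient` also deserve a short comment saying which calls the console makes during login are being satisfied, since the `when(...)` list is otherwise the only record of that contract.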
@@ -0,0 +1,69 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.syncope.client.console; + +import static org.junit.jupiter.api.Assertions.assertEquals; + +import java.io.IOException; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.Map; +import org.apache.commons.lang3.StringUtils; +import org.apache.syncope.client.console.pages.Dashboard; +import org.apache.syncope.client.console.pages.Login; +import org.apache.wicket.util.tester.FormTester; +import org.junit.jupiter.api.Test; + +public class SyncopeConsoleApplicationTest extends AbstractTest { + + private Map<String, String> getConfiguredSecurityHeaders() throws IOException { + Map<String, String> securityHeaders = new HashMap<>(); + + @SuppressWarnings("unchecked") + Enumeration<String> propNames = (Enumeration<String>) PROPS.propertyNames(); + while (propNames.hasMoreElements()) { + String name = propNames.nextElement(); + if (name.startsWith("security.headers.")) { + securityHeaders.put(StringUtils.substringAfter(name, "security.headers."), PROPS.getProperty(name)); + } + } + + return securityHeaders; + } + + @Test + public void securityHeaders() throws IOException { + Map<String, String> securityHeaders = 
getConfiguredSecurityHeaders(); + assertEquals(4, securityHeaders.size()); + + // 1. anonymous + TESTER.startPage(Login.class); + TESTER.assertRenderedPage(Login.class); + securityHeaders.forEach((key, value) -> assertEquals(value, TESTER.getLastResponse().getHeader(key))); + + // 2. authenticated + FormTester formTester = TESTER.newFormTester("login"); + formTester.setValue("username", "username"); + formTester.setValue("password", "password"); + formTester.submit("submit"); + + TESTER.assertRenderedPage(Dashboard.class); + securityHeaders.forEach((key, value) -> assertEquals(value, TESTER.getLastResponse().getHeader(key))); + } +} diff --git a/client/console/src/test/resources/log4j2.xml b/client/console/src/test/resources/log4j2.xml new file mode 100644 index 0000000..28257a5 --- /dev/null +++ b/client/console/src/test/resources/log4j2.xml 
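Review bot: `getConfiguredSecurityHeaders` re-implements the same `security.headers.` prefix scan as `SyncopeConsoleApplication.setSecurityHeaders`, so a defect in the prefix handling would be mirrored in the expectation and go unnoticed, and `assertEquals(4, securityHeaders.size())` couples the test to the current contents of `console.properties` and will break on any added key. The helper also declares `throws IOException` although nothing in it performs I/O. Asserting a fixed map of the four header names and values the test resource is known to carry against `TESTER.getLastResponse()` would exercise the production path without the duplicated parser, and the `// 1. anonymous` / `// 2. authenticated` comments could then state the property each step is meant to prove: that the headers are set before and after a `Login` submission regardless of session state.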
@@ -0,0 +1,54 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> +<configuration status="WARN"> + + <appenders> + + <Console name="main" target="SYSTEM_OUT"> + <PatternLayout pattern="%d{HH:mm:ss.SSS} %-5level %logger - %msg%n"/> + </Console> + + </appenders> + + <loggers> + + <asyncLogger name="org.apache.syncope.client.lib" additivity="false" level="OFF"> + <appender-ref ref="main"/> + </asyncLogger> + + <asyncLogger name="org.apache.syncope.client.console" additivity="false" level="ERROR"> + <appender-ref ref="main"/> + </asyncLogger> + + <asyncLogger name="org.apache.wicket" additivity="false" level="ERROR"> + <appender-ref ref="main"/> + </asyncLogger> + + <asyncLogger name="org.apache.cxf" additivity="false" level="ERROR"> + <appender-ref ref="main"/> + </asyncLogger> + + <root level="ERROR"> + <appender-ref ref="main"/> + </root> + + </loggers> + +</configuration> diff --git a/deb/console/pom.xml b/deb/console/pom.xml index e71a7d1..60c0f1a 100644 --- a/deb/console/pom.xml +++ b/deb/console/pom.xml 
@@ -75,22 +75,6 @@ under the License. <artifactId>slf4j-api</artifactId> </dependency> <dependency> - <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-api</artifactId> - </dependency> - <dependency> - <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-core</artifactId> - </dependency> - <dependency> - <groupId>com.lmax</groupId> - <artifactId>disruptor</artifactId> - </dependency> - <dependency> - <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-slf4j-impl</artifactId> - </dependency> - <dependency> <groupId>commons-logging</groupId> <artifactId>commons-logging</artifactId> <scope>provided</scope> diff --git a/deb/core/pom.xml b/deb/core/pom.xml index a126c4d..743edc9 100644 --- a/deb/core/pom.xml +++ b/deb/core/pom.xml @@ -121,21 +121,17 @@ under the License. </dependency> <dependency> <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-api</artifactId> + <artifactId>log4j-core</artifactId> </dependency> <dependency> <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-core</artifactId> + <artifactId>log4j-slf4j-impl</artifactId> </dependency> <dependency> <groupId>com.lmax</groupId> <artifactId>disruptor</artifactId> </dependency> <dependency> - <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-slf4j-impl</artifactId> - </dependency> - <dependency> <groupId>commons-logging</groupId> <artifactId>commons-logging</artifactId> <scope>provided</scope> diff --git a/deb/enduser/pom.xml b/deb/enduser/pom.xml index 3fd6f0a..0aa559a 100644 --- a/deb/enduser/pom.xml +++ b/deb/enduser/pom.xml 
@@ -68,21 +68,17 @@ under the License. </dependency> <dependency> <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-api</artifactId> + <artifactId>log4j-core</artifactId> </dependency> <dependency> <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-core</artifactId> + <artifactId>log4j-slf4j-impl</artifactId> </dependency> <dependency> <groupId>com.lmax</groupId> <artifactId>disruptor</artifactId> </dependency> <dependency> - <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-slf4j-impl</artifactId> - </dependency> - <dependency> <groupId>commons-logging</groupId> <artifactId>commons-logging</artifactId> <scope>provided</scope> diff --git a/docker/console/src/main/resources/console.properties.template b/docker/console/src/main/resources/console.properties.template index 8789cb5..29490cc 100644 --- a/docker/console/src/main/resources/console.properties.template +++ b/docker/console/src/main/resources/console.properties.template @@ -31,15 +31,12 @@ maxUploadFileSizeMB=5 # Max wait time on apply changes from modals/wizards (given in seconds) maxWaitTimeOnApplyChanges=30 -csrf=true - reconciliationReportKey=c3520ad9-179f-49e7-b315-d684d216dd97 page.dashboard=org.apache.syncope.client.console.pages.Dashboard page.realms=org.apache.syncope.client.console.pages.Realms page.topology=org.apache.syncope.client.console.topology.Topology page.reports=org.apache.syncope.client.console.pages.Reports -page.workflow=org.apache.syncope.client.console.pages.Workflow page.audit=org.apache.syncope.client.console.pages.Audit page.implementations=org.apache.syncope.client.console.pages.Implementations page.logs=org.apache.syncope.client.console.pages.Logs 
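Review bot: The `console.properties.template` hunk for the docker console drops `-page.workflow=org.apache.syncope.client.console.pages.Workflow` and the following hunk adds the three `topology.*` pool keys, neither of which is an option "added to console.properties" as the commit title says; if the template had simply drifted from `client/console/src/main/resources/console.properties`, a sentence in the commit message saying it is being re-synchronized would explain both. If removing the `Workflow` page from the docker image is intended on its own, it deserves its own mention or commit, since an operator diffing templates between releases will otherwise wonder whether the page was lost by mistake.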
@@ -48,3 +45,15 @@ page.types=org.apache.syncope.client.console.pages.Types page.policies=org.apache.syncope.client.console.pages.Policies page.notifications=org.apache.syncope.client.console.pages.Notifications page.parameters=org.apache.syncope.client.console.pages.Parameters + +topology.corePoolSize=10 +topology.maxPoolSize=20 +topology.queueCapacity=50 + +csrf=true + +security.headers.X-XSS-Protection=1; mode=block +security.headers.Strict-Transport-Security=max-age=31536000; includeSubDomains; preload +security.headers.X-Content-Type-Options=nosniff +security.headers.X-Frame-Options=sameorigin +#security.headers.Content-Security-Policy=default-src https: diff --git a/fit/build-tools/pom.xml b/fit/build-tools/pom.xml index 46b02d3..2a5c9d5 100644 --- a/fit/build-tools/pom.xml +++ b/fit/build-tools/pom.xml @@ -216,21 +216,17 @@ under the License. </dependency> <dependency> <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-api</artifactId> + <artifactId>log4j-core</artifactId> </dependency> <dependency> <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-core</artifactId> + <artifactId>log4j-slf4j-impl</artifactId> </dependency> <dependency> <groupId>com.lmax</groupId> <artifactId>disruptor</artifactId> </dependency> <dependency> - <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-slf4j-impl</artifactId> - </dependency> - <dependency> <groupId>commons-logging</groupId> <artifactId>commons-logging</artifactId> <scope>provided</scope> diff --git a/fit/console-reference/pom.xml b/fit/console-reference/pom.xml index 6b12521..220ef5b 100644 --- a/fit/console-reference/pom.xml +++ b/fit/console-reference/pom.xml 
@@ -93,18 +93,6 @@ under the License. </dependency> <dependency> <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-api</artifactId> - </dependency> - <dependency> - <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-core</artifactId> - </dependency> - <dependency> - <groupId>com.lmax</groupId> - <artifactId>disruptor</artifactId> - </dependency> - <dependency> - <groupId>org.apache.logging.log4j</groupId> <artifactId>log4j-slf4j-impl</artifactId> </dependency> <dependency> diff --git a/fit/console-reference/src/main/resources/console.properties b/fit/console-reference/src/main/resources/console.properties index fbba1d6..28e1822 100644 --- a/fit/console-reference/src/main/resources/console.properties +++ b/fit/console-reference/src/main/resources/console.properties @@ -29,8 +29,6 @@ maxUploadFileSizeMB=5 # Max wait time on apply changes from modals/wizards (given in seconds) maxWaitTimeOnApplyChanges=30 -csrf=true - reconciliationReportKey=c3520ad9-179f-49e7-b315-d684d216dd97 page.dashboard=org.apache.syncope.client.console.pages.Dashboard @@ -49,3 +47,11 @@ page.parameters=org.apache.syncope.client.console.pages.Parameters topology.corePoolSize=50 topology.maxPoolSize=100 topology.queueCapacity=10 + +csrf=true + +security.headers.X-XSS-Protection=1; mode=block +security.headers.Strict-Transport-Security=max-age=31536000; includeSubDomains; preload +security.headers.X-Content-Type-Options=nosniff +security.headers.X-Frame-Options=sameorigin +#security.headers.Content-Security-Policy=default-src https: diff --git a/fit/core-reference/pom.xml b/fit/core-reference/pom.xml index 517a63d..d980a12 100644 --- a/fit/core-reference/pom.xml +++ b/fit/core-reference/pom.xml 
@@ -79,21 +79,17 @@ under the License. </dependency> <dependency> <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-api</artifactId> + <artifactId>log4j-core</artifactId> </dependency> <dependency> <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-core</artifactId> + <artifactId>log4j-slf4j-impl</artifactId> </dependency> <dependency> <groupId>com.lmax</groupId> <artifactId>disruptor</artifactId> </dependency> <dependency> - <groupId>org.apache.logging.log4j</groupId> - <artifactId>log4j-slf4j-impl</artifactId> - </dependency> - <dependency> <groupId>commons-logging</groupId> <artifactId>commons-logging</artifactId> <scope>provided</scope> diff --git a/fit/core-reference/src/test/resources/console.properties b/fit/core-reference/src/test/resources/console.properties index 648782b..28e1822 100644 --- a/fit/core-reference/src/test/resources/console.properties +++ b/fit/core-reference/src/test/resources/console.properties @@ -29,8 +29,6 @@ maxUploadFileSizeMB=5 # Max wait time on apply changes from modals/wizards (given in seconds) maxWaitTimeOnApplyChanges=30 -csrf=false - reconciliationReportKey=c3520ad9-179f-49e7-b315-d684d216dd97 page.dashboard=org.apache.syncope.client.console.pages.Dashboard @@ -50,3 +48,10 @@ topology.corePoolSize=50 topology.maxPoolSize=100 topology.queueCapacity=10 +csrf=true + +security.headers.X-XSS-Protection=1; mode=block +security.headers.Strict-Transport-Security=max-age=31536000; includeSubDomains; preload +security.headers.X-Content-Type-Options=nosniff +security.headers.X-Frame-Options=sameorigin +#security.headers.Content-Security-Policy=default-src https: diff --git a/pom.xml b/pom.xml index 61e5a51..9f53446 100644 --- a/pom.xml +++ b/pom.xml 
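Review bot: The `fit/core-reference/src/test/resources/console.properties` hunk flips the fixture from `-csrf=false` to `+csrf=true` while moving the key, which turns the CSRF-prevention request-cycle listener on for the core-reference integration run; the commit message only speaks of adding options. If the flip is intended, a line in the message or a `# CSRF protection is exercised by the integration tests` comment above the key would record that, and if it is not, the previous `csrf=false` should be kept so the fixture's behaviour does not change silently in a configuration-only commit.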
@@ -1399,16 +1399,16 @@ under the License. <version>${log4j.version}</version> </dependency> <dependency> - <groupId>com.lmax</groupId> - <artifactId>disruptor</artifactId> - <version>${disruptor.version}</version> - </dependency> - <dependency> <groupId>org.apache.logging.log4j</groupId> <artifactId>log4j-slf4j-impl</artifactId> <version>${log4j.version}</version> </dependency> <dependency> + <groupId>com.lmax</groupId> + <artifactId>disruptor</artifactId> + <version>${disruptor.version}</version> + </dependency> + <dependency> <groupId>commons-logging</groupId> <artifactId>commons-logging</artifactId> <version>${commons-logging.version}</version> @@ -1790,6 +1790,12 @@ under the License. <scope>test</scope> </dependency> <dependency> + <groupId>org.mockito</groupId> + <artifactId>mockito-core</artifactId> + <version>3.1.0</version> + <scope>test</scope> + </dependency> + <dependency> <groupId>org.junit.jupiter</groupId> <artifactId>junit-jupiter</artifactId> <version>${junit.version}</version>
