This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git
commit 8621db7faddd3dfae085cea1c540a87418d5bea5 Author: Robert Lazarski <[email protected]> AuthorDate: Wed May 13 10:37:16 2026 -1000 Remove dev-insecure profile, require login for all testing The dev-insecure profile was a security bypass that set a bad example for users copying the sample code. Removed entirely. Instead, the docs now show the correct flow: log in with the sample credentials ([email protected] / userguide) to get a token, then pass it as a Bearer token. This is how the app works in production and how users should test locally. Also kept the AnonRequestMatcher fix (equals/startsWith instead of contains) from the previous commit. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]> --- .../src/userguide/springbootdemo-tomcat11/pom.xml | 7 ++-- .../userguide/springboot/Axis2Application.java | 47 ++++------------------ .../configuration/Axis2WebAppInitializer.java | 9 ++++- src/site/xdoc/docs/spring-boot-starter.xml | 30 +++++++++----- 4 files changed, 39 insertions(+), 54 deletions(-)
diff --git a/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/pom.xml b/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/pom.xml
index c8fe0ca842..365be43c31 100644
--- a/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/pom.xml
+++ b/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/pom.xml
@@ -369,9 +369,10 @@ Embedded Tomcat profile: adds spring-boot-starter-web so the application can run standalone without an external container.
- Usage:
- mvn spring-boot:run -Pembedded
- mvn package -Pembedded && java -jar target/*.war
+ Usage (must build first, then run from the project directory):
+ mvn clean install -DskipTests
+ mvn spring-boot:run -Pembedded \
+ -Dspring-boot.run.jvmArguments="-Daxis2.repo=target/deploy/axis2-json-api/WEB-INF"
 The default (no profile) build produces a WAR for external Tomcat/WildFly deployment with jakarta.servlet-api as provided. 
diff --git a/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/src/main/java/userguide/springboot/Axis2Application.java b/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/src/main/java/userguide/springboot/Axis2Application.java
index 6c45ea1d14..e197e29416 100644
--- a/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/src/main/java/userguide/springboot/Axis2Application.java
+++ b/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/src/main/java/userguide/springboot/Axis2Application.java
@@ -116,30 +116,6 @@ public class Axis2Application extends SpringBootServletInitializer {
 public static class SecurityConfigurationTokenWebServices {
 private static final Logger logger = LogManager.getLogger(SecurityConfigurationTokenWebServices.class);
- /**
- * When the "dev-insecure" Spring profile is active, all /services/*
- * requests bypass JWT authentication. For local/embedded testing only.
- * Activate via: --spring.profiles.active=dev-insecure
- */
- @org.springframework.beans.factory.annotation.Value("${spring.profiles.active:}")
- private String activeProfiles;
-
- private boolean devInsecureActive;
-
- @jakarta.annotation.PostConstruct
- void checkDevInsecureProfile() {
- devInsecureActive = activeProfiles != null
- && java.util.Arrays.asList(activeProfiles.split(","))
- .contains("dev-insecure");
- if (devInsecureActive) {
- logger.warn("***********************************************************");
- logger.warn("* SECURITY BYPASSED: 'dev-insecure' profile is active. *");
- logger.warn("* All /services/* requests skip JWT authentication. *");
- logger.warn("* DO NOT use this profile in production or staging. *");
- logger.warn("***********************************************************");
- }
- }
-
 public SecurityConfigurationTokenWebServices() {
 }
@@ -147,22 +123,15 @@ public class Axis2Application extends SpringBootServletInitializer {
 @Override
 public boolean matches(HttpServletRequest request) {
- String logPrefix = "AnonRequestMatcher.matches , ";
- String uri = request.getRequestURI().toLowerCase();
- boolean result = uri.equals("/services/loginservice")
- || uri.startsWith("/services/loginservice/");
- // Allow all service requests without auth when the
- // "dev-insecure" Spring profile is active. This is for
- // local/embedded testing only. Activate via:
- // mvn spring-boot:run -Pembedded -Dspring-boot.run.profiles=dev-insecure
- if (!result && devInsecureActive) {
- result = request.getRequestURI().startsWith("/services/");
+ String uri = request.getRequestURI();
+ boolean result = uri.equalsIgnoreCase("/services/loginService")
+ || uri.toLowerCase(java.util.Locale.ROOT).startsWith("/services/loginservice/");
+ if (logger.isDebugEnabled()) {
+ String safeUri = uri.replaceAll("[\\r\\n]", "_");
+ logger.debug("AnonRequestMatcher.matches , result: "
+ + result + " , uri: " + safeUri
+ + " , method: " + request.getMethod());
 }
- logger.debug(logPrefix
- + "inside AnonRequestMatcher.matches, will return result: "
- + result + " , on request.getRequestURI() : "
- + request.getRequestURI() + " , request.getMethod() : "
- + request.getMethod());
 return result;
 }
diff --git a/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/src/main/java/userguide/springboot/configuration/Axis2WebAppInitializer.java b/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/src/main/java/userguide/springboot/configuration/Axis2WebAppInitializer.java
index def0e01189..a21f6e26cf 100644
--- a/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/src/main/java/userguide/springboot/configuration/Axis2WebAppInitializer.java
+++ b/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/src/main/java/userguide/springboot/configuration/Axis2WebAppInitializer.java
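Review bot: `request.getRequestURI()` on the first added line includes the servlet context path, so if the WAR is deployed under a non-root context (which is typical for the external Tomcat/WildFly deployment the pom in this commit describes as the default build) the comparison against `/services/loginService` never matches and the login endpoint itself ends up behind the JWT check. That fails closed, but it makes the documented login flow unusable outside the embedded profile, and the context path is the one part of the URI this matcher should not be sensitive to. Comparing the context-relative path avoids it: `String uri = request.getRequestURI().substring(request.getContextPath().length());` (the servlet spec guarantees the request URI begins with the context path, which is empty for the root context). The deployment context is inferred from the pom hunk rather than from visible code, so confirm how the sample is mounted before changing this. The enclosing AnonRequestMatcher class starts and ends outside the hunk.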
@@ -104,8 +104,13 @@ public class Axis2WebAppInitializer implements ServletContextInitializer {
 // returns null because the temp docbase is empty.
 java.io.File axis2xml = new java.io.File(repoDir, "conf/axis2.xml");
 if (axis2xml.isFile()) {
- dispatcher.setInitParameter(WarBasedAxisConfigurator.PARAM_AXIS2_XML_PATH,
- axis2xml.getAbsolutePath());
+ try {
+ dispatcher.setInitParameter(WarBasedAxisConfigurator.PARAM_AXIS2_XML_PATH,
+ axis2xml.getCanonicalPath());
+ } catch (java.io.IOException e) {
+ dispatcher.setInitParameter(WarBasedAxisConfigurator.PARAM_AXIS2_XML_PATH,
+ axis2xml.getAbsolutePath());
+ }
 logger.info("addAxis2Servlet: axis2.xml.path = " + axis2xml.getAbsolutePath());
 }
 }
diff --git a/src/site/xdoc/docs/spring-boot-starter.xml b/src/site/xdoc/docs/spring-boot-starter.xml
index e57aa1c4ff..d54bc2c60f 100644
--- a/src/site/xdoc/docs/spring-boot-starter.xml
+++ b/src/site/xdoc/docs/spring-boot-starter.xml
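Review bot: The new `catch (java.io.IOException e)` branch drops the exception without logging, and the unchanged `logger.info` line below it still prints `axis2xml.getAbsolutePath()`, so whenever canonicalization fails or the canonical and absolute forms differ (a symlinked repo directory, for instance) the logged path is not the value that was actually handed to WarBasedAxisConfigurator. Computing the path once, logging the fallback at warn level with the exception attached, and logging the value that was set keeps the log trustworthy for anyone trying to work out which axis2.xml was loaded. Note also that the canonical path is only resolved here, not compared against anything, so this is not a containment check on `repoDir`; if that was the motivation, a comparison such as `startsWith(repoDir.getCanonicalPath())` would still be needed (repoDir appears to come from the `-Daxis2.repo` property shown in the pom hunk, so it is presumably operator-controlled). The enclosing addAxis2Servlet method starts and ends outside the hunk.
```java
    if (axis2xml.isFile()) {
        String axis2xmlPath;
        try {
            axis2xmlPath = axis2xml.getCanonicalPath();
        } catch (java.io.IOException e) {
            // Keep the absolute-path fallback, but do not hide the failure:
            // a silent fallback makes a bad repo path hard to diagnose later.
            logger.warn("addAxis2Servlet: could not canonicalize " + axis2xml
                    + ", falling back to the absolute path", e);
            axis2xmlPath = axis2xml.getAbsolutePath();
        }
        dispatcher.setInitParameter(WarBasedAxisConfigurator.PARAM_AXIS2_XML_PATH, axis2xmlPath);
        // Log the value actually configured, not a recomputed one.
        logger.info("addAxis2Servlet: axis2.xml.path = " + axis2xmlPath);
    }
```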
@@ -110,20 +110,30 @@ mvn spring-boot:run -Pembedded \
 -Dspring-boot.run.jvmArguments="-Daxis2.repo=target/deploy/axis2-json-api/WEB-INF"
 </pre>
-<p>For local testing without JWT authentication, the sample application
-implements a <code>dev-insecure</code> Spring profile that bypasses
-auth for all <code>/services/*</code> requests. This is a pattern you
-can replicate in your own application — it is not a built-in starter
-feature. <strong>Never use in production.</strong></p>
+<p>The sample application requires authentication. Log in first to
+obtain a token, then pass it as a Bearer token on subsequent
+requests:</p>
 <pre>
-mvn spring-boot:run -Pembedded \
- -Dspring-boot.run.arguments="--server.port=9090 --spring.profiles.active=dev-insecure" \
- -Dspring-boot.run.jvmArguments="-Daxis2.repo=target/deploy/axis2-json-api/WEB-INF"
+# 1. Log in (sample credentials)
+TOKEN=$(curl -s http://localhost:9090/services/loginService \
+ -H 'Content-Type: application/json' \
+ -d '{"doLogin":[{"arg0":{"email":"[email protected]","credentials":"userguide"}}]}' \
+ | python3 -c "import sys,json; print(json.load(sys.stdin)['response']['token'])")
+
+# 2. Call a service with the token
+curl -s http://localhost:9090/services/FinancialBenchmarkService \
+ -H 'Content-Type: application/json' \
+ -H "Authorization: Bearer $TOKEN" \
+ -d '{"portfolioVariance":[{"arg0":{"weights":[0.5,0.5],"covarianceMatrix":[[0.04,0.006],[0.006,0.09]]}}]}'
 </pre>
-<p>The sample login service accepts hardcoded credentials for testing:
-<code>[email protected]</code> / <code>userguide</code>.</p>
+<p>OpenAPI and MCP endpoints do not require authentication:</p>
+
+<pre>
+curl -s http://localhost:9090/openapi.json
+curl -s http://localhost:9090/openapi-mcp.json
+</pre>
 <p>For production, external containers remain the recommended deployment:</p>
