[jira] [Work started] (TOMEE-2877) Translate to Portuguese: examples/mp-rest-jwt-public-key
[ https://issues.apache.org/jira/browse/TOMEE-2877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on TOMEE-2877 started by Daniel Dias.
--

> Translate to Portuguese: examples/mp-rest-jwt-public-key
>
> Key: TOMEE-2877
> URL: https://issues.apache.org/jira/browse/TOMEE-2877
> Project: TomEE
> Issue Type: Sub-task
> Reporter: Daniel Dias
> Assignee: Daniel Dias
> Priority: Trivial
>
> Translate into Portuguese the README file using a suffix `_pt` to allow the
> Tomee Website to pick up and configure this version and corresponding language

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (TOMEE-2877) Translate to Portuguese: examples/mp-rest-jwt-public-key
Daniel Dias created TOMEE-2877:
--

Summary: Translate to Portuguese: examples/mp-rest-jwt-public-key
Key: TOMEE-2877
URL: https://issues.apache.org/jira/browse/TOMEE-2877
Project: TomEE
Issue Type: Sub-task
Reporter: Daniel Dias
Assignee: Daniel Dias

Translate into Portuguese the README file using a suffix `_pt` to allow the Tomee Website to pick up and configure this version and corresponding language
[tomee] branch master updated: Fix classloading issue by using a different approach to discover annotations.
This is an automated email from the ASF dual-hosted git repository. jlmonteiro pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomee.git The following commit(s) were added to refs/heads/master by this push: new 7e83701 Fix classloading issue by using a different approach to discover annotations. 7e83701 is described below commit 7e8370155d4431e03e6e0e38a7377426f5db8a6c Author: Jean-Louis Monteiro AuthorDate: Wed Jul 15 23:46:56 2020 +0200 Fix classloading issue by using a different approach to discover annotations. --- .../tomee/security/cdi/TomEESecurityExtension.java | 107 + 1 file changed, 47 insertions(+), 60 deletions(-) diff --git a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java index 7a315be..591523f 100644 --- a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java +++ b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java @@ -31,13 +31,13 @@ import javax.enterprise.event.Observes; import javax.enterprise.inject.Any; import javax.enterprise.inject.Default; import javax.enterprise.inject.spi.AfterBeanDiscovery; +import javax.enterprise.inject.spi.Annotated; import javax.enterprise.inject.spi.AnnotatedType; import javax.enterprise.inject.spi.BeanAttributes; import javax.enterprise.inject.spi.BeanManager; import javax.enterprise.inject.spi.BeforeBeanDiscovery; import javax.enterprise.inject.spi.Extension; -import javax.enterprise.inject.spi.ProcessAnnotatedType; -import javax.enterprise.inject.spi.WithAnnotations; +import javax.enterprise.inject.spi.ProcessBean; import javax.enterprise.util.TypeLiteral; import javax.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition; import javax.security.enterprise.authentication.mechanism.http.CustomFormAuthenticationMechanismDefinition; 
@@ -47,19 +47,28 @@ import javax.security.enterprise.authentication.mechanism.http.LoginToContinue; import javax.security.enterprise.identitystore.DatabaseIdentityStoreDefinition; import javax.security.enterprise.identitystore.IdentityStore; import javax.security.enterprise.identitystore.LdapIdentityStoreDefinition; -import java.util.HashSet; -import java.util.Set; +import java.lang.annotation.Annotation; +import java.util.Arrays; +import java.util.List; +import java.util.concurrent.atomic.AtomicReference; import java.util.function.Supplier; public class TomEESecurityExtension implements Extension { -private final Set basicAuthentication = new HashSet<>(); -private final Set formAuthentication = new HashSet<>(); -private final Set customAuthentication = new HashSet<>(); +final List> annotationsToFind = Arrays.asList(TomcatUserIdentityStoreDefinition.class, + DatabaseIdentityStoreDefinition.class, + LdapIdentityStoreDefinition.class, + BasicAuthenticationMechanismDefinition.class, + FormAuthenticationMechanismDefinition.class, + CustomFormAuthenticationMechanismDefinition.class); -private final Set tomcatUserIdentityStore = new HashSet<>(); -private final Set databaseIdentityStore = new HashSet<>(); -private final Set ldapIdentityStore = new HashSet<>(); +private final AtomicReference basicMechanism = new AtomicReference<>(); +private final AtomicReference formMechanism = new AtomicReference<>(); +private final AtomicReference customMechanism = new AtomicReference<>(); + +private final AtomicReference tomcatUserStore = new AtomicReference<>(); +private final AtomicReference databaseStore = new AtomicReference<>(); +private final AtomicReference ldapStore = new AtomicReference<>(); void observeBeforeBeanDiscovery( @Observes final BeforeBeanDiscovery beforeBeanDiscovery, 
@@ -67,7 +76,6 @@ public class TomEESecurityExtension implements Extension { beforeBeanDiscovery.addAnnotatedType(beanManager.createAnnotatedType(DefaultAuthenticationMechanism.class)); beforeBeanDiscovery.addAnnotatedType(beanManager.createAnnotatedType(TomEESecurityServletAuthenticationMechanismMapper.class)); -// beforeBeanDiscovery.addAnnotatedType(beanManager.createAnnotatedType(TomEEDefaultIdentityStore.class)); // only if at least idstore was found? beforeBeanDiscovery.addAnnotatedType(beanManager.createAnnotatedType(TomEEIdentityStoreHandler.class));
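Review bot: `annotationsToFind` in the field hunk is declared `final List> annotationsToFind = Arrays.asList(...)` with package-private visibility while every neighbouring field is `private final`; make it `private` (or document which test needs package access). The same hunk replaces the per-definition `Set` fields with single `AtomicReference` slots (`basicMechanism`, `formMechanism`, `customMechanism`, `tomcatUserStore`, `databaseStore`, `ldapStore`), so a second bean carrying the same definition annotation will silently overwrite whatever was recorded first; consider logging or failing in the new `ProcessBean` observer when the reference is already set, so a deployment with two definitions is not resolved by discovery order.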
buildbot failure in on tomee-trunk-ubuntu-jvm8
The Buildbot has detected a new failure on builder tomee-trunk-ubuntu-jvm8 while building tomee.
Full details are available at: https://ci.apache.org/builders/tomee-trunk-ubuntu-jvm8/builds/1386
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: bb_qnode7_ubuntu
Build Reason: The SingleBranchScheduler scheduler named 'on-tomee-trunk-ubuntu-jvm8-commit' triggered this build
Build Source Stamp: [branch master] 32953ed0b7f9a3654e354b3e5339ed97bddb1a14
Blamelist: Jean-Louis Monteiro
BUILD FAILED: failed test
Sincerely,
-The Buildbot
[tomee] branch master updated: Better fix for default Tomcat User identity store
This is an automated email from the ASF dual-hosted git repository. jlmonteiro pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomee.git The following commit(s) were added to refs/heads/master by this push: new 276a9e6 Better fix for default Tomcat User identity store 276a9e6 is described below commit 276a9e6aab8f1103ab39beaa8bfe5e2bf4b7cd68 Author: Jean-Louis Monteiro AuthorDate: Wed Jul 15 16:00:12 2020 +0200 Better fix for default Tomcat User identity store --- .../tomee/security/cdi/TomEESecurityExtension.java | 29 +++- .../cdi/TomcatUserIdentityStoreDefinition.java | 31 ++ .../identitystore/TomEEDefaultIdentityStore.java | 11 +++- .../security/context/SecurityContextTest.java | 4 +++ .../security/servlet/BasicAuthServletTest.java | 2 ++ .../security/servlet/FormAuthServletTest.java | 3 +++ .../tomee/security/servlet/SimpleServletTest.java | 2 ++ 7 files changed, 80 insertions(+), 2 deletions(-) diff --git a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java index 82683c8..7a315be 100644 --- a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java +++ b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java @@ -57,6 +57,7 @@ public class TomEESecurityExtension implements Extension { private final Set formAuthentication = new HashSet<>(); private final Set customAuthentication = new HashSet<>(); +private final Set tomcatUserIdentityStore = new HashSet<>(); private final Set databaseIdentityStore = new HashSet<>(); private final Set ldapIdentityStore = new HashSet<>(); 
@@ -82,12 +83,17 @@ public class TomEESecurityExtension implements Extension { void processIdentityStores( @Observes @WithAnnotations({ + TomcatUserIdentityStoreDefinition.class, DatabaseIdentityStoreDefinition.class, LdapIdentityStoreDefinition.class }) final ProcessAnnotatedType processAnnotatedType) { final AnnotatedType annotatedType = processAnnotatedType.getAnnotatedType(); +if (annotatedType.isAnnotationPresent(TomcatUserIdentityStoreDefinition.class)) { +tomcatUserIdentityStore.add(annotatedType); +} + if (annotatedType.isAnnotationPresent(DatabaseIdentityStoreDefinition.class)) { databaseIdentityStore.add(annotatedType); } @@ -125,7 +131,17 @@ public class TomEESecurityExtension implements Extension { @Observes final AfterBeanDiscovery afterBeanDiscovery, final BeanManager beanManager) { -if (databaseIdentityStore.isEmpty() && ldapIdentityStore.isEmpty()) { // add out identity store +if (!tomcatUserIdentityStore.isEmpty()) { +afterBeanDiscovery +.addBean() +.id(TomEEDefaultIdentityStore.class.getName() + "#" + TomcatUserIdentityStoreDefinition.class.getName()) +.beanClass(Supplier.class) +.addType(Object.class) +.addType(new TypeLiteral>() {}) +.qualifiers(Default.Literal.INSTANCE, Any.Literal.INSTANCE) +.scope(ApplicationScoped.class) +.createWith(creationalContext -> createTomcatUserIdentityStoreDefinitionSupplier(beanManager)); + afterBeanDiscovery .addBean() .id(TomEEDefaultIdentityStore.class.getName()) 
@@ -313,6 +329,17 @@ public class TomEESecurityExtension implements Extension { }; } +private Supplier createTomcatUserIdentityStoreDefinitionSupplier(final BeanManager beanManager) { +return () -> { +final TomcatUserIdentityStoreDefinition annotation = tomcatUserIdentityStore.iterator() + .next() + .getAnnotation( + TomcatUserIdentityStoreDefinition.class); + +return TomEEELInvocationHandler.of(TomcatUserIdentityStoreDefinition.class, annotation, beanManager); +}; +} + private Supplier createDatabaseIdentityStoreDefinitionSupplier(final BeanManager beanManager) { return () -> { final DatabaseIdentityStoreDefinition annotation = databaseIdentityStore.iterator() diff --git a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomcatUserIdentityStoreDefinition.java b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomcatUserIdentityStoreDefinition.java
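Review bot: in the `observeAfterBeanDiscovery` hunk the removed line `-if (databaseIdentityStore.isEmpty() && ldapIdentityStore.isEmpty()) { // add out identity store` is replaced by `+if (!tomcatUserIdentityStore.isEmpty()) {`, and the existing `TomEEDefaultIdentityStore` bean registration now sits inside that new block. An application that declares no identity store at all therefore no longer gets the default Tomcat user store; that is a behaviour change the commit message should state explicitly, and the small additions to `SecurityContextTest`, `BasicAuthServletTest`, `FormAuthServletTest` and `SimpleServletTest` in the stat line suggest the tests had to be adjusted for it.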
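Review bot: `createTomcatUserIdentityStoreDefinitionSupplier` reads `tomcatUserIdentityStore.iterator().next()`, so when two classes carry `@TomcatUserIdentityStoreDefinition` the definition used depends on `HashSet` iteration order, and on an empty set the lambda throws `NoSuchElementException` from inside the bean's `createWith`. The caller guards with `!tomcatUserIdentityStore.isEmpty()`, but a `size() > 1` check with a clear deployment error (or at least a warning) would make the duplicate case deterministic; the database store supplier directly below uses the same pattern and would benefit from the same check.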
[tomee] branch master updated: Fix tomee-security tests
This is an automated email from the ASF dual-hosted git repository. jlmonteiro pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tomee.git The following commit(s) were added to refs/heads/master by this push: new 32953ed Fix tomee-security tests 32953ed is described below commit 32953ed0b7f9a3654e354b3e5339ed97bddb1a14 Author: Jean-Louis Monteiro AuthorDate: Wed Jul 15 15:27:57 2020 +0200 Fix tomee-security tests --- tomee/pom.xml | 2 +- .../tomee/security/cdi/TomEESecurityExtension.java | 21 + .../security/TomEEELInvocationHandlerTest.java | 4 +++- .../security/servlet/BasicAuthServletTest.java | 10 +- .../tomee/security/servlet/SimpleServletTest.java | 2 +- tomee/tomee-webapp/pom.xml | 4 ++-- 6 files changed, 33 insertions(+), 10 deletions(-) diff --git a/tomee/pom.xml b/tomee/pom.xml index 2016ce2..a8aa721 100644 --- a/tomee/pom.xml +++ b/tomee/pom.xml @@ -53,7 +53,7 @@ tomee-juli tomee-overlay-runner - +tomee-security diff --git a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java index 2abd093..82683c8 100644 --- a/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java +++ b/tomee/tomee-security/src/main/java/org/apache/tomee/security/cdi/TomEESecurityExtension.java @@ -21,6 +21,7 @@ import org.apache.tomee.security.TomEEPbkdf2PasswordHash; import org.apache.tomee.security.TomEEPlaintextPasswordHash; import org.apache.tomee.security.TomEESecurityContext; import org.apache.tomee.security.identitystore.TomEEDatabaseIdentityStore; +import org.apache.tomee.security.identitystore.TomEEDefaultIdentityStore; import org.apache.tomee.security.identitystore.TomEEIdentityStoreHandler; import org.apache.tomee.security.identitystore.TomEELDAPIdentityStore; 
@@ -124,6 +125,26 @@ public class TomEESecurityExtension implements Extension { @Observes final AfterBeanDiscovery afterBeanDiscovery, final BeanManager beanManager) { +if (databaseIdentityStore.isEmpty() && ldapIdentityStore.isEmpty()) { // add out identity store +afterBeanDiscovery +.addBean() +.id(TomEEDefaultIdentityStore.class.getName()) +.beanClass(TomEEDefaultIdentityStore.class) +.types(Object.class, IdentityStore.class, TomEEDefaultIdentityStore.class) +.qualifiers(Default.Literal.INSTANCE, Any.Literal.INSTANCE) +.scope(ApplicationScoped.class) +.createWith((CreationalContext creationalContext) -> { +final AnnotatedType annotatedType = + beanManager.createAnnotatedType(TomEEDefaultIdentityStore.class); +final BeanAttributes beanAttributes = +beanManager.createBeanAttributes(annotatedType); +return beanManager.createBean(beanAttributes, TomEEDefaultIdentityStore.class, + beanManager.getInjectionTargetFactory(annotatedType)) + .create(creationalContext); +}); + +} + if (!databaseIdentityStore.isEmpty()) { afterBeanDiscovery .addBean() diff --git a/tomee/tomee-security/src/test/java/org/apache/tomee/security/TomEEELInvocationHandlerTest.java b/tomee/tomee-security/src/test/java/org/apache/tomee/security/TomEEELInvocationHandlerTest.java index 2d581aa..3516527 100644 --- a/tomee/tomee-security/src/test/java/org/apache/tomee/security/TomEEELInvocationHandlerTest.java +++ b/tomee/tomee-security/src/test/java/org/apache/tomee/security/TomEEELInvocationHandlerTest.java @@ -20,6 +20,8 @@ import org.junit.Assert; import org.junit.Test; import javax.el.ELProcessor; +import javax.enterprise.inject.Alternative; +import javax.enterprise.inject.Vetoed; import javax.enterprise.inject.spi.BeanManager; import javax.enterprise.inject.spi.CDI; import javax.security.enterprise.identitystore.DatabaseIdentityStoreDefinition; 
@@ -51,13 +53,13 @@ public class TomEEELInvocationHandlerTest extends AbstractTomEESecurityTest { return CDI.current().getBeanManager(); } +@Vetoed // so we don't break the other tests with this @DatabaseIdentityStoreDefinition(dataSourceLookup = "jdbc/securityAPIDB", callerQuery = "select password from caller where name = ?", groupsQuery = "select group_name from caller_groups where caller_name = ?", hashAlgorithm = CleartextPasswordHash.class, priority = 30, priorityExpression =
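Review bot: in the `observeAfterBeanDiscovery` hunk the comment `// add out identity store` should read `our`, and the `createWith` lambda builds a throwaway `Bean` via `beanManager.createBean(beanAttributes, TomEEDefaultIdentityStore.class, beanManager.getInjectionTargetFactory(annotatedType))` every time it runs. With `ApplicationScoped` that is once per application, but there is no matching `destroyWith`, so `@PreDestroy` and injection-target disposal for `TomEEDefaultIdentityStore` are never invoked; creating the bean once outside the lambda and wiring `destroyWith` (or registering it with `afterBeanDiscovery.addBean(bean)`) would close that gap. The Buildbot message in this thread also reports a failed test for this commit (`32953ed`).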
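Review bot: `+@Vetoed // so we don't break the other tests with this` on the `@DatabaseIdentityStoreDefinition`-annotated type in `TomEEELInvocationHandlerTest` stops CDI from discovering that class, so `processIdentityStores` will not see the definition either; the comment says why the type is vetoed but not how the test still obtains the annotation, and spelling that out would save the next reader a trip through the extension. The same hunk imports `javax.enterprise.inject.Alternative` alongside `Vetoed`; if `@Alternative` is not used in the file, drop the import.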
[jira] [Commented] (TOMEE-2876) Fix cxf CVE issues
[ https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17158060#comment-17158060 ]

Jonathan Gallimore commented on TOMEE-2876:
---

This has been discussed on the mailing list, and in short, isn't straightforward, as the newer versions of CXF target newer versions of JAX-RS than the TomEE 7.x.y branches are using (TomEE 7 targets EE7). That restricts us to CXF 3.1.x on these branches. The CXF team have confirmed that they will not create newer releases on the 3.1.x branch. You could consider moving to TomEE 8.

Over the next couple of days, I will look at the possibility of patching these using the tomee-patch-plugin we recently introduced with the Jakarta EE 9 work - does that sound reasonable?

These two CVEs are unlikely to impact TomEE:

[https://nvd.nist.gov/vuln/detail/CVE-2019-12423]
This relates to the JWK functionality in CXF, which TomEE does not use. Unless you're doing something specific in your application to use this functionality, you shouldn't be affected by this.

[https://nvd.nist.gov/vuln/detail/CVE-2020-1954]
It's possible to register an InstrumentationManager extension with the CXF bus, which opens a JMX/RMI port that is vulnerable to a man-in-the-middle attack. You'll notice from the CXF announcement that I helped to research and patch this issue in CXF. If you're using CXF directly, with a config like this: [https://github.com/apache/cxf/blob/master/distribution/src/main/release/samples/wsdl_first/src/main/resources/server-applicationContext.xml#L32-L37] you may be vulnerable. TomEE does not use this functionality, but your application might.
> Fix cxf CVE issues
> --
>
> Key: TOMEE-2876
> URL: https://issues.apache.org/jira/browse/TOMEE-2876
> Project: TomEE
> Issue Type: Dependency upgrade
> Components: TomEE Build
> Affects Versions: 7.1.3
> Reporter: Leandro Vale
> Assignee: Jonathan Gallimore
> Priority: Major
>
> The following CVE vulnerabilities have been identified in cxf 3.1.18:
> * CVE-2019-12423
> * CVE-2020-1954
> * CVE-2019-12406
> Please consider upgrading to at least v3.3.6 (latest v3.3.7).
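The comment above says an application is only exposed to CVE-2020-1954 if it registers an InstrumentationManager with the CXF bus itself. The script below is an added example, not code from this thread or from the TomEE or CXF projects: it audits a CXF Spring XML configuration and flags any InstrumentationManagerImpl bean that would start the JMX/RMI connector. The class name `org.apache.cxf.management.jmx.InstrumentationManagerImpl`, the property names `enabled`, `createMBServerConnectorFactory` and `JMXServiceURL`, and the treatment of a missing `createMBServerConnectorFactory` as "not disabled" are assumptions taken from CXF's JMX configuration and the wording of the CVE advisory, not from this page; the three sample configurations and the function names are constructed for the example.

```python
"""Audit a CXF/Spring XML configuration for an InstrumentationManager bean
that would start a JMX/RMI connector (the precondition discussed for
CVE-2020-1954).

Added example; not code from the TomEE project or this thread. The bean class
name and the property names below are assumptions taken from CXF's JMX
configuration and the advisory wording, and the sample configs are constructed.
"""
import xml.etree.ElementTree as ET

# Assumption: fully qualified name of CXF's default InstrumentationManager.
IM_CLASS = "org.apache.cxf.management.jmx.InstrumentationManagerImpl"


def _local(tag):
    """Strip a namespace prefix from an ElementTree tag: '{ns}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]


def _properties(bean):
    """Map <property name=... value=.../> (or nested <value>) children of a Spring bean."""
    props = {}
    for child in bean:
        if _local(child.tag) != "property" or "name" not in child.attrib:
            continue
        value = child.attrib.get("value")
        if value is None:
            for sub in child:
                if _local(sub.tag) == "value":
                    value = (sub.text or "").strip()
        props[child.attrib["name"]] = value
    return props


def audit_cxf_jmx(xml_text):
    """Return one finding string per InstrumentationManagerImpl bean that would
    expose an RMI connector: JMX enabled and the connector factory not disabled."""
    findings = []
    root = ET.fromstring(xml_text)
    for element in root.iter():
        if _local(element.tag) != "bean" or element.attrib.get("class") != IM_CLASS:
            continue
        props = _properties(element)
        bean_id = element.attrib.get("id", "<anonymous bean>")
        # Assumption: JMX instrumentation is off unless 'enabled' is set to true,
        # and an inactive manager starts no connector at all.
        if (props.get("enabled") or "false").strip().lower() != "true":
            continue
        # Assumption from the advisory wording: the connector factory is active
        # unless explicitly disabled, so a missing property counts as exposed.
        connector = (props.get("createMBServerConnectorFactory") or "true").strip().lower()
        if connector != "false":
            url = props.get("JMXServiceURL") or "<CXF default JMXServiceURL>"
            findings.append(
                f"{bean_id}: JMX enabled with createMBServerConnectorFactory not "
                f"disabled; an RMI connector would listen at {url}"
            )
    return findings


# Constructed sample configurations (not taken from the thread or from CXF).
EXPOSED_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="org.apache.cxf.management.InstrumentationManager"
        class="org.apache.cxf.management.jmx.InstrumentationManagerImpl">
    <property name="bus" ref="cxf"/>
    <property name="enabled" value="true"/>
    <property name="JMXServiceURL"
              value="service:jmx:rmi:///jndi/rmi://localhost:9914/jmxrmi"/>
  </bean>
</beans>
"""

HARDENED_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="org.apache.cxf.management.InstrumentationManager"
        class="org.apache.cxf.management.jmx.InstrumentationManagerImpl">
    <property name="enabled" value="true"/>
    <!-- keep in-process MBeans, but do not start the RMI connector -->
    <property name="createMBServerConnectorFactory" value="false"/>
  </bean>
</beans>
"""

DISABLED_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean class="org.apache.cxf.management.jmx.InstrumentationManagerImpl">
    <property name="enabled"><value>false</value></property>
  </bean>
</beans>
"""


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG),
                      ("hardened", HARDENED_CONFIG),
                      ("disabled", DISABLED_CONFIG)):
        print(name, audit_cxf_jmx(cfg) or ["no exposed JMX connector"])
```

Run against an application's own `applicationContext.xml` files, a non-empty result means the deployment, not TomEE itself, is the thing to fix: either drop the bean, or keep the in-process MBeans and set `createMBServerConnectorFactory` to `false` as in the hardened sample. The tag-name matching strips namespaces so the check works whether or not the file declares the Spring `beans` namespace.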
[jira] [Assigned] (TOMEE-2876) Fix cxf CVE issues
[ https://issues.apache.org/jira/browse/TOMEE-2876?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jonathan Gallimore reassigned TOMEE-2876:
-

Assignee: Jonathan Gallimore

> Fix cxf CVE issues
> --
>
> Key: TOMEE-2876
> URL: https://issues.apache.org/jira/browse/TOMEE-2876
> Project: TomEE
> Issue Type: Dependency upgrade
> Components: TomEE Build
> Affects Versions: 7.1.3
> Reporter: Leandro Vale
> Assignee: Jonathan Gallimore
> Priority: Major
>
> The following CVE vulnerabilities have been identified in cxf 3.1.18:
> * CVE-2019-12423
> * CVE-2020-1954
> * CVE-2019-12406
> Please consider upgrading to at least v3.3.6 (latest v3.3.7).
[jira] [Created] (TOMEE-2876) Fix cxf CVE issues
Leandro Vale created TOMEE-2876:
---

Summary: Fix cxf CVE issues
Key: TOMEE-2876
URL: https://issues.apache.org/jira/browse/TOMEE-2876
Project: TomEE
Issue Type: Dependency upgrade
Components: TomEE Build
Affects Versions: 7.1.3
Reporter: Leandro Vale

The following CVE vulnerabilities have been identified in cxf 3.1.18:
* CVE-2019-12423
* CVE-2020-1954
* CVE-2019-12406

Please consider upgrading to at least v3.3.6 (latest v3.3.7).