From 54115af85a8dcf426f14799125e0479a281df8e1 Mon Sep 17 00:00:00 2001 From: Damian Sobieralski Date: Thu, 14 Dec 2023 17:34:34 -0500 Subject: [PATCH 1/4] LMSA-7710 - upgraded --- README.md | 1 + pom.xml | 22 +++++++++---------- .../iu/uits/lms/viewem/WebApplication.java | 1 - .../lms/viewem/config/SecurityConfig.java | 21 +++++++++++++++--- 4 files changed, 30 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 7092641..1815d98 100644 --- a/README.md +++ b/README.md @@ -63,6 +63,7 @@ They can be set in a properties file, or overridden as environment variables. | Property | Default Value | Description | |----------------------|-----------------------------|-----------------------------------------------------------| | `canvas.host` | | Hostname of the Canvas instance | +| `canvas.sso.host` | | Hostname of the Canvas OIDC auth domain | | `canvas.baseUrl` | https://`${canvas.host}` | Base URL of the Canvas instance | | `canvas.baseApiUrl` | `${canvas.baseUrl}`/api/v1 | Base URL for the Canvas API | | `canvas.token` | | Token for access to Canvas instance | diff --git a/pom.xml b/pom.xml index f777354..19a84f6 100644 --- a/pom.xml +++ b/pom.xml @@ -9,7 +9,7 @@ org.springframework.boot spring-boot-starter-parent - 2.7.10 + 2.7.18 @@ -55,26 +55,26 @@ ${project.version} 1.5 - 2.11.0 + 2.15.1 5.0.0 2.5.0 17 17 17 - 3.5.1 - 5.2.3.1 - 5.2.5 + 3.7.1 + 5.2.5.2_2 + 5.2.27 4.8 - 5.7.1 - 1.6.15 - 2021.0.5 - 0.46 + 5.9 + 1.7.0 + 2021.0.8 + 0.50 - 3.10.1 + 3.11.0 2.0.0 - 2.5.3 + 3.0.0 diff --git a/src/main/java/edu/iu/uits/lms/viewem/WebApplication.java b/src/main/java/edu/iu/uits/lms/viewem/WebApplication.java index da2365b..de58a1d 100644 --- a/src/main/java/edu/iu/uits/lms/viewem/WebApplication.java +++ b/src/main/java/edu/iu/uits/lms/viewem/WebApplication.java 
@@ -68,7 +68,6 @@ public class WebApplication { private ToolConfig toolConfig; public static void main(String[] args) { -// SpringApplication.run(WebApplication.class, args); SpringApplication app = new SpringApplication(WebApplication.class); BufferingApplicationStartup startup = new BufferingApplicationStartup(2048); startup.addFilter(startupStep -> startupStep.getName().matches("spring.boot.application.ready")); diff --git a/src/main/java/edu/iu/uits/lms/viewem/config/SecurityConfig.java b/src/main/java/edu/iu/uits/lms/viewem/config/SecurityConfig.java index 4bad224..1479b34 100644 --- a/src/main/java/edu/iu/uits/lms/viewem/config/SecurityConfig.java +++ b/src/main/java/edu/iu/uits/lms/viewem/config/SecurityConfig.java @@ -47,6 +47,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy; +import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter; import uk.ac.ox.ctl.lti13.Lti13Configurer; import static edu.iu.uits.lms.lti.LTIConstants.BASE_USER_ROLE; @@ -62,7 +63,9 @@ public static class RestSecurityConfigurationAdapter extends WebSecurityConfigur @Override public void configure(HttpSecurity http) throws Exception { - http.requestMatchers().antMatchers("/rest/**", "/api/**") + http + .cors().and() + .requestMatchers().antMatchers("/rest/**", "/api/**") .and() .authorizeRequests() // In order to allow CORS preflight requests to succeed, we need to allow OPTIONS requests to the token endpoint 
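Review bot: `.cors()` is added in front of the `/rest/**`, `/api/**` matchers without any visible `CorsConfigurationSource`, so the allowed origins, methods and credentials flag come from a `corsConfigurationSource` bean or MVC `@CrossOrigin` mapping defined outside this hunk — and if neither exists the filter has no policy to apply. Please confirm an explicit origin allow-list is registered for those paths (not a wildcard origin combined with allowed credentials) and point to it here, e.g. `// CORS policy comes from the corsConfigurationSource bean in <CONFIG_CLASS - placeholder>`. The existing comment about OPTIONS preflight on the token endpoint would also be a good place to say that the preflight is now answered by the CORS filter rather than by the permit-all rule alone. The enclosing `configure(HttpSecurity)` of `RestSecurityConfigurationAdapter` continues past the end of the hunk.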
@@ -96,7 +99,13 @@ protected void configure(HttpSecurity http) throws Exception { .authorizeRequests() .antMatchers(WELL_KNOWN_ALL, "/error").permitAll() .antMatchers("/**").hasRole(BASE_USER_ROLE) - .withObjectPostProcessor(new LmsFilterSecurityInterceptorObjectPostProcessor()); + .withObjectPostProcessor(new LmsFilterSecurityInterceptorObjectPostProcessor()) + .and() + .headers() + .contentSecurityPolicy("style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self' https://*.instructure.com") + .and() + .referrerPolicy(referrer -> referrer + .policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.SAME_ORIGIN)); //Setup the LTI handshake Lti13Configurer lti13Configurer = new Lti13Configurer() @@ -109,7 +118,13 @@ protected void configure(HttpSecurity http) throws Exception { .and() .authorizeRequests() .anyRequest().authenticated() - .withObjectPostProcessor(new LmsFilterSecurityInterceptorObjectPostProcessor()); + .withObjectPostProcessor(new LmsFilterSecurityInterceptorObjectPostProcessor()) + .and() + .headers() + .contentSecurityPolicy("style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self' https://*.instructure.com") + .and() + .referrerPolicy(referrer -> referrer + .policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.SAME_ORIGIN)); } @Override From e16c57270708ce899cac5c3b75ad1de90e054d94 Mon Sep 17 00:00:00 2001 From: Damian Sobieralski Date: Wed, 3 Jan 2024 16:45:31 -0500 Subject: [PATCH 2/4] LMSA-7710 - upgraded --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 19a84f6..2c7cfc4 100644 --- a/pom.xml +++ b/pom.xml @@ -63,13 +63,13 @@ 17 3.7.1 5.2.5.2_2 - 5.2.27 + 5.2.28 4.8 5.9 1.7.0 - 2021.0.8 + 2021.0.9 0.50 3.11.0 From e1ec010fef6f3c596e3438892b1b3e418ba79739 Mon Sep 17 00:00:00 2001 
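Review bot: The `frame-ancestors` value hard-codes `https://*.instructure.com` while the README change in this same patch keeps `canvas.host` (and now `canvas.sso.host`) configurable; a Canvas instance served from a non-instructure vanity domain would be refused as a framing parent, so the allowed ancestor should be built from the configured host rather than fixed in the literal. The identical policy string and referrer-policy chain appear both here and in the `@@ -109,7 +118,13 @@` hunk below; pull the literal into one constant such as `private static final String CONTENT_SECURITY_POLICY = "style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self' https://*.instructure.com";` so the two adapters cannot drift apart. As written the policy has no `default-src` or `script-src`, so it constrains only styles, form targets and framing — if that is intended, a comment such as `// CSP scoped to clickjacking and form-action protection; script sources are deliberately not restricted` would stop a later reader from assuming script injection is covered. Whether an `X-Frame-Options` header is still emitted depends on `frameOptions()` settings outside the hunk; per the CSP spec browsers that honor `frame-ancestors` ignore that header, but the two should be reviewed together so older clients see a consistent answer. Both enclosing `configure(HttpSecurity)` methods begin before their hunks.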
From: Damian Sobieralski Date: Wed, 3 Jan 2024 17:54:15 -0500 Subject: [PATCH 3/4] LMSA-7710 - use newer embedded services that has older lti dep --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 2c7cfc4..997621f 100644 --- a/pom.xml +++ b/pom.xml @@ -63,7 +63,7 @@ 17 3.7.1 5.2.5.2_2 - 5.2.28 + 5.2.29 4.8 From 382048b0771ef9b32b6f858887b279f439a54d0b Mon Sep 17 00:00:00 2001 From: Damian Sobieralski Date: Thu, 4 Jan 2024 17:00:56 -0500 Subject: [PATCH 4/4] LMSA-7710 - use newer embedded services and added README area regarding issuer --- README.md | 9 +++++++++ pom.xml | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 1815d98..b46ba00 100644 --- a/README.md +++ b/README.md @@ -92,6 +92,15 @@ They can be set in a security.properties file, or overridden as environment vari | `lti.errorcontact.name` | Display name for your support organization | | `lti.errorcontact.link` | Contact mechanism - URL or mailto:email (e.g. `http://support.school.edu` or `mailto:support@school.edu`) | +### LTI issuer configuration +Be sure to configure an environment appropriate issuer for the Canvas instance that is launching the tool. + +See https://canvas.instructure.com/doc/api/file.lti_dev_key_config.html#overview-of-an-lti-launch for details. + +| Property | Description | +|-------------------|----------------------------------------------------------| +| `canvas.issuer` | Issuer for the Canvas instance doing the LTI tool launch | + ### Redis Configuration (optional) If you would like to use Redis for session storage, you will need to enable it by including the value `redis-session` into the `SPRING_PROFILES_ACTIVE` environment variable. Be aware that if the tool requires multiple values, that there could be more than one profile value in there. diff --git a/pom.xml b/pom.xml index 997621f..dc1362d 100644 --- a/pom.xml +++ b/pom.xml 
@@ -63,7 +63,7 @@ 17 3.7.1 5.2.5.2_2 - 5.2.29 + 5.2.30 4.8