Skip to content

Commit

Permalink
Merge pull request TexasDigitalLibrary#1969 from TexasDigitalLibrary/…
Browse files Browse the repository at this point in the history
…security-patch-yml

fixed security issue with application.yml
  • Loading branch information
cstarcher authored Nov 5, 2024
2 parents d97b1be + fdd6424 commit f6941c3
Show file tree
Hide file tree
Showing 6 changed files with 35 additions and 9 deletions.
10 changes: 5 additions & 5 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ $ mvn clean spring-boot:run -Dproduction
$ mvn clean package -DskipTests -Dproduction -Dassets.uri=file:/opt/vireo/ -Dconfig.uri=file:/opt/vireo/config/
```

If build succeeds, you should have both a `vireo-4.2.9.war` and a `vireo-4.2.9-install.zip` in the `target/` directory. When building for production required static assets are copied into the packaged war file and the index.html template is optimized for production. For development a symlink is used to allow the application to access required static assets.
If build succeeds, you should have both a `vireo-4.2.10.war` and a `vireo-4.2.10-install.zip` in the `target/` directory. When building for production required static assets are copied into the packaged war file and the index.html template is optimized for production. For development a symlink is used to allow the application to access required static assets.

#### Apache Reverse Proxy Config

Expand Down Expand Up @@ -117,7 +117,7 @@ Unzip package into preferred directory (or any directory you choose):

```bash
$ cd /opt/vireo
$ unzip vireo-4.2.9-install.zip
$ unzip vireo-4.2.10-install.zip
```

### Directory Structure of installed package
Expand Down Expand Up @@ -190,13 +190,13 @@ ln -s /opt/vireo/webapp /opt/tomcat/webapps/ROOT
Copy war file into Tomcat webapps directory (your location may vary -- this is an example):

```bash
$ cp ~/vireo-4.2.9.war /usr/local/tomcat/webapps/vireo.war
$ cp ~/vireo-4.2.10.war /usr/local/tomcat/webapps/vireo.war
```

or as root:

```bash
$ cp ~/vireo-4.2.9.war /usr/local/tomcat/webapps/ROOT.war
$ cp ~/vireo-4.2.10.war /usr/local/tomcat/webapps/ROOT.war
```

**if not specifying assets.uri during build the assets will be stored under the vireo webapp's classpath, /opt/tomcat/webapps/vireo/WEB-INF/classes**
Expand All @@ -209,7 +209,7 @@ $ cp ~/vireo-4.2.9.war /usr/local/tomcat/webapps/ROOT.war
## Running WAR as a stand-alone Spring Boot application

```bash
java -jar target/vireo-4.2.9.war
java -jar target/vireo-4.2.10.war
```

<div align="right">(<a href="#readme-top">back to top</a>)</div>
Expand Down
2 changes: 1 addition & 1 deletion build/appConfig.js.template
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
var appConfig = {

'version': '4.2.9',
'version': '4.2.10',

'allowAnonymous': true,
'anonymousRole': 'ROLE_ANONYMOUS',
Expand Down
2 changes: 1 addition & 1 deletion example.env
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
##############################

IMAGE_HOST=127.0.0.1
IMAGE_VERSION=4.2.9
IMAGE_VERSION=4.2.10
SERVICE_PROJECT=tdl
SERVICE_PATH=vireo

Expand Down
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"name": "vireo",
"private": false,
"version": "4.2.9",
"version": "4.2.10",
"description": "Vireo 4",
"homepage": "https://github.com/TexasDigitalLibrary/Vireo",
"repository": {
Expand Down
2 changes: 1 addition & 1 deletion pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@

<groupId>org.tdl</groupId>
<artifactId>vireo</artifactId>
<version>4.2.9</version>
<version>4.2.10</version>

<name>Vireo</name>
<description>Vireo Thesis and Dissertation Submission System</description>
Expand Down
26 changes: 26 additions & 0 deletions src/main/java/org/tdl/vireo/config/AppWebMvcConfig.java
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@

import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.apache.catalina.connector.Connector;
import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.slf4j.Logger;
Expand All @@ -13,12 +15,15 @@
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.web.method.support.HandlerMethodArgumentResolver;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
import org.springframework.web.servlet.resource.ResourceResolver;
import org.springframework.web.servlet.resource.ResourceResolverChain;
import org.tdl.vireo.Application;
import org.tdl.vireo.model.User;
import org.tdl.vireo.model.repo.UserRepo;
Expand Down Expand Up @@ -65,6 +70,27 @@ public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/**").addResourceLocations("classpath:/");

registry.addResourceHandler("/public/**").addResourceLocations("file:" + Application.getAssetsPath() + publicFolder + "/");
registry.addResourceHandler("/application.yml")
.setCachePeriod(0)
.addResourceLocations("classpath:/")
.resourceChain(true)
.addResolver(new ResourceResolver() {

@Override
public Resource resolveResource(HttpServletRequest request, String requestPath,
List<? extends Resource> locations, ResourceResolverChain chain) {
return null;
}

@Override
public String resolveUrlPath(String resourcePath, List<? extends Resource> locations,
ResourceResolverChain chain) {
return null;
}

})
.addTransformer((resource, requestPath, transformerChain) -> null);

registry.setOrder(Integer.MAX_VALUE - 2);

logger.info("/public/** -> file:" + Application.getAssetsPath() + publicFolder + "/");
Expand Down

0 comments on commit f6941c3

Please sign in to comment.