From 96c05042e8d479a20ec327184fee6a42cce3f70f Mon Sep 17 00:00:00 2001 From: Mike Andrasak Date: Mon, 23 Mar 2020 17:09:06 -0400 Subject: [PATCH 1/3] 704 document quick start security removal on deployment --- incubator/java-microprofile/image/project/Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/incubator/java-microprofile/image/project/Dockerfile b/incubator/java-microprofile/image/project/Dockerfile index fd6a2a459..b76ea6f1f 100644 --- a/incubator/java-microprofile/image/project/Dockerfile +++ b/incubator/java-microprofile/image/project/Dockerfile @@ -23,6 +23,9 @@ RUN cd /project/user-app && mvn -B liberty:install-server # Remove quick-start-security.xml since it is only needed during local development. COPY ./user-app/src /project/user-app/src RUN cd /project/user-app && \ + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + echo "quick-start-security is not secure for production environments. It is being removed" + echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" rm -f src/main/liberty/config/configDropins/defaults/quick-start-security.xml && \ mvn package -DskipTests From edc6a58cc90855ccee6738074d05b94b8e1e266b Mon Sep 17 00:00:00 2001 From: Mike Andrasak Date: Mon, 23 Mar 2020 19:28:35 -0400 Subject: [PATCH 2/3] java-microprofile: document quick start security removal --- incubator/java-microprofile/README.md | 9 +++++++++ incubator/java-microprofile/image/project/Dockerfile | 4 +--- incubator/java-microprofile/stack.yaml | 4 ++-- incubator/java-openliberty/image/project/Dockerfile | 1 + 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/incubator/java-microprofile/README.md b/incubator/java-microprofile/README.md index 05c40e633..411b78baf 100644 --- a/incubator/java-microprofile/README.md +++ b/incubator/java-microprofile/README.md 
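Review bot: The three added `echo` lines in incubator/java-microprofile/image/project/Dockerfile have no `&& \` at the end, so the `RUN` instruction stops at the first `echo` and the lines after it are read as Dockerfile instructions rather than shell commands. The build would be expected to fail on the unknown `echo` instruction, and in any case `rm -f src/main/liberty/config/configDropins/defaults/quick-start-security.xml` is no longer part of the `RUN` chain. Each added line needs the continuation, for example `echo "quick-start-security is not secure for production environments. It is being removed" && \`. One message line is enough; the two rows of `!` only add noise to the build log.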
@@ -44,6 +44,13 @@ OpenAPI endpoints: - http://localhost:9080/openapi (the RESTful APIs of the inventory service) - http://localhost:9080/openapi/ui (Swagger UI of the deployed APIs) +### Config dropin: **quick-start-security.xml** + +The metrics endpoint is secured with a userid and password enabled through the config dropin included in the default template at path: +**src/main/liberty/config/configDropins/defaults/quick-start-security.xml**. + +In order to lock down the production image built via `appsody build` this file is deleted during the Docker build of your application production image. (The same file would be deleted if you happened to create your own file at this location as well). + ## Getting Started 1. Create a new folder in your local directory and initialize it using the Appsody CLI, e.g.: @@ -74,6 +81,8 @@ OpenAPI endpoints: - Swagger UI endpoint: http://localhost:9080/openapi/ui - Javametrics Dashboard endpoint: http://localhost:9080/javametrics-dash/ (development-time only) + + ## License This stack is licensed under the [Apache 2.0](./image/LICENSE) license diff --git a/incubator/java-microprofile/image/project/Dockerfile b/incubator/java-microprofile/image/project/Dockerfile index b76ea6f1f..d37d85be9 100644 --- a/incubator/java-microprofile/image/project/Dockerfile +++ b/incubator/java-microprofile/image/project/Dockerfile 
@@ -23,9 +23,7 @@ RUN cd /project/user-app && mvn -B liberty:install-server # Remove quick-start-security.xml since it is only needed during local development. COPY ./user-app/src /project/user-app/src RUN cd /project/user-app && \ - echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" - echo "quick-start-security is not secure for production environments. It is being removed" - echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" + echo "QUICK START SECURITY IS NOT SECURE FOR PRODUCTION ENVIRONMENTS. IT IS BEING REMOVED" \ rm -f src/main/liberty/config/configDropins/defaults/quick-start-security.xml && \ mvn package -DskipTests diff --git a/incubator/java-microprofile/stack.yaml b/incubator/java-microprofile/stack.yaml index 3e82be8bb..dbefed55c 100644 --- a/incubator/java-microprofile/stack.yaml +++ b/incubator/java-microprofile/stack.yaml @@ -1,5 +1,5 @@ name: Eclipse MicroProfile® -version: 0.2.24 +version: 0.2.25 description: Eclipse MicroProfile on Open Liberty & OpenJ9 using Maven license: Apache-2.0 language: java @@ -17,4 +17,4 @@ default-template: default requirements: appsody-version: ">= 0.5.0" templating-data: - libertyversion: '19.0.0.12' \ No newline at end of file + libertyversion: '19.0.0.12' diff --git a/incubator/java-openliberty/image/project/Dockerfile b/incubator/java-openliberty/image/project/Dockerfile index 196d6b5d1..151b1d6d6 100644 --- a/incubator/java-openliberty/image/project/Dockerfile +++ b/incubator/java-openliberty/image/project/Dockerfile 
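Review bot: The added `echo "QUICK START SECURITY ..." \` line ends in a bare continuation with no `&&`, so the shell passes the following `rm -f src/main/liberty/config/configDropins/defaults/quick-start-security.xml` to `echo` as extra arguments; the text is printed and the file is never deleted. The production image then keeps the quick-start security dropin that the README text added in this same patch says is removed. End the line with `&& \`, i.e. `echo "QUICK START SECURITY IS NOT SECURE FOR PRODUCTION ENVIRONMENTS. IT IS BEING REMOVED" && \`. The same line is added to incubator/java-openliberty/image/project/Dockerfile in this patch, and patch 3/3 removes it only there, so the java-microprofile Dockerfile keeps the defect. A guard after the `rm`, such as `test ! -e src/main/liberty/config/configDropins/defaults/quick-start-security.xml && \`, would make the build fail if the file survives.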
@@ -45,6 +45,7 @@ COPY --chown=java_user:java_group ./user-app /project/user-app # also liberty:create copies config from src->target # also remove quick-start-security.xml since it's convenient for local dev mode but should not be in the production image. RUN cd /project/user-app && \ + echo "QUICK START SECURITY IS NOT SECURE FOR PRODUCTION ENVIRONMENTS. IT IS BEING REMOVED" \ rm -f src/main/liberty/config/configDropins/defaults/quick-start-security.xml && \ mvn -Pappsody-build -B liberty:create package From 605be4025f759858dedf074ffea299c33d54ae60 Mon Sep 17 00:00:00 2001 From: Mike Andrasak Date: Tue, 14 Apr 2020 09:01:47 -0400 Subject: [PATCH 3/3] java-microprofile: Notify of quick start security removal --- incubator/java-openliberty/image/project/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/incubator/java-openliberty/image/project/Dockerfile b/incubator/java-openliberty/image/project/Dockerfile index 151b1d6d6..196d6b5d1 100644 --- a/incubator/java-openliberty/image/project/Dockerfile +++ b/incubator/java-openliberty/image/project/Dockerfile @@ -45,7 +45,6 @@ COPY --chown=java_user:java_group ./user-app /project/user-app # also liberty:create copies config from src->target # also remove quick-start-security.xml since it's convenient for local dev mode but should not be in the production image. RUN cd /project/user-app && \ - echo "QUICK START SECURITY IS NOT SECURE FOR PRODUCTION ENVIRONMENTS. IT IS BEING REMOVED" \ rm -f src/main/liberty/config/configDropins/defaults/quick-start-security.xml && \ mvn -Pappsody-build -B liberty:create package