FC-274 - Upgrade maven plugins and dependencies
shawnmckinney committed Dec 10, 2019
1 parent 271bce7 commit 1a2f696efeb72fb392b2dd5090fc2fafc96e90b5
Showing 3 changed files with 94 additions and 23 deletions.
@@ -202,10 +202,14 @@ This web app uses Java EE security.
```

This sample requires Java 8 and Maven 3 to be setup within the execution env.


#### 2. Load the default security policy for Fortress REST.

```
mvn install -Dload.file=src/main/resources/FortressRestServerPolicy.xml
```

#### 2. Optional, load a sample security policy for ARBAC.
#### 3. Optional, load a sample security policy for ARBAC.
```maven
mvn install -Dload.file=src/main/resources/FortressRestArbacSamplePolicy.xml
```
@@ -214,7 +218,7 @@ This web app uses Java EE security.
* *-Dload.file* automatically loads the [directory-fortress-rest security policy](src/main/resources/FortressRestServerPolicy.xml) data into ldap.
* This load needs to happen just once for the default test cases to work and may be dropped from future `mvn` commands.

#### 3. Deploy to Tomcat:
#### 4. Deploy to Tomcat:

a. If using autodeploy feature, verify the Tomcat auto-deploy options are set correctly in the [pom.xml](pom.xml) file:
```xml
70 pom.xml
@@ -104,17 +104,17 @@
<java.version>1.8</java.version>
<!-- Dependencies version -->
<fortress.realm.version>2.0.4</fortress.realm.version>
<cxf.version>3.2.6</cxf.version>
<cxf.version>3.3.4</cxf.version>
<httpclient.version>3.1</httpclient.version>
<java.version>1.8</java.version>
<javadoc.version>2.9.1</javadoc.version>
<junit.version>4.12</junit.version>
<log4j.version>1.2.17</log4j.version>
<servlet-api.version>2.5.0</servlet-api.version>
<slf4j.log4j12.version>1.7.21</slf4j.log4j12.version>
<spring.version>5.0.9.RELEASE</spring.version>
<spring.security.version>5.0.7.RELEASE</spring.security.version>
<jackson-jaxrs.version>2.9.7</jackson-jaxrs.version>
<jackson-jaxrs.version>2.10.1</jackson-jaxrs.version>
<version.jaxb.core>2.3.0.1</version.jaxb.core>
<version.jaxb.impl>2.3.2</version.jaxb.impl>

<!-- Other properties -->
<base.dir>.</base.dir>
@@ -155,17 +155,16 @@
<version>${jackson-jaxrs.version}</version>
</dependency>

<!-- Spring Dependencies -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>${spring.version}</version>
<version>5.2.2.RELEASE</version>
</dependency>

<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>${spring.security.version}</version>
<version>5.2.1.RELEASE</version>
</dependency>

<!-- Logging Dependencies -->
@@ -197,16 +196,16 @@
</dependency>

<dependency>
<groupId>com.sun.xml.bind</groupId>
<artifactId>jaxb-core</artifactId>
<version>2.3.0</version>
</dependency>
<groupId>com.sun.xml.bind</groupId>
<artifactId>jaxb-impl</artifactId>
<version>${version.jaxb.impl}</version>
</dependency>

<dependency>
<groupId>com.sun.xml.bind</groupId>
<artifactId>jaxb-impl</artifactId>
<version>2.3.0</version>
</dependency>
<groupId>org.glassfish.jaxb</groupId>
<artifactId>jaxb-core</artifactId>
<version>${version.jaxb.core}</version>
</dependency>

</dependencies>

@@ -289,7 +288,6 @@
<server>local-tomcat</server>
<url>http://localhost:8080/manager/text</url>
<path>/${project.artifactId}-${project.version}</path>
<!-- <path>/enmasse-${version}</path>-->
<!-- Warning the tomcat manager creds here are for deploying into a demo environment only. -->
<username>tcmanager</username>
<password>m@nager123</password>
@@ -311,11 +309,21 @@
</configuration>
</plugin>

<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>5.2.4</version>
<configuration>
<failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
<suppressionFile>${project.basedir}/src/owasp/suppression.xml</suppressionFile>
</configuration>
</plugin>

<!-- War the app -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-war-plugin</artifactId>
<version>2.4</version>
<version>3.2.3</version>
<configuration>
<warName>${project.artifactId}-${project.version}</warName>
<archive>
@@ -357,7 +365,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.8.0</version>
<version>3.8.1</version>
<configuration>
<source>${java.version}</source>
<target>${java.version}</target>
@@ -369,7 +377,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
<version>3.0.0</version>
<version>3.2.0</version>
<executions>
<execution>
<id>attach-sources</id>
@@ -451,4 +459,26 @@
</repository>
</repositories>

</project>
<!-- OWASP Dependency Vulnerability Scanner Profile -->
<profiles>

<profile>
<id>owasp</id>
<build>
<plugins>
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</profile>
</profiles>
</project>
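Review bot: In the Spring dependencies hunk the two `<version>` values are now hard-coded (`5.2.2.RELEASE` for spring-core, `5.2.1.RELEASE` for spring-security-web), while the properties block in the first hunk still carries `<spring.version>5.0.9.RELEASE</spring.version>` and `<spring.security.version>5.0.7.RELEASE</spring.security.version>`. Anyone auditing versions from the properties block will read the old 5.0.x numbers, and any other reference to those properties outside the visible hunks would still resolve to them. I would bump the properties instead, `<spring.version>5.2.2.RELEASE</spring.version>` and `<spring.security.version>5.2.1.RELEASE</spring.security.version>`, and keep `<version>${spring.version}</version>` and `<version>${spring.security.version}</version>` in the dependencies, the same way the cxf and jackson upgrades are done in this commit.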
@@ -0,0 +1,37 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
-->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<!-- Suppress OWASP warnings about spring security, security method override, not applicable here. -->
<suppress>
<notes><![CDATA[
file name: spring-security-core-5.2.1.RELEASE.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-core@.*$</packageUrl>
<cve>CVE-2018-1258</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-security-web-5.2.1.RELEASE.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-web@.*$</packageUrl>
<cpe>cpe:/a:pivotal_software:spring_security</cpe>
</suppress>
</suppressions>
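Review bot: The second `<suppress>` entry silences every finding matched to `cpe:/a:pivotal_software:spring_security` for spring-security-web at any version (`@.*$`), so a later Spring Security CVE that does apply to that jar would not fail the build even with `failBuildOnAnyVulnerability` set in the pom. Suppress by identifier instead, as the first entry does with `<cve>CVE-2018-1258</cve>`, listing only the CVEs that were actually assessed as not applicable. The `<notes>` elements hold only a file name; the reason each finding does not apply belongs there, and an expiry such as `<suppress until="YYYY-MM-DDZ">` (placeholder date) would force the decision to be re-reviewed.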
