From 13ae834818f61d137bf1bf5e3d089e2fc361787e Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Wed, 27 Nov 2024 09:49:13 -0800 Subject: [PATCH 1/3] Slim down embedded dependencies --- server/bootstrap/build.gradle | 18 ++++++--------- server/embedded/build.gradle | 22 ++++++------------- .../src/org/labkey/embedded/LabKeyServer.java | 2 -- .../embedded/LabKeySpringBootClassLoader.java | 5 +++-- 4 files changed, 17 insertions(+), 30 deletions(-) diff --git a/server/bootstrap/build.gradle b/server/bootstrap/build.gradle index 7f7c8a101e..c5fcb3e8e3 100644 --- a/server/bootstrap/build.gradle +++ b/server/bootstrap/build.gradle @@ -15,14 +15,13 @@ sourceSets { } dependencies - { - def tomcatVersion = project.apacheTomcatVersion - - implementation "org.apache.tomcat:tomcat-api:${tomcatVersion}" - implementation "org.apache.tomcat:tomcat-catalina:${tomcatVersion}" - implementation "org.apache.tomcat:tomcat-juli:${tomcatVersion}" - implementation "org.apache.tomcat:tomcat-util:${tomcatVersion}" +{ + implementation('org.apache.tomcat.embed:tomcat-embed-core') { + version { + strictly "${apacheTomcatVersion}" } + } +} def JAR_BASE_NAME = "labkeyBootstrap" project.jar { @@ -65,9 +64,6 @@ project.afterEvaluate { publications('libs') } } - } } -} - - +} \ No newline at end of file diff --git a/server/embedded/build.gradle b/server/embedded/build.gradle index adf4e3d143..3c66f3d6cf 100644 --- a/server/embedded/build.gradle +++ b/server/embedded/build.gradle 
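Review bot: The strict pin on `org.apache.tomcat.embed:tomcat-embed-core` is now declared only here in bootstrap, while the `@@ -50,11 +50,6 @@` hunk of server/embedded/build.gradle deletes the embedded project's own declaration. That hunk keeps the comment saying the block exists to force a Tomcat version "to address CVEs or regressions". Because the pin is an `implementation` dependency of bootstrap, it presumably reaches embedded only through the runtime classpath of its bootstrap dependency, so embedded's compile classpath may resolve tomcat-embed-core at Spring Boot's managed version instead. Confirm both classpaths with `dependencyInsight --dependency tomcat-embed-core`. Then add a comment in the embedded build such as `// tomcat-embed-core is pinned strictly in the bootstrap project's build.gradle`, so a later CVE-driven bump is made in the right place.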
@@ -31,15 +31,15 @@ configurations { } configurations.configureEach { -// exclude group: 'org.springframework.boot', module: 'spring-boot-starter-logging' exclude group: 'ch.qos.logback', module: 'logback-classic' exclude group: 'org.apache.logging.log4j', module: 'log4j-to-slf4j' } dependencies { - implementation "org.springframework.boot:spring-boot-starter-web:${springBootVersion}" - implementation "org.springframework.boot:spring-boot-starter-actuator:${springBootVersion}" - implementation "org.springframework.boot:spring-boot-starter-validation:${springBootVersion}" + implementation("org.springframework.boot:spring-boot-starter-web:${springBootVersion}") { + exclude group: "org.springframework.boot", module: "spring-boot-starter-json" // Not used (?) and pulls in an old version of Jackson + exclude group: "jakarta.annotation", module: "jakarta.annotation-api" // Already present in tomcat-annotations-api + } // Allows forcing a Spring Framework version that differs from spring-boot's version (e.g., to address CVEs) implementation('org.springframework:spring-web') { @@ -50,11 +50,6 @@ dependencies { // Allows forcing a Tomcat version that differs from spring-boot's version (e.g., to address CVEs or regressions, // or to test a Tomcat release candidate) - implementation('org.apache.tomcat.embed:tomcat-embed-core') { - version { - strictly "${apacheTomcatVersion}" - } - } implementation('org.apache.tomcat.embed:tomcat-embed-el') { version { strictly "${apacheTomcatVersion}" 
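Review bot: The comment on the `spring-boot-starter-json` exclusion leaves its own question open (`Not used (?)`), and that should be settled before the exclusion ships. To my knowledge that starter is what brings Jackson into `spring-boot-starter-web`, so any JSON response produced by the embedded application itself would fail only at runtime. The same hunk drops `spring-boot-starter-actuator` and `spring-boot-starter-validation`. Any `management.*` settings or bean-validation annotations on configuration properties would then stop having an effect without raising an error. The series handles `@NotNull` on `encryptionKey`, but other uses are not visible here. Once confirmed, state it as fact, e.g. `// Embedded server produces no JSON itself; excluded so an old Jackson is not pulled in`.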
@@ -70,14 +65,11 @@ dependencies { strictly "${apacheTomcatVersion}" } } - implementation('org.apache.tomcat:tomcat-jsp-api') { - version { - strictly "${apacheTomcatVersion}" - } - } runtimeOnly "org.apache.tomcat.embed:tomcat-embed-jasper:${apacheTomcatVersion}" - runtimeOnly group: "org.apache.tomcat", name: "tomcat-dbcp", version: "${apacheTomcatVersion}" + runtimeOnly("org.apache.tomcat:tomcat-dbcp:${apacheTomcatVersion}") { + exclude group: "org.apache.tomcat", module: "tomcat-juli" + } runtimeOnly "org.apache.logging.log4j:log4j-slf4j2-impl:${log4j2Version}" implementation "commons-io:commons-io:${commonsIoVersion}" implementation "org.apache.logging.log4j:log4j-core:${log4j2Version}" diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java index 060c020437..42ada5fce5 100644 --- a/server/embedded/src/org/labkey/embedded/LabKeyServer.java +++ b/server/embedded/src/org/labkey/embedded/LabKeyServer.java @@ -1,6 +1,5 @@ package org.labkey.embedded; -import jakarta.validation.constraints.NotNull; import org.apache.catalina.connector.Connector; import org.labkey.bootstrap.PipelineBootstrapConfig; import org.springframework.boot.Banner; @@ -405,7 +404,6 @@ public static class ContextProperties private String webAppLocation; private String workDirLocation; - @NotNull (message = "Must provide encryptionKey") private String encryptionKey; private String oldEncryptionKey; private String legacyContextPath; diff --git a/server/embedded/src/org/labkey/embedded/LabKeySpringBootClassLoader.java b/server/embedded/src/org/labkey/embedded/LabKeySpringBootClassLoader.java index 3a8301817d..4f03b0d404 100644 --- a/server/embedded/src/org/labkey/embedded/LabKeySpringBootClassLoader.java +++ b/server/embedded/src/org/labkey/embedded/LabKeySpringBootClassLoader.java 
@@ -1,6 +1,7 @@ package org.labkey.embedded; -import org.jboss.logging.Logger; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.labkey.bootstrap.LabKeyBootstrapClassLoader; import java.io.IOException; @@ -19,7 +20,7 @@ */ public class LabKeySpringBootClassLoader extends LabKeyBootstrapClassLoader { - private static final Logger LOG = Logger.getLogger(LabKeySpringBootClassLoader.class); + private static final Logger LOG = LogManager.getLogger(LabKeySpringBootClassLoader.class); public LabKeySpringBootClassLoader() { From fab98e3bc0d7bc1f4b86ae15e15783750dd5dbaf Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Wed, 27 Nov 2024 14:54:14 -0800 Subject: [PATCH 2/3] Throw if encryption key is not provided --- server/embedded/src/org/labkey/embedded/LabKeyServer.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java index 42ada5fce5..db6f1c07e2 100644 --- a/server/embedded/src/org/labkey/embedded/LabKeyServer.java +++ b/server/embedded/src/org/labkey/embedded/LabKeyServer.java @@ -497,6 +497,8 @@ public void setWorkDirLocation(String workDirLocation) public String getEncryptionKey() { + if (null == encryptionKey) + throw new RuntimeException("Must provide encryptionKey"); return encryptionKey; } From f66baed4f37dfb8b1f9a92bcb5fa20e81ef974bf Mon Sep 17 00:00:00 2001 From: Adam Rauch Date: Fri, 29 Nov 2024 12:19:25 -0800 Subject: [PATCH 3/3] Explicitly declare and force Jakarta Activation API version implemented by Angus Activation --- build.gradle | 2 ++ gradle.properties | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/build.gradle b/build.gradle index f22c96926d..0ae95b26ad 100644 --- a/build.gradle +++ b/build.gradle 
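Review bot: The null check added to `getEncryptionKey()` in patch 2/3 runs only when the getter is called, so a missing key is reported at first use rather than when the properties are bound, as the `@NotNull` removed in patch 1/3 did. Whether that still happens during startup depends on callers outside this hunk. The check also accepts an empty or blank value, which is as unusable for a key as null (the removed annotation had the same gap). Consider `if (encryptionKey == null || encryptionKey.isBlank())` with `throw new IllegalStateException("Must provide encryptionKey");`, which names the condition more precisely than a bare `RuntimeException`. A getter that throws will also trip anything that introspects the bean, so a short comment explaining why the validation lives in the getter would help the next reader.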
@@ -224,6 +224,8 @@ allprojects { force "com.google.guava:guava:${guavaVersion}" // force version for SequenceAnalysis, TargetedMS force "com.google.protobuf:protobuf-java:${googleProtocolBufVersion}" + // force Jakarta Activation API version used by our Angus Activation implementation + force "jakarta.activation:jakarta.activation-api:${jakartaActivationApiVersion}" // force version for accounts, api, query force "javax.validation:validation-api:${validationApiVersion}" // force version for accounts, docker, api, workflow diff --git a/gradle.properties b/gradle.properties index 76c44148dc..a92043d775 100644 --- a/gradle.properties +++ b/gradle.properties @@ -88,6 +88,7 @@ npmWorkDirectory=.node # gradle.properties file to declare these version numbers. Naming # convention is Version camel-cased, i.e. "jacksonVersion". +# The implementation of Jakarta Activation API that we use. Keep in sync with jakartaActivationApiVersion (below). angusActivationVersion=2.0.2 angusMailVersion=2.0.3 @@ -197,6 +198,9 @@ jacksonAnnotationsVersion=2.18.0 jacksonDatabindVersion=2.18.0 jacksonJaxrsBaseVersion=2.18.0 +# The Jakarta Activation API version that Angus Activation implements. Keep in sync with angusActivationVersion (above). +jakartaActivationApiVersion=2.1.3 + jamaVersion=1.0.3 javassistVersion=3.20.0-GA