From 5624863b086c374bc1fbf17b635867a5aad12634 Mon Sep 17 00:00:00 2001
From: kabicin
Date: Mon, 12 Jun 2023 14:59:11 -0400
Subject: [PATCH] Add the SKIP_SSO_FEATURE_INSTALL flag
---
README.md | 13 ++++++++-----
SECURITY.md | 15 ++++++++++++++-
releases/23.0.0.6/full/helpers/build/configure.sh | 4 +++-
.../kernel-slim/helpers/build/features.sh | 2 +-
releases/23.0.0.9/full/helpers/build/configure.sh | 4 +++-
.../kernel-slim/helpers/build/features.sh | 2 +-
releases/latest/beta/helpers/build/configure.sh | 4 +++-
releases/latest/full/helpers/build/configure.sh | 4 +++-
.../latest/kernel-slim/helpers/build/features.sh | 2 +-
9 files changed, 37 insertions(+), 13 deletions(-)
diff --git a/README.md b/README.md
index 5ebba5e2..b6f26900 100644
--- a/README.md
+++ b/README.md
@@ -78,16 +78,19 @@ Refer to [Repository and proxy modifications](https://openliberty.io/docs/ref/co ## Enterprise Functionality -This section describes the optional enterprise functionality that can be enabled via the Dockerfile during `build` time, by setting particular build-arguments (`ARG`) and calling `RUN configure.sh`. Each of these options trigger the inclusion of specific configuration via XML snippets (except for `VERBOSE`), described below: +This section describes the optional enterprise functionality that can be enabled via the Dockerfile during `build` time, by setting particular build-arguments (`ARG`) and calling `RUN configure.sh`. Each of these options trigger the inclusion/exclusion of specific configuration via XML snippets (except for `VERBOSE`), described below: -* `TLS` (`SSL` is deprecated) - * Description: Enable Transport Security in Liberty by adding the `transportSecurity-1.0` feature (includes support for SSL). - * XML Snippet Location: [keystore.xml](/releases/latest/kernel-slim/helpers/build/configuration_snippets/keystore.xml). * `HZ_SESSION_CACHE` * Description: Enable the persistence of HTTP sessions using JCache by adding the `sessionCache-1.0` feature. * XML Snippet Location: [hazelcast-sessioncache.xml](/releases/latest/kernel-slim/helpers/build/configuration_snippets/hazelcast-sessioncache.xml) +* `SKIP_SSO_FEATURE_INSTALL` + * Description: Disable the install of `appSecurity-2.0` and `socialLogin-1.0` when `SEC_SSO_PROVIDERS` is set. (see [SECURITY.md](/SECURITY.md) for usage.) + * XML Snippet Location: [sso-features.xml](/releases/latest/kernel-slim/helpers/build/configuration_snippets/sso-features.xml) +* `TLS` (`SSL` is deprecated) + * Description: Enable Transport Security in Liberty by adding the `transportSecurity-1.0` feature (includes support for SSL). + * XML Snippet Location: [keystore.xml](/releases/latest/kernel-slim/helpers/build/configuration_snippets/keystore.xml). 
* `VERBOSE` - * Description: When set to `true` it outputs the commands and results to stdout from `configure.sh`. Otherwise, default setting is `false` and `configure.sh` is silenced. + * Description: When set to `true` it outputs the commands and results to stdout from `features.sh` and `configure.sh`. Otherwise, default setting is `false` and `features.sh` and `configure.sh` are silenced. ### Deprecated Enterprise Functionality diff --git a/SECURITY.md b/SECURITY.md index 92260624..7a8add0a 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -38,7 +38,20 @@ The following variables configure container security for Single Sign-On using th * Providers usually require the use of HTTPS. Specify `ARG TLS=true` in your Dockerfile. - * Your Dockerfile must call `RUN configure.sh` for these to take effect. + * Your Dockerfile must call `RUN configure.sh` for these to take effect. + +#### The `` and `appSecurity-2.0` configured features include an incompatible combination of features. + + * When specifying the `SEC_SSO_PROVIDERS` ARG, you might get an incompatible set of features with `appSecurity-2.0` similar to the snippet below: + + ``` + CWWKF0044E: The persistence-3.1 and appSecurity-2.0 features cannot be loaded at the same time. + The persistence-3.1 feature of Jakarta EE 10 is incompatible with the appSecurity-2.0 feature of Java EE 6. + The persistence-3.1 and appSecurity-2.0 configured features include an incompatible combination of features. + Your configuration is not supported. Update the configuration to use features that support either the Jakarta EE or Java EE programming models, but not both. + ``` + + * To avoid this error, set `ARG SKIP_SSO_FEATURE_INSTALL=true` in your Dockerfile. ### Configuration needed at image build time or at container deploy time: diff --git a/releases/23.0.0.6/full/helpers/build/configure.sh b/releases/23.0.0.6/full/helpers/build/configure.sh index 895d2860..9526216c 100755 --- a/releases/23.0.0.6/full/helpers/build/configure.sh 
+++ b/releases/23.0.0.6/full/helpers/build/configure.sh @@ -86,7 +86,9 @@ function main() { fi if [[ -n "$SEC_SSO_PROVIDERS" ]]; then - cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + if [[ "$SKIP_SSO_FEATURE_INSTALL" != "true" ]]; then + cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + fi parseProviders $SEC_SSO_PROVIDERS fi diff --git a/releases/23.0.0.6/kernel-slim/helpers/build/features.sh b/releases/23.0.0.6/kernel-slim/helpers/build/features.sh index 17d43812..9496b110 100755 --- a/releases/23.0.0.6/kernel-slim/helpers/build/features.sh +++ b/releases/23.0.0.6/kernel-slim/helpers/build/features.sh @@ -20,7 +20,7 @@ if [ -n "$INFINISPAN_SERVICE_NAME" ] || [ "${HZ_SESSION_CACHE}" == "client" ] || fi # SSO -if [[ -n "$SEC_SSO_PROVIDERS" ]]; then +if [[ -n "$SEC_SSO_PROVIDERS" ]] && [[ "$SKIP_SSO_FEATURE_INSTALL" != "true" ]]; then cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS fi diff --git a/releases/23.0.0.9/full/helpers/build/configure.sh b/releases/23.0.0.9/full/helpers/build/configure.sh index 895d2860..9526216c 100755 --- a/releases/23.0.0.9/full/helpers/build/configure.sh +++ b/releases/23.0.0.9/full/helpers/build/configure.sh @@ -86,7 +86,9 @@ function main() { fi if [[ -n "$SEC_SSO_PROVIDERS" ]]; then - cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + if [[ "$SKIP_SSO_FEATURE_INSTALL" != "true" ]]; then + cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + fi parseProviders $SEC_SSO_PROVIDERS fi diff --git a/releases/23.0.0.9/kernel-slim/helpers/build/features.sh b/releases/23.0.0.9/kernel-slim/helpers/build/features.sh index 17d43812..9496b110 100755 --- a/releases/23.0.0.9/kernel-slim/helpers/build/features.sh +++ b/releases/23.0.0.9/kernel-slim/helpers/build/features.sh 
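Review bot: In `releases/23.0.0.6/full/helpers/build/configure.sh`, setting `SKIP_SSO_FEATURE_INSTALL=true` skips the copy of `sso-features.xml`, but `parseProviders $SEC_SSO_PROVIDERS` still runs, and nothing visible in the hunk checks that the image enables a compatible security/social-login feature some other way. If it does not, the generated provider configuration presumably has no feature behind it and the build gives no hint, so an image could ship without the SSO protection the builder expected. I would add an `else` branch that reports this on stderr, e.g. `else echo "SKIP_SSO_FEATURE_INSTALL=true: sso-features.xml not copied; the server configuration must enable compatible SSO features itself" >&2` (the README says `configure.sh` is silenced unless `VERBOSE=true`, so check that the message survives), and quote the re-indented copy as `cp "$SNIPPETS_SOURCE/sso-features.xml" "$SNIPPETS_TARGET_DEFAULTS"`. The same applies to the identical hunks in the `releases/23.0.0.9/full`, `releases/latest/beta` and `releases/latest/full` copies of `configure.sh`; `main()` starts and ends outside the hunk.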
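Review bot: The added test in the `# SSO` block of `releases/23.0.0.6/kernel-slim/helpers/build/features.sh` skips the snippet only for the exact lower-case string `true`, so `TRUE`, `True` or `1` silently keep the `appSecurity-2.0`/`socialLogin-1.0` install and the builder may hit the CWWKF0044E conflict again with no indication why. Either normalise the value or state the accepted spelling in the comment, e.g. `# SSO: copy the feature snippet unless SKIP_SSO_FEATURE_INSTALL is exactly "true"`. The two tests can also be one conditional with a defaulted expansion: `if [[ -n "$SEC_SSO_PROVIDERS" && "${SKIP_SSO_FEATURE_INSTALL:-false}" != "true" ]]; then`. The same line appears in the `releases/23.0.0.9/kernel-slim` and `releases/latest/kernel-slim` `features.sh` hunks, and the `configure.sh` hunks use the same literal comparison.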
@@ -20,7 +20,7 @@ if [ -n "$INFINISPAN_SERVICE_NAME" ] || [ "${HZ_SESSION_CACHE}" == "client" ] || fi # SSO -if [[ -n "$SEC_SSO_PROVIDERS" ]]; then +if [[ -n "$SEC_SSO_PROVIDERS" ]] && [[ "$SKIP_SSO_FEATURE_INSTALL" != "true" ]]; then cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS fi diff --git a/releases/latest/beta/helpers/build/configure.sh b/releases/latest/beta/helpers/build/configure.sh index 895d2860..9526216c 100755 --- a/releases/latest/beta/helpers/build/configure.sh +++ b/releases/latest/beta/helpers/build/configure.sh @@ -86,7 +86,9 @@ function main() { fi if [[ -n "$SEC_SSO_PROVIDERS" ]]; then - cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + if [[ "$SKIP_SSO_FEATURE_INSTALL" != "true" ]]; then + cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + fi parseProviders $SEC_SSO_PROVIDERS fi diff --git a/releases/latest/full/helpers/build/configure.sh b/releases/latest/full/helpers/build/configure.sh index 895d2860..9526216c 100755 --- a/releases/latest/full/helpers/build/configure.sh +++ b/releases/latest/full/helpers/build/configure.sh @@ -86,7 +86,9 @@ function main() { fi if [[ -n "$SEC_SSO_PROVIDERS" ]]; then - cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + if [[ "$SKIP_SSO_FEATURE_INSTALL" != "true" ]]; then + cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + fi parseProviders $SEC_SSO_PROVIDERS fi diff --git a/releases/latest/kernel-slim/helpers/build/features.sh b/releases/latest/kernel-slim/helpers/build/features.sh index 17d43812..9496b110 100755 --- a/releases/latest/kernel-slim/helpers/build/features.sh +++ b/releases/latest/kernel-slim/helpers/build/features.sh @@ -20,7 +20,7 @@ if [ -n "$INFINISPAN_SERVICE_NAME" ] || [ "${HZ_SESSION_CACHE}" == "client" ] || fi # SSO -if [[ -n "$SEC_SSO_PROVIDERS" ]]; then +if [[ -n "$SEC_SSO_PROVIDERS" ]] && [[ "$SKIP_SSO_FEATURE_INSTALL" != "true" ]]; then cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS fi