The above patch does not work Jacques, you are hard coding the path. This needs to be properly developed.
On Thu, Sep 8, 2016 at 9:23 AM, Jacques Le Roux < jacques.le.r...@les7arts.com> wrote: > OK wait! I think we skipped a step: access the jar from an accessible repo. > > I see 2 solutions: > > 1. Push ourselves the notsoserial jar in jcenter => updating a fork now > and then, though notsoserial will not need much changes now > 2. Use https://jitpack.io/ > > I prefer 2, though I have still to > > * resolve the notsoserial.jar path in my hasty proposition below > * use|master-SNAPSHOT| instead of last hash (to not break on changes) > which may need to refresh dependencies (did not investigate yet: > https://jitpack.io/docs/#snapshots) > > Index: build.gradle > =================================================================== > --- build.gradle (revision 1759557) > +++ build.gradle (working copy) > @@ -32,7 +32,7 @@ > > // java settings > def jvmArguments = ['-Xms128M', '-Xmx1024M', > - "-javaagent:${rootDir}/tools/security/notsoserial/notsoseria > l-1.0-SNAPSHOT.jar", > + "-javaagent:C:/Users/Jacques/.gradle/caches/modules-2/files- > 2.1/com.github.kantega/notsoserial/f2baaaa/3646e12f5ce4713f9 > ad2aa027e3fec81097fcd93/notsoserial-f2baaaa.jar", > "-Dnotsoserial.whitelist=${rootDir}/tools/security/notsoserial/empty.txt", > "-Dnotsoserial.dryrun=${rootDir}/tools/security/notsoserial/ > is-deserialized.txt", > "-Dnotsoserial.trace=${rootDir}/tools/security/notsoserial/ > deserialize-trace.txt"] > @@ -52,6 +52,7 @@ > allprojects { > repositories{ > jcenter() > + maven { url "https://jitpack.io" } > } > } > > @@ -119,6 +120,7 @@ > compile 'org.zapodot:jackson-databind-java-optional:2.4.2' > compile 'oro:oro:2.0.8' > compile 'wsdl4j:wsdl4j:1.6.2' > + compile 'com.github.kantega:notsoserial:f2baaaa' > > // general framework runtime libs > runtime 'de.odysseus.juel:juel-spi:2.2.7' > > I think you get the idea, it works w/o any other modifications, what to > you think? > > Jacques > > > > Le 07/09/2016 à 22:37, Jacques Le Roux a écrit : > >> OK, since we have no issues OOTB that can be done. >> >> But IMO documenting the whole thing in our nososerial readme.txt is not >> enough. We need to make that more prominent. Not sure how yet... >> >> Jacques >> >> >> Le 07/09/2016 à 20:09, Taher Alkhateeb a écrit : >> >>> Scratch that, actually only the -D arguments are ignored, we must remove >>> the -javaagent argument because it's not a classpath argument and would >>> crash the VM >>> >>> But for consistency's sake, let's remove them all for now. So simply we >>> apply: >>> >>> Index: build.gradle >>> =================================================================== >>> --- build.gradle (revision 1759596) >>> +++ build.gradle (working copy) >>> @@ -31,11 +31,7 @@ >>> ext.os = System.getProperty('os.name').toLowerCase() >>> >>> // java settings >>> -def jvmArguments = ['-Xms128M', '-Xmx1024M', >>> - >>> "-javaagent:${rootDir}/tools/security/notsoserial/notsoseria >>> l-1.0-SNAPSHOT.jar", >>> - >>> "-Dnotsoserial.whitelist=${rootDir}/tools/security/notsoseri >>> al/empty.txt", >>> - >>> "-Dnotsoserial.dryrun=${rootDir}/tools/security/notsoserial/ >>> is-deserialized.txt", >>> - >>> "-Dnotsoserial.trace=${rootDir}/tools/security/notsoserial/ >>> deserialize-trace.txt"] >>> +def jvmArguments = ['-Xms128M', '-Xmx1024M'] >>> ext.ofbizMainClass = 'org.apache.ofbiz.base.start.Start' >>> javadoc.failOnError = false >>> sourceCompatibility = '1.8' >>> >>> On Wed, Sep 7, 2016 at 9:04 PM, Jacques Le Roux < >>> jacques.le.r...@les7arts.com> wrote: >>> >>> OK Cool, if the JVM arguments are simply ignored, then I will proceed >>>> with >>>> an addition in the readme and remove the jar, simple >>>> >>>> Jacques >>>> >>>> >>>> >>>> Le 07/09/2016 à 17:16, Jacopo Cappellato a écrit : >>>> >>>> Thank you Jacques and Taher. >>>>> >>>>> So it seems we can move on and temporarily remove the jar. >>>>> >>>>> Jacopo >>>>> >>>>> >>>>> On Wed, Sep 7, 2016 at 5:11 PM, Taher Alkhateeb < >>>>> slidingfilame...@gmail.com> >>>>> wrote: >>>>> >>>>> Hi Jacques, >>>>> >>>>>> First of all the ofbizSecure task is gone instead everything calls the >>>>>> correct jvm arguments by default to fetch notsoserial. >>>>>> >>>>>> The work to remove notsoserial is almost nothing. You just to remove a >>>>>> few >>>>>> jvm args and that's it. Even if you don't remove the jvm args nothing >>>>>> happens because it will just ignore it as missing from the classpath. >>>>>> >>>>>> Taher Alkhateeb >>>>>> >>>>>> On Sep 7, 2016 5:48 PM, "Jacques Le Roux" < >>>>>> jacques.le.r...@les7arts.com> >>>>>> wrote: >>>>>> >>>>>> Huho, I was too fast on this. Currently the Gradle "ofbizSecure" tasks >>>>>> >>>>>>> depends on the notsoserial-1.0-SNAPSHOT.jar >>>>>>> >>>>>>> So this would need more work and w/o answers from them I suspect they >>>>>>> >>>>>>> will >>>>>> >>>>>> not publish the jar. >>>>>>> >>>>>>> Now it's a serious security but not OOTB. So I see 2 possibilities. >>>>>>> >>>>>>> 1. Ask the ASF for a derogation (after all it's a Java issue not an >>>>>>> OFBiz >>>>>>> one) >>>>>>> 2. Do what I said before AND change the Gradle "ofbizSecure" tasks >>>>>>> >>>>>>> Opinions? >>>>>>> >>>>>>> Jacques >>>>>>> >>>>>>> >>>>>>> Le 07/09/2016 à 14:01, Jacques Le Roux a écrit : >>>>>>> >>>>>>> Yes I see no problems with that. I just need to add directions for >>>>>>> users >>>>>>> >>>>>>>> before. I'll then remove the jars... very soon... >>>>>>>> >>>>>>>> Jacques >>>>>>>> >>>>>>>> >>>>>>>> Le 07/09/2016 à 13:09, Jacopo Cappellato a écrit : >>>>>>>> >>>>>>>> Jacques, any news from notsoserial? >>>>>>>> >>>>>>>>> If not, I think we can proceed by (temporarily) removing the jars >>>>>>>>> until >>>>>>>>> they will publish the jar. >>>>>>>>> >>>>>>>>> Regards, >>>>>>>>> >>>>>>>>> Jacopo >>>>>>>>> >>>>>>>>> On Sat, Aug 20, 2016 at 11:12 AM, Jacques Le Roux < >>>>>>>>> jacques.le.r...@les7arts.com> wrote: >>>>>>>>> >>>>>>>>> Yes that's what I proposed also, I will try that before the worse >>>>>>>>> >>>>>>>>> solution >>>>>>>>>> as Taher called them, would you help? >>>>>>>>>> >>>>>>>>>> Jacques >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Le 20/08/2016 à 08:32, Pierre Smits a écrit : >>>>>>>>>> >>>>>>>>>> Hi Jacques, >>>>>>>>>> >>>>>>>>>> Why not try to convince the people behind notsoserial to have them >>>>>>>>>>> >>>>>>>>>>> push >>>>>>>>>> >>>>>>>>> the >>>>>>> >>>>>>>> library to maven central and/or jpublish? In stead of this community >>>>>>>>>>> doing >>>>>>>>>>> the work? >>>>>>>>>>> >>>>>>>>>>> Best regards, >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Pierre Smits >>>>>>>>>>> >>>>>>>>>>> ORRTIZ.COM <http://www.orrtiz.com> >>>>>>>>>>> OFBiz based solutions & services >>>>>>>>>>> >>>>>>>>>>> OFBiz Extensions Marketplace >>>>>>>>>>> http://oem.ofbizci.net/oci-2/ >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >> >> >