[GitHub] [tomee] cesarhernandezgt merged pull request #735: Added github workflow for tomee-7.0.x branch

2020-12-16 Thread GitBox


cesarhernandezgt merged pull request #735:
URL: https://github.com/apache/tomee/pull/735


   



This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




[GitHub] [tomee] cesarhernandezgt commented on pull request #735: Added github workflow for tomee-7.0.x branch

2020-12-16 Thread GitBox


cesarhernandezgt commented on pull request #735:
URL: https://github.com/apache/tomee/pull/735#issuecomment-747178759


   Jenkins CI for PR failed with `java.io.IOException: Unexpected Fingerprint 
type. Expected class hudson.model.Fingerprint or subclass but got class 
hudson.model.Fingerprint$RangeSet`.
   But GitHub Actions built successfully.







Re: CI job for tomee-7.0.x

2020-12-16 Thread Cesar Hernandez
Hi All,

I merged today the last test fix and now tomee-7.0.x is back to green (blue
in current apache jenkins job):
https://ci-builds.apache.org/job/Tomee/job/tomee-7.0.x/10/

In parallel I'm troubleshooting the current Jenkins Job we have for Pull
Requests [1] and also adding Github actions for tomee-7.0.x branch [2].
Github actions is a WIP as I'm applying the lessons learned in the
iteration performed over master branch.

[1] https://ci-builds.apache.org/job/Tomee/job/Pull%20Requests/20/
[2] https://github.com/apache/tomee/pull/735


On Tue, Dec 15, 2020 at 14:40, Cesar Hernandez ()
wrote:

> Thank you Richard and Jean-Louis for the work done.
>
> As promised, I created the ticket for DeployInWebAppsDirectoryTest issue:
> https://issues.apache.org/jira/browse/TOMEE-2942
>
> Also, a PR is available with the fix based on the nice patch Richard did
> previously with TOMEE-2930.
> https://github.com/apache/tomee/pull/727
>
> On Thu, Dec 10, 2020 at 6:39, Jean-Louis Monteiro (<
> jlmonte...@tomitribe.com>) wrote:
>
>> Reviewing and merging now.
>> Thanks for the reminder
>> --
>> Jean-Louis Monteiro
>> http://twitter.com/jlouismonteiro
>> http://www.tomitribe.com
>>
>>
>> On Thu, Dec 10, 2020 at 12:29 PM Zowalla, Richard <
>> richard.zowa...@hs-heilbronn.de> wrote:
>>
>> > Just a friendly reminder. The PRs for this are still pending:
>> >
>> > https://github.com/apache/tomee/pull/720
>> > https://github.com/apache/tomee/pull/722
>> >
>> >
>> > On Tuesday, 01.12.2020, 08:02 +, Zowalla, Richard wrote:
>> > > Hi,
>> > >
>> > > forgot to send an eMail to the list. The related PRs are available:
>> > >
>> > > https://github.com/apache/tomee/pull/720
>> > > https://github.com/apache/tomee/pull/722
>> > >
>> > > Best
>> > > Richard Z
>> > >
>> > >
>> > > On Friday, 27.11.2020, 13:09 +, Zowalla, Richard wrote:
>> > > > Will also check the third one :) - will create a related JIRA.
>> > > >
>> > > > Best,
>> > > > Richard
>> > > >
>> > > >
>> > > > On Friday, 27.11.2020, 08:24 +, Zowalla, Richard wrote:
>> > > > > Hi Cesar,
>> > > > >
>> > > > > i will give
>> > > > >
>> > > > > > The second failing test threw a: [Fatal Error] :8:23: Invalid
>> > > > > > byte 2 of
>> > > > > > 2-byte UTF-8 sequence. error.
>> > > > > >
>> >
>> https://ci-builds.apache.org/job/Tomee/job/tomee-7.0.x/org.superbiz$moviefun-functional-test/3/testReport/junit/org.superbiz.moviefun/MoviesArquillianHtmlUnitTest/org_superbiz_moviefun_MoviesArquillianHtmlUnitTest/
>> > > > >
>> > > > > a try and create a related JIRA.
>> > > > >
>> > > > > Best,
>> > > > > Richard
>> > > > >
>> > > > > On Thursday, 26.11.2020, 20:35 -0600, Cesar
>> > > > > Hernandez wrote:
>> > > > > > Hi All,
>> > > > > >
>> > > > > > Today I set up a CI job for tomee 7.0.x.
>> > > > > > I initially set up Java 7 but I got the "Unsupported
>> > > > > > major.minor version
>> > > > > > 52.0" error so the job currently uses Java 8 and maven 3.3.9.
>> > > > > > The current branch status is here
>> > > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-7.0.x/3/
>> > > > > >
>> > > > > >
>> > > > > > One of the failing tests is because one of the examples requires
>> > > > > > the usage
>> > > > > > of 7.0.8-SNAPSHOT:zip:plus.
>> > > > > >
>> >
>> https://github.com/apache/tomee/blob/tomee-7.0.x/examples/connector-ear/connector-sample-functional-tests/src/test/java/org/superbiz/moviefun/DeployInWebAppsDirectoryTest.java#L108
>> > > > > >
>> > > > > > I'll open a JIRA and a Patch for that test.
>> > > > > >
>> > > > > > The second failing test threw a: [Fatal Error] :8:23: Invalid
>> > > > > > byte 2 of
>> > > > > > 2-byte UTF-8 sequence. error.
>> > > > > >
>> >
>> https://ci-builds.apache.org/job/Tomee/job/tomee-7.0.x/org.superbiz$moviefun-functional-test/3/testReport/junit/org.superbiz.moviefun/MoviesArquillianHtmlUnitTest/org_superbiz_moviefun_MoviesArquillianHtmlUnitTest/
>> > > > > >
>> > > > > > If someone wants to take a swing on this, feel free to pick it
>> > > > > > up. Remember
>> > > > > > to create a JIRA and notify the mailing list to avoid
>> > > > > > duplication of work.
>> > > > > >
>> > > > > > The third failing test: javax.ws.rs.NotSupportedException: HTTP
>> > > > > > 415
>> > > > > > Unsupported Media Type
>> > > > > >
>> >
>> https://ci-builds.apache.org/job/Tomee/job/tomee-7.0.x/org.superbiz$tomee-webprofile-embedded/3/testReport/junit/org.superbiz.movie/MovieServiceTest/addMovie/
>> > > > > >
>> > > > > > If someone wants to take a swing on this, feel free to pick it
>> > > > > > up. Remember
>> > > > > > to create a JIRA and notify the mailing list to avoid
>> > > > > > duplication of work.
>> > > > > >
>> > --
>> > Richard Zowalla, M.Sc.
>> > Research Associate, PhD Student | Medical Informatics
>> >
>> > Hochschule Heilbronn – University of Applied Sciences
>> > Max-Planck-Str. 39
>> > D-74081 Heilbronn
>> > phone: +49 7131 504 6791
>> > mail: richard.zowa...@hs-heilbronn.de
>> > web: https://www.mi.hs

[GitHub] [tomee] cesarhernandezgt merged pull request #732: TOMEE-2942 fixed DeployInWebAppsDirectoryTest

2020-12-16 Thread GitBox


cesarhernandezgt merged pull request #732:
URL: https://github.com/apache/tomee/pull/732


   







Re: TOMEE-2943 Updating configuration for TomEE repository

2020-12-16 Thread Daniel Dias Dos Santos
Very good Cesar : )


On Wed, Dec 16, 2020 at 15:40, Cesar Hernandez
wrote:

> Hi All,
>
> I found that JIRA integration is currently broken even when the current
> TomEE repository configuration contains it:
> https://gitbox.apache.org/schemes.cgi?tomee
>
> After a follow-up from the INFRA team [1] it seems now repository
> configuration is done via the .asf.yaml file.
>
> I created TOMEE-2943 to describe the current status and what the project
> gets with the inclusion of the .asf.yaml file.
> https://issues.apache.org/jira/browse/TOMEE-2943
>
> A PR is now also available for review:
> https://github.com/apache/tomee/pull/734
>
>
> [1] https://issues.apache.org/jira/browse/INFRA-21176
>
> --
> Sincerely:
> César Hernández.
>


TOMEE-2943 Updating configuration for TomEE repository

2020-12-16 Thread Cesar Hernandez
Hi All,

I found that JIRA integration is currently broken even when the current
TomEE repository configuration contains it:
https://gitbox.apache.org/schemes.cgi?tomee

After a follow-up from the INFRA team [1] it seems now repository
configuration is done via the .asf.yaml file.

I created TOMEE-2943 to describe the current status and what the project
gets with the inclusion of the .asf.yaml file.
https://issues.apache.org/jira/browse/TOMEE-2943

A PR is now also available for review:
https://github.com/apache/tomee/pull/734


[1] https://issues.apache.org/jira/browse/INFRA-21176

-- 
Sincerely:
César Hernández.


[GitHub] [tomee] cesarhernandezgt closed pull request #733: TOMEE-2943 Added .asf.yaml

2020-12-16 Thread GitBox


cesarhernandezgt closed pull request #733:
URL: https://github.com/apache/tomee/pull/733


   







Re: [TCK] Servlet status

2020-12-16 Thread Jean-Louis Monteiro
In a meeting and about to get the kids for dinner. I'll answer later.

In regards to the debug, the deployment class does not run on the server.
Check out the runtest script. At the beginning, there are a couple of flags
you can use to debug the server, the javatest, the harness (ds, dj, dh ...).
It gives the ports you can connect to.
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Wed, Dec 16, 2020 at 6:04 PM Thiago Henrique Hupner 
wrote:

> Well, the AnnotationDeployer does in fact run on servlet classes, however
> it doesn't process the security
> annotations in the deploy method:
>
> https://github.com/apache/tomee/blob/master/container/openejb-core/src/main/java/org/apache/openejb/config/AnnotationDeployer.java#L1084
>
> I'll keep looking around.
>
> Thanks
>
> On Wed, Dec 16, 2020 at 13:48, Thiago Henrique Hupner <
> thi...@gmail.com> wrote:
>
> > Hi.
> >
> > I tried to debug the DeploymentImpl however I wasn't able. Do you know if
> > this class is only used by the
> > full TCK run or if it is used by single run?
> >
> > I'm running the TCK with:
> > ./runtests -sql skip -ds --web tomee-plume
> > com.sun.ts.tests.servlet.ee.spec.security.runAs
> > And attaching the debugger to port 5005.
> >
> > I also find something weird: looks like the AnnotationDeployer class is
> > not run on Servlet classes.
> > From what I can tell, only the EJBs are being scanned. The
> > com.sun.ts.tests.servlet.ee.spec.security.runAs.ServletTwo doesn't reach
> > there and the applications
> > doesn't know about the RunAs("Manager").
> >
> > About the DeploymentImpl probably I'll need to get more information to
> > understand how it works.
> > For now, I've applied a patch to the DeployerEjb:
> >
> > if (slash > 0) {
> >    String moduleId = name.substring(0, slash);
> >    // To remove ".war" from the module name
> >    moduleId = moduleId.substring(0, moduleId.length() - 4);
> >    name = name.substring(slash + 1);
> >    module = modules.get(moduleId);
> > }
> >
> > Probably I'll revisit it before sending some official patch.
> >
> > Thanks!
> >
> > On Wed, Dec 16, 2020 at 10:39, Jean-Louis Monteiro <
> > jlmonte...@tomitribe.com> wrote:
> >
> >> Hi Thiago,
> >>
> >> That is astonishing how deep you got in such a little amount of time.
> >> You have nothing to worry about or to be sorry about.
> >>
> >> We all truly appreciate the help.
> >>
> >> You are right on.
> >> Here are some pointers for debugging.
> >>
> >> Here is where we get notified by TCK stack about deployments and
> >> descriptors.
> >>
> >>
> https://github.com/apache/tomee-tck/blob/master/src/main/java/org/apache/openejb/cts/DeploymentImpl.java#L170
> >>
> >> L182, I added a hack the other day to support overriding the context
> from
> >> the sun descriptor.
> >> I acknowledge it was a hack but changing the DeployerEjb is a bit tricky
> >> and can break too many things
> >> A solution would be to fork it in TomEE TCK and clean it up so we can
> >> support all deployment descriptors for EAR, WAR packagings.
> >>
> >> We would use the TCK specific version to deploy and configure (finer).
> >>
> >> What do you think?
> >>
> >>
> >>
> >> --
> >> Jean-Louis Monteiro
> >> http://twitter.com/jlouismonteiro
> >> http://www.tomitribe.com
> >>
> >>
> >> On Wed, Dec 16, 2020 at 12:14 PM Thiago Henrique Hupner <
> thi...@gmail.com
> >> >
> >> wrote:
> >>
> >> > Hi all!
> >> >
> >> > I started taking a look to get a feeling of the whole process.
> >> > I guess I was able to configure the TCK because I'm able to use the
> >> > "runtests" script and debug in my IDE.
> >> >
> >> > So, as far as I could tell, there isn't any processing of security for
> >> any
> >> > sun-*.xml.
> >> >
> >> > Another thing that I noticed is that the
> >> > `webModule.getAltDDs().get("sun-web.xml");` is returning null. The
> >> process
> >> > of
> >> > including the in the "altDDs"
> >> (org.apache.openejb.assembler.DeployerEjb) is
> >> > trying to find the module
> >> > "servlet_ee_spec_security_runAs_second_module_web.war"
> >> > while the correct (I guess) is
> >> > "servlet_ee_spec_security_runAs_second_module_web" (because there's an
> >> entry
> >> > with this key).
> >> >
> >> > Sorry if I'm taking a lot of time to process all this information and
> >> thank
> >> > you for helping me.
> >> >
> >> > On Tue, Dec 15, 2020 at 12:41, Jonathan Gallimore <
> >> > jonathan.gallim...@gmail.com> wrote:
> >> >
> >> > > There's a similar issue for some of the JAX-RS tests as well which I
> >> had
> >> > > been meaning to tackle in the same way - if you have some joy with
> the
> >> > > Servlet tests, you'll likely fix the JAX-RS tests too.
> >> > >
> >> > > Thanks for looking at this Thiago - let us know how you're getting
> on!
> >> > >
> >> > > Jon
> >> > >
> >> > > On Tue, Dec 15, 2020 at 1:02 PM Jean-Louis Monteiro <
> >> > > jlmonte...@tomitribe.com> wrote:
> >> > >
> >> > > > Hi Thiago,
> >> > > >
> >> > > > No the TCK setup

Re: [TCK] Servlet status

2020-12-16 Thread Thiago Henrique Hupner
Well, the AnnotationDeployer does in fact run on servlet classes, however
it doesn't process the security
annotations in the deploy method:
https://github.com/apache/tomee/blob/master/container/openejb-core/src/main/java/org/apache/openejb/config/AnnotationDeployer.java#L1084

I'll keep looking around.

Thanks

On Wed, Dec 16, 2020 at 13:48, Thiago Henrique Hupner <
thi...@gmail.com> wrote:

> Hi.
>
> I tried to debug the DeploymentImpl however I wasn't able. Do you know if
> this class is only used by the
> full TCK run or if it is used by single run?
>
> I'm running the TCK with:
> ./runtests -sql skip -ds --web tomee-plume
> com.sun.ts.tests.servlet.ee.spec.security.runAs
> And attaching the debugger to port 5005.
>
> I also find something weird: looks like the AnnotationDeployer class is
> not run on Servlet classes.
> From what I can tell, only the EJBs are being scanned. The
> com.sun.ts.tests.servlet.ee.spec.security.runAs.ServletTwo doesn't reach
> there and the applications
> doesn't know about the RunAs("Manager").
>
> About the DeploymentImpl probably I'll need to get more information to
> understand how it works.
> For now, I've applied a patch to the DeployerEjb:
>
> if (slash > 0) {
>    String moduleId = name.substring(0, slash);
>    // To remove ".war" from the module name
>    moduleId = moduleId.substring(0, moduleId.length() - 4);
>    name = name.substring(slash + 1);
>    module = modules.get(moduleId);
> }
>
> Probably I'll revisit it before sending some official patch.
>
> Thanks!
>
> On Wed, Dec 16, 2020 at 10:39, Jean-Louis Monteiro <
> jlmonte...@tomitribe.com> wrote:
>
>> Hi Thiago,
>>
>> That is astonishing how deep you got in such a little amount of time.
>> You have nothing to worry about or to be sorry about.
>>
>> We all truly appreciate the help.
>>
>> You are right on.
>> Here are some pointers for debugging.
>>
>> Here is where we get notified by TCK stack about deployments and
>> descriptors.
>>
>> https://github.com/apache/tomee-tck/blob/master/src/main/java/org/apache/openejb/cts/DeploymentImpl.java#L170
>>
>> L182, I added a hack the other day to support overriding the context from
>> the sun descriptor.
>> I acknowledge it was a hack but changing the DeployerEjb is a bit tricky
>> and can break too many things
>> A solution would be to fork it in TomEE TCK and clean it up so we can
>> support all deployment descriptors for EAR, WAR packagings.
>>
>> We would use the TCK specific version to deploy and configure (finer).
>>
>> What do you think?
>>
>>
>>
>> --
>> Jean-Louis Monteiro
>> http://twitter.com/jlouismonteiro
>> http://www.tomitribe.com
>>
>>
>> On Wed, Dec 16, 2020 at 12:14 PM Thiago Henrique Hupner
>> wrote:
>>
>> > Hi all!
>> >
>> > I started taking a look to get a feeling of the whole process.
>> > I guess I was able to configure the TCK because I'm able to use the
>> > "runtests" script and debug in my IDE.
>> >
>> > So, as far as I could tell, there isn't any processing of security for
>> any
>> > sun-*.xml.
>> >
>> > Another thing that I noticed is that the
>> > `webModule.getAltDDs().get("sun-web.xml");` is returning null. The
>> process
>> > of
>> > including the in the "altDDs"
>> (org.apache.openejb.assembler.DeployerEjb) is
>> > trying to find the module
>> > "servlet_ee_spec_security_runAs_second_module_web.war"
>> > while the correct (I guess) is
>> > "servlet_ee_spec_security_runAs_second_module_web" (because there's an
>> entry
>> > with this key).
>> >
>> > Sorry if I'm taking a lot of time to process all this information and
>> thank
>> > you for helping me.
>> >
>> > On Tue, Dec 15, 2020 at 12:41, Jonathan Gallimore <
>> > jonathan.gallim...@gmail.com> wrote:
>> >
>> > > There's a similar issue for some of the JAX-RS tests as well which I
>> had
>> > > been meaning to tackle in the same way - if you have some joy with the
>> > > Servlet tests, you'll likely fix the JAX-RS tests too.
>> > >
>> > > Thanks for looking at this Thiago - let us know how you're getting on!
>> > >
>> > > Jon
>> > >
>> > > On Tue, Dec 15, 2020 at 1:02 PM Jean-Louis Monteiro <
>> > > jlmonte...@tomitribe.com> wrote:
>> > >
>> > > > Hi Thiago,
>> > > >
>> > > > No the TCK setup is unfortunately a bit more complex.
>> > > > You can have a look at the readme from this repo
>> > > > https://github.com/apache/tomee-tck
>> > > >
>> > > > What I would recommend is either create a unit test in openejb-core
>> to
>> > > > reproduce the issue.
>> > > > Or at least create an example (starting from
>> > > examples/alternate-descriptors
>> > > > is probably good).
>> > > >
>> > > > The TCK is very simple.
>> > > > This is where you can find it
>> > > >
>> > > >
>> > >
>> >
>> https://github.com/eclipse-ee4j/jakartaee-tck/tree/master/src/com/sun/ts/tests/servlet/ee/spec/security/runAs
>> > > >
>> > > > Basically ServletTwo is secured and called with a user j2ee with
>> > > > Administrator role.
>> > > > It has @RunAs("Manager"), so it can call the EJB

Re: [TCK] Servlet status

2020-12-16 Thread Thiago Henrique Hupner
Hi.

I tried to debug the DeploymentImpl however I wasn't able. Do you know if
this class is only used by the
full TCK run or if it is used by single run?

I'm running the TCK with:
./runtests -sql skip -ds --web tomee-plume
com.sun.ts.tests.servlet.ee.spec.security.runAs
And attaching the debugger to port 5005.

I also find something weird: looks like the AnnotationDeployer class is not
run on Servlet classes.
From what I can tell, only the EJBs are being scanned. The
com.sun.ts.tests.servlet.ee.spec.security.runAs.ServletTwo doesn't reach
there and the applications
doesn't know about the RunAs("Manager").

About the DeploymentImpl probably I'll need to get more information to
understand how it works.
For now, I've applied a patch to the DeployerEjb:

if (slash > 0) {
   String moduleId = name.substring(0, slash);
   // To remove ".war" from the module name
   moduleId = moduleId.substring(0, moduleId.length() - 4);
   name = name.substring(slash + 1);
   module = modules.get(moduleId);
}

Probably I'll revisit it before sending some official patch.

Thanks!

On Wed, Dec 16, 2020 at 10:39, Jean-Louis Monteiro <
jlmonte...@tomitribe.com> wrote:

> Hi Thiago,
>
> That is astonishing how deep you got in such a little amount of time.
> You have nothing to worry about or to be sorry about.
>
> We all truly appreciate the help.
>
> You are right on.
> Here are some pointers for debugging.
>
> Here is where we get notified by TCK stack about deployments and
> descriptors.
>
> https://github.com/apache/tomee-tck/blob/master/src/main/java/org/apache/openejb/cts/DeploymentImpl.java#L170
>
> L182, I added a hack the other day to support overriding the context from
> the sun descriptor.
> I acknowledge it was a hack but changing the DeployerEjb is a bit tricky
> and can break too many things
> A solution would be to fork it in TomEE TCK and clean it up so we can
> support all deployment descriptors for EAR, WAR packagings.
>
> We would use the TCK specific version to deploy and configure (finer).
>
> What do you think?
>
>
>
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Wed, Dec 16, 2020 at 12:14 PM Thiago Henrique Hupner 
> wrote:
>
> > Hi all!
> >
> > I started taking a look to get a feeling of the whole process.
> > I guess I was able to configure the TCK because I'm able to use the
> > "runtests" script and debug in my IDE.
> >
> > So, as far as I could tell, there isn't any processing of security for
> any
> > sun-*.xml.
> >
> > Another thing that I noticed is that the
> > `webModule.getAltDDs().get("sun-web.xml");` is returning null. The
> process
> > of
> > including the in the "altDDs" (org.apache.openejb.assembler.DeployerEjb)
> is
> > trying to find the module
> > "servlet_ee_spec_security_runAs_second_module_web.war"
> > while the correct (I guess) is
> > "servlet_ee_spec_security_runAs_second_module_web" (because there's an
> entry
> > with this key).
> >
> > Sorry if I'm taking a lot of time to process all this information and
> thank
> > you for helping me.
> >
> > On Tue, Dec 15, 2020 at 12:41, Jonathan Gallimore <
> > jonathan.gallim...@gmail.com> wrote:
> >
> > > There's a similar issue for some of the JAX-RS tests as well which I
> had
> > > been meaning to tackle in the same way - if you have some joy with the
> > > Servlet tests, you'll likely fix the JAX-RS tests too.
> > >
> > > Thanks for looking at this Thiago - let us know how you're getting on!
> > >
> > > Jon
> > >
> > > On Tue, Dec 15, 2020 at 1:02 PM Jean-Louis Monteiro <
> > > jlmonte...@tomitribe.com> wrote:
> > >
> > > > Hi Thiago,
> > > >
> > > > No the TCK setup is unfortunately a bit more complex.
> > > > You can have a look at the readme from this repo
> > > > https://github.com/apache/tomee-tck
> > > >
> > > > What I would recommend is either create a unit test in openejb-core
> to
> > > > reproduce the issue.
> > > > Or at least create an example (starting from
> > > examples/alternate-descriptors
> > > > is probably good).
> > > >
> > > > The TCK is very simple.
> > > > This is where you can find it
> > > >
> > > >
> > >
> >
> https://github.com/eclipse-ee4j/jakartaee-tck/tree/master/src/com/sun/ts/tests/servlet/ee/spec/security/runAs
> > > >
> > > > Basically ServletTwo is secured and called with a user j2ee with
> > > > Administrator role.
> > > > It has @RunAs("Manager"), so it can call the EJB with Manager
> > > > @RolesAllowed.
> > > >
> > > > The goal is to map j2ee with javajoe which has Manager role.
> > > > Check out the comments for the following method
> > > >
> > > >
> > >
> >
> https://github.com/eclipse-ee4j/jakartaee-tck/blob/master/src/com/sun/ts/tests/servlet/ee/spec/security/runAs/Client.java#L211
> > > >
> > > > If you want to go the junit simple test, have a look at
> > > >
> > > >
> > >
> >
> https://github.com/apache/tomee/tree/master/container/openejb-core/src/test/java/org/apache/openejb/config
> > > > You can find a couple of Sun...Test

[SECURITY] CVE-2020-13931 Apache TomEE - Incorrect config on JMS Resource Adapter can lead to JMX being enabled

2020-12-16 Thread Jonathan Gallimore
Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache TomEE 8.0.0-M1 - 8.0.3
Apache TomEE 7.1.0 - 7.1.3
Apache TomEE 7.0.0-M1 - 7.0.8
Apache TomEE 1.0.0 - 1.7.5

Description:
If Apache TomEE is configured to use the embedded ActiveMQ broker, and the
broker config is misconfigured, a JMX port is opened on TCP port 1099,
which does not include authentication. CVE-2020-11969 previously addressed
the creation of the JMX management interface, however the incomplete fix
did not cover this edge case.

Mitigation:
- Upgrade to TomEE 7.0.9 or later
- Upgrade to TomEE 7.1.4 or later
- Upgrade to TomEE 8.0.4 or later

Ensure the correct VM broker name is used consistently across the
resource adapter config.

Credit: Thanks to Frans Henskens for discovering and reporting this issue.
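
A check for the mitigation above, as an added example (not part of the advisory or of TomEE): for each `ActiveMQResourceAdapter` in a `tomee.xml` it compares the broker name implied by `BrokerXmlConfig` with the `vm://` name in `ServerUrl`, and it can probe the TCP port the advisory names. It assumes the inconsistency the advisory refers to is between those two properties and that properties are written as `Key = value` lines; the sample configurations are constructed.

```python
import re
import socket
from urllib.parse import parse_qs, urlsplit

# Constructed tomee.xml fragment: the embedded broker keeps ActiveMQ's default
# name ("localhost") while the client side connects to vm://orders.
MISMATCHED = """
<tomee>
  <Resource id="JmsResourceAdapter" type="ActiveMQResourceAdapter">
    BrokerXmlConfig = broker:(tcp://localhost:61616)?useJmx=false
    ServerUrl = vm://orders?waitForStart=20000
  </Resource>
  <Resource id="JmsConnectionFactory" type="javax.jms.ConnectionFactory">
    ResourceAdapter = JmsResourceAdapter
  </Resource>
</tomee>
"""
# Same fragment with the VM broker name used consistently.
CONSISTENT = MISMATCHED.replace("vm://orders", "vm://localhost")

# A regex is used instead of an XML parser so unescaped '&' in URLs is tolerated.
RESOURCE_RE = re.compile(r"<Resource\b([^>]*)>(.*?)</Resource>", re.S | re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
BROKER_URI_RE = re.compile(r"broker:\(.*?\)(?:/([^?]*))?(?:\?(.*))?$")


def resource_adapters(xml_text):
    """Yield (id, properties) for every ActiveMQResourceAdapter resource."""
    for attrs, body in RESOURCE_RE.findall(xml_text):
        attr = dict(ATTR_RE.findall(attrs))
        if attr.get("type") != "ActiveMQResourceAdapter":
            continue
        props = {}
        for line in body.splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip():
                props[key.strip()] = value.strip().replace("&amp;", "&")
        yield attr.get("id", "?"), props


def configured_broker_name(broker_xml_config):
    """Broker name implied by a 'broker:(...)/name?options' URI.

    Returns None for other forms (for example xbean:), where the name is
    defined in an external file. Assumption: a brokerName option in the query
    string also sets the name; otherwise ActiveMQ's default 'localhost' applies.
    """
    match = BROKER_URI_RE.match(broker_xml_config)
    if not match:
        return None
    path_name, query = match.group(1), match.group(2) or ""
    return path_name or parse_qs(query).get("brokerName", ["localhost"])[0]


def vm_broker_name(server_url):
    """Broker name a vm://name URL connects to, or None for other transports."""
    parts = urlsplit(server_url)
    return (parts.netloc or None) if parts.scheme == "vm" else None


def audit(xml_text):
    """Return (resource id, configured name, name used in ServerUrl) per mismatch."""
    findings = []
    for rid, props in resource_adapters(xml_text):
        expected = configured_broker_name(props.get("BrokerXmlConfig", ""))
        used = vm_broker_name(props.get("ServerUrl", ""))
        if expected and used and expected != used:
            findings.append((rid, expected, used))
    return findings


def jmx_port_open(host="127.0.0.1", port=1099, timeout=1.0):
    """True if something accepts TCP connections on the port the advisory names."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for label, text in (("mismatched", MISMATCHED), ("consistent", CONSISTENT)):
        for rid, expected, used in audit(text):
            print(f"{label}: {rid}: broker is '{expected}' but ServerUrl uses vm://{used}")
    print("TCP 1099 reachable on this host:", jmx_port_open())
```

Run it on the TomEE host against the real `conf/tomee.xml` contents; a reported mismatch or a reachable port 1099 on an affected version is a reason to apply the upgrade listed above.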


Re: [TCK] Servlet status

2020-12-16 Thread Jean-Louis Monteiro
Hi Thiago,

That is astonishing how deep you got in such a little amount of time.
You have nothing to worry about or to be sorry about.

We all truly appreciate the help.

You are right on.
Here are some pointers for debugging.

Here is where we get notified by TCK stack about deployments and
descriptors.
https://github.com/apache/tomee-tck/blob/master/src/main/java/org/apache/openejb/cts/DeploymentImpl.java#L170

L182, I added a hack the other day to support overriding the context from
the sun descriptor.
I acknowledge it was a hack but changing the DeployerEjb is a bit tricky
and can break too many things
A solution would be to fork it in TomEE TCK and clean it up so we can
support all deployment descriptors for EAR, WAR packagings.

We would use the TCK specific version to deploy and configure (finer).

What do you think?



--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Wed, Dec 16, 2020 at 12:14 PM Thiago Henrique Hupner 
wrote:

> Hi all!
>
> I started taking a look to get a feeling of the whole process.
> I guess I was able to configure the TCK because I'm able to use the
> "runtests" script and debug in my IDE.
>
> So, as far as I could tell, there isn't any processing of security for any
> sun-*.xml.
>
> Another thing that I noticed is that the
> `webModule.getAltDDs().get("sun-web.xml");` is returning null. The process
> of
> including the in the "altDDs" (org.apache.openejb.assembler.DeployerEjb) is
> trying to find the module
> "servlet_ee_spec_security_runAs_second_module_web.war"
> while the correct (I guess) is
> "servlet_ee_spec_security_runAs_second_module_web" (because there's an entry
> with this key).
>
> Sorry if I'm taking a lot of time to process all this information and thank
> you for helping me.
>
> On Tue, Dec 15, 2020 at 12:41, Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
>
> > There's a similar issue for some of the JAX-RS tests as well which I had
> > been meaning to tackle in the same way - if you have some joy with the
> > Servlet tests, you'll likely fix the JAX-RS tests too.
> >
> > Thanks for looking at this Thiago - let us know how you're getting on!
> >
> > Jon
> >
> > On Tue, Dec 15, 2020 at 1:02 PM Jean-Louis Monteiro <
> > jlmonte...@tomitribe.com> wrote:
> >
> > > Hi Thiago,
> > >
> > > No the TCK setup is unfortunately a bit more complex.
> > > You can have a look at the readme from this repo
> > > https://github.com/apache/tomee-tck
> > >
> > > What I would recommend is either create a unit test in openejb-core to
> > > reproduce the issue.
> > > Or at least create an example (starting from
> > examples/alternate-descriptors
> > > is probably good).
> > >
> > > The TCK is very simple.
> > > This is where you can find it
> > >
> > >
> >
> https://github.com/eclipse-ee4j/jakartaee-tck/tree/master/src/com/sun/ts/tests/servlet/ee/spec/security/runAs
> > >
> > > Basically ServletTwo is secured and called with a user j2ee with
> > > Administrator role.
> > > It has @RunAs("Manager"), so it can call the EJB with Manager
> > > @RolesAllowed.
> > >
> > > The goal is to map j2ee with javajoe which has Manager role.
> > > Check out the comments for the following method
> > >
> > >
> >
> https://github.com/eclipse-ee4j/jakartaee-tck/blob/master/src/com/sun/ts/tests/servlet/ee/spec/security/runAs/Client.java#L211
> > >
> > > If you want to go the junit simple test, have a look at
> > >
> > >
> >
> https://github.com/apache/tomee/tree/master/container/openejb-core/src/test/java/org/apache/openejb/config
> > > You can find a couple of Sun...Test files.
> > >
> > > The goal is pretty simple in essence.
> > > In here
> > >
> > >
> >
> https://github.com/apache/tomee/tree/master/container/openejb-jee/src/main/java/org/apache/openejb/jee
> > > You have all descriptors supported.
> > >
> > > Under sun package, you will find deployment descriptors JAXB tree, for
> > > instance to parse
> > >
> > >
> >
> https://github.com/eclipse-ee4j/jakartaee-tck/blob/master/src/com/sun/ts/tests/servlet/ee/spec/security/runAs/servlet_ee_spec_security_runAs_second_module_web.war.sun-web.xml
> > > The role mapping is here
> > >
> > >
> >
> https://github.com/apache/tomee/blob/master/container/openejb-jee/src/main/java/org/apache/openejb/jee/sun/Servlet.java
> > >
> > > You need to convert to the JAXB tree under oejb3.
> > > The role mapping is here
> > >
> > >
> >
> https://github.com/apache/tomee/blob/master/container/openejb-jee/src/main/java/org/apache/openejb/jee/oejb3/RoleMapping.java
> > >
> > > Small trick to solve, for glassfish the mapping is done from servlet
> name
> > > to principal.
> > > For OpenEJB/TomEE the mapping is done from role to principal
> > >
> > > Hope it helps
> > >
> > > --
> > > Jean-Louis Monteiro
> > > http://twitter.com/jlouismonteiro
> > > http://www.tomitribe.com
> > >
> > >
> > > On Tue, Dec 15, 2020 at 1:46 PM Thiago Henrique Hupner <
> thi...@gmail.com
> > >
> > > wrote:
> > >
> > > > I can have a look

Re: [TCK] Servlet status

2020-12-16 Thread Thiago Henrique Hupner
Hi all!

I started taking a look to get a feeling of the whole process.
I guess I was able to configure the TCK because I'm able to use the
"runtests" script and debug in my IDE.

So, as far as I could tell, there isn't any processing of security for any
sun-*.xml.

Another thing that I noticed is that the
`webModule.getAltDDs().get("sun-web.xml");` is returning null. The process
of
including the in the "altDDs" (org.apache.openejb.assembler.DeployerEjb) is
trying to find the module
"servlet_ee_spec_security_runAs_second_module_web.war"
while the correct (I guess) is
"servlet_ee_spec_security_runAs_second_module_web" (because there's an entry
with this key).

Sorry if I'm taking a lot of time to process all this information and thank
you for helping me.

On Tue, Dec 15, 2020 at 12:41, Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> There's a similar issue for some of the JAX-RS tests as well which I had
> been meaning to tackle in the same way - if you have some joy with the
> Servlet tests, you'll likely fix the JAX-RS tests too.
>
> Thanks for looking at this Thiago - let us know how you're getting on!
>
> Jon
>
> On Tue, Dec 15, 2020 at 1:02 PM Jean-Louis Monteiro <
> jlmonte...@tomitribe.com> wrote:
>
> > Hi Thiago,
> >
> > No the TCK setup is unfortunately a bit more complex.
> > You can have a look at the readme from this repo
> > https://github.com/apache/tomee-tck
> >
> > What I would recommend is either create a unit test in openejb-core to
> > reproduce the issue.
> > Or at least create an example (starting from
> examples/alternate-descriptors
> > is probably good).
> >
> > The TCK is very simple.
> > This is where you can find it
> >
> >
> https://github.com/eclipse-ee4j/jakartaee-tck/tree/master/src/com/sun/ts/tests/servlet/ee/spec/security/runAs
> >
> > Basically ServletTwo is secured and called with a user j2ee with
> > Administrator role.
> > It has @RunAs("Manager"), so it can call the EJB with Manager
> > @RolesAllowed.
> >
> > The goal is to map j2ee with javajoe which has Manager role.
> > Check out the comments for the following method
> >
> >
> https://github.com/eclipse-ee4j/jakartaee-tck/blob/master/src/com/sun/ts/tests/servlet/ee/spec/security/runAs/Client.java#L211
> >
> > If you want to go the junit simple test, have a look at
> >
> >
> https://github.com/apache/tomee/tree/master/container/openejb-core/src/test/java/org/apache/openejb/config
> > You can find a couple of Sun...Test files.
> >
> > The goal is pretty simple in essence.
> > In here
> >
> >
> https://github.com/apache/tomee/tree/master/container/openejb-jee/src/main/java/org/apache/openejb/jee
> > You have all descriptors supported.
> >
> > Under sun package, you will find deployment descriptors JAXB tree, for
> > instance to parse
> >
> >
> https://github.com/eclipse-ee4j/jakartaee-tck/blob/master/src/com/sun/ts/tests/servlet/ee/spec/security/runAs/servlet_ee_spec_security_runAs_second_module_web.war.sun-web.xml
> > The role mapping is here
> >
> >
> https://github.com/apache/tomee/blob/master/container/openejb-jee/src/main/java/org/apache/openejb/jee/sun/Servlet.java
> >
> > You need to convert to the JAXB tree under oejb3.
> > The role mapping is here
> >
> >
> https://github.com/apache/tomee/blob/master/container/openejb-jee/src/main/java/org/apache/openejb/jee/oejb3/RoleMapping.java
> >
> > Small trick to solve, for glassfish the mapping is done from servlet name
> > to principal.
> > For OpenEJB/TomEE the mapping is done from role to principal
> >
> > Hope it helps
> >
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> >
> > On Tue, Dec 15, 2020 at 1:46 PM Thiago Henrique Hupner
> > wrote:
> >
> > > I can have a look at the RunAs tests.
> > >
> > > I just want to know, if I make a change in the TomEE, using `mvn clean
> > > install` would be enough to the tomee-tck use the new jars or
> > > do I need to setup anything else?
> > >
> > > Thanks
> > >
> > > On Tue, Dec 15, 2020 at 08:16, Jean-Louis Monteiro <
> > > jlmonte...@tomitribe.com> wrote:
> > >
> > > > Hi community,
> > > >
> > > > I was working on the Servlet, I have been able to bring it down to
> > > >
> > > >
> > >
> >
> https://tck.work/tomee/tests?build=1607984842299&path=com.sun.ts.tests.servlet
> > > >
> > > > 22 remaining failures.
> > > >
> > > > Based on Tomcat's following page
> > > > https://cwiki.apache.org/confluence/display/TOMCAT/Servlet+TCK+4.0
> > > >
> > > > I added some excludes for tests which were fix because of known bugs
> > > > See
> > > >
> > > >
> > >
> >
> https://github.com/apache/tomee-tck/blob/master/src/test/resources/ts.jtx#L24
> > > >
> > > > On the 22, we still have some pending tests as explained in the
> Tomcat
> > > > wiki.
> > > > I haven't excluded them because they aren't flagged as bugs on the
> TCK,
> > > so
> > > > until the challenge is accepted and fixed, we should leave them in my
> > > > opinion.
> > > >
> > > > I'm try