diff --git a/container_files/httpd/conf/midpoint.conf b/container_files/httpd/conf/midpoint.conf
index 2d63bda..656489c 100644
--- a/container_files/httpd/conf/midpoint.conf
+++ b/container_files/httpd/conf/midpoint.conf
@@ -3,4 +3,4 @@ Timeout 2400
 ProxyTimeout 2400
 ProxyBadHeader Ignore
 
-ProxyPass /midpoint ajp://localhost:9090/midpoint  timeout=2400 retry=0
+ProxyPass /midpoint ajp://localhost:9090/midpoint secret=s3cr3t timeout=2400 retry=0
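Review bot: The AJP shared secret on the new `ProxyPass` line is the literal `s3cr3t`, committed to the repository. The same literal is added in `midpoint.conf.auth.internal`, `midpoint.conf.auth.shibboleth` and as `-Dserver.tomcat.ajp.secret` in `start-midpoint.sh`. Every container built from these files therefore shares one publicly known value, so the secret adds no protection if port 9090 ever becomes reachable beyond the container's loopback interface. Consider taking the value from the container environment on both sides, for example `ProxyPass /midpoint ajp://localhost:9090/midpoint secret=${AJP_SECRET} timeout=2400 retry=0` here (httpd expands `${VAR}` from its environment; `AJP_SECRET` is a suggested name, not one the project defines). The start script should then refuse to launch when the variable is unset.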
diff --git a/container_files/httpd/conf/midpoint.conf.auth.internal b/container_files/httpd/conf/midpoint.conf.auth.internal
index 2d63bda..57a9992 100644
--- a/container_files/httpd/conf/midpoint.conf.auth.internal
+++ b/container_files/httpd/conf/midpoint.conf.auth.internal
@@ -3,4 +3,4 @@ Timeout 2400
 ProxyTimeout 2400
 ProxyBadHeader Ignore
 
-ProxyPass /midpoint ajp://localhost:9090/midpoint  timeout=2400 retry=0
+ProxyPass /midpoint ajp://localhost:9090/midpoint  secret=s3cr3t timeout=2400 retry=0
diff --git a/container_files/httpd/conf/midpoint.conf.auth.shibboleth b/container_files/httpd/conf/midpoint.conf.auth.shibboleth
index ca38a30..e8fcc24 100644
--- a/container_files/httpd/conf/midpoint.conf.auth.shibboleth
+++ b/container_files/httpd/conf/midpoint.conf.auth.shibboleth
@@ -3,7 +3,7 @@ Timeout 2400
 ProxyTimeout 2400
 ProxyBadHeader Ignore
 
-ProxyPass /midpoint ajp://localhost:9090/midpoint  timeout=2400 retry=0
+ProxyPass /midpoint ajp://localhost:9090/midpoint secret=s3cr3t timeout=2400 retry=0
 
 <Location /midpoint>
   AuthType shibboleth
diff --git a/container_files/usr-local-bin/start-midpoint.sh b/container_files/usr-local-bin/start-midpoint.sh
index e729fec..4b19fb3 100755
--- a/container_files/usr-local-bin/start-midpoint.sh
+++ b/container_files/usr-local-bin/start-midpoint.sh
@@ -52,6 +52,7 @@ java -Xmx$MP_MEM_MAX -Xms$MP_MEM_INIT -Dfile.encoding=UTF8 \
        -Dspring.profiles.active="`$MP_DIR/active-spring-profiles`" \
        -Dserver.tomcat.ajp.enabled=$AJP_ENABLED \
        -Dserver.tomcat.ajp.port=$AJP_PORT \
+       -Dserver.tomcat.ajp.secret=s3cr3t \
        -Dlogging.path=/tmp/logtomcat \
        $MP_JAVA_OPTS \
        -jar $MP_DIR/lib/midpoint.war &>/tmp/logmidpoint-console
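Review bot: Passing the AJP secret as a `-D` argument puts it on the JVM's command line, where anything else running in the container can read it from the process listing. That stays true even if the literal is replaced by a variable. The neighbouring options already come from the environment (`$AJP_ENABLED`, `$AJP_PORT`), so the secret could be supplied the same way but outside argv, for instance through an environment variable or a property file read at startup. Whether midPoint resolves `server.tomcat.ajp.secret` from those sources should be confirmed. The `java` command starts above this hunk.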
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml b/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml
index 4b39fd3..77aa0f3 100644
--- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml
+++ b/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/securityPolicy/000-security-policy.xml
@@ -70,7 +70,7 @@
                 Default GUI authentication sequence.
             </description>
             <channel>
-                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
                 <default>true</default>
                 <urlSuffix>gui-default</urlSuffix>
             </channel>
@@ -86,7 +86,7 @@
                 Special GUI authentication sequence that is using just the internal user password.
             </description>
             <channel>
-                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#user</channelId>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channelId>
                 <default>false</default>
                 <urlSuffix>emergency</urlSuffix>
             </channel>
@@ -104,7 +104,7 @@
                 Authentication sequence for REST service.
             </description>
             <channel>
-                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#rest</channelId>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</channelId>
                 <default>true</default>
                 <urlSuffix>rest-default</urlSuffix>
             </channel>
@@ -120,7 +120,7 @@
                 Authentication sequence for actuator.
             </description>
             <channel>
-                <channelId>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#actuator</channelId>
+                <channelId>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#actuator</channelId>
                 <default>true</default>
                 <urlSuffix>actuator-default</urlSuffix>
             </channel>
diff --git a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml b/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml
index 7355929..cfe767f 100644
--- a/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml
+++ b/demo/grouper/midpoint_server/container_files/mp-home/post-initial-objects/systemConfigurations/010-system-configuration.xml
@@ -1,51 +1,81 @@
+<?xml version="1.0" encoding="UTF-8"?>
 <!--
-  ~ Copyright (c) 2019 Evolveum and contributors
+  ~ Copyright (c) 2010-2019 Evolveum and contributors
   ~
   ~ This work is dual-licensed under the Apache License 2.0
   ~ and European Union Public License. See LICENSE file for details.
   -->
-
-<systemConfiguration xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="00000000-0000-0000-0000-000000000001" version="2">
+<systemConfiguration oid="00000000-0000-0000-0000-000000000001" version="0"
+                     xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+                     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
+                     xmlns:mext="http://midpoint.evolveum.com/xml/ns/public/model/extension-3"
+                     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
+                     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
+                     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
+                     xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
+                     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
+                     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
+                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <name>SystemConfiguration</name>
-    <globalSecurityPolicyRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="00000000-0000-0000-0000-000000000120" relation="org:default" type="tns:SecurityPolicyType"/>
+    <!--         <globalAccountSynchronizationSettings> -->
+    <!--         <assignmentPolicyEnforcement>relative</assignmentPolicyEnforcement> -->
+    <!--         </globalAccountSynchronizationSettings> -->
+    <globalSecurityPolicyRef oid="00000000-0000-0000-0000-000000000120"/>
     <logging>
-        <classLogger id="1">
+        <classLogger>
             <level>ERROR</level>
             <package>ro.isdc.wro.extensions.processor.css.Less4jProcessor</package>
         </classLogger>
-        <classLogger id="2">
+        <classLogger>
+            <!-- disabled because of MID-744, helper insert messages on ERROR
+            level which should not be there (probably should be on TRACE) -->
             <level>OFF</level>
             <package>org.hibernate.engine.jdbc.spi.SqlExceptionHelper</package>
         </classLogger>
-        <classLogger id="3">
+        <!-- Disabled because we treat locking-related exceptions in the repository.
+             Otherwise the log is filled-in with (innocent but ugly-looking) messages like
+             "ERROR (o.h.engine.jdbc.batch.internal.BatchingBatch): HHH000315: Exception executing batch [Deadlock detected.
+             The current transaction was rolled back." -->
+        <classLogger>
             <level>OFF</level>
             <package>org.hibernate.engine.jdbc.batch.internal.BatchingBatch</package>
         </classLogger>
-        <classLogger id="4">
+        <!-- Disabled because of the same reason; this time concerning messages like
+             "INFO (org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl):
+             HHH000010: On release of batch it still contained JDBC statements" -->
+        <classLogger>
             <level>WARN</level>
             <package>org.hibernate.engine.jdbc.batch.internal.AbstractBatchImpl</package>
         </classLogger>
-        <classLogger id="5">
+        <!-- Diesabled because of MID-4636 -->
+        <classLogger>
             <level>OFF</level>
             <package>org.hibernate.internal.ExceptionMapperStandardImpl</package>
         </classLogger>
-        <classLogger id="6">
+        <classLogger>
+            <!-- disabled because of MID-1612, jasper library needs to be fixed -->
             <level>OFF</level>
             <package>net.sf.jasperreports.engine.fill.JRFillDataset</package>
         </classLogger>
-        <classLogger id="7">
+        <classLogger>
+            <!-- disabled because we don't need to see every property file
+            loading message (unnecessary log pollution) -->
             <level>WARN</level>
             <package>org.apache.wicket.resource.PropertiesFactory</package>
         </classLogger>
-        <classLogger id="8">
+        <classLogger>
+            <!-- disabled because we don't need to see every log message for every key
+            when resource bundle doesn't exist for specific locale (unnecessary log pollution) -->
             <level>ERROR</level>
             <package>org.springframework.context.support.ResourceBundleMessageSource</package>
         </classLogger>
-        <classLogger id="9">
+        <classLogger>
+            <!-- Standard useful logger -->
             <level>INFO</level>
             <package>com.evolveum.midpoint.model.impl.lens.projector.Projector</package>
         </classLogger>
-        <classLogger id="10">
+        <classLogger>
+            <!-- Standard useful logger -->
             <level>INFO</level>
             <package>com.evolveum.midpoint.model.impl.lens.Clockwork</package>
         </classLogger>
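Review bot: The added comment `<!-- Diesabled because of MID-4636 -->` has a typo and should read `<!-- Disabled because of MID-4636 -->`. The new explanatory comments are also placed inconsistently, some inside the `<classLogger>` element and some before it. Picking one position would make the logger list easier to scan.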
@@ -53,18 +83,20 @@
             <level>DEBUG</level>
             <package>com.evolveum.polygon.connector.grouper</package>
         </classLogger>
-        <appender id="11" xsi:type="c:FileAppenderConfigurationType">
+
+        <appender xsi:type="c:FileAppenderConfigurationType" name="MIDPOINT_LOG"
+                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <pattern>%date [%X{subsystem}] [%thread] %level \(%logger\): %msg%n</pattern>
-            <name>MIDPOINT_LOG</name>
             <fileName>${midpoint.home}/log/midpoint.log</fileName>
             <filePattern>${midpoint.home}/log/midpoint-%d{yyyy-MM-dd}.%i.log</filePattern>
             <maxHistory>10</maxHistory>
             <maxFileSize>100MB</maxFileSize>
             <append>true</append>
         </appender>
-        <appender id="12" xsi:type="c:FileAppenderConfigurationType">
+        <!-- Appender for profiling purposes -->
+        <appender xsi:type="c:FileAppenderConfigurationType" name="MIDPOINT_PROFILE_LOG"
+                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
             <pattern>%date %level: %msg%n</pattern>
-            <name>MIDPOINT_PROFILE_LOG</name>
             <fileName>${midpoint.home}/log/midpoint-profile.log</fileName>
             <filePattern>${midpoint.home}/log/midpoint-profile-%d{yyyy-MM-dd}.%i.log</filePattern>
             <maxHistory>10</maxHistory>
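Review bot: Both new `<appender>` start tags redeclare `xmlns:xsi`, which the root `<systemConfiguration>` element already binds to the same URI. The attribute is redundant and can be dropped, leaving `<appender xsi:type="c:FileAppenderConfigurationType" name="MIDPOINT_LOG">` and the equivalent for `MIDPOINT_PROFILE_LOG`. The second appender continues past the end of this hunk.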
@@ -212,7 +244,7 @@
         <name>demo/grouper</name>
     </deploymentInformation>
     <adminGuiConfiguration>
-        <userDashboardLink id="13">
+        <userDashboardLink>
             <targetUrl>/self/profile</targetUrl>
             <label>Profile</label>
             <description>View/edit your profile</description>
@@ -223,7 +255,7 @@
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfProfile</authorization>
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</authorization>
         </userDashboardLink>
-        <userDashboardLink id="14">
+        <userDashboardLink>
             <targetUrl>/self/credentials</targetUrl>
             <label>Credentials</label>
             <description>View/edit your credentials</description>
@@ -234,7 +266,7 @@
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfCredentials</authorization>
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfAll</authorization>
         </userDashboardLink>
-        <userDashboardLink id="15">
+        <userDashboardLink>
             <targetUrl>/admin/users</targetUrl>
             <label>List users</label>
             <icon>
@@ -243,7 +275,7 @@
             <color>red</color>
             <authorization>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#users</authorization>
         </userDashboardLink>
-        <userDashboardLink id="16">
+        <userDashboardLink>
             <targetUrl>/admin/resources</targetUrl>
             <label>List resources</label>
             <icon>
@@ -536,4 +568,216 @@
         <useLegacyApproversSpecification>never</useLegacyApproversSpecification>
         <useDefaultApprovalPolicyRules>never</useDefaultApprovalPolicyRules>
     </workflowConfiguration>
+
+    <expressions>
+        <expressionProfile>
+            <identifier>safe</identifier>
+            <description>
+                "Safe" expression profile. It is supposed to contain only operations that are "safe",
+                i.e. operations that have very little risk to harm the system, circumvent midPoint security
+                and so on. Use of those operations should be reasonably safe in all expressions.
+                However, there are limitations. This profile may incomplete or it may even be not completely secure.
+                Proper security testing of this profile was not yet conducted. It is provided here "AS IS",
+                without any guarantees. Use at your own risk.
+            </description>
+            <decision>deny</decision> <!-- default decision of those evaluators that are not explicitly enumerated. -->
+            <evaluator>
+                <type>asIs</type>
+                <decision>allow</decision>
+            </evaluator>
+            <evaluator>
+                <type>path</type>
+                <decision>allow</decision>
+            </evaluator>
+            <evaluator>
+                <type>value</type>
+                <decision>allow</decision>
+            </evaluator>
+            <evaluator>
+                <type>const</type>
+                <decision>allow</decision>
+            </evaluator>
+            <evaluator>
+                <type>script</type>
+                <decision>deny</decision> <!-- default decision of those script languages that are not explicitly enumerated. -->
+                <script>
+                    <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
+                    <decision>allow</decision>
+                    <typeChecking>true</typeChecking>
+                    <permissionProfile>script-safe</permissionProfile>
+                </script>
+            </evaluator>
+        </expressionProfile>
+        <permissionProfile>
+            <identifier>script-safe</identifier>
+            <decision>deny</decision> <!-- Default decision for those classes that are not explicitly enumerated. -->
+            <package>
+                <name>com.evolveum.midpoint.xml.ns._public.common.common_3</name>
+                <description>MidPoint common schema - generated bean classes</description>
+                <decision>allow</decision>
+            </package>
+            <package>
+                <name>com.evolveum.prism.xml.ns._public.types_3</name>
+                <description>Prism schema - bean classes</description>
+                <decision>allow</decision>
+            </package>
+            <class>
+                <name>java.lang.Integer</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.lang.Object</name>
+                    <description>Basic Java operations.</description>
+                    <decision>deny</decision>
+                    <method>
+                        <name>equals</name>
+                        <decision>allow</decision>
+                    </method><method>
+                        <name>hashCode</name>
+                        <decision>allow</decision>
+                    </method>
+            </class>
+            <class>
+                <name>java.lang.String</name>
+                    <description>String operations are generally safe. But Groovy is adding execute() method which is very dangerous.</description>
+                    <decision>allow</decision> <!-- Default decision for those methods that are not explicitly enumerated. -->
+                    <method>
+                        <name>execute</name>
+                        <decision>deny</decision>
+                    </method>
+            </class>
+            <class>
+                <name>java.lang.CharSequence</name>
+                    <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.lang.Enum</name>
+                    <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.util.List</name>
+                    <description>List operations are generally safe. But Groovy is adding execute() method which is very dangerous.</description>
+                    <decision>allow</decision>
+                    <method>
+                        <name>execute</name>
+                        <decision>deny</decision>
+                    </method>
+            </class>
+            <class>
+                <name>java.util.ArrayList</name>
+                    <description>List operations are generally safe. But Groovy is adding execute() method which is very dangerous.</description>
+                    <decision>allow</decision>
+                    <method>
+                        <name>execute</name>
+                        <decision>deny</decision>
+                    </method>
+            </class>
+            <class>
+                <name>java.util.Map</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.util.HashMap</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.util.Date</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>javax.xml.namespace.QName</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>javax.xml.datatype.XMLGregorianCalendar</name>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.lang.System</name>
+                <description>Just a few methods of System are safe enough.</description>
+                <decision>deny</decision>
+                <method>
+                    <name>currentTimeMillis</name>
+                    <decision>allow</decision>
+                </method>
+            </class>
+            <class>
+                <name>java.lang.IllegalStateException</name>
+                <description>Basic Java exception. Also used in test.</description>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>java.lang.IllegalArgumentException</name>
+                <description>Basic Java exception.</description>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.model.common.expression.functions.BasicExpressionFunctions</name>
+                <description>MidPoint basic functions library</description>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.model.common.expression.functions.LogExpressionFunctions</name>
+                <description>MidPoint logging functions library</description>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.report.impl.ReportFunctions</name>
+                <description>MidPoint report functions library</description>
+                <decision>allow</decision>
+            </class>
+            <class>
+                <name>org.apache.commons.lang.StringUtils</name>
+                <description>Apache Commons: Strings</description>
+                <decision>allow</decision>
+            </class>
+
+            <!-- Following may be needed for audit reports. But they may not be completely safe.
+                 Therefore the following section is commented out. Please closely evaluate those rules
+                 before using them. -->
+            <!--  <class>
+                <name>com.evolveum.midpoint.schema.expression.VariablesMap</name>
+                <description>Expression variables map.</description>
+                <decision>deny</decision>
+                <method>
+                    <name>get</name>
+                    <decision>allow</decision>
+                </method>
+                <method>
+                    <name>remove</name>
+                    <decision>allow</decision>
+                </method>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.schema.expression.TypedValue</name>
+                <description>Typed values, holding expression variables. Read-only access.</description>
+                <decision>deny</decision>
+                <method>
+                    <name>getValue</name>
+                    <decision>allow</decision>
+                </method>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.report.impl.ReportUtils</name>
+                <decision>deny</decision>
+                <method>
+                    <name>convertDateTime</name>
+                    <decision>allow</decision>
+                </method>
+                <method>
+                    <name>getPropertyString</name>
+                    <decision>allow</decision>
+                </method>
+                <method>
+                    <name>printDelta</name>
+                    <decision>allow</decision>
+                </method>
+            </class>
+            <class>
+                <name>com.evolveum.midpoint.prism.PrismReferenceValue</name>
+                <decision>allow</decision>
+            </class> -->
+        </permissionProfile>
+    </expressions>
+
 </systemConfiguration>
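Review bot: The `script-safe` permission profile allows `java.lang.String`, `java.util.List` and `java.util.ArrayList` by default and denies only `execute`, so any other method that Groovy or a later JDK attaches to those types is permitted without review. The `java.lang.Object` and `java.lang.System` entries in the same hunk take the stricter shape, `<decision>deny</decision>` with the permitted methods enumerated, which would be the safer default for the string and collection types too. If the allow-by-default form is kept, a comment on each such entry, e.g. `<!-- allow-by-default: re-review on Groovy/JDK upgrade -->`, would record the assumption. Nothing in the visible hunks assigns the `safe` expression profile to any object, and its own description says it has not been security tested, so it is worth stating where the profile is meant to apply.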
diff --git a/download-midpoint.sh b/download-midpoint.sh
index c317e1b..0f808e0 100755
--- a/download-midpoint.sh
+++ b/download-midpoint.sh
@@ -10,7 +10,7 @@ else
     # But if we need to incorporate interim changes to I2 distribution during
     # midPoint development cycle, we can specify concrete file from "midpoint-tier"
     # download directory by using its name (like "latest-stable").
-    MP_VERSION="4.1"
+    MP_VERSION="4.2-SNAPSHOT"
   else
     MP_VERSION=$tag
   fi