Posted to commits@ofbiz.apache.org by jl...@apache.org on 2016/02/16 20:25:19 UTC

svn commit: r1730736 - /ofbiz/trunk/build.xml

Author: jleroux
Date: Tue Feb 16 19:25:19 2016
New Revision: 1730736

URL: http://svn.apache.org/viewvc?rev=1730736&view=rev
Log:
Because I had changes pending for "Use only HTTPS in OFBiz" - OFBIZ-6849, I forgot to commit the changes done for the start*-secure ant targets and notsoserial in the main build.xml file in the previous commit (r1730735)

Modified:
    ofbiz/trunk/build.xml

Modified: ofbiz/trunk/build.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/build.xml?rev=1730736&r1=1730735&r2=1730736&view=diff
==============================================================================
--- ofbiz/trunk/build.xml (original)
+++ ofbiz/trunk/build.xml Tue Feb 16 19:25:19 2016
@@ -594,11 +594,14 @@ under the License.
         </java>
     </target>
     <target name="start-secure"
-            description="Same than start but pre-loading the contrast-rO0 lib (from OFBiz roo dir) to secure OFBiz from the deserialization issue">
+            description="Same than start but pre-loading the notsoserial Java agent (from tools/security/notsoserial) to protect OFBiz from the Java deserialization vulnerability">
         <java jar="ofbiz.jar" fork="true">
             <jvmarg value="${memory.initial.param}"/>
             <jvmarg value="${memory.max.param}"/>
-            <jvmarg value="-javaagent:${ofbiz.home.dir}/contrast-rO0.jar"/>
+            <jvmarg value="-javaagent:${ofbiz.home.dir}/tools/security/notsoserial/notsoserial-1.0-SNAPSHOT.jar"/>
+            <jvmarg value="-Dnotsoserial.whitelist=${ofbiz.home.dir}/tools/security/notsoserial/empty.txt"/>
+            <jvmarg value="-Dnotsoserial.dryrun=${ofbiz.home.dir}/tools/security/notsoserial/is-deserialized.txt"/>
+            <jvmarg value="-Dnotsoserial.trace=${ofbiz.home.dir}/tools/security/notsoserial/deserialize-trace.txt"/>
             <arg value="start"/>
             <arg value="-portoffset=${portoffset}"/>
         </java>
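Review bot: The `-Dnotsoserial.dryrun=…is-deserialized.txt` jvmarg added here (and identically in the start-batch-secure, start-pos-secure and start-both-secure hunks below) appears to put the agent into its logging-only mode, so the target would record which classes get deserialized rather than reject them, which does not match the description "to protect OFBiz from the Java deserialization vulnerability"; as I read the notsoserial documentation, dryrun mode does not block anything, and the empty whitelist only takes effect once that flag is removed. If observation is the intent for now, the description should say so, e.g. `description="Same as start but pre-loading the notsoserial Java agent in dry-run mode: deserialized classes are logged to tools/security/notsoserial/is-deserialized.txt, nothing is blocked yet"`; otherwise drop the dryrun line so the whitelist is enforced. The four jvmarg lines are also copied verbatim into each target, so a single Ant property for the agent directory and one for the mode would keep them from drifting apart when the setup changes.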
@@ -613,11 +616,14 @@ under the License.
         </java>
     </target>
     <target name="start-batch-secure"
-        description="Same than start-batch but pre-loading the contrast-rO0 lib (from OFBiz roo dir) to secure OFBiz from the deserialization issue">
+        description="Same than start-batch but pre-loading the notsoserial Java agent (from tools/security/notsoserial) to protect OFBiz from the Java deserialization vulnerability">
         <java jar="ofbiz.jar" fork="true" spawn="true">
             <jvmarg value="${memory.initial.param}"/>
             <jvmarg value="${memory.max.param}"/>
-            <jvmarg value="-javaagent:${ofbiz.home.dir}/contrast-rO0.jar"/>
+            <jvmarg value="-javaagent:${ofbiz.home.dir}/tools/security/notsoserial/notsoserial-1.0-SNAPSHOT.jar"/>
+            <jvmarg value="-Dnotsoserial.whitelist=${ofbiz.home.dir}/tools/security/notsoserial/empty.txt"/>
+            <jvmarg value="-Dnotsoserial.dryrun=${ofbiz.home.dir}/tools/security/notsoserial/is-deserialized.txt"/>
+            <jvmarg value="-Dnotsoserial.trace=${ofbiz.home.dir}/tools/security/notsoserial/deserialize-trace.txt"/>
             <arg value="start-batch"/>
             <arg value="-portoffset=${portoffset}"/>
         </java>
@@ -644,6 +650,19 @@ under the License.
             <arg value="-portoffset=${portoffset}"/><!-- Not sure this makes sense and is useful at all -->
         </java>
     </target>
+    <target name="start-pos-secure"
+        description="Same than start-pos but pre-loading the notsoserial Java agent (from tools/security/notsoserial) to protect OFBiz from the Java deserialization vulnerability">
+        <java jar="ofbiz.jar" fork="true">
+            <jvmarg value="${memory.initial.param}"/>
+            <jvmarg value="${memory.max.param}"/>
+            <jvmarg value="-javaagent:${ofbiz.home.dir}/tools/security/notsoserial/notsoserial-1.0-SNAPSHOT.jar"/>
+            <jvmarg value="-Dnotsoserial.whitelist=${ofbiz.home.dir}/tools/security/notsoserial/empty.txt"/>
+            <jvmarg value="-Dnotsoserial.dryrun=${ofbiz.home.dir}/tools/security/notsoserial/is-deserialized.txt"/>
+            <jvmarg value="-Dnotsoserial.trace=${ofbiz.home.dir}/tools/security/notsoserial/deserialize-trace.txt"/>
+            <arg value="pos"/>
+            <arg value="-portoffset=${portoffset}"/><!-- Not sure this makes sense and is useful at all -->
+        </java>
+    </target>
     <target name="start-both"
             description="Start OFBiz in both Web and POS (Point of sale) modes. Use -Dportoffset=portNumber to shift all ports with the portNumber value.">
         <java jar="ofbiz.jar" fork="true">
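Review bot: The new start-pos-secure target is a line-for-line copy of start-pos plus the same four notsoserial jvmarg lines that every other -secure target now carries, including the copied `<!-- Not sure this makes sense and is useful at all -->` remark on the portoffset line, which reads as an open question rather than documentation. Factoring the agent path into a property, e.g. `<property name="notsoserial.dir" value="${ofbiz.home.dir}/tools/security/notsoserial"/>`, and referring to `${notsoserial.dir}` in the jvmargs would make the SNAPSHOT jar name and the text-file paths a single point of change, which matters because `notsoserial-1.0-SNAPSHOT.jar` is an unversioned build whose upgrade will otherwise require editing four targets. The portoffset comment should either be resolved or reworded into a statement of what the flag does for the POS mode.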
@@ -654,11 +673,14 @@ under the License.
         </java>
     </target>
     <target name="start-both-secure"
-        description="Same than start-pos but pre-loading the contrast-rO0 lib (from OFBiz roo dir) to secure OFBiz from the deserialization issue">
+        description="Same than start-both but pre-loading the notsoserial Java agent (from tools/security/notsoserial) to protect OFBiz from the Java deserialization vulnerability">
         <java jar="ofbiz.jar" fork="true">
             <jvmarg value="${memory.initial.param}"/>
-            <jvmarg value="-javaagent:${ofbiz.home.dir}/contrast-rO0.jar"/>
             <jvmarg value="${memory.max.param}"/>
+            <jvmarg value="-javaagent:${ofbiz.home.dir}/tools/security/notsoserial/notsoserial-1.0-SNAPSHOT.jar"/>
+            <jvmarg value="-Dnotsoserial.whitelist=${ofbiz.home.dir}/tools/security/notsoserial/empty.txt"/>
+            <jvmarg value="-Dnotsoserial.dryrun=${ofbiz.home.dir}/tools/security/notsoserial/is-deserialized.txt"/>
+            <jvmarg value="-Dnotsoserial.trace=${ofbiz.home.dir}/tools/security/notsoserial/deserialize-trace.txt"/>
             <arg value="both"/>
             <arg value="-portoffset=${portoffset}"/>
         </java>