geosolutions-it#7172: migration to GeoStore 1.8-SNAPSHOT to inherit l…

…atest spring compatibility

docs/developer-guide/mapstore-migration-guide.md

@@ -21,6 +21,47 @@ This is a list of things to check if you want to update from a previous version
 - Follow the instructions below, in order, from your version to the one you want to update to.
 
 
+## Migration from 2021.02.00 to 2021.03.00
+
+This release includes several libraries upgrade on the backend side,
+in particular the following have been migrated to the latest available versions:
+
+| Library      | Old |New|
+| ----------- | ----------- |--|
+| Spring| 3.0.5|5.3.9|
+| Spring-security| 3.0.5        |5.3.10|
+| CXF| 2.3.2        |3.4.4|
+| Hibernate|      3.3.2   |5.5.0|
+| JPA| 1.0        |2.1|
+| hibernate-generic-dao| 0.5.1        |1.3.0-SNAPSHOT|
+| h2| 1.3.168        |1.3.175|
+| servlet-api| 2.5        |3.1|
+
+This requires also an upgrade of Tomcat to at least version 8.5.x
+
+### Updating projects configuration
+
+Projects need the following to update to this MapStore release:
+
+ - upgrade Tomcat to 8.5 or greater
+ - update your geostore-spring-security.xml file to add the following setting, needed to disable CSRF validation, that MapStore services do not implement yet:
+
+```xml
+<security:http ... >
+    ...
+    <security:csrf disabled="true"/>
+    ...
+</security:http>
+```
+
+ - remove the spring log4j listener from web.xml
+
+```xml
+ <!-- spring context loader
+    <listener>
+		<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
+    </listener>-->
+```
 ## Migration from 2021.01.02 to 2021.02.00
 
 ### Theme updates and CSS variables

java/pom.xml

@@ -4,7 +4,7 @@
   <groupId>it.geosolutions.mapstore</groupId>
   <artifactId>mapstore-java</artifactId>
   <packaging>pom</packaging>
-  <version>1.2-SNAPSHOT</version>
+  <version>1.3-SNAPSHOT</version>
   <name>MapStore 2</name>
   <url>http://www.geo-solutions.it</url>
 

java/services/pom.xml

@@ -4,13 +4,14 @@
   <groupId>it.geosolutions.mapstore</groupId>
   <artifactId>mapstore-services</artifactId>
   <packaging>jar</packaging>
-  <version>1.2-SNAPSHOT</version>
+  <version>1.3-SNAPSHOT</version>
   <name>MapStore 2 - Backend Services</name>
   <url>http://www.geo-solutions.it</url>
 
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <spring.version>3.0.5.RELEASE</spring.version>
+    <spring.version>5.3.9</spring.version>
+    <spring.security.version>5.3.10.RELEASE</spring.security.version>
   </properties>
 
   <dependencies>
@@ -38,22 +39,22 @@
     <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-core</artifactId>
-        <version>${spring.version}</version>
+        <version>${spring.security.version}</version>
     </dependency>
     <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-web</artifactId>
-        <version>${spring.version}</version>
+        <version>${spring.security.version}</version>
     </dependency>
     <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-config</artifactId>
-        <version>${spring.version}</version>
+        <version>${spring.security.version}</version>
     </dependency>
     <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-ldap</artifactId>
-        <version>${spring.version}</version>
+        <version>${spring.security.version}</version>
     </dependency>
     <dependency>
         <groupId>org.springframework</groupId>
@@ -77,11 +78,13 @@
       <scope>test</scope>
     </dependency>
     <!-- servlet -->
+    <!-- https://mvnrepository.com/artifact/javax.servlet/javax.servlet-api -->
     <dependency>
-          <groupId>javax.servlet</groupId>
-          <artifactId>servlet-api</artifactId>
-          <version>2.5</version>
+        <groupId>javax.servlet</groupId>
+        <artifactId>javax.servlet-api</artifactId>
+        <version>3.0.1</version>
     </dependency>
+
     <!-- json-lib -->
     <dependency>
         <groupId>net.sf.json-lib</groupId>

java/services/src/main/java/it/geosolutions/mapstore/controllers/configs/ConfigsController.java

@@ -44,6 +44,12 @@ public class ConfigsController extends BaseConfigController {
      */
     @RequestMapping(value="/{resource}", method = RequestMethod.GET) // TODO: search in configs directory base
     public @ResponseBody byte[] loadResource(@PathVariable("resource") String resourceName, @RequestParam(value="overrides", defaultValue="true") boolean applyOverrides) throws IOException {
-        return toBytes(readResource( Paths.get(getConfigsFolder(),  resourceName + ".json").toString(), applyOverrides, Paths.get(getConfigsFolder(),  resourceName + ".json.patch").toString()));
+        return toBytes(readResource( Paths.get(getConfigsFolder(),  normalizeExtension(resourceName, "json")).toString(), applyOverrides, Paths.get(getConfigsFolder(),  resourceName + ".json.patch").toString()));
     }
+
+	private String normalizeExtension(String name, String extension) {
+		if(name.toLowerCase().endsWith("." + extension.toLowerCase()))
+			return name;
+		return name + "." + extension;
+	}
 }

java/services/src/main/java/it/geosolutions/mapstore/controllers/rest/config/LoadAssetsController.java

@@ -53,13 +53,21 @@ public class LoadAssetsController extends BaseConfigController {
      */
     @RequestMapping(value="/load/{resource}", method = RequestMethod.GET)
     public @ResponseBody byte[] loadResource(@PathVariable("resource") String resourceName, @RequestParam(value="overrides", defaultValue="true") boolean applyOverrides) throws IOException {
+    	resourceName = normalizeResource(resourceName, "json");
         if (isAllowed(resourceName)) {
             return toBytes(readResource(resourceName + ".json", applyOverrides, resourceName + ".json.patch"));
         }
         throw new ResourceNotAllowedException("Resource is not allowed");
     }
 
-    /**
+    private String normalizeResource(String name, String extension) {
+    	if(name.toLowerCase().endsWith("." + extension.toLowerCase())) {
+    		return name.substring(0, name.length() - 1 - extension.length());
+    	}
+    	return name;
+	}
+
+	/**
      * Loads an asset from the datadir, if defined, from the webapp root folder otherwise.
      * Allows loading externalized assets (javascript bundles, translation files, and so on).
      * The rest of the URL from /loadasset/ is intended to be the path to resource.

java/web/pom.xml

@@ -4,7 +4,7 @@
   <groupId>it.geosolutions.mapstore</groupId>
   <artifactId>mapstore-webapp</artifactId>
   <packaging>war</packaging>
-  <version>1.2-SNAPSHOT</version>
+  <version>1.3-SNAPSHOT</version>
   <name>MapStore 2 - WAR</name>
   <url>http://www.geo-solutions.it</url>
 
@@ -19,7 +19,7 @@
     <dependency>
         <groupId>it.geosolutions.mapstore</groupId>
         <artifactId>mapstore-services</artifactId>
-        <version>1.2-SNAPSHOT</version>
+        <version>1.3-SNAPSHOT</version>
     </dependency>
 
     <!-- ================================================================ -->
@@ -28,7 +28,7 @@
     <dependency>
       <groupId>it.geosolutions.geostore</groupId>
       <artifactId>geostore-webapp</artifactId>
-      <version>1.7-SNAPSHOT</version>
+      <version>1.8-SNAPSHOT</version>
       <type>war</type>
       <scope>runtime</scope>
     </dependency>
@@ -56,9 +56,9 @@
     </dependency>
     <!-- servlet -->
     <dependency>
-          <groupId>javax.servlet</groupId>
-          <artifactId>servlet-api</artifactId>
-          <version>2.5</version>
+        <groupId>javax.servlet</groupId>
+        <artifactId>javax.servlet-api</artifactId>
+        <version>3.0.1</version>
     </dependency>
     <!-- gzip compression filter -->
     <dependency>
@@ -86,7 +86,9 @@
                 WEB-INF/lib/commons-io-1.1.jar,
                 WEB-INF/lib/commons-logging-1.0.4.jar,
                 WEB-INF/lib/commons-pool-1.3.jar,
-                WEB-INF/lib/spring-*-3.1.0*.jar
+                WEB-INF/lib/slf4j-api-1.5*.jar,
+                WEB-INF/lib/slf4j-log4j12-1.5*.jar,
+                WEB-INF/lib/spring-tx-5.2.15*.jar
                 </packagingExcludes>
                 <overlays>
                     <overlay>

java/web/src/main/webapp/WEB-INF/web.xml

@@ -25,11 +25,6 @@
 	<!-- <context-param> <param-name>log4jConfigLocation</param-name> <param-value>file:${config.dir}/log4j.xml</param-value>
 		</context-param> -->
 
-	<!-- spring context loader -->
-	<listener>
-		<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
-	</listener>
-
 	<!--
       - Loads the root application context of this web app at startup.
       - The application context is then available via

pom.xml

@@ -4,7 +4,7 @@
   <groupId>it.geosolutions.mapstore</groupId>
   <artifactId>mapstore-root</artifactId>
   <packaging>pom</packaging>
-  <version>1.2-SNAPSHOT</version>
+  <version>1.3-SNAPSHOT</version>
   <name>MapStore Root</name>
 
   <properties>

product/config/db/geostore-spring-security-db.xml

@@ -22,6 +22,7 @@
 
 	<security:http auto-config="true" create-session="never" >
 		<security:http-basic entry-point-ref="restAuthenticationEntryPoint"/>
+        <security:csrf disabled="true"/>
 		<security:custom-filter ref="authenticationTokenProcessingFilter" before="FORM_LOGIN_FILTER"/>
 		<security:custom-filter ref="sessionTokenProcessingFilter" after="FORM_LOGIN_FILTER"/>
 		<security:anonymous />

product/config/ldap/geostore-spring-security-ldap.xml

@@ -22,6 +22,7 @@
 
 	<security:http auto-config="true" create-session="never" >
 		<security:http-basic entry-point-ref="restAuthenticationEntryPoint"/>
+        <security:csrf disabled="true"/>
 		<security:custom-filter ref="authenticationTokenProcessingFilter" before="FORM_LOGIN_FILTER"/>
 		<security:custom-filter ref="sessionTokenProcessingFilter" after="FORM_LOGIN_FILTER"/>
 		<security:anonymous />

product/pom.xml

@@ -4,7 +4,7 @@
   <groupId>it.geosolutions.mapstore</groupId>
   <artifactId>mapstore-product</artifactId>
   <packaging>war</packaging>
-  <version>1.2-SNAPSHOT</version>
+  <version>1.3-SNAPSHOT</version>
   <name>MapStore Product Web Application</name>
 
   <properties>
@@ -17,7 +17,7 @@
     <dependency>
       <groupId>it.geosolutions.mapstore</groupId>
       <artifactId>mapstore-webapp</artifactId>
-      <version>1.2-SNAPSHOT</version>
+      <version>1.3-SNAPSHOT</version>
       <type>war</type>
       <scope>runtime</scope>
     </dependency>

project/custom/templates/web/src/main/webapp/WEB-INF/web.xml

@@ -22,11 +22,6 @@
       <param-value>/proxy.properties</param-value>
     </context-param>
 
-    <!-- spring context loader -->
-    <listener>
-		<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
-    </listener>
-
 	<!--
       - Loads the root application context of this web app at startup.
       - The application context is then available via

project/standard/templates/web/pom.xml

@@ -382,8 +382,10 @@
                 <packagingExcludes>WEB-INF/lib/commons-codec-1.2.jar,
                 WEB-INF/lib/commons-io-1.1.jar,
                 WEB-INF/lib/commons-logging-1.0.4.jar,
-		WEB-INF/lib/commons-pool-1.3.jar,
-		WEB-INF/lib/spring-*-3.1.0*.jar
+                WEB-INF/lib/commons-pool-1.3.jar,
+                WEB-INF/lib/slf4j-api-1.5*.jar,
+                WEB-INF/lib/slf4j-log4j12-1.5*.jar,
+                WEB-INF/lib/spring-tx-*-5.2.15*.jar
                 </packagingExcludes>
                 <overlays>
                     <overlay>

project/standard/templates/web/src/main/webapp/WEB-INF/web.xml

@@ -22,11 +22,6 @@
       <param-value>/proxy.properties</param-value>
     </context-param>
 
-    <!-- spring context loader -->
-    <listener>
-		<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
-    </listener>
-
 	<!--
       - Loads the root application context of this web app at startup.
       - The application context is then available via

release/bin-war/pom.xml

@@ -18,7 +18,7 @@
         <dependency>
             <groupId>it.geosolutions.mapstore</groupId>
             <artifactId>mapstore-product</artifactId>
-            <version>1.2-SNAPSHOT</version>
+            <version>1.3-SNAPSHOT</version>
             <type>war</type>
             <scope>runtime</scope>
         </dependency>

web/client/api/GeoStoreDAO.js

@@ -158,10 +158,10 @@ const Api = {
                 password: password
             }
         } : {}, options))).then((response) => {
-            authData = response.data;
+            authData = response.data?.sessionToken ?? response.data;
             return axios.get("users/user/details", this.addBaseUrl(merge({
                 headers: {
-                    'Authorization': 'Bearer ' + response.data.access_token
+                    'Authorization': 'Bearer ' + authData?.access_token
                 },
                 params: {
                     includeattributes: true

web/src/config/db/geostore-spring-security-db.xml

@@ -22,6 +22,7 @@
 
 	<security:http auto-config="true" create-session="never" >
 		<security:http-basic entry-point-ref="restAuthenticationEntryPoint"/>
+        <security:csrf disabled="true"/>
 		<security:custom-filter ref="authenticationTokenProcessingFilter" before="FORM_LOGIN_FILTER"/>
 		<security:custom-filter ref="sessionTokenProcessingFilter" after="FORM_LOGIN_FILTER"/>
 		<security:anonymous />

web/src/config/ldap/geostore-spring-security-ldap.xml

@@ -22,6 +22,7 @@
 
 	<security:http auto-config="true" create-session="never" >
 		<security:http-basic entry-point-ref="restAuthenticationEntryPoint"/>
+        <security:csrf disabled="true"/>
 		<security:custom-filter ref="authenticationTokenProcessingFilter" before="FORM_LOGIN_FILTER"/>
 		<security:custom-filter ref="sessionTokenProcessingFilter" after="FORM_LOGIN_FILTER"/>
 		<security:anonymous />