From b9079685498a1eb345f862ee8116f3c61d9158e8 Mon Sep 17 00:00:00 2001 From: Chris Knoll Date: Thu, 22 Jan 2026 21:43:24 -0500 Subject: [PATCH 1/8] App configuration changes: - Converted application.properties to application.yaml - Consolidated security auth configuration under security.auth - Updated code references to renamed properties. - Updated Readme.md with updated property names. --- README.md | 38 +- pom.xml | 486 +----------------- .../java/org/ohdsi/webapi/AuthDataSource.java | 10 +- .../org/ohdsi/webapi/OidcConfCreator.java | 17 +- .../webapi/auth/AuthProviderService.java | 12 +- .../ohdsi/webapi/security/SSOController.java | 4 +- .../security/SecurityConfigurationInfo.java | 2 +- .../org/ohdsi/webapi/service/UserService.java | 2 +- .../shiro/management/AtlasGoogleSecurity.java | 4 +- .../management/AtlasRegularSecurity.java | 90 ++-- .../webapi/shiro/mapper/ADUserMapper.java | 10 +- .../webapi/shiro/mapper/LdapUserMapper.java | 10 +- .../user/importer/UserImportController.java | 4 +- .../providers/ActiveDirectoryProvider.java | 24 +- .../providers/DefaultLdapProvider.java | 18 +- .../service/UserImportServiceImpl.java | 2 +- src/main/resources/application.properties | 288 ----------- src/main/resources/application.yaml | 365 +++++++++++++ .../java/org/ohdsi/webapi/test/ITStarter.java | 8 +- .../resources/application-test.properties | 2 +- 20 files changed, 509 insertions(+), 887 deletions(-) delete mode 100644 src/main/resources/application.properties create mode 100644 src/main/resources/application.yaml diff --git a/README.md b/README.md index e617554ffa..2e7a2e0470 100644 --- a/README.md +++ b/README.md 
@@ -56,40 +56,42 @@ java -jar target/WebAPI.jar \ Notes: - Batch uses a table prefix and the security datasource can be overridden if you choose a separate connection, but both are optional when you keep everything on the main datasource/schema. -## SAML Auth support +## SAML Auth support (Updated for 3.0) The following parameters are used: -- `security.saml.idpMetadataLocation=classpath:saml/dev/idp-metadata.xml` - path to metadata used by identity provider -- `security.saml.metadataLocation=saml/dev/sp-metadata.xml` - service provider metadata path -- `security.saml.keyManager.keyStoreFile=classpath:saml/samlKeystore.jks` - path to keystore -- `security.saml.keyManager.storePassword=nalle123` - keystore password -- `security.saml.keyManager.passwords.arachnenetwork=nalle123` - private key password -- `security.saml.keyManager.defaultKey=apollo` - keystore alias -- `security.saml.sloUrl=https://localhost:8443/cas/logout` - identity provider logout URL -- `security.saml.callbackUrl=http://localhost:8080/WebAPI/user/saml/callback` - URL called from identity provider after login +- `security.auth.saml.idpMetadataLocation=classpath:saml/dev/idp-metadata.xml` - path to metadata used by identity provider +- `security.auth.saml.metadataLocation=saml/dev/sp-metadata.xml` - service provider metadata path +- `security.auth.saml.keyManager.keyStoreFile=classpath:saml/samlKeystore.jks` - path to keystore +- `security.auth.saml.keyManager.storePassword=nalle123` - keystore password +- `security.auth.saml.keyManager.passwords.arachnenetwork=nalle123` - private key password +- `security.auth.saml.keyManager.defaultKey=apollo` - keystore alias +- `security.auth.saml.sloUrl=https://localhost:8443/cas/logout` - identity provider logout URL +- `security.auth.saml.callbackUrl=http://localhost:8080/WebAPI/user/saml/callback` - URL called from identity provider after login Sample idp metadata and sp metadata config files for okta: - `saml/dev/idp-metadata-okta.xml` - 
`saml/dev/sp-metadata-okta.xml` -## Managing auth providers +## Managing auth providers (Updated for v3.0) The following parameters are used to enable/disable certain provider: -- `security.auth.windows.enabled` -- `security.auth.kerberos.enabled` -- `security.auth.openid.enabled` -- `security.auth.facebook.enabled` -- `security.auth.github.enabled` -- `security.auth.google.enabled` -- `security.auth.jdbc.enabled` -- `security.auth.ldap.enabled` - `security.auth.ad.enabled` - `security.auth.cas.enabled` +- `security.auth.jdbc.enabled` +- `security.auth.kerberos.enabled` +- `security.auth.ldap.enabled` +- `security.auth.oauth.facebook.enabled` +- `security.auth.oauth.github.enabled` +- `security.auth.oauth.google.enabled` +- `security.auth.openid.enabled` +- `security.auth.windows.enabled` Acceptable values are `true` and `false` +Default paramaters for each of these authentication providers are provided as an example in the embedded application.yaml file. All providers are disabled by default. + ## Geospatial support Instructions can be found at [webapi-component-geospatial](https://github.com/OHDSI/webapi-component-geospatial) diff --git a/pom.xml b/pom.xml index 33d89ebd96..691c4d07b4 100644 --- a/pom.xml +++ b/pom.xml @@ -10,8 +10,12 @@ WebAPI war - ${BUILD_NUMBER} + org.ohdsi.webapi.WebApi + false + false + none UTF-8 + 3.5.6 
@@ -23,291 +27,26 @@ 1.5 - 1.12.1 3.1.9 1.19.1 3.1.2 6.0.5 2.18.2 - org.ohdsi.webapi.WebApi - false - false - none 21 21 21 21 - - - org.postgresql.Driver - jdbc:postgresql://localhost:5433/postgres?currentSchema=webapi - postgres - mypass - - postgresql - webapi - postgresql - - org.postgresql.Driver - ${datasource.url} - ${datasource.username} - ${datasource.password} - classpath:db/migration/postgresql - - ${datasource.ohdsi.schema} - false - ${datasource.ohdsi.schema} - - CDM_NAME - 5 - - false - - 5 - - - 60 - /etc/krb5.conf - - - ${datasource.ohdsi.schema}.BATCH_ - ISOLATION_READ_COMMITTED - default - - DisabledSecurity - 43200 - http://localhost - false - http://localhost/Atlas/#/welcome - http://localhost:8080/WebAPI/user/oauth/callback - - query - - - - - - - - - - - - {:} - http://localhost/index.html#/welcome/ - - - cn={0},dc=example,dc=org - ldap://localhost:389 - - - - (&(objectClass=person)(CN={0})) - displayName - givenName - initials - sn - cn - cn - uid - CN=Users,DC=example,DC=org - - CN=Users,DC=example,DC=org - @example.org - - - (&(objectClass=person)(cn=%s)) - true - 30000 - public - (&(objectClass=person)(userPrincipalName=%s)) - displayname - givenname - initials - sn - cn - sAMAccountName - cn - - - - - - casticket - - ${datasource.ohdsi.schema} - ${datasource.url} - ${datasource.driverClassName} - ${datasource.username} - ${datasource.password} - - select password from ${security.db.datasource.schema}.users where lower(email) = lower(?) 
- true - - - - false - - true - 3 - 10 - 10 - - false - - - - - - - - - - 60 - - true - true - true - true - true - true - true - true - true - true - - SELECT 1 - 2000 - 5 - 1 - 5000 - true - authDataSource - - - - - true - - - 8080 - - - - /WebAPI - 1.17.4 3.1.9 - 600000 - 12 - 10000 - https://localhost:8888/api/v1/analyze - Basic YWRtaW5Ab2R5c3NldXNpbmMuY29tOnBhc3N3b3Jk - - http://localhost:8080/WebAPI/executionservice/callbacks/submission/{id}/status/update/{password} - http://localhost:8080/WebAPI/executionservice/callbacks/submission/{id}/result/{password} - 100 - - - false - - PBEWithMD5AndDES - - - OHDSI - - - true - - - false - false - 200 - true - info - info - info - info - info - info - warn - - - jcache - - - 10 - 20 - 2147483647 - - - - - admin - Moderator - - txt - - - true - false - - false - - - - - - - - - - - 0 0 2 * * * - 30 - 3600000 - false - - 3 - - true - true - 47 49 - * * - false - - - true - en - - - true - - - 600000 - - - 10 - - false - /tmp/atlas/audit/audit.log - /tmp/atlas/audit/audit-%d{yyyy-MM-dd}-%i.log - /tmp/atlas/audit/audit-extra.log - false - - false - ./data/cache - @@ -316,56 +55,6 @@ ${basedir}/src/test/java ${basedir}/target/classes ${basedir}/target/test-classes - - - src/main/resources - true - - **/*.properties - log4j.xml - - - - src/main/resources - false - - **/*.* - - - **/*.properties - log4j.xml - - - - - - src/test/resources - true - - **/*.properties - - - application-test.properties - - - - src/test/resources - false - - application-test.properties - - - - src/test/resources - false - - **/*.* - - - **/*.properties - - - org.apache.maven.plugins @@ -442,7 +131,6 @@ spring-boot-maven-plugin ${spring.boot.version} - false false org.ohdsi.webapi.WebApi @@ -454,10 +142,10 @@ --add-opens java.naming/com.sun.jndi.ldap=ALL-UNNAMED - ${buildinfo.atlas.milestone.id} ${buildinfo.webapi.milestone.id} - ${buildinfo.atlas.release.tag} ${buildinfo.webapi.release.tag} + ${git.branch} + ${git.commit.id.abbrev} 
@@ -497,7 +185,7 @@ -parameters - + **/trexsql/** @@ -581,27 +269,14 @@ - - central - Maven Central - https://repo.maven.apache.org/maven2 - ohdsi repo.ohdsi.org https://repo.ohdsi.org/nexus/content/groups/public - - jitpack.io - https://jitpack.io - - - central - https://repo.maven.apache.org/maven2 - ohdsi repo.ohdsi.org @@ -1051,12 +726,6 @@ - - - com.nimbusds - oauth2-oidc-sdk - 11.20.1 - org.pac4j pac4j-http @@ -1260,7 +929,7 @@ - trexsql + tcache true @@ -1268,7 +937,7 @@ com.github.p-hoffmann trexsql-ext - v0.1.23 + v0.1.18 @@ -1277,7 +946,7 @@ org.apache.maven.plugins maven-compiler-plugin - + @@ -1293,30 +962,6 @@ webapi-oracle - - oracle.jdbc.OracleDriver - jdbc:oracle:thin:@127.0.0.1:1521/ohdsi - user - password - oracle - ${datasource.driverClassName} - ${datasource.url} - user - pass - OHDSI - ${datasource.ohdsi.schema} - ${datasource.ohdsi.schema} - ${datasource.ohdsi.schema}.BATCH_ - - classpath:db/migration/oracle - org.hibernate.dialect.Oracle10gDialect - ${datasource.url} - ${datasource.driverClassName} - ${datasource.username} - ${datasource.password} - select password from ${security.db.datasource.schema}.user where \ - lower(email) = lower(?) - com.oracle.database.jdbc 
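Review bot: The `jitpack.io` repository entry is dropped in the `@@ -581,27 +269,14 @@` hunk while `com.github.p-hoffmann:trexsql-ext` (hunk `@@ -1268,7 +937,7 @@` on the same line) keeps the `com.github.<owner>` coordinate form that JitPack serves, so resolution now depends on `repo.ohdsi.org` hosting or proxying that artifact, which the diff does not establish. If it does not, the renamed profile fails at dependency resolution rather than at build time. Either keep the `jitpack.io` repository or add a comment in the profile stating where `trexsql-ext` is published.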
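Review bot: `trexsql-ext` is moved back from `v0.1.23` to `v0.1.18` in the `@@ -1268,7 +937,7 @@` hunk, a dependency downgrade inside a commit whose message describes only a configuration migration, and nothing in the message explains it. If the rollback is intended, say so in the commit message; otherwise restore `v0.1.23`. The profile id is also renamed from `trexsql` to `tcache` in the preceding hunk, which any documentation or CI invocation selecting that profile would need to follow; I cannot see those from here.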
@@ -1325,107 +970,12 @@ - - webapi-postgresql - - org.postgresql.Driver - jdbc:postgresql://54.209.111.128:5432/vocabularyv5 - USER - PASS - postgresql - ohdsi - ${datasource.driverClassName} - ${datasource.url} - userWithWritesToOhdsiSchema - PASS - ${datasource.ohdsi.schema} - ${datasource.ohdsi.schema} - classpath:db/migration/postgresql - ${datasource.ohdsi.schema}.BATCH_ - org.hibernate.dialect.PostgreSQLDialect - ${datasource.url} - ${datasource.driverClassName} - ${datasource.username} - ${datasource.password} - select password from ${security.db.datasource.schema}.users_data where \ - lower(email) = lower(?) - - - - webapi-docker - - unknown - unknown - true - none - true - org.postgresql.Driver - jdbc:postgresql://54.209.111.128:5432/vocabularyv5 - USER - PASS - postgresql - ohdsi - ${datasource.driverClassName} - ${datasource.url} - userWithWritesToOhdsiSchema - PASS - ${datasource.ohdsi.schema} - ${datasource.ohdsi.schema} - classpath:db/migration/postgresql - ${datasource.ohdsi.schema}.BATCH_ - org.hibernate.dialect.PostgreSQLDialect - ${datasource.url} - ${datasource.driverClassName} - ${datasource.username} - ${datasource.password} - select password from ${security.db.datasource.schema}.users_data where \ - lower(email) = lower(?) - - - - ohdsi.snapshots - repo.ohdsi.org-snapshots - https://repo.ohdsi.org/nexus/content/repositories/snapshots - - false - - - true - - - - webapi-mssql - - com.microsoft.sqlserver.jdbc.SQLServerDriver - jdbc:sqlserver://server - USER - PASS - sql server - OHDSI_schema - ${datasource.driverClassName} - ${datasource.url} - FLYWAY_USER - FLYWAY_PASS - ${datasource.ohdsi.schema} - ${datasource.ohdsi.schema} - classpath:db/migration/sqlserver - ${datasource.ohdsi.schema}.BATCH_ - org.hibernate.dialect.SQLServer2012Dialect - ${datasource.url} - ${datasource.driverClassName} - ${datasource.username} - ${datasource.password} - select password from ${security.db.datasource.schema}.user where \ - lower(email) = lower(?) 
- + webapi-netezza - - true - org.netezza @@ -1462,10 +1012,7 @@ webapi-impala - true 2.6.15 - - ...path/to/impala/jdbc/drivers... @@ -1503,7 +1050,6 @@ webapi-spark - true ${basedir}/src/main/extras/spark @@ -1847,10 +1393,6 @@ webapi-redshift - - - ...path/to/redshift/jdbc/drivers... - com.amazonaws @@ -1880,7 +1422,6 @@ webapi-snowflake - true 3.26.1 @@ -1894,7 +1435,6 @@ webapi-iris - true 3.10.2 @@ -1943,6 +1483,8 @@ + + war diff --git a/src/main/java/org/ohdsi/webapi/AuthDataSource.java b/src/main/java/org/ohdsi/webapi/AuthDataSource.java index 0d1d4cee34..24bcc507c8 100644 --- a/src/main/java/org/ohdsi/webapi/AuthDataSource.java +++ b/src/main/java/org/ohdsi/webapi/AuthDataSource.java @@ -34,15 +34,15 @@ public class AuthDataSource { private final Logger logger = LoggerFactory.getLogger(AuthDataSource.class); - @Value("${security.db.datasource.driverClassName}") + @Value("${security.auth.jdbc.datasource.driverClassName}") private String driverClassName; - @Value("${security.db.datasource.url}") + @Value("${security.auth.jdbc.datasource.url}") private String url; - @Value("${security.db.datasource.username}") + @Value("${security.auth.jdbc.datasource.username}") private String username; - @Value("${security.db.datasource.password}") + @Value("${security.auth.jdbc.datasource.password}") private String password; - @Value("${security.db.datasource.schema}") + @Value("${security.auth.jdbc.datasource.schema}") private String schema; @Value("${spring.datasource.hikari.connection-test-query}") private String testQuery; diff --git a/src/main/java/org/ohdsi/webapi/OidcConfCreator.java b/src/main/java/org/ohdsi/webapi/OidcConfCreator.java index 92aa5699db..96c358323b 100644 --- a/src/main/java/org/ohdsi/webapi/OidcConfCreator.java +++ b/src/main/java/org/ohdsi/webapi/OidcConfCreator.java 
@@ -24,6 +24,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Component; import java.util.HashMap; @@ -38,28 +39,28 @@ public class OidcConfCreator { private volatile OidcConfiguration cachedConfiguration; private final Object lock = new Object(); - @Value("${security.oid.clientId}") + @Value("${security.auth.oid.clientId}") private String clientId; - @Value("${security.oid.apiSecret}") + @Value("${security.auth.oid.apiSecret}") private String apiSecret; - @Value("${security.oid.url}") + @Value("${security.auth.oid.url}") private String url; - @Value("${security.oid.externalUrl:}") + @Value("${security.auth.oid.externalUrl:}") private String externalUrl; - @Value("${security.oid.logoutUrl}") + @Value("${security.auth.oid.logoutUrl}") private String logoutUrl; - @Value("${security.oid.extraScopes}") + @Value("${security.auth.oid.extraScopes}") private String extraScopes; - @Value("#{${security.oid.customParams:{T(java.util.Collections).emptyMap()}}}") + @Value("#{${security.auth.oid.customParams:{T(java.util.Collections).emptyMap()}}}") private Map customParams = new HashMap<>(); - @Value("${security.oauth.callback.api}") + @Value("${security.auth.oauth.callback.api}") private String oauthApiCallback; /** diff --git a/src/main/java/org/ohdsi/webapi/auth/AuthProviderService.java b/src/main/java/org/ohdsi/webapi/auth/AuthProviderService.java index d82ce0c889..bd8982e588 100644 --- a/src/main/java/org/ohdsi/webapi/auth/AuthProviderService.java +++ b/src/main/java/org/ohdsi/webapi/auth/AuthProviderService.java 
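Review bot: `ConditionalOnProperty` is imported in the first OidcConfCreator hunk but no visible hunk of this file uses it; if the class is annotated with it further down, outside the diff, that is fine, otherwise the import is dead and should be dropped. If the bean is in fact made conditional, the places that inject `OidcConfCreator` must tolerate its absence (for example `@Autowired(required = false)` as UserImportServiceImpl already does for its provider), and the commit does not show that. The class body continues outside the hunk.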
@@ -52,22 +52,22 @@ public class AuthProviderService { @Value("${security.auth.cas.enabled}") private boolean casAuthEnabled; - @Value("${security.auth.openid.enabled}") + @Value("${security.auth.oid.enabled}") private boolean openidAuthEnabled; - @Value("${security.auth.facebook.enabled}") + @Value("${security.auth.oauth.facebook.enabled}") private boolean facebookAuthEnabled; - @Value("${security.auth.github.enabled}") + @Value("${security.auth.oauth.github.enabled}") private boolean githubAuthEnabled; - @Value("${security.auth.google.enabled}") + @Value("${security.auth.oauth.google.enabled}") private boolean googleAuthEnabled; - @Value("${security.auth.saml.enabled:false}") + @Value("${security.auth.saml.enabled}") private boolean samlAuthEnabled; - @Value("${security.oid.logoutUrl:}") + @Value("${security.auth.oid.logoutUrl:}") private String oidcLogoutUrl; /** diff --git a/src/main/java/org/ohdsi/webapi/security/SSOController.java b/src/main/java/org/ohdsi/webapi/security/SSOController.java index a1a47d99d0..b9c50fd627 100644 --- a/src/main/java/org/ohdsi/webapi/security/SSOController.java +++ b/src/main/java/org/ohdsi/webapi/security/SSOController.java @@ -49,9 +49,9 @@ @Controller @Path("/saml/") public class SSOController { - @Value("${security.saml.metadataLocation}") + @Value("${security.auth.saml.metadataLocation}") private String metadataLocation; - @Value("${security.saml.sloUrl}") + @Value("${security.auth.saml.sloUrl}") private String sloUri; @Value("${security.origin}") private String origin; diff --git a/src/main/java/org/ohdsi/webapi/security/SecurityConfigurationInfo.java b/src/main/java/org/ohdsi/webapi/security/SecurityConfigurationInfo.java index 4eb477ee2c..ab49bb6ff0 100644 --- a/src/main/java/org/ohdsi/webapi/security/SecurityConfigurationInfo.java +++ b/src/main/java/org/ohdsi/webapi/security/SecurityConfigurationInfo.java 
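Review bot: The SAML flag in AuthProviderService loses its default, going from `@Value("${security.auth.saml.enabled:false}")` to `@Value("${security.auth.saml.enabled}")`, so a deployment whose configuration omits the key fails context startup instead of treating SAML as disabled; AtlasRegularSecurity keeps the `:false` default for the same key and SecurityConfigurationInfo has none, so the three injection points now disagree. Keep the default here: `@Value("${security.auth.saml.enabled:false}")`, and consider adding one to the SecurityConfigurationInfo constructor parameter as well. Separately, this hunk and the matching AtlasRegularSecurity hunk bind `security.auth.oid.enabled`, while the README hunk in this same patch documents the key as `security.auth.openid.enabled`; one of the two needs to change so the documented key actually enables OpenID.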
@@ -15,7 +15,7 @@ public class SecurityConfigurationInfo extends ConfigurationInfo { private static final String KEY = "security"; public SecurityConfigurationInfo(@Value("${security.provider}") String securityProvider, - @Value("${security.saml.enabled}") Boolean samlEnabled, + @Value("${security.auth.saml.enabled}") Boolean samlEnabled, Security atlasSecurity) { boolean enabled = !Objects.equals(securityProvider, Constants.SecurityProviders.DISABLED); diff --git a/src/main/java/org/ohdsi/webapi/service/UserService.java b/src/main/java/org/ohdsi/webapi/service/UserService.java index 51de0648c9..ab990c8131 100644 --- a/src/main/java/org/ohdsi/webapi/service/UserService.java +++ b/src/main/java/org/ohdsi/webapi/service/UserService.java @@ -36,7 +36,7 @@ public class UserService { @Value("${trexsql.enabled:false}") private boolean trexsqlCacheEnabled; - @Value("${security.ad.default.import.group}#{T(java.util.Collections).emptyList()}") + @Value("${security.auth.ad.default.import.group}#{T(java.util.Collections).emptyList()}") private List defaultRoles; private Map roleCreatorPermissionsTemplate = new LinkedHashMap<>(); diff --git a/src/main/java/org/ohdsi/webapi/shiro/management/AtlasGoogleSecurity.java b/src/main/java/org/ohdsi/webapi/shiro/management/AtlasGoogleSecurity.java index 2b53cab3ed..4cd31e2ca4 100644 --- a/src/main/java/org/ohdsi/webapi/shiro/management/AtlasGoogleSecurity.java +++ b/src/main/java/org/ohdsi/webapi/shiro/management/AtlasGoogleSecurity.java 
@@ -28,12 +28,12 @@ public class AtlasGoogleSecurity extends AtlasSecurity { // Execute in console to get the ID: // gcloud config get-value account | tr -cd "[0-9]" - @Value("${security.googleIap.cloudProjectId}") + @Value("${security.auth.googleIap.cloudProjectId}") private Long googleCloudProjectId; // Execute in console to get the ID: // gcloud compute backend-services describe my-backend-service --global --format="value(id)" - @Value("${security.googleIap.backendServiceId}") + @Value("${security.auth.googleIap.backendServiceId}") private Long googleBackendServiceId; public AtlasGoogleSecurity(EntityPermissionSchemaResolver permissionSchemaResolver) { diff --git a/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java b/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java index 5290807ebc..a87e4b95b0 100644 --- a/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java +++ b/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java 
@@ -88,106 +88,106 @@ public class AtlasRegularSecurity extends AtlasSecurity { @Value("${security.token.expiration}") private int tokenExpirationIntervalInSeconds; - @Value("${security.oauth.callback.ui}") + @Value("${security.auth.oauth.callback.ui}") private String oauthUiCallback; - @Value("${security.oauth.callback.api}") + @Value("${security.auth.oauth.callback.api}") private String oauthApiCallback; - @Value("${security.oauth.callback.urlResolver}") + @Value("${security.auth.oauth.callback.urlResolver}") private String oauthCallbackUrlResolver; - @Value("${security.oauth.google.apiKey}") + @Value("${security.auth.oauth.google.apiKey}") private String googleApiKey; - @Value("${security.oauth.google.apiSecret}") + @Value("${security.auth.oauth.google.apiSecret}") private String googleApiSecret; - @Value("${security.oauth.facebook.apiKey}") + @Value("${security.auth.oauth.facebook.apiKey}") private String facebookApiKey; - @Value("${security.oauth.facebook.apiSecret}") + @Value("${security.auth.oauth.facebook.apiSecret}") private String facebookApiSecret; - @Value("${security.oauth.github.apiKey}") + @Value("${security.auth.oauth.github.apiKey}") private String githubApiKey; - @Value("${security.oauth.github.apiSecret}") + @Value("${security.auth.oauth.github.apiSecret}") private String githubApiSecret; - @Value("${security.kerberos.spn}") + @Value("${security.auth.kerberos.spn}") private String kerberosSpn; - @Value("${security.kerberos.keytabPath}") + @Value("${security.auth.kerberos.keytabPath}") private String kerberosKeytabPath; - @Value("${security.ldap.dn}") + @Value("${security.auth.ldap.dn}") private String userDnTemplate; - @Value("${security.ldap.url}") + @Value("${security.auth.ldap.url}") private String ldapUrl; - @Value("${security.ldap.searchString}") + @Value("${security.auth.ldap.searchString}") private String ldapSearchString; - @Value("${security.ldap.searchBase}") + @Value("${security.auth.ldap.searchBase}") private String ldapSearchBase; - 
@Value("${security.ad.url}") + @Value("${security.auth.ad.url}") private String adUrl; - @Value("${security.ad.searchBase}") + @Value("${security.auth.ad.searchBase}") private String adSearchBase; - @Value("${security.ad.principalSuffix}") + @Value("${security.auth.ad.principalSuffix}") private String adPrincipalSuffix; - @Value("${security.ad.system.username}") + @Value("${security.auth.ad.system.username}") private String adSystemUsername; - @Value("${security.ad.system.password}") + @Value("${security.auth.ad.system.password}") private String adSystemPassword; - @Value("${security.db.datasource.authenticationQuery}") + @Value("${security.auth.jdbc.datasource.authenticationQuery}") private String jdbcAuthenticationQuery; - @Value("${security.ad.searchFilter}") + @Value("${security.auth.ad.searchFilter}") private String adSearchFilter; - @Value("${security.ad.searchString}") + @Value("${security.auth.ad.searchString}") private String adSearchString; - @Value("${security.ad.ignore.partial.result.exception}") + @Value("${security.auth.ad.ignore.partial.result.exception}") private Boolean adIgnorePartialResultException; - @Value("${security.google.accessToken.enabled}") + @Value("${security.auth.google.accessToken.enabled}") private Boolean googleAccessTokenEnabled; - @Value("${security.saml.keyManager.storePassword}") + @Value("${security.auth.saml.keyManager.storePassword}") private String keyStorePassword; - @Value("${security.saml.keyManager.passwords.arachnenetwork}") + @Value("${security.auth.saml.keyManager.passwords.arachnenetwork}") private String privateKeyPassword; - @Value("${security.saml.entityId}") + @Value("${security.auth.saml.entityId}") private String identityProviderEntityId; - @Value("${security.saml.idpMetadataLocation}") + @Value("${security.auth.saml.idpMetadataLocation}") private String metadataLocation; - @Value("${security.saml.keyManager.keyStoreFile}") + @Value("${security.auth.saml.keyManager.keyStoreFile}") private String keyStoreFile; 
- @Value("${security.saml.keyManager.defaultKey}") + @Value("${security.auth.saml.keyManager.defaultKey}") private String alias; - @Value("${security.saml.metadataLocation}") + @Value("${security.auth.saml.metadataLocation}") private String spMetadataLocation; - @Value("${security.saml.callbackUrl}") + @Value("${security.auth.saml.callbackUrl}") private String samlCallbackUrl; - @Value("${security.saml.maximumAuthenticationLifetime}") + @Value("${security.auth.saml.maximumAuthenticationLifetime}") private int maximumAuthenticationLifetime; @Autowired @@ -210,25 +210,25 @@ public class AtlasRegularSecurity extends AtlasSecurity { @Autowired private LdapUserMapper ldapUserMapper; - @Value("${security.oid.redirectUrl}") + @Value("${security.auth.oid.redirectUrl}") private String redirectUrl; - @Value("${security.cas.loginUrl}") + @Value("${security.auth.cas.loginUrl}") private String casLoginUrl; - @Value("${security.cas.callbackUrl}") + @Value("${security.auth.cas.callbackUrl}") private String casCallbackUrl; - @Value("${security.cas.serverUrl}") + @Value("${security.auth.cas.serverUrl}") private String casServerUrl; - @Value("${security.cas.cassvcs}") + @Value("${security.auth.cas.cassvcs}") private String casSvcs; - @Value("${security.cas.casticket}") + @Value("${security.auth.cas.casticket}") private String casticket; - @Value("${security.saml.enabled:false}") + @Value("${security.auth.saml.enabled:false}") private boolean samlEnabled; @Value("${security.auth.windows.enabled}") 
@@ -249,16 +249,16 @@ public class AtlasRegularSecurity extends AtlasSecurity { @Value("${security.auth.cas.enabled}") private boolean casAuthEnabled; - @Value("${security.auth.openid.enabled}") + @Value("${security.auth.oid.enabled}") private boolean openidAuthEnabled; - @Value("${security.auth.facebook.enabled}") + @Value("${security.auth.oauth.facebook.enabled}") private boolean facebookAuthEnabled; - @Value("${security.auth.github.enabled}") + @Value("${security.auth.oauth.github.enabled}") private boolean githubAuthEnabled; - @Value("${security.auth.google.enabled}") + @Value("${security.auth.oauth.google.enabled}") private boolean googleAuthEnabled; private RestTemplate restTemplate = new RestTemplate(); diff --git a/src/main/java/org/ohdsi/webapi/shiro/mapper/ADUserMapper.java b/src/main/java/org/ohdsi/webapi/shiro/mapper/ADUserMapper.java index e7a9ffb918..c5157c0ce6 100644 --- a/src/main/java/org/ohdsi/webapi/shiro/mapper/ADUserMapper.java +++ b/src/main/java/org/ohdsi/webapi/shiro/mapper/ADUserMapper.java @@ -5,19 +5,19 @@ @Component public class ADUserMapper extends UserMapper { - @Value("${security.ad.userMapping.firstnameAttr}") + @Value("${security.auth.ad.userMapping.firstnameAttr}") private String firstnameKey; - @Value("${security.ad.userMapping.middlenameAttr}") + @Value("${security.auth.ad.userMapping.middlenameAttr}") private String middlenameKey; - @Value("${security.ad.userMapping.lastnameAttr}") + @Value("${security.auth.ad.userMapping.lastnameAttr}") private String lastnameKey; - @Value("${security.ad.userMapping.usernameAttr}") + @Value("${security.auth.ad.userMapping.usernameAttr}") private String usernameKey; - @Value("${security.ad.userMapping.displaynameAttr}") + @Value("${security.auth.ad.userMapping.displaynameAttr}") private String displaynameKey; @Override diff --git a/src/main/java/org/ohdsi/webapi/shiro/mapper/LdapUserMapper.java b/src/main/java/org/ohdsi/webapi/shiro/mapper/LdapUserMapper.java index 4fdf4f467b..1fe6129e7d 100644 
--- a/src/main/java/org/ohdsi/webapi/shiro/mapper/LdapUserMapper.java +++ b/src/main/java/org/ohdsi/webapi/shiro/mapper/LdapUserMapper.java @@ -5,19 +5,19 @@ @Component public class LdapUserMapper extends UserMapper { - @Value("${security.ldap.userMapping.firstnameAttr}") + @Value("${security.auth.ldap.userMapping.firstnameAttr}") private String firstnameKey; - @Value("${security.ldap.userMapping.middlenameAttr}") + @Value("${security.auth.ldap.userMapping.middlenameAttr}") private String middlenameKey; - @Value("${security.ldap.userMapping.lastnameAttr}") + @Value("${security.auth.ldap.userMapping.lastnameAttr}") private String lastnameKey; - @Value("${security.ldap.userMapping.usernameAttr}") + @Value("${security.auth.ldap.userMapping.usernameAttr}") private String usernameKey; - @Value("${security.ldap.userMapping.displaynameAttr}") + @Value("${security.auth.ldap.userMapping.displaynameAttr}") private String displaynameKey; @Override diff --git a/src/main/java/org/ohdsi/webapi/user/importer/UserImportController.java b/src/main/java/org/ohdsi/webapi/user/importer/UserImportController.java index cc4653228e..d68e5f19b6 100644 --- a/src/main/java/org/ohdsi/webapi/user/importer/UserImportController.java +++ b/src/main/java/org/ohdsi/webapi/user/importer/UserImportController.java @@ -57,10 +57,10 @@ public class UserImportController { @Autowired private GenericConversionService conversionService; - @Value("${security.ad.url}") + @Value("${security.auth.ad.url}") private String adUrl; - @Value("${security.ldap.url}") + @Value("${security.auth.ldap.url}") private String ldapUrl; @GET diff --git a/src/main/java/org/ohdsi/webapi/user/importer/providers/ActiveDirectoryProvider.java b/src/main/java/org/ohdsi/webapi/user/importer/providers/ActiveDirectoryProvider.java index 926c051c7b..b8be287d42 100644 --- a/src/main/java/org/ohdsi/webapi/user/importer/providers/ActiveDirectoryProvider.java 
+++ b/src/main/java/org/ohdsi/webapi/user/importer/providers/ActiveDirectoryProvider.java @@ -24,40 +24,40 @@ import static org.ohdsi.webapi.user.importer.providers.OhdsiLdapUtils.valueAsList; @Component -@ConditionalOnProperty("security.ad.url") +@ConditionalOnProperty("security.auth.ad.url") public class ActiveDirectoryProvider extends AbstractLdapProvider { - @Value("${security.ad.url}") + @Value("${security.auth.ad.url}") private String adUrl; - @Value("${security.ad.searchBase}") + @Value("${security.auth.ad.searchBase}") private String adSearchBase; - @Value("${security.ad.principalSuffix}") + @Value("${security.auth.ad.principalSuffix}") private String adPrincipalSuffix; - @Value("${security.ad.system.username}") + @Value("${security.auth.ad.system.username}") private String adSystemUsername; - @Value("${security.ad.system.password}") + @Value("${security.auth.ad.system.password}") private String adSystemPassword; - @Value("${security.ad.referral:#{null}}") + @Value("${security.auth.ad.referral:#{null}}") private String referral; - @Value("${security.ad.ignore.partial.result.exception:false}") + @Value("${security.auth.ad.ignore.partial.result.exception:false}") private Boolean adIgnorePartialResultException; - @Value("${security.ad.result.count.limit:30000}") + @Value("${security.auth.ad.result.count.limit:30000}") private Long countLimit; - @Value("${security.ad.searchFilter}") + @Value("${security.auth.ad.searchFilter}") private String adSearchFilter; - @Value("${security.ad.userImport.loginAttr}") + @Value("${security.auth.ad.userImport.loginAttr}") private String loginAttr; - @Value("${security.ad.userImport.usernameAttr}") + @Value("${security.auth.ad.userImport.usernameAttr}") private String usernameAttr; private String[] userAttributes; diff --git a/src/main/java/org/ohdsi/webapi/user/importer/providers/DefaultLdapProvider.java b/src/main/java/org/ohdsi/webapi/user/importer/providers/DefaultLdapProvider.java index d1435b9d59..dc13889a91 100644 
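Review bot: ActiveDirectoryProvider is still gated on the mere presence of a URL, `@ConditionalOnProperty("security.auth.ad.url")`, while DefaultLdapProvider in the next file is switched to `@ConditionalOnProperty(name = "security.auth.ldap.enabled", havingValue = "true", matchIfMissing = false)`; the two import providers now use different activation rules for no stated reason. Since the README hunk says example defaults for every provider ship in the embedded application.yaml, a default `security.auth.ad.url` there would instantiate this bean, and bind `security.auth.ad.system.username` and `security.auth.ad.system.password`, even when `security.auth.ad.enabled` is false; I cannot see the yaml from here, so please confirm. Gating this class on `security.auth.ad.enabled` the same way as the LDAP provider would make the `enabled` flags the single switch the README describes.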
--- a/src/main/java/org/ohdsi/webapi/user/importer/providers/DefaultLdapProvider.java +++ b/src/main/java/org/ohdsi/webapi/user/importer/providers/DefaultLdapProvider.java @@ -33,34 +33,34 @@ import static org.ohdsi.webapi.user.importer.providers.OhdsiLdapUtils.valueAsString; @Component -@ConditionalOnProperty("security.ldap.url") +@ConditionalOnProperty(name = "security.auth.ldap.enabled", havingValue = "true", matchIfMissing = false) public class DefaultLdapProvider extends AbstractLdapProvider { private static final String DN = "DN"; private static final String[] RETURNING_ATTRS = {DN, "cn", "ou"}; private static final String[] USER_ATTRIBUTES = {DN, "uid", "cn"}; - @Value("${security.ldap.url}") + @Value("${security.auth.ldap.url}") private String ldapUrl; - @Value("${security.ldap.baseDn}") + @Value("${security.auth.ldap.baseDn}") private String baseDn; - @Value("${security.ldap.system.username}") + @Value("${security.auth.ldap.system.username}") private String systemUsername; - @Value("${security.ldap.referral:#{null}}") + @Value("${security.auth.ldap.referral:#{null}}") private String referral; - @Value("${security.ldap.system.password}") + @Value("${security.auth.ldap.system.password}") private String systemPassword; - @Value("${security.ldap.ignore.partial.result.exception:false}") + @Value("${security.auth.ldap.ignore.partial.result.exception:false}") private Boolean ldapIgnorePartialResultException; - @Value("${security.ldap.userImport.loginAttr}") + @Value("${security.auth.ldap.userImport.loginAttr}") private String loginAttr; - @Value("${security.ldap.userImport.usernameAttr}") + @Value("${security.auth.ldap.userImport.usernameAttr}") private String usernameAttr; private String[] userAttributes; diff --git a/src/main/java/org/ohdsi/webapi/user/importer/service/UserImportServiceImpl.java b/src/main/java/org/ohdsi/webapi/user/importer/service/UserImportServiceImpl.java index bb4abdf61c..9555333e72 100644 
--- a/src/main/java/org/ohdsi/webapi/user/importer/service/UserImportServiceImpl.java +++ b/src/main/java/org/ohdsi/webapi/user/importer/service/UserImportServiceImpl.java @@ -61,7 +61,7 @@ public class UserImportServiceImpl implements UserImportService { private final RoleGroupRepository roleGroupMappingRepository; - @Value("${security.ad.default.import.group}#{T(java.util.Collections).emptyList()}") + @Value("${security.auth.ad.default.import.group}#{T(java.util.Collections).emptyList()}") private List defaultRoles; public UserImportServiceImpl(@Autowired(required = false) ActiveDirectoryProvider activeDirectoryProvider, diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties deleted file mode 100644 index 70003061ca..0000000000 --- a/src/main/resources/application.properties +++ /dev/null 
@@ -1,288 +0,0 @@ -#BuildNumber Version property stub until migration to spring boot 2 -build.number=NA - -spring.profiles.active=${spring.profiles.active} - -# Logging -logging.level.org.springframework.web=${logging.level.org.springframework.web} -logging.level.org.hibernate=${logging.level.org.hibernate} -logging.level.root=${logging.level.root} -logging.level.org.ohdsi=${logging.level.org.ohdsi} -logging.level.org.springframework.orm=${logging.level.org.springframework.orm} -logging.level.org.springframework.jdbc=${logging.level.org.springframework.jdbc} -logging.level.org.apache.shiro=${logging.level.org.apache.shiro} - -spring.jackson.serialization.write-dates-as-timestamps=true - -#Primary DataSource -datasource.driverClassName=${datasource.driverClassName} -datasource.url=${datasource.url} -datasource.username=${datasource.username} -datasource.password=${datasource.password} -datasource.dialect=${datasource.dialect} -datasource.ohdsi.schema=${datasource.ohdsi.schema} -datasource.dialect.source=${datasource.dialect.source} - -#CDM properties -source.name=${source.name} -cdm.version=${cdm.version} - -#R Service Host -r.serviceHost=${r.serviceHost} - -#DataSource for Change Managment / Migration -spring.flyway.enabled=true -spring.flyway.driver-class-name=${datasource.driverClassName} -spring.flyway.url=${datasource.url} -spring.flyway.user=${flyway.datasource.username} -spring.flyway.password=${flyway.datasource.password} -# Flyway schema history table name -spring.flyway.table=schema_version -# check that migration scripts location exists -spring.flyway.fail-on-missing-locations=true -spring.flyway.locations=${flyway.locations} -# locations of migrations scripts -# schemas to manage/update (e.g. ohdsi/results schema) -NOTE: CASE SENSITIVE! 
-spring.flyway.schemas=${datasource.ohdsi.schema} -#Baseline - start flyway managment with existing objects -spring.flyway.baseline-on-migrate=true -#Due to issue https://github.com/flyway/flyway/issues/752 use default baselineVersion=1 (Note equality to 1.0.0.0, so scripts with that version will be omitted) -#spring.flyway.baseline-version=1.0.0.0 -spring.flyway.validate-on-migrate=${flyway.validateOnMigrate} -# Enable out of order migrations due to distributed development nature of WebAPI -spring.flyway.out-of-order=false -# Flyway Placeholders: -spring.flyway.placeholders.ohdsiSchema=${datasource.ohdsi.schema} - -#Disable any auto init -#http://docs.spring.io/spring-boot/docs/current/reference/html/howto-database-initialization.html -spring.datasource.initialize=false -#JPA / Spring Data -spring.jpa.show-sql=${spring.jpa.show-sql} -# JPA Default Schema -spring.jpa.properties.hibernate.default_schema=${datasource.ohdsi.schema} -spring.jpa.properties.hibernate.generate_statistics=${spring.jpa.properties.hibernate.generate_statistics} -spring.jpa.properties.hibernate.jdbc.batch_size=${spring.jpa.properties.hibernate.jdbc.batch_size} -spring.jpa.properties.hibernate.order_inserts=${spring.jpa.properties.hibernate.order_inserts} - -#Spring Autoconfig -spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.ldap.LdapAutoConfiguration - -#Jersey WADL disabled to silence missing JAXBContext warning -jersey.config.server.wadl.disableWadl=true - -#Spring Cache -spring.cache.jcache.config=classpath:appCache.xml -spring.cache.type=${spring.cache.type} - -#JAX-RS -jersey.resources.root.package=org.ohdsi.webapi - -#Spring boot auto starts jobs upon application start -spring.batch.job.enabled=false -#Disable auto init of spring batch tables -spring.batch.initializer.enabled=false -#Custom properties -spring.batch.repository.tableprefix=${spring.batch.repository.tableprefix} 
-spring.batch.repository.isolationLevelForCreate=${spring.batch.repository.isolationLevelForCreate} -spring.batch.taskExecutor.corePoolSize=${spring.batch.taskExecutor.corePoolSize} -spring.batch.taskExecutor.maxPoolSize=${spring.batch.taskExecutor.maxPoolSize} -spring.batch.taskExecutor.queueCapacity=${spring.batch.taskExecutor.queueCapacity} -spring.batch.taskExecutor.threadGroupName=${spring.batch.taskExecutor.threadGroupName} -spring.batch.taskExecutor.threadNamePrefix=${spring.batch.taskExecutor.threadNamePrefix} - -# EMBEDDED SERVER CONFIGURATION (ServerProperties) -server.port = ${server.port} -server.ssl.enabled = ${security.ssl.enabled} -server.ssl.key-store = ${server.ssl.key-store} -server.ssl.key-store-password = ${server.ssl.key-store-password} -server.ssl.key-password = ${server.ssl.key-password} -# the context path, defaults to '/' -server.context-path=/WebAPI -security.cas.loginUrl=${security.cas.loginUrl} -security.cas.callbackUrl=${security.cas.callbackUrl} -security.cas.serverUrl=${security.cas.serverUrl} -security.cas.cassvcs=${security.cas.cassvcs} -security.cas.casticket=${security.cas.casticket} -# Full Text Search settings -solr.endpoint = ${solr.endpoint} -solr.query.prefix = ${solr.query.prefix} -# Enabling Compression -compression=true -compressableMimeType=application/json,application/xml,text/html,text/xml,text/plain - - -#Disabled to support Basic Auth and RESTful interface -#http://docs.spring.io/spring-security/site/docs/3.2.x-SNAPSHOT/reference/html5/#when-to-use-csrf-protection -csrf.disable=true - -sparql.endpoint=http://virtuoso.ohdsi.org:8890/sparql?default-graph-uri=&query= - -security.defaultGlobalReadPermissions=${security.defaultGlobalReadPermissions} -security.provider=${security.provider} -security.cors.enabled=${security.cors.enabled} -security.token.expiration=${security.token.expiration} -security.origin=${security.origin} -security.ssl.enabled=${security.ssl.enabled} 
-security.oauth.callback.ui=${security.oauth.callback.ui} -security.oauth.callback.api=${security.oauth.callback.api} -security.oauth.callback.urlResolver=${security.oauth.callback.urlResolver} -security.oauth.google.apiKey=${security.oauth.google.apiKey} -security.oauth.google.apiSecret=${security.oauth.google.apiSecret} -security.oauth.facebook.apiKey=${security.oauth.facebook.apiKey} -security.oauth.facebook.apiSecret=${security.oauth.facebook.apiSecret} -security.oauth.github.apiKey=${security.oauth.github.apiKey} -security.oauth.github.apiSecret=${security.oauth.github.apiSecret} -security.oid.clientId=${security.oid.clientId} -security.oid.apiSecret=${security.oid.apiSecret} -security.oid.url=${security.oid.url} -security.oid.redirectUrl=${security.oid.redirectUrl} -security.oid.logoutUrl=${security.oid.logoutUrl} -security.oid.extraScopes=${security.oid.extraScopes} -security.oid.customParams=${security.oid.customParams} -security.db.datasource.driverClassName=${security.db.datasource.driverClassName} -security.db.datasource.url=${security.db.datasource.url} -security.db.datasource.username=${security.db.datasource.username} -security.db.datasource.password=${security.db.datasource.password} -security.db.datasource.schema=${security.db.datasource.schema} -security.db.datasource.authenticationQuery=${security.db.datasource.authenticationQuery} -security.ldap.dn=${security.ldap.dn} -security.ldap.url=${security.ldap.url} -security.ldap.baseDn=${security.ldap.baseDn} -security.ldap.system.username=${security.ldap.system.username} -security.ldap.system.password=${security.ldap.system.password} -security.ldap.searchString=${security.ldap.searchString} -security.ldap.searchBase=${security.ldap.searchBase} -security.ldap.userMapping.displaynameAttr=${security.ldap.userMapping.displaynameAttr} -security.ldap.userMapping.firstnameAttr=${security.ldap.userMapping.firstnameAttr} -security.ldap.userMapping.middlenameAttr=${security.ldap.userMapping.middlenameAttr} 
-security.ldap.userMapping.lastnameAttr=${security.ldap.userMapping.lastnameAttr} -security.ldap.userMapping.usernameAttr=${security.ldap.userMapping.usernameAttr} -security.ldap.userImport.usernameAttr=${security.ldap.userImport.usernameAttr} -security.ldap.userImport.loginAttr=${security.ldap.userImport.loginAttr} -security.ad.url=${security.ad.url} -security.ad.searchBase=${security.ad.searchBase} -security.ad.principalSuffix=${security.ad.principalSuffix} -security.ad.system.username=${security.ad.system.username} -security.ad.system.password=${security.ad.system.password} -security.ad.searchFilter=${security.ad.searchFilter} -security.ad.searchString=${security.ad.searchString} -security.ad.ignore.partial.result.exception=${security.ad.ignore.partial.result.exception} -security.ad.result.count.limit=${security.ad.result.count.limit} -security.ad.default.import.group=${security.ad.default.import.group} -security.ad.userMapping.displaynameAttr=${security.ad.userMapping.displaynameAttr} -security.ad.userMapping.firstnameAttr=${security.ad.userMapping.firstnameAttr} -security.ad.userMapping.middlenameAttr=${security.ad.userMapping.middlenameAttr} -security.ad.userMapping.lastnameAttr=${security.ad.userMapping.lastnameAttr} -security.ad.userMapping.usernameAttr=${security.ad.userMapping.usernameAttr} -security.ad.userImport.usernameAttr=${security.ad.userImport.usernameAttr} -security.ad.userImport.loginAttr=${security.ad.userImport.loginAttr} - -security.saml.enabled=${security.saml.enabled} -security.saml.entityId=${security.saml.entityId} -security.saml.idpMetadataLocation=${security.saml.idpMetadataLocation} -security.saml.keyManager.keyStoreFile=${security.saml.keyManager.keyStoreFile} -security.saml.keyManager.storePassword=${security.saml.keyManager.storePassword} -security.saml.keyManager.defaultKey=${security.saml.keyManager.defaultKey} -security.saml.keyManager.passwords.arachnenetwork=${security.saml.keyManager.passwords.arachnenetwork} 
-security.saml.metadataLocation=${security.saml.metadataLocation} -security.saml.callbackUrl=${security.saml.callbackUrl} -security.saml.sloUrl=${security.saml.sloUrl} -security.saml.maximumAuthenticationLifetime=${security.saml.maximumAuthenticationLifetime} - -security.googleIap.cloudProjectId=${security.googleIap.cloudProjectId} -security.googleIap.backendServiceId=${security.googleIap.backendServiceId} -security.google.accessToken.enabled=${security.google.accessToken.enabled} - -security.kerberos.spn=${security.kerberos.spn} -security.kerberos.keytabPath=${security.kerberos.keytabPath} - -security.maxLoginAttempts=${security.maxLoginAttempts} -security.duration.initial=${security.duration.initial} -security.duration.increment=${security.duration.increment} - -security.auth.windows.enabled=${security.auth.windows.enabled} -security.auth.kerberos.enabled=${security.auth.kerberos.enabled} -security.auth.openid.enabled=${security.auth.openid.enabled} -security.auth.facebook.enabled=${security.auth.facebook.enabled} -security.auth.github.enabled=${security.auth.github.enabled} -security.auth.google.enabled=${security.auth.google.enabled} -security.auth.jdbc.enabled=${security.auth.jdbc.enabled} -security.auth.ldap.enabled=${security.auth.ldap.enabled} -security.auth.ad.enabled=${security.auth.ad.enabled} -security.auth.cas.enabled=${security.auth.cas.enabled} - - -#Hikari -spring.datasource.hikari.connection-test-query=${spring.datasource.hikari.connection-test-query} -spring.datasource.hikari.connection-test-query-timeout=${spring.datasource.hikari.connection-test-query-timeout} -spring.datasource.hikari.maximum-pool-size=${spring.datasource.hikari.maximum-pool-size} -spring.datasource.hikari.minimum-idle=${spring.datasource.hikari.minimum-idle} -spring.datasource.hikari.connection-timeout=${spring.datasource.hikari.connection-timeout} -spring.datasource.hikari.register-mbeans=${spring.datasource.hikari.register-mbeans} 
-spring.datasource.hikari.mbean-name=${spring.datasource.hikari.mbean-name} - -person.viewDates=${person.viewDates} - -#Heracles settings -heracles.smallcellcount=${heracles.smallcellcount} - -jasypt.encryptor.enabled=${jasypt.encryptor.enabled} -jasypt.encryptor.password=${jasypt.encryptor.password} -jasypt.encryptor.algorithm=${jasypt.encryptor.algorithm} - -#Kerberos settings -kerberos.timeout=${kerberos.timeout} -kerberos.configPath=${kerberos.configPath} -kerberos.kinitPath=${kerberos.kinitPath} - -#Organization Settings -organization.name=${organization.name} - -#JdbcTemplate -jdbc.suppressInvalidApiException=${jdbc.suppressInvalidApiException} - -#Sensitive info settings -sensitiveinfo.admin.role=${sensitiveinfo.admin.role} -sensitiveinfo.moderator.role=${sensitiveinfo.moderator.role} -sensitiveinfo.analysis.extensions=${sensitiveinfo.analysis.extensions} -analysis.result.zipVolumeSizeMb=${analysis.result.zipVolumeSizeMb} - -#Cache Config -cdm.result.cache.warming.enable=${cdm.result.cache.warming.enable} -cdm.cache.achilles.warming.enable=${cdm.cache.achilles.warming.enable} -cdm.cache.cron.warming.enable=${cdm.cache.cron.warming.enable} -cdm.cache.cron.expression=${cdm.cache.cron.expression} - -cache.generation.invalidAfterDays=${cache.generation.invalidAfterDays} -cache.generation.cleanupInterval=${cache.generation.cleanupInterval} -cache.generation.useAsync=${cache.generation.useAsync} -cache.jobs.count=${cache.jobs.count} - -# Achilles cache -cache.achilles.usePersonCount=${cache.achilles.usePersonCount} - -#Atlas geo spatial -atlasgis.enabled=${gis.enabled} - -#I18n -i18n.enabled=${i18n.enabled} -i18n.defaultLocale=${i18n.defaultLocale} - -#Tags -tag.enabled=${tag.enabled} -tag.refreshStat.period=${tag.refreshStat.period} - -#Versioning -versioning.maxAttempt=${versioning.maxAttempt} - -#Audit trail -audit.trail.enabled=${audit.trail.enabled} -audit.trail.log.file=${audit.trail.log.file} -audit.trail.log.file.pattern=${audit.trail.log.file.pattern} 
-audit.trail.log.extraFile=${audit.trail.log.extraFile} - -# Trexsql configuration -trexsql.enabled=${trexsql.enabled} -trexsql.cache-path=${trexsql.cache-path} -trexsql.extensions-path=${trexsql.extensions-path} diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml new file mode 100644 index 0000000000..d47f77fb3f --- /dev/null +++ b/src/main/resources/application.yaml 
@@ -0,0 +1,365 @@ +analysis: + result: + zipVolumeSizeMb: 100 +atlasgis: + enabled: false +audit: + trail: + enabled: false + log: + extraFile: /tmp/atlas/audit/audit-extra.log + file: /tmp/atlas/audit/audit.log + file.pattern: /tmp/atlas/audit/audit-%d{yyyy-MM-dd}-%i.log +build: + number: NA +cache: + achilles: + usePersonCount: true + generation: + cleanupInterval: 3600000 + invalidAfterDays: 30 + useAsync: false + jobs: + count: 3 +cdm: + cache: + achilles: + warming: + enable: false + cron: + # cron expression to warm cdm cache + # cron expression format (asterisk means 'every' - '*' in seconds means 'every second') + # default value is '0 0 2 * * *' which means "at 2am every day" + # ┌───────second (0-59) + # │ ┌────── minute (0-59) + # │ │ ┌────── hour (0-23) + # │ │ │ ┌────── day of the month (1-31) + # │ │ │ │ ┌────── month (1-12) + # │ │ │ │ │ ┌────── day of the week (0-7) + # * * * * * * + expression: 0 0 2 * * * + warming: + enable: false + result: + cache: + warming: + enable: false + version: 5 +compressableMimeType: application/json,application/xml,text/html,text/xml,text/plain +compression: true +csrf: + disable: true +datasource: + dialect: postgresql + dialect.source: postgresql + driverClassName: org.postgresql.Driver + ohdsi: + schema: webapi + password: app1 + url: jdbc:postgresql://localhost:5432/YOUR_DATABASE_NAME + username: ohdsi_app_user +execution: + invalidation: + period: 600000 + maxage: + hours: 12 + status: + period: 10000 +executionengine: + resultCallback: + resultExclusions: "" + token: Basic YWRtaW5Ab2R5c3NldXNpbmMuY29tOnBhc3N3b3Jk + updateStatusCallback: "http://localhost:8080/WebAPI/executionservice/callbacks/submission/{id}/status/update/{password}" + url: https://localhost:8888/api/v1/analyze + +heracles: + smallcellcount: 5 +i18n: + defaultLocale: en + enabled: true +jasypt: + encryptor: + algorithm: PBEWithMD5AndDES + enabled: false + password: "" +jdbc: + suppressInvalidApiException: true +jersey: + config: + server: + 
wadl: + disableWadl: true + resources: + root: + package: org.ohdsi.webapi +kerberos: + configPath: /etc/krb5.conf + kinitPath: "" + timeout: 60 +logging: + level: + org: + apache: + shiro: warn + hibernate: info + ohdsi: info + springframework: + jdbc: info + orm: info + web: info + root: info +organization: + name: OHDSI +person: + viewDates: false +r: + serviceHost: ${r.serviceHost} +security: + auth: + ad: # Active Directory Settings + enabled: false + default: + import: + group: public + ignore: + partial: + result: + exception: true + principalSuffix: "@example.org" + result: + count: + limit: 30000 + searchBase: CN=Users,DC=example,DC=org + searchFilter: (&(objectClass=person)(cn=%s)) + searchString: (&(objectClass=person)(userPrincipalName=%s)) + system: + password: "" + username: "" + url: "" + userImport: + loginAttr: sAMAccountName + usernameAttr: cn + userMapping: + displaynameAttr: displayname + firstnameAttr: givenname + lastnameAttr: sn + middlenameAttr: initials + usernameAttr: cn + + cas: # Central Authentication Security (CAS) + enabled: false + callbackUrl: "" + cassvcs: "" + casticket: casticket + loginUrl: "" + serverUrl: "" + + google: # TODO: Need documentation on authentication via google token. + accessToken: + enabled: false + + googleIap: # Google Cloud Identity-Aware Proxy (IAP) + enabled: false + backendServiceId: "" + cloudProjectId: "" + + jdbc: # Java Database Connectivity (JDBC) Authentication + enabled: false + datasource: + authenticationQuery: select password from ${security.auth.jdbc.datasource.schema}.your_schema.users where lower(email) = lower(?) 
+ driverClassName: org.postgresql.Driver + password: app1dbsecurity_pass + schema: your_schema + url: jdbc:postgresql://localhost:5436/SECURITY_DB + username: dbsecurity_user + + kerberos: # Kerberos + enabled: false + keytabPath: "" + spn: "" + + ldap: # Lightweight Directory Access (LDAP) + enabled: false + baseDn: "" + dn: cn={0},dc=example,dc=org + searchBase: CN=Users,DC=example,DC=org + searchString: (&(objectClass=person)(CN={0})) + system: + password: "" + username: "" + url: ldap://localhost:389 + userImport: + loginAttr: uid + usernameAttr: cn + userMapping: + displaynameAttr: displayName + firstnameAttr: givenName + lastnameAttr: sn + middlenameAttr: initials + usernameAttr: cn + + oauth: # OAuth + enabled: false + callback: + api: http://localhost:8080/WebAPI/user/oauth/callback + ui: http://localhost/Atlas/#/welcome + urlResolver: query + facebook: + enabled: false + apiKey: "" + apiSecret: "" + github: + enabled: false + apiKey: "" + apiSecret: "" + google: + enabled: false + apiKey: "" + apiSecret: "" + + oid: # OpenID + enabled: false + apiSecret: "" + clientId: "" + customParams: "{:}" + extraScopes: "" + logoutUrl: "" + redirectUrl: http://localhost/index.html#/welcome/ + url: "" + + saml: # SAML (Security Assertion Markup Language) + enabled: false + callbackUrl: "" + entityId: "" + idpMetadataLocation: "" + keyManager: + defaultKey: "" + keyStoreFile: "" + passwords: + arachnenetwork: "" + storePassword: "" + maximumAuthenticationLifetime: 60 + metadataLocation: "" + sloUrl: "" + + windows: + enabled: true + + cors: # Cross origin requests + enabled: true + + # If defaultGlobalReadPermissions is set to true (default), then all users can see every artifact. 
+ # If it is set to false, WebAPI will filter out the artifacts that a user does not explicitly have read permissions to + defaultGlobalReadPermissions: true + + duration: + increment: 10 + initial: 10 + + maxLoginAttempts: 3 + origin: http://localhost + provider: DisabledSecurity + + ssl: + enabled: false + token: + expiration: 360000 + +# Sensitive Info settings +sensitiveinfo: + admin: + role: admin + analysis: + # Use "-" for files without extension, "*" for all files, extension must not include a leading dot. Use comma to separate values. + # In case of "*" other values will be ignored + extensions: txt + moderator: + role: Moderator + +# EMBEDDED SERVER CONFIGURATION (ServerProperties) +server: + context-path: /WebAPI + port: 8080 + ssl: + enabled: false + key-password: "" + key-store: "" + key-store-password: "" +solr: + endpoint: ${solr.endpoint} + query: + prefix: ${solr.query.prefix} +source: + name: CDM_NAME +sparql: + endpoint: http://virtuoso.ohdsi.org:8890/sparql?default-graph-uri=&query= +spring: + autoconfigure: + exclude: org.springframework.boot.autoconfigure.ldap.LdapAutoConfiguration + batch: + initializer: + enabled: false + job: + enabled: false + repository: + isolationLevelForCreate: ISOLATION_READ_COMMITTED + tableprefix: ${datasource.ohdsi.schema}.BATCH_ + taskExecutor: + corePoolSize: 10 + maxPoolSize: 20 + queueCapacity: 2147483647 + threadGroupName: "" + threadNamePrefix: "" + cache: + jcache: + config: classpath:appCache.xml + type: jcache + datasource: + hikari: + connection-test-query: SELECT 1 + connection-test-query-timeout: 2000 + connection-timeout: 5000 + maximum-pool-size: 5 + mbean-name: authDataSource + minimum-idle: 1 + register-mbeans: true + initialize: false + flyway: + baseline-on-migrate: true + driver-class-name: ${datasource.driverClassName} + enabled: true + fail-on-missing-locations: true + locations: classpath:db/migration/postgresql + out-of-order: false + password: admin1 + placeholders: + ohdsiSchema: 
${datasource.ohdsi.schema}
+ schemas: ${datasource.ohdsi.schema}
+ table: schema_version
+ url: ${datasource.url}
+ user: ohdsi_admin_user
+ validate-on-migrate: false
+ jackson:
+ serialization:
+ write-dates-as-timestamps: true
+ jpa:
+ properties:
+ hibernate:
+ default_schema: ${datasource.ohdsi.schema}
+ generate_statistics: false
+ jdbc:
+ batch_size: 200
+ order_inserts: true
+ show-sql: false
+ profiles:
+ active: default
+tag:
+ enabled: true
+ refreshStat:
+ period: 600000
+trexsql:
+ cache-path: ./data/cache
+ enabled: false
+ extensions-path: ""
+versioning:
+ maxAttempt: 10
diff --git a/src/test/java/org/ohdsi/webapi/test/ITStarter.java b/src/test/java/org/ohdsi/webapi/test/ITStarter.java
index 94e17a5e8c..a24451d910 100644
--- a/src/test/java/org/ohdsi/webapi/test/ITStarter.java
+++ b/src/test/java/org/ohdsi/webapi/test/ITStarter.java
@@ -39,10 +39,10 @@ public static void before() throws IOException {
 String jdbcUrl = pg.getPostgresDatabase().getConnection().getMetaData().getURL();
 System.setProperty("datasource.url", jdbcUrl);
 System.setProperty("spring.flyway.url", jdbcUrl);
- System.setProperty("security.db.datasource.url", jdbcUrl);
- System.setProperty("security.db.datasource.username", "postgres");
- System.setProperty("security.db.datasource.password", "postgres");
- System.setProperty("security.db.datasource.schema", "public");
+ System.setProperty("security.auth.jdbc.datasource.url", jdbcUrl);
+ System.setProperty("security.auth.jdbc.datasource.username", "postgres");
+ System.setProperty("security.auth.jdbc.datasource.password", "postgres");
+ System.setProperty("security.auth.jdbc.datasource.schema", "public");
 } catch (SQLException e) {
 throw new RuntimeException(e);
 }
diff --git a/src/test/resources/application-test.properties b/src/test/resources/application-test.properties
index 77c4a365a4..50529fafb1 100644
--- a/src/test/resources/application-test.properties
+++ b/src/test/resources/application-test.properties
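Review bot: The `authenticationQuery` default under `security.auth.jdbc.datasource` names the schema twice — `${security.auth.jdbc.datasource.schema}` resolves to `your_schema` with this file's own defaults, so the query becomes `select password from your_schema.your_schema.users …` and JDBC authentication would fail as soon as it is enabled; the placeholder alone should suffice: `authenticationQuery: select password from ${security.auth.jdbc.datasource.schema}.users where lower(email) = lower(?)`. This packaged file also ships non-empty credentials as defaults — `datasource.password: app1`, `security.auth.jdbc.datasource.password: app1dbsecurity_pass`, `spring.flyway.password: admin1` and the base64 Basic credential in `executionengine.resultCallback.token` — which would apply silently whenever an operator's external config omits the key; empty strings (as the ldap, ad and saml sections already use) or unresolved `${…}` placeholders fail loudly instead. `jasypt.encryptor.algorithm: PBEWithMD5AndDES` is a legacy cipher; a comment such as `# legacy default kept for compatibility; when enabling the encryptor prefer an AES-based PBE algorithm (jasypt-spring-boot's current default is PBEWITHHMACSHA512ANDAES_256)` would steer operators who switch `jasypt.encryptor.enabled` on.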
@@ -1,5 +1,5 @@
 baseUri=http://localhost:${local.server.port}${server.context-path}
-security.db.datasource.url=http://localhost:${datasource.url}/arachne_portal_enterprise
+security.auth.jdbc.datasource.url=http://localhost:${datasource.url}/arachne_portal_enterprise
 vocabularyservice.endpoint=${baseUri}/vocabulary
 cdmResultsService.endpoint=${baseUri}/cdmresults
 #GET vocabularies
From 09e873ae73218cfaab0be117966985ac06a6bda3 Mon Sep 17 00:00:00 2001 From: Chris Knoll Date: Thu, 22 Jan 2026 21:57:28 -0500 Subject: [PATCH 2/8] Added 'how to launch' info to Readme.md. --- README.md | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+)
diff --git a/README.md b/README.md
index 2e7a2e0470..435746d726 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,62 @@ The API Documentation is found at [http://webapidoc.ohdsi.org/](http://webapidoc Documentation can be found a the [Web API Installation Guide](https://github.com/OHDSI/WebAPI/wiki) which covers the system requirements and installation instructions. +## WebAPI Configuration in version 3.0 + +Application configuration has moved from a maven build-based pipeline (in version 2.x) to external configuration in WebAPI 3.0 (and using a new YAML format) as described in this [Atlas Sandbox project](https://github.com/OHDSI/AtlasWebAPISandbox/tree/main/ExternalConfig). + +### VS.Code Launch settings Example + +In VS Code, to launch the app using an external config, you can define a new launch settings in your local .vscode/launch.json file: + +``` +{ + "configurations": [ + { + "type": "java", + "name": "WebApi", + "request": "launch", + "mainClass": "org.ohdsi.webapi.WebApi", + "projectName": "WebAPI", + "vmArgs": "-Dspring.config.additional-location=file:C:/localsource/VSCodeWorkspace/webapi30-application.yaml" + } + ] +} +``` +_Note the format of Windows paths in this example_ + +This will pass the necessary VM arg to load additional Spring configuration from the specified file. For example, for a local Postgres install with Windows Authentication enabled: + +``` +datasource: + dialect: postgresql + dialect.source: postgresql + driverClassName: org.postgresql.Driver + ohdsi: + schema: webapi + password: app1 + url: jdbc:postgresql://localhost:5436/OHDSI_30 + username: ohdsi_app_user +security: + auth: + windows: + enabled: true + origin: http://localhost + provider: AtlasRegularSecurity +``` +### Deploying WAR to Tomcat + +You can provide the enviornment variable `spring.config.additional-location` using a context.xml that is uploaded along with the WAR: + +``` + + + +``` + ## JAR Build (Executable) WebAPI can also be built as a self-contained executable JAR with embedded Tomcat: From e446df21e1d475b5ecbf47890505a77382cc0c0c Mon Sep 17 00:00:00 2001 
From: Chris Knoll Date: Fri, 23 Jan 2026 13:12:02 -0500 Subject: [PATCH 3/8] Rename auth.oid to auth.openId for clarity. --- .../java/org/ohdsi/webapi/OidcConfCreator.java | 14 +++++++------- .../org/ohdsi/webapi/auth/AuthProviderService.java | 4 ++-- .../shiro/management/AtlasRegularSecurity.java | 4 ++-- src/main/resources/application.yaml | 2 +- 4 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/src/main/java/org/ohdsi/webapi/OidcConfCreator.java b/src/main/java/org/ohdsi/webapi/OidcConfCreator.java
index 96c358323b..281a960824 100644
--- a/src/main/java/org/ohdsi/webapi/OidcConfCreator.java
+++ b/src/main/java/org/ohdsi/webapi/OidcConfCreator.java
@@ -39,25 +39,25 @@ public class OidcConfCreator {
 private volatile OidcConfiguration cachedConfiguration;
 private final Object lock = new Object();
- @Value("${security.auth.oid.clientId}")
+ @Value("${security.auth.openId.clientId}")
 private String clientId;
- @Value("${security.auth.oid.apiSecret}")
+ @Value("${security.auth.openId.apiSecret}")
 private String apiSecret;
- @Value("${security.auth.oid.url}")
+ @Value("${security.auth.openId.url}")
 private String url;
- @Value("${security.auth.oid.externalUrl:}")
+ @Value("${security.auth.openId.externalUrl:}")
 private String externalUrl;
- @Value("${security.auth.oid.logoutUrl}")
+ @Value("${security.auth.openId.logoutUrl}")
 private String logoutUrl;
- @Value("${security.auth.oid.extraScopes}")
+ @Value("${security.auth.openId.extraScopes}")
 private String extraScopes;
- @Value("#{${security.auth.oid.customParams:{T(java.util.Collections).emptyMap()}}}")
+ @Value("#{${security.auth.openId.customParams:{T(java.util.Collections).emptyMap()}}}")
 private Map customParams = new HashMap<>();
 @Value("${security.auth.oauth.callback.api}")
diff --git a/src/main/java/org/ohdsi/webapi/auth/AuthProviderService.java b/src/main/java/org/ohdsi/webapi/auth/AuthProviderService.java
index bd8982e588..766abb7dbb 100644
--- a/src/main/java/org/ohdsi/webapi/auth/AuthProviderService.java
+++ b/src/main/java/org/ohdsi/webapi/auth/AuthProviderService.java
@@ -52,7 +52,7 @@ public class AuthProviderService {
 @Value("${security.auth.cas.enabled}")
 private boolean casAuthEnabled;
- @Value("${security.auth.oid.enabled}")
+ @Value("${security.auth.openId.enabled}")
 private boolean openidAuthEnabled;
 @Value("${security.auth.oauth.facebook.enabled}")
@@ -67,7 +67,7 @@ public class AuthProviderService {
 @Value("${security.auth.saml.enabled}")
 private boolean samlAuthEnabled;
- @Value("${security.auth.oid.logoutUrl:}")
+ @Value("${security.auth.openId.logoutUrl:}")
 private String oidcLogoutUrl;
 /**
diff --git a/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java b/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java
index a87e4b95b0..c5ca7837c4 100644
--- a/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java
+++ b/src/main/java/org/ohdsi/webapi/shiro/management/AtlasRegularSecurity.java
@@ -210,7 +210,7 @@ public class AtlasRegularSecurity extends AtlasSecurity {
 @Autowired
 private LdapUserMapper ldapUserMapper;
- @Value("${security.auth.oid.redirectUrl}")
+ @Value("${security.auth.openId.redirectUrl}")
 private String redirectUrl;
 @Value("${security.auth.cas.loginUrl}")
@@ -249,7 +249,7 @@ public class AtlasRegularSecurity extends AtlasSecurity {
 @Value("${security.auth.cas.enabled}")
 private boolean casAuthEnabled;
- @Value("${security.auth.oid.enabled}")
+ @Value("${security.auth.openId.enabled}")
 private boolean openidAuthEnabled;
 @Value("${security.auth.oauth.facebook.enabled}")
diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
index d47f77fb3f..9eb8f5082b 100644
--- a/src/main/resources/application.yaml
+++ b/src/main/resources/application.yaml
@@ -217,7 +217,7 @@ security:
 apiKey: ""
 apiSecret: ""
- oid: # OpenID
+ openId: # OpenID
 enabled: false
 apiSecret: ""
 clientId: ""
From 2c0dbcfdebaaf5a24bb131726ab53a1ce4f04914 Mon Sep 17 00:00:00 2001 From: Chris Knoll Date: Fri, 23 Jan 2026 20:12:29 -0500 Subject: [PATCH 4/8] remove 'enable' from auth.oauth since there is no generic 'oauth', oauth groups google, facebook and github, wich each has their own enable flag. --- src/main/resources/application.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml index 9eb8f5082b..b879102a2f 100644 --- a/src/main/resources/application.yaml +++ b/src/main/resources/application.yaml @@ -199,7 +199,6 @@ security: usernameAttr: cn oauth: # OAuth - enabled: false callback: api: http://localhost:8080/WebAPI/user/oauth/callback ui: http://localhost/Atlas/#/welcome From 6dd83960dde3e98b1edc71befc290c58736d6303 Mon Sep 17 00:00:00 2001 From: Peter Hoffmann <954078+p-hoffmann@users.noreply.github.com> Date: Sat, 24 Jan 2026 18:47:53 +0800 Subject: [PATCH 5/8] fix docker build --- .github/workflows/ci.yaml | 7 ++----- .github/workflows/release.yaml | 33 ++++++++++++++++----------------- Dockerfile | 9 +++------ pom.xml | 4 ++-- 4 files changed, 23 insertions(+), 30 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 4f676c1688..4ef3a84208 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -14,9 +14,6 @@ jobs: # The type of runner that the job will run on runs-on: ubuntu-latest - env: - MAVEN_PROFILE: webapi-postgresql - # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it 
@@ -38,10 +35,10 @@ jobs: ${{ runner.os }}-maven- - name: Build code - run: mvn -B -DskipTests=true -DskipUnitTests=true -P${{ env.MAVEN_PROFILE }} package + run: mvn -B -DskipTests=true -DskipUnitTests=true package - name: Test - run: mvn -B -P${{ env.MAVEN_PROFILE }} test + run: mvn -B test # Check that the docker image builds correctly # Push to ghcr.io for commits on master or webapi-3.0. diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index fc5254089c..82bf0b9f13 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -10,16 +10,13 @@ env: jobs: upload: - env: - MAVEN_PROFILE: webapi-postgresql - # The type of runner that the job will run on runs-on: ubuntu-latest # Steps represent a sequence of tasks that will be executed as part of the job steps: # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - uses: actions/setup-java@v4 with: @@ -37,10 +34,10 @@ jobs: ${{ runner.os }}-maven- - name: Build JAR - run: mvn -B -DskipTests=true -DskipUnitTests=true -P${{ env.MAVEN_PROFILE }} package + run: mvn -B -DskipTests=true -DskipUnitTests=true -Dpackaging.type=jar package - name: Build WAR - run: mvn -B -DskipTests=true -DskipUnitTests=true -P${{ env.MAVEN_PROFILE }},war package + run: mvn -B -DskipTests=true -DskipUnitTests=true package # Upload both JAR and WAR to GitHub release - name: Upload to GitHub 
@@ -50,32 +47,34 @@ jobs:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 # Build and push tagged release docker image to
- # ohdsi/atlas: and ohdsi/atlas:latest.
+ # ohdsi/webapi: and ohdsi/webapi:latest.
 docker:
 # The type of runner that the job will run on
 runs-on: ubuntu-latest
 # Steps represent a sequence of tasks that will be executed as part of the job
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
 # Add Docker labels and tags
 - name: Docker meta
 id: docker_meta
- uses: crazy-max/ghaction-docker-meta@v1
+ uses: docker/metadata-action@v5
 with:
 images: ${{ env.DOCKER_IMAGE }}
- tag-match: v(.*)
- tag-match-group: 1
+ tags: |
+ type=semver,pattern={{version}}
+ type=semver,pattern={{major}}.{{minor}}
+ type=raw,value=latest
 # Setup docker build environment
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v1
+ uses: docker/setup-qemu-action@v3
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v1
+ uses: docker/setup-buildx-action@v3
 - name: Login to DockerHub
- uses: docker/login-action@v1
+ uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKER_HUB_USERNAME }}
 password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
@@ -83,15 +82,15 @@ jobs:
 - name: Set build parameters
 id: build_params
 run: |
- echo "::set-output name=sha8::${GITHUB_SHA::8}"
+ echo "sha8=${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
 - name: Build and push
 id: docker_build
- uses: docker/build-push-action@v2
+ uses: docker/build-push-action@v5
 with:
 context: ./
 file: ./Dockerfile
- # Allow running the image on the architectures supported by nginx-unprivileged:alpine.
+ # Allow running the image on the architectures supported by the base image.
 platforms: linux/amd64,linux/arm64
 push: true
 build-args: |
diff --git a/Dockerfile b/Dockerfile
index b1ebb7211d..1385bd48e0 100644
--- a/Dockerfile
+++ b/Dockerfile
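Review bot: `type=raw,value=latest` in the new `tags:` block moves `latest` unconditionally on every run of the docker job, including a pre-release tag such as a release candidate, whereas docker/metadata-action's default `flavor: latest=auto` already adds `latest` for the `type=semver` entries only when the version is not a pre-release. Dropping the `type=raw,value=latest` line (or adding `flavor: latest=auto` under `with:` to make the intent explicit) keeps `latest` pointing at the newest stable release. The workflow trigger is outside the hunk, so whether pre-release tags can reach this job is inferred rather than confirmed.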
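Review bot: The rewritten output line `echo "sha8=${GITHUB_SHA::8}" >> $GITHUB_OUTPUT` leaves the redirection target unquoted; the runner-provided path has no whitespace today, but `>> "$GITHUB_OUTPUT"` costs nothing and matches the quoting already used on the left-hand side. The `build-args:` list that consumes `sha8` continues past the end of the hunk.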
@@ -2,18 +2,15 @@ FROM maven:3.9-eclipse-temurin-21 AS builder
 WORKDIR /code
-ARG MAVEN_PROFILE=webapi-docker,trexsql
+ARG MAVEN_PROFILE=trexsql
 ARG MAVEN_PARAMS="" # can use maven options, e.g. -DskipTests=true -DskipUnitTests=true
 ARG OPENTELEMETRY_JAVA_AGENT_VERSION=1.17.0
 RUN curl -LSsO https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/download/v${OPENTELEMETRY_JAVA_AGENT_VERSION}/opentelemetry-javaagent.jar
-# Download dependencies
+# Download dependencies (for Docker layer caching)
 COPY pom.xml /code/
-RUN mkdir .git \
- && mvn package \
- -Dpackaging.type=jar \
- -P${MAVEN_PROFILE}
+RUN mvn dependency:go-offline -DskipTests -P${MAVEN_PROFILE}
 ARG GIT_BRANCH=unknown
 ARG GIT_COMMIT_ID_ABBREV=unknown
diff --git a/pom.xml b/pom.xml
index 691c4d07b4..58e8c79911 100644
--- a/pom.xml
+++ b/pom.xml
@@ -929,7 +929,7 @@
- tcache
+ trexsql
 true
@@ -937,7 +937,7 @@
 com.github.p-hoffmann trexsql-ext
- v0.1.18
+ v0.1.23
From 851ac0f617bdc102c98a0c3207ee7e19288a75b3 Mon Sep 17 00:00:00 2001
From: Peter Hoffmann <954078+p-hoffmann@users.noreply.github.com>
Date: Sat, 24 Jan 2026 18:59:21 +0800
Subject: [PATCH 6/8] fix
---
 Dockerfile | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 1385bd48e0..528dfadec0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,14 +8,11 @@ ARG MAVEN_PARAMS="" # can use maven options, e.g. -DskipTests=true -DskipUnitTes
 ARG OPENTELEMETRY_JAVA_AGENT_VERSION=1.17.0
 RUN curl -LSsO https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/download/v${OPENTELEMETRY_JAVA_AGENT_VERSION}/opentelemetry-javaagent.jar
-# Download dependencies (for Docker layer caching)
-COPY pom.xml /code/
-RUN mvn dependency:go-offline -DskipTests -P${MAVEN_PROFILE}
 ARG GIT_BRANCH=unknown
 ARG GIT_COMMIT_ID_ABBREV=unknown
 # Compile code and repackage it
+COPY pom.xml /code/
 COPY src /code/src
 RUN mvn package ${MAVEN_PARAMS} \
 -Dpackaging.type=jar \
From 71c6338c30e64cc5dd2a62e6d7b26385704de22a Mon Sep 17 00:00:00 2001
From: Peter Hoffmann <954078+p-hoffmann@users.noreply.github.com>
Date: Sat, 24 Jan 2026 19:13:46 +0800
Subject: [PATCH 7/8] update env variables
---
 docker/auth-test/docker-compose.yml | 36 ++++++++++++++---------------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/docker/auth-test/docker-compose.yml b/docker/auth-test/docker-compose.yml
index 8a7ebf69d6..b77c6d7b8b 100644
--- a/docker/auth-test/docker-compose.yml
+++ b/docker/auth-test/docker-compose.yml
@@ -58,24 +58,24 @@ services:
 - SECURITY_AUTH_CAS_ENABLED=false
 - SECURITY_AUTH_WINDOWS_ENABLED=false
 - SECURITY_AUTH_KERBEROS_ENABLED=false
- - SECURITY_AUTH_GOOGLE_ENABLED=false
- - SECURITY_AUTH_FACEBOOK_ENABLED=false
- - SECURITY_AUTH_GITHUB_ENABLED=false
- - SECURITY_OID_CLIENTID=webapi-client
- - SECURITY_OID_APISECRET=webapi-secret
- - SECURITY_OID_URL=http://mock-oauth2:9090/default/.well-known/openid-configuration
- - SECURITY_OID_EXTERNALURL=http://localhost:9090/default
- - SECURITY_OID_LOGOUTURL=http://localhost:9090/default/endsession
- - SECURITY_OID_EXTRASCOPES=profile email
- - SECURITY_OAUTH_CALLBACK_UI=http://localhost:18080/WebAPI/#/welcome
- - SECURITY_OAUTH_CALLBACK_API=http://localhost:18080/WebAPI/user/oauth/callback
- - SECURITY_OAUTH_CALLBACK_URLRESOLVER=query
- - SECURITY_DB_DATASOURCE_URL=jdbc:postgresql://postgres:5432/ohdsi
- - SECURITY_DB_DATASOURCE_DRIVERCLASSNAME=org.postgresql.Driver
- - SECURITY_DB_DATASOURCE_USERNAME=postgres
- - SECURITY_DB_DATASOURCE_PASSWORD=postgres
- - SECURITY_DB_DATASOURCE_SCHEMA=webapi
- - SECURITY_DB_DATASOURCE_AUTHENTICATIONQUERY=select password, firstname, middlename, lastname from webapi.users where lower(email) = lower(?)
+ - SECURITY_AUTH_OAUTH_GOOGLE_ENABLED=false
+ - SECURITY_AUTH_OAUTH_FACEBOOK_ENABLED=false
+ - SECURITY_AUTH_OAUTH_GITHUB_ENABLED=false
+ - SECURITY_AUTH_OPENID_CLIENTID=webapi-client
+ - SECURITY_AUTH_OPENID_APISECRET=webapi-secret
+ - SECURITY_AUTH_OPENID_URL=http://mock-oauth2:9090/default/.well-known/openid-configuration
+ - SECURITY_AUTH_OPENID_EXTERNALURL=http://localhost:9090/default
+ - SECURITY_AUTH_OPENID_LOGOUTURL=http://localhost:9090/default/endsession
+ - SECURITY_AUTH_OPENID_EXTRASCOPES=profile email
+ - SECURITY_AUTH_OAUTH_CALLBACK_UI=http://localhost:18080/WebAPI/#/welcome
+ - SECURITY_AUTH_OAUTH_CALLBACK_API=http://localhost:18080/WebAPI/user/oauth/callback
+ - SECURITY_AUTH_OAUTH_CALLBACK_URLRESOLVER=query
+ - SECURITY_AUTH_JDBC_DATASOURCE_URL=jdbc:postgresql://postgres:5432/ohdsi
+ - SECURITY_AUTH_JDBC_DATASOURCE_DRIVERCLASSNAME=org.postgresql.Driver
+ - SECURITY_AUTH_JDBC_DATASOURCE_USERNAME=postgres
+ - SECURITY_AUTH_JDBC_DATASOURCE_PASSWORD=postgres
+ - SECURITY_AUTH_JDBC_DATASOURCE_SCHEMA=webapi
+ - SECURITY_AUTH_JDBC_DATASOURCE_AUTHENTICATIONQUERY=select password, firstname, middlename, lastname from webapi.users where lower(email) = lower(?)
 - LOGGING_LEVEL_ORG_OHDSI_WEBAPI_SECURITY=DEBUG
 - LOGGING_LEVEL_ORG_SPRINGFRAMEWORK_SECURITY=DEBUG
 ports:
From 3ddfb9b5561e8213f4882a426cdccea8360f9302 Mon Sep 17 00:00:00 2001
From: Peter Hoffmann <954078+p-hoffmann@users.noreply.github.com>
Date: Sat, 24 Jan 2026 19:33:21 +0800
Subject: [PATCH 8/8] readd oauth2-oidc-sdk
---
 pom.xml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pom.xml b/pom.xml
index 58e8c79911..80550ad142 100644
--- a/pom.xml
+++ b/pom.xml
@@ -309,6 +309,12 @@
+
+ com.nimbusds
+ oauth2-oidc-sdk
+ 11.13
+
 com.github.jknack
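Review bot: The renamed variables (`SECURITY_AUTH_OPENID_*`, `SECURITY_AUTH_OAUTH_*`, `SECURITY_AUTH_JDBC_DATASOURCE_*`) are presumably meant to bind to `security.auth.openid`, `security.auth.oauth` and `security.auth.jdbc.datasource` keys in application.yaml, but Spring's relaxed binding silently ignores an environment variable that matches no property, so a prefix that doesn't line up leaves that setting at its default instead of failing the container; worth checking each prefix against the YAML once, since only the `oauth.callback` keys under `security` appear in this series. The new side also keeps literal credentials (`SECURITY_AUTH_OPENID_APISECRET=webapi-secret`, `SECURITY_AUTH_JDBC_DATASOURCE_PASSWORD=postgres`), which is fine for a local fixture backed by the `mock-oauth2` container, but a comment such as `# Test-only values for the local mock-oauth2 and postgres containers; do not reuse outside docker/auth-test` above the `environment:` block would make that explicit. The `environment:` block starts before the hunk.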