Merge branch 'develop' into fb_embedded_pipelineExtract

gradle.properties

@@ -10,7 +10,7 @@ org.gradle.caching=true
 org.gradle.parallel=true
 # comment out and Gradle will attempt to determine the optimal number of executor threads to use
 # (this could be memory-intensive)
-org.gradle.workers.max=6
+org.gradle.workers.max=3
 # Default to using 2GB of memory for the JVM.
 org.gradle.jvmargs=-Xmx2048m -XX:+UseParallelGC
 # Uncomment to restrict the number of concurrent npm build tasks. Useful for systems with limited resources.
@@ -62,7 +62,7 @@ windowsProteomicsBinariesVersion=1.0
 # The current version numbers for the gradle plugins.
 artifactoryPluginVersion=4.31.9
 gradleNodePluginVersion=3.5.1
-gradlePluginsVersion=2.2.2
+gradlePluginsVersion=2.3.0
 owaspDependencyCheckPluginVersion=8.4.3
 versioningPluginVersion=1.1.2
 
@@ -292,8 +292,7 @@ springBootTomcatVersion=10.1.18
 
 springVersion=6.1.3
 
-# Do not upgrade until BaseDaoImpl stops calling getGeneratedKeys(), Issue 49462
-sqliteJdbcVersion=3.42.0.1
+sqliteJdbcVersion=3.45.1.0
 
 # NLP and SAML bring stax2-api in as a transitive dependency but with very different versions. We force the later version.
 stax2ApiVersion=4.2.1

server/configs/application.properties

@@ -4,12 +4,13 @@ server.port=@@serverPort@@
 
 #server.ssl.enabled=true
 #server.ssl.enabled-protocols=TLSv1.3,TLSv1.2,TLSv1.1
-#server.ssl.key-alias=my_selfsigned
-#server.ssl.key-store=/path/to/key-store-file
-#server.ssl.key-store-password=pwd
+#server.ssl.protocol=TLS
+#server.ssl.key-alias=tomcat
+#server.ssl.key-store=@@keyStore@@
+#server.ssl.key-store-password=@@keyStorePassword@@
 # Typically either PKCS12 or JKS
 #server.ssl.key-store-type=PKCS12
-#server.ssl.ciphers=ciphers
+#server.ssl.ciphers=HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL
 
 # HTTP-only port for servers that need to handle both HTTPS (configure via server.port and server.ssl above) and HTTP
 #context.httpPort=8080
@@ -35,14 +36,6 @@ context.resources.jdbc.labkeyDataSource.validationQuery=SELECT 1
 #context.resources.jdbc.@@extraJdbcDataSource@@.username=@@extraJdbcUsername@@
 #context.resources.jdbc.@@extraJdbcDataSource@@.password=@@extraJdbcPassword@@
 
-# Retain legacy syntax until automated tests are updated to configure via the 'context.resources.jdbc.' prefix
-#context.dataSourceName[1]=jdbc/@@extraJdbcDataSource@@
-#context.driverClassName[1]=@@extraJdbcDriverClassName@@
-#context.url[1]=@@extraJdbcUrl@@
-#context.username[1]=@@extraJdbcUsername@@
-#context.password[1]=@@extraJdbcPassword@@
-
-
 #useLocalBuild#context.webAppLocation=@@pathToServer@@/build/deploy/labkeyWebapp
 context.encryptionKey=@@encryptionKey@@
 
@@ -103,17 +96,15 @@ mail.smtpUser=@@smtpUser@@
 # HTTP session timeout for users - defaults to 30 minutes
 #server.servlet.session.timeout=30m
 
-## Make management endpoints accessible with LabKey at ROOT context path
-server.servlet.context-path=/actuator
-management.endpoints.web.base-path=/
+
 #Enable shutdown endpoint
 management.endpoint.shutdown.enabled=true
 # turn off other endpoints
 management.endpoints.enabled-by-default=false
 # allow access via http
 management.endpoints.web.exposure.include=*
-# Use a separate port for the actuator
-#management.server.port=8081
+# Use a separate port for management endpoints. Required if LabKey is using default (ROOT) context path
+management.server.port=@@shutdownPort@@
 
 # Don't show the Spring banner on startup
 spring.main.banner-mode=off
@@ -171,20 +162,20 @@ spring.main.banner-mode=off
 #    report-uri  https://www.labkey.org/admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
 
 # Default CSP for TeamCity and dev deployments
-#setupTask#csp.report=\
-#setupTask#    default-src 'self' https: http: ;\
-#setupTask#    connect-src 'self' localhost:* ws: ${LABKEY.ALLOWED.CONNECTIONS} ;\
-#setupTask#    object-src 'none' ;\
-#setupTask#    style-src 'self' https: 'unsafe-inline' ;\
-#setupTask#    img-src 'self' https: data: ;\
-#setupTask#    font-src 'self' http: https: data: ;\
-#setupTask#    script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;\
-#setupTask#    base-uri 'self' ;\
-#setupTask#    frame-ancestors 'self' ;\
-#setupTask#    report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
+csp.report=\
+    default-src 'self' https: http: ;\
+    connect-src 'self' localhost:* ws: ${LABKEY.ALLOWED.CONNECTIONS} ;\
+    object-src 'none' ;\
+    style-src 'self' https: 'unsafe-inline' ;\
+    img-src 'self' https: data: ;\
+    font-src 'self' http: https: data: ;\
+    script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;\
+    base-uri 'self' ;\
+    frame-ancestors 'self' ;\
+    report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
 
 # Use a non-temp directory for tomcat
-#setupTask#server.tomcat.basedir=@@pathToServer@@/build/deploy/embedded
+server.tomcat.basedir=.
 
 # Enable tomcat access log
 server.tomcat.accesslog.enabled=true

server/embedded/src/org/labkey/embedded/LabKeyServer.java

@@ -25,6 +25,8 @@ public class LabKeyServer
     private static final Log LOG = LogFactory.getLog(LabKeyServer.class);
 
     private static final String TERMINATE_ON_STARTUP_FAILURE = "terminateOnStartupFailure";
+    private static final String JARS_TO_SKIP = "tomcat.util.scan.StandardJarScanFilter.jarsToSkip";
+    private static final String JARS_TO_SCAN = "tomcat.util.scan.StandardJarScanFilter.jarsToScan";
     private static final String SERVER_GUID = "serverGUID";
     public static final String SERVER_GUID_PARAMETER_NAME = "org.labkey.mothership." + SERVER_GUID;
     static final String MAX_TOTAL_CONNECTIONS_DEFAULT = "50";
@@ -48,6 +50,17 @@ public static void main(String[] args)
             System.setProperty(TERMINATE_ON_STARTUP_FAILURE, "true");
         }
 
+        // Restrict Tomcat's jar scanning to the absolute minimum to speed up server startup. Downside is we need to
+        // update the jarsToScan list any time we add a new @WebListener annotation... but this happens very rarely.
+        // More elegant approaches (e.g., constructing, configuring, and setting a JarScanner/JarScanFilter pair in
+        // LabKeyTomcatServletWebServerFactory.postProcessContext()) don't seem to work. There's evidence that Spring
+        // Boot overwrites settings and also that Tomcat's property vs. code behavior differs.
+        if (System.getProperty(JARS_TO_SKIP) == null && System.getProperty(JARS_TO_SCAN) == null)
+        {
+            System.setProperty(JARS_TO_SKIP, "*");
+            System.setProperty(JARS_TO_SCAN, "rstudio-??.?*.jar,cas-??.?*.jar,core-??.?*.jar,connectors-??.?*.jar,devtools-??.?*.jar");
+        }
+
         SpringApplication application = new SpringApplication(LabKeyServer.class);
         application.addListeners(new ApplicationPidFileWriter("./labkey.pid"));
         application.run(args);