From 0d0b48017977ba02ef9d3276b4f71a0a3d80ad46 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Tue, 13 Feb 2024 23:14:57 -0500
Subject: [PATCH 1/3] Speed up server startup by restricting jar scanning to bare minimum (#722)
---
 .../src/org/labkey/embedded/LabKeyServer.java | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/server/embedded/src/org/labkey/embedded/LabKeyServer.java b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
index 08662804ab..2a330e3416 100644
--- a/server/embedded/src/org/labkey/embedded/LabKeyServer.java
+++ b/server/embedded/src/org/labkey/embedded/LabKeyServer.java
@@ -24,6 +24,8 @@ public class LabKeyServer
 private static final Log LOG = LogFactory.getLog(LabKeyServer.class);
 private static final String TERMINATE_ON_STARTUP_FAILURE = "terminateOnStartupFailure";
+ private static final String JARS_TO_SKIP = "tomcat.util.scan.StandardJarScanFilter.jarsToSkip";
+ private static final String JARS_TO_SCAN = "tomcat.util.scan.StandardJarScanFilter.jarsToScan";
 private static final String SERVER_GUID = "serverGUID";
 public static final String SERVER_GUID_PARAMETER_NAME = "org.labkey.mothership." + SERVER_GUID;
 static final String MAX_TOTAL_CONNECTIONS_DEFAULT = "50";
@@ -40,6 +42,17 @@ public static void main(String[] args)
 System.setProperty(TERMINATE_ON_STARTUP_FAILURE, "true");
 }
+ // Restrict Tomcat's jar scanning to the absolute minimum to speed up server startup. Downside is we need to
+ // update the jarsToScan list any time we add a new @WebListener annotation... but this happens very rarely.
+ // More elegant approaches (e.g., constructing, configuring, and setting a JarScanner/JarScanFilter pair in
+ // LabKeyTomcatServletWebServerFactory.postProcessContext()) don't seem to work. There's evidence that Spring
+ // Boot overwrites settings and also that Tomcat's property vs. code behavior differs.
+ if (System.getProperty(JARS_TO_SKIP) == null && System.getProperty(JARS_TO_SCAN) == null)
+ {
+ System.setProperty(JARS_TO_SKIP, "*");
+ System.setProperty(JARS_TO_SCAN, "rstudio-??.?*.jar,cas-??.?*.jar,core-??.?*.jar,connectors-??.?*.jar,devtools-??.?*.jar");
+ }
+
 SpringApplication application = new SpringApplication(LabKeyServer.class);
 application.addListeners(new ApplicationPidFileWriter("./labkey.pid"));
 application.run(args);
From 694e6f1291ad5d84c19c6b64180b8ba7338b49b2 Mon Sep 17 00:00:00 2001
From: Josh Eckels
Date: Fri, 16 Feb 2024 19:41:49 -0800
Subject: [PATCH 2/3] Issue 49462: Upgrade SQLite JDBC driver (#724)
---
 gradle.properties | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/gradle.properties b/gradle.properties
index f27d44b402..8c049c004b 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -292,8 +292,7 @@ springBootTomcatVersion=10.1.18
 springVersion=6.1.3
-# Do not upgrade until BaseDaoImpl stops calling getGeneratedKeys(), Issue 49462
-sqliteJdbcVersion=3.42.0.1
+sqliteJdbcVersion=3.45.1.0
 # NLP and SAML bring stax2-api in as a transitive dependency but with very different versions. We force the later version.
 stax2ApiVersion=4.2.1
From 24d3443853a743b22bb82d408de629ce8a648cdf Mon Sep 17 00:00:00 2001
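Review bot: Setting `jarsToSkip=*` with a five-jar allow list turns off Tomcat's jar scanning for every other jar on the classpath, and as far as I understand Tomcat's StandardJarScanFilter that suppresses not just `@WebListener` discovery but also `@WebFilter`/`@WebServlet` annotations, `web-fragment.xml` fragments and `ServletContainerInitializer` service entries in any unlisted jar — so a servlet-level security filter shipped in a jar that is not on the list would silently never be installed, and the server would look healthy. The added comment only mentions `@WebListener`; I would extend it with `// Note: unlisted jars are also not scanned for @WebFilter/@WebServlet, web-fragment.xml or ServletContainerInitializers` and add `LOG.info("Restricting Tomcat jar scanning to: " + System.getProperty(JARS_TO_SCAN));` inside the `if` so an operator chasing a missing filter can see that scanning was restricted by default. The `??.?*` wildcards in `core-??.?*.jar` appear to pin the match to a two-character major version, so a change in jar naming would drop the core jar from the scan with no error, which is worth a line in the same comment. `main` continues outside the hunk.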
From: Trey Chadick
Date: Mon, 19 Feb 2024 11:53:36 -0800
Subject: [PATCH 3/3] Update properties for embedded Tomcat (#688)
- Update SSL properties to work on TeamCity
- Use alternate port for shutdown endpoint
- Remove context path hacks for shutdown endpoint
- Remove obsolete `extraJdbc*` properties
- `gradle.properties`: revert accidental change to `org.gradle.workers.max`
---
 gradle.properties | 4 +--
 server/configs/application.properties | 49 +++++++++++----------------
 2 files changed, 22 insertions(+), 31 deletions(-)
diff --git a/gradle.properties b/gradle.properties
index 8c049c004b..0a56d38680 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -10,7 +10,7 @@ org.gradle.caching=true
 org.gradle.parallel=true
 # comment out and Gradle will attempt to determine the optimal number of executor threads to use
 # (this could be memory-intensive)
-org.gradle.workers.max=6
+org.gradle.workers.max=3
 # Default to using 2GB of memory for the JVM.
 org.gradle.jvmargs=-Xmx2048m -XX:+UseParallelGC
 # Uncomment to restrict the number of concurrent npm build tasks. Useful for systems with limited resources.
@@ -62,7 +62,7 @@ windowsProteomicsBinariesVersion=1.0
 # The current version numbers for the gradle plugins.
 artifactoryPluginVersion=4.31.9
 gradleNodePluginVersion=3.5.1
-gradlePluginsVersion=2.2.2
+gradlePluginsVersion=2.3.0
 owaspDependencyCheckPluginVersion=8.4.3
 versioningPluginVersion=1.1.2
diff --git a/server/configs/application.properties b/server/configs/application.properties
index d4011a9077..7db54770d5 100644
--- a/server/configs/application.properties
+++ b/server/configs/application.properties
@@ -4,12 +4,13 @@ server.port=@@serverPort@@
 #server.ssl.enabled=true
 #server.ssl.enabled-protocols=TLSv1.3,TLSv1.2,TLSv1.1
-#server.ssl.key-alias=my_selfsigned
-#server.ssl.key-store=/path/to/key-store-file
-#server.ssl.key-store-password=pwd
+#server.ssl.protocol=TLS
+#server.ssl.key-alias=tomcat
+#server.ssl.key-store=@@keyStore@@
+#server.ssl.key-store-password=@@keyStorePassword@@
 # Typically either PKCS12 or JKS
 #server.ssl.key-store-type=PKCS12
-#server.ssl.ciphers=ciphers
+#server.ssl.ciphers=HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL
 # HTTP-only port for servers that need to handle both HTTPS (configure via server.port and server.ssl above) and HTTP
 #context.httpPort=8080
@@ -35,14 +36,6 @@ context.resources.jdbc.labkeyDataSource.validationQuery=SELECT 1
 #context.resources.jdbc.@@extraJdbcDataSource@@.username=@@extraJdbcUsername@@
 #context.resources.jdbc.@@extraJdbcDataSource@@.password=@@extraJdbcPassword@@
-# Retain legacy syntax until automated tests are updated to configure via the 'context.resources.jdbc.' prefix
-#context.dataSourceName[1]=jdbc/@@extraJdbcDataSource@@
-#context.driverClassName[1]=@@extraJdbcDriverClassName@@
-#context.url[1]=@@extraJdbcUrl@@
-#context.username[1]=@@extraJdbcUsername@@
-#context.password[1]=@@extraJdbcPassword@@
-
-
 #useLocalBuild#context.webAppLocation=@@pathToServer@@/build/deploy/labkeyWebapp
 context.encryptionKey=@@encryptionKey@@
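Review bot: The reworked SSL template still carries `#server.ssl.enabled-protocols=TLSv1.3,TLSv1.2,TLSv1.1` (the context line directly above the edited key-store lines), so whoever uncomments this block to turn on HTTPS also re-enables TLS 1.1, which RFC 8996 deprecates; since the commit is already revising these lines I would change it to `#server.ssl.enabled-protocols=TLSv1.3,TLSv1.2`. The new `#server.ssl.ciphers=HIGH:!ADH:!EXP:!SSLv2:!SSLv3:!MEDIUM:!LOW:!NULL:!aNULL` is an OpenSSL-syntax expression rather than the comma-separated JSSE suite names Spring Boot's `server.ssl.ciphers` documents; Tomcat's connector does accept OpenSSL syntax, but the suites it actually yields (`HIGH` still admits non-forward-secret RSA key-exchange suites) depend on Tomcat's parser and the JVM, so a comment such as `# OpenSSL-syntax expression, resolved by Tomcat; verify the resulting suite list on the target JVM` would save the next person a surprise. The `@@keyStorePassword@@` placeholder means the generated file holds the keystore password in clear, which is the normal Spring Boot arrangement but worth a one-line reminder that the file's permissions must exclude other users.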
@@ -103,17 +96,15 @@ mail.smtpUser=@@smtpUser@@
 # HTTP session timeout for users - defaults to 30 minutes
 #server.servlet.session.timeout=30m
-## Make management endpoints accessible with LabKey at ROOT context path
-server.servlet.context-path=/actuator
-management.endpoints.web.base-path=/
+
 #Enable shutdown endpoint
 management.endpoint.shutdown.enabled=true
 # turn off other endpoints
 management.endpoints.enabled-by-default=false
 # allow access via http
 management.endpoints.web.exposure.include=*
-# Use a separate port for the actuator
-#management.server.port=8081
+# Use a separate port for management endpoints. Required if LabKey is using default (ROOT) context path
+management.server.port=@@shutdownPort@@
 # Don't show the Spring banner on startup
 spring.main.banner-mode=off
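Review bot: `management.server.port=@@shutdownPort@@` moves the shutdown endpoint off the application port, but nothing in the hunk binds that listener to an interface, and with `management.endpoint.shutdown.enabled=true` and `management.endpoints.web.exposure.include=*` an unauthenticated POST to the shutdown endpoint from any host that can reach the port stops the server (unless Spring Security or a firewall outside this file guards it, which I cannot see here). I would add `management.server.address=127.0.0.1` directly under the port so the management listener only accepts loopback connections, and extend the comment to `# Use a separate port for management endpoints, bound to loopback only. Required if LabKey is using default (ROOT) context path`. Dropping `server.servlet.context-path=/actuator` and `management.endpoints.web.base-path=/` presumably also moves the endpoint back to Spring Boot's default `/actuator/shutdown` path on the management port, which is worth stating in the same comment so any script that called the old URL gets updated.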
@@ -171,20 +162,20 @@ spring.main.banner-mode=off
 # report-uri https://www.labkey.org/admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
 # Default CSP for TeamCity and dev deployments
-#setupTask#csp.report=\
-#setupTask# default-src 'self' https: http: ;\
-#setupTask# connect-src 'self' localhost:* ws: ${LABKEY.ALLOWED.CONNECTIONS} ;\
-#setupTask# object-src 'none' ;\
-#setupTask# style-src 'self' https: 'unsafe-inline' ;\
-#setupTask# img-src 'self' https: data: ;\
-#setupTask# font-src 'self' http: https: data: ;\
-#setupTask# script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;\
-#setupTask# base-uri 'self' ;\
-#setupTask# frame-ancestors 'self' ;\
-#setupTask# report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
+csp.report=\
+ default-src 'self' https: http: ;\
+ connect-src 'self' localhost:* ws: ${LABKEY.ALLOWED.CONNECTIONS} ;\
+ object-src 'none' ;\
+ style-src 'self' https: 'unsafe-inline' ;\
+ img-src 'self' https: data: ;\
+ font-src 'self' http: https: data: ;\
+ script-src 'unsafe-eval' 'strict-dynamic' 'nonce-${REQUEST.SCRIPT.NONCE}' ;\
+ base-uri 'self' ;\
+ frame-ancestors 'self' ;\
+ report-uri /admin-contentsecuritypolicyreport.api?${CSP.REPORT.PARAMS} ;
 # Use a non-temp directory for tomcat
-#setupTask#server.tomcat.basedir=@@pathToServer@@/build/deploy/embedded
+server.tomcat.basedir=.
 # Enable tomcat access log
 server.tomcat.accesslog.enabled=true
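Review bot: `server.tomcat.basedir=.` resolves against whatever working directory the JVM happens to be launched from, so the `# Use a non-temp directory for tomcat` comment above it only holds if the launcher's cwd is the install directory; started from `/tmp` or `/`, Tomcat would create its `work` tree there, which is what the comment is trying to avoid. I would either keep an absolute placeholder, e.g. `server.tomcat.basedir=@@pathToServer@@`, or make the assumption explicit: `# Use a non-temp directory for tomcat (relative to the cwd the server is started from - start it from the install directory)`. The `# Default CSP for TeamCity and dev deployments` comment also no longer matches the code now that the `#setupTask#` guard is gone: this policy, with `default-src 'self' https: http:`, `connect-src 'self' localhost:* ws:` and `'unsafe-eval'`, is applied unconditionally by the template (report-only, if the `csp.report` key means what its name suggests), so the comment should say so or the guard should be kept for non-dev deployments.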