Author: jleroux
Date: Mon Feb 29 12:12:41 2016
New Revision: 1732881
URL: http://svn.apache.org/viewvc?rev=1732881&view=rev
Log: Somehow these changes were missing in R15.12, so this totally replaces contract by notsoserial in all targets of main build
Modified: ofbiz/branches/release15.12/build.xml
Modified: ofbiz/branches/release15.12/build.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/release15.12/build.xml?rev=1732881&r1=1732880&r2=1732881&view=diff
==============================================================================
--- ofbiz/branches/release15.12/build.xml (original)
+++ ofbiz/branches/release15.12/build.xml Mon Feb 29 12:12:41 2016
@@ -594,11 +594,14 @@ under the License.
 </java>
 </target>
 <target name="start-secure"
- description="Same than start but pre-loading the contrast-rO0 lib (from OFBiz roo dir) to secure OFBiz from the deserialization issue">
+ description="Same than start but pre-loading the notsoserial Java agent (from tools/security/notsoserial) to protect OFBiz from the Java deserialization vulnerability">
 <java jar="ofbiz.jar" fork="true">
 <jvmarg value="${memory.initial.param}"/>
 <jvmarg value="${memory.max.param}"/>
- <jvmarg value="-javaagent:${ofbiz.home.dir}/contrast-rO0.jar"/>
+ <jvmarg value="-javaagent:${ofbiz.home.dir}/tools/security/notsoserial/notsoserial-1.0-SNAPSHOT.jar"/>
+ <jvmarg value="-Dnotsoserial.whitelist=${ofbiz.home.dir}/tools/security/notsoserial/empty.txt"/>
+ <jvmarg value="-Dnotsoserial.dryrun=${ofbiz.home.dir}/tools/security/notsoserial/is-deserialized.txt"/>
+ <jvmarg value="-Dnotsoserial.trace=${ofbiz.home.dir}/tools/security/notsoserial/deserialize-trace.txt"/>
 <arg value="start"/>
 <arg value="-portoffset=${portoffset}"/>
 </java>
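Review bot: The `-Dnotsoserial.dryrun=...` jvmarg added to start-secure appears to put the agent into record-only mode, in which case the `empty.txt` whitelist on the line above is not enforced and deserialization of arbitrary classes is logged rather than blocked, which contradicts the target description's promise of protection; if that reading of the notsoserial options is right, the `-secure` targets should set the whitelist without the dryrun property and keep dryrun for a separate audit target whose report is then used to populate the whitelist. The same three-property set is added in start-batch-secure, start-pos-secure and start-both-secure, so the fix applies to all four. The dryrun and trace files are also written under `tools/security/notsoserial/` inside the source tree, and the trace output contains stack traces of every deserialization, which is worth calling out in a comment such as `<!-- dryrun/trace write deserialization reports under tools/security/notsoserial; restrict access to and rotate these files in production -->`.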
@@ -613,11 +616,14 @@ under the License.
 </java>
 </target>
 <target name="start-batch-secure"
- description="Same than start-batch but pre-loading the contrast-rO0 lib (from OFBiz roo dir) to secure OFBiz from the deserialization issue">
+ description="Same than start-batch but pre-loading the notsoserial Java agent (from tools/security/notsoserial) to protect OFBiz from the Java deserialization vulnerability">
 <java jar="ofbiz.jar" fork="true" spawn="true">
 <jvmarg value="${memory.initial.param}"/>
 <jvmarg value="${memory.max.param}"/>
- <jvmarg value="-javaagent:${ofbiz.home.dir}/contrast-rO0.jar"/>
+ <jvmarg value="-javaagent:${ofbiz.home.dir}/tools/security/notsoserial/notsoserial-1.0-SNAPSHOT.jar"/>
+ <jvmarg value="-Dnotsoserial.whitelist=${ofbiz.home.dir}/tools/security/notsoserial/empty.txt"/>
+ <jvmarg value="-Dnotsoserial.dryrun=${ofbiz.home.dir}/tools/security/notsoserial/is-deserialized.txt"/>
+ <jvmarg value="-Dnotsoserial.trace=${ofbiz.home.dir}/tools/security/notsoserial/deserialize-trace.txt"/>
 <arg value="start-batch"/>
 <arg value="-portoffset=${portoffset}"/>
 </java>
@@ -644,6 +650,19 @@ under the License.
 <arg value="-portoffset=${portoffset}"/><!-- Not sure this makes sense and is useful at all -->
 </java>
 </target>
+ <target name="start-pos-secure"
+ description="Same than start-pos but pre-loading the notsoserial Java agent (from tools/security/notsoserial) to protect OFBiz from the Java deserialization vulnerability">
+ <java jar="ofbiz.jar" fork="true">
+ <jvmarg value="${memory.initial.param}"/>
+ <jvmarg value="${memory.max.param}"/>
+ <jvmarg value="-javaagent:${ofbiz.home.dir}/tools/security/notsoserial/notsoserial-1.0-SNAPSHOT.jar"/>
+ <jvmarg value="-Dnotsoserial.whitelist=${ofbiz.home.dir}/tools/security/notsoserial/empty.txt"/>
+ <jvmarg value="-Dnotsoserial.dryrun=${ofbiz.home.dir}/tools/security/notsoserial/is-deserialized.txt"/>
+ <jvmarg value="-Dnotsoserial.trace=${ofbiz.home.dir}/tools/security/notsoserial/deserialize-trace.txt"/>
+ <arg value="pos"/>
+ <arg value="-portoffset=${portoffset}"/><!-- Not sure this makes sense and is useful at all -->
+ </java>
+ </target>
 <target name="start-both"
 description="Start OFBiz in both Web and POS (Point of sale) modes. Use -Dportoffset=portNumber to shift all ports with the portNumber value.">
 <java jar="ofbiz.jar" fork="true">
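Review bot: The new start-pos-secure target is the fourth copy of the same four agent jvmargs and the same long `tools/security/notsoserial` path, so the agent configuration now has to be kept in sync by hand in four places; hoisting it into a property such as `<property name="notsoserial.dir" value="${ofbiz.home.dir}/tools/security/notsoserial"/>` and referencing it as `<jvmarg value="-javaagent:${notsoserial.dir}/notsoserial-1.0-SNAPSHOT.jar"/>` (or wrapping the four lines in an Ant `<macrodef>`) would give one place to change. The bundled jar is a `1.0-SNAPSHOT` build, which pins no fixed version; a comment in build.xml recording which notsoserial source revision the jar was built from, and its checksum, would let a later reader verify what is being loaded into every JVM started from these targets. The `<!-- Not sure this makes sense and is useful at all -->` remark on the `-portoffset` line is copied verbatim from start-pos; it is better resolved than propagated into a new target.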
@@ -654,11 +673,14 @@ under the License.
 </java>
 </target>
 <target name="start-both-secure"
- description="Same than start-pos but pre-loading the contrast-rO0 lib (from OFBiz roo dir) to secure OFBiz from the deserialization issue">
+ description="Same than start-both but pre-loading the notsoserial Java agent (from tools/security/notsoserial) to protect OFBiz from the Java deserialization vulnerability">
 <java jar="ofbiz.jar" fork="true">
 <jvmarg value="${memory.initial.param}"/>
- <jvmarg value="-javaagent:${ofbiz.home.dir}/contrast-rO0.jar"/>
 <jvmarg value="${memory.max.param}"/>
+ <jvmarg value="-javaagent:${ofbiz.home.dir}/tools/security/notsoserial/notsoserial-1.0-SNAPSHOT.jar"/>
+ <jvmarg value="-Dnotsoserial.whitelist=${ofbiz.home.dir}/tools/security/notsoserial/empty.txt"/>
+ <jvmarg value="-Dnotsoserial.dryrun=${ofbiz.home.dir}/tools/security/notsoserial/is-deserialized.txt"/>
+ <jvmarg value="-Dnotsoserial.trace=${ofbiz.home.dir}/tools/security/notsoserial/deserialize-trace.txt"/>
 <arg value="both"/>
 <arg value="-portoffset=${portoffset}"/>
 </java> |