Hi,

Using "openltablets/ws:5.23.5", the from clause (tomcat:9.0.30-jdk11) pulls a total of 15 vulnerabilities marked as high. "tomcat:9.0.30-jdk11 Using "9.0-jdk11-openjdk-slim" (equivalent to tomcat:9.0.37-jdk11-openjdk-slim) has 0 vulnerabilities.

My suggestion is to update the docker files respectively for the WS and Webstudio and change the "From" clause to "9.0-jdk11-openjdk-slim". This would ensure that:

• We ingest minor fixes (non breaking changes) for Tomcat such as vulnerability fix (the same way it is currently done for jdk11) every time we pull.
• Remove unnecessary dependencies such as perl, python, curl that are not required for the openlproject by using the "slim" tag.

Additionally, running a scan in the build pipeline (such as aquasec/trivy) would provide some level of awareness.

Hi,

Version 5.24.X, in the installation PDF (page 34), the paragraph regarding deployment behind a load balancer refers to the Tomcat RemoteIpValve. This Valve is not well maintained by the Apache Project, and its homologue filter has a lot more features, such as support for X-Forwarded-Host.

In scenarios where the Host (rather than the IP) is modified by the proxy, the RemoteIpValve simply won't cut it.

Could you please consider updating the procedure toward using the Filter? I.e. Add the filter to the web-inf/web.xml.

We wasted a bit of time on this, I guess this can be useful for others.

Thank you.

Reference: https://github.com/apache/tomcat/blob/9.0.x/java/org/apache/catalina/filters/RemoteIpFilter.java https://github.com/apache/tomcat/blob/9.0.x/java/org/apache/catalina/valves/RemoteIpValve.java

Hi all,

I run mvn clean verify then i got failed , anything i missed on that

[INFO] --- maven-invoker-plugin:3.1.0:run (default) @ openl-maven-plugin --- [INFO] Building: openl-compilation-big-tableparts\pom.xml [INFO] run post-build script verify.groovy [INFO] openl-compilation-big-tableparts\pom.xml ......... FAILED (3.5 s) [INFO] The post-build script returned false. [INFO] Building: openl-compilation-error-in-sources\pom.xml [INFO] openl-compilation-error-in-sources\pom.xml ....... SUCCESS (3.0 s) [INFO] Building: openl-compilation-error-in-tests\pom.xml [INFO] openl-compilation-error-in-tests\pom.xml ......... SUCCESS (3.0 s) [INFO] Building: openl-custom-properties-file-name-processor\pom.xml [INFO] openl-custom-properties-file-name-processor\pom.xml FAILED (3.0 s) [INFO] The build exited with code 1. See C:\Users\Quang\Downloads\openl-tablets-master\Util\openl-maven-pl ugin\target\its\openl-custom-properties-file-name-processor\build.log for details. [INFO] Building: openl-data-in-dependent-module\pom.xml [INFO] openl-data-in-dependent-module\pom.xml ........... FAILED (3.0 s) [INFO] The build exited with code 1. See C:\Users\Quang\Downloads\openl-tablets-master\Util\openl-maven-pl ugin\target\its\openl-data-in-dependent-module\build.log for details. [INFO] Building: openl-empty\pom.xml [INFO] openl-empty\pom.xml .............................. SUCCESS (3.0 s) [INFO] Building: openl-external-parameters\pom.xml [INFO] openl-external-parameters\pom.xml ................ FAILED (3.0 s) [INFO] The build exited with code 1. See C:\Users\Quang\Downloads\openl-tablets-master\Util\openl-maven-pl ugin\target\its\openl-external-parameters\build.log for details. [INFO] Building: openl-gen-datatypes\pom.xml [INFO] run post-build script verify.groovy [INFO] openl-gen-datatypes\pom.xml ...................... FAILED (3.0 s) [INFO] The post-build script returned false. [INFO] Building: openl-lib-threshold-default\pom.xml [INFO] run post-build script verify.groovy [INFO] openl-lib-threshold-default\pom.xml .............. SUCCESS (3.0 s) [INFO] Building: openl-lib-threshold-increased\pom.xml [INFO] openl-lib-threshold-increased\pom.xml ............ FAILED (3.0 s) [INFO] The build exited with code 1. See C:\Users\Quang\Downloads\openl-tablets-master\Util\openl-maven-pl ugin\target\its\openl-lib-threshold-increased\build.log for details. [INFO] Building: openl-mixed-datatypes\pom.xml [INFO] run post-build script verify.groovy [INFO] openl-mixed-datatypes\pom.xml .................... FAILED (3.1 s) [INFO] The post-build script returned false. [INFO] Building: openl-multimodule\pom.xml [INFO] run post-build script verify.groovy [INFO] openl-multimodule\pom.xml ........................ FAILED (3.0 s) [INFO] The post-build script returned false. [INFO] Building: openl-recompile-without-clean\pom.xml [INFO] run post-build script verify.groovy [INFO] openl-recompile-without-clean\pom.xml ............ FAILED (3.0 s) [INFO] The post-build script returned false. [INFO] Building: openl-simple-multimodule\pom.xml [INFO] openl-simple-multimodule\pom.xml ................. FAILED (3.0 s) [INFO] The build exited with code 1. See C:\Users\Quang\Downloads\openl-tablets-master\Util\openl-maven-pl ugin\target\its\openl-simple-multimodule\build.log for details. [INFO] Building: openl-test-user-error\pom.xml [INFO] run post-build script verify.groovy [INFO] openl-test-user-error\pom.xml .................... FAILED (3.0 s) [INFO] The post-build script returned false. [INFO] Building: openl-testedmethod-has-two-candidates\pom.xml [INFO] run post-build script verify.groovy [INFO] openl-testedmethod-has-two-candidates\pom.xml .... FAILED (3.0 s) [INFO] The post-build script returned false. [INFO] Building: openl-tests-big-testsuite\pom.xml [INFO] run post-build script verify.groovy [INFO] openl-tests-big-testsuite\pom.xml ................ FAILED (3.0 s) [INFO] The post-build script returned false. [INFO] Building: openl-tests-failure\pom.xml [INFO] run post-build script verify.groovy [INFO] openl-tests-failure\pom.xml ...................... FAILED (3.1 s) [INFO] The post-build script returned false. [INFO] Building: openl-tests-separated\pom.xml [INFO] run post-build script verify.groovy [INFO] openl-tests-separated\pom.xml .................... FAILED (3.0 s) [INFO] The post-build script returned false. [INFO] ------------------------------------------------- [INFO] Build Summary: [INFO] Passed: 4, Failed: 15, Errors: 0, Skipped: 0

I'm wondering if it is possible to preconfigure the webstudio and webservices applications, so that they can be just deployed on a tomcat (mostly this will even be a docker machine), so that one can skip the webstudio installation wizard steps?

Also i'm interested whether it is possible deploy a project as a webservice directly, without having to touch the webstudio.

With this one could have a cont. deployment of current installation incl. the rules, which makes life easier.

Note: i saw that you're deploying to travis with building via maven, which is not the thing i want...

thanks

https://github.com/openl-tablets/openl-tablets/blob/5dc057699e5c74624a0e61d940f0fe113a354948/STUDIO/org.openl.rules.webstudio/src/org/openl/rules/webstudio/security/LdapToOpenLUserDetailsMapper.java#L112

The current Spring Security LDAP implementation works when the LDAP properties samAccountName and userPrincipalName are identical, though in cases where these differ, the userPrincipalName={0} search filter prevents an account from being located.

Would you consider externalizing the search string, or at least part, so that this can be adjusted as needed?

Thank you!

I am using OpenL webstudio v5.26.0 in OAuth2 user mode with the following configuration:

security.oauth2.client-id=3b529f33-8494-43a1-a364-19b0af9a091e security.oauth2.client-secret= security.oauth2.issuer-uri= security.oauth2.scope=openid,profile,email security.oauth2.grant-type=authorization_code security.oauth2.attribute.username=email security.oauth2.attribute.first-name=given_name security.oauth2.attribute.last-name=family_name security.oauth2.attribute.display-name=name security.oauth2.attribute.email=email security.oauth2.attribute.groups=groups

Which is giving 403 after authentication.

If we add security.default-group=Viewers then all authorized users are being part of Viewers group. But for the first time it is redirecting to https://:/<context_path>/web/public/notification.txt. Unlike #540 in OAuth2 user mode in Admin > Users tab details like Username, First Name, Last Name, Email, Display Name are being populated correctly.

When I used the following command to run latest docker image with postgresql driver, The logs said there is no postgresql driver found. Because the latest version use Jetty server instead of tomcat, so which path shoud I use to mount?

docker run --rm -d -p 9080:8080 -v /usr/local/poc/postgresql-42.4.0.jar:/usr/local/tomcat/lib/jdbc.jar openltablets/webstudio

We had SAML configured webstudio with the following configuration in v5.24.11: security.saml.app-url=https://server:port/openl-webstudio security.saml.saml-server-metadata-url= security.saml.default-group=Viewers security.saml.attribute.first-name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname security.saml.attribute.last-name=http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname security.saml.attribute.groups=http://schemas.microsoft.com/ws/2008/06/identity/claims/role security.saml.is-app-after-balancer=true security.saml.server-name=https://server:port security.saml.context-path=/openl-webstudio security.saml.server-certificate= security.saml.server-key-alias=changeit security.saml.public-key-alias=changeit

These configuration was working fine with reply URL as: server:port/openl-webstudio/saml/SSO and logout URL as: server:port/openl-webstudio/sal/SingleSignOut

After migrating to webstudio v5.26.0 We added security.saml.entity-id=. But we were getting error while login stating: The reply URL 'https://server:port/openl-webstudio/login/saml2/sso/webstudio' specified in the request does not match with the application 'Azure AppID'... . We changed the reply URL to https://server:port/openl-webstudio/login/saml2/sso/webstudio in the Azure portal but now we are getting 401 in webstudio and it is redirecting to server:port/open-webstudio/saml2/authenticate/webstudio.

Hi, I have used openl tablet rules engine to filter data. it's ok in WebStudio, but when running the java application, it fails binding the method defined in excel TBasic table. Please provide a solution to this. The error is like:

and the java code is like:

and the content of TBasic Table is like: messageTest.xlsx

Looking forward to your reply，thank you!

This adds a new property to the openl-ruleservice-webservices-publisher-beans.xml file, which disables parameter names.

So with this property enabled the wsdl method parameters will be called arg0, arg1, ...

We are planning to update an OpenL Server running on version 5.18.3. The server currently uses the now removed WebServicesRuleServicePublisher. And many local services are depending on the arg0, arg1, ... naming.

Would be nice if this can be included in upstream openl, so we can use the newer versions with our existing setup.

After adding the Datatype Alias SignatureReq <String>, then trying to Run / Trace a method , the selection of the String datatype instead displays the options for the SignatureReq datatype.

Please see gif, and Common.xslx Common(1).xlsx

v5.21.3

New vulnerability detected with openl tablets 5.26.3 version. This affects both ws and webstudio projects.

CVE-2022-41966 XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This issue is patched in version 1.4.20 which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet and whose XML refers these only as default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and all elements are comparable.

A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.

Spring Security, versions 5.7 prior to 5.7.5, and 5.6 prior to 5.6.9, and older unsupported versions could be susceptible to a privilege escalation under certain conditions. A malicious user or attacker can modify a request initiated by the Client (via the browser) to the Authorization Server which can lead to a privilege escalation on the subsequent approval. This scenario can happen if the Authorization Server responds with an OAuth2 Access Token Response containing an empty scope list (per RFC 6749, Section 5.1) on the subsequent request to the token endpoint to obtain the access token.