diff --git a/README.md b/README.md index 5ebba5e2..25cf0cd6 100644 --- a/README.md +++ b/README.md 
@@ -78,16 +78,19 @@ Refer to [Repository and proxy modifications](https://openliberty.io/docs/ref/co ## Enterprise Functionality -This section describes the optional enterprise functionality that can be enabled via the Dockerfile during `build` time, by setting particular build-arguments (`ARG`) and calling `RUN configure.sh`. Each of these options trigger the inclusion of specific configuration via XML snippets (except for `VERBOSE`), described below: +This section describes the optional enterprise functionality that can be enabled via the Dockerfile during `build` time, by setting particular build-arguments (`ARG`) and calling `RUN configure.sh`. Each of these options trigger the inclusion/exclusion of specific configuration via XML snippets (except for `VERBOSE`), described below: -* `TLS` (`SSL` is deprecated) - * Description: Enable Transport Security in Liberty by adding the `transportSecurity-1.0` feature (includes support for SSL). - * XML Snippet Location: [keystore.xml](/releases/latest/kernel-slim/helpers/build/configuration_snippets/keystore.xml). +* `EXCLUDE_CONFIG_SSO_FEATURES` + * Description: When set to `true` the `sso_features.xml` config will be excluded from feature installation (see [SECURITY.md](/SECURITY.md) for usage). + * XML Snippet Location: [sso-features.xml](/releases/latest/kernel-slim/helpers/build/configuration_snippets/sso-features.xml) * `HZ_SESSION_CACHE` * Description: Enable the persistence of HTTP sessions using JCache by adding the `sessionCache-1.0` feature. * XML Snippet Location: [hazelcast-sessioncache.xml](/releases/latest/kernel-slim/helpers/build/configuration_snippets/hazelcast-sessioncache.xml) +* `TLS` (`SSL` is deprecated) + * Description: Enable Transport Security in Liberty by adding the `transportSecurity-1.0` feature (includes support for SSL). + * XML Snippet Location: [keystore.xml](/releases/latest/kernel-slim/helpers/build/configuration_snippets/keystore.xml). 
* `VERBOSE` - * Description: When set to `true` it outputs the commands and results to stdout from `configure.sh`. Otherwise, default setting is `false` and `configure.sh` is silenced. + * Description: When set to `true` it outputs the commands and results to stdout from `features.sh` and `configure.sh`. Otherwise, default setting is `false` and `features.sh` and `configure.sh` are silenced. ### Deprecated Enterprise Functionality diff --git a/SECURITY.md b/SECURITY.md index 92260624..0e025461 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -38,7 +38,20 @@ The following variables configure container security for Single Sign-On using th * Providers usually require the use of HTTPS. Specify `ARG TLS=true` in your Dockerfile. - * Your Dockerfile must call `RUN configure.sh` for these to take effect. + * Your Dockerfile must call `RUN configure.sh` for these to take effect. + +#### The `` and `appSecurity-2.0` configured features include an incompatible combination of features. + + * When specifying the `SEC_SSO_PROVIDERS` ARG, you might get an incompatible set of features with `appSecurity-2.0` similar to the snippet below: + + ``` + CWWKF0044E: The persistence-3.1 and appSecurity-2.0 features cannot be loaded at the same time. + The persistence-3.1 feature of Jakarta EE 10 is incompatible with the appSecurity-2.0 feature of Java EE 6. + The persistence-3.1 and appSecurity-2.0 configured features include an incompatible combination of features. + Your configuration is not supported. Update the configuration to use features that support either the Jakarta EE or Java EE programming models, but not both. + ``` + + * To avoid this error, set `ARG EXCLUDE_CONFIG_SSO_FEATURES=true` in your Dockerfile. ### Configuration needed at image build time or at container deploy time: diff --git a/releases/23.0.0.3/full/helpers/build/configure.sh b/releases/23.0.0.3/full/helpers/build/configure.sh index 895d2860..12ca9304 100755 --- a/releases/23.0.0.3/full/helpers/build/configure.sh 
+++ b/releases/23.0.0.3/full/helpers/build/configure.sh @@ -86,7 +86,9 @@ function main() { fi if [[ -n "$SEC_SSO_PROVIDERS" ]]; then - cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + if [[ "$EXCLUDE_CONFIG_SSO_FEATURES" != "true" ]]; then + cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + fi parseProviders $SEC_SSO_PROVIDERS fi diff --git a/releases/23.0.0.3/kernel-slim/helpers/build/features.sh b/releases/23.0.0.3/kernel-slim/helpers/build/features.sh index 17d43812..a0cd1263 100755 --- a/releases/23.0.0.3/kernel-slim/helpers/build/features.sh +++ b/releases/23.0.0.3/kernel-slim/helpers/build/features.sh @@ -20,7 +20,7 @@ if [ -n "$INFINISPAN_SERVICE_NAME" ] || [ "${HZ_SESSION_CACHE}" == "client" ] || fi # SSO -if [[ -n "$SEC_SSO_PROVIDERS" ]]; then +if [[ -n "$SEC_SSO_PROVIDERS" ]] && [[ "$EXCLUDE_CONFIG_SSO_FEATURES" != "true" ]]; then cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS fi diff --git a/releases/23.0.0.6/full/helpers/build/configure.sh b/releases/23.0.0.6/full/helpers/build/configure.sh index 895d2860..12ca9304 100755 --- a/releases/23.0.0.6/full/helpers/build/configure.sh +++ b/releases/23.0.0.6/full/helpers/build/configure.sh @@ -86,7 +86,9 @@ function main() { fi if [[ -n "$SEC_SSO_PROVIDERS" ]]; then - cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + if [[ "$EXCLUDE_CONFIG_SSO_FEATURES" != "true" ]]; then + cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + fi parseProviders $SEC_SSO_PROVIDERS fi diff --git a/releases/23.0.0.6/kernel-slim/helpers/build/features.sh b/releases/23.0.0.6/kernel-slim/helpers/build/features.sh index 17d43812..a0cd1263 100755 --- a/releases/23.0.0.6/kernel-slim/helpers/build/features.sh +++ b/releases/23.0.0.6/kernel-slim/helpers/build/features.sh 
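Review bot: The new guard `[[ "$EXCLUDE_CONFIG_SSO_FEATURES" != "true" ]]` in `main()` matches only the exact lowercase string, so `ARG EXCLUDE_CONFIG_SSO_FEATURES=True` or `=1` is silently treated as unset and `sso-features.xml` is still copied, as it was before the flag existed. Since the script is already bash, comparing `"${EXCLUDE_CONFIG_SSO_FEATURES,,}" != "true"` would accept any casing (this needs bash 4 or later); alternatively, fail the build on an unrecognised value. The re-added copy should also quote its operands: `cp "$SNIPPETS_SOURCE/sso-features.xml" "$SNIPPETS_TARGET_DEFAULTS"`. The same points apply to the identical configure.sh hunks under 23.0.0.6, 23.0.0.8, latest/beta and latest/full, and to the features.sh hunks; the body of `main()` starts and ends outside this hunk.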
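Review bot: The `# SSO` comment above the changed condition in features.sh no longer describes the block, because with `EXCLUDE_CONFIG_SSO_FEATURES=true` the snippet is skipped even though `SEC_SSO_PROVIDERS` is set, and nothing is printed to say so. I would extend it to something like `# SSO: copy the SSO feature snippet unless EXCLUDE_CONFIG_SSO_FEATURES=true; the caller's server.xml must then declare a compatible security/SSO feature itself`. If, as the file name suggests, this snippet is what causes the SSO features to be installed, an image built with the flag and no replacement feature could start with provider settings present but sign-on not active. A one-line notice under `VERBOSE` when the snippet is skipped would make that visible in the build log. The script starts and ends outside this hunk, so whether such a notice already exists elsewhere cannot be seen from here.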
@@ -20,7 +20,7 @@ if [ -n "$INFINISPAN_SERVICE_NAME" ] || [ "${HZ_SESSION_CACHE}" == "client" ] || fi # SSO -if [[ -n "$SEC_SSO_PROVIDERS" ]]; then +if [[ -n "$SEC_SSO_PROVIDERS" ]] && [[ "$EXCLUDE_CONFIG_SSO_FEATURES" != "true" ]]; then cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS fi diff --git a/releases/23.0.0.8/full/helpers/build/configure.sh b/releases/23.0.0.8/full/helpers/build/configure.sh index 895d2860..12ca9304 100755 --- a/releases/23.0.0.8/full/helpers/build/configure.sh +++ b/releases/23.0.0.8/full/helpers/build/configure.sh @@ -86,7 +86,9 @@ function main() { fi if [[ -n "$SEC_SSO_PROVIDERS" ]]; then - cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + if [[ "$EXCLUDE_CONFIG_SSO_FEATURES" != "true" ]]; then + cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + fi parseProviders $SEC_SSO_PROVIDERS fi diff --git a/releases/23.0.0.8/kernel-slim/helpers/build/features.sh b/releases/23.0.0.8/kernel-slim/helpers/build/features.sh index 17d43812..a0cd1263 100755 --- a/releases/23.0.0.8/kernel-slim/helpers/build/features.sh +++ b/releases/23.0.0.8/kernel-slim/helpers/build/features.sh @@ -20,7 +20,7 @@ if [ -n "$INFINISPAN_SERVICE_NAME" ] || [ "${HZ_SESSION_CACHE}" == "client" ] || fi # SSO -if [[ -n "$SEC_SSO_PROVIDERS" ]]; then +if [[ -n "$SEC_SSO_PROVIDERS" ]] && [[ "$EXCLUDE_CONFIG_SSO_FEATURES" != "true" ]]; then cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS fi diff --git a/releases/latest/beta/helpers/build/configure.sh b/releases/latest/beta/helpers/build/configure.sh index 895d2860..12ca9304 100755 --- a/releases/latest/beta/helpers/build/configure.sh +++ b/releases/latest/beta/helpers/build/configure.sh 
@@ -86,7 +86,9 @@ function main() { fi if [[ -n "$SEC_SSO_PROVIDERS" ]]; then - cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + if [[ "$EXCLUDE_CONFIG_SSO_FEATURES" != "true" ]]; then + cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + fi parseProviders $SEC_SSO_PROVIDERS fi diff --git a/releases/latest/full/helpers/build/configure.sh b/releases/latest/full/helpers/build/configure.sh index 895d2860..12ca9304 100755 --- a/releases/latest/full/helpers/build/configure.sh +++ b/releases/latest/full/helpers/build/configure.sh @@ -86,7 +86,9 @@ function main() { fi if [[ -n "$SEC_SSO_PROVIDERS" ]]; then - cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + if [[ "$EXCLUDE_CONFIG_SSO_FEATURES" != "true" ]]; then + cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS + fi parseProviders $SEC_SSO_PROVIDERS fi diff --git a/releases/latest/kernel-slim/helpers/build/features.sh b/releases/latest/kernel-slim/helpers/build/features.sh index 17d43812..a0cd1263 100755 --- a/releases/latest/kernel-slim/helpers/build/features.sh +++ b/releases/latest/kernel-slim/helpers/build/features.sh @@ -20,7 +20,7 @@ if [ -n "$INFINISPAN_SERVICE_NAME" ] || [ "${HZ_SESSION_CACHE}" == "client" ] || fi # SSO -if [[ -n "$SEC_SSO_PROVIDERS" ]]; then +if [[ -n "$SEC_SSO_PROVIDERS" ]] && [[ "$EXCLUDE_CONFIG_SSO_FEATURES" != "true" ]]; then cp $SNIPPETS_SOURCE/sso-features.xml $SNIPPETS_TARGET_DEFAULTS fi