- Add security headers:
  - X-Frame-Options
  - X-Content-Type-Options
  - Content-Security-Policy
  - Permissions-Policy
- Do not send server information header
Committed-by: Eduard Heimbuch <eduard.heimbuch@cloudogu.com>
Co-authored-by: Eduard Heimbuch <eduard.heimbuch@cloudogu.com>
Co-authored-by: René Pfeuffer <rene.pfeuffer@cloudogu.com>
- Avoiding read attempts for stores that do not exist (AbstractStore).
- Use of ReadWrite locks (everything withLockedFileForRead or withLockedFileForWrite)
- Caching of JAXB Context (TypedStoreContext.java)
- Avoid unnecessary writes to the UserGroupCache
Committed-by: Eduard Heimbuch <eduard.heimbuch@cloudogu.com>
Co-authored-by: René Pfeuffer <rene.pfeuffer@cloudogu.com>
This change allows our UI libraries to be built separately. It is therefore possible to utilize different build tools for individual projects, as well as using build caches for the local build.
Co-authored-by: Sebastian Sdorra <sebastian.sdorra@cloudogu.com>
Co-authored-by: Matthias Thieroff <matthias.thieroff@cloudogu.com>
This sets Java 11 for compilation. To do so, this has to use the gradle smp plugin with the pull request scm-manager/gradle-smp-plugin#16. If the smp plugin is not released as version 0.10.4, the version has to be corrected for org.scm-manager.smp in the various build.gradle files.
It might be necessary to delete all build folders when switching between Java 8 and Java 11:
rm -rf build */build scm-plugins/*/build
Co-authored-by: Eduard Heimbuch <eduard.heimbuch@cloudogu.com>
Split large frontend components into their own bundles. This way we decrease loading times and load the bundles right as they are used. We replace SystemJS with our own implementation to load the lazy modules right as they are required.
Co-authored-by: Sebastian Sdorra <sebastian.sdorra@cloudogu.com>
Add security notifications in SCM-Manager to inform running instances about known security issues. These alerts can be core or plugin specific and will be shown to every user in the header.
Co-authored-by: Matthias Thieroff <matthias.thieroff@cloudogu.com>
Co-authored-by: Philipp Ahrendt <philipp.ahrendt@cloudogu.com>
Co-authored-by: Sebastian Sdorra <sebastian.sdorra@cloudogu.com>
Set line ending explicitly to LF because on Windows using the system line ending does not get along well with our git settings.
Co-authored-by: Sebastian Sdorra <sebastian.sdorra@cloudogu.com>
Update Gradle to 7.3 in order to profit from the performance improvement and to prepare for dependency lockfiles. Due to the upgrade to 7.x we had to use a license plugin which supports Gradle 7.
Using a default user with a default password has the implicit risk that this user is not changed and therefore this system can be compromised. With this change, SCM-Manager does not create the default user with the default password on startup any more, but it shows an initial form where the initial values for the administration user have to be entered by the user. To secure this form, a random token is created on startup and printed in the log.
To implement this form, the concept of an InitializationStep is introduced. This extension point can be implemented to offer different setup tasks. The creation of the administration user is the first implementation, others might be things like first plugin selections or the like.
Frontend components are selected by the name of these initialization steps, whose names will be added to the index resource (whichever is active at the moment) and will be shown accordingly.
Co-authored-by: Eduard Heimbuch <eduard.heimbuch@cloudogu.com>
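The startup-token protection described in the commit message above, as an added example that is not SCM-Manager's own code: the class and method names are hypothetical, and the token length, encoding and use of standard output in place of the server log are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicReference;

// Added illustration with hypothetical names; not SCM-Manager's implementation.
public class InitialAdminSetup {
  private static final SecureRandom RANDOM = new SecureRandom();
  // Held in memory only; null once setup has completed.
  private final AtomicReference<String> startupToken = new AtomicReference<>();

  // Called at startup when no administration user exists yet.
  public String createStartupToken() {
    byte[] raw = new byte[24]; // 192 random bits (assumed length)
    RANDOM.nextBytes(raw);
    String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    startupToken.set(token);
    // Stand-in for the server log: reading it requires access to the host.
    System.out.println("Initial setup token: " + token);
    return token;
  }

  // Accepts the correct token exactly once, then the form stays closed.
  public boolean completeSetup(String submitted, String adminName, String adminPassword) {
    String expected = startupToken.get();
    if (expected == null || submitted == null || adminName == null
        || adminName.isBlank() || adminPassword == null || adminPassword.isBlank()) {
      return false;
    }
    // Constant-time comparison so timing does not reveal the token.
    boolean matches = MessageDigest.isEqual(
        expected.getBytes(StandardCharsets.UTF_8),
        submitted.getBytes(StandardCharsets.UTF_8));
    // compareAndSet makes the token single-use even under concurrent requests.
    if (!matches || !startupToken.compareAndSet(expected, null)) {
      return false;
    }
    // Persisting the administration user is project-specific and not shown.
    return true;
  }

  public static void main(String[] args) {
    InitialAdminSetup setup = new InitialAdminSetup();
    String token = setup.createStartupToken();
    System.out.println(setup.completeSetup("guess", "admin", "constructed-pw"));
    System.out.println(setup.completeSetup(token, "admin", "constructed-pw"));
    System.out.println(setup.completeSetup(token, "admin2", "constructed-pw"));
  }
}
```

The three calls in `main` exercise a wrong token, the correct token, and a replay of the already consumed token.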
Updates legman to version 2, which allows the usage of the MicrometerPlugin. The plugin will collect metrics for subscriber invocations and the underlying executor.
Furthermore, this change will fix the usage of the wrong subject context in the asynchronous events.