This tutorial explains how to apply a configuration-based fix for a security vulnerability in the SHRINE proxy subsystem.
- Start Tomcat with SHRINE already installed correctly. SHRINE must have been started at least once and must, at minimum, be able to show ontology terms. shrine-proxy.war must be expanded in Tomcat's webapps directory.
- Stop Tomcat.
- Edit tomcat/webapps/shrine-proxy/WEB-INF/classes/shrine-proxy-acl.xml so that it whitelists only URLs for your own SHRINE (Tomcat) host and i2b2 (JBoss) host. The following example uses one of our internal QA nodes called shrine-qa3.catalyst:
Remove the following lines:
- Do not add anything to the blacklist section.
Include entries that specify localhost, fully qualified host names, and IP addresses for both the SHRINE node and the i2b2 node, as accessed by your Tomcat. Here is an example:
Start Tomcat again. After Tomcat has completed its startup, confirm the configuration by running a test query. If the query does not work, you will see messages in tomcat/logs/proxy.log that look like this:
If you encounter an error, add the correct URL(s) into the whitelist and try again.
5. Please let your hub administrators know that you have made a configuration change so that we can verify from the hub.
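One way to check the edited ACL file before restarting Tomcat, as an added example that is not part of the SHRINE documentation: it pulls every URL out of the file text without relying on the file's XML schema, reports any URL whose host is not exactly one of your own, and lists own hosts that have no entry. The i2b2 host name, both IP addresses, the ports and the `<entry>` tag in the sample are constructed placeholders.

```python
import re
import sys
from urllib.parse import urlsplit

# Hosts your Tomcat should be allowed to reach. shrine-qa3.catalyst is the
# page's example node; the i2b2 name and both IPs are constructed placeholders.
OWN_HOSTS = {
    "localhost", "127.0.0.1",
    "shrine-qa3.catalyst", "192.0.2.10",   # shrine (tomcat) node
    "i2b2.example.org", "192.0.2.20",      # i2b2 (jboss) node
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)

def audit_acl(text, own_hosts=OWN_HOSTS):
    """Return (foreign, missing): URLs in the ACL text whose host is not
    exactly one of own_hosts, and own hosts that no URL in the file names.
    Every URL in the file is checked, whichever section it sits in."""
    active = COMMENT_RE.sub("", text)      # ignore commented-out entries
    seen, foreign = set(), []
    for url in URL_RE.findall(active):
        host = (urlsplit(url).hostname or "").lower()
        if host in own_hosts:
            seen.add(host)
        else:
            foreign.append(url)            # includes look-alike host names
    return foreign, sorted(own_hosts - seen)

# Constructed sample; <entry> is a placeholder tag, not the file's real schema.
SAMPLE = """
<entry>http://localhost:6060/shrine/</entry>
<entry>https://shrine-qa3.catalyst:6443/shrine/</entry>
<entry>http://i2b2.example.org:9090/i2b2/</entry>
<entry>http://shrine-qa3.catalyst.example.net/</entry>
<!-- <entry>http://old-node.example.org/</entry> -->
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    foreign, missing = audit_acl(text)
    for url in foreign:
        print("NOT YOUR HOST:", url)
    for host in missing:
        print("no entry for:", host)
```

Edit OWN_HOSTS for your site and pass the path to shrine-proxy-acl.xml as the only argument; with no argument the script runs on the constructed sample.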