This tutorial is intended to provide instructions for applying a configuration-based fix to address a security vulnerability in the SHRINE proxy subsystem.

  1. Start tomcat with shrine already installed correctly, started at least once, and can at minimum show ontology terms. shrine-proxy.war must be expanded in tomcat's webapps directory
  2. Stop tomcat
  3. Edit tomcat/webapps/shrine-proxy/WEB-INF/classes/shrine-proxy-acl.xml to only whitelist URLs for your own shrine (tomcat) host and i2b2 (jboss) host.  The following example uses one of our internal QA nodes called shrine-qa3.catalyst:

    1. Remove the following lines:

      <host>https://</host>
<host>http://</host>
    2. Do not add anything to the blacklist section.

    3. Include entries that specify localhost, fully-qualified host names and IP addresses for both the shrine node and i2b2 node as accessed by your tomcat.  Here is an example:

      <lists>
<whitelist>
       <host>https://shrine-qa3.catalyst:6443</host>
       <host>https://localhost:6443</host>
       <host>https://10.118.12.40:6443</host>
       <host>http://shrine-qa3-i2b2.catalyst:9090</host>
       <host>http://10.118.12.60:9090</host>
</whitelist>
</lists>

  4. Start tomcat again.  After tomcat has completed its startup confirm the configuration by running a test query.  If it does not work, then you will see messages in tomcat/logs/proxy.log that look like this:

    2019-Jan-02-16:54:54.480 ERROR [SHRINE][ShrineProxyServlet][http-nio-6443-exec-5] ProxyServlet error:

net.shrine.proxy.ShrineMessageFormatException: redirectURL not in white list or is in black list: http://shrine-qa2-i2b2.catalyst:9090/i2b2/services/PMService/getServices
        at net.shrine.proxy.DefaultShrineProxy.redirect(ShrineProxy.scala:91)
        at net.shrine.proxy.ShrineProxyServlet.doPost(ShrineProxyServlet.scala:56)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)

    If you encounter an error, add the correct URL(s) into the whitelist and try again.  

    5. Please let your hub administrators know that you have made a configuration change so that we can verify from the hub.