Welcome to the trial version of NES for Spring Boot 2.7 No Remoting! This is a simple example of how to use NES with Spring Boot 2.7 with no remoting. No remoting addresses CVE-2016-1000027.
🟡 Caution: This repository demonstrates a quick and simple way to integrate with the HeroDevs NES repository. Username and password values are hard-coded in the Maven and Gradle settings files. When moving to production, handle your username and password values in a more secure way.
This application stores Pet data in a local H2 database. The information is automatically loaded when the Spring Boot application starts and is exposed via REST endpoints.
This application uses:
- Spring Boot 2.7
- Spring Framework 5.3
- Spring Security 5.7
- Spring Data JPA 2.7
These versions are managed by Spring Boot.
This project has two folders, maven and gradle for the respective build systems. The code (located in src) is the same for both build systems. The only difference is the build system itself. The maven folder contains a pom.xml file and the gradle folder contains a build.gradle file. You can use either one to build the project.
Notes are below on the specific changes required for each build system. These changes have already been made in the pom.xml and build.gradle files in the respective folders. You can use these files as a reference for your own project.
Maven:

- Add the HeroDevs repository URL and credentials:

```xml
<settings>
  <servers>
    <server>
      <id>herodevs-nes-registry</id>
      <username>any_text_here_not_used</username>
      <password>YOUR_NES_ACCESS_TOKEN</password>
    </server>
  </servers>
</settings>
```

- Add the HeroDevs repository to the `repositories` and `pluginRepositories` blocks:

```xml
<repositories>
  <repository>
    <id>herodevs-nes-registry</id>
    <url>https://registry.nes.herodevs.com/maven</url>
  </repository>
</repositories>
<pluginRepositories>
  <pluginRepository>
    <id>herodevs-nes-registry</id>
    <url>https://registry.nes.herodevs.com/maven</url>
  </pluginRepository>
</pluginRepositories>
```

- Update the Spring Boot dependency to use the HeroDevs NES for Spring Boot trial version:

```xml
<version>2.7.18-spring-boot-2.7.20-trial</version>
```

- Exclude `spring-web`:

```xml
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-web</artifactId>
  <exclusions>
    <exclusion>
      <groupId>org.springframework</groupId>
      <artifactId>spring-web</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

- Add dependency for `spring-web` with classifier `no-remoting`:

```xml
<dependency>
  <groupId>org.springframework</groupId>
  <artifactId>spring-web</artifactId>
  <version>5.3.39-spring-framework-5.3.42-trial</version>
  <classifier>no-remoting</classifier>
</dependency>
```

Verify that the application is using HeroDevs NES for Spring dependencies by running the following command:

```bash
./mvnw dependency:tree
```

You should see dependencies like these in the output to signify that you are using HeroDevs NES for Spring:

```
org.springframework.boot:spring-boot-starter-aop:jar:2.7.18-spring-boot-2.7.20-trial:compile
org.springframework:spring-context:jar:5.3.39-spring-framework-5.3.41-trial:compile
org.springframework.boot:spring-boot-starter-jdbc:jar:2.7.18-spring-boot-2.7.20-trial:compile
```
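
A check for the Maven tree output above, as an added example that is not part of the HeroDevs repository: it flags any `spring-web` coordinate that lacks the `no-remoting` classifier (for instance one pulled back in transitively) and any `org.springframework` or `org.springframework.boot` artifact whose version lacks the NES marker. The function names, both sample trees, the stock version `5.3.31` and the `-trial$` marker default are constructed or assumed for illustration.

```sh
#!/bin/sh
# Added example: audit Maven dependency:tree text (stdin) for the no-remoting swap.
# $1 = regex expected at the end of NES versions; the default "-trial$" is an
# assumption taken from the trial versions shown on this page.
audit_tree() {
    marker="${1:-}"
    [ -n "$marker" ] || marker='-trial$'
    # Pull out group:artifact:type[:classifier]:version:scope coordinates.
    grep -oE '[A-Za-z0-9_.-]+(:[A-Za-z0-9_.-]+){4,5}' |
    awk -F: -v marker="$marker" '
        $1 != "org.springframework" && $1 != "org.springframework.boot" { next }
        { cls = (NF == 6) ? $4 : ""; ver = (NF == 6) ? $5 : $4 }
        $2 == "spring-web" {
            seen++
            if (cls != "no-remoting") { print "STOCK_SPRING_WEB " $0; bad++ }
        }
        ver !~ marker { print "NOT_NES " $0; bad++ }
        END {
            if (!seen) { print "SPRING_WEB_MISSING"; bad++ }
            exit (bad > 0)
        }'
}

# Constructed sample: the layout the steps above should produce.
good_tree() { cat <<'EOF'
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.18-spring-boot-2.7.20-trial:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.3.39-spring-framework-5.3.41-trial:compile
[INFO] +- org.springframework:spring-web:jar:no-remoting:5.3.39-spring-framework-5.3.42-trial:compile
[INFO] \- com.h2database:h2:jar:2.1.214:runtime
EOF
}

# Constructed sample: the exclusion was missed, so stock spring-web came back.
bad_tree() { cat <<'EOF'
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.18-spring-boot-2.7.20-trial:compile
[INFO] |  +- org.springframework:spring-web:jar:5.3.31:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.3.31:compile
EOF
}

# Against a real build: ./mvnw dependency:tree | audit_tree
good_tree | audit_tree && echo "good_tree: OK"
bad_tree | audit_tree || echo "bad_tree: findings listed above"
```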

Gradle:

- Add the HeroDevs repository URL and credentials:

```properties
herodevs_nes_registry_url=https://registry.nes.herodevs.com/maven
herodevs_nes_registry_user=any_text_here_not_used
herodevs_nes_registry_token=NES_TOKEN_HERE
```

- Add the HeroDevs repository to the `pluginManagement` block:
  - The `pluginManagement` block must be the first element in the file
  - The HeroDevs repository must appear before `mavenCentral()`

```groovy
pluginManagement {
    repositories {
        maven {
            url = uri(providers.gradleProperty("herodevs_nes_registry_url").get())
            credentials {
                username = providers.gradleProperty("herodevs_nes_registry_user").get()
                // The registry token defined in the properties above is the password
                password = providers.gradleProperty("herodevs_nes_registry_token").get()
            }
        }
        mavenCentral()
    }
}
```

- Add the HeroDevs repository to the `repositories` block:

```groovy
repositories {
    maven {
        url = uri(providers.gradleProperty("herodevs_nes_registry_url").get())
        credentials {
            username = providers.gradleProperty("herodevs_nes_registry_user").get()
            // The registry token defined in the properties above is the password
            password = providers.gradleProperty("herodevs_nes_registry_token").get()
        }
    }
    mavenCentral()
}
```

- Update the Spring Boot dependency to use the HeroDevs NES for Spring Boot trial version:

```groovy
id 'org.springframework.boot' version '2.7.18-spring-boot-2.7.20-trial'
```

- Exclude `spring-web` from `spring-boot-starter-web`:

```groovy
implementation ('org.springframework.boot:spring-boot-starter-web') {
    exclude group: "org.springframework", module: "spring-web"
}
```

- Add dependency for `spring-web` with classifier `no-remoting`:

```groovy
implementation group: 'org.springframework', name: 'spring-web', classifier: 'no-remoting'
```

Verify that the application is using HeroDevs NES for Spring dependencies by running the following command:

```bash
./gradlew clean dependencies --configuration runtimeClasspath
```

You should see dependencies like these in the output to signify that you are using HeroDevs NES for Spring:

```
org.springframework.boot:spring-boot-starter-aop:2.7.18-spring-boot-2.7.20-trial
org.springframework:spring-context:5.3.39-spring-framework-5.3.41-trial
org.springframework.boot:spring-boot-starter-jdbc:2.7.18-spring-boot-2.7.20-trial
```

Run the application by executing the corresponding command for your build system.

Maven:

```bash
./mvnw spring-boot:run
```

Gradle:

```bash
./gradlew bootRun
```

When the application is running, verify that the unsecured endpoint is reachable:

```bash
curl http://localhost:8080/helloPets
```

You should see the following output:

```
Woof! Meow! Blub! Tweet!
```

To access the other REST endpoints, you need to authenticate. The application uses Spring Security to secure the endpoints. You can use the following command to pass the simple authentication:

```bash
curl -u user:password "http://localhost:8080/pets?name=Buddy"
```

You should see the following output:

```
[{"name":"Buddy","type":"Dog"}]
```

Congratulations! Your Spring project is ready to be secure. Contact HeroDevs for a registry token to get full access. Simply change the herodevs_nes_registry_token field in gradle.properties or the password in settings.xml to your specific token and the next build will use NES for Spring dependencies with zero CVEs.