[maven-release-plugin][skip ci] prepare release 14.9

As DbNodeServiceImplTest>BaseNodeServiceTest.testLargeStrings:1061 » AlfrescoRuntime now fails

This reverts commit 386696d58b.

.github/dependabot.yml

@@ -0,0 +1,181 @@
+version: 2
+registries:
+  maven-repository-artifacts-alfresco-com-nexus-content-groups-int:
+    type: maven-repository
+    url: https://artifacts.alfresco.com/nexus/content/groups/internal
+    username: ${{secrets.NEXUS_USERNAME}}
+    password: ${{secrets.NEXUS_PASSWORD}}
+updates:
+- package-ecosystem: maven
+  directory: "/"
+  schedule:
+    interval: daily
+    time: "22:00"
+    timezone: Africa/Abidjan
+  open-pull-requests-limit: 99
+  ignore:
+  - dependency-name: com.google.code.gson:gson
+    versions:
+    - "> 2.8.6"
+  - dependency-name: io.fabric8:fabric8-maven-plugin
+    versions:
+    - "> 4.4.0"
+  - dependency-name: javax.servlet:javax.servlet-api
+    versions:
+    - "> 3.0.1"
+  - dependency-name: org.acegisecurity:acegi-security
+    versions:
+    - "> 0.8.2_patched"
+  - dependency-name: org.activiti:activiti-engine
+    versions:
+    - "> 5.23.0"
+  - dependency-name: org.activiti:activiti-engine
+    versions:
+    - ">= 7.1.a, < 7.2"
+  - dependency-name: org.activiti:activiti-spring
+    versions:
+    - "> 5.23.0"
+  - dependency-name: org.activiti:activiti-spring
+    versions:
+    - ">= 7.1.a, < 7.2"
+  - dependency-name: org.apache.camel:camel-activemq
+    versions:
+    - "> 3.7.1"
+  - dependency-name: org.apache.camel:camel-amqp
+    versions:
+    - "> 3.7.1"
+  - dependency-name: org.apache.camel:camel-direct
+    versions:
+    - "> 3.7.1"
+  - dependency-name: org.apache.camel:camel-directvm
+    versions:
+    - "> 3.7.1"
+  - dependency-name: org.apache.camel:camel-jackson
+    versions:
+    - "> 3.7.1"
+  - dependency-name: org.apache.camel:camel-mock
+    versions:
+    - "> 3.7.1"
+  - dependency-name: org.apache.camel:camel-spring
+    versions:
+    - "> 3.7.1"
+  - dependency-name: org.apache.chemistry.opencmis:chemistry-opencmis-client-impl
+    versions:
+    - "> 1.0.0"
+  - dependency-name: org.apache.chemistry.opencmis:chemistry-opencmis-commons-impl
+    versions:
+    - "> 1.0.0"
+  - dependency-name: org.apache.chemistry.opencmis:chemistry-opencmis-server-bindings
+    versions:
+    - "> 1.0.0"
+  - dependency-name: org.apache.chemistry.opencmis:chemistry-opencmis-test-tck
+    versions:
+    - "> 1.0.0"
+  - dependency-name: org.freemarker:freemarker
+    versions:
+    - "> 2.3.20-alfresco-patched-20200421"
+  - dependency-name: org.keycloak:keycloak-adapter-core
+    versions:
+    - "> 12.0.2"
+  - dependency-name: org.keycloak:keycloak-adapter-spi
+    versions:
+    - "> 12.0.2"
+  - dependency-name: org.keycloak:keycloak-authz-client
+    versions:
+    - "> 12.0.2"
+  - dependency-name: org.keycloak:keycloak-common
+    versions:
+    - "> 12.0.2"
+  - dependency-name: org.keycloak:keycloak-core
+    versions:
+    - "> 12.0.2"
+  - dependency-name: org.keycloak:keycloak-servlet-adapter-spi
+    versions:
+    - "> 12.0.2"
+  - dependency-name: org.eclipse.jetty:jetty-server
+    versions:
+    - 9.4.38.v20210224
+  - dependency-name: org.alfresco.tas:cmis
+    versions:
+    - "1.28"
+  - dependency-name: org.springframework:spring-webmvc
+    versions:
+    - 5.3.4
+    - 5.3.5
+  - dependency-name: org.springframework:spring-web
+    versions:
+    - 5.3.4
+    - 5.3.5
+  - dependency-name: org.springframework:spring-tx
+    versions:
+    - 5.3.4
+    - 5.3.5
+  - dependency-name: org.springframework:spring-orm
+    versions:
+    - 5.3.4
+    - 5.3.5
+  - dependency-name: org.springframework:spring-test
+    versions:
+    - 5.3.4
+    - 5.3.5
+  - dependency-name: org.springframework:spring-jms
+    versions:
+    - 5.3.4
+    - 5.3.5
+  - dependency-name: org.springframework:spring-jdbc
+    versions:
+    - 5.3.4
+    - 5.3.5
+  - dependency-name: org.springframework:spring-expression
+    versions:
+    - 5.3.4
+    - 5.3.5
+  - dependency-name: org.springframework:spring-core
+    versions:
+    - 5.3.4
+    - 5.3.5
+  - dependency-name: org.springframework:spring-context-support
+    versions:
+    - 5.3.4
+    - 5.3.5
+  - dependency-name: org.springframework:spring-context
+    versions:
+    - 5.3.4
+    - 5.3.5
+  - dependency-name: org.springframework:spring-beans
+    versions:
+    - 5.3.4
+    - 5.3.5
+  - dependency-name: org.springframework:spring-aop
+    versions:
+    - 5.3.4
+    - 5.3.5
+  - dependency-name: org.alfresco.tas:restapi
+    versions:
+    - "1.55"
+  - dependency-name: org.eclipse.jetty:jetty-security
+    versions:
+    - 11.0.1
+  - dependency-name: org.alfresco.aos-module:alfresco-vti-bin
+    versions:
+    - 1.4.0-M1
+  - dependency-name: org.alfresco.aos-module:alfresco-aos-module-distributionzip
+    versions:
+    - 1.4.0-M1
+  - dependency-name: org.alfresco.aos-module:alfresco-aos-module
+    versions:
+    - 1.4.0-M1
+  - dependency-name: org.alfresco.surf:spring-webscripts-api
+    versions:
+    - "8.16"
+  - dependency-name: org.alfresco.surf:spring-webscripts:tests
+    versions:
+    - "8.16"
+  - dependency-name: org.alfresco.surf:spring-webscripts
+    versions:
+    - "8.16"
+  - dependency-name: org.alfresco.surf:spring-surf-core-configservice
+    versions:
+    - "8.16"
+  registries:
+  - maven-repository-artifacts-alfresco-com-nexus-content-groups-int

amps/ags/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-community-repo-amps</artifactId>
-      <version>11.141-SNAPSHOT</version>
+      <version>14.9</version>
    </parent>
 
    <modules>

amps/ags/rm-automation/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-community-parent</artifactId>
-      <version>11.141-SNAPSHOT</version>
+      <version>14.9</version>
    </parent>
 
    <modules>

amps/ags/rm-automation/rm-automation-community-rest-api/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-automation-community-repo</artifactId>
-      <version>11.141-SNAPSHOT</version>
+      <version>14.9</version>
    </parent>
 
 
@@ -40,7 +40,7 @@
       <dependency>
          <groupId>org.slf4j</groupId>
          <artifactId>slf4j-log4j12</artifactId>
-         <version>1.7.26</version>
+         <version>1.7.32</version>
          <scope>test</scope>
       </dependency>
       <dependency>
@@ -82,7 +82,7 @@
       <dependency>
          <groupId>com.github.docker-java</groupId>
          <artifactId>docker-java</artifactId>
-         <version>3.2.11</version>
+         <version>3.2.12</version>
       </dependency>
    </dependencies>
 </project>

amps/ags/rm-automation/rm-automation-community-rest-api/src/test/java/org/alfresco/rest/rm/community/base/BaseRMRestTest.java

@@ -619,11 +619,27 @@ public class BaseRMRestTest extends RestTest
      * @return
      */
     public List<String> searchForContentAsUser(UserModel user, String term)
+    {
+        String query = "cm:name:*" + term + "*";
+        return searchForContentAsUser(user,query,"afts");
+    }
+
+    /**
+     * Returns search results for the given search term
+     *
+     * @param user
+     * @param term
+     * @param query language
+     * @return
+     * @throws Exception
+     */
+    public List<String> searchForContentAsUser(UserModel user, String q, String queryLanguage)
     {
         getRestAPIFactory().getRmRestWrapper().authenticateUser(user);
         RestRequestQueryModel queryReq = new RestRequestQueryModel();
         SearchRequest query = new SearchRequest(queryReq);
-        queryReq.setQuery("cm:name:*" + term + "*");
+        queryReq.setQuery(q);
+        queryReq.setLanguage(queryLanguage);
 
         List<String> names = new ArrayList<>();
         // wait for solr indexing

amps/ags/rm-community/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-community-parent</artifactId>
-      <version>11.141-SNAPSHOT</version>
+      <version>14.9</version>
    </parent>
 
    <modules>

amps/ags/rm-community/rm-community-repo/pom.xml

@@ -8,7 +8,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-governance-services-community-repo-parent</artifactId>
-      <version>11.141-SNAPSHOT</version>
+      <version>14.9</version>
    </parent>
 
    <properties>

amps/ags/rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMAfterInvocationProvider.java

@@ -306,7 +306,7 @@ public class RMAfterInvocationProvider extends RMSecurityCommon
         }
     }
 
-    private boolean isUnfiltered(NodeRef nodeRef)
+    protected boolean isUnfiltered(NodeRef nodeRef)
     {
         return !nodeService.hasAspect(nodeRef, RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT);
 

amps/ags/rm-community/rm-community-rest-api-explorer/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-governance-services-community-repo-parent</artifactId>
-        <version>11.141-SNAPSHOT</version>
+        <version>14.9</version>
     </parent>
 
     <build>

amps/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>11.141-SNAPSHOT</version>
+        <version>14.9</version>
     </parent>
 
     <modules>

amps/share-services/pom.xml

@@ -8,7 +8,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-amps</artifactId>
-        <version>11.141-SNAPSHOT</version>
+        <version>14.9</version>
     </parent>
 
     <properties>

core/pom.xml

@@ -7,7 +7,7 @@
    <parent>
       <groupId>org.alfresco</groupId>
       <artifactId>alfresco-community-repo</artifactId>
-      <version>11.141-SNAPSHOT</version>
+      <version>14.9</version>
    </parent>
 
    <dependencies>

data-model/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>11.141-SNAPSHOT</version>
+        <version>14.9</version>
     </parent>
 
     <properties>

packaging/distribution/pom.xml

@@ -9,6 +9,6 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>11.141-SNAPSHOT</version>
+        <version>14.9</version>
     </parent>
 </project>

packaging/docker-alfresco/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>11.141-SNAPSHOT</version>
+        <version>14.9</version>
     </parent>
 
     <properties>

packaging/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>11.141-SNAPSHOT</version>
+        <version>14.9</version>
     </parent>
 
     <modules>

packaging/tests/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>11.141-SNAPSHOT</version>
+        <version>14.9</version>
     </parent>
 
     <modules>

packaging/tests/tas-cmis/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>11.141-SNAPSHOT</version>
+        <version>14.9</version>
     </parent>
 
     <developers>

packaging/tests/tas-email/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>11.141-SNAPSHOT</version>
+        <version>14.9</version>
     </parent>
 
     <developers>

packaging/tests/tas-integration/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>11.141-SNAPSHOT</version>
+        <version>14.9</version>
     </parent>
 
     <developers>

packaging/tests/tas-restapi/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>11.141-SNAPSHOT</version>
+        <version>14.9</version>
     </parent>
 
     <developers>

packaging/tests/tas-webdav/pom.xml

@@ -9,7 +9,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-tests</artifactId>
-        <version>11.141-SNAPSHOT</version>
+        <version>14.9</version>
     </parent>
 
     <developers>

packaging/war/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo-packaging</artifactId>
-        <version>11.141-SNAPSHOT</version>
+        <version>14.9</version>
     </parent>
 
     <properties>

pom.xml

@@ -2,7 +2,7 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <artifactId>alfresco-community-repo</artifactId>
-    <version>11.141-SNAPSHOT</version>
+    <version>14.9</version>
     <packaging>pom</packaging>
     <name>Alfresco Community Repo Parent</name>
 
@@ -23,7 +23,7 @@
 
     <properties>
         <acs.version.major>7</acs.version.major>
-        <acs.version.minor>1</acs.version.minor>
+        <acs.version.minor>2</acs.version.minor>
         <acs.version.revision>0</acs.version.revision>
         <acs.version.label />
         <amp.min.version>${acs.version.major}.0.0</amp.min.version>
@@ -59,9 +59,9 @@
         <dependency.antlr.version>3.5.2</dependency.antlr.version>
         <dependency.jackson.version>2.12.3</dependency.jackson.version>
         <dependency.jackson-databind.version>2.12.4</dependency.jackson-databind.version>
-        <dependency.cxf.version>3.4.4</dependency.cxf.version>
+        <dependency.cxf.version>3.4.5</dependency.cxf.version>
         <dependency.opencmis.version>1.0.0</dependency.opencmis.version>
-        <dependency.webscripts.version>8.23</dependency.webscripts.version>
+        <dependency.webscripts.version>8.24</dependency.webscripts.version>
         <dependency.bouncycastle.version>1.69</dependency.bouncycastle.version>
         <dependency.mockito-core.version>3.11.2</dependency.mockito-core.version>
         <dependency.mockito-all.version>1.10.19</dependency.mockito-all.version>
@@ -73,15 +73,15 @@
         <dependency.httpcore.version>4.4.14</dependency.httpcore.version>
         <dependency.commons-httpclient.version>3.1-HTTPCLIENT-1265</dependency.commons-httpclient.version>
         <dependency.xercesImpl.version>2.12.1</dependency.xercesImpl.version>
-        <dependency.slf4j.version>1.7.30</dependency.slf4j.version>
+        <dependency.slf4j.version>1.7.32</dependency.slf4j.version>
         <dependency.gytheio.version>0.12</dependency.gytheio.version>
-        <dependency.groovy.version>2.5.9</dependency.groovy.version>
+        <dependency.groovy.version>3.0.9</dependency.groovy.version>
         <dependency.tika.version>1.27</dependency.tika.version>
-        <dependency.spring-security.version>5.5.1</dependency.spring-security.version>
+        <dependency.spring-security.version>5.5.2</dependency.spring-security.version>
         <dependency.truezip.version>7.7.10</dependency.truezip.version>
         <dependency.poi.version>4.1.2</dependency.poi.version>
         <dependency.ooxml-schemas.version>1.4</dependency.ooxml-schemas.version>
-        <dependency.keycloak.version>13.0.1</dependency.keycloak.version>
+        <dependency.keycloak.version>15.0.2</dependency.keycloak.version>
         <dependency.jboss.logging.version>3.4.2.Final</dependency.jboss.logging.version>
         <dependency.camel.version>3.7.4</dependency.camel.version>
         <dependency.activemq.version>5.16.1</dependency.activemq.version>
@@ -108,10 +108,10 @@
         <alfresco.api-explorer.version>7.1.0.1</alfresco.api-explorer.version> <!-- Also in alfresco-enterprise-share -->
         <alfresco.maven-plugin.version>2.2.0</alfresco.maven-plugin.version>
 
-        <dependency.postgresql.version>42.2.20</dependency.postgresql.version>
+        <dependency.postgresql.version>42.2.24</dependency.postgresql.version>
         <dependency.mysql.version>8.0.25</dependency.mysql.version>
         <dependency.mysql-image.version>8</dependency.mysql-image.version>
-        <dependency.mariadb.version>2.7.2</dependency.mariadb.version>
+        <dependency.mariadb.version>2.7.4</dependency.mariadb.version>
         <dependency.tas-utility.version>3.0.45</dependency.tas-utility.version>
         <dependency.rest-assured.version>3.3.0</dependency.rest-assured.version>
         <dependency.tas-restapi.version>1.64</dependency.tas-restapi.version>
@@ -142,7 +142,7 @@
         <connection>scm:git:https://github.com/Alfresco/alfresco-community-repo.git</connection>
         <developerConnection>scm:git:https://github.com/Alfresco/alfresco-community-repo.git</developerConnection>
         <url>https://github.com/Alfresco/alfresco-community-repo</url>
-        <tag>HEAD</tag>
+        <tag>14.9</tag>
     </scm>
 
     <distributionManagement>
@@ -638,7 +638,7 @@
             <dependency>
                 <groupId>org.jsoup</groupId>
                 <artifactId>jsoup</artifactId>
-                <version>1.14.2</version>
+                <version>1.14.3</version>
             </dependency>
             <!-- upgrade dependency from TIKA -->
             <dependency>
@@ -870,7 +870,7 @@
                 <plugin>
                     <groupId>io.fabric8</groupId>
                     <artifactId>docker-maven-plugin</artifactId>
-                    <version>0.34.1</version>
+                    <version>0.37.0</version>
                 </plugin>
                 <plugin>
                     <artifactId>maven-surefire-plugin</artifactId>
@@ -891,7 +891,7 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-javadoc-plugin</artifactId>
-                    <version>3.3.0</version>
+                    <version>3.3.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>

remote-api/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>11.141-SNAPSHOT</version>
+        <version>14.9</version>
     </parent>
 
     <dependencies>
@@ -47,7 +47,7 @@
         <dependency>
             <groupId>org.apache.santuario</groupId>
             <artifactId>xmlsec</artifactId>
-            <version>1.5.8</version>
+            <version>2.2.3</version>
         </dependency>
         <!-- newer version, see REPO-3133 -->
         <dependency>

remote-api/src/main/java/org/alfresco/opencmis/CMISServletDispatcher.java

@@ -27,17 +27,14 @@ package org.alfresco.opencmis;
 
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.PrintWriter;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.ArrayList;
-import java.util.Collection;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.EventListener;
 import java.util.Iterator;
 import java.util.List;
-import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 
@@ -48,19 +45,17 @@ import javax.servlet.Servlet;
 import javax.servlet.ServletConfig;
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
-import javax.servlet.ServletOutputStream;
 import javax.servlet.ServletRegistration;
 import javax.servlet.SessionCookieConfig;
 import javax.servlet.SessionTrackingMode;
 import javax.servlet.descriptor.JspConfigDescriptor;
-import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServlet;
-import javax.servlet.http.HttpServletResponse;
 
 import org.alfresco.error.AlfrescoRuntimeException;
 import org.alfresco.opencmis.CMISDispatcherRegistry.Binding;
 import org.alfresco.opencmis.CMISDispatcherRegistry.Endpoint;
 import org.alfresco.repo.tenant.TenantAdminService;
+import org.alfresco.rest.framework.core.exceptions.JsonpCallbackNotAllowedException;
 import org.alfresco.service.descriptor.Descriptor;
 import org.alfresco.service.descriptor.DescriptorService;
 import org.apache.chemistry.opencmis.commons.enums.CmisVersion;
@@ -69,7 +64,6 @@ import org.apache.chemistry.opencmis.server.impl.CmisRepositoryContextListener;
 import org.apache.chemistry.opencmis.server.impl.atompub.CmisAtomPubServlet;
 import org.springframework.extensions.webscripts.WebScriptRequest;
 import org.springframework.extensions.webscripts.WebScriptResponse;
-import org.springframework.extensions.webscripts.servlet.WebScriptServletRuntime;
 
 /**
  * Dispatches OpenCMIS requests to a servlet e.g. the OpenCMIS AtomPub servlet.
@@ -90,6 +84,8 @@ public abstract class CMISServletDispatcher implements CMISDispatcher
 	protected CmisVersion cmisVersion;
 	protected TenantAdminService tenantAdminService;
 
+	private boolean allowUnsecureCallbackJSONP;
+
     private Set<String> nonAttachContentTypes = Collections.emptySet(); // pre-configured whitelist, eg. images & pdf
 
 	public void setTenantAdminService(TenantAdminService tenantAdminService)
@@ -151,7 +147,17 @@ public abstract class CMISServletDispatcher implements CMISDispatcher
 
 		return this.currentDescriptor;
 	}
-	
+
+	public void setAllowUnsecureCallbackJSONP(boolean allowUnsecureCallbackJSONP)
+	{
+		this.allowUnsecureCallbackJSONP = allowUnsecureCallbackJSONP;
+	}
+
+	public boolean isAllowUnsecureCallbackJSONP()
+	{
+		return allowUnsecureCallbackJSONP;
+	}
+
 	public void init()
 	{
 		Endpoint endpoint = new Endpoint(getBinding(), version);
@@ -219,12 +225,22 @@ public abstract class CMISServletDispatcher implements CMISDispatcher
 			CMISHttpServletResponse httpResWrapper = getHttpResponse(res);
 	    	CMISHttpServletRequest httpReqWrapper = getHttpRequest(req);
 
-	    	servlet.service(httpReqWrapper, httpResWrapper);
+			// check for "callback" query param
+			if (!allowUnsecureCallbackJSONP && httpReqWrapper.getParameter("callback") != null)
+			{
+				throw new JsonpCallbackNotAllowedException();
+			}
+			servlet.service(httpReqWrapper, httpResWrapper);
 		}
 		catch(ServletException e)
 		{
 			throw new AlfrescoRuntimeException("", e);
 		}
+		catch (JsonpCallbackNotAllowedException e)
+		{
+			res.setStatus(403);
+			res.getWriter().append(e.getMessage());
+		}
 	}
 
     /**

remote-api/src/main/java/org/alfresco/repo/web/scripts/bulkimport/AbstractBulkFileSystemImportWebScript.java

@@ -30,8 +30,19 @@ import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.util.Arrays;
 import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.OptionalInt;
+import java.util.function.Function;
+import java.util.function.Supplier;
+
+import com.google.common.primitives.Ints;
 
 import org.alfresco.repo.bulkimport.BulkFilesystemImporter;
+import org.alfresco.repo.bulkimport.BulkImportParameters;
+import org.alfresco.repo.bulkimport.NodeImporter;
+import org.alfresco.repo.bulkimport.impl.MultiThreadedBulkFilesystemImporter;
 import org.alfresco.repo.model.Repository;
 import org.alfresco.service.cmr.model.FileFolderService;
 import org.alfresco.service.cmr.model.FileInfo;
@@ -39,8 +50,12 @@ import org.alfresco.service.cmr.model.FileNotFoundException;
 import org.alfresco.service.cmr.repository.NodeRef;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.extensions.surf.util.I18NUtil;
+import org.springframework.extensions.webscripts.Cache;
 import org.springframework.extensions.webscripts.DeclarativeWebScript;
+import org.springframework.extensions.webscripts.Status;
 import org.springframework.extensions.webscripts.WebScriptException;
+import org.springframework.extensions.webscripts.WebScriptRequest;
 
 /**
  * contains common fields and methods for the import web scripts.
@@ -60,10 +75,10 @@ public class AbstractBulkFileSystemImportWebScript extends DeclarativeWebScript
     // Web scripts parameters (common)
 	protected static final String PARAMETER_REPLACE_EXISTING        = "replaceExisting";
 	protected static final String PARAMETER_EXISTING_FILE_MODE      = "existingFileMode";
-	protected static final String PARAMETER_VALUE_REPLACE_EXISTING 	= "replaceExisting";
+	protected static final String PARAMETER_VALUE_REPLACE_EXISTING 	= "true";
 	protected static final String PARAMETER_SOURCE_DIRECTORY       	= "sourceDirectory";
 	protected static final String PARAMETER_DISABLE_RULES		    = "disableRules";
-	protected static final String PARAMETER_VALUE_DISABLE_RULES		= "disableRules";
+	protected static final String PARAMETER_VALUE_DISABLE_RULES		= "true";
 
 	protected static final String IMPORT_ALREADY_IN_PROGRESS_MODEL_KEY = "importInProgress";
 	protected static final String IMPORT_ALREADY_IN_PROGRESS_ERROR_KEY ="bfsit.error.importAlreadyInProgress";
@@ -75,7 +90,7 @@ public class AbstractBulkFileSystemImportWebScript extends DeclarativeWebScript
 	protected Repository repository;
 	   
 	protected volatile boolean importInProgress;
-    
+
 	protected NodeRef getTargetNodeRef(String targetNodeRefStr, String targetPath) throws FileNotFoundException
 	{
 		NodeRef targetNodeRef;
@@ -219,4 +234,198 @@ public class AbstractBulkFileSystemImportWebScript extends DeclarativeWebScript
 		this.repository = repository;
 	}
 
+	protected class MultithreadedImportWebScriptLogic
+	{
+		private final MultiThreadedBulkFilesystemImporter bulkImporter;
+		private final Supplier<NodeImporter> nodeImporterFactory;
+		private final WebScriptRequest request;
+		private final Status status;
+		private final Cache cache;
+
+		public MultithreadedImportWebScriptLogic(MultiThreadedBulkFilesystemImporter bulkImporter, Supplier<NodeImporter> nodeImporterFactory, WebScriptRequest request, Status status, Cache cache)
+		{
+			this.bulkImporter = Objects.requireNonNull(bulkImporter);
+			this.nodeImporterFactory = Objects.requireNonNull(nodeImporterFactory);
+			this.request = Objects.requireNonNull(request);
+			this.status = Objects.requireNonNull(status);
+			this.cache = Objects.requireNonNull(cache);
+		}
+
+		public Map<String, Object> executeImport()
+		{
+			Map<String, Object> model  = new HashMap<>();
+			cache.setNeverCache(true);
+			String targetPath = null;
+
+			try
+			{
+				targetPath = request.getParameter(PARAMETER_TARGET_PATH);
+				if (isRunning())
+				{
+					model.put(IMPORT_ALREADY_IN_PROGRESS_MODEL_KEY, I18NUtil.getMessage(IMPORT_ALREADY_IN_PROGRESS_ERROR_KEY));
+					return model;
+				}
+
+				final BulkImportParameters bulkImportParameters = getBulkImportParameters();
+				final NodeImporter nodeImporter = nodeImporterFactory.get();
+
+				bulkImporter.asyncBulkImport(bulkImportParameters, nodeImporter);
+
+				waitForImportToBegin();
+
+				// redirect to the status Web Script
+				status.setCode(Status.STATUS_MOVED_TEMPORARILY);
+				status.setRedirect(true);
+				status.setLocation(request.getServiceContextPath() + WEB_SCRIPT_URI_BULK_FILESYSTEM_IMPORT_STATUS);
+			}
+			catch (WebScriptException | IllegalArgumentException e)
+			{
+				status.setCode(Status.STATUS_BAD_REQUEST, e.getMessage());
+				status.setRedirect(true);
+			}
+			catch (FileNotFoundException fnfe)
+			{
+				status.setCode(Status.STATUS_BAD_REQUEST,"The repository path '" + targetPath + "' does not exist !");
+				status.setRedirect(true);
+			}
+			catch (Throwable t)
+			{
+				throw new WebScriptException(Status.STATUS_INTERNAL_SERVER_ERROR, buildTextMessage(t), t);
+			}
+
+			return model;
+		}
+
+		private void waitForImportToBegin() throws InterruptedException
+		{
+			// ACE-3047 fix, since bulk import is started asynchronously there is a chance that client
+			// will get into the status page before import is actually started.
+			// In this case wrong information (for previous import) will be displayed.
+			// So lets ensure that import started before redirecting client to status page.
+			int i = 0;
+			while (!bulkImporter.getStatus().inProgress() && i < 10)
+			{
+				Thread.sleep(100);
+				i++;
+			}
+		}
+
+		private BulkImportParameters getBulkImportParameters() throws FileNotFoundException
+		{
+			final BulkImportParametersExtractor extractor = new BulkImportParametersExtractor(request::getParameter,
+					AbstractBulkFileSystemImportWebScript.this::getTargetNodeRef,
+					bulkImporter.getDefaultBatchSize(),
+					bulkImporter.getDefaultNumThreads());
+			return extractor.extract();
+		}
+
+		private boolean isRunning()
+		{
+			return bulkImporter.getStatus().inProgress();
+		}
+	}
+
+	protected static class BulkImportParametersExtractor
+	{
+		private final Function<String, String> paramsProvider;
+		private final NodeRefCreator nodeRefCreator;
+		private final int defaultBatchSize;
+		private final int defaultNumThreads;
+
+		public BulkImportParametersExtractor(final Function<String, String> paramsProvider, final NodeRefCreator nodeRefCreator,
+											 final int defaultBatchSize, final int defaultNumThreads)
+		{
+			this.paramsProvider = Objects.requireNonNull(paramsProvider);
+			this.nodeRefCreator = Objects.requireNonNull(nodeRefCreator);
+			this.defaultBatchSize = defaultBatchSize;
+			this.defaultNumThreads = defaultNumThreads;
+		}
+
+		public BulkImportParameters extract() throws FileNotFoundException
+		{
+			BulkImportParameters result = new BulkImportParameters();
+
+			result.setTarget(getTargetNodeRef());
+			setExistingFileMode(result);
+			result.setNumThreads(getOptionalPositiveInteger(PARAMETER_NUM_THREADS).orElse(defaultNumThreads));
+			result.setBatchSize(getOptionalPositiveInteger(PARAMETER_BATCH_SIZE).orElse(defaultBatchSize));
+			setDisableRules(result);
+
+			return result;
+		}
+
+		private void setExistingFileMode(BulkImportParameters params)
+		{
+			String replaceExistingStr = getParamStringValue(PARAMETER_REPLACE_EXISTING);
+			String existingFileModeStr = getParamStringValue(PARAMETER_EXISTING_FILE_MODE);
+
+			if (!isNullOrEmpty(replaceExistingStr) && !isNullOrEmpty(existingFileModeStr))
+			{
+				// Check that we haven't had both the deprecated and new (existingFileMode)
+				// parameters supplied.
+				throw new IllegalStateException(
+						String.format("Only one of these parameters may be used, not both: %s, %s",
+								PARAMETER_REPLACE_EXISTING,
+								PARAMETER_EXISTING_FILE_MODE));
+			}
+
+			if (!isNullOrEmpty(existingFileModeStr))
+			{
+				params.setExistingFileMode(BulkImportParameters.ExistingFileMode.valueOf(existingFileModeStr));
+			}
+			else
+			{
+				params.setReplaceExisting(PARAMETER_VALUE_REPLACE_EXISTING.equals(replaceExistingStr));
+			}
+		}
+
+		private void setDisableRules(final BulkImportParameters params)
+		{
+			final String disableRulesStr = getParamStringValue(PARAMETER_DISABLE_RULES);
+			params.setDisableRulesService(!isNullOrEmpty(disableRulesStr) && PARAMETER_VALUE_DISABLE_RULES.equals(disableRulesStr));
+		}
+
+		private NodeRef getTargetNodeRef() throws FileNotFoundException
+		{
+			String targetNodeRefStr = getParamStringValue(PARAMETER_TARGET_NODEREF);
+			String targetPath = getParamStringValue(PARAMETER_TARGET_PATH);
+			return nodeRefCreator.fromNodeRefAndPath(targetNodeRefStr, targetPath);
+		}
+
+		private OptionalInt getOptionalPositiveInteger(final String paramName)
+		{
+			final String strValue = getParamStringValue(paramName);
+			if (isNullOrEmpty(strValue))
+			{
+				return OptionalInt.empty();
+			}
+
+			final Integer asInt = Ints.tryParse(strValue);
+			if (asInt == null || asInt < 1)
+			{
+				throw new WebScriptException("Error: parameter '" + paramName + "' must be an integer > 0.");
+			}
+
+			return OptionalInt.of(asInt);
+		}
+
+		private String getParamStringValue(String paramName)
+		{
+			Objects.requireNonNull(paramName);
+
+			return paramsProvider.apply(paramName);
+		}
+
+		private boolean isNullOrEmpty(String str)
+		{
+			return str == null || str.trim().length() == 0;
+		}
+
+		@FunctionalInterface
+		protected interface NodeRefCreator
+		{
+			NodeRef fromNodeRefAndPath(String nodeRef, String path) throws FileNotFoundException;
+		}
+	}
+
 }

remote-api/src/main/java/org/alfresco/repo/web/scripts/bulkimport/copy/BulkFilesystemImportWebScript.java

@@ -27,17 +27,12 @@
 package org.alfresco.repo.web.scripts.bulkimport.copy;
 
 import java.io.File;
-import java.util.HashMap;
 import java.util.Map;
 
-import org.alfresco.repo.bulkimport.BulkImportParameters;
 import org.alfresco.repo.bulkimport.NodeImporter;
 import org.alfresco.repo.bulkimport.impl.MultiThreadedBulkFilesystemImporter;
 import org.alfresco.repo.bulkimport.impl.StreamingNodeImporterFactory;
 import org.alfresco.repo.web.scripts.bulkimport.AbstractBulkFileSystemImportWebScript;
-import org.alfresco.service.cmr.model.FileNotFoundException;
-import org.alfresco.service.cmr.repository.NodeRef;
-import org.springframework.extensions.surf.util.I18NUtil;
 import org.springframework.extensions.webscripts.Cache;
 import org.springframework.extensions.webscripts.Status;
 import org.springframework.extensions.webscripts.WebScriptException;
@@ -69,170 +64,22 @@ public class BulkFilesystemImportWebScript extends AbstractBulkFileSystemImportW
     @Override
     protected Map<String, Object> executeImpl(final WebScriptRequest request, final Status status, final Cache cache)
     {
-        Map<String, Object> model  = new HashMap<String, Object>();
-        String targetNodeRefStr = null;
-        String targetPath = null;
-        String sourceDirectoryStr = null;
-        @Deprecated String replaceExistingStr = null;
-        String existingFileModeStr = null;
-        String batchSizeStr = null;
-        String numThreadsStr = null;
-        String disableRulesStr = null;
+        final MultithreadedImportWebScriptLogic importLogic = new MultithreadedImportWebScriptLogic(bulkImporter,
+                () -> createNodeImporter(request), request, status, cache);
+        return importLogic.executeImport();
+    }
 
-        cache.setNeverCache(true);
-        
-        try
+    private NodeImporter createNodeImporter(WebScriptRequest request)
+    {
+        final String sourceDirectoryStr = request.getParameter(PARAMETER_SOURCE_DIRECTORY);
+        if (sourceDirectoryStr == null || sourceDirectoryStr.trim().length() == 0)
         {
-            if(!bulkImporter.getStatus().inProgress())
-            {
-                NodeRef targetNodeRef = null;
-                File sourceDirectory = null;
-                boolean replaceExisting = false;
-                BulkImportParameters.ExistingFileMode existingFileMode = null;
-                int batchSize = bulkImporter.getDefaultBatchSize();
-                int numThreads = bulkImporter.getDefaultNumThreads();
-                boolean disableRules = false;
-                
-                // Retrieve, validate and convert parameters
-                targetNodeRefStr = request.getParameter(PARAMETER_TARGET_NODEREF);
-                targetPath = request.getParameter(PARAMETER_TARGET_PATH);
-                sourceDirectoryStr = request.getParameter(PARAMETER_SOURCE_DIRECTORY);
-                replaceExistingStr = request.getParameter(PARAMETER_REPLACE_EXISTING);
-                existingFileModeStr = request.getParameter(PARAMETER_EXISTING_FILE_MODE);
-
-                batchSizeStr = request.getParameter(PARAMETER_BATCH_SIZE);
-                numThreadsStr = request.getParameter(PARAMETER_NUM_THREADS);
-                disableRulesStr = request.getParameter(PARAMETER_DISABLE_RULES);
-
-                targetNodeRef = getTargetNodeRef(targetNodeRefStr, targetPath);
-                
-                if (sourceDirectoryStr == null || sourceDirectoryStr.trim().length() == 0)
-                {
-                    throw new RuntimeException("Error: mandatory parameter '" + PARAMETER_SOURCE_DIRECTORY + "' was not provided.");
-                }
-                
-                sourceDirectory = new File(sourceDirectoryStr.trim());
-
-                if (replaceExistingStr != null && existingFileModeStr != null)
-                {
-                    // Check that we haven't had both the deprecated and new (existingFileMode)
-                    // parameters supplied.
-                    throw new IllegalStateException(
-                            String.format("Only one of these parameters may be used, not both: %s, %s",
-                                    PARAMETER_REPLACE_EXISTING,
-                                    PARAMETER_EXISTING_FILE_MODE));
-                }
-
-                if (replaceExistingStr != null && replaceExistingStr.trim().length() > 0)
-                {
-                    replaceExisting = PARAMETER_VALUE_REPLACE_EXISTING.equals(replaceExistingStr);
-                }
-
-                if (existingFileModeStr != null && existingFileModeStr.trim().length() > 0)
-                {
-                    existingFileMode = BulkImportParameters.ExistingFileMode.valueOf(existingFileModeStr);
-                }
-
-                if (disableRulesStr != null && disableRulesStr.trim().length() > 0)
-                {
-                    disableRules = PARAMETER_VALUE_DISABLE_RULES.equals(disableRulesStr);
-                }
-
-                // Initiate the import
-                NodeImporter nodeImporter = nodeImporterFactory.getNodeImporter(sourceDirectory);
-                BulkImportParameters bulkImportParameters = new BulkImportParameters();
-                
-                if (numThreadsStr != null && numThreadsStr.trim().length() > 0)
-                {
-                	try
-                	{
-                		numThreads = Integer.parseInt(numThreadsStr);
-                		if(numThreads < 1)
-                		{
-                            throw new RuntimeException("Error: parameter '" + PARAMETER_NUM_THREADS + "' must be an integer > 0.");
-                		}
-                        bulkImportParameters.setNumThreads(numThreads);
-                	}
-                	catch(NumberFormatException e)
-                	{
-                        throw new RuntimeException("Error: parameter '" + PARAMETER_NUM_THREADS + "' must be an integer > 0.");
-                	}
-                }
-                
-                if (batchSizeStr != null && batchSizeStr.trim().length() > 0)
-                {
-                	try
-                	{
-                		batchSize = Integer.parseInt(batchSizeStr);
-                		if(batchSize < 1)
-                		{
-                            throw new RuntimeException("Error: parameter '" + PARAMETER_BATCH_SIZE + "' must be an integer > 0.");
-                		}
-                        bulkImportParameters.setBatchSize(batchSize);
-                	}
-                	catch(NumberFormatException e)
-                	{
-                        throw new RuntimeException("Error: parameter '" + PARAMETER_BATCH_SIZE + "' must be an integer > 0.");
-                	}
-                }
-
-                if (existingFileMode != null)
-                {
-                    bulkImportParameters.setExistingFileMode(existingFileMode);
-                }
-                else
-                {
-                    // Fall back to the old/deprecated way.
-                    bulkImportParameters.setReplaceExisting(replaceExisting);
-                }
-
-                bulkImportParameters.setTarget(targetNodeRef);
-                bulkImportParameters.setDisableRulesService(disableRules);
-
-                bulkImporter.asyncBulkImport(bulkImportParameters, nodeImporter);
-
-                // ACE-3047 fix, since bulk import is started asynchronously there is a chance that client 
-                // will get into the status page before import is actually started.
-                // In this case wrong information (for previous import) will be displayed.
-                // So lets ensure that import started before redirecting client to status page.
-                int i = 0;
-                while (!bulkImporter.getStatus().inProgress() && i < 10)
-                {
-                	Thread.sleep(100);
-                	i++;
-                }
-                
-                // redirect to the status Web Script
-                status.setCode(Status.STATUS_MOVED_TEMPORARILY);
-                status.setRedirect(true);
-                status.setLocation(request.getServiceContextPath() + WEB_SCRIPT_URI_BULK_FILESYSTEM_IMPORT_STATUS);
-            }
-            else
-            {
-            	model.put(IMPORT_ALREADY_IN_PROGRESS_MODEL_KEY, I18NUtil.getMessage(IMPORT_ALREADY_IN_PROGRESS_ERROR_KEY));
-            }
+            throw new WebScriptException("Error: mandatory parameter '" + PARAMETER_SOURCE_DIRECTORY + "' was not provided.");
         }
-        catch (WebScriptException wse)
-        {
-        	status.setCode(Status.STATUS_BAD_REQUEST, wse.getMessage());
-        	status.setRedirect(true);
-        }
-        catch (FileNotFoundException fnfe)
-        {
-        	status.setCode(Status.STATUS_BAD_REQUEST,"The repository path '" + targetPath + "' does not exist !");
-        	status.setRedirect(true);
-        }
-        catch(IllegalArgumentException iae)
-        {
-        	status.setCode(Status.STATUS_BAD_REQUEST,iae.getMessage());
-        	status.setRedirect(true);
-        }
-        catch (Throwable t)
-        {
-            throw new WebScriptException(Status.STATUS_INTERNAL_SERVER_ERROR, buildTextMessage(t), t);
-        }
-        
-        return model;
+
+        final File sourceDirectory = new File(sourceDirectoryStr.trim());
+
+        return nodeImporterFactory.getNodeImporter(sourceDirectory);
     }
 
 }

remote-api/src/main/java/org/alfresco/rest/framework/core/exceptions/JsonpCallbackNotAllowedException.java

@@ -0,0 +1,49 @@
+/*
+ * #%L
+ * Alfresco Remote API
+ * %%
+ * Copyright (C) 2005 - 2021 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software. 
+ * If the software was purchased under a paid Alfresco license, the terms of 
+ * the paid license agreement will prevail.  Otherwise, the software is 
+ * provided under the following open source license terms:
+ * 
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ * 
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.rest.framework.core.exceptions;
+
+/**
+ * JSONP callback not allowed
+ *
+ * @author Vitor Moreira
+ */
+public class JsonpCallbackNotAllowedException extends ApiException
+{
+    private static final long serialVersionUID = 7198491358180044895L;
+
+    public static String DEFAULT_MESSAGE_ID = "framework.exception.JsonpCallbackNotAllowed";
+
+    public JsonpCallbackNotAllowedException()
+    {
+        super(DEFAULT_MESSAGE_ID);
+    }
+
+    public JsonpCallbackNotAllowedException(String msgId)
+    {
+        super(msgId);
+    }
+
+}

remote-api/src/main/resources/alfresco/messages/rest-framework-messages.properties

@@ -14,4 +14,6 @@ framework.exception.UnsupportedResourceOperation=The operation is unsupported
 framework.exception.DeletedResource=In this version of the REST API resource {0} has been deleted
 framework.exception.RequestEntityTooLarge=The file can't be uploaded because it's larger than the maximum upload size
 framework.exception.InsufficientStorage=The file upload exceeds the content storage allowance
+framework.exception.JsonpCallbackNotAllowed=For security reasons the callback parameter is not allowed
 framework.no.stacktrace=For security reasons the stack trace is no longer displayed, but the property is kept for previous versions
+

remote-api/src/main/resources/alfresco/public-rest-context.xml

@@ -1070,7 +1070,7 @@
         <property name="enabled" value="${system.api.discovery.enabled}" />
         <property name="thumbnailService" ref="ThumbnailService" />
         <property name="restApiDirectUrlConfig" ref="restApiDirectUrlConfig" />
-        <property name="contentService" ref="ContentService" />
+        <property name="contentService" ref="contentService" />
     </bean>
 
     <bean id="org.alfresco.rest.api.probes.ProbeEntityResource.get" class="org.alfresco.rest.api.probes.ProbeEntityResource">
@@ -1138,6 +1138,7 @@
         <property name="cmisVersion"        value="1.1"/>
         <property name="tenantAdminService" ref="tenantAdminService"/>
         <property name="nonAttachContentTypes" ref="nodes.nonAttachContentTypes"/>
+        <property name="allowUnsecureCallbackJSONP" value="${allow.unsecure.callback.jsonp}"/>
     </bean>
 
     <bean   id="webscript.org.alfresco.api.opencmis.OpenCMIS.get" 

remote-api/src/test/java/org/alfresco/AppContext01TestSuite.java

@@ -42,6 +42,7 @@ import org.junit.runners.Suite;
     org.alfresco.rest.api.tests.TestPublicApiAtomPub10TCK.class,
     org.alfresco.rest.api.tests.TestPublicApiAtomPub11TCK.class,
     org.alfresco.rest.api.tests.TestPublicApiBrowser11TCK.class,
+    org.alfresco.repo.web.scripts.bulkimport.BulkImportParametersExtractorTest.class
 })
 public class AppContext01TestSuite
 {

remote-api/src/test/java/org/alfresco/repo/web/scripts/bulkimport/BulkImportParametersExtractorTest.java

@@ -0,0 +1,252 @@
+/*
+ * #%L
+ * Alfresco Remote API
+ * %%
+ * Copyright (C) 2005 - 2021 Alfresco Software Limited
+ * %%
+ * This file is part of the Alfresco software.
+ * If the software was purchased under a paid Alfresco license, the terms of
+ * the paid license agreement will prevail.  Otherwise, the software is
+ * provided under the following open source license terms:
+ *
+ * Alfresco is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Alfresco is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with Alfresco. If not, see <http://www.gnu.org/licenses/>.
+ * #L%
+ */
+package org.alfresco.repo.web.scripts.bulkimport;
+
+import static org.alfresco.repo.web.scripts.bulkimport.AbstractBulkFileSystemImportWebScript.PARAMETER_BATCH_SIZE;
+import static org.alfresco.repo.web.scripts.bulkimport.AbstractBulkFileSystemImportWebScript.PARAMETER_DISABLE_RULES;
+import static org.alfresco.repo.web.scripts.bulkimport.AbstractBulkFileSystemImportWebScript.PARAMETER_NUM_THREADS;
+import static org.alfresco.repo.web.scripts.bulkimport.AbstractBulkFileSystemImportWebScript.PARAMETER_TARGET_NODEREF;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertThrows;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.util.Map;
+
+import org.alfresco.repo.bulkimport.BulkImportParameters;
+import org.alfresco.repo.bulkimport.BulkImportParameters.ExistingFileMode;
+import org.alfresco.repo.web.scripts.bulkimport.AbstractBulkFileSystemImportWebScript.BulkImportParametersExtractor;
+import org.alfresco.service.cmr.model.FileNotFoundException;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.junit.Test;
+import org.springframework.extensions.webscripts.WebScriptException;
+
+public class BulkImportParametersExtractorTest
+{
+    private static final String TEST_NODE_REF = "workspace://SpacesStore/this-is-just-a-test-ref";
+    private static final String TEST_MISSING_NODE_REF = "workspace://SpacesStore/this-is-just-a-not-existing-test-ref";
+    private static final Integer DEFAULT_BATCH_SIZE = 1234;
+    private static final Integer DEFAULT_NUMBER_OF_THREADS = 4321;
+
+    @Test
+    public void shouldExtractTargetRef() throws FileNotFoundException
+    {
+        final BulkImportParametersExtractor extractor = givenExtractor(Map.of(
+                PARAMETER_TARGET_NODEREF, TEST_NODE_REF));
+
+        final BulkImportParameters params = extractor.extract();
+
+        assertNotNull(params);
+        assertNotNull(params.getTarget());
+        assertEquals(TEST_NODE_REF, params.getTarget().toString());
+    }
+
+    @Test
+    public void shouldFallbackToDefaultValues() throws FileNotFoundException
+    {
+        final BulkImportParametersExtractor extractor = givenExtractor(Map.of(
+                PARAMETER_TARGET_NODEREF, TEST_NODE_REF));
+
+        final BulkImportParameters params = extractor.extract();
+
+        assertEquals(DEFAULT_BATCH_SIZE, params.getBatchSize());
+        assertEquals(DEFAULT_NUMBER_OF_THREADS, params.getNumThreads());
+        assertFalse(params.isDisableRulesService());
+        assertEquals(ExistingFileMode.SKIP, params.getExistingFileMode());
+        assertNull(params.getLoggingInterval());
+    }
+
+    @Test
+    public void shouldExtractDisableFolderRulesFlagWhenSetToTrue() throws FileNotFoundException
+    {
+        final BulkImportParametersExtractor extractor = givenExtractor(Map.of(
+                PARAMETER_TARGET_NODEREF, TEST_NODE_REF,
+                PARAMETER_DISABLE_RULES, "true"
+                                                                             ));
+
+        final BulkImportParameters params = extractor.extract();
+
+        assertTrue(params.isDisableRulesService());
+    }
+
+    @Test
+    public void shouldExtractDisableFolderRulesFlagWhenSetToFalse() throws FileNotFoundException
+    {
+        final BulkImportParametersExtractor extractor = givenExtractor(Map.of(
+                PARAMETER_TARGET_NODEREF, TEST_NODE_REF,
+                PARAMETER_DISABLE_RULES, "false"
+                                                                             ));
+
+        final BulkImportParameters params = extractor.extract();
+
+        assertFalse(params.isDisableRulesService());
+    }
+
+    @Test
+    public void shouldExtractDisableFolderRulesFlagWhenSetToNotBooleanValue() throws FileNotFoundException
+    {
+        final BulkImportParametersExtractor extractor = givenExtractor(Map.of(
+                PARAMETER_TARGET_NODEREF, TEST_NODE_REF,
+                PARAMETER_DISABLE_RULES, "unknown"
+                                                                             ));
+
+        final BulkImportParameters params = extractor.extract();
+
+        assertFalse(params.isDisableRulesService());
+    }
+
+    @Test
+    public void shouldPropagateFileNotFoundExceptionWhenTargetIsNotFound()
+    {
+        final BulkImportParametersExtractor extractor = givenExtractor(Map.of(
+                PARAMETER_TARGET_NODEREF, TEST_MISSING_NODE_REF));
+
+        assertThrows(FileNotFoundException.class, extractor::extract);
+    }
+
+    @Test
+    public void shouldExtractValidBatchSize() throws FileNotFoundException
+    {
+        final BulkImportParametersExtractor extractor = givenExtractor(Map.of(
+                PARAMETER_TARGET_NODEREF, TEST_NODE_REF,
+                PARAMETER_BATCH_SIZE, "1"));
+
+        final BulkImportParameters params = extractor.extract();
+
+        assertEquals(Integer.valueOf(1), params.getBatchSize());
+    }
+
+    @Test
+    public void shouldFailWithWebScriptExceptionWhenInvalidBatchSizeIsRequested() throws FileNotFoundException
+    {
+        final BulkImportParametersExtractor extractor = givenExtractor(Map.of(
+                PARAMETER_TARGET_NODEREF, TEST_NODE_REF,
+                PARAMETER_BATCH_SIZE, "not-a-number"));
+
+        try
+        {
+            extractor.extract();
+        } catch (WebScriptException e)
+        {
+            assertNotNull(e.getMessage());
+            assertTrue(e.getMessage().contains(PARAMETER_BATCH_SIZE));
+            return;
+        }
+
+        fail("Expected exception to be thrown.");
+    }
+
+    @Test
+    public void shouldFailWithWebScriptExceptionWhenNegativeBatchSizeIsRequested() throws FileNotFoundException
+    {
+        final BulkImportParametersExtractor extractor = givenExtractor(Map.of(
+                PARAMETER_TARGET_NODEREF, TEST_NODE_REF,
+                PARAMETER_BATCH_SIZE, "-1"));
+
+        try
+        {
+            extractor.extract();
+        } catch (WebScriptException e)
+        {
+            assertNotNull(e.getMessage());
+            assertTrue(e.getMessage().contains(PARAMETER_BATCH_SIZE));
+            return;
+        }
+
+        fail("Expected exception to be thrown.");
+    }
+
+    @Test
+    public void shouldExtractValidNumberOfThreads() throws FileNotFoundException
+    {
+        final BulkImportParametersExtractor extractor = givenExtractor(Map.of(
+                PARAMETER_TARGET_NODEREF, TEST_NODE_REF,
+                PARAMETER_NUM_THREADS, "1"));
+
+        final BulkImportParameters params = extractor.extract();
+
+        assertEquals(Integer.valueOf(1), params.getNumThreads());
+    }
+
+    @Test
+    public void shouldFailWithWebScriptExceptionWhenInvalidNumberOfThreadsIsRequested() throws FileNotFoundException
+    {
+        final BulkImportParametersExtractor extractor = givenExtractor(Map.of(
+                PARAMETER_TARGET_NODEREF, TEST_NODE_REF,
+                PARAMETER_NUM_THREADS, "not-a-number"));
+
+        try
+        {
+            extractor.extract();
+        } catch (WebScriptException e)
+        {
+            assertNotNull(e.getMessage());
+            assertTrue(e.getMessage().contains(PARAMETER_NUM_THREADS));
+            return;
+        }
+
+        fail("Expected exception to be thrown.");
+    }
+
+    @Test
+    public void shouldFailWithWebScriptExceptionWhenNegativeNumberOfThreadsIsRequested() throws FileNotFoundException
+    {
+        final BulkImportParametersExtractor extractor = givenExtractor(Map.of(
+                PARAMETER_TARGET_NODEREF, TEST_NODE_REF,
+                PARAMETER_NUM_THREADS, "-1"));
+
+        try
+        {
+            extractor.extract();
+        } catch (WebScriptException e)
+        {
+            assertNotNull(e.getMessage());
+            assertTrue(e.getMessage().contains(PARAMETER_NUM_THREADS));
+            return;
+        }
+
+        fail("Expected exception to be thrown.");
+    }
+
+    private BulkImportParametersExtractor givenExtractor(Map<String, String> params)
+    {
+
+        return new BulkImportParametersExtractor(params::get, this::testRefCreator, DEFAULT_BATCH_SIZE, DEFAULT_NUMBER_OF_THREADS);
+    }
+
+    private NodeRef testRefCreator(String nodeRef, String path) throws FileNotFoundException
+    {
+        if (TEST_MISSING_NODE_REF.equals(nodeRef))
+        {
+            throw new FileNotFoundException(new NodeRef(nodeRef));
+        }
+        return new NodeRef(nodeRef);
+    }
+
+}

remote-api/src/test/java/org/alfresco/rest/api/tests/TestCMIS.java

@@ -60,8 +60,11 @@ import org.alfresco.cmis.client.impl.AlfrescoObjectFactoryImpl;
 import org.alfresco.cmis.client.type.AlfrescoType;
 import org.alfresco.model.ContentModel;
 import org.alfresco.model.RenditionModel;
+import org.alfresco.opencmis.CMISDispatcher;
 import org.alfresco.opencmis.CMISDispatcherRegistry.Binding;
+import org.alfresco.opencmis.CMISServletDispatcher;
 import org.alfresco.opencmis.PublicApiAlfrescoCmisServiceFactory;
+import org.alfresco.opencmis.PublicApiBrowserCMISDispatcher;
 import org.alfresco.opencmis.dictionary.CMISStrictDictionaryService;
 import org.alfresco.opencmis.dictionary.QNameFilter;
 import org.alfresco.opencmis.dictionary.QNameFilterImpl;
@@ -99,6 +102,7 @@ import org.alfresco.rest.api.tests.client.data.NodeRating.Aggregate;
 import org.alfresco.rest.api.tests.client.data.Person;
 import org.alfresco.rest.api.tests.client.data.SiteRole;
 import org.alfresco.rest.api.tests.client.data.Tag;
+import org.alfresco.rest.framework.core.exceptions.JsonpCallbackNotAllowedException;
 import org.alfresco.service.cmr.lock.LockService;
 import org.alfresco.service.cmr.lock.LockType;
 import org.alfresco.service.cmr.model.FileFolderService;
@@ -153,6 +157,7 @@ import org.junit.Ignore;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
 import org.springframework.context.ApplicationContext;
+import org.springframework.extensions.surf.util.I18NUtil;
 import org.springframework.extensions.surf.util.URLEncoder;
 
 public class TestCMIS extends EnterpriseTestApi
@@ -517,6 +522,73 @@ public class TestCMIS extends EnterpriseTestApi
         assertEquals(200, response.getStatusCode());
     }
 
+    /**
+     * MNT-22428 Check the return from http://localhost:8080/alfresco/api/-default-/public/cmis/versions/1.1/browser/root&callback= when jsonp callback is disabled
+     *
+     * @throws Exception
+     */
+    @Test
+    public void testBrowserDisabledJSONPCallback() throws Exception
+    {
+        // disables unsecure callback jsonp
+        final PublicApiBrowserCMISDispatcher dispatcher = ctx.getBean(PublicApiBrowserCMISDispatcher.class);
+        dispatcher.setAllowUnsecureCallbackJSONP(false);
+
+        final TestNetwork network1 = getTestFixture().getRandomNetwork();
+        Iterator<String> personIt = network1.getPersonIds().iterator();
+        final String personId = personIt.next();
+        assertNotNull(personId);
+        Person person = repoService.getPerson(personId);
+        assertNotNull(person);
+
+        publicApiClient.setRequestContext(new RequestContext(network1.getId(), personId));
+
+        // request with a callback parameter
+        HttpResponse response;
+        final Map<String, String> params = Map.of("callback", "");
+        response = publicApiClient.get(network1.getId() + "/public/cmis/versions/1.1/browser/root", params);
+        assertEquals(403, response.getStatusCode());
+
+        String exceptionMessage = I18NUtil.getMessage(JsonpCallbackNotAllowedException.DEFAULT_MESSAGE_ID, params);
+        assertTrue(response.getResponse().endsWith(exceptionMessage));
+
+        // request without a callback parameter
+        response = publicApiClient.get(network1.getId() + "/public/cmis/versions/1.1/browser/root", null);
+        assertEquals(200, response.getStatusCode());
+    }
+
+    /*
+     * MNT-22428 Check the return from http://localhost:8080/alfresco/api/-default-/public/cmis/versions/1.1/browser/root&callback= when jsonp callback is enabled
+     *
+     * @throws Exception
+     */
+    @Test
+    public void testBrowserEnabledJSONPCallback() throws Exception
+    {
+        // enables unsecure callback jsonp
+        final PublicApiBrowserCMISDispatcher dispatcher = ctx.getBean(PublicApiBrowserCMISDispatcher.class);
+        dispatcher.setAllowUnsecureCallbackJSONP(true);
+
+        final TestNetwork network1 = getTestFixture().getRandomNetwork();
+        Iterator<String> personIt = network1.getPersonIds().iterator();
+        final String personId = personIt.next();
+        assertNotNull(personId);
+        Person person = repoService.getPerson(personId);
+        assertNotNull(person);
+
+        publicApiClient.setRequestContext(new RequestContext(network1.getId(), personId));
+
+        // request with a callback parameter
+        HttpResponse response;
+        final Map<String, String> params = Map.of("callback", "someFunction");
+        response = publicApiClient.get(network1.getId() + "/public/cmis/versions/1.1/browser/root", params);
+        assertEquals(200, response.getStatusCode());
+
+        // request without a callback parameter
+        response = publicApiClient.get(network1.getId() + "/public/cmis/versions/1.1/browser/root", null);
+        assertEquals(200, response.getStatusCode());
+    }
+
     /**
      * REPO-2041 / MNT-16236 Upload via cmis binding atom and browser files with different maxContentSize
      */

repository/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <groupId>org.alfresco</groupId>
         <artifactId>alfresco-community-repo</artifactId>
-        <version>11.141-SNAPSHOT</version>
+        <version>14.9</version>
     </parent>
 
     <dependencies>
@@ -191,7 +191,7 @@
         <dependency>
             <groupId>org.apache.maven</groupId>
             <artifactId>maven-artifact</artifactId>
-            <version>3.8.1</version>
+            <version>3.8.3</version>
         </dependency>
         <dependency>
             <groupId>de.schlichtherle.truezip</groupId>

repository/src/main/resources/alfresco/repository.properties

@@ -3,7 +3,7 @@
 repository.name=Main Repository
 
 # Schema number
-version.schema=15002
+version.schema=16000
 
 # Directory configuration
 
@@ -1308,3 +1308,6 @@ system.tempFileCleaner.maxTimeToRun=
 
 # Property to long running migration to remove alf_server in v7+ patch.db-V7.1.0-remove-alf_server-table
 system.remove-alf_server-table-from-db.ignored=true
+
+# When using JSONP, allows unsecure usage of "callback" functions. Disabled by default for security reasons
+allow.unsecure.callback.jsonp=false