GATE is an e-assessment system specifically designed to support programming education.
This system is able to help with the process of exercise management and assessment for large programming classes at university level. The implemented system can be configured to allow for self-assessments of students and can check solutions submitted by studens for plagiarism.
Please read the whole procedure in advance to executing it.
- Install Java (17 is recommended, 21 also works)
- On *nix (such as Debian) use the
openjdk-17-jre-headless
package - On Windows you can use Liberica OpenJDK 17
- On *nix (such as Debian) use the
- Install Apache Tomcat 9 (e.g., on Debian-based systems use the
tomcat9
package)- After installation Tomcat usually listens on locahost:8080
- For development it is recommended to download the binary archive and integrate Tomcat into the used IDE, e.g. into Eclipse.
- Install MariaDB
- For a development machine on Windows XAMPP is recommended which comes with phpMyAdmin a nice administration interface for MariaDB
- For development Eclipse (IDE for Enterprise Java Developers) >= 2022-09 is recommended
- It may be necessary to build GATE once using the Maven compile goal to ensure that all required dependencies are available locally (in particular, hibernate-jpamodelgen).
- For production use, it is recommended to run Apache Tomcat behind Apache httpd, connecting Tomcat using mod_proxy_ajp, terminate SSL/TLS in httpd and probably use Shibboleth for Single-Sign on.
- Configure the VHost with mod_proxy_ajp:
ProxyPreserveHost On ProxyStatus On ProxyPass / ajp://localhost:8009/ secret=SECRET
- Make sure Tomcat is not accessible directly (e.g., ports 8080, 8009, 8443); e.g. make port
8009
listen on::1
only and comment all otherConnector
s inserver.xml
. - Clustering is possible (needs in
Server/Engine[@jvmRoute]
to be configured inserver.xml
asjvm1
orjvm2
):<Proxy "balancer://mycluster"> BalancerMember ajp://srv1:8009 secret=SECRET route=jvm1 BalancerMember ajp://srv2:8009 secret=SECRET route=jvm2 ProxySet lbmethod=byrequests stickysession=JSESSIONID </Proxy> ProxyPass "/" "balancer://mycluster/"
- Make sure Tomcat is not accessible directly (e.g., ports 8080, 8009, 8443); e.g. make port
- How to configure Shibboleth:
- Install shibd and configure it (cf. https://www.switch.ch/aai/guides/sp/installation-2.5/), make sure the
ApplicationDefault
configuration inshibboleth2.xml
containsattributePrefix="AJP_"
(cf. https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPJavaInstall; please also make sure theAJP
connector in Tomcatserver.xml
does not block the Shibboleth request attributes, e.g. by settingallowedRequestAttributesPattern=".*"
or more restrictive"^(Shib-.*|givenName|eppn|sn|mail|persistent-id)$"
), has a large enough proxys packet size (packetSize="65536"
), andeppn
is set for theREMOTE_USER
inshibboleth2.xml
(should matchuserAttribute
, see below); also make sure/Shibboleth.sso/Logout
can be used for logout (cf.src/main/java/de/tuclausthal/submissioninterface/servlets/controller/Logout.java
) - Enable Shibboleth protection for the
Overview
servlet:ProxyPass /Shibboleth.sso/ ! ProxyPass /Shibboleth/ ! ProxyPass /shibboleth-sp/ ! <Location /gate/servlets/Overview> AuthType shibboleth ShibRequireSession On require valid-user </Location> ProxyIOBufferSize 65536
- For debugging: Please not that the Shibboleth attributes passed to Tomcat don't show up when iterating over the request variables. They need to be explicitly named (e.g.,
uid
orShib-Identity-Provider
).
- Install shibd and configure it (cf. https://www.switch.ch/aai/guides/sp/installation-2.5/), make sure the
- Configure the VHost with mod_proxy_ajp:
- For building the whole package you need maven (also often available as a package on *nix systems)
- For running the cron task regularly with the predefined script
submissiondir/runtests.sh
you need thelockfile
tool (usually part of theprocmail
package on *nix systems) - For using Docker-based tests you need to install Docker
- Decide what user and password to use (for production use a dedicated user is recommended)
- Create a new database
- Import
mysql.sql
src/main/resources/hibernate.cfg.xml
for the database configuration- Set the database name, username and password here
src/main/webapp/WEB-INF/web.xml
for Tomcat and GATE specific configurations- Adjust the
datapath
here, please make sure that this is accessible by Tomcat (should be read-only), use e.g./srv/gate/
orc:\gate
here. Create subdirectories namedlectures
andlogs
that are writable for the tomcat user where the user data and logs are stored.- On *nix the system Tomcat runs as the user
tomcat
, so make sure that the user has appropriate permissions, also on Debian-based systems, Tomcat might be sandboxed by systemd. Create a file/etc/systemd/system/tomcat9.service.d/gate.conf
containing:(afterwards, issue[Service] ReadWritePaths=/srv/gate/lectures/
systemctl daemon-reload
andsystemctl restart tomcat
)
- On *nix the system Tomcat runs as the user
- For development:
- Adjust
login
tode.tuclausthal.submissioninterface.authfilter.authentication.login.impl.Form
- Adjust
verify
tode.tuclausthal.submissioninterface.authfilter.authentication.verify.impl.FakeVerify
to disable any authentication
- Adjust
- For production use:
- Check the other configuration options, especially the mail related ones
- For LDAP authentication set
login
tode.tuclausthal.submissioninterface.authfilter.authentication.login.impl.Form
andverify
tode.tuclausthal.submissioninterface.authfilter.authentication.verify.impl.LDAPVerify
, configure LDAP related settings for theAuthenticationFilter
(PROVIDER_URL
,SECURITY_AUTHENTICATION
,SECURITY_PRINCIPAL
,matrikelNumberAttribute
(optional), anduserAttribute
), please also look atsrc/main/java/de/tuclausthal/submissioninterface/authfilter/authentication/verify/impl/LDAPVerify.java
whether special adjustments are needed (e.g. first and last name generation) - For Shibboleth set
login
tode.tuclausthal.submissioninterface.authfilter.authentication.login.impl.Shibboleth
andverify
tode.tuclausthal.submissioninterface.authfilter.authentication.verify.impl.ShibbolethVerify
, configure Shibboleth related settings for theAuthenticationFilter
(userAttribute
and (optional)matrikelNumberAttribute
); required fields from the Identity-Provider aresn
,givenName
,mail
, and the configureduserAttribute
(usuallyeppn
).
- Adjust the
submissiondir/runtests.sh
for adjusting the pathssrc/main/webapp/WEB-INF/studiengaenge.txt
for updating the list of study programs that are used for auto completion for the users of GATE
- Clone the repository
- Adjust the config files
- Run
mvn clean verify
- The built
.war
file can then be found in thetarget
directory
Alternatively you can also use GitLab CI/CD functionality and download the built .war
file.
- Prepare the
datapath
in which the submissions will be stored (see the "Configuration files" section above)- Copy
submissiondir/*
andSecurityManager/NoExitSecurityManager.jar
to that folder - If you want to use the JPlag plagiarism system, compile JPlag 2.12 into a single .jar (using the maven goal
assembly:assembly
inside thejplag
directory and copy the final.jar
(from the target folder) asjplag.jar
into the root of thedatapath
- No files directly inside the data directory should be writable by the tomcat user.
- Copy
- On Windows: Make sure the
JAVA_HOME
environment variable is set and points to the JDK directory (e.g.C:\Program Files\BellSoft\LibericaJDK-17\
) - Prepare Tomcat
- If you want to have the user names on the Tomcat access log, you can use
%{username}r
(as a replacement for%u
) for configuring theAccessLogValve
pattern
, cf. https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Access_Log_Valve - Rename the built
.war
file to e.g.gate
, because the name is then used to build the URL under which GATE will be accessible using Tomcat - Copy the
.war
file to thewebapps
folder of Tomcat (usually inC:\Program Files\Apache Tomcat 9\webapps
or/var/lib/tomcat9/webapps/
) - New versions of GATE can be easily deployed by just overriding the
.war
file in thewebapps
folder
- If you want to have the user names on the Tomcat access log, you can use
- Create first user with superuser permissions: Execute
util.CreateFirstUser
with parameters:loginname emailaddress firtsname lastname
. Alternatively, you can also manually insert a new row into theusers
table. - Set up the cron task that performs regular tasks such as automatically start the plagiarism check in background
- You can use the shipped script
submissiondir/runtests.sh
which should be indatapath
and configure/etc/crontab
:*/10 * * * * tomcat /srv/submissioninterface/runtests.sh
- Please make sure that you receive mails for the tomcat user in order to get errors of the cron task runner
- You can use the shipped script
- Restart Tomcat
- For using Docker-based tests
- Build the local
safe-docker
image, based onsafe-docker/Dockerfile
(e.g.,docker build --tag safe-docker .
in thesafe-docker
folder of this repository). So far, the image is only prepared for supporting Haskell, you might want to extend it according to your needs. - Copy
safe-docker/safe-docker
to/usr/local/bin/safe-docker
and make sure it is owned byroot:root
and has the permissions700
, you might want to check the parameters passed todocker
. Requires the packageslibipc-run-perl
andlibdata-guid-perl packages
on Debian-based systems. - On Debian-based systems you might need to lift some systemd restrictions by creating the file
/etc/systemd/system/tomcat9.service.d/gate-safe-docker.conf
containing:[Service] NoNewPrivileges=false PrivateTmp=no ReadWritePaths=/tmp/
- Set up
sudo
by insertingtomcat ALL= NOPASSWD: /usr/local/bin/safe-docker
in/etc/sudoers.d/gate-safe-docker
- Build the local
Now GATE can be access using e.g. http://localhost:8080/GATE/ depending on your concrete local setup. It is recommended to run the self-test to check whether everything looks ok: http://localhost:8080/GATE/servlets/SelfTest