[Only sending to dev mailing list as is an application architecture related
comment]

I don't have a solution to offer yet around the URL issue raised by Johan,
but have a feeling it will relate to the issue below.

This is a message to highlight a deep unease I have around the OFBiz use of
query arguments in URLs to carry authentication/session information between
client and server. In particular, clickable links between applications in
the client are rendered with the externalLoginKey query argument since each
application maintains its own login mechanism and session cookie.

One immediate problem I see is if a user right-clicks a link to copy the
URL target, and then shares that URL, they have unwittingly also shared a
credential that will allow recipients of the URL to masquerade as the
original user.

I assume the reason for tying session cookies to applications, rather than
to the root of the OFBiz website, is to ensure a separation between
back-end office applications and front-end ecommerce applications.

As mentioned, I don't have a solution to offer at the moment, but perhaps
we should look at configuring the applications with the names of their
session cookies. All the back-end applications could then use a single
'backend' cookie, and any front-end consumer facing application could have
its own distinct session cookie.

Thanks,

Dan.

On Thu, 29 Aug 2024 at 09:17, Jacques Le Roux <jacques.le.r...@les7arts.com>
wrote:

> Hi,
>
> Finally it's not that clear.
>
> As can be found in trunk demo access_logs, such URLs exist at least since
> June 17 2024.
>
>     access_log.2024-06-17:28:66.249.75.98 - - [17/Jun/2024:00:11:51 +0000] "GET /partymgr/control/main%3FexternalLoginKey=ELf5183769-2759-476b-946c-2a70afe3c42d&amp;sortField=partyId;jsessionid=EBB57C6C3C345E70501827509E05744C.jvm1 HTTP/1.1" 500 1165 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.175 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
>
> As you can see they have been rejected (HTTP 500) since then too. Actually I
> guess they have existed for a very long time. I have no idea yet why and how
> these URLs are generated.
>
> The rejection is "new" and due to a security fix done on May 20 2024 with
> (OFBIZ-13092) "Prevent special encoded characters sequences in URLs"
>
> So we need to clearly define steps to manually generate these URLs. Then,
> if it's OK, we could allow URLs containing ";jsessionid=" to bypass the
> security filter.
>
> I copy this email to the dev ML because of its importance
>
> Jacques
>
>
> On 28/08/2024 at 15:27, Jacques Le Roux wrote:
> > Thanks Guys,
> >
> > I could not reproduce yet, but I think we have already enough clues to
> > fix that.
> > Also I can find a lot of them in the trunk demo log. That will be helpful too.
> >
> > Jacques
> >
> > On 27/08/2024 at 16:20, 雷咩咩 wrote:
> >> I can reproduce it by logging in with admin, randomly clicking several
> >> places, then, when clicking logout, seeing such an error:
> >>
> >>
> >> HTTP Status 500 – Internal Server Error
> >> Type Exception Report
> >>
> >>
> >> Message For security reason this URL is not accepted
> >>
> >>
> >> Description The server encountered an unexpected condition that
> prevented it from fulfilling the request.
> >>
> >>
> >> Exception
> >>
> >>
> >> java.lang.RuntimeException: For security reason this URL is not accepted
> >>     org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:144)
> >>     org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
> >> Note The full stack trace of the root cause is available in the server
> >> logs.
> >>
> >>
> >> Apache Tomcat/9.0.91
> >>
> >>
> >>
> >>
> >> Regards,
> >> Yang
> >>
> >>
> >> ------------------ Original Message ------------------
> >> From: "user" <johanhpcro...@gmail.com>;
> >> Sent: Tuesday, 27 August 2024, 9:12 PM
> >> To: "user" <u...@ofbiz.apache.org>;
> >>
> >> Subject: URL Issue
> >>
> >>
> >>
> >> Hi,
> >>
> >> Not sure if anyone would be able to assist me, I have found an issue
> >> which can also be replicated within the demo.
> >> This issue normally occurs as you navigate to a module after login. It
> >> is not easily replicable, once you refresh it works and does not occur
> >> again.
> >> Replicated the issue in multiple modules.
> >> It usually adds ;jsessionid=######################.jvm1 to all the URLs
> >> and this causes a navigation issue.
> >> Once you submit a form or try to click the logout link, an Internal 500
> >> Internal Server Error is being returned
> >> As an example:
> >> https://demo-stable.ofbiz.apache.org/partymgr/control/main
> >>
> >> I have screenshots available, however I am not able to attach to this
> >> mail.
> >> Please let me know if you need me to upload it somewhere.
> >>
> >> Kind Regards,
> >> Johan Cronjé



-- 
Daniel Watford
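A defender-side check for the two things this thread turns on, added here as an example and not code from the OFBiz project: the credential-in-URL problem Dan raises (externalLoginKey and jsessionid travelling in shareable, logged URLs) and the percent-encoded `?` (`%3F`) in the path of the access_log line Jacques quoted, which is the kind of sequence OFBIZ-13092 rejects. It scans access-log lines (constructed samples below, not the real entries), reports which credential parameters each request carries, flags encoded delimiters in the path, and redacts the token values so the finding itself can be shared safely. Function and variable names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the access_log entry quoted in the thread.
# The IPs, login keys and session ids are made up, not values from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jun/2024:00:11:51 +0000] "GET /partymgr/control/main%3FexternalLoginKey=ELdeadbeef-0000-0000-0000-000000000001&sortField=partyId;jsessionid=0123456789ABCDEF0123456789ABCDEF.jvm1 HTTP/1.1" 500 1165 "-" "Mozilla/5.0"
10.0.0.6 - - [17/Jun/2024:00:12:03 +0000] "GET /partymgr/control/main?externalLoginKey=ELcafebabe-0000-0000-0000-000000000002 HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.0.0.7 - - [17/Jun/2024:00:12:10 +0000] "GET /partymgr/control/main HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Parameters that carry a credential: a URL containing them must not be shared or logged verbatim.
CREDENTIAL_PARAMS = ("externalLoginKey", "jsessionid")
# Percent-encoded delimiters (? ; / & =) appearing in the path component.
ENCODED_DELIMITER_RE = re.compile(r"%(3F|3B|2F|26|3D)", re.IGNORECASE)


def find_credential_params(target):
    """Return the credential-bearing parameter names present in the request target.
    The target is percent-decoded first, so %3FexternalLoginKey= is found as well."""
    decoded = unquote(target)
    return [p for p in CREDENTIAL_PARAMS if re.search(rf"[?&;]{p}=", decoded)]


def redact(target):
    """Replace credential values with a placeholder so the line can be shared safely."""
    return re.sub(r"(externalLoginKey=|jsessionid=)[^&;\s]+", r"\1<REDACTED>", target,
                  flags=re.IGNORECASE)


def audit_log(text):
    """Scan access-log text; return one finding per request that leaks a credential
    or carries an encoded delimiter in its path (the sequence the security filter rejects)."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target, status = m.group("target"), int(m.group("status"))
        params = find_credential_params(target)
        # Only the path (before a literal '?') is checked for encoded delimiters.
        encoded = bool(ENCODED_DELIMITER_RE.search(target.split("?", 1)[0]))
        if params or encoded:
            findings.append({"target": redact(target), "status": status,
                             "credential_params": params, "encoded_delimiters": encoded})
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```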