It looks like you've encountered a complex issue with OFBiz's AJAX call
handling, specifically how the `*SetTimeZoneFromBrowser*` request is
failing due to URL pattern mismatches, leading to a *405 error* .
*Issue Breakdown *
- The request `*SetTimeZoneFromBrowser*` is defined in `
*common-controller.xml*`, making it globally available.
- JavaScript attempts to execute it via a *relative URL*, causing
inconsistencies when combined with REST-style URLs.
- The `*ControlServlet*` fails to recognize the request format, leading to
the 405 error .
*Proposed Solution*
- Instead of using relative calls, '*a dedicated webapp*' (`common-js`) is
suggested for handling these requests, ensuring proper routing.
- The webapp would act as a relay, avoiding exposure of `framework/common`
and separating theming from functional requests.
- Example fix:
```js
$.ajax({
url: "/common-js/control/SetTimeZoneFromBrowser",
type: "POST",
async: false,
});
```
--------------------------------------------------------------
Implementing a *switch-case structure* can help manage different AJAX
requests effectively, but it needs additional adjustments to fully resolve
the '405 error issue' you described in Apache OFBiz. Below is a 'full
implementation strategy' that addresses the problem while ensuring security
and proper request routing.
---
Suggest Solution: Using a Dedicated WebApp with Dynamic Routing
Since the issue arises due to 'incorrect request routing in REST-style
URLs', we will:
1. Use a dedicated web app (`commonext`) to handle such AJAX requests.
2. Implement a switch-case structure in JavaScript to dynamically adjust
request URLs.
3. Ensure security by managing authentication separately for the web app.
---
Step-by-Step Implementation
1. Configure the Dedicated WebApp (`commonext`)
Modify `webapp.xml` to set up a new web app that will act as a relay for
common requests.
------------------------ xml
*<web-app name="commonext" location="commonext" app-bar-display="true">
<security security-constraint="true"/></web-app>*
------------------------
2. Define Request Handlers in `commonext-controller.xml`
Create handler mappings in `commonext-controller.xml` to process requests
properly.
*---------------------------xml<request-map uri="SetTimeZoneFromBrowser">
<security https-required="true" auth-required="false"/> <event
type="service" name="setTimeZoneService"
invoke="org.ofbiz.common.SetTimeZone"/> <response name="json"
type="json"/></request-map>----------------------------*
3. Update the JavaScript AJAX Calls
Modify the AJAX call in JavaScript to ensure requests are directed through
`commonext`.
*------------------------ jsfunction getRequestUrl(requestType) { switch
(requestType) { case "timezone": return
"/commonext/control/SetTimeZoneFromBrowser"; case "inventory":
return "/commonext/control/GetStockDetails"; case "order":
return "/commonext/control/FetchOrderStatus"; default:
return "/commonext/control/DefaultHandler"; }}*
*$.ajax({ url: getRequestUrl("timezone"), type: "POST", async:
false, success: function(response) { console.log("Request
successful!", response); }, error: function(error) {
console.log("Error in request!", error); }});*
-----------------------------------
4. Address Authentication Issue
Since separate web apps maintain independent sessions, use token-based
authentication or a cookie-based method.
- Option 1: SSO (Single Sign-On)
- Implement an OAuth-based authentication system .
- Users authenticate once, and tokens are passed across multiple web apps.
- Option 2: Secure Cookie-Based Authentication
- Generate a security token upon login.
- Store the token in a HTTP-only, secure cookie .
- Validate the token before processing requests in `commonext`.
---
### *Expected Results *
>> AJAX requests will no longer fail due to incorrect REST-style URL
handling.
>> Requests will be correctly routed via `commonext`, resolving the '405
error'.
>> Authentication is properly handled without exposing core framework
security.
This approach provides a 'scalable and maintainable solution' for handling
common OFBiz AJAX requests while ensuring security compliance.
with regards
Arifa Hashmi
On Fri, 2 May 2025 at 13:39, Nicolas Malin <[email protected]> wrote:
> Hi all,
>
> I'm in front of a particular issue where the fix isn't really easy and
> need to share :) .
>
> I detected a problem with some ajax call did by js script that failed
> with error 405 like :
>
> https://demo-next.ofbiz.apache.org/webtools/control/entity/find/SetTimeZoneFromBrowser
>
> To reproduce just display the page
> https://demo-next.ofbiz.apache.org/webtools/control/entity/find/Party
> and analyze network traffic.
>
> Ok the reason :
>
> SetTimeZoneFromBrowser is a request define in common-controller.xml, so
> available on all component. In js the call is realize by :
> ```js
> $.ajax({
> url: "SetTimeZoneFromBrowser",
> type: "POST",
> async: false,...
> ```
> So the navigator use the relative url to execute the call. In general
> case we have a page like
> https://demo-next.ofbiz.apache.org/$component/control/$request so js
> script realized their call with
> https://demo-next.ofbiz.apache.org/$component/control/$request-js . Like
> each request-js are present on common-controller.xml all component that
> include it can response.
>
> With rest url, the uri pattern is more complex and the script js that
> generate a relative call like we have upper :
>
> https://demo-next.ofbiz.apache.org/webtools/control/entity/find/SetTimeZoneFromBrowse
> .
> The ControlServlet behind failed to retrieve the correct request and
> generate a http error 405
>
>
> How to fix :
> After different tries, I propose to remove all relative call and create
> a dedicate webapp for that.
> ```js
> $.ajax({
> url: "/common-js/control/SetTimeZoneFromBrowser",
> type: "POST",
> async: false,...
> ```
> Open a new webapp on commonext to do that and redirect all relative call
> to it.
> I propose to implement it on commonext because framework/common need to
> keep without exposure. Common-theme is dedicate expose theming
> information and not a direct relay to common request. So commonext seems
> to be the better solution to be a relay for common request manage by the
> common-controller.
>
> The problem with this solution, all webapp are their session separate,
> so access to a json request through commonext generate an security issue
> if the request have auth enable. We can enable the sso on ofbiz for that
> but do we need that for all OFBiz webapp by defaut. We can imagine a
> spotted solution to use cookies system like autologin with more
> security, only on commonext to be sure to allow the functionality on
> many configuration.
>
> Thanks to take this read time and if you have any sharing on it to found
> the better solution.
>
> Nicolas
>
