[ https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17041686#comment-17041686 ]
Jacques Le Roux commented on OFBIZ-11306: ----------------------------------------- I get the same in git-bash on Windows: {noformat} 020-02-21 09:56:10,408 |jsse-nio-8443-exec-6 |TransactionUtil |W| Calling transaction setRollbackOnly; this stack trace shows where this is happening: java.lang.Exception: Service [getEntityRefData] threw an unexpected exception/error at org.apache.ofbiz.entity.transaction.TransactionUtil.setRollbackOnly(TransactionUtil.java:358) [main/:?] at org.apache.ofbiz.entity.transaction.TransactionUtil.rollback(TransactionUtil.java:292) [main/:?] at org.apache.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:540) [main/:?] at org.apache.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:240) [main/:?] at org.apache.ofbiz.service.GenericDispatcherFactory$GenericDispatcher.runSync(GenericDispatcherFactory.java:88) [main/:?] at org.apache.ofbiz.widget.model.AbstractModelAction$Service.runAction(AbstractModelAction.java:710) [main/:?] at org.apache.ofbiz.widget.model.AbstractModelAction.runSubActions(AbstractModelAction.java:143) [main/:?] at org.apache.ofbiz.widget.model.ModelScreenWidget$Section.renderWidgetString(ModelScreenWidget.java:278) [main/:?] at org.apache.ofbiz.widget.model.ModelScreen.renderScreenString(ModelScreen.java:133) [main/:?] at org.apache.ofbiz.widget.renderer.ScreenRenderer.render(ScreenRenderer.java:140) [main/:?] at org.apache.ofbiz.widget.renderer.ScreenRenderer.render(ScreenRenderer.java:102) [main/:?] at org.apache.ofbiz.widget.renderer.macro.MacroScreenViewHandler.render(MacroScreenViewHandler.java:115) [main/:?] at org.apache.ofbiz.webapp.control.RequestHandler.renderView(RequestHandler.java:1003) [main/:?] at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:698) [main/:?] at org.apache.ofbiz.webapp.control.ControlServlet.handle(ControlServlet.java:232) [main/:?] at org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:96) [main/:?] 
at javax.servlet.http.HttpServlet.service(HttpServlet.java:634) [tomcat-servlet-api-9.0.29.jar:?] at javax.servlet.http.HttpServlet.service(HttpServlet.java:741) [tomcat-servlet-api-9.0.29.jar:?] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) [tomcat-embed-websocket-9.0.27.jar:9.0.27] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:187) [main/:?] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156) [main/:?] at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:52) [tomcat-servlet-api-9.0.29.jar:?] 
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) [log4j-web-2.11.2.jar:2.11.2] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-catalina-9.0.29.jar:9.0.29] at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367) [tomcat-coyote-9.0.29.jar:9.0.29] at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote-9.0.29.jar:9.0.29] at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860) [tomcat-coyote-9.0.29.jar:9.0.29] at 
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1591) [tomcat-coyote-9.0.29.jar:9.0.29] at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote-9.0.29.jar:9.0.29] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_202] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_202] at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util-9.0.29.jar:9.0.29] at java.lang.Thread.run(Thread.java:748) [?:1.8.0_202] 2020-02-21 09:56:10,414 |jsse-nio-8443-exec-6 |AbstractModelAction |E| Error calling service with name getEntityRefData: org.apache.ofbiz.service.GenericServiceException: Service [getEntityRefData] target threw an unexpected exception (Unknown character property name {r} near index 4 {noformat} It's a Linux-like environment, but on Windows. I'll now try in a Linux VM... > POC for CSRF Token > ------------------ > > Key: OFBIZ-11306 > URL: https://issues.apache.org/jira/browse/OFBIZ-11306 > Project: OFBiz > Issue Type: Sub-task > Components: ALL APPLICATIONS > Affects Versions: Upcoming Branch > Reporter: James Yong > Assignee: Jacques Le Roux > Priority: Minor > Labels: CSRF > Fix For: Upcoming Branch > > Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, > CsrfUtil.java, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, > OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, > OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, > OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, > OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, > OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, > OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, > OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, > OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, > 
OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, > OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, > OFBIZ-11306_Plugins.patch, partyTokenMap.webtools.txt > > > CSRF tokens are generated using the SecureRandom class (maybe later a JWT with a > "time out"). > They are stored in the user sessions (for AJAX calls and unauthenticated HTTP > calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during > POST requests. > # In *controllers* a new csrf-token attribute is added to the security tag to > exempt or force the CSRF token check. > # In *Widget Forms* a hidden token field is auto-generated. > # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the > change. Using the <@ofbizUrl> macro to generate the CSRF token means there is no > need to manually add the CSRF token field to each form in the ftl files. It > will save time for users doing custom implementation and maintenance. While > there is a CSRF token in the form URL, the token is invalidated during form > submission. So it's unique and harmless even though the CSRF token of the form > submission is shown in the browser address bar. > # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added > through OfbizUtil.js (itself called at start in decorators and such). > # The HTML metadata stores the CSRF token used by jQuery AJAX. This token > will not change to another value after it is consumed. > # CSRF tokens for the user are removed from the UtilCache when the user logs > out or the session is invalidated. > The general rules are as follows: > * A RequestMap configured with the 'get' method will be exempted from the CSRF token > check. > * A RequestMap configured with the 'post' or 'all' method will be subjected to the CSRF > token check. (Note there are discussions that a RequestMap with the ‘all’ method > should also not be subjected to the CSRF token check. This will be done after > ensuring a separate URI is used when posting changes.) 
> * "main" request URIs are exempted from the CSRF token check. > * Setting csrf-token to false or true on the Request Map will override the > general rules above. > To Discuss: > * Invalidate the authenticated user's session when the CSRF token check fails. > * Configure the general rules in a Service method (which will be run inside > the constructor of the RequestMap class) when determining the final > securityCsrfToken value. -- This message was sent by Atlassian Jira (v8.3.4#803005)