[
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17041686#comment-17041686
]
Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------
I get the same in git-bash on Windows:
{noformat}
020-02-21 09:56:10,408 |jsse-nio-8443-exec-6 |TransactionUtil |W|
Calling transaction setRollbackOnly; this stack trace shows where this is
happening:
java.lang.Exception: Service [getEntityRefData] threw an unexpected
exception/error
at
org.apache.ofbiz.entity.transaction.TransactionUtil.setRollbackOnly(TransactionUtil.java:358)
[main/:?]
at
org.apache.ofbiz.entity.transaction.TransactionUtil.rollback(TransactionUtil.java:292)
[main/:?]
at
org.apache.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:540)
[main/:?]
at
org.apache.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:240)
[main/:?]
at
org.apache.ofbiz.service.GenericDispatcherFactory$GenericDispatcher.runSync(GenericDispatcherFactory.java:88)
[main/:?]
at
org.apache.ofbiz.widget.model.AbstractModelAction$Service.runAction(AbstractModelAction.java:710)
[main/:?]
at
org.apache.ofbiz.widget.model.AbstractModelAction.runSubActions(AbstractModelAction.java:143)
[main/:?]
at
org.apache.ofbiz.widget.model.ModelScreenWidget$Section.renderWidgetString(ModelScreenWidget.java:278)
[main/:?]
at
org.apache.ofbiz.widget.model.ModelScreen.renderScreenString(ModelScreen.java:133)
[main/:?]
at
org.apache.ofbiz.widget.renderer.ScreenRenderer.render(ScreenRenderer.java:140)
[main/:?]
at
org.apache.ofbiz.widget.renderer.ScreenRenderer.render(ScreenRenderer.java:102)
[main/:?]
at
org.apache.ofbiz.widget.renderer.macro.MacroScreenViewHandler.render(MacroScreenViewHandler.java:115)
[main/:?]
at
org.apache.ofbiz.webapp.control.RequestHandler.renderView(RequestHandler.java:1003)
[main/:?]
at
org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:698)
[main/:?]
at
org.apache.ofbiz.webapp.control.ControlServlet.handle(ControlServlet.java:232)
[main/:?]
at
org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:96)
[main/:?]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
[tomcat-servlet-api-9.0.29.jar:?]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
[tomcat-servlet-api-9.0.29.jar:?]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
[tomcat-embed-websocket-9.0.27.jar:9.0.27]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:187)
[main/:?]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156)
[main/:?]
at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:52)
[tomcat-servlet-api-9.0.29.jar:?]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
[log4j-web-2.11.2.jar:2.11.2]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
[tomcat-catalina-9.0.29.jar:9.0.29]
at
org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
[tomcat-coyote-9.0.29.jar:9.0.29]
at
org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
[tomcat-coyote-9.0.29.jar:9.0.29]
at
org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
[tomcat-coyote-9.0.29.jar:9.0.29]
at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1591)
[tomcat-coyote-9.0.29.jar:9.0.29]
at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
[tomcat-coyote-9.0.29.jar:9.0.29]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[?:1.8.0_202]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[?:1.8.0_202]
at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
[tomcat-util-9.0.29.jar:9.0.29]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_202]
2020-02-21 09:56:10,414 |jsse-nio-8443-exec-6 |AbstractModelAction
|E| Error calling service with name getEntityRefData:
org.apache.ofbiz.service.GenericServiceException: Service [getEntityRefData]
target threw an unexpected exception (Unknown character property name {r} near
index 4
{noformat}
It's Linux but on Windows. I'll now try in a Linux VM...
> POC for CSRF Token
> ------------------
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java,
> CsrfUtil.java, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch,
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch,
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch,
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch,
> OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch,
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch,
> OFBIZ-11306_Plugins.patch, partyTokenMap.webtools.txt
>
>
> CRSF tokens are generated using SecureRandom class (maybe later a JWT with a
> "time out").
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to
> exempt or force CSRF token check.
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no
> need to manually add the CSRF token field to each form in the ftl files. It
> will save time for users doing custom implementation and maintenance. While
> there is CSRF token in the form URL, the token is invalidated during form
> submission. So it's uniqueand harmless even though the CSRF token of the form
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs
> out or session invalidated.
> The general rule are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF
> token check. (Note there are discussions that RequestMap with ‘all’ method
> should also not be subjected to CSRF token check. This will be done after
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the
> general rules above.
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside
> the constructor of RequestMap class) when determining the final
> securityCsrfToken value.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
