Re: svn commit: r1851203 - in /ofbiz/ofbiz-framework/branches/release17.12: ./ framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java framework/webapp/src/main/java/org/apache/ofbiz/web
Hi Deepak,

I attached a patch at OFBIZ-10766, please try

Thanks

Jacques

On 23/01/2019 at 09:10, Jacques Le Roux wrote:
Thanks Deepak,

Yes indeed, replaceAll() does not fit. As I said in my comment I want to only replace the "inside" slashes. I'll fix that ASAP

Jacques

On 23/01/2019 at 05:33, Deepak Nigam wrote:
Hi Jacques,

When there is one web app with the empty mount point (i.e. deployed on root), the auto-login cookie will not work for that particular webapp due to the change in the path of the cookie from "/" to "/" + applicationName. Because the system will try to find the cookie at the "/" but it is actually at "/" + applicationName.

Thanks & Regards
--
Deepak Nigam
HotWax Systems Pvt. Ltd

On Sun, Jan 13, 2019 at 7:13 PM wrote:
Author: jleroux
Date: Sun Jan 13 13:43:44 2019
New Revision: 1851203

URL: http://svn.apache.org/viewvc?rev=1851203&view=rev
Log:
"Applied fix from trunk for revision: 1851200"

r1851200 | jleroux | 2019-01-13 14:31:13 +0100 (dim. 13 janv. 2019) | 11 lignes

Reverted: Impossible secure and autologin cookie names when mountpoint contains a slash inside its name
(OFBIZ-10766)

In my previous commit I reverted the initial change. As I said in the Jira I had a second look and it's better to fix the problem at the root as I did initially.

I wrote in my previous commit: "This method is used in other places where the name should not be changed." I checked there are no issues changing slashes to underscores in the cookies names anywhere.

Modified:
    ofbiz/ofbiz-framework/branches/release17.12/ (props changed)
    ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
    ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java

Propchange: ofbiz/ofbiz-framework/branches/release17.12/
--
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sun Jan 13 13:43:44 2019
@@ -10,4 +10,4 @@ /ofbiz/branches/json-integration-refactoring:1634077-1635900 /ofbiz/branches/multitenant20100310:921280-927264 /ofbiz/branches/release13.07:1547657 -/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1819947,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1823467,1823562,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825211,1825216,1825233,1825450,1826374,1826502,1826592,1826671,1826674,1826780,1826805,1826938,1826997,1827439,1828255,1828316,1828346,1828424,1828512,1828514,1829690,1830936,1831074,1831078,1831234,1831608,1831831,1832577,1832662,1832756,1832800,1832944,1833173,1833211,1834181,1834191,1834736,1835235,1835887,1835891,1835953,1835964,1836144,1836871,1837857,1838032,1838256,1838381,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1844943,1845418,1845420,1845466,1845544,1845552,1845558,1845933,1845995,1846097,1846107,1846214,1846594,1846632,1847398,1847478,1847670,1847715, 1847890,1848263,1848336,1848386,1848398,1848441,1848444,1848447,1848449,1848467,1848469,1848745,1848849-1848850,1849021,1849191,1849193,1849275,1849467,1849528,1849540,1849567,1849693,1850015,1850023,1850530,1850647,1850685,1850694,1850914,1850918,1850948,1850953,1851006,1851068,1851074,1851130,1851158,1851163 
+/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1819947,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1823467,1823562,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825211,1825216,1825233,1825450,1826374,1826502,1826592,1826671,1826674,1826780,1826805,1826938,1826997,1827439,1828255,1828316,1828346,1828424,1828512,1828514,1829690,1830936,1831074,1831078,1831234,1831608,1831831,1832577,1832662,1832756,1832800,1832944,1833173,1833211,1834181,1834191,1834736,1835235,1835887,1835891,1835953,1835964,1836144,1836871,1837857,1838032,1838256,1838381,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1844943,1845418,1845420,1845466,1845544,1845552,1845558,1845933,1845995,1846097,1846107,1846214,1846594,1846632,1847398,1847478,1847670,1847715, 1847890,1848263,1848336,1848386,1848398,1848441,1848444,1848447,1848449,1848467,1848469,1848745,1848849-1848850,1849021,1849191,1849193,1849275,1849467,1849528,1849540,1849567,1849693,1850015,1850023,1850530,1850647,1850685,1850694,1850914,1850918,1850948,1850953,1851006,1851068,1851074,1851130,1851158,1851163,1851200 Mod
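Review bot: this svn:mergeinfo hunk only records that r1851200 was merged into release17.12 (the trailing `,1851200`); the UtilHttp.java and LoginWorker.java changes listed under "Modified:" are cut off on this page, so the slash-to-underscore cookie-name change described in the log cannot be checked here. Given Deepak's report above that a root-mounted webapp loses its auto-login cookie once the path becomes "/" + applicationName, the backport should carry a test for the empty mount point (cookie path staying "/") before it is considered done.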
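The name/path distinction behind Deepak's report, as an added example that is not OFBiz's own code: cookie names are RFC 6265 tokens, so only the slashes inside a mount point are turned into underscores, while the cookie path must still match the request URL, so a webapp deployed on root keeps the path "/". The cookie suffix, the property of deriving the application name by stripping outer slashes, and the helper names are assumptions.

```python
import re
from http.cookies import SimpleCookie

# RFC 6265 cookie names are HTTP tokens: '/', ';', '=', spaces and other separators are not allowed.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
COOKIE_SUFFIX = "autoUserLoginId"  # assumed suffix, not taken from the OFBiz source


def application_name(mount_point: str) -> str:
    """Mount point without its outer slashes; '' for a webapp deployed on root."""
    return mount_point.strip("/")


def autologin_cookie_name(mount_point: str) -> str:
    """Only the slashes *inside* the mount point become underscores; the outer ones are gone already."""
    app = application_name(mount_point).replace("/", "_")
    return f"{app}.{COOKIE_SUFFIX}" if app else COOKIE_SUFFIX


def autologin_cookie_path(mount_point: str) -> str:
    """The path must match the URL the browser requests, so its slashes are kept and
    a root-mounted webapp stays at '/' (the case Deepak reports above)."""
    app = application_name(mount_point)
    return f"/{app}" if app else "/"


def build_autologin_cookie(mount_point: str, user_login_id: str) -> str:
    """Set-Cookie header value for the auto-login cookie, refusing a name that is not a token."""
    name = autologin_cookie_name(mount_point)
    if not _TOKEN.match(name):
        raise ValueError(f"cookie name is not an RFC 6265 token: {name!r}")
    cookie = SimpleCookie()
    cookie[name] = user_login_id
    cookie[name]["path"] = autologin_cookie_path(mount_point)
    cookie[name]["httponly"] = True
    cookie[name]["secure"] = True
    return cookie[name].OutputString()
```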
Re: For a better user experience, don't post here. Subscribe to the official mailing lists. See: OFBiz MLs.
OK, https://ofbiz.apache.org/mailing-lists.html is back w/o changes, not sure what's happened

Anyway forget it

Jacques

On 23/01/2019 at 10:12, Jacques Le Roux wrote:
Hi David,

Indeed, someone broke it recently

Hi team, could someone please check why it's broken?

In the meantime I have subscribed you (da...@davidwid.com), please try

Thanks

Jacques

On 22/01/2019 at 21:14, da...@davidwid.com wrote:
This link got me:

Page Not Found
home/404 error
404 image
The page cannot be found
The page you are looking for might have been removed, had its name changed or is temporarily unavailable

I'm new and want to ask a question.

David
Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
Hi Jacopo,

thanks for your response!

I think it would be better to divide the concerns of the different concerns here and have a separate configuration to turn internal SSO on/off and to provide a secret for the JWT handling.

For example, if you want to use the JWT handling for another reason than internal SSO (e.g. REST interfaces) you would also be forced to use the internal SSO feature.

I'll provide my latest patch soon for review.

Best regards,
Michael

On 23.01.19 at 07:34, Jacopo Cappellato wrote:
+1 to disabling it by default.

We could consider, rather than adding a new configuration flag, to disable the feature if no secret is set in the configuration files (and do not provide a secret out of the box).

Jacopo

On Sat, Jan 19, 2019 at 12:57 PM Michael Brohl wrote:
Hi all,

during my work in [1] I realized that the OOTB JWT authorization / single sign on is switched on by default.

The logic to retrieve the secret key uses a default if there is no configuration in SystemProperty or security.properties. This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login using a guessed userLoginId and this token (which can be retrieved from the code).

I think we should secure this so that this cannot be done in an OOTB setting with the following additions:

1. make it configurable through a property which is initially turned off. I think this is better than commenting the preprocessor in/out because it can be better integrated in (custom) configuration mechanisms.
2. don't use a default secret key if none is provided. The user/administrator must explicitly set a secret key and should know what he is doing then.
3. don't proceed if no secret key can be found (do not attempt a login using the JWT)

I think that we should turn this feature off by default for the following reasons:

1. it opens up a security hole if the user does not remove the checkJWTLogin preprocessor (see above)
2. the functionality to have a single sign on between two OFBiz instances will only be used in rare cases (I think). It is only designed for this special case and cannot be used for standard single sign on scenarios with other systems.
3. if it is not used, it will still try to read the authorization header, key etc. *on every request*

What do you think?

Regards,

Michael

[1] https://issues.apache.org/jira/browse/OFBIZ-10814
[2] https://jwt.io/
[3] http://jwtbuilder.jamiekurtz.com/
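The three additions Michael proposes (a flag that is off by default, no built-in default secret, and no login attempt when no secret is found), together with Jacopo's variant of disabling the feature when no secret is configured, as an added example that is not OFBiz's checkJWTLogin code. The property keys, the claim name userLoginId in the token, and the HS256 verification using only the standard library are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json

# Property keys are assumed names for this example, not taken from OFBiz's security.properties.
SSO_FLAG_KEY = "security.internal.sso.enabled"
SECRET_KEY = "security.token.key"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, secret: str) -> str:
    """Sign claims as an HS256 JWT; used here only to build constructed test tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def resolve_jwt_secret(sys_props: dict, sec_props: dict):
    """Point 2 of the proposal: SystemProperty first, then security.properties, no built-in fallback."""
    return sys_props.get(SECRET_KEY) or sec_props.get(SECRET_KEY) or None


def check_jwt_login(authorization, sys_props: dict, sec_props: dict, now: float):
    """Return the userLoginId to log in, or None whenever a JWT login must not be attempted."""
    if sec_props.get(SSO_FLAG_KEY, "false").lower() != "true":
        return None  # point 1: the preprocessor does nothing unless explicitly enabled
    secret = resolve_jwt_secret(sys_props, sec_props)
    if secret is None:
        return None  # point 3: no secret, no login attempt, so a guessed default is useless
    if not authorization or not authorization.startswith("Bearer "):
        return None
    try:
        header_b64, payload_b64, sig_b64 = authorization[len("Bearer "):].split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if header.get("alg") != "HS256" or not hmac.compare_digest(expected, signature):
        return None  # "none"/other algorithms and bad signatures are rejected alike
    if claims.get("exp", 0) <= now:
        return None  # expired, or no exp claim at all
    return claims.get("userLoginId")
```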