[jira] [Commented] (OFBIZ-9664) OFBiz 16 migration - HTML content filtered

2018-09-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-9664?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16608363#comment-16608363
 ] 

Jacques Le Roux commented on OFBIZ-9664:


Thanks Sebastian,

I'll just add that people should be careful with this workaround, because it 
removes some security in all other parts where sanitizer.permissive.policy is 
used, i.e. where HtmlEncoder::sanitize is used. I explained it a bit more in 
OFBIZ-10187

> OFBiz 16 migration - HTML content filtered 
> ---
>
> Key: OFBIZ-9664
> URL: https://issues.apache.org/jira/browse/OFBIZ-9664
> Project: OFBiz
>  Issue Type: Bug
>  Components: content, ecommerce
>Affects Versions: 16.11.03
>Reporter: Sebastian Wachinger
>Priority: Minor
> Fix For: Trunk, 16.11.05
>
>
> Perhaps this is no bug, but a new feature: After migrating to OFBiz 16, 
> content of type "Long Text" containing HTML is now displayed in the ecommerce 
> shop frontend with certain attributes deleted, e.g. "class" and "id". Is 
> there a config file to allow those attributes to be displayed?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
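The safer alternative to the permissive-policy workaround, as an added example that is not part of this thread or of OFBiz's own code: a targeted policy built with the OWASP Java HTML Sanitizer that the OFBIZ-10187 title refers to (assumed on the classpath as org.owasp.html). It keeps the class and id attributes the reporters need while still dropping scripts, event-handler attributes and javascript: URLs, which is what a policy used everywhere through HtmlEncoder::sanitize has to guarantee. The element list, the value pattern, the class name and the sample markup are assumptions for the demonstration; where OFBiz wires its policy in is not shown here.

```java
import java.util.regex.Pattern;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

/*
 * Illustrative policy (example code, not OFBiz's own): allow "class" and "id"
 * on layout elements, but keep every other protection of an allow-list
 * sanitizer. Requires the OWASP Java HTML Sanitizer on the classpath.
 */
public class ContentPolicyExample {

    // Elements the CMS content from OFBIZ-10187 actually needs (assumed list).
    private static final String[] LAYOUT_ELEMENTS = {
        "div", "span", "section", "article", "p", "h1", "h2", "h3", "h4",
        "ul", "ol", "li", "a", "img", "br"
    };

    // class/id values: letters, digits, dash, underscore and spaces only, so a
    // value cannot carry quotes, angle brackets or expression syntax.
    private static final Pattern CLASS_OR_ID = Pattern.compile("[a-zA-Z0-9_ -]+");

    public static final PolicyFactory CONTENT_POLICY = new HtmlPolicyBuilder()
        .allowElements(LAYOUT_ELEMENTS)
        // The two attributes OFBIZ-9664 / OFBIZ-10187 ask for, with a value allow-list.
        .allowAttributes("class", "id").matching(CLASS_OR_ID).globally()
        .allowAttributes("alt", "title").globally()
        .allowAttributes("href").onElements("a")
        .allowAttributes("src").onElements("img")
        // Only http, https, mailto and scheme-less (relative) URLs survive;
        // javascript: and data: URLs are removed together with their attribute.
        .allowStandardUrlProtocols()
        .requireRelNofollowOnLinks()
        .toFactory()
        // Compose with the library's vetted inline-formatting rules (b, i, em, ...).
        .and(Sanitizers.FORMATTING);

    public static String sanitize(String html) {
        return CONTENT_POLICY.sanitize(html);
    }

    public static void main(String[] args) {
        // Constructed sample: slider markup in the style of OFBIZ-10187 with
        // three injected payloads that a permissive policy would let through.
        String input =
            "<div class=\"slider-item\" id=\"slide-1\" onmouseover=\"alert(1)\">"
          + "<img src=\"/webcontent/img/slider/1.jpg\" alt=\"\"/>"
          + "<a class=\"btn\" href=\"javascript:alert(2)\">weitere Informationen</a>"
          + "<script>alert(3)</script></div>";
        // class and id are kept; onmouseover, the javascript: href and <script> are not.
        System.out.println(sanitize(input));
    }
}
```

Two caveats for anyone adopting this pattern: allowing id on author-supplied markup makes DOM clobbering of page scripts possible, so restrict it to trusted content authors or constrain the value pattern to a dedicated prefix; and the sample in the issue carries FreeMarker macros inside attribute values, which a sanitizer will encode if it meets them, so a policy like this has to run on rendered HTML, not on raw template text.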


[jira] [Assigned] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2018-09-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux reassigned OFBIZ-10187:
---

Assignee: (was: Jacques Le Roux)

> OWASP sanitizer breaks proper rendering of HTML code
> 
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
>  Issue Type: Bug
>  Components: ALL COMPONENTS
>Affects Versions: 16.11.04
>Reporter: Michael Brohl
>Priority: Critical
>
> The current implementation of the sanitizer breaks the proper rendering of 
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> will be rendered to
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> I do not see any reason to not allow class attributes in html code. There 
> might be other problems with these rules but this is a showstopper.





[jira] [Closed] (OFBIZ-10554) Trunk - Ecommerce - Product Content "Add Additional Images" broken

2018-09-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-10554.
---
Resolution: Cannot Reproduce
  Assignee: Jacques Le Roux

Please reopen if you need, thanks

> Trunk - Ecommerce - Product Content "Add Additional Images" broken
> --
>
> Key: OFBIZ-10554
> URL: https://issues.apache.org/jira/browse/OFBIZ-10554
> Project: OFBiz
>  Issue Type: Bug
>  Components: product
>Affects Versions: Trunk
>Reporter: Sebastian Wachinger
>Assignee: Jacques Le Roux
>Priority: Major
>
> Using "Add Additional Images" fails with a NullPointerException on the trunk 
> demo 
> [https://demo-trunk.ofbiz.apache.org/catalog/control/EditProductContent?productId=GZ-1000|https://demo-trunk.ofbiz.apache.org/catalog/control/EditProductContent?productId=GZ-1004]
>  (same on my local installation).
> On the stable demo this works 
> [https://demo-stable.ofbiz.apache.org/catalog/control/EditProductContent?productId=GZ-1000]
>  (same on my respective local installation).





[jira] [Updated] (OFBIZ-10554) Trunk - Ecommerce - Product Content "Add Additional Images" broken

2018-09-09 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-10554:

Component/s: (was: ecommerce)
 product

> Trunk - Ecommerce - Product Content "Add Additional Images" broken
> --
>
> Key: OFBIZ-10554
> URL: https://issues.apache.org/jira/browse/OFBIZ-10554
> Project: OFBiz
>  Issue Type: Bug
>  Components: product
>Affects Versions: Trunk
>Reporter: Sebastian Wachinger
>Priority: Major
>





[jira] [Commented] (OFBIZ-10554) Trunk - Ecommerce - Product Content "Add Additional Images" broken

2018-09-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16608399#comment-16608399
 ] 

Jacques Le Roux commented on OFBIZ-10554:
-

Hi Sebastian,

It's not related to ecommerce but to the product component. Also I can't 
reproduce it locally nor on the trunk demo. Are you sure there are no changes 
you made yesterday on the trunk demo that could have an impact? They are wiped 
every day (fresh restart, up to date)


> Trunk - Ecommerce - Product Content "Add Additional Images" broken
> --
>
> Key: OFBIZ-10554
> URL: https://issues.apache.org/jira/browse/OFBIZ-10554
> Project: OFBiz
>  Issue Type: Bug
>  Components: product
>Affects Versions: Trunk
>Reporter: Sebastian Wachinger
>Priority: Major
>





[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

2018-09-09 Thread Michael Brohl (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16608411#comment-16608411
 ] 

Michael Brohl commented on OFBIZ-4361:
--

Hi [~soledad],

sorry for the late reply and delay with this issue. We are currently 
over-occupied with projects so it might take some time to prepare everything.

> Any ecommerce user has the ability to reset anothers password (including 
> admin) via "Forget Your Password"
> --
>
> Key: OFBIZ-4361
> URL: https://issues.apache.org/jira/browse/OFBIZ-4361
> Project: OFBiz
>  Issue Type: Bug
>  Components: framework
>Affects Versions: Release Branch 11.04, Trunk
> Environment: Ubuntu and others
>Reporter: mz4wheeler
>Assignee: Michael Brohl
>Priority: Major
>  Labels: security
> Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, 
> OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to 
> reset another user's password, including "admin", without permission.  By 
> simply entering "admin" and clicking "Email Password", the following is 
> displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also 
> possible to generate a dictionary attack against OFBiz because there is no 
> captcha code required.  This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name 
> is optionally in the format of an email address, and maybe require a captcha 
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was 
> generated via an ecommerce transaction.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
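The reported behaviour next to a hardened flow, as an added example that is not OFBiz code and not the patch attached to the issue. It implements the report's two proposals (restrict the feature to ecommerce customers, require a captcha) and adds two things the report does not propose: a per-login request throttle against the dictionary attack it mentions, and a mailed single-use token so that asking for a reset never changes anyone's stored password. Accounts, roles, the clock and the mail step are in-memory stand-ins constructed for the demonstration.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/*
 * Example code, not OFBiz's own: the "Forget Your Password" behaviour the
 * report describes, beside a hardened version. Accounts, roles, the clock
 * and the mail step are in-memory stand-ins constructed for the demo.
 */
public class ForgotPasswordExample {
    enum Role { CUSTOMER, ADMIN }

    static final class Account {
        final Role role;
        String password;
        Account(Role role, String password) { this.role = role; this.password = password; }
    }

    private final Map<String, Account> accounts = new HashMap<>();
    private final Map<String, String> tokenLogin = new HashMap<>();    // reset token -> login
    private final Map<String, Instant> tokenExpiry = new HashMap<>();  // reset token -> expiry
    private final Map<String, Instant> lastRequest = new HashMap<>();  // login -> last request
    private final SecureRandom rng = new SecureRandom();
    private final StringBuilder outbox = new StringBuilder();          // stands in for SMTP

    public ForgotPasswordExample() {
        accounts.put("admin", new Account(Role.ADMIN, "ofbiz"));
        accounts.put("customer1", new Account(Role.CUSTOMER, "secret"));
    }

    // As reported: any login name, "admin" included, gets a fresh password
    // generated and mailed, locking the real owner out. In this demo the reply
    // also differs for unknown logins, which lets a caller enumerate them.
    public String vulnerableReset(String login) {
        Account a = accounts.get(login);
        if (a == null) return "The following occurred: user not found";
        a.password = randomToken(6);
        mail(login, "Your new password is " + a.password);
        return "A new password has been created and sent to you. Please check your Email.";
    }

    // Hardened: only ecommerce customers are eligible and a captcha is required
    // (the report's two proposals); one request per login per 15 minutes blunts
    // dictionary attacks; the stored password stays untouched until a mailed,
    // single-use, expiring token is redeemed (an addition beyond the report);
    // and the reply is identical in every case, so logins cannot be enumerated.
    public String hardenedReset(String login, boolean captchaPassed, Instant now) {
        Account a = accounts.get(login);
        Instant last = lastRequest.get(login);
        boolean throttled = last != null && last.plus(Duration.ofMinutes(15)).isAfter(now);
        if (captchaPassed && a != null && a.role == Role.CUSTOMER && !throttled) {
            String token = randomToken(32);
            tokenLogin.put(token, login);
            tokenExpiry.put(token, now.plus(Duration.ofMinutes(30)));
            lastRequest.put(login, now);
            mail(login, "Reset token: " + token);
        }
        return "If the account is eligible, an email has been sent.";
    }

    // Redeeming the token is the only path that changes a password.
    public boolean redeem(String token, String newPassword, Instant now) {
        String login = tokenLogin.remove(token);            // single use
        Instant expiry = tokenExpiry.remove(token);
        if (login == null || now.isAfter(expiry)) return false;
        accounts.get(login).password = newPassword;
        return true;
    }

    private String randomToken(int bytes) {
        byte[] b = new byte[bytes];
        rng.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private void mail(String login, String body) {
        outbox.append("To ").append(login).append(": ").append(body).append('\n');
    }

    public String password(String login) { return accounts.get(login).password; }
    public String outbox() { return outbox.toString(); }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2018-09-09T10:00:00Z");
        ForgotPasswordExample vuln = new ForgotPasswordExample();
        vuln.vulnerableReset("admin");
        System.out.println("admin after vulnerable reset: " + vuln.password("admin"));

        ForgotPasswordExample fixed = new ForgotPasswordExample();
        System.out.println(fixed.hardenedReset("admin", true, t0));      // same reply, no mail
        System.out.println(fixed.hardenedReset("nobody", true, t0));     // same reply, no mail
        System.out.println(fixed.hardenedReset("customer1", true, t0));  // one mail with a token
        System.out.println(fixed.hardenedReset("customer1", true, t0));  // throttled, no mail
        System.out.println("admin untouched: " + fixed.password("admin"));
        System.out.print(fixed.outbox());                                // exactly one line
    }
}
```

In a real deployment the throttle should also be keyed on the client address, the token should be sent as a link and compared with a constant-time check, and a successful redeem should invalidate existing sessions of that account.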


[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF

2018-09-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16608439#comment-16608439
 ] 

Jacques Le Roux commented on OFBIZ-10427:
-

Hi Girish,

I have not reviewed nor tested it yet. It's indeed a way to go.

The other ones so far were made by Gregory on the security ML. I completely 
forgot to put them in [my answer on the dev ML|https://s.apache.org/XPhR] with my 
answers to Gregory's suggestions then (3 months ago, on a related subject 
including CSRF). Here they are:
{quote}> So to do that, I recommend performing a SHA512 of the user's session 
(as it is unpredictable) and then passing this value in the request body. Then 
the application checks it is okay by hashing the session value and comparing 
it with the value that has been passed.
{quote}
That's an idea, I'll dig deeper into this, because I believe the Tomcat CSRF 
filter is too limited for our use in OFBiz.
{quote}> Maybe through Java Aspect? I don't know if it is supported?
{quote}
We don't use Java Aspect (yet). Anyway I'll consider it as well, besides 
building our own filter.

 

I must add that maybe subclassing the Tomcat filter is easier, better, etc. We 
have to compare both solutions and if needed discuss them again on the dev ML. 
Since we already began to discuss there, at this stage I think we can start 
here :)

> Add a mean to handle CSRF
> -
>
> Key: OFBIZ-10427
> URL: https://issues.apache.org/jira/browse/OFBIZ-10427
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: framework
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Minor
> Attachments: webtools_web.xml.patch
>
>
> I already worked on that in OFBiz but without success so far: 
> https://markmail.org/message/r245yie623cdo3wz
> The tracks I explored are:
> * https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project (really 
> not simple in OFBiz)
> * 
> https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CSRF_Prevention_Filter/Introduction
>  (I think preferred)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
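The token scheme Gregory is quoted proposing, worked through as an added example that is neither OFBiz code nor the Tomcat CsrfPreventionFilter: the token is derived from the session identifier, carried in the request body, and recomputed and compared on the server. The class and method names, the sample session identifiers and the demo key are constructed for the illustration; the keyed (HMAC) variant and the constant-time comparison are additions beyond the quoted suggestion.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/*
 * Example code, not OFBiz's own: a CSRF token bound to the session identifier.
 * The session ids and the key below are constructed for the demo.
 */
public class SessionCsrfToken {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    // The suggestion as quoted: SHA-512 over the (unguessable) session id.
    // The token cannot be inverted to the session id, and a cross-site page
    // cannot read the session cookie to compute it.
    public static String sha512Token(String sessionId) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-512");
            return B64.encodeToString(md.digest(sessionId.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-512 is available in every JRE", e);
        }
    }

    // Keyed variant: the token's validity depends on a secret the server holds
    // (assumed to come from configuration), not only on the session id's
    // unpredictability. Costs one MAC per check instead of one hash.
    public static String hmacToken(byte[] serverKey, String sessionId) {
        try {
            Mac mac = Mac.getInstance("HmacSHA512");
            mac.init(new SecretKeySpec(serverKey, "HmacSHA512"));
            return B64.encodeToString(mac.doFinal(sessionId.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    // Server-side check on every state-changing request: recompute from the
    // authenticated session, compare in constant time.
    public static boolean isValid(byte[] serverKey, String sessionId, String submittedToken) {
        if (submittedToken == null) {
            return false;
        }
        byte[] expected = hmacToken(serverKey, sessionId).getBytes(StandardCharsets.UTF_8);
        byte[] actual = submittedToken.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        byte[] serverKey = new byte[32];
        new SecureRandom().nextBytes(serverKey);                 // demo key
        String victimSession = "A1B2C3D4E5F60718293A4B5C6D7E8F90";   // constructed id
        String attackerSession = "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"; // constructed id

        String formToken = hmacToken(serverKey, victimSession);  // embedded in the form
        System.out.println("SHA-512 token: " + sha512Token(victimSession));
        System.out.println("HMAC token:    " + formToken);

        // Genuine submit from the victim's own page: accepted.
        System.out.println("own token:      " + isValid(serverKey, victimSession, formToken));
        // Forged cross-site request: the attacker's browser sends the victim's
        // cookie, but the body can only carry a token the attacker could compute.
        System.out.println("attacker token: "
            + isValid(serverKey, victimSession, hmacToken(serverKey, attackerSession)));
        System.out.println("missing token:  " + isValid(serverKey, victimSession, null));
    }
}
```

The scheme only holds if the token travels in the request body or a custom header (never only in a cookie, which the browser attaches automatically), if no GET request changes state, and if the token never lands in a URL that ends up in logs or Referer headers. Rotating the session id at login rotates the token for free.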


[jira] [Updated] (OFBIZ-10262) Add Document Content: hr-performance-review.adoc

2018-09-09 Thread Sharan Foga (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sharan Foga updated OFBIZ-10262:

Attachment: (was: hr-performance-review.adoc)

> Add Document Content: hr-performance-review.adoc
> 
>
> Key: OFBIZ-10262
> URL: https://issues.apache.org/jira/browse/OFBIZ-10262
> Project: OFBiz
>  Issue Type: Sub-task
>Reporter: Sharan Foga
>Assignee: Swapnil M Mane
>Priority: Minor
> Attachments: hr-performance-review.adoc
>
>
> Using details from the OFBiz wiki workspaces and the Human Resources Guide 
> and other human resources asciidoc file,  write or organise the content for 
> the hr-performance-review.adoc file.
> A copy of the existing file will be attached. Please write document content 
> for hr-performance-review.adoc by updating the template then re-attach the 
> updated document to this issue.





[jira] [Commented] (OFBIZ-10262) Add Document Content: hr-performance-review.adoc

2018-09-09 Thread Sharan Foga (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16608452#comment-16608452
 ] 

Sharan Foga commented on OFBIZ-10262:
-

Hi [~swapnilmmane], thanks for the update and yes I think this is a good 
direction to take. I don't think we need to include details about fields and 
field validation at this stage as it's too much information to be useful at 
this stage. The high level outline is good for someone wanting to get a basic 
understanding of what it is and how to use it. Later when we do the individual 
online help screens then maybe we could incorporate details about the fields 
etc.

Another thing I thought about is that after we have done the main outlines of 
each guide then where it says things like 'Create Performance Review' or 'Delete 
Performance Review Item' we could make those into links to other documents that 
contain the steps for doing those actual tasks. But I think the main focus will 
be about getting all the high level documentation for as many modules as 
possible done. :)

 

> Add Document Content: hr-performance-review.adoc
> 
>
> Key: OFBIZ-10262
> URL: https://issues.apache.org/jira/browse/OFBIZ-10262
> Project: OFBiz
>  Issue Type: Sub-task
>Reporter: Sharan Foga
>Assignee: Swapnil M Mane
>Priority: Minor
> Attachments: hr-performance-review.adoc
>
>





[jira] [Assigned] (OFBIZ-4310) Conversion for complex-alias needs to be implemented

2018-09-09 Thread Deepak Nigam (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-4310?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Deepak Nigam reassigned OFBIZ-4310:
---

Assignee: Deepak Nigam  (was: Adam Heath)

> Conversion for complex-alias needs to be implemented 
> -
>
> Key: OFBIZ-4310
> URL: https://issues.apache.org/jira/browse/OFBIZ-4310
> Project: OFBiz
>  Issue Type: New Feature
>  Components: framework
>Affects Versions: Release 4.0, Trunk
>Reporter: Jacques Le Roux
>Assignee: Deepak Nigam
>Priority: Minor
>
> There is a TODO in ModelViewEntity.populateReverseLinks()
> // TODO: conversion for complex-alias needs to be implemented for cache and 
> in-memory eval stuff to work correctly
> This throws WARNING at OFBiz startup:
> {code}
> 2011-05-27 13:23:53,161 (main) [ModelViewEntity.java:538:WARN ] 
> Conversion for complex-alias needs to be implemented for cache and in-memory 
> eval stuff to work correctly, will not work for alias: quantityOrdered of 
> view-entity OrderItemQuantityReportGroupByItem
> 2011-05-27 13:23:53,162 (main) [ModelViewEntity.java:538:WARN ] 
> Conversion for complex-alias needs to be implemented for cache and in-memory 
> eval stuff to work correctly, will not work for alias: quantityOpen of 
> view-entity OrderItemQuantityReportGroupByItem
> 2011-05-27 13:23:53,162 (main) [ModelViewEntity.java:538:WARN ] 
> Conversion for complex-alias needs to be implemented for cache and in-memory 
> eval stuff to work correctly, will not work for alias: quantityOrdered of 
> view-entity OrderItemQuantityReportGroupByProduct
> 2011-05-27 13:23:53,162 (main) [ModelViewEntity.java:538:WARN ] 
> Conversion for complex-alias needs to be implemented for cache and in-memory 
> eval stuff to work correctly, will not work for alias: quantityOpen of 
> view-entity OrderItemQuantityReportGroupByProduct
> 2011-05-27 13:23:53,169 (main) [ModelViewEntity.java:538:WARN ] 
> Conversion for complex-alias needs to be implemented for cache and in-memory 
> eval stuff to work correctly, will not work for alias: quantityOrdered of 
> view-entity OrderReportSalesGroupByProduct
> 2011-05-27 13:23:53,176 (main) [ModelViewEntity.java:538:WARN ] 
> Conversion for complex-alias needs to be implemented for cache and in-memory 
> eval stuff to work correctly, will not work for alias: quantityOrdered of 
> view-entity OrderItemAndShipGrpInvResAndItemSum
> 2011-05-27 13:23:53,176 (main) [ModelViewEntity.java:538:WARN ] 
> Conversion for complex-alias needs to be implemented for cache and in-memory 
> eval stuff to work correctly, will not work for alias: totQuantityAvailable 
> of view-entity OrderItemAndShipGrpInvResAndItemSum
> {code}





[jira] [Commented] (OFBIZ-4310) Conversion for complex-alias needs to be implemented

2018-09-09 Thread Deepak Nigam (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-4310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16608728#comment-16608728
 ] 

Deepak Nigam commented on OFBIZ-4310:
-

Using trunk and getting the following warnings on the console:

2018-09-10 10:13:06,787 |delegator-startup-2 |ModelViewEntity |W| 
[TestingCryptoRawView]: Conversion for complex-alias needs to be implemented 
for cache and in-memory eval stuff to work correctly, will not work for alias: 
rawEncryptedValue
2018-09-10 10:13:06,788 |delegator-startup-2 |ModelViewEntity |W| 
[TestingCryptoRawView]: Conversion for complex-alias needs to be implemented 
for cache and in-memory eval stuff to work correctly, will not work for alias: 
rawSaltedEncryptedValue
2018-09-10 10:13:06,884 |delegator-startup-2 |ModelViewEntity |W| 
[OrderItemQuantityReportGroupByItem]: Conversion for complex-alias needs to be 
implemented for cache and in-memory eval stuff to work correctly, will not work 
for alias: quantityOrdered
2018-09-10 10:13:06,885 |delegator-startup-2 |ModelViewEntity |W| 
[OrderItemQuantityReportGroupByItem]: Conversion for complex-alias needs to be 
implemented for cache and in-memory eval stuff to work correctly, will not work 
for alias: quantityOpen
2018-09-10 10:13:06,885 |delegator-startup-2 |ModelViewEntity |W| 
[OrderItemQuantityReportGroupByProduct]: Conversion for complex-alias needs to 
be implemented for cache and in-memory eval stuff to work correctly, will not 
work for alias: quantityOrdered
2018-09-10 10:13:06,885 |delegator-startup-2 |ModelViewEntity |W| 
[OrderItemQuantityReportGroupByProduct]: Conversion for complex-alias needs to 
be implemented for cache and in-memory eval stuff to work correctly, will not 
work for alias: quantityOpen
2018-09-10 10:13:06,892 |delegator-startup-2 |ModelViewEntity |W| 
[OrderReportSalesGroupByProduct]: Conversion for complex-alias needs to be 
implemented for cache and in-memory eval stuff to work correctly, will not work 
for alias: quantityOrdered
2018-09-10 10:13:06,892 |delegator-startup-2 |ModelViewEntity |W| 
[OrderReportSalesGroupByProduct]: Conversion for complex-alias needs to be 
implemented for cache and in-memory eval stuff to work correctly, will not work 
for alias: amount
2018-09-10 10:13:06,895 |delegator-startup-2 |ModelViewEntity |W| 
[OrderItemAndShipGrpInvResAndItemSum]: Conversion for complex-alias needs to be 
implemented for cache and in-memory eval stuff to work correctly, will not work 
for alias: quantityOrdered
2018-09-10 10:13:06,895 |delegator-startup-2 |ModelViewEntity |W| 
[OrderItemAndShipGrpInvResAndItemSum]: Conversion for complex-alias needs to be 
implemented for cache and in-memory eval stuff to work correctly, will not work 
for alias: totQuantityAvailable

> Conversion for complex-alias needs to be implemented 
> -
>
> Key: OFBIZ-4310
> URL: https://issues.apache.org/jira/browse/OFBIZ-4310
> Project: OFBiz
>  Issue Type: New Feature
>  Components: framework
>Affects Versions: Release 4.0, Trunk
>Reporter: Jacques Le Roux
>Assignee: Adam Heath
>Priority: Minor
>

[jira] [Commented] (OFBIZ-10444) Investigate how to possibly use CSS Grid Layout

2018-09-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16608764#comment-16608764
 ] 

Jacques Le Roux commented on OFBIZ-10444:
-

Win7 with IE11 can't use it: https://caniuse.com/#search=css%20grid%20layout

> Investigate how to possibly use CSS Grid Layout
> ---
>
> Key: OFBIZ-10444
> URL: https://issues.apache.org/jira/browse/OFBIZ-10444
> Project: OFBiz
>  Issue Type: New Feature
>  Components: ALL APPLICATIONS
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Priority: Major
> Fix For: Upcoming Branch
>
>
> After reading [https://alistapart.com/article/cult-of-the-complex], I 
> suggested [here|https://markmail.org/message/lz2i4qtdr7yqu3gj] we could 
> consider using CSS Grid Layout everywhere in OFBiz instead of js frameworks, 
> including 
> [Bootstrap|https://www.google.fr/search?q=compare+Bootstrap+to+%22CSS+Grid+Layout%22&ie=UTF-8].
> Quoting myself:
> {quote}Depending the less possible on frameworks seems a good idea to me, and 
> the "CSS Grid Layout" seems simple enough to be a viable replacement. 
>  
> Who knows when Bootstrap will be out of date... 
> {quote}





[jira] [Comment Edited] (OFBIZ-10444) Investigate how to possibly use CSS Grid Layout

2018-09-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16608764#comment-16608764
 ] 

Jacques Le Roux edited comment on OFBIZ-10444 at 9/10/18 6:08 AM:
--

Win7 with IE11 can only partially use it: 
https://caniuse.com/#search=css%20grid%20layout


was (Author: jacques.le.roux):
Win7 with IE11 can't use it: https://caniuse.com/#search=css%20grid%20layout

> Investigate how to possibly use CSS Grid Layout
> ---
>
> Key: OFBIZ-10444
> URL: https://issues.apache.org/jira/browse/OFBIZ-10444
> Project: OFBiz
>  Issue Type: New Feature
>  Components: ALL APPLICATIONS
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Priority: Major
> Fix For: Upcoming Branch
>
>





[jira] [Comment Edited] (OFBIZ-10444) Investigate how to possibly use CSS Grid Layout

2018-09-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16608764#comment-16608764
 ] 

Jacques Le Roux edited comment on OFBIZ-10444 at 9/10/18 6:09 AM:
--

Win7 with IE11 can only partially use it: 
https://caniuse.com/#search=css%20grid%20layout
Opera Mini can't use it at all


was (Author: jacques.le.roux):
Win7 with IE11 can only partially use it: 
https://caniuse.com/#search=css%20grid%20layout

> Investigate how to possibly use CSS Grid Layout
> ---
>
> Key: OFBIZ-10444
> URL: https://issues.apache.org/jira/browse/OFBIZ-10444
> Project: OFBiz
>  Issue Type: New Feature
>  Components: ALL APPLICATIONS
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Priority: Major
> Fix For: Upcoming Branch
>
>





[jira] [Commented] (OFBIZ-10307) Navigate from a domain to another with automated signed in authentication

2018-09-09 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16608781#comment-16608781
 ] 

Jacques Le Roux commented on OFBIZ-10307:
-

Here is a simple way to test this mechanism:
 # Apply the main patch OFBIZ-10307.patch
 # Apply the test patch OFBIZ-10307-test.patch
 # Go to [https://localhost:8443/catalog/control/FindCatalog]
 # Click on the added test button "Target URL"

You should get to [https://jleroux.nereide.fr/content/control/main] without 
authenticating

> Navigate from a domain to another with automated signed in authentication
> -
>
> Key: OFBIZ-10307
> URL: https://issues.apache.org/jira/browse/OFBIZ-10307
> Project: OFBiz
>  Issue Type: New Feature
>  Components: framework
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-10307-test from example.patch, OFBIZ-10307-test 
> from example.patch, OFBIZ-10307-test.patch, OFBIZ-10307-test.patch, 
> OFBIZ-10307-test.patch, OFBIZ-10307.patch, OFBIZ-10307.patch, 
> OFBIZ-10307.patch, OFBIZ-10307.patch, OFBIZ-10307.patch, OFBIZ-10307.patch
>
>
> This will use a JWT Token authentication to get from one domain, where you 
> are signed in, to another domain where you get signed in automatically. 
> Something like ExternalLoginKey or Tomcat SSO, but not on the same domain.
> This will build upon the initial work done at OFBIZ-9833 which has been 
> partially reverted in trunk with r1827439 (see OFBIZ-10304) and r1827441. I 
> explained why and what I did at [https://s.apache.org/a5Km]
> I turned to Ajax for sending the "Authorization" header. I initially thought 
> I'd just pass an "Authorization" header and use it in the 
> externalServerLoginCheck preprocessor, et voilà.
> But I stumbled upon something I did not know well : CORS! And in particular 
> the upstream control (Pre-verified requests):
>  
> [https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Preflight_example]
>  [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS]
>  [https://www.w3.org/TR/cors/]
> To be able to pass an "Authorization" header, the server must respond 
> positively in the Preflight HTTP response (OPTIONS). To do this, either you 
> use a Tomcat filter (or your own filter, there are examples on the Net) or 
> use HTTPD (or Nginx) configuration on the target server.
> I tried Tomcat first, without success. With HTTPD it's easier, just 3 lines. 
> For my tests, future tests by OFBiz users and as an example, I asked infra to 
> put them in our HTTPD trunk demo config:
>  Header set Access-Control-Allow-Origin "https://localhost:8443"
>  Header set Access-Control-Allow-Headers "Authorization"
>  Header set Access-Control-Allow-Credentials "true"
> No code change (either in all web.xml files for Tomcat or Java for our own 
> filter), and more safety. It does not give more rights to outsiders than what 
> we give with the admin credential.
> In Header set Access-Control-Allow-Origin you can put more domains. I just 
> used [https://localhost:8443|https://localhost:8443/] for the tests.
> It works in Chrome, Firefox and Opera and partially in IE11 (not tested in 
> Edge). I did not test Safari, but I guess like other modern browsers it 
> should work.
>  For those (very few I guess) interested in IE11 (for Edge test yourself and 
> report please), here is the solution
>  
> [https://stackoverflow.com/questions/12643960/internet-explorer-10-is-ignoring-xmlhttprequest-xhr-withcredentials-true]
>  
> [https://web.archive.org/web/20130308142134/http://msdn.microsoft.com/en-us/library/ms537343%28v=vs.85%29.aspx]
>  
> [https://blogs.msdn.microsoft.com/ieinternals/2013/09/17/a-quick-look-at-p3p/]
> TODO (maybe) in the future, use the new Fetch API (not available yet): 
> [https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API]
> 
> Here is a complement about the way it's architected:
>  # A change to cookies was introduced with OFBIZ-4959. Actually it was not 
> really a bug, rather a clean-up. The autoLogin cookies were only used by the 
> ecommerce component and maybe webpos. But all applications were creating such 
> cookies with a one year duration. They were useless until I needed them for 
> the feature of this Jira issue. But even if they were safe (httponly) then I 
> needed them to be clean, not a one year duration (to be as safe as possible, 
> temporary cookies are better). So after doing it crudely, [inspired by 
> Taher's suggestion|https://s.apache.org/qLGC] I introduced the 
> keep-autologin-cookie attribute in ofbiz-component.xml. It's used to 
> remove not kept cookies when logging in or out. So those cooki