[jira] [Commented] (OFBIZ-11315) Add “--graph” option

2020-01-06 Thread Mathieu Lirzin (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17009191#comment-17009191
 ] 

Mathieu Lirzin commented on OFBIZ-11315:


As explained by Jacques, the --graph option is a very lightweight utility 
exploiting the functionality of the graph traversal code that is already used 
when loading components.

This tool is useful to have in the core because it enables the management of an 
important set of plugins that depend on each other and will likely require 
some analysis/debugging. One motivation was to have a unified view of the 
components like what is provided partially by component-load.xml files. The 
difference is that the graph representation has better semantics because it 
faithfully represents the partially ordered relation of component dependency 
which is missing from component-load.xml.

> Add “--graph” option
> 
>
> Key: OFBIZ-11315
> URL: https://issues.apache.org/jira/browse/OFBIZ-11315
> Project: OFBiz
>  Issue Type: New Feature
>  Components: framework
>Affects Versions: Trunk
>Reporter: Mathieu Lirzin
>Assignee: Mathieu Lirzin
>Priority: Minor
> Attachments: 0001-Implemented-Add-graph-option.patch, 
> OFBIZ-11315-complete.patch, 
> OFBIZ-11315_standard-no-prefix-format_0001-Implemented-Add-graph-option.patch,
>  ofbiz.dot
>
>
> In order to inspect what components are loaded by OFBiz and their dependency
> relationship, it is convenient to have a visual graph representation.
> {code}
> gradlew "ofbiz --graph"
> {code}
> will output a {{ofbiz.dot}} file that can be processed with Graphviz:
> {code}
> cat ofbiz.dot | dot -T png -o ofbiz.png
> {code}
> Currently there is no dependency relationship specified by components, but to 
> check the kind of graph that is produced it is possible to revert commit 
> aae1c8a8f5fed7de717290c938297be62c0460fa



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
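To make the point about the partial order concrete, here is an added example (not OFBiz code, and not what `--graph` itself executes) that takes a constructed component-to-dependencies map, derives a load order that respects every declared dependency, and renders the same relation as a Graphviz digraph of the kind `ofbiz.dot` holds. The component names are constructed; a flat list like component-load.xml can only state one of the many valid orders, while the graph also exposes a cycle, which no load order can satisfy.

```python
"""Component dependency graph: load order plus Graphviz DOT output.

Added example, not OFBiz code. Models the idea behind the --graph option:
components declare what they depend on, the loader orders them by that
partial order, and the same relation is written out for Graphviz.
"""
from collections import deque

# Constructed sample: component -> components it depends on (names are made up).
SAMPLE_COMPONENTS = {
    "base": [],
    "entity": ["base"],
    "service": ["entity"],
    "webapp": ["service"],
    "party": ["webapp"],
    "product": ["party"],
    "order": ["product", "party"],
}


class DependencyCycle(ValueError):
    """Raised when no load order can satisfy the declared dependencies."""


def topological_order(deps):
    """Return a load order respecting every declared dependency (Kahn's algorithm).

    Ties are broken alphabetically so the result is deterministic. A cycle is
    reported by name; that is the situation a flat load list cannot express and
    a graph makes obvious.
    """
    indegree = {name: 0 for name in deps}
    dependents = {name: [] for name in deps}
    for name, requires in deps.items():
        for req in requires:
            if req not in deps:
                raise ValueError(f"{name} depends on unknown component {req}")
            indegree[name] += 1
            dependents[req].append(name)
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for child in sorted(dependents[current]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(deps):
        stuck = sorted(n for n, d in indegree.items() if d > 0)
        raise DependencyCycle(f"dependency cycle among: {', '.join(stuck)}")
    return order


def has_cycle(deps):
    """True when the declared dependencies contain a cycle."""
    try:
        topological_order(deps)
    except DependencyCycle:
        return True
    return False


def to_dot(deps, graph_name="ofbiz"):
    """Render the dependency relation as a Graphviz digraph (edge = 'depends on')."""
    lines = [f"digraph {graph_name} {{", "  rankdir=LR;"]
    for name in sorted(deps):
        lines.append(f'  "{name}";')
    for name, requires in sorted(deps.items()):
        for req in requires:
            lines.append(f'  "{name}" -> "{req}";')
    lines.append("}")
    return "\n".join(lines) + "\n"


def respects_dependencies(order, deps):
    """True if every component appears after everything it depends on."""
    position = {name: i for i, name in enumerate(order)}
    return all(position[req] < position[name]
               for name, reqs in deps.items() for req in reqs)


if __name__ == "__main__":
    print(" -> ".join(topological_order(SAMPLE_COMPONENTS)))
    print(to_dot(SAMPLE_COMPONENTS))
```

Piping the output of `to_dot` to `dot -T png` gives the same kind of picture the issue describes for `ofbiz.dot`.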


[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

2020-01-06 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17009067#comment-17009067
 ] 

Jacques Le Roux commented on OFBIZ-11306:
-

BTW, what made you decide to abandon CSRFGuard?

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Improvement
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11306-v2.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using the CSRF Guard library and used in:
> 1) widget forms, where a hidden token field is auto-generated;
> 2) FTL forms, where a <@csrfTokenField> macro is used to generate the csrf 
> token field; 
> 3) Ajax calls, where a <@csrfTokenAjax> macro is used to assign the csrf token 
> to X-CSRF-Token in the request header. 
> CSRF tokens are stored in the user sessions and verified during POST requests.
> A new attribute, i.e. csrf-token, is added to the security tag to exempt a 
> request from the CSRF token check.
> Certain request paths, like LookupPartyName, can be exempted from the CSRF 
> token check during Ajax POST calls. 





[jira] [Comment Edited] (OFBIZ-11306) POC for CSRF Token

2020-01-06 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17009013#comment-17009013
 ] 

Jacques Le Roux edited comment on OFBIZ-11306 at 1/6/20 6:07 PM:
-

bq. To allow back and forth browser buttons to work, can have the token value 
unchanged when request.getMethod is GET.
For now I did not find any issues with that. If needed, indeed, that would be the 
solution.

bq. One page checkout works from my side when I last tested with the current 
patches. I was using Chrome and the admin user. Will test again.
It's not a browser issue, clearly: _Invalid or missing CSRF token for AJAX call 
to path '/getChild'_ when getting to shipping options.

bq. Regarding the recommendation from CSRFGuard, maybe can be discussed in the 
Dev List when this issue is completed?
I think we should not commit before checking that we did follow the CSRFGuard 
recommendations.

bq. Allowing one web app to ajax call another web app, with the former web app 
knowing the csrf token of the latter web app, is only possible if we convert 
the static js files to ftl files. But I don't think there are many use cases for 
it. For now, I have set the security token check to false for 
/getAssociatedStateList in Catalog app, to allow the eCommerce app to call the 
uri.
We need to evaluate that, it's not yet clear to me.



was (Author: jacques.le.roux):
bq. To allow back and forth browser buttons to work, can have the token value 
unchanged when request.getMethod is GET.
For now I did not find any issues with that. If needed indeed would the 
solution.

Bq. One page checkout works from my side when I last tested with the current 
patches. I was using Chrome and the admin user. Will test again.
It's not a browser issue, clearly: _Invalid or missing CSRF token for AJAX call 
to path '/getChild'_ when getting to shipping options

bq. Regarding the recommendation from CSRFGuard, maybe can be discussed in the 
Dev List when this issue is completed?
I think we should not commit before checking that we did follow the CSRFGuard 
recommendations

bq. Allowing one web app to ajax call another web app, with the former web app 
knowing the csrf token of the latter web app, is only possible if we convert 
the static js files to ftl files. But I don't think there is many use case for 
it. For now, I have set the security token check to false for 
/getAssociatedStateList in Catalog app, to allow the eCommerce app to call the 
uri.
We need to evaluate that, it's not yet clear to me




[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

2020-01-06 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17009065#comment-17009065
 ] 

Jacques Le Roux commented on OFBIZ-11306:
-

Your comment
bq. Regarding the recommendation from CSRFGuard, maybe can be discussed in the 
Dev List when this issue is completed?
makes sense to me now :)



[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

2020-01-06 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17009064#comment-17009064
 ] 

Jacques Le Roux commented on OFBIZ-11306:
-

Actually I forgot that you wrote above:
bq. Removed CSRFGuard library
So you are no longer relying on CSRFGuard at all, it's only based on CsrfUtil 
class, right?



[jira] [Issue Comment Deleted] (OFBIZ-11306) POC for CSRF Token

2020-01-06 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Comment: was deleted

(was: I wrote above:
bq. It's OK with me. I just want to check all possibilities offered by 
CSRFGuard3...
I was wrong, actually the article I referred there dates from before 
CSRFGuard3. I think we should closely follow CSRFGuard3 recommendations rather.)



[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

2020-01-06 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17009055#comment-17009055
 ] 

Jacques Le Roux commented on OFBIZ-11306:
-

I wrote above:
bq. It's OK with me. I just want to check all possibilities offered by 
CSRFGuard3...
I was wrong, actually the article I referred there dates from before 
CSRFGuard3. I think we should closely follow CSRFGuard3 recommendations rather.



[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

2020-01-06 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17009052#comment-17009052
 ] 

Jacques Le Roux commented on OFBIZ-11306:
-

Before I dive into "CSRFGuard 3 Configuration", the 1st sentence of 
https://www.owasp.org/index.php/CSRFGuard_3_Configuration is
bq. The most important aspect of deploying OWASP CSRFGuard is configuration of 
the Owasp.CsrfGuard.properties file.
You don't use an Owasp.CsrfGuard.properties file, why?




[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

2020-01-06 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17009013#comment-17009013
 ] 

Jacques Le Roux commented on OFBIZ-11306:
-

bq. To allow back and forth browser buttons to work, can have the token value 
unchanged when request.getMethod is GET.
For now I did not find any issues with that. If needed, indeed, that would be the 
solution.

bq. One page checkout works from my side when I last tested with the current 
patches. I was using Chrome and the admin user. Will test again.
It's not a browser issue, clearly: _Invalid or missing CSRF token for AJAX call 
to path '/getChild'_ when getting to shipping options.

bq. Regarding the recommendation from CSRFGuard, maybe can be discussed in the 
Dev List when this issue is completed?
I think we should not commit before checking that we did follow the CSRFGuard 
recommendations.

bq. Allowing one web app to ajax call another web app, with the former web app 
knowing the csrf token of the latter web app, is only possible if we convert 
the static js files to ftl files. But I don't think there are many use cases for 
it. For now, I have set the security token check to false for 
/getAssociatedStateList in Catalog app, to allow the eCommerce app to call the 
uri.
We need to evaluate that, it's not yet clear to me.




[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

2020-01-06 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17009005#comment-17009005
 ] 

Jacques Le Roux commented on OFBIZ-11306:
-

I wrote above:
bq. As you may know, I used an older version a few years ago, and things have 
much changed since, it seems. Notably I want to read 
https://www.owasp.org/index.php/CSRFGuard_3_Configuration#Ajax_and_XMLHttpRequest_Support.
 I'm not sure you follow their recommendations, please explain/comment if 
needed, thanks.

I guess you did something like 
https://stackoverflow.com/questions/38180900/how-to-inject-csrfguard-security-tokens-using-jquery-using-ajax
 (apart from the JSP part, but I see the csrf-token in metadata anyway)

It's OK with me. I just want to check all possibilities offered by CSRFGuard3...



[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

2020-01-06 Thread James Yong (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17008997#comment-17008997
 ] 

James Yong commented on OFBIZ-11306:


Hi Jacques,
 
To allow back and forth browser buttons to work, 
we can have the token value unchanged when request.getMethod is GET.

Will fix the catalog tree and the above in the next patch.

One page checkout works from my side when I last tested with the current 
patches.
I was using Chrome and the admin user. Will test again.

Regarding the recommendation from CSRFGuard, 
maybe it can be discussed in the Dev List when this issue is completed?

Allowing one web app to ajax call another web app, with the former web app 
knowing the csrf token of the latter web app, is only possible if we convert 
the static js files to ftl files. 
But I don't think there are many use cases for it.
For now, I have set the security token check to false for 
/getAssociatedStateList in Catalog app, to allow the eCommerce app to call the 
uri.




[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

2020-01-06 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17008922#comment-17008922
 ] 

Jacques Le Roux commented on OFBIZ-11306:
-

Hi James, (this was supposed to be sent before ;))

bq. Also note that the html metadata is storing the csrf token used by JQuery 
AJAX. This token will not change to another value after it is consumed. 
Thanks, this clarifies things to me. I have to review more about CSRFGuard 3. 
As you may know, I used an older version a few years ago, and things have much 
changed since, it seems. Notably I want to read 
https://www.owasp.org/index.php/CSRFGuard_3_Configuration#Ajax_and_XMLHttpRequest_Support.
 I'm not sure you follow their recommendations, please explain/comment if 
needed, thanks.

bq. Csrf tokens for GET and POST requests are unique for each link and not 
stored in the html metadata.
That's better (i.e. safer) as long as back and forth browser buttons work.

bq. My question is whether it is correct to allow one web app to ajax call 
another web app?
Sorry, I need to review more before answering this question. It will take a bit 
of time...

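The thread settles on two kinds of token: a per-link token for rendered forms and links, and one stable token kept in the page metadata for jQuery Ajax calls, with tokens stored in the session, verified on POST, left unchanged on GET so the browser's back/forward buttons keep working, and with some paths (like /getAssociatedStateList) exempted. The following added example (not OFBiz's CsrfUtil, and not James's patch) implements that model in Python so the consequences of each choice can be exercised: a replayed form token fails, the Ajax token is reusable, a missing header produces the same kind of rejection the log in the thread shows. The hidden-field name, the demo form path and the exempt set are assumptions; only the X-CSRF-Token header name and the path names /getChild and /getAssociatedStateList come from the issue.

```python
"""Session-bound CSRF token check (added example, not OFBiz's CsrfUtil).

Models the design discussed in the issue: tokens live in the user session,
widget/FTL forms carry a hidden token field, Ajax calls send the token taken
from the page metadata in the X-CSRF-Token header, POST requests are verified,
and individual request paths can be exempted (the csrf-token="false" idea).
Two token kinds are kept: a per-link token consumed by the POST it protects,
and one stable Ajax token per session. A GET never rotates anything, so the
browser's back/forward buttons keep working.
Assumptions: FORM_FIELD and the exempt/demo paths are constructed for this
example; only the header name comes from the issue description.
"""
import hmac
import secrets

FORM_FIELD = "csrfToken"                  # assumed hidden-field name
AJAX_HEADER = "X-CSRF-Token"              # header named in the issue description
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class SessionCsrf:
    """CSRF state for one authenticated session."""

    def __init__(self, exempt_paths=()):
        self._link_tokens = {}                        # path -> one-shot token
        self._ajax_token = secrets.token_urlsafe(32)  # stable for the session
        self._exempt = frozenset(exempt_paths)

    def link_token(self, path):
        """Token to embed as a hidden field in the form that posts to ``path``."""
        if path not in self._link_tokens:
            self._link_tokens[path] = secrets.token_urlsafe(32)
        return self._link_tokens[path]

    def ajax_token(self):
        """Token to embed in the page metadata for XHR calls (never rotated)."""
        return self._ajax_token

    @staticmethod
    def _equal(presented, expected):
        # Constant-time comparison so a wrong token is not rejected faster or
        # slower depending on how many leading characters matched.
        return hmac.compare_digest(presented.encode(), expected.encode())

    def check(self, method, path, form=None, headers=None):
        """Return (accepted, reason) for a request hitting this session.

        Safe methods and exempt paths are not checked. A present header selects
        the Ajax token; otherwise the per-link token for ``path`` is expected
        and consumed on success, so a replayed form fails.
        """
        form, headers = form or {}, headers or {}
        if method in SAFE_METHODS or path in self._exempt:
            return True, "not checked"
        if AJAX_HEADER in headers:
            presented, expected = headers[AJAX_HEADER], self._ajax_token
        else:
            presented, expected = form.get(FORM_FIELD), self._link_tokens.get(path)
        if not presented:
            return False, f"missing CSRF token for {path}"
        if expected is None or not self._equal(presented, expected):
            return False, f"invalid CSRF token for {path}"
        if AJAX_HEADER not in headers:
            del self._link_tokens[path]   # one-shot: the form token is spent
        return True, "ok"


if __name__ == "__main__":
    session = SessionCsrf(exempt_paths={"/getAssociatedStateList"})
    token = session.link_token("/demoForm")           # constructed path
    print(session.check("POST", "/demoForm", form={FORM_FIELD: token}))
    print(session.check("POST", "/demoForm", form={FORM_FIELD: token}))  # replay
    print(session.check("POST", "/getChild"))          # Ajax call without header
```

The exemption is the knob the thread worries about: every path added to `exempt_paths` is a POST handler the check no longer protects, so it should be reviewed as such rather than used to make a failing Ajax call go away.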


[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

2020-01-06 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17008921#comment-17008921
 ] 

Jacques Le Roux commented on OFBIZ-11306:
-

bq. I think it is a good practice for CSRF Token check during login. Not sure 
if it will be easy to set the security csrf token check to false when deploying 
to demo..
I think we can live with it. Maybe we will find a way later...

The catalog dropdown works now. For the tree clicking on main node works but 
you can't extend because of

{noformat}
2020-01-06 15:42:49,563 |jsse-nio-8443-exec-6 |ControlServlet |E| Error in request handler:
org.apache.ofbiz.webapp.control.RequestHandlerException: Invalid or missing CSRF token for AJAX call to path '/getChild'
	at org.apache.ofbiz.base.util.CsrfUtil.checkToken(CsrfUtil.java:245) ~[main/:?]
	at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:439) ~[main/:?]
{noformat}

In ecommerce the tree works well, still not the one page checkout.

To avoid too many iterations here, maybe at some stage we will need to commit 
and let people report issues where things don't work as expected...

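Once a check like this ships, the rejection above becomes a log event operators have to interpret: the same path failing over and over from one page is the missing-token case this thread is debugging, while a path rejected across many worker threads and sessions over time deserves a closer look. The following added example (not OFBiz code) parses records shaped like the ControlServlet error quoted above, extracts the rejected path from the RequestHandlerException message, and summarises rejections per path and per worker thread. The log lines are constructed from the format shown in the thread; the second rejected path is a made-up placeholder.

```python
"""Triage of CSRF rejections in OFBiz-style logs (added example, not OFBiz code).

Groups a log into records (a header line plus the exception and stack lines
that follow it), finds the CSRF rejection message produced by the token check,
and reports how often each path was rejected and from which worker threads.
SAMPLE_LOG is constructed from the record format quoted in the thread.
"""
import re
from collections import Counter, defaultdict

# Start of a log record: timestamp |thread |logger |level| message
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\|(?P<thread>[^|]*?)\s*\|(?P<logger>[^|]*?)\s*\|(?P<level>[A-Z])\| ?(?P<msg>.*)$"
)
# The exception message from the CSRF check, as quoted in the thread.
CSRF_RE = re.compile(
    r"Invalid or missing CSRF token for (?P<kind>.+?) to path '(?P<path>[^']+)'"
)

SAMPLE_LOG = """\
2020-01-06 15:42:49,563 |jsse-nio-8443-exec-6 |ControlServlet |E| Error in request handler:
org.apache.ofbiz.webapp.control.RequestHandlerException: Invalid or missing CSRF token for AJAX call to path '/getChild'
\tat org.apache.ofbiz.base.util.CsrfUtil.checkToken(CsrfUtil.java:245) ~[main/:?]
2020-01-06 15:42:50,101 |jsse-nio-8443-exec-2 |ControlServlet |I| constructed unrelated info line
2020-01-06 15:43:01,007 |jsse-nio-8443-exec-6 |ControlServlet |E| Error in request handler:
org.apache.ofbiz.webapp.control.RequestHandlerException: Invalid or missing CSRF token for AJAX call to path '/getChild'
2020-01-06 15:44:12,400 |jsse-nio-8443-exec-3 |ControlServlet |E| Error in request handler:
org.apache.ofbiz.webapp.control.RequestHandlerException: Invalid or missing CSRF token for AJAX call to path '/constructedCheckoutStep'
"""


def parse_records(log_text):
    """Split a log into records: a header line plus its continuation lines."""
    records = []
    for line in log_text.splitlines():
        match = RECORD_RE.match(line)
        if match:
            record = match.groupdict()
            record["detail"] = []
            records.append(record)
        elif records:
            records[-1]["detail"].append(line)   # exception text, stack frames
    return records


def csrf_rejections(log_text):
    """Return one dict per CSRF rejection: timestamp, thread, kind and path."""
    hits = []
    for record in parse_records(log_text):
        if record["level"] != "E":
            continue
        for line in record["detail"]:
            match = CSRF_RE.search(line)
            if match:
                hits.append({"ts": record["ts"], "thread": record["thread"],
                             **match.groupdict()})
                break
    return hits


def summarize(log_text):
    """Map each rejected path to its rejection count and distinct worker threads."""
    count = Counter()
    threads = defaultdict(set)
    for hit in csrf_rejections(log_text):
        count[hit["path"]] += 1
        threads[hit["path"]].add(hit["thread"])
    return {path: {"rejections": count[path], "threads": sorted(threads[path])}
            for path in count}


if __name__ == "__main__":
    for path, info in summarize(SAMPLE_LOG).items():
        print(f"{path}: {info['rejections']} rejection(s) from {info['threads']}")
```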


[jira] [Commented] (OFBIZ-10577) New Feature: Inventory Cycle Count

2020-01-06 Thread Yashwant Dhakad (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17008781#comment-17008781
 ] 

Yashwant Dhakad commented on OFBIZ-10577:
-

Hi Mathieu,

Cycle count is an inventory auditing procedure of physical inventory whereby 
inventory is counted at regular intervals within a fiscal year.

> New Feature: Inventory Cycle Count
> --
>
> Key: OFBIZ-10577
> URL: https://issues.apache.org/jira/browse/OFBIZ-10577
> Project: OFBiz
>  Issue Type: New Feature
>  Components: hhfacility
>Affects Versions: Trunk
>Reporter: Yashwant Dhakad
>Assignee: Yashwant Dhakad
>Priority: Major
> Attachments: OFBIZ-10577-Database-Changes.patch
>
>
> *Here are the design notes for cycle count workflow:*
> *Find Session Screen:* In this screen, we will show all the sessions created 
> in the system with respect to the facility, locations, inventory count item, 
> current status, and created date. We have a search field to filter the 
> records on the basis of the facility, status.
> *Find Pending Locations:* In this screen, we have a table listing all the 
> pending locations whose countings are pending and we can create a session for 
> them. All details regarding the pending locations are listed here with the 
> location, next count date, last count date and days extended for the count, 
> total inventory item and product for this location. We have facets for 
> filtering the records on the basis of the facility, not scanned since and 
> scheduled for next scan. Also, we have a global search at the top of the 
> screen. In Pending Locations screen, we have a Create Session button. To 
> create a session we can either select one or more records from the below list 
> or create a new session by yourself.
> In Create Session screen, the basic overview is shown in the "Overview" 
> section and the items are listed in the "Items" section. We can create a new 
> line item by clicking on the 'Add' button and we can also update the item 
> quantity. After completing this, we can proceed with this session and mark it 
> with 'Pending for Review' status from the 'Status' button at the top of the 
> screen or we can simply 'Reject'. 'Reject' status button is available at the 
> top of the screen.
> *Find Review Screen:* In this screen, we have a table listing all the 
> locations pending for the review. All the details regarding the review 
> sessions are listed with the facility, locations and counted inventory item. 
> We have facets for filtering records on the basis of the facility. By 
> clicking any session we can go to its detail screen, where basic details 
> regarding this session are listed in the 'Overview' section and items are 
> listed in the 'Items' section. We can select any number of rows and mark them 
> as 'Accept' or 'Reject'. When these items are marked as 'Accepted' then the 
> variance is created and these are added in the Count Progress report. Only 
> authorized persons can accept or reject the sessions and once the session is 
> accepted it is marked as 'Completed'.
> *Count Progress Report:* In this screen, users can view the advanced counting 
> related analytics with respect to all sessions in 'Completed' status from the 
> Reports Screen. We can filter the records on the basis of the facility and 
> within a date range. We can also see the percentage of the total locations, 
> inventory items counted and errors that occurred during the process. Item 
> variance details are listed in the section below in tabular form.
> The following changes to the existing data model support the end-to-end 
> counting process flow:
> *New entities:*
> *InventoryCount*
>   inventoryCountId
>   uploadedByUserLogin
>   facilityId
>   statusId
>   createdDatetime
>  *InventoryCountItem*
>   inventoryCountId
>   inventoryCountItemSeqId
>   inventoryItemId
>   itemStatusId
>   locationSeqId
>   productId
>   productIdentifier
>   quantity
>  *InventoryCountVariance* 
>   inventoryCountId
>   inventoryCountItemSeqId
>   inventoryItemId
>   productId
>   productIdentifier
>   locationSeqId
>   systemQuantityOnHand
>   actualQuantityOnHand
>   varianceQuantityOnHand
>   totalCost
>   actualCost
>   costVariance
>   actualValue
>   totalValue
>   valueVariance
>   unitCost
>  *ProductCategoryFacilityLocation*
>   facilityId
>   locationSeqId
>   productCategoryId
>   fromDate
>   thruDate
>   isCountable
> *Extended entity:*
>  *FacilityLocation*
>   locked
>   lastCountDate
>   nextCountDate
>  *ProductCategory*
>   isCountable
> We will prevent the following inbound and outbound transactions within the 
> application if the location is locked for counting:
> Inventory Transfer 
> Issuance against Sales Order 
> Sales Return receiving 
> Inventory receive 
> Issuance and return inventory in m

[jira] [Commented] (OFBIZ-10934) Performance Increase: Using replace() instead of replaceAll() when a regex is not used increases performance

2020-01-06 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17008711#comment-17008711
 ] 

Jacques Le Roux commented on OFBIZ-10934:
-

Hi,

What is the status here?

> Performance Increase: Using replace() instead of replaceAll() when a regex is 
> not used increases performance
> 
>
> Key: OFBIZ-10934
> URL: https://issues.apache.org/jira/browse/OFBIZ-10934
> Project: OFBiz
>  Issue Type: Improvement
>  Components: framework
>Affects Versions: Trunk
>Reporter: bd2019us
>Priority: Trivial
>  Labels: pull-request-available
> Attachments: OFBIZ-10934.patch, OFBIZ10934-MORE.patch, affected_files
>
>
> Affected files:
> # framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
> # 
> framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
> # 
> framework/entity/src/main/java/org/apache/ofbiz/entity/condition/EntityOperator.java
> # framework/base/src/main/java/org/apache/ofbiz/base/util/KeyStoreUtil.java 
> When replaceAll() is utilized and no regex is used, replaceAll() can be 
> replaced with replace() for better performance.



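The issue above is about swapping `replaceAll()` for `replace()` where no regular expression is intended. Beyond the performance point, the swap also removes a correctness hazard: `replaceAll()` interprets both the search string and the replacement string (metacharacters such as `.`, and `$`/`\` in the replacement), so a literal that happens to contain one of them silently does something else. The following is an added, self-contained example written for this note; it is not code from the OFBIZ-10934 patch or from OFBiz. The class name and the sample strings are constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not OFBiz code): literal vs. regex replacement in Java.
public class ReplaceVsReplaceAll {

    // Literal replacement: the needle is matched character by character,
    // and the replacement is inserted verbatim.
    static String literal(String input, String needle, String replacement) {
        return input.replace(needle, replacement);
    }

    // Regex replacement: the needle is compiled as a Pattern on every call,
    // and '$' and '\' in the replacement string carry special meaning.
    static String regex(String input, String needle, String replacement) {
        return input.replaceAll(needle, replacement);
    }

    // When a regex is really required but parts of it come from data,
    // quote those parts so they are treated literally.
    static String quotedRegex(String input, String needle, String replacement) {
        return input.replaceAll(Pattern.quote(needle), Matcher.quoteReplacement(replacement));
    }

    // Rough timing of one replacement strategy over many iterations (nanoseconds).
    static long timeNanos(Runnable work, int iterations) {
        long start = System.nanoTime();
        for (int i = 0; i < iterations; i++) {
            work.run();
        }
        return System.nanoTime() - start;
    }

    public static void main(String[] args) {
        // Constructed sample input: a host name containing '.', a regex metacharacter.
        String host = "api.example.org";
        System.out.println(literal(host, ".", "-"));      // api-example-org
        System.out.println(regex(host, ".", "-"));        // --------------- (every char matched)
        System.out.println(quotedRegex(host, ".", "-"));  // api-example-org

        // Constructed sample input: a replacement containing '$1', a group reference.
        String price = "cost: AMOUNT";
        System.out.println(literal(price, "AMOUNT", "$1.00"));   // cost: $1.00
        try {
            regex(price, "AMOUNT", "$1.00");                       // no group 1 in the pattern
        } catch (IndexOutOfBoundsException e) {
            System.out.println("replaceAll rejected the replacement: " + e.getMessage());
        }
        System.out.println(quotedRegex(price, "AMOUNT", "$1.00")); // cost: $1.00

        // Performance: replaceAll recompiles the Pattern on every call.
        final String text = "a,b,c,d,e,f,g,h,i,j";
        int n = 200_000;
        long literalNs = timeNanos(() -> literal(text, ",", ";"), n);
        long regexNs = timeNanos(() -> regex(text, ",", ";"), n);
        System.out.printf("replace():    %d ms%n", literalNs / 1_000_000);
        System.out.printf("replaceAll(): %d ms%n", regexNs / 1_000_000);
    }
}
```

The first two cases are the ones worth checking in a review of such a patch: wherever the search or replacement text can contain `.`, `$` or `\` (paths, host names, currency strings), `replace()` is not only faster but also the only one of the two that does what the caller meant; if a regex is genuinely needed, `Pattern.quote` and `Matcher.quoteReplacement` keep data-derived fragments literal.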


[jira] [Commented] (OFBIZ-11315) Add “--graph” option

2020-01-06 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17008687#comment-17008687
 ] 

Jacques Le Roux commented on OFBIZ-11315:
-

Hi Paul,

It's true that some code would need to be added. 

Build time is not concerned as long as you don't trigger the "--graph" task:
{noformat}
C:\projectsASF\Git\ofbiz-framework>gradlew ofbiz
Starting a Gradle Daemon, 7 busy Daemons could not be reused, use --status for 
details

> Configure project :
You are using one or more deprecated Asciidoctor task or plugins. To help with 
migration run with --warnings=all

> Task :compileJava
> Task :compileGroovy
> Task :processResources UP-TO-DATE
> Task :classes

> Task :ofbiz
Config.java using configuration file start.properties
Set OFBIZ_HOME to - C:\projectsASF\Git\ofbiz-framework
[...]
{noformat}

So I don't think it's an issue for production. Maintaining the code is also not 
a concern regarding building and running OFBiz in production or not. So I don't 
think it's a burden. Moreover it's very little code:  
[^OFBIZ-11315_standard-no-prefix-format_0001-Implemented-Add-graph-option.patch]
 . So if ever it's no longer used it's easy to remove, a revert on a single 
commit is always simple. It's not always the case with multiple commits...

> Add “--graph” option
> 
>
> Key: OFBIZ-11315
> URL: https://issues.apache.org/jira/browse/OFBIZ-11315
> Project: OFBiz
>  Issue Type: New Feature
>  Components: framework
>Affects Versions: Trunk
>Reporter: Mathieu Lirzin
>Assignee: Mathieu Lirzin
>Priority: Minor
> Attachments: 0001-Implemented-Add-graph-option.patch, 
> OFBIZ-11315-complete.patch, 
> OFBIZ-11315_standard-no-prefix-format_0001-Implemented-Add-graph-option.patch,
>  ofbiz.dot
>
>
> In order to inspect what components are loaded by OFBiz and their dependency
> relationship, it is convenient to have a visual graph representation.
> {code}
> gradlew "ofbiz --graph"
> {code}
> will output a {{ofbiz.dot}} file that can be processed with Graphviz:
> {code}
> cat ofbiz.dot | dot -T png -o ofbiz.png
> {code}
> Currently there is no dependency relationship specified by components but to 
> check the kind of graph is produced it is possible to revert commit 
> aae1c8a8f5fed7de717290c938297be62c0460fa





[jira] [Comment Edited] (OFBIZ-11315) Add “--graph” option

2020-01-06 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11315?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17007483#comment-17007483
 ] 

Jacques Le Roux edited comment on OFBIZ-11315 at 1/6/20 9:46 AM:
-

This is the result I got:  [^ofbiz.dot]  I could visualize it locally using 
Graphviz. It's raw for the moment compared to what is at 
https://cwiki.apache.org/confluence/display/OFBIZ/Component+and+Component+Set+Dependencies


was (Author: jacques.le.roux):
This is the result I got:  [^ofbiz.dot]  I could visualize it locally using 
Grpahviz. It's raw for the moment compared to what is at 
https://cwiki.apache.org/confluence/display/OFBIZ/Component+and+Component+Set+Dependencies

> Add “--graph” option
> 
>
> Key: OFBIZ-11315
> URL: https://issues.apache.org/jira/browse/OFBIZ-11315
> Project: OFBiz
>  Issue Type: New Feature
>  Components: framework
>Affects Versions: Trunk
>Reporter: Mathieu Lirzin
>Assignee: Mathieu Lirzin
>Priority: Minor
> Attachments: 0001-Implemented-Add-graph-option.patch, 
> OFBIZ-11315-complete.patch, 
> OFBIZ-11315_standard-no-prefix-format_0001-Implemented-Add-graph-option.patch,
>  ofbiz.dot
>
>
> In order to inspect what components are loaded by OFBiz and their dependency
> relationship, it is convenient to have a visual graph representation.
> {code}
> gradlew "ofbiz --graph"
> {code}
> will output a {{ofbiz.dot}} file that can be processed with Graphviz:
> {code}
> cat ofbiz.dot | dot -T png -o ofbiz.png
> {code}
> Currently there is no dependency relationship specified by components but to 
> check the kind of graph is produced it is possible to revert commit 
> aae1c8a8f5fed7de717290c938297be62c0460fa





[jira] [Commented] (OFBIZ-6510) Replace webtools/control/view/ModelInduceFromDb with widgets

2020-01-06 Thread Benjamin Jugl (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-6510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17008620#comment-17008620
 ] 

Benjamin Jugl commented on OFBIZ-6510:
--

[~nmalin]: Mostly because I was unaware of its existence. I just converted the 
groovy-event into Java and gave it a (imho) clearer structure. Since that 
development has been collecting dust for some time now, I should have 
double-checked if something suitable already existed. Thank you for pointing me 
there, I will check if it is suitable for this purpose and maybe provide 
another patch.

> Replace webtools/control/view/ModelInduceFromDb with widgets
> 
>
> Key: OFBIZ-6510
> URL: https://issues.apache.org/jira/browse/OFBIZ-6510
> Project: OFBiz
>  Issue Type: Improvement
>  Components: framework
>Affects Versions: Trunk
>Reporter: Christian Carlow
>Assignee: Michael Brohl
>Priority: Major
> Attachments: OFBIZ-6510.patch, OFBIZ-6510.patch, OFBIZ-6510.patch, 
> OFBIZ-6510_ModelInduceFromDb.patch, OFBIZ-6510_ModelInduceFromDb_002.patch
>
>
> The page is written in JSP probably from very long ago when FTL and widgets 
> didn't even exist yet.  It should be implemented in widgets now that they are 
> available.


