Hi, I got login to work by adding the changes below to my controller using ofbiz4.0. I don't think I follow the reason with OFBTOOLS base permission not taking effect in the ofbiz-component as explained in OFBIZ-829. But I agree with Si Chen on OFBIZ-829 "The right way is to assume no permission until one of the list of permissions is met." Seems more intuitive. For now I can work around it so thanks all.
-Milind
<preprocessor>
    <!-- Events to run on every request before security (chains exempt) -->
    <!-- <event type="java" path="org.ofbiz.webapp.event.TestEvent" invoke="test"/> -->
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
</preprocessor>

<!-- Request Mappings -->
<request-map uri="checkLogin" edit="false">
    <description>Verify a user is logged in.</description>
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin" />
    <response name="success" type="view" value="main" />
    <response name="error" type="view" value="login" />
</request-map>
<request-map uri="login">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
</request-map>
<request-map uri="main">
    <security https="false" auth="true" />
    <response name="success" type="view" value="main"/>
</request-map>

<view-map name="login" type="screen" page="component://marketing/widget/CommonScreens.xml#login" />

> Not with a direct link to the comment where is the explanation ;p
> Actually it was more a didactic post
>
> Jacques
>
> From: "BJ Freeman" <[EMAIL PROTECTED]>
>> LOL
>> that was the first link I sent on this thread.
>>
>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>
>>> You would have get
>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>
>>> Jacques
>>>
>>> ----- Original Message -----
>>> From: "Milind W" <[EMAIL PROTECTED]>
>>> To: <user@ofbiz.apache.org>
>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>> Subject: Re: how to set security and permissions precedence
>>>
>>>> Let me try to break up questions.
>>>> Shouldn't adding
>>>> base-permission="OFBTOOLS"
>>>> to the ofbiz-entity.xml force the user to login with a user id that is
>>>> associated to the OFBTOOLS security group?
>>>> I can see the application I created and the line seems to have no effect.
>>>> What is the purpose of the line?
>>>> Thanks
>>>> -Milind
>>>>
>>>>> Please note that opentaps is not at the same level of revision that ofbiz it
>>>>> there have been changes to security.
>>>>> there are examples in the
>>>>> framework/example
>>>>> and
>>>>> framework/exampleext
>>>>> I believe this to better tutorial
>>>>> since they work already.
>>>>>
>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>
>>>>>> BJ Freeman wrote:
>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>
>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>> hi,
>>>>>>>> Security Permissions
>>>>>>>> I am using ofbiz rev.79258
>>>>>>>> I want to understand how security works so I made the following
>>>>>>>> modifications to hello1
>>>>>>>> 1)I added base-permission="OFBTOOLS" to the ofbiz-component.xml
>>>>>>>> I could still see the application I was assuming the application would
>>>>>>>> ask me to login or prevent me from seeing the page.
>>>>>>>> 2)I added <security> to the main request
>>>>>>>> <request-map uri="main">
>>>>>>>>     <security https="false" auth="true"/>
>>>>>>>>     <response name="success" type="view" value="main"/>
>>>>>>>> </request-map>
>>>>>>>> This displays "java.lang.NullPointerException" in the browser.
>>>>>>>> How do permissions precedence work starting from the UI to the entity
>>>>>>>> layer.
>>>>>>>> Help appreciated.
>>>>>>>> Thanks
>>>>>>>> -Milind
>>>>>>>>
>>>>>>>> Here is the log
>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:159:WARN ] [RequestManager.getEventType] Type of event for request "checkLogin" not found
>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:146:WARN ] [RequestManager.getEventPath] Path of event for request "checkLogin" not found
>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:172:WARN ] [RequestManager.getEventMethod] Method of event for request "checkLogin" not found
>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ ControlServlet.java:205:ERROR]
>>>>>>>> ---- runtime exception report --------------------------------------------------
>>>>>>>> Error in request handler:
>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>> Message: null
>>>>>>>> ---- stack trace ---------------------------------------------------------------
>>>>>>>> java.lang.NullPointerException
>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>> --------------------------------------------------------------------------------
>>>>>>
>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
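Added example, not part of the original thread or of OFBiz: a small Python check for the failure in the quoted log, where auth="true" was set on a request before any checkLogin mapping with an event existed. The sample documents are constructed, the PLACEHOLDER view pages are not real paths, and treating the login mapping as required alongside checkLogin is an assumption taken from the working configuration at the top of this message.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the thread; PLACEHOLDER pages are not real paths.
BEFORE = """<site-conf>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <view-map name="main" type="screen" page="component://PLACEHOLDER#main"/>
</site-conf>"""

AFTER = BEFORE.replace("  <view-map", """  <request-map uri="checkLogin" edit="false">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="login">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <view-map name="login" type="screen" page="component://PLACEHOLDER#login"/>
  <view-map""", 1)

def lint_controller(xml_text):
    """Return sorted (finding, uri) pairs for one controller.xml document."""
    root = ET.fromstring(xml_text)
    maps = {rm.get("uri"): rm for rm in root.iter("request-map")}
    views = {vm.get("name") for vm in root.iter("view-map")}
    def flag(rm, attr):  # True when <security attr="true"> is present
        sec = rm.find("security")
        return sec is not None and sec.get(attr) == "true"
    findings = set()
    if any(flag(rm, "auth") for rm in maps.values()):
        # The log on this page shows checkLogin being looked up; login is assumed too.
        for uri in ("checkLogin", "login"):
            if uri not in maps or maps[uri].find("event") is None:
                findings.add(("missing-login-event", uri))
    for uri, rm in maps.items():
        if not flag(rm, "auth"):
            findings.add(("no-auth-required", uri))  # reachable without logging in
        if uri == "login" and not flag(rm, "https"):
            findings.add(("login-not-forced-https", uri))
        for resp in rm.findall("response"):
            if resp.get("type") == "view" and resp.get("value") not in views:
                findings.add(("undefined-view", uri))
    return sorted(findings)
```

Run `lint_controller` over the text of a webapp's controller.xml; the `no-auth-required` entries are a review list, not errors, since checkLogin and login must stay reachable before authentication.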