Hi all,
currently I'm struggling with the handling of digital download products. (Version is 1057550, but I would guess we will merge to current trunk very soon again.) The "normal" handling works fine: configuring the product, adding the content, buying, and downloading using the "downloadDigitalProduct" method works as intended.

But in my system the content is accessible using the "stream" URL (e.g. /content/control/stream?contentId=12231). So if somebody knows OFBiz, he might get access to all downloads by simply guessing the content IDs. There seems to be a way using a custom genericContentPermission service. But to be honest, for something like digital downloads I would guess there is a standard mechanism like the one in downloadDigitalProducts which protects these files in general, without writing a custom permission service (which I haven't discovered yet).

But if it's required to write a new one, are there any suggestions to get this working in an efficient way? I'm thinking of checking the ProductContentType to make sure the digital downloads are not served using the stream. But that sounds not very efficient to me, and it also leads to some leaks as soon as the configuration gets inconsistent (for some reason the ProductContent is removed, but not the Content and Resource entity). Not more secure, but also even slower: checking the OrderRoleAndProductContentInfo to make sure the user has the permission to get this content; but even then, I have to ensure it's a digital download content. My last idea: adding a custom attribute to the content when creating (uploading the file) the content. But that feels like a quick fix to me. Therefore I'm open to any suggestions.
Best Regards,
Guido Esch

direkt gruppe
networks direkt GmbH
Griegstraße 75, Haus 2
22763 Hamburg
Fon: +49 (40) 88155-0
Fax: +49 (40) 88155-5200
mailto:[hidden email]
www.direkt-gruppe.de
If you make sure the link can only be accessed by logged-in users, and the download is linked to a completed order, security should be fine?

On Mon, 2011-05-16 at 14:04 +0000, Esch, Guido wrote:
> But in my system the content is accessible using the "stream" URL (e.g. /content/control/stream?contentId=12231). So if somebody knows OFBiz, he might get access to all downloads by simply guessing the content IDs.

--
Ofbiz on twitter: http://twitter.com/apache_ofbiz
Myself on twitter: http://twitter.com/hansbak
Antwebsystems.com: Quality services for competitive rates.
Not exactly. The requirement might differ for the different types of content. For digital download content, you are right. For all other content types it should be accessible to anyone (e.g. the standard fancy Flash banner every shop needs).
On 17.05.2011 at 07:03, Hans Bakker wrote:
> If you make sure the link can only be accessed by logged-in users, and the download is linked to a completed order, security should be fine?

Kind regards,
Guido Esch

direkt gruppe
networks direkt GmbH
Hi Guido,
I am facing the same issue too, and am thinking about writing a custom service or modifying the current one. Could anybody who has the same issue help us or give an opinion?

best regards,
Johnson Chandra

On Tue, May 17, 2011 at 5:42 PM, Esch, Guido <[hidden email]> wrote:
> Not exactly. The requirement might differ for the different types of content. For digital download content, you are right. For all other content types it should be accessible to anyone (e.g. the standard fancy Flash banner every shop needs).
This isn't a very tough problem, it always has three parts:

1. authenticate the user
2. authorization that the user has access to the resource
3. if all is well, stream the resource to the client, otherwise blow up

The trick comes in #2 with what qualifies as authorization, and that will vary in different circumstances. Sometimes you just want to associate the user with an order, or with a content resource through an order, or with...

-David

On May 19, 2011, at 11:11 AM, MelonJaya wrote:
> I am facing the same issue too, and am thinking about writing a custom service or modifying the current one. Could anybody who has the same issue help us or give an opinion?
Hi, I was wondering if there were any hosting packages that might be affordable for first-time users. I don't want to take any site live, but I would still like to have it on the web for my son's and my testing purposes.

We have been long-time members of the xoops and impresscms community. We have live xoops, impress, drupal & prestashop sites on our little VPS. There is no way we will ever be able to run OFBiz with that VPS. So I figured I would ask about hosting and see what all you guys and gals say. Of course we have a test domain to use.

Thanks for your time in advance
Billy
I'm not sure I understand your question. Are you looking for hosting providers?

https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Service+Providers#ApacheOFBizServiceProviders-HostingProviders

Jacques

Bill Leftwich wrote:
> Hi, I was wondering if there were any hosting packages that might be affordable for first-time users.
In reply to this post by Esch, Guido
Hi Guido,
if the DataResource.isPublic flag is set to Y, then the system will not run the permission service and the resource will be available to all users. Otherwise the permission service will be executed before the resource is streamed back to the user.

As you have mentioned, the default permission service is genericContentPermission, but you can create a new custom one and use it in place of genericContentPermission by setting the following property:

    stream.permission.service

in applications/content/config/content.properties

My bet is that you will need to create your custom permission service, and it shouldn't be a difficult task because you can focus on your specific requirements and choose to only deal with them; I am sure you will get help/suggestions from this list if you need it. At this point my only suggestion is: before you start, make sure that your use cases are clear and well defined (what are the actors, what are the content types, and what are the rules to give actors access to content); as soon as you have them it will be easier to implement a service like:

    <service name="customContentPermission" engine="..." auth="true" location="..." invoke="customContentPermission">
        <description>Custom Content Permission Service</description>
        <implements service="permissionInterface"/>
        <attribute name="contentId" type="String" mode="IN" optional="true"/>
    </service>

In it you will receive (when the "stream" URI is hit) the "userLogin" object and the "contentId"; you will run your custom logic and then return the Boolean hasPermission field back.

I hope it helps,

Jacopo

On May 17, 2011, at 11:42 AM, Esch, Guido wrote:
> Not exactly. The requirement might differ for the different types of content. For digital download content, you are right. For all other content types it should be accessible to anyone (e.g. the standard fancy Flash banner every shop needs).
> > This electronic mail transmission contains confidential information intended only for the person(s) named. It is subject to the laws of mail secrecy and may be protected by legal privileges. Any use, distribution, copying or disclosure by another person is strictly prohibited without the consent of the sender. If this transmission has been received in error, you are kindly requested to delete it from your system and to contact the sender immediately. |
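As an added illustration of the service Jacopo sketches (example code written for this thread, not OFBiz code and not code posted by anyone in it): a Java class that the customContentPermission definition could point at via engine="java" and location. It fails closed: because the stream handler only calls the permission service for DataResources whose isPublic flag is not Y, the service grants access only when the caller's party placed a completed order containing a product that links to the content as a digital download, so a dangling Content without its ProductContent row (the inconsistency raised earlier in the thread) stays inaccessible. The class and helper names are assumptions, and the entity, field and id names (DIGITAL_DOWNLOAD, PLACING_CUSTOMER, ORDER_COMPLETED) plus the org.ofbiz package names and two-argument findByAnd are assumed to match the standard OFBiz data model and API of the thread's era.

```java
import java.util.List;
import java.util.Map;
import org.ofbiz.base.util.UtilMisc;
import org.ofbiz.base.util.UtilValidate;
import org.ofbiz.entity.Delegator;
import org.ofbiz.entity.GenericEntityException;
import org.ofbiz.entity.GenericValue;
import org.ofbiz.entity.util.EntityUtil;
import org.ofbiz.service.DispatchContext;
import org.ofbiz.service.ServiceUtil;

// Hypothetical class name; referenced from the service definition's location attribute.
public class CustomContentPermissionServices {

    // Implementation of permissionInterface: receives userLogin and contentId,
    // returns hasPermission. Only non-public DataResources reach this code, so
    // the default answer is "deny".
    public static Map<String, Object> customContentPermission(DispatchContext dctx, Map<String, Object> context) {
        Delegator delegator = dctx.getDelegator();
        GenericValue userLogin = (GenericValue) context.get("userLogin");
        String contentId = (String) context.get("contentId");
        boolean hasPermission = false;
        try {
            if (userLogin != null && UtilValidate.isNotEmpty(contentId)
                    && UtilValidate.isNotEmpty(userLogin.getString("partyId"))) {
                hasPermission = boughtDigitalDownload(delegator, userLogin.getString("partyId"), contentId);
            }
        } catch (GenericEntityException e) {
            // A lookup failure must never turn into an accidental grant.
            return ServiceUtil.returnError("Content permission check failed: " + e.getMessage());
        }
        Map<String, Object> result = ServiceUtil.returnSuccess();
        result.put("hasPermission", Boolean.valueOf(hasPermission));
        return result;
    }

    // True only if partyId is the placing customer of a completed order that contains
    // a product currently linked to contentId as a DIGITAL_DOWNLOAD. With the
    // ProductContent link removed, no product matches and access is denied.
    static boolean boughtDigitalDownload(Delegator delegator, String partyId, String contentId)
            throws GenericEntityException {
        List<GenericValue> links = EntityUtil.filterByDate(delegator.findByAnd("ProductContent",
                UtilMisc.toMap("contentId", contentId, "productContentTypeId", "DIGITAL_DOWNLOAD")));
        List<GenericValue> roles = delegator.findByAnd("OrderRole",
                UtilMisc.toMap("partyId", partyId, "roleTypeId", "PLACING_CUSTOMER"));
        for (GenericValue link : links) {
            for (GenericValue role : roles) {
                String orderId = role.getString("orderId");
                GenericValue header = delegator.findOne("OrderHeader", UtilMisc.toMap("orderId", orderId), false);
                if (header == null || !"ORDER_COMPLETED".equals(header.getString("statusId"))) {
                    continue; // unpaid, cancelled or still-open orders grant nothing
                }
                List<GenericValue> items = delegator.findByAnd("OrderItem",
                        UtilMisc.toMap("orderId", orderId, "productId", link.getString("productId")));
                if (!items.isEmpty()) {
                    return true;
                }
            }
        }
        return false;
    }
}
```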
Hi Jacopo,
thanks a lot for these details. I didn't realize the isPublic treatment for permission services. For non-public resources it sounds like a straightforward task getting this to work. Time to tweak the digital download admin screen services a bit to make sure the content is not public. Based on this I can follow your suggestions to get this done.

Best Regards,
Guido