Getting "The data should be encrypted by making it part of the request body instead of the request URL." errors in Back Office


cjhorton
Hi All,

I updated to the latest Trunk version yesterday and I am getting the following error message at various locations in the back office.  I get the same error message on Jacques's server: https://lamouline.myvnc.com:28443/webtools/control/main.

This one occurred in the Manufacturing Component when I try to perform any action on a Production Run (schedule, quick start, etc.). I get a similar message to the following depending on what I try to do.


The Following Errors Occurred:

Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [productionRunId] passed to secure (https) request-map with uri [quickStartAllProductionRunTasks] with an event that calls service [quickStartAllProductionRunTasks]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.


This occurred in the Order Component when I go into an order and in the Shipment Information tab I select "New Shipment for Ship Group [00001]".


The Following Errors Occurred:

Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [statusId] passed to secure (https) request-map with uri [createShipment] with an event that calls service [createShipment]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.

Here is the log section of the errors:

2009-03-25 17:28:50,107 (http-0.0.0.0-8443-4) [ ModelForm.java:1363:INFO ] preparePager: Found rows = -1
2009-03-25 17:28:50,165 (http-0.0.0.0-8443-4) [ ControlServlet.java:299:INFO ] [[[ShowProductionRun] Request Done- total:0.842,since last([ShowProductionRu...):0.842]]
2009-03-25 17:28:58,054 (http-0.0.0.0-8443-4) [ ControlServlet.java:130:INFO ] [[[quickChangeProductionRunStatus] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
2009-03-25 17:28:58,058 (http-0.0.0.0-8443-4) [ServiceEventHandler.java:271:ERROR] =============== Found URL parameter [productionRunId] passed to secure (https) request-map with uri [quickChangeProductionRunStatus] with an event that calls service [quickChangeProductionRunStatus]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.; In session [EB208FE8F2D2ECA295F2AB3A3568FA8E.jvm1]
2009-03-25 17:28:58,059 (http-0.0.0.0-8443-4) [ RequestHandler.java:379:ERROR] Request quickChangeProductionRunStatus caused an error with the following message: Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [productionRunId] passed to secure (https) request-map with uri [quickChangeProductionRunStatus] with an event that calls service [quickChangeProductionRunStatus]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.
2009-03-25 17:28:58,060 (http-0.0.0.0-8443-4) [ RequestHandler.java:649:INFO ] Rendering View [ProductionRunDeclaration], sessionId=EB208FE8F2D2ECA295F2AB3A3568FA8E.jvm1
2009-03-25 17:28:58,405 (http-0.0.0.0-8443-4) [ ModelForm.java:1345:INFO ] preparePager: low - high = 0 - 20
2009-03-25 17:28:58,406 (http-0.0.0.0-8443-4) [ ModelForm.java:1363:INFO ] preparePager: Found rows = -1
2009-03-25 17:28:58,407 (http-0.0.0.0-8443-4) [ ModelForm.java:1345:INFO ] preparePager: low - high = 0 - 20
2009-03-25 17:28:58,408 (http-0.0.0.0-8443-4) [ ModelForm.java:1363:INFO ] preparePager: Found rows = 0
2009-03-25 17:28:58,432 (http-0.0.0.0-8443-4) [ ModelForm.java:1345:INFO ] preparePager: low - high = 0 - 20
2009-03-25 17:28:58,434 (http-0.0.0.0-8443-4) [ ModelForm.java:1363:INFO ] preparePager: Found rows = 2
2009-03-25 17:28:58,509 (http-0.0.0.0-8443-4) [ ModelForm.java:1345:INFO ] preparePager: low - high = 0 - 20
2009-03-25 17:28:58,510 (http-0.0.0.0-8443-4) [ ModelForm.java:1363:INFO ] preparePager: Found rows = -1
2009-03-25 17:28:58,538 (http-0.0.0.0-8443-4) [ ControlServlet.java:299:INFO ] [[[quickChangeProductionRunStatus] Request Done- total:0.484,since last([quickChangeProdu...):0.484]]
2009-03-25 17:29:04,098 (http-0.0.0.0-8443-4) [ ControlServlet.java:130:INFO ] [[[quickStartAllProductionRunTasks] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
2009-03-25 17:29:04,119 (http-0.0.0.0-8443-4) [ ConfigXMLReader.java:118:INFO ] controller loaded: 0.0020s, 15 requests, 13 views in file:/home/cjhorton/development/ofbiz/framework/common/webcommon/WEB-INF/common-controller.xml
2009-03-25 17:29:04,123 (http-0.0.0.0-8443-4) [ ConfigXMLReader.java:118:INFO ] controller loaded: 0.013s, 146 requests, 69 views in jndi:/0.0.0.0/manufacturing/WEB-INF/controller.xml
2009-03-25 17:29:04,136 (http-0.0.0.0-8443-4) [ServiceEventHandler.java:271:ERROR] =============== Found URL parameter [productionRunId] passed to secure (https) request-map with uri [quickStartAllProductionRunTasks] with an event that calls service [quickStartAllProductionRunTasks]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.; In session [EB208FE8F2D2ECA295F2AB3A3568FA8E.jvm1]
2009-03-25 17:29:04,136 (http-0.0.0.0-8443-4) [ RequestHandler.java:379:ERROR] Request quickStartAllProductionRunTasks caused an error with the following message: Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [productionRunId] passed to secure (https) request-map with uri [quickStartAllProductionRunTasks] with an event that calls service [quickStartAllProductionRunTasks]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.
2009-03-25 17:29:04,137 (http-0.0.0.0-8443-4) [ RequestHandler.java:649:INFO ] Rendering View [ProductionRunDeclaration], sessionId=EB208FE8F2D2ECA295F2AB3A3568FA8E.jvm1
2009-03-25 17:29:04,160 (http-0.0.0.0-8443-4) [ ScreenFactory.java:129:INFO ] Got 13 screens in 0.017s from: file:/home/cjhorton/development/ofbiz/applications/manufacturing/widget/manufacturing/JobshopScreens.xml
2009-03-25 17:29:04,232 (http-0.0.0.0-8443-4) [ ScreenFactory.java:129:INFO ] Got 1 screens in 0.01s from: file:/home/cjhorton/development/ofbiz/applications/manufacturing/widget/manufacturing/CommonScreens.xml
2009-03-25 17:29:04,248 (http-0.0.0.0-8443-4) [ ScreenFactory.java:129:INFO ] Got 1 screens in 0.01s from: file:/home/cjhorton/development/ofbiz/applications/commonext/widget/CommonScreens.xml
2009-03-25 17:29:04,292 (http-0.0.0.0-8443-4) [ ScreenFactory.java:129:INFO ] Got 22 screens in 0.015s from: file:/home/cjhorton/development/ofbiz/framework/common/widget/CommonScreens.xml
2009-03-25 17:29:04,580 (http-0.0.0.0-8443-4) [ ModelForm.java:1345:INFO ] preparePager: low - high = 0 - 20
2009-03-25 17:29:04,581 (http-0.0.0.0-8443-4) [ ModelForm.java:1363:INFO ] preparePager: Found rows = -1
2009-03-25 17:29:04,611 (http-0.0.0.0-8443-4) [ ModelForm.java:1345:INFO ] preparePager: low - high = 0 - 20
2009-03-25 17:29:04,612 (http-0.0.0.0-8443-4) [ ModelForm.java:1363:INFO ] preparePager: Found rows = 0
2009-03-25 17:29:04,614 (http-0.0.0.0-8443-4) [ ModelForm.java:1345:INFO ] preparePager: low - high = 0 - 20
2009-03-25 17:29:04,614 (http-0.0.0.0-8443-4) [ ModelForm.java:1363:INFO ] preparePager: Found rows = 2
2009-03-25 17:29:04,678 (http-0.0.0.0-8443-4) [ ModelForm.java:1345:INFO ] preparePager: low - high = 0 - 20
2009-03-25 17:29:04,679 (http-0.0.0.0-8443-4) [ ModelForm.java:1363:INFO ] preparePager: Found rows = -1
2009-03-25 17:29:04,716 (http-0.0.0.0-8443-4) [ ControlServlet.java:299:INFO ] [[[quickStartAllProductionRunTasks] Request Done- total:0.618,since last([quickStartAllPro...):0.618]]
2009-03-25 17:32:09,018 (http-0.0.0.0-8443-4) [ ControlServlet.java:130:INFO ] [[[changeProductionRunTaskStatus] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
2009-03-25 17:32:09,041 (http-0.0.0.0-8443-4) [ ConfigXMLReader.java:118:INFO ] controller loaded: 0.0s, 15 requests, 13 views in file:/home/cjhorton/development/ofbiz/framework/common/webcommon/WEB-INF/common-controller.xml
2009-03-25 17:32:09,048 (http-0.0.0.0-8443-4) [ ConfigXMLReader.java:118:INFO ] controller loaded: 0.017s, 146 requests, 69 views in jndi:/0.0.0.0/manufacturing/WEB-INF/controller.xml
2009-03-25 17:32:09,053 (http-0.0.0.0-8443-4) [ServiceEventHandler.java:271:ERROR] =============== Found URL parameter [productionRunId] passed to secure (https) request-map with uri [changeProductionRunTaskStatus] with an event that calls service [changeProductionRunTaskStatus]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.; In session [EB208FE8F2D2ECA295F2AB3A3568FA8E.jvm1]
2009-03-25 17:32:09,054 (http-0.0.0.0-8443-4) [ RequestHandler.java:379:ERROR] Request changeProductionRunTaskStatus caused an error with the following message: Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [productionRunId] passed to secure (https) request-map with uri [changeProductionRunTaskStatus] with an event that calls service [changeProductionRunTaskStatus]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.
2009-03-25 17:32:09,054 (http-0.0.0.0-8443-4) [ RequestHandler.java:649:INFO ] Rendering View [ProductionRunDeclaration], sessionId=EB208FE8F2D2ECA295F2AB3A3568FA8E.jvm1
2009-03-25 17:32:09,084 (http-0.0.0.0-8443-4) [ ScreenFactory.java:129:INFO ] Got 13 screens in 0.023s from: file:/home/cjhorton/development/ofbiz/applications/manufacturing/widget/manufacturing/JobshopScreens.xml
2009-03-25 17:32:09,256 (http-0.0.0.0-8443-4) [ ScreenFactory.java:129:INFO ] Got 1 screens in 0.01s from: file:/home/cjhorton/development/ofbiz/applications/manufacturing/widget/manufacturing/CommonScreens.xml
2009-03-25 17:32:09,281 (http-0.0.0.0-8443-4) [ ScreenFactory.java:129:INFO ] Got 1 screens in 0.01s from: file:/home/cjhorton/development/ofbiz/applications/commonext/widget/CommonScreens.xml
2009-03-25 17:32:09,325 (http-0.0.0.0-8443-4) [ ScreenFactory.java:129:INFO ] Got 22 screens in 0.014s from: fil

I figured I would post it while I start examining what is going on.

Thanks,

CJ
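
Added example (not part of the original post and not OFBiz code): one way to reduce a log like the one above to the list of request-maps that rejected a URL parameter, including the ">"-quoted, re-wrapped form a mail client produces. The function names are hypothetical and the sample lines are constructed from the shape of the entries above, with the session id replaced by a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample: the first three entries are single-line, the last two
# are quoted and re-wrapped the way a mail client would forward them.
SAMPLE_LOG = """\
2009-03-25 17:28:58,054 (http-0.0.0.0-8443-4) [ ControlServlet.java:130:INFO ] [[[quickChangeProductionRunStatus] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
2009-03-25 17:28:58,058 (http-0.0.0.0-8443-4) [ServiceEventHandler.java:271:ERROR] =============== Found URL parameter [productionRunId] passed to secure (https) request-map with uri [quickChangeProductionRunStatus] with an event that calls service [quickChangeProductionRunStatus]; this is not allowed for security reasons!; In session [SESSION-PLACEHOLDER]
2009-03-25 17:28:58,059 (http-0.0.0.0-8443-4) [ RequestHandler.java:379:ERROR] Request quickChangeProductionRunStatus caused an error with the following message: Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [productionRunId] passed to secure (https) request-map with uri [quickChangeProductionRunStatus] with an event that calls service [quickChangeProductionRunStatus]; this is not allowed for security reasons!
> 2009-03-25 17:29:04,136 (http-0.0.0.0-8443-4)
> [ServiceEventHandler.java:271:ERROR] =============== Found URL
> parameter
> [productionRunId] passed to secure (https) request-map with uri
> [quickStartAllProductionRunTasks] with an event that calls service
> [quickStartAllProductionRunTasks]; this is not allowed for security
> reasons!
> 2009-03-25 17:29:04,136 (http-0.0.0.0-8443-4) [
> RequestHandler.java:379:ERROR] Request quickStartAllProductionRunTasks
> caused an error with the following message: Error calling event:
> org.ofbiz.webapp.event.EventHandlerException: Found URL parameter
> [productionRunId] passed to secure (https) request-map with uri
> [quickStartAllProductionRunTasks] with an event that calls service
> [quickStartAllProductionRunTasks]; this is not allowed for security
> reasons!
"""

# A new log entry starts with a timestamp such as "2009-03-25 17:28:58,058 ".
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
# "<date> <time> (<thread>) [ <File.java>:<line>:<LEVEL> ] <message>"
HEADER = re.compile(
    r"^(?P<ts>\S+ \S+) \((?P<thread>[^)]+)\)\s*"
    r"\[\s*(?P<src>[\w.]+):\s*(?P<line>\d+):(?P<level>\w+)\s*\]\s*(?P<msg>.*)$"
)
# The rejection message exactly as it appears in the log above.
VIOLATION = re.compile(
    r"Found URL parameter \[(?P<param>[^\]]+)\] passed to secure \(https\) "
    r"request-map with uri \[(?P<uri>[^\]]+)\] "
    r"with an event that calls service \[(?P<service>[^\]]+)\]"
)


def iter_entries(text):
    """Yield one whitespace-normalised string per log entry.

    Strips leading '>' quote markers and joins wrapped continuation lines,
    so single-line and mail-wrapped logs are parsed the same way.
    """
    current = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if not line:
            continue
        if ENTRY_START.match(line) and current:
            yield " ".join(" ".join(current).split())
            current = []
        current.append(line)
    if current:
        yield " ".join(" ".join(current).split())


def summarise_rejections(text):
    """Return one record per (uri, service) that rejected a URL parameter.

    Each rejection is logged twice (ServiceEventHandler, then RequestHandler),
    so only the ServiceEventHandler entry is counted.
    """
    found = defaultdict(lambda: {"params": set(), "count": 0})
    for entry in iter_entries(text):
        head = HEADER.match(entry)
        if not head or head["level"] != "ERROR":
            continue
        hit = VIOLATION.search(head["msg"])
        if not hit:
            continue
        rec = found[(hit["uri"], hit["service"])]
        rec["params"].add(hit["param"])
        if head["src"] == "ServiceEventHandler.java":
            rec["count"] += 1
    return [
        {"uri": uri, "service": svc,
         "params": sorted(rec["params"]), "count": rec["count"]}
        for (uri, svc), rec in sorted(found.items())
    ]


if __name__ == "__main__":
    for row in summarise_rejections(SAMPLE_LOG):
        print(f'{row["uri"]}: params={row["params"]} rejections={row["count"]}')
```
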
Re: Getting "The data should be encrypted by making it part of the request body instead of the request URL." errors in Back Office

Jacques Le Roux
Administrator
I should work on this soon, in a global way. It's related to https://issues.apache.org/jira/browse/OFBIZ-2243

I began but it's still a WIP

Jacques

Re: Getting "The data should be encrypted by making it part of the request body instead of the request URL." errors in Back Office

David E Jones-3
In reply to this post by cjhorton

The error message pretty much says it all: the request passed
parameters in the URL that are not allowed in the URL because they are
insecure, i.e. they should be passed in form fields which are in the
message body which are secure.

Quite a bit of discussion has gone on related to this, including  
notification of the change and such. It is not a bug so much as older  
code that needs to be updated to be more secure, because of a new  
security policy we are trying to more strictly enforce.

The most valuable feedback you can offer, and what is unfortunately  
missing in this message, is each page that has links that are like  
this. For example, you mention the manufacturing component, but which  
requests? What does your browser have in the URL box on the page with  
the bad link in it? Also, what is the URL of the link itself that is bad?

Those things will help us find and fix these quickly. It really only  
takes a few minutes for each one.

On a more technical note: at this point all such problems should be in  
links that are manually coded in FTL files. All links in widget XML  
files should be handled at this point (with possible exceptions, but  
these should be more rare).

Anyway, what we need is URLs!

-David


> 2009-03-25 17:32:09,256 (http-0.0.0.0-8443-4) [ ScreenFactory.java:
> 129:INFO
> ] Got 1 screens in 0.01s from:
> file:/home/cjhorton/development/ofbiz/applications/manufacturing/
> widget/manufacturing/CommonScreens.xml
> 2009-03-25 17:32:09,281 (http-0.0.0.0-8443-4) [ ScreenFactory.java:
> 129:INFO
> ] Got 1 screens in 0.01s from:
> file:/home/cjhorton/development/ofbiz/applications/commonext/widget/
> CommonScreens.xml
> 2009-03-25 17:32:09,325 (http-0.0.0.0-8443-4) [ ScreenFactory.java:
> 129:INFO
> ] Got 22 screens in 0.014s from: fil
>
> I figured I would post it while I start examining what is going on.
>
> Thanks,
>
> CJ
> --
> View this message in context: http://www.nabble.com/Getting-%22The-data-should-be-encrypted-by-making-it-part-of-the-request-body-instead-of-the-request-URL.%22-errors-in-Back-Office-tp22712428p22712428.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
>
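The rejection records quoted in this thread can be extracted from a mail-wrapped log mechanically, which gives one line per affected request-map to report. This is an added example, not part of the original posts or of OFBiz; the sample log is constructed in the thread's format (the 17:40 and 17:41 records are invented), and the function names `unwrap` and `rejected_requests` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: OFBiz log records as they appear in this thread, hard-wrapped
# by the mail client and prefixed with ">" / ">>" quote markers.
SAMPLE = """\
> 2009-03-25 17:32:09,018 (http-0.0.0.0-8443-4) [ ControlServlet.java:
> 130:INFO
> ] [[[changeProductionRunTaskStatus] Request Begun, encoding=[UTF-8]-
> 2009-03-25 17:32:09,053 (http-0.0.0.0-8443-4)
> [ServiceEventHandler.java:271:ERROR] =============== Found URL
> parameter
> [productionRunId] passed to secure (https) request-map with uri
> [changeProductionRunTaskStatus] with an event that calls service
> [changeProductionRunTaskStatus]; this is not allowed for security
> reasons!
> 2009-03-25 17:32:09,054 (http-0.0.0.0-8443-4) [
> RequestHandler.java:379:ERROR] Request changeProductionRunTaskStatus
> caused an error with the following message: Found URL parameter
> [productionRunId] passed to secure (https) request-map with uri
> [changeProductionRunTaskStatus] with an event that calls service
> [changeProductionRunTaskStatus]; this is not allowed
>> 2009-03-25 17:40:11,200 (http-0.0.0.0-8443-2)
>> [ServiceEventHandler.java:271:ERROR] =============== Found URL parameter
>> [statusId] passed to secure (https) request-map with uri
>> [createShipment] with an event that calls service [createShipment]; this is
>> not allowed for security reasons!
>> 2009-03-25 17:41:02,007 (http-0.0.0.0-8443-2)
>> [ServiceEventHandler.java:271:ERROR] =============== Found URL parameter
>> [primaryOrderId] passed to secure (https) request-map with uri
>> [createShipment] with an event that calls service [createShipment]; this is
>> not allowed for security reasons!
"""

QUOTE = re.compile(r"^\s*(?:>\s?)+")          # one or more levels of mail quoting
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\b")
HEADER = re.compile(
    r"^(?P<ts>\S+ \S+) \((?P<thread>[^)]*)\) "
    r"\[\s*(?P<cls>\w+)\.java:\s*(?P<line>\d+):\s*(?P<level>\w+)\s*\]\s*(?P<msg>.*)$"
)
REJECTION = re.compile(
    r"Found URL parameter \[(?P<param>[^\]]+)\] passed to secure \(https\) "
    r"request-map with uri \[(?P<uri>[^\]]+)\] with an event that calls "
    r"service \[(?P<service>[^\]]+)\]"
)


def unwrap(text):
    """Strip quote markers and rejoin wrapped lines into one string per record."""
    records = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)           # a timestamp opens a new record
        else:
            records[-1] += " " + line      # anything else continues the last one
    # Joining with a space is lossy for tokens split mid-word (file paths),
    # but the rejection message only ever wraps at spaces.
    return [re.sub(r"\s+", " ", r) for r in records]


def rejected_requests(text):
    """Map each rejected request-map uri to its service, parameters and hit count."""
    report = defaultdict(lambda: {"service": None, "params": set(), "hits": 0})
    for record in unwrap(text):
        head = HEADER.match(record)
        # RequestHandler repeats the same message a millisecond later, so count
        # only the record written by the class that made the decision.
        if not head or head["cls"] != "ServiceEventHandler" or head["level"] != "ERROR":
            continue
        hit = REJECTION.search(head["msg"])
        if hit:
            entry = report[hit["uri"]]
            entry["service"] = hit["service"]
            entry["params"].add(hit["param"])
            entry["hits"] += 1
    return {uri: {**e, "params": sorted(e["params"])} for uri, e in sorted(report.items())}


if __name__ == "__main__":
    for uri, info in rejected_requests(SAMPLE).items():
        print(uri, info)
```

Each logged rejection names only one parameter, so the `params` list for a uri grows as more of its links are exercised.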


Re: Getting "The data should be encrypted by making it part of the request body instead of the request URL." errors in Back Office

cjhorton
David,

What you said makes perfect sense and is a very reasonable request.  I will
try and think more along these lines when I make posts like this.  Since
there could be quite a few of these, is there a preferred place/method to
post them?

I went ahead and listed the ones I found in the Manufacturing Component
below.

I hope this format is sufficient.  If there is a more recommended way to
list these please let me know.  Or if I should post them elsewhere please
let me know.

Page: (Show and Edit yield same issue)

https://localhost:8443/manufacturing/control/ShowProductionRun?productionRunId=10000
https://localhost:8443/manufacturing/control/EditProductionRun?productionRunId=10000

Links:

https://localhost:8443/manufacturing/control/scheduleProductionRun?productionRunId=10000&statusId=PRUN_SCHEDULED


https://localhost:8443/manufacturing/control/changeProductionRunStatusToPrinted?productionRunId=10000

https://localhost:8443/manufacturing/control/quickChangeProductionRunStatus?productionRunId=10000&statusId=PRUN_COMPLETED

https://localhost:8443/manufacturing/control/quickChangeProductionRunStatus?productionRunId=10000&statusId=PRUN_CLOSED

https://localhost:8443/manufacturing/control/cancelProductionRun?productionRunId=10000

Page:

https://localhost:8443/manufacturing/control/ProductionRunTasks?productionRunId=10000

Links:

https://localhost:8443/manufacturing/control/deleteProductionRunRoutingTask?workEffortId=10001&productionRunId=10000

Page:

https://localhost:8443/manufacturing/control/ProductionRunComponents?productionRunId=10000

Links:

https://localhost:8443/manufacturing/control/deleteProductionRunComponent?workEffortId=10001&fromDate=2009-03-25%2018:17:52.023&productId=ETH_BRAND&workEffortGoodStdTypeId=PRUNT_PROD_NEEDED&productionRunId=10000

Page:

https://localhost:8443/manufacturing/control/ProductionRunFixedAssets?productionRunId=10000

Links:

https://localhost:8443/manufacturing/control/removeWorkEffortFixedAssetAssign?workEffortId=10001&fixedAssetId=DEMO_MACHINE_GROUP&fromDate=2009-03-25%2018:17:50.858&productionRunId=10000

Page:

https://localhost:8443/manufacturing/control/EditRoutingTaskAssoc?workEffortId=10010

Links:

https://localhost:8443/manufacturing/control/RemoveRoutingTaskAssoc?workEffortId=10010&workEffortIdFrom=10010&workEffortIdTo=TASK01&fromDate=2009-03-26%2013:55:55.447&workEffortAssocTypeId=ROUTING_COMPONENT

Page:

https://localhost:8443/manufacturing/control/EditRoutingProductLink?workEffortId=10010

Links:

https://localhost:8443/manufacturing/control/removeRoutingProductLink?workEffortId=10010&productId=PC001&fromDate=2009-03-26%2013:55:27.000&workEffortGoodStdTypeId=ROU_PROD_TEMPLATE

Page:

https://localhost:8443/manufacturing/control/FindCalendar

Links:

https://localhost:8443/manufacturing/control/RemoveCalendar?calendarId=DEFAULT

Page:

https://localhost:8443/manufacturing/control/ListCalendarWeek

Links:

https://localhost:8443/manufacturing/control/RemoveCalendarWeek?calendarWeekId=DEFAULT

Page:

https://localhost:8443/manufacturing/control/EditCostCalcs

Links:

https://localhost:8443/manufacturing/control/removeCostComponentCalc?costComponentCalcId=EXAMPLE_COST

Re: Getting "The data should be encrypted by making it part of the request body instead of the request URL." errors in Back Office

David E Jones-3

That's great, CJay, thanks for submitting those.

Either here or on the dev mailing list is fine, and the format you've  
used below is fine as well.

-David


On Mar 26, 2009, at 1:01 PM, CJay Horton wrote:



Re: Getting "The data should be encrypted by making it part of the request body instead of the request URL." errors in Back Office

cjhorton

Re: Getting "The data should be encrypted by making it part of the request body instead of the request URL." errors in Back Office

Jacques Le Roux
Administrator
Thanks CJay,

I have created a Jira issue which will allow us to know which links have been changed.
Please post the links you find there and follow the "procedure"
https://issues.apache.org/jira/browse/OFBIZ-2256

Jacques

From: "CJay Horton" <[hidden email]>


Re: Getting "The data should be encrypted by making it part of the request body instead of the request URL." errors in Back Office

Jacques Le Roux
Administrator
In reply to this post by Jacques Le Roux
Done for XML files at r759700

Jacques

From: "Jacques Le Roux" <[hidden email]>

> I should work soon on this in a global way. It's related to https://issues.apache.org/jira/browse/OFBIZ-2243
>
> I began but it's still a WIP
>
> Jacques
>
> From: "cjhorton" <[hidden email]>



Re: Getting "The data should be encrypted by making it part of the request body instead of the request URL." errors in Back Office

rohit
In reply to this post by Jacques Le Roux
Hi,

There are a few more URLs which have the same problem. I see that the JIRA issue 2256 has been closed so I am pasting the URL here:

https://www.example.com/catalog/control/RemoveFeatureFromProduct?productId=11001&productFeatureId=10165&fromDate=2003-11-20%2013:50:07.796

I am using the latest SVN #763884.

Rohit


jacques.le.roux wrote
Thanks CJay,

I have created a Jira issue which will allow us to know which links have been changed.
Please post the links you find there and follow the "procedure"
https://issues.apache.org/jira/browse/OFBIZ-2256

Jacques

From: "CJay Horton" <jayhorton@gmail.com>
> Here are some more as of 758871:
>
> Page:
>
> https://localhost:8443/ecommerce/control/orderstatus?orderId=WSCO10001
>
> Links:
>
> https://localhost:8443/ecommerce/control/cancelOrderItem?orderItemSeqId=00003
>
> Page:
>
> https://localhost:8443/ecommerce/control/updatePostalAddress
>
> Links:
>
> https://localhost:8443/ecommerce/control/createPartyContactMechPurpose?contactMechId=10003&useValues=true
>
> Page:
>
> https://localhost:8443/ecommerce/control/viewprofile
>
> Links:
>
> https://localhost:8443/ecommerce/control/setprofiledefault/viewprofile?productStoreId=9000&defaultPayMeth=10001&partyId=10000
>
> https://localhost:8443/ecommerce/control/deleteCustomerTaxAuthInfo?partyId=10000&taxAuthPartyId=ON_TAXMAN&taxAuthGeoId=ON&fromDate=2009-03-26%2017:48:43.350
>
> https://localhost:8443/ecommerce/control/readmessage?communicationEventId=10001
>
> Page:
>
> https://localhost:8443/ecommerce/control/messagelist?showSent=true
>
> Links:
>
> https://localhost:8443/ecommerce/control/readmessage?communicationEventId=10000
>
> Page:
>
> https://localhost:8443/ordermgr/control/orderview?orderId=WSCO10000
>
> Links:
>
> https://localhost:8443/facility/control/createShipment?primaryOrderId=WSCO10000&primaryShipGroupSeqId=00001&statusId=SHIPMENT_INPUT&originFacilityId=WebStoreWarehouse&externalLoginKey=EL830506554502
>


Re: Getting "The data should be encrypted by making it part of the request body instead of the request URL." errors in Back Office

Jacques Le Roux
Administrator
Please use https://issues.apache.org/jira/browse/OFBIZ-2260 for report (Jira is unavailable currently)

Jacques

From: "rohit2006" <[hidden email]>
