Multiple logins needed


Multiple logins needed

Scott.
Hello all,

I was seeing what we thought was strange behavior in our ofbiz that kept making us log in over and over without any real reason. I have had the same thing using FF3 and IE7 on an XP pro sp2 workstation. It never seems to be the same apps that require you to re-enter so I always put it down to something in our version. Then I decided to try it on the trunk demo and I got the same result.

I logged in originally to the catalogue then work effort, project and then I clicked on order manager. I then got a login screen and I entered admin/ofbiz and got the following:

The Following Errors Occurred:

Error calling event: org.ofbiz.webapp.event.EventHandlerException: Problems processing event: java.lang.IllegalArgumentException: Could not find resource bundle [SecurityextUiLabels] in the locale [en_US] (Could not find resource bundle [SecurityextUiLabels] in the locale [en_US])
 
I then logged in again with the same admin/ofbiz combo and was back in the app.

Anyone know why this is happening? Thanks.

Re: Multiple logins needed

Jacques Le Roux
Administrator
I tried on alternate server and got any problems (Release.revision : trunk.751084)

Jacques


Re: Multiple logins needed

Vince Clark
This problem has been reported many times. It is mysterious, but definitely real.

----- Original Message -----
From: "Jacques Le Roux" <[hidden email]>
To: [hidden email]
Sent: Saturday, March 7, 2009 3:41:36 AM (GMT-0700) America/Denver
Subject: Re: Multiple logins needed

I tried on alternate server and got any problems (Release.revision : trunk.751084)

Jacques


Re: Multiple logins needed

Scott.
In reply to this post by Scott.
I'm glad it's real because I was starting to think I was nuts. I have tried many times to track it down but never seems to be the same way twice. Tried different browsers but that's not it. Had the same issue with Vista, XP Pro and 2003. Every now and then it just asks me for user/pass. It can be 5 minutes of no use or 5 seconds. That said, I don't always get the error. This is something fairly new and I am a user not a developer so I really don't know what it means.



Re: Multiple logins needed

Jacques Le Roux
Administrator
Thanks to both for confirmation. Hans reported it some time ago, and I saw it too.
That's why I tested but I did not reproduce. It's a random bug I guess, hard to trace... We will see anyway...

Jacques


Re: Multiple logins needed

BJ Freeman
to track this down take a look in the URL for something like
externalLoginKey=EL82824678935
if so then should login
if not then need to track back where someone was when they clicked to go
to the place where the login happened.

Just a thought

Jacques Le Roux sent the following on 3/7/2009 8:51 AM:

> Thanks to both for confirmation. Hans reported it some time ago, and I
> saw it too.
> That's why I tested but I did not reproduce. It's a random bug I guess,
> hard to trace... We will see anyway...
>
> Jacques

Re: Multiple logins needed

Vince Clark
Here is the only thing I have seen come up in the log so far. I was in the CMS application and clicked on the Party tab. I got a login screen instead of being logged into PartyMgr automatically. The URL had the external login key. Here is the only line I found in the log that seems related:

2009-03-08 13:48:19,806 (http-0.0.0.0-8443-3) [ LoginWorker.java:828:WARN ] Could not find userLogin for external login key: EL339616443508

----- Original Message -----
From: "BJ Freeman" <[hidden email]>
To: [hidden email]
Sent: Saturday, March 7, 2009 6:38:23 PM (GMT-0700) America/Denver
Subject: Re: Multiple logins needed

to track this down take a look in the URL for something like
externalLoginKey=EL82824678935
if so then should login
if not then need to track back where someone was when they clicked to go
to the place where the login happened.

Just a thought


Re: Multiple logins needed

David E Jones-3

You may be describing a well known issue, and one that is part of the
way the externalLoginKey works (so it is not likely to change). The
externalLoginKey allows you to automatically login to another webapp
without a username/password. In order to do this a new login key is
generated with EVERY request to the server in order to keep its life
cycle pretty short. As long as it is on a secure/https page when it
goes to the browser it is pretty safe, but it generally comes back to
the server in a URL and so needs to be invalidated immediately so that
it cannot be used again, as that is pretty easy to snoop.

So, to make it not work is easy: just have a page open in your browser
that has a stale externalLoginKey in its URLs.

1. load a page where you are authenticated in tab/window A
2. right click on a link within the webapp and open it in tab/window B
3. go back to tab/window A and click on any link that goes to a webapp  
that you are not already logged into and that has an externalLoginKey  
parameter

The externalLoginKey will be stale, so that auto-login will fail and  
you will be presented with the login form.

-David


On Mar 8, 2009, at 1:30 PM, Vince M. Clark wrote:

> Here is the only thing I have seen come up in the log so far. I was
> in the CMS application and clicked on the Party tab. I got a login
> screen instead of being logged into PartyMgr automatically. The URL
> had the external login key. Here is the only line I found in the log
> that seems related:
>
> 2009-03-08 13:48:19,806 (http-0.0.0.0-8443-3) [ LoginWorker.java:
> 828:WARN ] Could not find userLogin for external login key:
> EL339616443508

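The stale-key sequence David describes above, as an added example that is not part of the original thread and is not OFBiz code: a simplified Python model that assumes one live key per session, replaced on every request and consumed on first use. The class and function names, the session id and the `secrets`-based key format are assumptions made for illustration.

```python
import secrets


class ExternalLoginKeyModel:
    """Simplified model of the externalLoginKey behaviour described in the
    thread. Illustrative only: names and data structures are assumptions,
    not OFBiz's implementation."""

    def __init__(self):
        self._live = {}      # live key -> (session id, user login id)
        self._current = {}   # session id -> that session's current key

    def serve_request(self, session_id, user):
        """Handle one authenticated request: retire the session's previous
        key and issue the key embedded in the links of the rendered page."""
        old = self._current.pop(session_id, None)
        if old is not None:
            self._live.pop(old, None)
        key = "EL" + secrets.token_hex(8)  # constructed format, not OFBiz's
        self._live[key] = (session_id, user)
        self._current[session_id] = key
        return key

    def auto_login(self, key):
        """Another webapp receives ?externalLoginKey=<key>. The key is
        removed on lookup, so it works at most once. Returns the user, or
        None when the caller has to fall back to the login form."""
        entry = self._live.pop(key, None)
        if entry is None:
            return None
        session_id, user = entry
        if self._current.get(session_id) == key:
            del self._current[session_id]
        return user


def two_tab_scenario():
    """Replay the three steps from the post and return each outcome."""
    server = ExternalLoginKeyModel()
    session = "session-1"  # constructed session id

    # 1. Tab A loads a page; its links carry key_a.
    key_a = server.serve_request(session, "admin")
    # 2. A link from tab A is opened in tab B: a new request, so a new key.
    key_b = server.serve_request(session, "admin")
    # 3. Back in tab A, a cross-webapp link still carries key_a.
    stale = server.auto_login(key_a)
    # The same jump made from tab B uses the current key and succeeds ...
    fresh = server.auto_login(key_b)
    # ... but a key that has appeared in a URL cannot be presented again.
    replay = server.auto_login(key_b)
    return {"tab_a": stale, "tab_b": fresh, "replay": replay,
            "keys_differ": key_a != key_b}


if __name__ == "__main__":
    for name, outcome in two_tab_scenario().items():
        print(f"{name}: {outcome}")
```

A `None` result for `tab_a` is the case where the user sees the login form, and it matches the "Could not find userLogin for external login key" warning quoted from the log.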

Re: Multiple logins needed

BJ Freeman
My reason for mentioning the externalLoginKey was to see if a link that
asks for login did not have it.
but thanks for the explanation.
should go in the FAQ's LOL


David E Jones sent the following on 3/8/2009 1:25 PM:

>
> You may be describing a well known issue, and one that is part of the
> way the externalLoginKey works (so it is not likely to change). The
> externalLoginKey allows you to automatically login to another webapp
> without a username/password. In order to do this a new login key is
> generated with EVERY request to the server in order to keep it's life
> cycle pretty short. As long as it is on a secure/https page when it goes
> to the browser it is pretty safe, but it generally comes back to the
> server in a URL and so needs to be invalidated immediately so that it
> cannot be used again, as that is pretty easy to snoop.
>
> So, to make it not work is easy: just have a page open in your browser
> that has a stale externalLoginKey in its URLS.
>
> 1. load a page where you are authenticated in tab/window A
> 2. right click on a link within the webapp and open it in tab/window B
> 3. go back to tab/window A and click on any link that goes to a webapp
> that you are not already logged into and that has an externalLoginKey
> parameter
>
> The externalLoginKey will be stale, so that auto-login will fail and you
> will be presented with the login form.
>
> -David

Re: Multiple logins needed

BJ Freeman
In reply to this post by David E Jones-3
http://docs.ofbiz.org/display/OFBIZ/FAQ+Why+do+I+have+to+login+when+there+is+a+externalLoginKey


Re: Multiple logins needed

Bilgin Ibryam
In reply to this post by David E Jones-3
I was wondering why externalLoginKey is not a cookie? Probably because  
of security reasons, but if it was a cookie, it would have a short  
life cycle as JSESSIONID cookie (the cookie value will be updated on  
every request) and working on many browser tabs at the same time  
wouldn't require multiple logins.

Bilgin



Re: Multiple logins needed

David E Jones-3

On Mar 11, 2009, at 5:16 PM, Bilgin Ibryam wrote:

> Quoting David E Jones <[hidden email]>:
>
>>
>> You may be describing a well known issue, and one that is part of the
>> way the externalLoginKey works (so it is not likely to change). The
>> externalLoginKey allows you to automatically login to another webapp
>> without a username/password. In order to do this a new login key is
>> generated with EVERY request to the server in order to keep it's life
>> cycle pretty short. As long as it is on a secure/https page when it
>> goes to the browser it is pretty safe, but it generally comes back to
>> the server in a URL and so needs to be invalidated immediately so  
>> that
>> it cannot be used again, as that is pretty easy to snoop.
>>
>> So, to make it not work is easy: just have a page open in your  
>> browser
>> that has a stale externalLoginKey in its URLs.
>>
>> 1. load a page where you are authenticated in tab/window A
>> 2. right click on a link within the webapp and open it in tab/
>> window B
>> 3. go back to tab/window A and click on any link that goes to a  
>> webapp
>> that you are not already logged into and that has an externalLoginKey
>> parameter
>>
>> The externalLoginKey will be stale, so that auto-login will fail and
>> you will be presented with the login form.
>>
>
> I was wondering why externalLoginKey is not a cookie? Probably  
> because of security reasons, but if it was a cookie, it would have a  
> short life cycle as JSESSIONID cookie (the cookie value will be  
> updated on every request) and working on many browser tabs at the  
> same time wouldn't require multiple logins.

That's a good idea. In theory even if the externalLoginKey were  
updated with every request the cookie in the browser (if there is only  
one cookie) then it would be updated and even other tabs and windows  
should use that with their request. There is still a chance that 2  
requests could end up in a race condition where one gets in and causes  
the server-side key to update even though the other request is on its  
way out and gets there after the server key is updated, but still  
using the old key from the client cookie.

Anyway, this is a good idea and the only reason I can think of to not  
do it is the one you mentioned, ie the security of cookies. It is very  
easy to spoof cookie domain names and get cookies from other sites...  
it's a "feature" of cookies that causes problems.

There may be ways to protect a cookie better, like encrypting it, but  
even if the key is secret on the server a fast attacker, or one that  
finds a session that has been idle for a while, then it can still get  
the encrypted value and the server wouldn't know if it came from a  
valid client or a forged one.

Sorry, was thinking out loud... I'm not sure if there is a good enough  
way to protect the cookie... and considering that this would be  
substitution for the username and password, I'm not sure I like it (I  
even have reservations about the current externalLoginKey... but a  
better alternative is tricky...).

-David



Re: Multiple logins needed

kongqz
In reply to this post by Scott.
hey, I got the same error
I have no idea
the following are my steps
1. download the ofbiz package from website today
2. change the database for mysql5
3. don't load application directory and the specialpurpose directory
4. don't load the component of testtools and the example in the directory of framework
 and I change the port from 8080 to 80
5. my jdk is 1.5 and the development server is windows xp
6. I go into the directory of ofbiz, and then run "clean-all"; I run "run-install" after the last command
7. then I start the ofbiz by typing "startofbiz.bat" in cmd
and then I log in to the webtools.
I get the errors as follows
"The Following Errors Occurred:

The following error occurred during login: Service target threw an unexpected exception (Could not find resource bundle [SecurityextUiLabels] in the locale [zh_CN])
"
By the way, I am from China.

Re: Multiple logins needed

Bilgin Ibryam
In reply to this post by David E Jones-3
I agree cookies are not secure and so not a good candidate for keeping  
externalLoginKeys. It would be great if browsers could store such  
information in more secure places (like in memory) and send it with  
every request...
Anyway, I guess 3 more cases when externalLoginKeys are "expired" and  
login is required:

1. This one is already fixed, I put it here only for information. Last  
week form widget links were rendered with empty src=" "  tag, this  
causes the browser to make a new request to the same url, and rendering  
the same page expires the externalLoginKeys.
2. Clicking on lookup button.
3. Ajax events which render screens (like ajax pagination and ajax  
drop downs).

For solving 2 and 3 I guess two ways:
Mark some of the requests (actually better the views in controller) so  
they don't generate new externalLoginKeys.
Or add a request parameter to every request which should not generate  
new externalLoginKey.

WDYT? Other proposals?

Bilgin
On Mar 12, 2009, at 7:19 AM, David E Jones wrote:

>
> On Mar 11, 2009, at 5:16 PM, Bilgin Ibryam wrote:
>
>> Quoting David E Jones <[hidden email]>:
>>
>>>
>>> You may be describing a well known issue, and one that is part of  
>>> the
>>> way the externalLoginKey works (so it is not likely to change). The
>>> externalLoginKey allows you to automatically login to another webapp
>>> without a username/password. In order to do this a new login key is
>>> generated with EVERY request to the server in order to keep it's  
>>> life
>>> cycle pretty short. As long as it is on a secure/https page when it
>>> goes to the browser it is pretty safe, but it generally comes back  
>>> to
>>> the server in a URL and so needs to be invalidated immediately so  
>>> that
>>> it cannot be used again, as that is pretty easy to snoop.
>>>
>>> So, to make it not work is easy: just have a page open in your  
>>> browser
>>> that has a stale externalLoginKey in its URLS.
>>>
>>> 1. load a page where you are authenticated in tab/window A
>>> 2. right click on a link within the webapp and open it in tab/
>>> window B
>>> 3. go back to tab/window A and click on any link that goes to a  
>>> webapp
>>> that you are not already logged into and that has an  
>>> externalLoginKey
>>> parameter
>>>
>>> The externalLoginKey will be stale, so that auto-login will fail and
>>> you will be presented with the login form.
>>>
>>
>> I was wondering why externalLoginKey is not a cookie? Probably  
>> because of security reasons, but if it was a cookie, it would have  
>> a short life cycle as JSESSIONID cookie (the cookie value will be  
>> updated on every request) and working on many browser tabs at the  
>> same time wouldn't require multiple logins.
>
> That's a good idea. In theory even if the externalLoginKey were  
> updated with every request the cookie in the browser (if there is  
> only one cookie) then it would be updated and even other tabs and  
> windows should use that with their request. There is a still a  
> chance that 2 requests could end up in a race condition where one  
> gets in and causes the server-side key to update even though the  
> other request is on its way out and gets there after the server key  
> is updated, but still using the old key from the client cookie.
>
> Anyway, this is a good idea and the only reason I can think of to  
> not do it is the one you mentioned, ie the security of cookies. It  
> is very easy to spoof cookie domain names and get cookies from other  
> sites... it's a "feature" of cookies that causes problems.
>
> There may be ways to protect a cookie better, like encrypting it,  
> but even if the key is secret on the server a fast attacker, or one  
> that finds a session that has been idle for a while, then it can  
> still get the encrypted value and the server wouldn't know if it  
> came from a valid client or a forged one.
>
> Sorry, was thinking out loud... I'm not sure if there is a good  
> enough way to protect the cookie... and considering that this would  
> be substitution for the username and password, I'm not sure I like  
> it (I even have reservations about the current externalLoginKey...  
> but a better alternative is tricky...).
>
> -David
>
>


Re: Multiple logins needed

Jacques Le Roux
Administrator
In reply to this post by kongqz
Any interesting log snippet around the error? Is it reproducible? R.r (Release.revision)?

Thanks

Jacques

From: "kongqz" <[hidden email]>

>
> hey,I got the same error
> I have no idea
> the following is my step
> 1、down the ofbiz package from website today
> 2、change the database for mysql5
> 3、don't load application directory and the specialpurpose directory
> 4、don't load the compentment of testtools and the example in the directory
> of framework
> and I change the port from 8080 to 80
> 5、my jdk is 1.5 and the development server is windows xp
> 6、I go into the directory of ofbiz.and then run "clean-all" ,I run
> "run-install" after last command
> 7、then I start the ofbiz by type "startofbiz.bat" in cmd
> and then I login in the webtools.
> I get the errors as follow
> "The Following Errors Occurred:
>
> The following error occurred during login: Service target threw an
> unexpected exception (Could not find resource bundle [SecurityextUiLabels]
> in the locale [zh_CN])
> "
> by the way .I am from China.
>
> --
> View this message in context: http://www.nabble.com/Multiple-logins-needed-tp22374485p22491095.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
>
>



Re: Multiple logins needed

Bilgin Ibryam
I can reproduce it on the demo server, but not locally. Here are the steps
1. From ofbiz site, using the demo links log in to trunk
2. Log out
3. Enter a wrong password and try to log in.

I got this error message:

Error calling event: org.ofbiz.webapp.event.EventHandlerException:  
Problems processing event: java.lang.IllegalArgumentException: Could  
not find resource bundle [SecurityextUiLabels] in the locale [en_US]  
(Could not find resource bundle [SecurityextUiLabels] in the locale  
[en_US])

Bilgin

On Mar 13, 2009, at 12:23 PM, Jacques Le Roux wrote:

> Any interesting log snippet around the error ? Is it reprodutible ?  
> R.r  (Release.revision) ?
>
> Thanks
>
> Jacques
>
> From: "kongqz" <[hidden email]>
>>
>> hey,I got the same error
>> I have no idea
>> the following is my step
>> 1、down the ofbiz package from website today
>> 2、change the database for mysql5
>> 3、don't load application directory and the specialpurpose directory
>> 4、don't load the compentment of testtools and the example in the  
>> directory
>> of framework
>> and I change the port from 8080 to 80
>> 5、my jdk is 1.5 and the development server is windows xp
>> 6、I go into the directory of ofbiz.and then run "clean-all" ,I run
>> "run-install" after last command
>> 7、then I start the ofbiz by type "startofbiz.bat" in cmd
>> and then I login in the webtools.
>> I get the errors as follow
>> "The Following Errors Occurred:
>>
>> The following error occurred during login: Service target threw an
>> unexpected exception (Could not find resource bundle  
>> [SecurityextUiLabels]
>> in the locale [zh_CN])
>> "
>> by the way .I am from China.
>>
>> --
>> View this message in context: http://www.nabble.com/Multiple-logins-needed-tp22374485p22491095.html
>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>>
>
>


Re: Multiple logins needed

David E Jones-3
In reply to this post by Bilgin Ibryam

On Mar 13, 2009, at 3:58 AM, Bilgin Ibryam wrote:

> 2. Clicking on lookup button.
> 3. Ajax events which render screens (like ajax pagination and ajax  
> drop downs).

Have you actually observed either of these? If there are issues like  
this anywhere it is because of bad coding. Lookup windows and ajax  
requests should always be in the same webapp, and can participate in  
the existing session.

The externalLoginKey is only for situations where you are jumping to  
different webapps, and there is no reason to do that for lookups and  
AJAX stuff (especially since you can generally add about 2 lines of  
XML to the controller.xml file to reuse resources even if they are  
defined in another component).

-David


> For solving 2 and 3 I guess two ways:
> Mark some of the requrest (actually better the views in  
> controller)so they don't generate new externalLoginKeys.
> Or add a request parameter to every request which should not  
> generate  new externalLoginKey.
>
> WDYT? Other proposals?
>
> Bilgin
> On Mar 12, 2009, at 7:19 AM, David E Jones wrote:
>
>>
>> On Mar 11, 2009, at 5:16 PM, Bilgin Ibryam wrote:
>>
>>> Quoting David E Jones <[hidden email]>:
>>>
>>>>
>>>> You may be describing a well known issue, and one that is part of  
>>>> the
>>>> way the externalLoginKey works (so it is not likely to change). The
>>>> externalLoginKey allows you to automatically login to another  
>>>> webapp
>>>> without a username/password. In order to do this a new login key is
>>>> generated with EVERY request to the server in order to keep it's  
>>>> life
>>>> cycle pretty short. As long as it is on a secure/https page when it
>>>> goes to the browser it is pretty safe, but it generally comes  
>>>> back to
>>>> the server in a URL and so needs to be invalidated immediately so  
>>>> that
>>>> it cannot be used again, as that is pretty easy to snoop.
>>>>
>>>> So, to make it not work is easy: just have a page open in your  
>>>> browser
>>>> that has a stale externalLoginKey in its URLS.
>>>>
>>>> 1. load a page where you are authenticated in tab/window A
>>>> 2. right click on a link within the webapp and open it in tab/
>>>> window B
>>>> 3. go back to tab/window A and click on any link that goes to a  
>>>> webapp
>>>> that you are not already logged into and that has an  
>>>> externalLoginKey
>>>> parameter
>>>>
>>>> The externalLoginKey will be stale, so that auto-login will fail  
>>>> and
>>>> you will be presented with the login form.
>>>>
>>>
>>> I was wondering why externalLoginKey is not a cookie? Probably  
>>> because of security reasons, but if it was a cookie, it would have  
>>> a short life cycle as JSESSIONID cookie (the cookie value will be  
>>> updated on every request) and working on many browser tabs at the  
>>> same time wouldn't require multiple logins.
>>
>> That's a good idea. In theory even if the externalLoginKey were  
>> updated with every request the cookie in the browser (if there is  
>> only one cookie) then it would be updated and even other tabs and  
>> windows should use that with their request. There is a still a  
>> chance that 2 requests could end up in a race condition where one  
>> gets in and causes the server-side key to update even though the  
>> other request is on its way out and gets there after the server key  
>> is updated, but still using the old key from the client cookie.
>>
>> Anyway, this is a good idea and the only reason I can think of to  
>> not do it is the one you mentioned, ie the security of cookies. It  
>> is very easy to spoof cookie domain names and get cookies from  
>> other sites... it's a "feature" of cookies that causes problems.
>>
>> There may be ways to protect a cookie better, like encrypting it,  
>> but even if the key is secret on the server a fast attacker, or one  
>> that finds a session that has been idle for a while, then it can  
>> still get the encrypted value and the server wouldn't know if it  
>> came from a valid client or a forged one.
>>
>> Sorry, was thinking out loud... I'm not sure if there is a good  
>> enough way to protect the cookie... and considering that this would  
>> be substitution for the username and password, I'm not sure I like  
>> it (I even have reservations about the current externalLoginKey...  
>> but a better alternative is tricky...).
>>
>> -David
>>
>>
>


Re: Multiple logins needed

Bilgin Ibryam

On Mar 13, 2009, at 10:12 PM, David E Jones wrote:

>
> On Mar 13, 2009, at 3:58 AM, Bilgin Ibryam wrote:
>
>> 2. Clicking on lookup button.
>> 3. Ajax events which render screens (like ajax pagination and ajax  
>> drop downs).
>
> Have you actually observed either of these? If there are issues like  
> this anywhere it is because of bad coding. Lookup windows and ajax  
> requests should always be in the same webapp, and can participate in  
> the existing session.
Yes, these are cases where externalLoginKey is updated. Lookup and  
ajax are requests in the same webapp, but the problem is that the  
method for generating new externalLoginKey is invoked from  
ScreenRenderer.populateContextForRequest before a screen is rendered. So  
whenever a screen is rendered (this includes also lookup and ajax  
screens) new externalLoginKey is generated and expires the one on the  
main page.
>
>
> The externalLoginKey is only for situations where you are jumping to  
> different webapps, and there is no reason to do that for lookups and  
> AJAX stuff (especially since you can generally add about 2 lines of  
> XML to the controller.xml file to reuse resources even if they are  
> defined in another component).
I think I was not clear. For ajax and lookups externalLoginKey is not  
used, but during the rendering of the lookup or ajax response screen, a  
new externalLoginKey is generated, and this expires externalLoginKey  
on the main page. So if you try to jump to another application exactly  
after lookup or ajax pagination or ajax sorting use, login will be  
required.

Looking more into it, I see that ScreenTextViewHandler,  
ScreenXmlViewHandler and ScreenFopViewHandler also call  
ScreenRenderer.populateContextForRequest method, and cause generating  
new externalLoginKey, but these view handlers don't need  
externalLoginKey at all.

Any advice how to fix all that?

Bilgin


>
>
> -David
>
>
>> For solving 2 and 3 I guess two ways:
>> Mark some of the requrest (actually better the views in  
>> controller)so they don't generate new externalLoginKeys.
>> Or add a request parameter to every request which should not  
>> generate  new externalLoginKey.
>>
>> WDYT? Other proposals?
>>
>> Bilgin
>> On Mar 12, 2009, at 7:19 AM, David E Jones wrote:
>>
>>>
>>> On Mar 11, 2009, at 5:16 PM, Bilgin Ibryam wrote:
>>>
>>>> Quoting David E Jones <[hidden email]>:
>>>>
>>>>>
>>>>> You may be describing a well known issue, and one that is part  
>>>>> of the
>>>>> way the externalLoginKey works (so it is not likely to change).  
>>>>> The
>>>>> externalLoginKey allows you to automatically login to another  
>>>>> webapp
>>>>> without a username/password. In order to do this a new login key  
>>>>> is
>>>>> generated with EVERY request to the server in order to keep it's  
>>>>> life
>>>>> cycle pretty short. As long as it is on a secure/https page when  
>>>>> it
>>>>> goes to the browser it is pretty safe, but it generally comes  
>>>>> back to
>>>>> the server in a URL and so needs to be invalidated immediately  
>>>>> so that
>>>>> it cannot be used again, as that is pretty easy to snoop.
>>>>>
>>>>> So, to make it not work is easy: just have a page open in your  
>>>>> browser
>>>>> that has a stale externalLoginKey in its URLS.
>>>>>
>>>>> 1. load a page where you are authenticated in tab/window A
>>>>> 2. right click on a link within the webapp and open it in tab/
>>>>> window B
>>>>> 3. go back to tab/window A and click on any link that goes to a  
>>>>> webapp
>>>>> that you are not already logged into and that has an  
>>>>> externalLoginKey
>>>>> parameter
>>>>>
>>>>> The externalLoginKey will be stale, so that auto-login will fail  
>>>>> and
>>>>> you will be presented with the login form.
>>>>>
>>>>
>>>> I was wondering why externalLoginKey is not a cookie? Probably  
>>>> because of security reasons, but if it was a cookie, it would  
>>>> have a short life cycle as JSESSIONID cookie (the cookie value  
>>>> will be updated on every request) and working on many browser  
>>>> tabs at the same time wouldn't require multiple logins.
>>>
>>> That's a good idea. In theory even if the externalLoginKey were  
>>> updated with every request the cookie in the browser (if there is  
>>> only one cookie) then it would be updated and even other tabs and  
>>> windows should use that with their request. There is a still a  
>>> chance that 2 requests could end up in a race condition where one  
>>> gets in and causes the server-side key to update even though the  
>>> other request is on its way out and gets there after the server  
>>> key is updated, but still using the old key from the client cookie.
>>>
>>> Anyway, this is a good idea and the only reason I can think of to  
>>> not do it is the one you mentioned, ie the security of cookies. It  
>>> is very easy to spoof cookie domain names and get cookies from  
>>> other sites... it's a "feature" of cookies that causes problems.
>>>
>>> There may be ways to protect a cookie better, like encrypting it,  
>>> but even if the key is secret on the server a fast attacker, or  
>>> one that finds a session that has been idle for a while, then it  
>>> can still get the encrypted value and the server wouldn't know if  
>>> it came from a valid client or a forged one.
>>>
>>> Sorry, was thinking out loud... I'm not sure if there is a good  
>>> enough way to protect the cookie... and considering that this  
>>> would be substitution for the username and password, I'm not sure  
>>> I like it (I even have reservations about the current  
>>> externalLoginKey... but a better alternative is tricky...).
>>>
>>> -David
>>>
>>>
>>
>
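
The key lifecycle discussed in the messages above (a single-use login key rotated on every screen render, the stale-tab failure, and the proposal to let only some views rotate it), as an added example that is not part of any post and is not OFBiz code. It is a simplified model: the class, the `ViewKind` values and the `rotatingViews` setting are hypothetical names chosen for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Simplified model of a rotating, single-use cross-webapp login key (illustrative, not OFBiz code). */
public class ExternalLoginKeyModel {

    /** Hypothetical view kinds; in this model only full HTML pages carry links to other webapps. */
    enum ViewKind { HTML_PAGE, LOOKUP, AJAX_FRAGMENT, PDF }

    private static final SecureRandom RNG = new SecureRandom();

    // Server-side registry shared by all webapps: key -> user login id.
    private final Map<String, String> liveKeys = new ConcurrentHashMap<>();
    // The one key currently valid for each logged-in user.
    private final Map<String, String> currentKeyByUser = new ConcurrentHashMap<>();
    // View kinds whose rendering issues a new key and kills the previous one.
    private final Set<ViewKind> rotatingViews;

    ExternalLoginKeyModel(Set<ViewKind> rotatingViews) {
        this.rotatingViews = rotatingViews;
    }

    /** Renders a view for the user and returns the key its links would embed. */
    String render(String userLoginId, ViewKind kind) {
        String current = currentKeyByUser.get(userLoginId);
        if (current != null && !rotatingViews.contains(kind)) {
            return current; // non-rotating view: the key already in open pages stays valid
        }
        if (current != null) {
            liveKeys.remove(current); // the old key dies the moment a new one is issued
        }
        byte[] raw = new byte[24];
        RNG.nextBytes(raw);
        String fresh = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        liveKeys.put(fresh, userLoginId);
        currentKeyByUser.put(userLoginId, fresh);
        return fresh;
    }

    /** Target webapp: redeems a key taken from the URL. Null means "show the login form". */
    String redeem(String keyFromUrl) {
        if (keyFromUrl == null) {
            return null;
        }
        String user = liveKeys.remove(keyFromUrl); // atomic check-and-invalidate: single use
        if (user != null) {
            currentKeyByUser.remove(user, keyFromUrl);
        }
        return user;
    }

    public static void main(String[] args) {
        // 1) Behaviour described in the thread: every rendered screen rotates the key.
        ExternalLoginKeyModel everyRender = new ExternalLoginKeyModel(EnumSet.allOf(ViewKind.class));
        String tabA = everyRender.render("admin", ViewKind.HTML_PAGE);
        String tabB = everyRender.render("admin", ViewKind.HTML_PAGE); // link opened in tab B
        System.out.println("stale key from tab A  -> " + everyRender.redeem(tabA));
        System.out.println("fresh key from tab B  -> " + everyRender.redeem(tabB));
        System.out.println("replay of tab B's key -> " + everyRender.redeem(tabB));

        String page = everyRender.render("admin", ViewKind.HTML_PAGE);
        everyRender.render("admin", ViewKind.AJAX_FRAGMENT); // pagination on the same page
        System.out.println("after AJAX render     -> " + everyRender.redeem(page));

        // 2) Proposal from the thread: only full HTML pages rotate the key.
        ExternalLoginKeyModel htmlOnly = new ExternalLoginKeyModel(EnumSet.of(ViewKind.HTML_PAGE));
        page = htmlOnly.render("admin", ViewKind.HTML_PAGE);
        htmlOnly.render("admin", ViewKind.AJAX_FRAGMENT);
        htmlOnly.render("admin", ViewKind.LOOKUP);
        System.out.println("after AJAX + lookup   -> " + htmlOnly.redeem(page));
        System.out.println("replay                -> " + htmlOnly.redeem(page));
    }
}
```

Restricting rotation lengthens the time a given key stays redeemable, so the single-use removal in `redeem` is what still bounds replay of a key seen in a URL. The race between two in-flight requests that David describes is not addressed by this model.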


Re: Multiple logins needed

Jacques Le Roux
Administrator
In reply to this post by Bilgin Ibryam
Thanks Bilgin,

I checked the log and then asked Contegix people to revert this file (framework/common/config/SecurityextUiLabels.xml), certainly a
merging issue

BTW I also got this error while trying to use Labels Manager on demo server

2009-03-15 08:26:26,651 (TP-Processor3) [ ModelScreen.java:409:ERROR] Error rendering screen
[component://webtools/widget/LabelManagerScreens.xml#SearchLabels]: org.ofbiz.base.util.GeneralException: Error running Groovy
script at location [component://webtools/webapp/webtools/WEB-INF/actions/labelmanager/LabelManager.groovy] (The content of elements
must consist of well-formed character data or markup.). Rolling back transaction.

I hope it's related (would fix 2 errors in one shot :o)

Jacques

From: "Bilgin Ibryam" <[hidden email]>

>I can reproduce is on demo server, but not locally. Here are the steps
> 1. From ofbiz site, using the demo links log in to trunk
> 2. Log out
> 3. Enter a wrong password and try to log in.
>
> I got this error message:
>
> Error calling event: org.ofbiz.webapp.event.EventHandlerException:  Problems processing event: java.lang.IllegalArgumentException:
> Could  not find resource bundle [SecurityextUiLabels] in the locale [en_US]  (Could not find resource bundle [SecurityextUiLabels]
> in the locale  [en_US])
>
> Bilgin
>
> On Mar 13, 2009, at 12:23 PM, Jacques Le Roux wrote:
>
>> Any interesting log snippet around the error ? Is it reprodutible ?  R.r  (Release.revision) ?
>>
>> Thanks
>>
>> Jacques
>>
>> From: "kongqz" <[hidden email]>
>>>
>>> hey,I got the same error
>>> I have no idea
>>> the following is my step
>>> 1、down the ofbiz package from website today
>>> 2、change the database for mysql5
>>> 3、don't load application directory and the specialpurpose directory
>>> 4、don't load the compentment of testtools and the example in the  directory
>>> of framework
>>> and I change the port from 8080 to 80
>>> 5、my jdk is 1.5 and the development server is windows xp
>>> 6、I go into the directory of ofbiz.and then run "clean-all" ,I run
>>> "run-install" after last command
>>> 7、then I start the ofbiz by type "startofbiz.bat" in cmd
>>> and then I login in the webtools.
>>> I get the errors as follow
>>> "The Following Errors Occurred:
>>>
>>> The following error occurred during login: Service target threw an
>>> unexpected exception (Could not find resource bundle  [SecurityextUiLabels]
>>> in the locale [zh_CN])
>>> "
>>> by the way .I am from China.
>>>
>>> --
>>> View this message in context: http://www.nabble.com/Multiple-logins-needed-tp22374485p22491095.html
>>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>>>
>>
>>
>
>



Re: Multiple logins needed

Jacques Le Roux
Administrator
This has not fixed the issue

Jacques

From: "Jacques Le Roux" <[hidden email]>

> Thanks Bilgin,
>
> I checked the log and then asked Contegix people to revert this file (framework/common/config/SecurityextUiLabels.xml) cetainly a
> merging issue
>
> BTW I got also this eror while trying to use Labels Manager on demo server
>
> 2009-03-15 08:26:26,651 (TP-Processor3) [ ModelScreen.java:409:ERROR] Error rendering screen
> [component://webtools/widget/LabelManagerScreens.xml#SearchLabels]: org.ofbiz.base.util.GeneralException: Error running Groovy
> script at location [component://webtools/webapp/webtools/WEB-INF/actions/labelmanager/LabelManager.groovy] (The content of
> elements
> must consist of well-formed character data or markup.). Rolling back transaction.
>
> I hope it's related (would fix 2 errors in one shoot :o)
>
> Jacques
>
> From: "Bilgin Ibryam" <[hidden email]>
>>I can reproduce is on demo server, but not locally. Here are the steps
>> 1. From ofbiz site, using the demo links log in to trunk
>> 2. Log out
>> 3. Enter a wrong password and try to log in.
>>
>> I got this error message:
>>
>> Error calling event: org.ofbiz.webapp.event.EventHandlerException:  Problems processing event:
>> java.lang.IllegalArgumentException:
>> Could  not find resource bundle [SecurityextUiLabels] in the locale [en_US]  (Could not find resource bundle
>> [SecurityextUiLabels]
>> in the locale  [en_US])
>>
>> Bilgin
>>
>> On Mar 13, 2009, at 12:23 PM, Jacques Le Roux wrote:
>>
>>> Any interesting log snippet around the error ? Is it reprodutible ?  R.r  (Release.revision) ?
>>>
>>> Thanks
>>>
>>> Jacques
>>>
>>> From: "kongqz" <[hidden email]>
>>>>
>>>> hey,I got the same error
>>>> I have no idea
>>>> the following is my step
>>>> 1、down the ofbiz package from website today
>>>> 2、change the database for mysql5
>>>> 3、don't load application directory and the specialpurpose directory
>>>> 4、don't load the compentment of testtools and the example in the  directory
>>>> of framework
>>>> and I change the port from 8080 to 80
>>>> 5、my jdk is 1.5 and the development server is windows xp
>>>> 6、I go into the directory of ofbiz.and then run "clean-all" ,I run
>>>> "run-install" after last command
>>>> 7、then I start the ofbiz by type "startofbiz.bat" in cmd
>>>> and then I login in the webtools.
>>>> I get the errors as follow
>>>> "The Following Errors Occurred:
>>>>
>>>> The following error occurred during login: Service target threw an
>>>> unexpected exception (Could not find resource bundle  [SecurityextUiLabels]
>>>> in the locale [zh_CN])
>>>> "
>>>> by the way .I am from China.
>>>>
>>>> --
>>>> View this message in context: http://www.nabble.com/Multiple-logins-needed-tp22374485p22491095.html
>>>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>>>>
>>>
>>>
>>
>>
>
>