Multiple logins needed

>
> Hello all,
>
> I was seeing what we thought was strange behavior in our ofbiz that kept
> making us login over and over without any real reason. I have had the same
> thing using FF3 and IE7 on an XP pro sp2 workstation. It never seems to be
> the same apps that require you to re-enter so I always put it down to
> something in our version. Then I decided to try it in on the trunk demo and
> I got the same result.
>
> I logged in originally to the catalogue then work effort, project and then I
> clicked on order manager. I then got a login screen and I entered
> admin/ofbiz and got the following;
>
> The Following Errors Occurred:
>
> Error calling event: org.ofbiz.webapp.event.EventHandlerException: Problems
> processing event: java.lang.IllegalArgumentException: Could not find
> resource bundle [SecurityextUiLabels] in the locale [en_US] (Could not find
> resource bundle [SecurityextUiLabels] in the locale [en_US])
>
> I then logged in again with eh same admin/ofbiz combo and was back in the
> app.
>
> Anyone know why this is happening? Thanks.
>
> --
> View this message in context: http://www.nabble.com/Multiple-logins-needed-tp22374485p22374485.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
>

>
> Hello all,
>
> I was seeing what we thought was strange behavior in our ofbiz that kept
> making us login over and over without any real reason. I have had the same
> thing using FF3 and IE7 on an XP pro sp2 workstation. It never seems to be
> the same apps that require you to re-enter so I always put it down to
> something in our version. Then I decided to try it in on the trunk demo and
> I got the same result.
>
> I logged in originally to the catalogue then work effort, project and then I
> clicked on order manager. I then got a login screen and I entered
> admin/ofbiz and got the following;
>
> The Following Errors Occurred:
>
> Error calling event: org.ofbiz.webapp.event.EventHandlerException: Problems
> processing event: java.lang.IllegalArgumentException: Could not find
> resource bundle [SecurityextUiLabels] in the locale [en_US] (Could not find
> resource bundle [SecurityextUiLabels] in the locale [en_US])
>
> I then logged in again with eh same admin/ofbiz combo and was back in the
> app.
>
> Anyone know why this is happening? Thanks.
>
> --
> View this message in context: http://www.nabble.com/Multiple-logins-needed-tp22374485p22374485.html 
> Sent from the OFBiz - User mailing list archive at Nabble.com.
>

>
> I'm glad its real because I was starting to think I was nuts. I have tried
> many times to track it down but never seems to be the same way twice. Tried
> different browsers but thats not it. Had the same issue with Vista, XP Pro
> and 2003. Every now and then it just asks me for user/pass. It can be 5
> minutes of no use or 5 seconds. That said, I dont always get the error. This
> is something fairly new and I am a user not a developer so I really dont
> know what it means.
>
>
>
> Scott. wrote:
>>
>> Hello all,
>>
>> I was seeing what we thought was strange behavior in our ofbiz that kept
>> making us login over and over without any real reason. I have had the same
>> thing using FF3 and IE7 on an XP pro sp2 workstation. It never seems to be
>> the same apps that require you to re-enter so I always put it down to
>> something in our version. Then I decided to try it in on the trunk demo
>> and I got the same result.
>>
>> I logged in originally to the catalogue then work effort, project and then
>> I clicked on order manager. I then got a login screen and I entered
>> admin/ofbiz and got the following;
>>
>> The Following Errors Occurred:
>>
>> Error calling event: org.ofbiz.webapp.event.EventHandlerException:
>> Problems processing event: java.lang.IllegalArgumentException: Could not
>> find resource bundle [SecurityextUiLabels] in the locale [en_US] (Could
>> not find resource bundle [SecurityextUiLabels] in the locale [en_US])
>>  
>> I then logged in again with eh same admin/ofbiz combo and was back in the
>> app.
>>
>> Anyone know why this is happening? Thanks.
>>
>>
>
> --
> View this message in context: http://www.nabble.com/Multiple-logins-needed-tp22374485p22389286.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
>

> Thanks to both for confirmation. Hans reported it some time ago, and I
> saw it too.
> That's why I tested but I did not reproduce. It's a random bug I guess,
> hard to trace... We will see anyway...
>
> Jacques
>
> From: "Scott." <[hidden email]>
>>
>> I'm glad its real because I was starting to think I was nuts. I have
>> tried
>> many times to track it down but never seems to be the same way twice.
>> Tried
>> different browsers but thats not it. Had the same issue with Vista, XP
>> Pro
>> and 2003. Every now and then it just asks me for user/pass. It can be 5
>> minutes of no use or 5 seconds. That said, I dont always get the
>> error. This
>> is something fairly new and I am a user not a developer so I really dont
>> know what it means.
>>
>>
>>
>> Scott. wrote:
>>>
>>> Hello all,
>>>
>>> I was seeing what we thought was strange behavior in our ofbiz that kept
>>> making us login over and over without any real reason. I have had the
>>> same
>>> thing using FF3 and IE7 on an XP pro sp2 workstation. It never seems
>>> to be
>>> the same apps that require you to re-enter so I always put it down to
>>> something in our version. Then I decided to try it in on the trunk demo
>>> and I got the same result.
>>>
>>> I logged in originally to the catalogue then work effort, project and
>>> then
>>> I clicked on order manager. I then got a login screen and I entered
>>> admin/ofbiz and got the following;
>>>
>>> The Following Errors Occurred:
>>>
>>> Error calling event: org.ofbiz.webapp.event.EventHandlerException:
>>> Problems processing event: java.lang.IllegalArgumentException: Could not
>>> find resource bundle [SecurityextUiLabels] in the locale [en_US] (Could
>>> not find resource bundle [SecurityextUiLabels] in the locale [en_US])
>>>  
>>> I then logged in again with eh same admin/ofbiz combo and was back in
>>> the
>>> app.
>>> Anyone know why this is happening? Thanks.
>>>
>>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/Multiple-logins-needed-tp22374485p22389286.html
>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>>
>
>
>

> Thanks to both for confirmation. Hans reported it some time ago, and I
> saw it too.
> That's why I tested but I did not reproduce. It's a random bug I guess,
> hard to trace... We will see anyway...
>
> Jacques
>
> From: "Scott." <[hidden email]>
>>
>> I'm glad its real because I was starting to think I was nuts. I have
>> tried
>> many times to track it down but never seems to be the same way twice.
>> Tried
>> different browsers but thats not it. Had the same issue with Vista, XP
>> Pro
>> and 2003. Every now and then it just asks me for user/pass. It can be 5
>> minutes of no use or 5 seconds. That said, I dont always get the
>> error. This
>> is something fairly new and I am a user not a developer so I really dont
>> know what it means.
>>
>>
>>
>> Scott. wrote:
>>>
>>> Hello all,
>>>
>>> I was seeing what we thought was strange behavior in our ofbiz that kept
>>> making us login over and over without any real reason. I have had the
>>> same
>>> thing using FF3 and IE7 on an XP pro sp2 workstation. It never seems
>>> to be
>>> the same apps that require you to re-enter so I always put it down to
>>> something in our version. Then I decided to try it in on the trunk demo
>>> and I got the same result.
>>>
>>> I logged in originally to the catalogue then work effort, project and
>>> then
>>> I clicked on order manager. I then got a login screen and I entered
>>> admin/ofbiz and got the following;
>>>
>>> The Following Errors Occurred:
>>>
>>> Error calling event: org.ofbiz.webapp.event.EventHandlerException:
>>> Problems processing event: java.lang.IllegalArgumentException: Could not
>>> find resource bundle [SecurityextUiLabels] in the locale [en_US] (Could
>>> not find resource bundle [SecurityextUiLabels] in the locale [en_US])
>>>
>>> I then logged in again with eh same admin/ofbiz combo and was back in
>>> the
>>> app.
>>> Anyone know why this is happening? Thanks.
>>>
>>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/Multiple-logins-needed-tp22374485p22389286.html 
>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>>
>
>
>

> Here is the only thing I have seen come up in the log so far. I was  
> in the CMS application and clicked on the Party tab. I got a login  
> screen instead of being logged into PartyMgr automatically. The URL  
> had the external login key. Here is the only line I found in the log  
> that seems related:
>
> 2009-03-08 13:48:19,806 (http-0.0.0.0-8443-3) [ LoginWorker.java:
> 828:WARN ] Could not find userLogin for external login key:  
> EL339616443508
>
> ----- Original Message -----
> From: "BJ Freeman" <[hidden email]>
> To: [hidden email]
> Sent: Saturday, March 7, 2009 6:38:23 PM (GMT-0700) America/Denver
> Subject: Re: Multiple logins needed
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> to track this done take a look in the URL for something like
> externalLoginKey=EL82824678935
> if so then should login
> if not then need to track back were someone was when they clicked to  
> go
> to the place where the login happend.
>
> Just a thought
>
> Jacques Le Roux sent the following on 3/7/2009 8:51 AM:
>> Thanks to both for confirmation. Hans reported it some time ago,  
>> and I
>> saw it too.
>> That's why I tested but I did not reproduce. It's a random bug I  
>> guess,
>> hard to trace... We will see anyway...
>>
>> Jacques
>>
>> From: "Scott." <[hidden email]>
>>>
>>> I'm glad its real because I was starting to think I was nuts. I have
>>> tried
>>> many times to track it down but never seems to be the same way  
>>> twice.
>>> Tried
>>> different browsers but thats not it. Had the same issue with  
>>> Vista, XP
>>> Pro
>>> and 2003. Every now and then it just asks me for user/pass. It can  
>>> be 5
>>> minutes of no use or 5 seconds. That said, I dont always get the
>>> error. This
>>> is something fairly new and I am a user not a developer so I  
>>> really dont
>>> know what it means.
>>>
>>>
>>>
>>> Scott. wrote:
>>>>
>>>> Hello all,
>>>>
>>>> I was seeing what we thought was strange behavior in our ofbiz  
>>>> that kept
>>>> making us login over and over without any real reason. I have had  
>>>> the
>>>> same
>>>> thing using FF3 and IE7 on an XP pro sp2 workstation. It never  
>>>> seems
>>>> to be
>>>> the same apps that require you to re-enter so I always put it  
>>>> down to
>>>> something in our version. Then I decided to try it in on the  
>>>> trunk demo
>>>> and I got the same result.
>>>>
>>>> I logged in originally to the catalogue then work effort, project  
>>>> and
>>>> then
>>>> I clicked on order manager. I then got a login screen and I entered
>>>> admin/ofbiz and got the following;
>>>>
>>>> The Following Errors Occurred:
>>>>
>>>> Error calling event: org.ofbiz.webapp.event.EventHandlerException:
>>>> Problems processing event: java.lang.IllegalArgumentException:  
>>>> Could not
>>>> find resource bundle [SecurityextUiLabels] in the locale [en_US]  
>>>> (Could
>>>> not find resource bundle [SecurityextUiLabels] in the locale  
>>>> [en_US])
>>>>
>>>> I then logged in again with eh same admin/ofbiz combo and was  
>>>> back in
>>>> the
>>>> app.
>>>> Anyone know why this is happening? Thanks.
>>>>
>>>>
>>>
>>> --
>>> View this message in context:
>>> http://www.nabble.com/Multiple-logins-needed- 
>>> tp22374485p22389286.html
>>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>>>
>>
>>
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFJsxbyrP3NbaWWqE4RAnhpAKDGpCyXdcC5eJIM1LrG1T8i7rdRmwCgqCPx
> YA62kbCmOjrjThBlWNdV28g=
> =js4M
> -----END PGP SIGNATURE-----

>
> You may be describing a well known issue, and one that is part of the
> way the externalLoginKey works (so it is not likely to change). The
> externalLoginKey allows you to automatically login to another webapp
> without a username/password. In order to do this a new login key is
> generated with EVERY request to the server in order to keep it's life
> cycle pretty short. As long as it is on a secure/https page when it goes
> to the browser it is pretty safe, but it generally comes back to the
> server in a URL and so needs to be invalidated immediately so that it
> cannot be used again, as that is pretty easy to snoop.
>
> So, to make it not work is easy: just have a page open in your browser
> that has a stale externalLoginKey in its URLS.
>
> 1. load a page where you are authenticated in tab/window A
> 2. right click on a link within the webapp and open it in tab/window B
> 3. go back to tab/window A and click on any link that goes to a webapp
> that you are not already logged into and that has an externalLoginKey
> parameter
>
> The externalLoginKey will be stale, so that auto-login will fail and you
> will be presented with the login form.
>
> -David
>
>
> On Mar 8, 2009, at 1:30 PM, Vince M. Clark wrote:
>
>> Here is the only thing I have seen come up in the log so far. I was in
>> the CMS application and clicked on the Party tab. I got a login screen
>> instead of being logged into PartyMgr automatically. The URL had the
>> external login key. Here is the only line I found in the log that
>> seems related:
>>
>> 2009-03-08 13:48:19,806 (http-0.0.0.0-8443-3) [
>> LoginWorker.java:828:WARN ] Could not find userLogin for external
>> login key: EL339616443508
>>
>> ----- Original Message -----
>> From: "BJ Freeman" <[hidden email]>
>> To: [hidden email]
>> Sent: Saturday, March 7, 2009 6:38:23 PM (GMT-0700) America/Denver
>> Subject: Re: Multiple logins needed
>>
> to track this done take a look in the URL for something like
> externalLoginKey=EL82824678935
> if so then should login
> if not then need to track back were someone was when they clicked to go
> to the place where the login happend.
>
> Just a thought
>
> Jacques Le Roux sent the following on 3/7/2009 8:51 AM:
>>>> Thanks to both for confirmation. Hans reported it some time ago, and I
>>>> saw it too.
>>>> That's why I tested but I did not reproduce. It's a random bug I guess,
>>>> hard to trace... We will see anyway...
>>>>
>>>> Jacques
>>>>
>>>> From: "Scott." <[hidden email]>
>>>>>
>>>>> I'm glad its real because I was starting to think I was nuts. I have
>>>>> tried
>>>>> many times to track it down but never seems to be the same way twice.
>>>>> Tried
>>>>> different browsers but thats not it. Had the same issue with Vista, XP
>>>>> Pro
>>>>> and 2003. Every now and then it just asks me for user/pass. It can be 5
>>>>> minutes of no use or 5 seconds. That said, I dont always get the
>>>>> error. This
>>>>> is something fairly new and I am a user not a developer so I really
>>>>> dont
>>>>> know what it means.
>>>>>
>>>>>
>>>>>
>>>>> Scott. wrote:
>>>>>>
>>>>>> Hello all,
>>>>>>
>>>>>> I was seeing what we thought was strange behavior in our ofbiz that
>>>>>> kept
>>>>>> making us login over and over without any real reason. I have had the
>>>>>> same
>>>>>> thing using FF3 and IE7 on an XP pro sp2 workstation. It never seems
>>>>>> to be
>>>>>> the same apps that require you to re-enter so I always put it down to
>>>>>> something in our version. Then I decided to try it in on the trunk
>>>>>> demo
>>>>>> and I got the same result.
>>>>>>
>>>>>> I logged in originally to the catalogue then work effort, project and
>>>>>> then
>>>>>> I clicked on order manager. I then got a login screen and I entered
>>>>>> admin/ofbiz and got the following;
>>>>>>
>>>>>> The Following Errors Occurred:
>>>>>>
>>>>>> Error calling event: org.ofbiz.webapp.event.EventHandlerException:
>>>>>> Problems processing event: java.lang.IllegalArgumentException:
>>>>>> Could not
>>>>>> find resource bundle [SecurityextUiLabels] in the locale [en_US]
>>>>>> (Could
>>>>>> not find resource bundle [SecurityextUiLabels] in the locale [en_US])
>>>>>>
>>>>>> I then logged in again with eh same admin/ofbiz combo and was back in
>>>>>> the
>>>>>> app.
>>>>>> Anyone know why this is happening? Thanks.
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> View this message in context:
>>>>> http://www.nabble.com/Multiple-logins-needed-tp22374485p22389286.html
>>>>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>>>>>
>>>>
>>>>
>>>>

>
> You may be describing a well known issue, and one that is part of the
> way the externalLoginKey works (so it is not likely to change). The
> externalLoginKey allows you to automatically login to another webapp
> without a username/password. In order to do this a new login key is
> generated with EVERY request to the server in order to keep it's life
> cycle pretty short. As long as it is on a secure/https page when it goes
> to the browser it is pretty safe, but it generally comes back to the
> server in a URL and so needs to be invalidated immediately so that it
> cannot be used again, as that is pretty easy to snoop.
>
> So, to make it not work is easy: just have a page open in your browser
> that has a stale externalLoginKey in its URLS.
>
> 1. load a page where you are authenticated in tab/window A
> 2. right click on a link within the webapp and open it in tab/window B
> 3. go back to tab/window A and click on any link that goes to a webapp
> that you are not already logged into and that has an externalLoginKey
> parameter
>
> The externalLoginKey will be stale, so that auto-login will fail and you
> will be presented with the login form.
>
> -David
>
>
> On Mar 8, 2009, at 1:30 PM, Vince M. Clark wrote:
>
>> Here is the only thing I have seen come up in the log so far. I was in
>> the CMS application and clicked on the Party tab. I got a login screen
>> instead of being logged into PartyMgr automatically. The URL had the
>> external login key. Here is the only line I found in the log that
>> seems related:
>>
>> 2009-03-08 13:48:19,806 (http-0.0.0.0-8443-3) [
>> LoginWorker.java:828:WARN ] Could not find userLogin for external
>> login key: EL339616443508
>>
>> ----- Original Message -----
>> From: "BJ Freeman" <[hidden email]>
>> To: [hidden email]
>> Sent: Saturday, March 7, 2009 6:38:23 PM (GMT-0700) America/Denver
>> Subject: Re: Multiple logins needed
>>
> to track this done take a look in the URL for something like
> externalLoginKey=EL82824678935
> if so then should login
> if not then need to track back were someone was when they clicked to go
> to the place where the login happend.
>
> Just a thought
>
> Jacques Le Roux sent the following on 3/7/2009 8:51 AM:
>>>> Thanks to both for confirmation. Hans reported it some time ago, and I
>>>> saw it too.
>>>> That's why I tested but I did not reproduce. It's a random bug I guess,
>>>> hard to trace... We will see anyway...
>>>>
>>>> Jacques
>>>>
>>>> From: "Scott." <[hidden email]>
>>>>>
>>>>> I'm glad its real because I was starting to think I was nuts. I have
>>>>> tried
>>>>> many times to track it down but never seems to be the same way twice.
>>>>> Tried
>>>>> different browsers but thats not it. Had the same issue with Vista, XP
>>>>> Pro
>>>>> and 2003. Every now and then it just asks me for user/pass. It can be 5
>>>>> minutes of no use or 5 seconds. That said, I dont always get the
>>>>> error. This
>>>>> is something fairly new and I am a user not a developer so I really
>>>>> dont
>>>>> know what it means.
>>>>>
>>>>>
>>>>>
>>>>> Scott. wrote:
>>>>>>
>>>>>> Hello all,
>>>>>>
>>>>>> I was seeing what we thought was strange behavior in our ofbiz that
>>>>>> kept
>>>>>> making us login over and over without any real reason. I have had the
>>>>>> same
>>>>>> thing using FF3 and IE7 on an XP pro sp2 workstation. It never seems
>>>>>> to be
>>>>>> the same apps that require you to re-enter so I always put it down to
>>>>>> something in our version. Then I decided to try it in on the trunk
>>>>>> demo
>>>>>> and I got the same result.
>>>>>>
>>>>>> I logged in originally to the catalogue then work effort, project and
>>>>>> then
>>>>>> I clicked on order manager. I then got a login screen and I entered
>>>>>> admin/ofbiz and got the following;
>>>>>>
>>>>>> The Following Errors Occurred:
>>>>>>
>>>>>> Error calling event: org.ofbiz.webapp.event.EventHandlerException:
>>>>>> Problems processing event: java.lang.IllegalArgumentException:
>>>>>> Could not
>>>>>> find resource bundle [SecurityextUiLabels] in the locale [en_US]
>>>>>> (Could
>>>>>> not find resource bundle [SecurityextUiLabels] in the locale [en_US])
>>>>>>
>>>>>> I then logged in again with eh same admin/ofbiz combo and was back in
>>>>>> the
>>>>>> app.
>>>>>> Anyone know why this is happening? Thanks.
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> View this message in context:
>>>>> http://www.nabble.com/Multiple-logins-needed-tp22374485p22389286.html
>>>>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>>>>>
>>>>
>>>>
>>>>

>
> You may be describing a well known issue, and one that is part of the
> way the externalLoginKey works (so it is not likely to change). The
> externalLoginKey allows you to automatically login to another webapp
> without a username/password. In order to do this a new login key is
> generated with EVERY request to the server in order to keep it's life
> cycle pretty short. As long as it is on a secure/https page when it
> goes to the browser it is pretty safe, but it generally comes back to
> the server in a URL and so needs to be invalidated immediately so that
> it cannot be used again, as that is pretty easy to snoop.
>
> So, to make it not work is easy: just have a page open in your browser
> that has a stale externalLoginKey in its URLS.
>
> 1. load a page where you are authenticated in tab/window A
> 2. right click on a link within the webapp and open it in tab/window B
> 3. go back to tab/window A and click on any link that goes to a webapp
> that you are not already logged into and that has an externalLoginKey
> parameter
>
> The externalLoginKey will be stale, so that auto-login will fail and
> you will be presented with the login form.
>

> Quoting David E Jones <[hidden email]>:
>
>>
>> You may be describing a well known issue, and one that is part of the
>> way the externalLoginKey works (so it is not likely to change). The
>> externalLoginKey allows you to automatically login to another webapp
>> without a username/password. In order to do this a new login key is
>> generated with EVERY request to the server in order to keep it's life
>> cycle pretty short. As long as it is on a secure/https page when it
>> goes to the browser it is pretty safe, but it generally comes back to
>> the server in a URL and so needs to be invalidated immediately so  
>> that
>> it cannot be used again, as that is pretty easy to snoop.
>>
>> So, to make it not work is easy: just have a page open in your  
>> browser
>> that has a stale externalLoginKey in its URLS.
>>
>> 1. load a page where you are authenticated in tab/window A
>> 2. right click on a link within the webapp and open it in tab/
>> window B
>> 3. go back to tab/window A and click on any link that goes to a  
>> webapp
>> that you are not already logged into and that has an externalLoginKey
>> parameter
>>
>> The externalLoginKey will be stale, so that auto-login will fail and
>> you will be presented with the login form.
>>
>
> I was wondering why externalLoginKey is not a cookie? Probably  
> because of security reasons, but if it was a cookie, it would have a  
> short life cycle as JSESSIONID cookie (the cookie value will be  
> updated on every request) and working on many browser tabs at the  
> same time wouldn't require multiple logins.

>
> On Mar 11, 2009, at 5:16 PM, Bilgin Ibryam wrote:
>
>> Quoting David E Jones <[hidden email]>:
>>
>>>
>>> You may be describing a well known issue, and one that is part of  
>>> the
>>> way the externalLoginKey works (so it is not likely to change). The
>>> externalLoginKey allows you to automatically login to another webapp
>>> without a username/password. In order to do this a new login key is
>>> generated with EVERY request to the server in order to keep it's  
>>> life
>>> cycle pretty short. As long as it is on a secure/https page when it
>>> goes to the browser it is pretty safe, but it generally comes back  
>>> to
>>> the server in a URL and so needs to be invalidated immediately so  
>>> that
>>> it cannot be used again, as that is pretty easy to snoop.
>>>
>>> So, to make it not work is easy: just have a page open in your  
>>> browser
>>> that has a stale externalLoginKey in its URLS.
>>>
>>> 1. load a page where you are authenticated in tab/window A
>>> 2. right click on a link within the webapp and open it in tab/
>>> window B
>>> 3. go back to tab/window A and click on any link that goes to a  
>>> webapp
>>> that you are not already logged into and that has an  
>>> externalLoginKey
>>> parameter
>>>
>>> The externalLoginKey will be stale, so that auto-login will fail and
>>> you will be presented with the login form.
>>>
>>
>> I was wondering why externalLoginKey is not a cookie? Probably  
>> because of security reasons, but if it was a cookie, it would have  
>> a short life cycle as JSESSIONID cookie (the cookie value will be  
>> updated on every request) and working on many browser tabs at the  
>> same time wouldn't require multiple logins.
>
> That's a good idea. In theory even if the externalLoginKey were  
> updated with every request the cookie in the browser (if there is  
> only one cookie) then it would be updated and even other tabs and  
> windows should use that with their request. There is a still a  
> chance that 2 requests could end up in a race condition where one  
> gets in and causes the server-side key to update even though the  
> other request is on its way out and gets there after the server key  
> is updated, but still using the old key from the client cookie.
>
> Anyway, this is a good idea and the only reason I can think of to  
> not do it is the one you mentioned, ie the security of cookies. It  
> is very easy to spoof cookie domain names and get cookies from other  
> sites... it's a "feature" of cookies that causes problems.
>
> There may be ways to protect a cookie better, like encrypting it,  
> but even if the key is secret on the server a fast attacker, or one  
> that finds a session that has been idle for a while, then it can  
> still get the encrypted value and the server wouldn't know if it  
> came from a valid client or a forged one.
>
> Sorry, was thinking out loud... I'm not sure if there is a good  
> enough way to protect the cookie... and considering that this would  
> be substitution for the username and password, I'm not sure I like  
> it (I even have reservations about the current externalLoginKey...  
> but a better alternative is tricky...).
>
> -David
>
>

>
> hey,I got the same error
> I have no idea
> the following is my step
> 1、down the ofbiz package from website today
> 2、change the database for mysql5
> 3、don't load application directory and the specialpurpose directory
> 4、don't load the compentment of testtools and the example in the directory
> of framework
> and I change the port from 8080 to 80
> 5、my jdk is 1.5 and the development server is windows xp
> 6、I go into the directory of ofbiz.and then run "clean-all" ,I run
> "run-install" after last command
> 7、then I start the ofbiz by type "startofbiz.bat" in cmd
> and then I login in the webtools.
> I get the errors as follow
> "The Following Errors Occurred:
>
> The following error occurred during login: Service target threw an
> unexpected exception (Could not find resource bundle [SecurityextUiLabels]
> in the locale [zh_CN])
> "
> by the way .I am from China.
>
> --
> View this message in context: http://www.nabble.com/Multiple-logins-needed-tp22374485p22491095.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
>
>

> Any interesting log snippet around the error ? Is it reprodutible ?  
> R.r  (Release.revision) ?
>
> Thanks
>
> Jacques
>
> From: "kongqz" <[hidden email]>
>>
>> hey,I got the same error
>> I have no idea
>> the following is my step
>> 1、down the ofbiz package from website today
>> 2、change the database for mysql5
>> 3、don't load application directory and the specialpurpose directory
>> 4、don't load the compentment of testtools and the example in the  
>> directory
>> of framework
>> and I change the port from 8080 to 80
>> 5、my jdk is 1.5 and the development server is windows xp
>> 6、I go into the directory of ofbiz.and then run "clean-all" ,I run
>> "run-install" after last command
>> 7、then I start the ofbiz by type "startofbiz.bat" in cmd
>> and then I login in the webtools.
>> I get the errors as follow
>> "The Following Errors Occurred:
>>
>> The following error occurred during login: Service target threw an
>> unexpected exception (Could not find resource bundle  
>> [SecurityextUiLabels]
>> in the locale [zh_CN])
>> "
>> by the way .I am from China.
>>
>> --
>> View this message in context: http://www.nabble.com/Multiple-logins-needed-tp22374485p22491095.html
>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>>
>
>

> For solving 2 and 3 I guess two ways:
> Mark some of the requrest (actually better the views in  
> controller)so they don't generate new externalLoginKeys.
> Or add a request parameter to every request which should not  
> generate  new externalLoginKey.
>
> WDYT? Other proposals?
>
> Bilgin
> On Mar 12, 2009, at 7:19 AM, David E Jones wrote:
>
>>
>> On Mar 11, 2009, at 5:16 PM, Bilgin Ibryam wrote:
>>
>>> Quoting David E Jones <[hidden email]>:
>>>
>>>>
>>>> You may be describing a well known issue, and one that is part of  
>>>> the
>>>> way the externalLoginKey works (so it is not likely to change). The
>>>> externalLoginKey allows you to automatically login to another  
>>>> webapp
>>>> without a username/password. In order to do this a new login key is
>>>> generated with EVERY request to the server in order to keep it's  
>>>> life
>>>> cycle pretty short. As long as it is on a secure/https page when it
>>>> goes to the browser it is pretty safe, but it generally comes  
>>>> back to
>>>> the server in a URL and so needs to be invalidated immediately so  
>>>> that
>>>> it cannot be used again, as that is pretty easy to snoop.
>>>>
>>>> So, to make it not work is easy: just have a page open in your  
>>>> browser
>>>> that has a stale externalLoginKey in its URLS.
>>>>
>>>> 1. load a page where you are authenticated in tab/window A
>>>> 2. right click on a link within the webapp and open it in tab/
>>>> window B
>>>> 3. go back to tab/window A and click on any link that goes to a  
>>>> webapp
>>>> that you are not already logged into and that has an  
>>>> externalLoginKey
>>>> parameter
>>>>
>>>> The externalLoginKey will be stale, so that auto-login will fail  
>>>> and
>>>> you will be presented with the login form.
>>>>
>>>
>>> I was wondering why externalLoginKey is not a cookie? Probably  
>>> because of security reasons, but if it was a cookie, it would have  
>>> a short life cycle as JSESSIONID cookie (the cookie value will be  
>>> updated on every request) and working on many browser tabs at the  
>>> same time wouldn't require multiple logins.
>>
>> That's a good idea. In theory even if the externalLoginKey were  
>> updated with every request the cookie in the browser (if there is  
>> only one cookie) then it would be updated and even other tabs and  
>> windows should use that with their request. There is a still a  
>> chance that 2 requests could end up in a race condition where one  
>> gets in and causes the server-side key to update even though the  
>> other request is on its way out and gets there after the server key  
>> is updated, but still using the old key from the client cookie.
>>
>> Anyway, this is a good idea and the only reason I can think of to  
>> not do it is the one you mentioned, ie the security of cookies. It  
>> is very easy to spoof cookie domain names and get cookies from  
>> other sites... it's a "feature" of cookies that causes problems.
>>
>> There may be ways to protect a cookie better, like encrypting it,  
>> but even if the key is secret on the server a fast attacker, or one  
>> that finds a session that has been idle for a while, then it can  
>> still get the encrypted value and the server wouldn't know if it  
>> came from a valid client or a forged one.
>>
>> Sorry, was thinking out loud... I'm not sure if there is a good  
>> enough way to protect the cookie... and considering that this would  
>> be substitution for the username and password, I'm not sure I like  
>> it (I even have reservations about the current externalLoginKey...  
>> but a better alternative is tricky...).
>>
>> -David
>>
>>
>

>
> On Mar 13, 2009, at 3:58 AM, Bilgin Ibryam wrote:
>
>> 2. Clickin on lookup button.
>> 3. Ajax events which render screens (like ajax pagiantion and ajax  
>> drop downs).
>
> Have you actually observed either of these? If there are issues like  
> this anywhere it is because of bad coding. Lookup windows and ajax  
> requests should always be in the same webapp, and can participate in  
> the existing session.

>
>
> -David
>
>
>> For solving 2 and 3 I guess two ways:
>> Mark some of the requrest (actually better the views in  
>> controller)so they don't generate new externalLoginKeys.
>> Or add a request parameter to every request which should not  
>> generate  new externalLoginKey.
>>
>> WDYT? Other proposals?
>>
>> Bilgin
>> On Mar 12, 2009, at 7:19 AM, David E Jones wrote:
>>
>>>
>>> On Mar 11, 2009, at 5:16 PM, Bilgin Ibryam wrote:
>>>
>>>> Quoting David E Jones <[hidden email]>:
>>>>
>>>>>
>>>>> You may be describing a well known issue, and one that is part  
>>>>> of the
>>>>> way the externalLoginKey works (so it is not likely to change).  
>>>>> The
>>>>> externalLoginKey allows you to automatically login to another  
>>>>> webapp
>>>>> without a username/password. In order to do this a new login key  
>>>>> is
>>>>> generated with EVERY request to the server in order to keep it's  
>>>>> life
>>>>> cycle pretty short. As long as it is on a secure/https page when  
>>>>> it
>>>>> goes to the browser it is pretty safe, but it generally comes  
>>>>> back to
>>>>> the server in a URL and so needs to be invalidated immediately  
>>>>> so that
>>>>> it cannot be used again, as that is pretty easy to snoop.
>>>>>
>>>>> So, to make it not work is easy: just have a page open in your  
>>>>> browser
>>>>> that has a stale externalLoginKey in its URLS.
>>>>>
>>>>> 1. load a page where you are authenticated in tab/window A
>>>>> 2. right click on a link within the webapp and open it in tab/
>>>>> window B
>>>>> 3. go back to tab/window A and click on any link that goes to a  
>>>>> webapp
>>>>> that you are not already logged into and that has an  
>>>>> externalLoginKey
>>>>> parameter
>>>>>
>>>>> The externalLoginKey will be stale, so that auto-login will fail  
>>>>> and
>>>>> you will be presented with the login form.
>>>>>
>>>>
>>>> I was wondering why externalLoginKey is not a cookie? Probably  
>>>> because of security reasons, but if it was a cookie, it would  
>>>> have a short life cycle as JSESSIONID cookie (the cookie value  
>>>> will be updated on every request) and working on many browser  
>>>> tabs at the same time wouldn't require multiple logins.
>>>
>>> That's a good idea. In theory even if the externalLoginKey were  
>>> updated with every request the cookie in the browser (if there is  
>>> only one cookie) then it would be updated and even other tabs and  
>>> windows should use that with their request. There is a still a  
>>> chance that 2 requests could end up in a race condition where one  
>>> gets in and causes the server-side key to update even though the  
>>> other request is on its way out and gets there after the server  
>>> key is updated, but still using the old key from the client cookie.
>>>
>>> Anyway, this is a good idea and the only reason I can think of to  
>>> not do it is the one you mentioned, ie the security of cookies. It  
>>> is very easy to spoof cookie domain names and get cookies from  
>>> other sites... it's a "feature" of cookies that causes problems.
>>>
>>> There may be ways to protect a cookie better, like encrypting it,  
>>> but even if the key is secret on the server a fast attacker, or  
>>> one that finds a session that has been idle for a while, then it  
>>> can still get the encrypted value and the server wouldn't know if  
>>> it came from a valid client or a forged one.
>>>
>>> Sorry, was thinking out loud... I'm not sure if there is a good  
>>> enough way to protect the cookie... and considering that this  
>>> would be substitution for the username and password, I'm not sure  
>>> I like it (I even have reservations about the current  
>>> externalLoginKey... but a better alternative is tricky...).
>>>
>>> -David
>>>
>>>
>>
>

>I can reproduce is on demo server, but not locally. Here are the steps
> 1. From ofbiz site, using the demo links log in to trunk
> 2. Log out
> 3. Enter a wrong password and try to log in.
>
> I got this error message:
>
> Error calling event: org.ofbiz.webapp.event.EventHandlerException:  Problems processing event: java.lang.IllegalArgumentException:
> Could  not find resource bundle [SecurityextUiLabels] in the locale [en_US]  (Could not find resource bundle [SecurityextUiLabels]
> in the locale  [en_US])
>
> Bilgin
>
> On Mar 13, 2009, at 12:23 PM, Jacques Le Roux wrote:
>
>> Any interesting log snippet around the error ? Is it reprodutible ?  R.r  (Release.revision) ?
>>
>> Thanks
>>
>> Jacques
>>
>> From: "kongqz" <[hidden email]>
>>>
>>> hey,I got the same error
>>> I have no idea
>>> the following is my step
>>> 1、down the ofbiz package from website today
>>> 2、change the database for mysql5
>>> 3、don't load application directory and the specialpurpose directory
>>> 4、don't load the compentment of testtools and the example in the  directory
>>> of framework
>>> and I change the port from 8080 to 80
>>> 5、my jdk is 1.5 and the development server is windows xp
>>> 6、I go into the directory of ofbiz.and then run "clean-all" ,I run
>>> "run-install" after last command
>>> 7、then I start the ofbiz by type "startofbiz.bat" in cmd
>>> and then I login in the webtools.
>>> I get the errors as follow
>>> "The Following Errors Occurred:
>>>
>>> The following error occurred during login: Service target threw an
>>> unexpected exception (Could not find resource bundle  [SecurityextUiLabels]
>>> in the locale [zh_CN])
>>> "
>>> by the way .I am from China.
>>>
>>> --
>>> View this message in context: http://www.nabble.com/Multiple-logins-needed-tp22374485p22491095.html
>>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>>>
>>
>>
>
>

> Thanks Bilgin,
>
> I checked the log and then asked Contegix people to revert this file (framework/common/config/SecurityextUiLabels.xml) cetainly a
> merging issue
>
> BTW I got also this eror while trying to use Labels Manager on demo server
>
> 2009-03-15 08:26:26,651 (TP-Processor3) [ ModelScreen.java:409:ERROR] Error rendering screen
> [component://webtools/widget/LabelManagerScreens.xml#SearchLabels]: org.ofbiz.base.util.GeneralException: Error running Groovy
> script at location [component://webtools/webapp/webtools/WEB-INF/actions/labelmanager/LabelManager.groovy] (The content of
> elements
> must consist of well-formed character data or markup.). Rolling back transaction.
>
> I hope it's related (would fix 2 errors in one shoot :o)
>
> Jacques
>
> From: "Bilgin Ibryam" <[hidden email]>
>>I can reproduce is on demo server, but not locally. Here are the steps
>> 1. From ofbiz site, using the demo links log in to trunk
>> 2. Log out
>> 3. Enter a wrong password and try to log in.
>>
>> I got this error message:
>>
>> Error calling event: org.ofbiz.webapp.event.EventHandlerException:  Problems processing event:
>> java.lang.IllegalArgumentException:
>> Could  not find resource bundle [SecurityextUiLabels] in the locale [en_US]  (Could not find resource bundle
>> [SecurityextUiLabels]
>> in the locale  [en_US])
>>
>> Bilgin
>>
>> On Mar 13, 2009, at 12:23 PM, Jacques Le Roux wrote:
>>
>>> Any interesting log snippet around the error ? Is it reprodutible ?  R.r  (Release.revision) ?
>>>
>>> Thanks
>>>
>>> Jacques
>>>
>>> From: "kongqz" <[hidden email]>
>>>>
>>>> hey,I got the same error
>>>> I have no idea
>>>> the following is my step
>>>> 1、down the ofbiz package from website today
>>>> 2、change the database for mysql5
>>>> 3、don't load application directory and the specialpurpose directory
>>>> 4、don't load the compentment of testtools and the example in the  directory
>>>> of framework
>>>> and I change the port from 8080 to 80
>>>> 5、my jdk is 1.5 and the development server is windows xp
>>>> 6、I go into the directory of ofbiz.and then run "clean-all" ,I run
>>>> "run-install" after last command
>>>> 7、then I start the ofbiz by type "startofbiz.bat" in cmd
>>>> and then I login in the webtools.
>>>> I get the errors as follow
>>>> "The Following Errors Occurred:
>>>>
>>>> The following error occurred during login: Service target threw an
>>>> unexpected exception (Could not find resource bundle  [SecurityextUiLabels]
>>>> in the locale [zh_CN])
>>>> "
>>>> by the way .I am from China.
>>>>
>>>> --
>>>> View this message in context: http://www.nabble.com/Multiple-logins-needed-tp22374485p22491095.html
>>>> Sent from the OFBiz - User mailing list archive at Nabble.com.
>>>>
>>>
>>>
>>
>>
>
>