Problem with https

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Problem with https

matarazzo angelo
Hello, Everyone
I have seen the new security improvement, but I would like to know if there is a global property in order to ignore https="true" for every request.

To ignore https in every controller.xml, I have set https=N in url.properties
and I have also modified ConfigXml.java in this way

-  if (securityElement != null) {
-               this.securityHttps = "true".equals(securityElement.getAttribute("https"));

+ if (securityElement != null) {
+              this.securityHttps = false;

So I don't use secure URLs.
Waht do you think about global property and my solution?
Any advice would be greatly appreciated.  
Thank you
Reply | Threaded
Open this post in threaded view
|

Re: Problem with https

Adrian Crum
You could do that, but why? Are your customers not concerned about security?

-Adrian

Angelo Matarazzo wrote:

> Hello, Everyone
> I have seen the new security improvement, but I would like to know if there
> is a global property in order to ignore https="true" for every request.
>
> To ignore https in every controller.xml, I have set https=N in
> url.properties
> and I have also modified ConfigXml.java in this way
>
> -  if (securityElement != null) {
> -               this.securityHttps =
> "true".equals(securityElement.getAttribute("https"));
>
> + if (securityElement != null) {
> +              this.securityHttps = false;
>
> So I don't use secure URLs.
> Waht do you think about global property and my solution?
> Any advice would be greatly appreciated.  
> Thank you
Reply | Threaded
Open this post in threaded view
|

Re: Problem with https

David E Jones-3
In reply to this post by matarazzo angelo

On Mar 31, 2009, at 2:07 PM, Angelo Matarazzo wrote:

>
> Hello, Everyone
> I have seen the new security improvement, but I would like to know  
> if there
> is a global property in order to ignore https="true" for every  
> request.
>
> To ignore https in every controller.xml, I have set https=N in
> url.properties
> and I have also modified ConfigXml.java in this way
>
> -  if (securityElement != null) {
> -               this.securityHttps =
> "true".equals(securityElement.getAttribute("https"));
>
> + if (securityElement != null) {
> +              this.securityHttps = false;

Wouldn't this change make the https attribute of the security element  
in the controller.xml file always ignored, ie never used?

You could certainly do this in a local patch (though I wouldn't  
recommend it...), but no we would not want to make sure changes in the  
project.

-David


> So I don't use secure URLs.
> Waht do you think about global property and my solution?
> Any advice would be greatly appreciated.
> Thank you
> --
> View this message in context: http://www.nabble.com/Problem-with-https-tp22810404p22810404.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
>

Reply | Threaded
Open this post in threaded view
|

Re: Problem with https

matarazzo angelo
In reply to this post by matarazzo angelo
Hi Adrian, David,
for my project  at the first I wouldn't use certificate or  self-certified certificate.
Before security improvement, I only setted https="false" in url.properties file and I had no problem about certificates and secure connections. After security improvement, I thought it would be a good idea to include in a .properties(ie securityService.properties) file a property like httpsService="false" (default is "true" ) in order to choose whether use or not SSL and secure URLs.
In this way ConfigXml.java is

+private String securityService=UtilProperties.getPropertyValue("securityService.properties", "httpsService");

+if (securityElement != null) {
+ if ("false".equals(securityService))
+              this.securityHttps = false;
+ else {
+       this.securityHttps = "true".equals(securityElement.getAttribute("https"));
+ }


What do you think about this idea?

Angelo Matarazzo wrote
Hello, Everyone
I have seen the new security improvement, but I would like to know if there is a global property in order to ignore https="true" for every request.

To ignore https in every controller.xml, I have set https=N in url.properties
and I have also modified ConfigXml.java in this way

-  if (securityElement != null) {
-               this.securityHttps = "true".equals(securityElement.getAttribute("https"));

+ if (securityElement != null) {
+              this.securityHttps = false;

So I don't use secure URLs.
Waht do you think about global property and my solution?
Any advice would be greatly appreciated.  
Thank you
Reply | Threaded
Open this post in threaded view
|

Re: Problem with https

David E Jones-3

I'm not sure if I understand what you're running into. What would be  
most helpful to make progress on this is if you describe the problem  
you're having, and then hopefully this proposed solution to the  
problem would make more sense. In the problem description please  
include steps to reproduce, and a description of the error or other  
unexpected behavior you're seeing so that it is possible for someone  
else to try to reproduce this, and know whether or not they have  
successfully reproduced it.

The problem part is the most important thing, but more details about  
your proposed changes would be helpful too. For example, there is no  
"ConfigXml.java" file, and in your code change snippets there are no  
line numbers.

-David


On Apr 1, 2009, at 3:23 AM, Angelo Matarazzo wrote:

>
> Hi Adrian, David,
> for my project  at the first I wouldn't use certificate or  self-
> certified
> certificate.
> Before security improvement, I only setted https="false" in  
> url.properties
> file and I had no problem about certificates and secure connections.  
> After
> security improvement, I thought it would be a good idea to include  
> in a
> .properties(ie securityService.properties) file a property like
> httpsService="false" (default is "true" ) in order to choose whether  
> use or
> not SSL and secure URLs.
> In this way ConfigXml.java is
>
> +private String
> securityService
> =UtilProperties.getPropertyValue("securityService.properties",
> "httpsService");
>
> +if (securityElement != null) {
> + if ("false".equals(securityService))
> +              this.securityHttps = false;
> + else {
> +       this.securityHttps =
> "true".equals(securityElement.getAttribute("https"));
> + }
>
>
> What do you think about this idea?
>
>
> Angelo Matarazzo wrote:
>>
>> Hello, Everyone
>> I have seen the new security improvement, but I would like to know if
>> there is a global property in order to ignore https="true" for every
>> request.
>>
>> To ignore https in every controller.xml, I have set https=N in
>> url.properties
>> and I have also modified ConfigXml.java in this way
>>
>> -  if (securityElement != null) {
>> -               this.securityHttps =
>> "true".equals(securityElement.getAttribute("https"));
>>
>> + if (securityElement != null) {
>> +              this.securityHttps = false;
>>
>> So I don't use secure URLs.
>> Waht do you think about global property and my solution?
>> Any advice would be greatly appreciated.
>> Thank you
>>
>
> --
> View this message in context: http://www.nabble.com/Problem-with-https-tp22810404p22822761.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
>

Reply | Threaded
Open this post in threaded view
|

Re: Problem with https

matarazzo angelo
In reply to this post by matarazzo angelo
Hi David,
thank you for trying to help me.
I try now to better explain the issue.

Before the Secure URL chage was introduced, whenever I had to test my OFBiz installation using unsecure only access,
I did set the port.https.enabled= 'N' in the url.properties file.

This was very usefull in several cases (ie firewalls only allowing http).

This only change was enough to have the complete OFBiz installation to operate on http only (no https).

If I do the same now that the secure URL is there, I cannot avoid the use of https.

How to gain again the easy (one single change in one single file) https disable feature in OFBiz now?

Many thanks,
Angelo
Angelo Matarazzo wrote
Hello, Everyone
I have seen the new security improvement, but I would like to know if there is a global property in order to ignore https="true" for every request.

To ignore https in every controller.xml, I have set https=N in url.properties
and I have also modified ConfigXml.java in this way

-  if (securityElement != null) {
-               this.securityHttps = "true".equals(securityElement.getAttribute("https"));

+ if (securityElement != null) {
+              this.securityHttps = false;

So I don't use secure URLs.
Waht do you think about global property and my solution?
Any advice would be greatly appreciated.  
Thank you