Hello, Everyone
I have seen the new security improvement, but I would like to know if there is a global property in order to ignore https="true" for every request. To ignore https in every controller.xml, I have set https=N in url.properties and I have also modified ConfigXml.java in this way - if (securityElement != null) { - this.securityHttps = "true".equals(securityElement.getAttribute("https")); + if (securityElement != null) { + this.securityHttps = false; So I don't use secure URLs. Waht do you think about global property and my solution? Any advice would be greatly appreciated. Thank you |
You could do that, but why? Are your customers not concerned about security?
-Adrian Angelo Matarazzo wrote: > Hello, Everyone > I have seen the new security improvement, but I would like to know if there > is a global property in order to ignore https="true" for every request. > > To ignore https in every controller.xml, I have set https=N in > url.properties > and I have also modified ConfigXml.java in this way > > - if (securityElement != null) { > - this.securityHttps = > "true".equals(securityElement.getAttribute("https")); > > + if (securityElement != null) { > + this.securityHttps = false; > > So I don't use secure URLs. > Waht do you think about global property and my solution? > Any advice would be greatly appreciated. > Thank you |
In reply to this post by matarazzo angelo
On Mar 31, 2009, at 2:07 PM, Angelo Matarazzo wrote: > > Hello, Everyone > I have seen the new security improvement, but I would like to know > if there > is a global property in order to ignore https="true" for every > request. > > To ignore https in every controller.xml, I have set https=N in > url.properties > and I have also modified ConfigXml.java in this way > > - if (securityElement != null) { > - this.securityHttps = > "true".equals(securityElement.getAttribute("https")); > > + if (securityElement != null) { > + this.securityHttps = false; Wouldn't this change make the https attribute of the security element in the controller.xml file always ignored, ie never used? You could certainly do this in a local patch (though I wouldn't recommend it...), but no we would not want to make sure changes in the project. -David > So I don't use secure URLs. > Waht do you think about global property and my solution? > Any advice would be greatly appreciated. > Thank you > -- > View this message in context: http://www.nabble.com/Problem-with-https-tp22810404p22810404.html > Sent from the OFBiz - User mailing list archive at Nabble.com. > |
In reply to this post by matarazzo angelo
Hi Adrian, David,
for my project at the first I wouldn't use certificate or self-certified certificate. Before security improvement, I only setted https="false" in url.properties file and I had no problem about certificates and secure connections. After security improvement, I thought it would be a good idea to include in a .properties(ie securityService.properties) file a property like httpsService="false" (default is "true" ) in order to choose whether use or not SSL and secure URLs. In this way ConfigXml.java is +private String securityService=UtilProperties.getPropertyValue("securityService.properties", "httpsService"); +if (securityElement != null) { + if ("false".equals(securityService)) + this.securityHttps = false; + else { + this.securityHttps = "true".equals(securityElement.getAttribute("https")); + } What do you think about this idea?
|
I'm not sure if I understand what you're running into. What would be most helpful to make progress on this is if you describe the problem you're having, and then hopefully this proposed solution to the problem would make more sense. In the problem description please include steps to reproduce, and a description of the error or other unexpected behavior you're seeing so that it is possible for someone else to try to reproduce this, and know whether or not they have successfully reproduced it. The problem part is the most important thing, but more details about your proposed changes would be helpful too. For example, there is no "ConfigXml.java" file, and in your code change snippets there are no line numbers. -David On Apr 1, 2009, at 3:23 AM, Angelo Matarazzo wrote: > > Hi Adrian, David, > for my project at the first I wouldn't use certificate or self- > certified > certificate. > Before security improvement, I only setted https="false" in > url.properties > file and I had no problem about certificates and secure connections. > After > security improvement, I thought it would be a good idea to include > in a > .properties(ie securityService.properties) file a property like > httpsService="false" (default is "true" ) in order to choose whether > use or > not SSL and secure URLs. > In this way ConfigXml.java is > > +private String > securityService > =UtilProperties.getPropertyValue("securityService.properties", > "httpsService"); > > +if (securityElement != null) { > + if ("false".equals(securityService)) > + this.securityHttps = false; > + else { > + this.securityHttps = > "true".equals(securityElement.getAttribute("https")); > + } > > > What do you think about this idea? > > > Angelo Matarazzo wrote: >> >> Hello, Everyone >> I have seen the new security improvement, but I would like to know if >> there is a global property in order to ignore https="true" for every >> request. >> >> To ignore https in every controller.xml, I have set https=N in >> url.properties >> and I have also modified ConfigXml.java in this way >> >> - if (securityElement != null) { >> - this.securityHttps = >> "true".equals(securityElement.getAttribute("https")); >> >> + if (securityElement != null) { >> + this.securityHttps = false; >> >> So I don't use secure URLs. >> Waht do you think about global property and my solution? >> Any advice would be greatly appreciated. >> Thank you >> > > -- > View this message in context: http://www.nabble.com/Problem-with-https-tp22810404p22822761.html > Sent from the OFBiz - User mailing list archive at Nabble.com. > |
In reply to this post by matarazzo angelo
Hi David,
thank you for trying to help me. I try now to better explain the issue. Before the Secure URL chage was introduced, whenever I had to test my OFBiz installation using unsecure only access, I did set the port.https.enabled= 'N' in the url.properties file. This was very usefull in several cases (ie firewalls only allowing http). This only change was enough to have the complete OFBiz installation to operate on http only (no https). If I do the same now that the secure URL is there, I cannot avoid the use of https. How to gain again the easy (one single change in one single file) https disable feature in OFBiz now? Many thanks, Angelo
|
Free forum by Nabble | Edit this page |