OFBiz OFBiz - User

Secure URLs end for link, hyperlink and sub-hyperlink

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
10 messages Options
Jacques Le Roux
Reply | Threaded
Open this post in threaded view
|

Secure URLs end for link, hyperlink and sub-hyperlink

Jacques Le Roux
Administrator
After the changes recently introduced. The campaign to secure URLs for link, hyperlink and sub-hyperlink is now finished.
Please report any related errors you may cross

Thanks

Jacques
BJ Freeman
Reply | Threaded
Open this post in threaded view
|

Re: Secure URLs end for link, hyperlink and sub-hyperlink

BJ Freeman
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for the effort, Jacques.


Jacques Le Roux sent the following on 4/5/2009 7:59 AM:
> After the changes recently introduced. The campaign to secure URLs for link, hyperlink and sub-hyperlink is now finished.
> Please report any related errors you may cross
>
> Thanks
>
> Jacques
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJ2MgWrP3NbaWWqE4RAqr+AJ437qkqdVkjM5fQRrGVSZNR1VqZfwCguCS7
r1xIFtlWXo5KiUyzzELx9wI=
=+dmt
-----END PGP SIGNATURE-----
Jacopo Cappellato-4
Reply | Threaded
Open this post in threaded view
|

Re: Secure URLs end for link, hyperlink and sub-hyperlink

Jacopo Cappellato-4
In reply to this post by Jacques Le Roux
thanks so much for your work, Jacques.

Jacopo

On Apr 5, 2009, at 8:29 PM, Jacques Le Roux wrote:

> After the changes recently introduced. The campaign to secure URLs  
> for link, hyperlink and sub-hyperlink is now finished.
> Please report any related errors you may cross
>
> Thanks
>
> Jacques


smime.p7s (3K) Download Attachment
matarazzo angelo
Reply | Threaded
Open this post in threaded view
|

Re: Secure URLs end for link, hyperlink and sub-hyperlink

matarazzo angelo
In reply to this post by Jacques Le Roux
Hi, Jaques
I don't know if my problem is a error but I think you can help me.
My question is:
"Can I change the protocol for all the traffic to http from https? If yes,
how do I go about doing it?"

I followed the advices here
http://www.nabble.com/changing-https-to-http-td11412198.html#a22907203

I setted port.https.enabled="N" in url.properties file.

Before changes

I went here
http://abna22216ecs:8080/webtools/

I inserted  user:    admin
              password:ofbiz

The request
http://localhost:8080/webtools/control/login worked!

Now,after security improvement

The request
http://localhost:8080/webtools/control/login doesn't work!

The error is:
org.ofbiz.webapp.control.RequestHandlerException: Not accepting insecure form data posted to a secure request

How can I change the protocol for all the traffic to http from https now?

Thanks,

Angelo

jacques.le.roux wrote
After the changes recently introduced. The campaign to secure URLs for link, hyperlink and sub-hyperlink is now finished.
Please report any related errors you may cross

Thanks

Jacques
Jacques Le Roux
Reply | Threaded
Open this post in threaded view
|

Re: Secure URLs end for link, hyperlink and sub-hyperlink

Jacques Le Roux
Administrator
This sounds like port.https.enabled="N" in url.properties file is not longer working.

Quick answer : 2 alternatives
Harder but safer, you will have to revert related changes and get back to previous situation (should not be too hard though)
Hack : look at RequestHandler.java line 184

Jacques

From: "Angelo Matarazzo" <[hidden email]>

> Hi, Jaques
> I don't know if my problem is a error but I think you can help me.
> My question is:
> "Can I change the protocol for all the traffic to http from https? If yes,
> how do I go about doing it?"
>
> I followed the advices here
> http://www.nabble.com/changing-https-to-http-td11412198.html#a22907203
>
> I setted port.https.enabled="N" in url.properties file.
>
> Before changes
>
> I went here
> http://abna22216ecs:8080/webtools/
>
> I inserted  user:    admin
>              password:ofbiz
>
> The request
> http://localhost:8080/webtools/control/login worked!
>
> Now,after security improvement
>
> The request
> http://localhost:8080/webtools/control/login doesn't work!
>
> The error is:
> org.ofbiz.webapp.control.RequestHandlerException: Not accepting insecure
> form data posted to a secure request
>
> How can I change the protocol for all the traffic to http from https now?
>
> Thanks,
>
> Angelo
>
>
> jacques.le.roux wrote:
>>
>> After the changes recently introduced. The campaign to secure URLs for
>> link, hyperlink and sub-hyperlink is now finished.
>> Please report any related errors you may cross
>>
>> Thanks
>>
>> Jacques
>>
>>
>
> --
> View this message in context:
> http://www.nabble.com/Secure-URLs-end-for-link%2C-hyperlink-and-sub-hyperlink-tp22894715p22934649.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
>


matarazzo angelo
Reply | Threaded
Open this post in threaded view
|

Re: Secure URLs end for link, hyperlink and sub-hyperlink

matarazzo angelo
In reply to this post by Jacques Le Roux
Hi Jacques,
I understood the problem.
I have looked at RequestHandler.java line 184.
At line 179 there is   if (!request.isSecure() && requestMap.securityHttps).
Now with "http://localhost:8080"  request.isSecure() is "false" but requestMap.securityHttps depends on ConfigXMLReader.java at line 384 'this.securityHttps = "true".equals(securityElement.getAttribute("https"));'
In your opinion is it good idea change ConfigXMLReader.java in this way?


-  if (securityElement != null) {
-               this.securityHttps = "true".equals(securityElement.getAttribute("https"));

     

+boolean useHttpsDefault = UtilProperties.propertyValueEqualsIgnoreCase("url.properties", "port.https.enabled", "Y");


+if (securityElement != null) {
+ if (useHttpsDefault))
      this.securityHttps = "true".equals(securityElement.getAttribute("https"));
+            
+ else {
+          this.securityHttps = false;
+ }

Thanks,
Angelo


jacques.le.roux wrote
After the changes recently introduced. The campaign to secure URLs for link, hyperlink and sub-hyperlink is now finished.
Please report any related errors you may cross

Thanks

Jacques
David E Jones-3
Reply | Threaded
Open this post in threaded view
|

Re: Secure URLs end for link, hyperlink and sub-hyperlink

David E Jones-3

Angelo,

This issue should be addressed in SVN rev 763855. Please read the  
commit log as deploying in this way is not recommended as it opens a  
security hole.

Also, as a general recommendation for future reference so that your  
feedback and requests are better received: if you find an issue report  
it in as much detail as possible (including steps to reproduce, what  
you expected to happen, and what actually happened including EXACT  
error message quotes, along with whatever you find about it), and do  
so by creating an issue in Jira. That way you won't have to send the  
same complaint over and over, and we won't have to guess about what  
you're seeing and what is happening.

Anyway, thanks for reporting this and I hope your experience is  
overall good with OFBiz!

-David


On Apr 9, 2009, at 2:33 AM, Angelo Matarazzo wrote:

>
> Hi Jacques,
> I understood the problem.
> I have looked at RequestHandler.java line 184.
> At line 179 there is   if (!request.isSecure() &&  
> requestMap.securityHttps).
> Now with "http://localhost:8080"  request.isSecure() is "false" but
> requestMap.securityHttps depends on ConfigXMLReader.java at line 384
> 'this.securityHttps =  
> "true".equals(securityElement.getAttribute("https"));'
> In your opinion is it good idea change ConfigXMLReader.java in this  
> way?
>
>
> -  if (securityElement != null) {
> -               this.securityHttps =
> "true".equals(securityElement.getAttribute("https"));
>
>
>
> +boolean useHttpsDefault =
> UtilProperties.propertyValueEqualsIgnoreCase("url.properties",
> "port.https.enabled", "Y");
>
>
> +if (securityElement != null) {
> + if (useHttpsDefault))
>      this.securityHttps =
> "true".equals(securityElement.getAttribute("https"));
> +
> + else {
> +          this.securityHttps = false;
> + }
>
> Thanks,
> Angelo
>
>
>
> jacques.le.roux wrote:
>>
>> After the changes recently introduced. The campaign to secure URLs  
>> for
>> link, hyperlink and sub-hyperlink is now finished.
>> Please report any related errors you may cross
>>
>> Thanks
>>
>> Jacques
>>
>>
>
> --
> View this message in context: http://www.nabble.com/Secure-URLs-end-for-link%2C-hyperlink-and-sub-hyperlink-tp22894715p22966638.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
>

Jacques Le Roux
Reply | Threaded
Open this post in threaded view
|

Re: Secure URLs end for link, hyperlink and sub-hyperlink

Jacques Le Roux
Administrator
In reply to this post by matarazzo angelo
Hi Angelo,

David has officially fixed this issue at r763855, but please read his comment!

Jacques
PS: Oops just read David's post, anyway...

From: "Angelo Matarazzo" <[hidden email]>

> Hi Jacques,
> I understood the problem.
> I have looked at RequestHandler.java line 184.
> At line 179 there is   if (!request.isSecure() && requestMap.securityHttps).
> Now with "http://localhost:8080"  request.isSecure() is "false" but
> requestMap.securityHttps depends on ConfigXMLReader.java at line 384
> 'this.securityHttps = "true".equals(securityElement.getAttribute("https"));'
> In your opinion is it good idea change ConfigXMLReader.java in this way?
>
>
> -  if (securityElement != null) {
> -               this.securityHttps =
> "true".equals(securityElement.getAttribute("https"));
>
>
>
> +boolean useHttpsDefault =
> UtilProperties.propertyValueEqualsIgnoreCase("url.properties",
> "port.https.enabled", "Y");
>
>
> +if (securityElement != null) {
> + if (useHttpsDefault))
>      this.securityHttps =
> "true".equals(securityElement.getAttribute("https"));
> +
> + else {
> +          this.securityHttps = false;
> + }
>
> Thanks,
> Angelo
>
>
>
> jacques.le.roux wrote:
>>
>> After the changes recently introduced. The campaign to secure URLs for
>> link, hyperlink and sub-hyperlink is now finished.
>> Please report any related errors you may cross
>>
>> Thanks
>>
>> Jacques
>>
>>
>
> --
> View this message in context:
> http://www.nabble.com/Secure-URLs-end-for-link%2C-hyperlink-and-sub-hyperlink-tp22894715p22966638.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
>


matarazzo angelo
Reply | Threaded
Open this post in threaded view
|

Re: Secure URLs end for link, hyperlink and sub-hyperlink

matarazzo angelo
In reply to this post by Jacques Le Roux
Hi, David, Jacques
You have right about security hole.
But after security improvement "port.https.enabled" was useless (or not?).
Sorry for my bad reporting way.
But I'wasn't sure if my issue should  be reported in Jira.
However, thanks a lot
Angelo

jacques.le.roux wrote
After the changes recently introduced. The campaign to secure URLs for link, hyperlink and sub-hyperlink is now finished.
Please report any related errors you may cross

Thanks

Jacques
Jacques Le Roux
Reply | Threaded
Open this post in threaded view
|

Re: Secure URLs end for link, hyperlink and sub-hyperlink

Jacques Le Roux
Administrator
Actually David reestablished this feature which was already a hole, you are free to use it ;o)
It was a question of reporting in Jira (you were right for that) but to give more informations, details, etc.

Anyway thanks for the report!

Jacques

From: "Angelo Matarazzo" <[hidden email]>

> Hi, David, Jacques
> You have right about security hole.
> But after security improvement "port.https.enabled" was useless (or not?).
> Sorry for my bad reporting way.
> But I'wasn't sure if my issue should  be reported in Jira.
> However, thanks a lot
> Angelo
>
>
> jacques.le.roux wrote:
>>
>> After the changes recently introduced. The campaign to secure URLs for
>> link, hyperlink and sub-hyperlink is now finished.
>> Please report any related errors you may cross
>>
>> Thanks
>>
>> Jacques
>>
>>
>
> --
> View this message in context:
> http://www.nabble.com/Secure-URLs-end-for-link%2C-hyperlink-and-sub-hyperlink-tp22894715p22984646.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
>


Free forum by Nabble Edit this page