Administrator
|
After the changes recently introduced. The campaign to secure URLs for link, hyperlink and sub-hyperlink is now finished.
Please report any related errors you may cross Thanks Jacques |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 Thanks for the effort, Jacques. Jacques Le Roux sent the following on 4/5/2009 7:59 AM: > After the changes recently introduced. The campaign to secure URLs for link, hyperlink and sub-hyperlink is now finished. > Please report any related errors you may cross > > Thanks > > Jacques > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJ2MgWrP3NbaWWqE4RAqr+AJ437qkqdVkjM5fQRrGVSZNR1VqZfwCguCS7 r1xIFtlWXo5KiUyzzELx9wI= =+dmt -----END PGP SIGNATURE----- |
In reply to this post by Jacques Le Roux
thanks so much for your work, Jacques.
Jacopo On Apr 5, 2009, at 8:29 PM, Jacques Le Roux wrote: > After the changes recently introduced. The campaign to secure URLs > for link, hyperlink and sub-hyperlink is now finished. > Please report any related errors you may cross > > Thanks > > Jacques smime.p7s (3K) Download Attachment |
In reply to this post by Jacques Le Roux
Hi, Jaques
I don't know if my problem is a error but I think you can help me. My question is: "Can I change the protocol for all the traffic to http from https? If yes, how do I go about doing it?" I followed the advices here http://www.nabble.com/changing-https-to-http-td11412198.html#a22907203 I setted port.https.enabled="N" in url.properties file. Before changes I went here http://abna22216ecs:8080/webtools/ I inserted user: admin password:ofbiz The request http://localhost:8080/webtools/control/login worked! Now,after security improvement The request http://localhost:8080/webtools/control/login doesn't work! The error is: org.ofbiz.webapp.control.RequestHandlerException: Not accepting insecure form data posted to a secure request How can I change the protocol for all the traffic to http from https now? Thanks, Angelo
|
Administrator
|
This sounds like port.https.enabled="N" in url.properties file is not longer working.
Quick answer : 2 alternatives Harder but safer, you will have to revert related changes and get back to previous situation (should not be too hard though) Hack : look at RequestHandler.java line 184 Jacques From: "Angelo Matarazzo" <[hidden email]> > Hi, Jaques > I don't know if my problem is a error but I think you can help me. > My question is: > "Can I change the protocol for all the traffic to http from https? If yes, > how do I go about doing it?" > > I followed the advices here > http://www.nabble.com/changing-https-to-http-td11412198.html#a22907203 > > I setted port.https.enabled="N" in url.properties file. > > Before changes > > I went here > http://abna22216ecs:8080/webtools/ > > I inserted user: admin > password:ofbiz > > The request > http://localhost:8080/webtools/control/login worked! > > Now,after security improvement > > The request > http://localhost:8080/webtools/control/login doesn't work! > > The error is: > org.ofbiz.webapp.control.RequestHandlerException: Not accepting insecure > form data posted to a secure request > > How can I change the protocol for all the traffic to http from https now? > > Thanks, > > Angelo > > > jacques.le.roux wrote: >> >> After the changes recently introduced. The campaign to secure URLs for >> link, hyperlink and sub-hyperlink is now finished. >> Please report any related errors you may cross >> >> Thanks >> >> Jacques >> >> > > -- > View this message in context: > http://www.nabble.com/Secure-URLs-end-for-link%2C-hyperlink-and-sub-hyperlink-tp22894715p22934649.html > Sent from the OFBiz - User mailing list archive at Nabble.com. > |
In reply to this post by Jacques Le Roux
Hi Jacques,
I understood the problem. I have looked at RequestHandler.java line 184. At line 179 there is if (!request.isSecure() && requestMap.securityHttps). Now with "http://localhost:8080" request.isSecure() is "false" but requestMap.securityHttps depends on ConfigXMLReader.java at line 384 'this.securityHttps = "true".equals(securityElement.getAttribute("https"));' In your opinion is it good idea change ConfigXMLReader.java in this way? - if (securityElement != null) { - this.securityHttps = "true".equals(securityElement.getAttribute("https")); +boolean useHttpsDefault = UtilProperties.propertyValueEqualsIgnoreCase("url.properties", "port.https.enabled", "Y"); +if (securityElement != null) { + if (useHttpsDefault)) this.securityHttps = "true".equals(securityElement.getAttribute("https")); + + else { + this.securityHttps = false; + } Thanks, Angelo
|
Angelo, This issue should be addressed in SVN rev 763855. Please read the commit log as deploying in this way is not recommended as it opens a security hole. Also, as a general recommendation for future reference so that your feedback and requests are better received: if you find an issue report it in as much detail as possible (including steps to reproduce, what you expected to happen, and what actually happened including EXACT error message quotes, along with whatever you find about it), and do so by creating an issue in Jira. That way you won't have to send the same complaint over and over, and we won't have to guess about what you're seeing and what is happening. Anyway, thanks for reporting this and I hope your experience is overall good with OFBiz! -David On Apr 9, 2009, at 2:33 AM, Angelo Matarazzo wrote: > > Hi Jacques, > I understood the problem. > I have looked at RequestHandler.java line 184. > At line 179 there is if (!request.isSecure() && > requestMap.securityHttps). > Now with "http://localhost:8080" request.isSecure() is "false" but > requestMap.securityHttps depends on ConfigXMLReader.java at line 384 > 'this.securityHttps = > "true".equals(securityElement.getAttribute("https"));' > In your opinion is it good idea change ConfigXMLReader.java in this > way? > > > - if (securityElement != null) { > - this.securityHttps = > "true".equals(securityElement.getAttribute("https")); > > > > +boolean useHttpsDefault = > UtilProperties.propertyValueEqualsIgnoreCase("url.properties", > "port.https.enabled", "Y"); > > > +if (securityElement != null) { > + if (useHttpsDefault)) > this.securityHttps = > "true".equals(securityElement.getAttribute("https")); > + > + else { > + this.securityHttps = false; > + } > > Thanks, > Angelo > > > > jacques.le.roux wrote: >> >> After the changes recently introduced. The campaign to secure URLs >> for >> link, hyperlink and sub-hyperlink is now finished. >> Please report any related errors you may cross >> >> Thanks >> >> Jacques >> >> > > -- > View this message in context: http://www.nabble.com/Secure-URLs-end-for-link%2C-hyperlink-and-sub-hyperlink-tp22894715p22966638.html > Sent from the OFBiz - User mailing list archive at Nabble.com. > |
Administrator
|
In reply to this post by matarazzo angelo
Hi Angelo,
David has officially fixed this issue at r763855, but please read his comment! Jacques PS: Oops just read David's post, anyway... From: "Angelo Matarazzo" <[hidden email]> > Hi Jacques, > I understood the problem. > I have looked at RequestHandler.java line 184. > At line 179 there is if (!request.isSecure() && requestMap.securityHttps). > Now with "http://localhost:8080" request.isSecure() is "false" but > requestMap.securityHttps depends on ConfigXMLReader.java at line 384 > 'this.securityHttps = "true".equals(securityElement.getAttribute("https"));' > In your opinion is it good idea change ConfigXMLReader.java in this way? > > > - if (securityElement != null) { > - this.securityHttps = > "true".equals(securityElement.getAttribute("https")); > > > > +boolean useHttpsDefault = > UtilProperties.propertyValueEqualsIgnoreCase("url.properties", > "port.https.enabled", "Y"); > > > +if (securityElement != null) { > + if (useHttpsDefault)) > this.securityHttps = > "true".equals(securityElement.getAttribute("https")); > + > + else { > + this.securityHttps = false; > + } > > Thanks, > Angelo > > > > jacques.le.roux wrote: >> >> After the changes recently introduced. The campaign to secure URLs for >> link, hyperlink and sub-hyperlink is now finished. >> Please report any related errors you may cross >> >> Thanks >> >> Jacques >> >> > > -- > View this message in context: > http://www.nabble.com/Secure-URLs-end-for-link%2C-hyperlink-and-sub-hyperlink-tp22894715p22966638.html > Sent from the OFBiz - User mailing list archive at Nabble.com. > |
In reply to this post by Jacques Le Roux
Hi, David, Jacques
You have right about security hole. But after security improvement "port.https.enabled" was useless (or not?). Sorry for my bad reporting way. But I'wasn't sure if my issue should be reported in Jira. However, thanks a lot Angelo
|
Administrator
|
Actually David reestablished this feature which was already a hole, you are free to use it ;o)
It was a question of reporting in Jira (you were right for that) but to give more informations, details, etc. Anyway thanks for the report! Jacques From: "Angelo Matarazzo" <[hidden email]> > Hi, David, Jacques > You have right about security hole. > But after security improvement "port.https.enabled" was useless (or not?). > Sorry for my bad reporting way. > But I'wasn't sure if my issue should be reported in Jira. > However, thanks a lot > Angelo > > > jacques.le.roux wrote: >> >> After the changes recently introduced. The campaign to secure URLs for >> link, hyperlink and sub-hyperlink is now finished. >> Please report any related errors you may cross >> >> Thanks >> >> Jacques >> >> > > -- > View this message in context: > http://www.nabble.com/Secure-URLs-end-for-link%2C-hyperlink-and-sub-hyperlink-tp22894715p22984646.html > Sent from the OFBiz - User mailing list archive at Nabble.com. > |
Free forum by Nabble | Edit this page |