Is it normal that the backHome and backLast are not secured?

<request-map uri="backHome">
    <response name="success" type="view-home"/>
</request-map>
<request-map uri="backLast">
    <response name="success" type="view-last"/>
</request-map>

Jacques

Where do these come from?

The "view-home" and "view-last" response types should NEVER be used generically like this and instead should be specific for the particular request flow they are part of. Along with that, they should require https or not depending on the other requests they are working with.

-David

On Apr 25, 2009, at 12:32 PM, Jacques Le Roux wrote:

> Is it normal that the backHome and backLast are not securised ?
>
> <request-map uri="backHome">
>     <response name="success" type="view-home"/>
> </request-map>
> <request-map uri="backLast">
>     <response name="success" type="view-last"/>
> </request-map>
>
> Jacques

an explanation WHY not use generically would help a lot....

remember, these requests simply display an already displayed view again without any processing.

Hans

On Sat, 2009-04-25 at 19:10 -0600, David E Jones wrote:
> Where do these come from?
>
> The "view-home" and "view-last" response types should NEVER be used
> generically like this and instead should be specific for the
> particular request flow they are part of. Along with that, they should
> require https or not depending on the other requests they are working
> with.
>
> -David

Antwebsystems.com: Quality OFBiz services for competitive rates

In reply to this post by David E Jones-3
but do not waste too much time on this, they are not used anywhere.....

Antwebsystems.com: Quality OFBiz services for competitive rates

In reply to this post by Jacques Le Roux
Hi Hans,

OK, I just noticed that we were switching from https to http in backend, this is pretty rare (actually it's the only case I know, but I may miss others) that's why.

BTW we have a problem with r768643 and r768644 since (at least) backHome is used in many places

Jacques

From: "Hans Bakker" <[hidden email]>
> I do not think this makes a difference (add or not) because these
> display a view which was displayed before.

In reply to this post by hans_bakker
Hans Bakker wrote:
> but do not waste too much time on this, they are not used anywhere.....

I think the view-last and view-home are good to manage the user screen process. In many cases, we have some users who do a search and operate some data modification. After operating their modification, they want to return to the last search result.

Example: you list customers that are missing a last name, and for each you put in the missing field. Actually you need to do the search, select customer, save tel number, return to search, do the search.
With view-last we can do:
make the search, select customer, save tel number, select customer, save tel number, ...

I try to implement this with view-last, but if we call with request we have some previous parameters that break the last search, and if we call with request-redirect, we lose security.

If you add security on the new uri backLast, we can do that.

Nicolas

--
Nicolas MALIN
Consultant
Tel: 06.17.66.40.06
Project site: http://www.neogia.org/
-------
Company LibrenBerry
Tel: 02.48.02.56.12
Site: http://www.librenberry.net/

I was wrong that it was not used (forgot about it, wrote it myself).

It is currently used in the create contact mechanisms in the party profile, and in the meantime I have put it back with security as Jacques pointed out.

regards,
Hans

On Mon, 2009-04-27 at 19:55 +0200, Malin Nicolas wrote:
> Hans Bakker wrote:
> > but do not waste too much time on this, they are not used anywhere.....
>
> I think the view-last and view-home are good to manage the user screen
> process. In many cases, we have some users who do a search and operate
> some data modification. After operating their modification, they want to
> return to the last search result.
>
> Example: you list customers that are missing a last name, and for each
> you put in the missing field. Actually you need to do the search, select
> customer, save tel number, return to search, do the search.
> With view-last we can do:
> make the search, select customer, save tel number, select customer, save
> tel number, ...
>
> I try to implement this with view-last, but if we call with request we
> have some previous parameters that break the last search, and if we call
> with request-redirect, we lose security.
>
> If you add security on the new uri backLast, we can do that.
>
> Nicolas

Also as David pointed out, they should be used only with requests using https since now they are always secured. So they are ok for backend (are there any exceptions in backend where we don't secure URIs?) but not for eCommerce for instance. We could have also the pair not secured for these cases, like backHomeS and backLastS for these ones and backHome and backLast for the non secured pair. Then all this could be set in common-controller. Though beware, some links are secured in eCommerce too, like checking out for instance...

My 2 cts

Jacques

On Apr 28, 2009, at 12:53 AM, Jacques Le Roux wrote:

> Also as David pointed out, they should be used only with requests
> using https since now they are always secured.

Actually no, I didn't say that, I said: "Along with that, they should require https or not depending on the other requests they are working with." You can see that quote below. In general if you re-read what I wrote I was recommending against having such generic requests and using some specific to the set of screens being created.

-David

> So they are ok for backend (are there any exceptions in backend where
> we don't secure URIs?) but not for eCommerce for instance. We could
> have also the pair not secured for these cases, like backHomeS and
> backLastS for these ones and backHome and backLast for the non
> secured pair. Then all this could be set in common-controller. Though
> beware, some links are secured in eCommerce too, like checking out
> for instance...
>
> My 2 cts
>
> Jacques
>
>>> > On Sat, 2009-04-25 at 19:10 -0600, David E Jones wrote:
>>> >
>>> >> Where do these come from?
>>> >>
>>> >> The "view-home" and "view-last" response types should NEVER be used
>>> >> generically like this and instead should be specific for the
>>> >> particular request flow they are part of. Along with that, they should
>>> >> require https or not depending on the other requests they are working
>>> >> with.
>>> >>
>>> >> -David

Hi David,

Many screens in the party manager have a 'back' button which uses this request. One can discuss if this button is required... however if used, I do not see anything wrong with this generic request. In another mail I ask you to give reasons for this statement.

Regards,
Hans

On Tue, 2009-04-28 at 05:53 -0600, David E Jones wrote:
> On Apr 28, 2009, at 12:53 AM, Jacques Le Roux wrote:
>
> > Also as David pointed out, they should be used only with requests
> > using https since now they are always secured.
>
> Actually no, I didn't say that, I said: "Along with that, they should
> require https or not depending on the other requests they are working
> with." You can see that quote below. In general if you re-read what I
> wrote I was recommending against having such generic requests and
> using some specific to the set of screens being created.
>
> -David

In reply to this post by Jacques Le Roux
Jacques Le Roux wrote:
> Also as David pointed out, they should be used only with requests
> using https since now they are always secured. So they are ok for
> backend (are there any exceptions in backend where we don't secure URIs?)
> but not for eCommerce for instance. We could have also the pair not
> secured for these cases, like backHomeS and backLastS for these ones
> and backHome and backLast for the non secured pair. Then all this could
> be set in common-controller. Though beware, some links are secured in
> eCommerce too, like checking out for instance...

I vote for that, just find a good generic name for the uri.

Nicolas

In reply to this post by David E Jones-3
From: "David E Jones" <[hidden email]>
> On Apr 28, 2009, at 12:53 AM, Jacques Le Roux wrote:
>
>> Also as David pointed out, they should be used only with requests using https since now they are always secured.
>
> Actually no, I didn't say that, I said: "Along with that, they should require https or not depending on the other requests they
> are working with." You can see that quote below. In general if you re-read what I wrote I was recommending against having such
> generic requests and using some specific to the set of screens being created.

I understood what you said, but I don't understand why. What are we missing?

Hans introduced this functionality at r758522. He wrote
<<5. added 'save-home' and save 'current' in the same pattern as 'save-last' function in the controler.xml
6. added 'view-home' in the same pattern as 'view-last'>>

I see 'view-home' as a fast-reward (I mean like back to 1st page if you prefer). Are you afraid that if people use several processes (browsers' tabs or windows) they could mix their "home" (1st page) and end in odd results? Actually this may happen but apart from that I don't see any other problems.

Jacques

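An added example, not code from this thread or from OFBiz: a small Python audit that lists the request-maps whose response type is view-last or view-home and reports those that declare no `<security>` element, or whose https/auth settings differ from the requests of the flow they serve. The `<security https="..." auth="..."/>` child element is how OFBiz controller files declare these requirements; the sample controller, the flow request names and the function names are constructed for illustration, and treating a missing element or attribute as false is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Response types that replay a previously saved view instead of naming one.
REPLAY_TYPES = {"view-last", "view-home"}

NO_SECURITY = "no <security> element"
FLOW_MISMATCH = "https/auth differ from the requests in its flow"

# Constructed sample controller: backHome mirrors the unsecured request-map
# quoted in the thread, backLast shows the same kind of request with security.
SAMPLE_CONTROLLER = """
<site-conf>
    <request-map uri="findparty">
        <security https="true" auth="true"/>
        <response name="success" type="view" value="findparty"/>
    </request-map>
    <request-map uri="createPostalAddress">
        <security https="true" auth="true"/>
        <response name="success" type="view" value="viewprofile"/>
    </request-map>
    <request-map uri="backHome">
        <response name="success" type="view-home"/>
    </request-map>
    <request-map uri="backLast">
        <security https="true" auth="true"/>
        <response name="success" type="view-last"/>
    </request-map>
</site-conf>
"""


def security_of(request_map):
    """Return (https, auth) as booleans for one <request-map> element.

    Assumption of this sketch: a missing element or attribute counts as False.
    """
    sec = request_map.find("security")
    if sec is None:
        return (False, False)
    return (sec.get("https", "false") == "true",
            sec.get("auth", "false") == "true")


def audit_replay_requests(xml_text, flow_uris=()):
    """Report replay request-maps that are unsecured or out of step with a flow.

    flow_uris names the other requests of the screen flow the replay request
    is used with; their https/auth settings are the reference to compare to.
    Returns a list of (uri, replay_types, problems) in document order.
    """
    root = ET.fromstring(xml_text)
    maps = {rm.get("uri"): rm for rm in root.iter("request-map")}
    flow_settings = {security_of(maps[u]) for u in flow_uris if u in maps}

    findings = []
    for uri, rm in maps.items():
        types = {resp.get("type") for resp in rm.findall("response")}
        replay = sorted(types & REPLAY_TYPES)
        if not replay:
            continue
        problems = []
        if rm.find("security") is None:
            problems.append(NO_SECURITY)
        if flow_settings and security_of(rm) not in flow_settings:
            problems.append(FLOW_MISMATCH)
        if problems:
            findings.append((uri, replay, problems))
    return findings


if __name__ == "__main__":
    flow = ("findparty", "createPostalAddress")
    for uri, replay, problems in audit_replay_requests(SAMPLE_CONTROLLER, flow):
        print(f"{uri} ({', '.join(replay)}): {'; '.join(problems)}")
```

Passing the flow's request names is what catches the opposite case raised in the thread: a replay request that is always secured while the flow it returns to is served over plain http.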