hi,
Security Permissions
I am using ofbiz rev.79258
I want to understand how security works so I made the following modifications to hello1
1) I added base-permission="OFBTOOLS" to the ofbiz-component.xml
I could still see the application. I was assuming the application would ask me to login or prevent me from seeing the page.
2) I added <security> to the main request
<request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
</request-map>
This displays "java.lang.NullPointerException" in the browser.
How do permissions precedence work starting from the UI to the entity layer.
Help appreciated.
Thanks
-Milind

Here is the log
2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:159:WARN ] [RequestManager.getEventType] Type of event for request "checkLogin" not found
2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:146:WARN ] [RequestManager.getEventPath] Path of event for request "checkLogin" not found
2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:172:WARN ] [RequestManager.getEventMethod] Method of event for request "checkLogin" not found
2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ ControlServlet.java:205:ERROR]
---- runtime exception report --------------------------------------------------
Error in request handler:
Exception: java.lang.NullPointerException
Message: null
---- stack trace ---------------------------------------------------------------
java.lang.NullPointerException
javolution.util.FastMap.getEntry(Unknown Source)
javolution.util.FastMap.containsKey(Unknown Source)
org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
java.lang.Thread.run(Thread.java:595)
--------------------------------------------------------------------------------

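The log in the post above shows the controller looking up a request named "checkLogin" once auth="true" is set, and finding no event for it. The check below is an added example, not part of the original thread and not OFBiz code: it flags that condition in a controller file and also lists request-maps that require no login. The sample XML, the `status` request, the placeholder handler class and the set of login URI names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the request-map quoted in the post:
# "main" requires auth, but no "checkLogin" request-map is defined.
# The "status" request is invented here to show an unprotected endpoint.
HELLO1_BROKEN = """<site-conf>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <request-map uri="status">
    <response name="success" type="view" value="main"/>
  </request-map>
</site-conf>"""

# Constructed sample with a "checkLogin" request-map whose event carries the
# three attributes the log complains about (type, path, method/invoke).
# PLACEHOLDER.LoginHandler is a placeholder, not a real class name.
HELLO1_FIXED = """<site-conf>
  <request-map uri="checkLogin">
    <security https="false" auth="false"/>
    <event type="java" path="PLACEHOLDER.LoginHandler" invoke="checkLogin"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
</site-conf>"""

# Assumption: request names that must stay reachable without a session.
LOGIN_URIS = {"checkLogin", "login", "logout"}
EVENT_ATTRS = ("type", "path", "invoke")


def _local(tag):
    """Strip an XML namespace prefix such as '{ns}request-map'."""
    return tag.rsplit("}", 1)[-1]


def _child(el, name):
    """Return the first direct child with the given local name, or None."""
    for c in el:
        if _local(c.tag) == name:
            return c
    return None


def lint_controller(xml_text):
    """Return a list of (finding, details) tuples for one controller file.

    Included controller files are not followed; lint each file the
    application actually loads.
    """
    root = ET.fromstring(xml_text)
    maps = {el.get("uri"): el for el in root.iter()
            if _local(el.tag) == "request-map"}

    protected, unprotected = [], []
    for uri, rm in maps.items():
        sec = _child(rm, "security")
        if sec is not None and sec.get("auth", "false").lower() == "true":
            protected.append(uri)
        elif uri not in LOGIN_URIS:
            unprotected.append(uri)

    findings = []
    if protected:
        check = maps.get("checkLogin")
        if check is None:
            # Matches the three WARN lines followed by the NullPointerException.
            findings.append(("missing-checkLogin", sorted(protected)))
        else:
            ev = _child(check, "event")
            missing = [a for a in EVENT_ATTRS if ev is None or not ev.get(a)]
            if missing:
                findings.append(("incomplete-checkLogin-event", missing))
    if unprotected:
        # These requests are served without any login, as the post observed
        # before auth="true" was added.
        findings.append(("no-auth-required", sorted(unprotected)))
    return findings


if __name__ == "__main__":
    for name, doc in (("broken", HELLO1_BROKEN), ("fixed", HELLO1_FIXED)):
        print(name, lint_controller(doc))
```
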
http://docs.ofbiz.org/display/OFBTECH/OFBiz+security

Milind W sent the following on 7/29/2008 7:58 PM:
> hi,
> Security Permissions
> I am using ofbiz rev.79258
> I want to understand how security works so I made the following
> modifications to hello1
> 1) I added base-permission="OFBTOOLS" to the ofbiz-component.xml
> I could still see the application. I was assuming the application would ask
> me to login or prevent me from seeing the page.
> 2) I added <security> to the main request
> <request-map uri="main">
>     <security https="false" auth="true"/>
>     <response name="success" type="view" value="main"/>
> </request-map>
> This displays "java.lang.NullPointerException" in the browser.
> How do permissions precedence work starting from the UI to the entity layer.
> Help appreciated.
> Thanks
> -Milind

http://www.opensourcestrategies.com/ofbiz/security.php

Please note that opentaps is not at the same level of revision that ofbiz is.
There have been changes to security.
There are examples in the
framework/example
and
framework/exampleext
I believe this to be a better tutorial
since they work already.

Balaji Sundar sent the following on 7/29/2008 9:40 PM:
> BJ Freeman wrote:
>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>
> http://www.opensourcestrategies.com/ofbiz/security.php

Let me try to break up questions.
Shouldn't adding
base-permission="OFBTOOLS"
to the ofbiz-entity.xml force the user to login with a user id that is
associated to the OFBTOOLS security group?
I can see the application I created and the line seems to have no effect.
What is the purpose of the line?
Thanks
-Milind

> Please note that opentaps is not at the same level of revision that ofbiz is.
> There have been changes to security.
> There are examples in the
> framework/example
> and
> framework/exampleext
> I believe this to be a better tutorial
> since they work already.

http://lists.ofbiz.org/pipermail/jira/2006-April/003536.html
should help.
also look at
https://demo.hotwaxmedia.com/webtools/control/FindGeneric?entityName=SecurityGroupPermission&find=true&VIEW_SIZE=50&VIEW_INDEX=0
for how permissions are grouped together
the list of permissions in ofbiz
https://demo.hotwaxmedia.com/webtools/control/FindGeneric?entityName=SecurityPermission&find=true&VIEW_SIZE=50&VIEW_INDEX=0

Milind W sent the following on 7/30/2008 11:31 AM:
> Let me try to break up questions.
> Shouldn't adding
> base-permission="OFBTOOLS"
> to the ofbiz-entity.xml force the user to login with a user id that is
> associated to the OFBTOOLS security group?
> I can see the application I created and the line seems to have no effect.
> What is the purpose of the line?
> Thanks
> -Milind

sorry forgot one link
good discussion
http://mail-archives.apache.org/mod_mbox/ofbiz-dev/200710.mbox/%3C4716ED96.3050901@...%3E

BJ Freeman sent the following on 7/30/2008 1:13 PM:
> http://lists.ofbiz.org/pipermail/jira/2006-April/003536.html
> should help.
> also look at
> https://demo.hotwaxmedia.com/webtools/control/FindGeneric?entityName=SecurityGroupPermission&find=true&VIEW_SIZE=50&VIEW_INDEX=0
> for how permissions are grouped together
> the list of permissions in ofbiz
> https://demo.hotwaxmedia.com/webtools/control/FindGeneric?entityName=SecurityPermission&find=true&VIEW_SIZE=50&VIEW_INDEX=0

OFBiz Wiki is your friend. Just look for OFBTOOLS.
You would have got
http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615

Jacques

----- Original Message -----
From: "Milind W" <[hidden email]>
To: <[hidden email]>
Sent: Wednesday, July 30, 2008 8:31 PM
Subject: Re: how to set security and permissions precedence

> Let me try to break up questions.
> Shouldn't adding
> base-permission="OFBTOOLS"
> to the ofbiz-entity.xml force the user to login with a user id that is
> associated to the OFBTOOLS security group?
> I can see the application I created and the line seems to have no effect.
> What is the purpose of the line?
> Thanks
> -Milind

LOL
that was the first link I sent on this thread.

Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>
> You would have got
> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>
> Jacques
Not with a direct link to the comment where the explanation is ;p
Actually it was more a didactic post

Jacques

From: "BJ Freeman" <[hidden email]>
> LOL
> that was the first link I sent on this thread.
hi,
I got login to work by adding the changes below to my controller using ofbiz4.0.
I don't think I follow the reason with OFBTOOLS base permission not taking effect in the ofbiz-component as explained in OFBIZ-829.
But I agree with Si Chen on OFBIZ-829
"The right way is to assume no permission until one of the list of permissions is met." Seems more intuitive.
For now I can work around it so thanks all.
-Milind

    <preprocessor>
        <!-- Events to run on every request before security (chains exempt) -->
        <!-- <event type="java" path="org.ofbiz.webapp.event.TestEvent" invoke="test"/> -->
        <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
    </preprocessor>

    <!-- Request Mappings -->

    <request-map uri="checkLogin" edit="false">
        <description>Verify a user is logged in.</description>
        <security https="false" auth="false"/>
        <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin" />
        <response name="success" type="view" value="main" />
        <response name="error" type="view" value="login" />
    </request-map>

    <request-map uri="login">
        <security https="false" auth="false"/>
        <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
        <response name="success" type="view" value="main"/>
        <response name="error" type="view" value="login"/>
    </request-map>

    <request-map uri="main">
        <security https="false" auth="true" />
        <response name="success" type="view" value="main"/>
    </request-map>

    <view-map name="login" type="screen" page="component://marketing/widget/CommonScreens.xml#login" />

> Not with a direct link to the comment where the explanation is ;p
> Actually it was more a didactic post
>
> Jacques
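A check for the failure seen in this thread, as an added example (not code from the posters or from OFBiz): it lints one controller file in isolation and flags auth="true" on a request-map when no "checkLogin" request-map with an event and an "error" response exists, plus view responses that have no matching view-map. The hello1 screen path, the `<site-conf>` wrapper around the snippets and the finding labels are constructed for the example.

```python
import xml.etree.ElementTree as ET

# View-map taken from the working controller posted in the thread.
LOGIN_VIEW = ('<view-map name="login" type="screen" '
              'page="component://marketing/widget/CommonScreens.xml#login"/>')

# Constructed placeholder: the thread never shows hello1's own "main" view-map.
MAIN_VIEW = ('<view-map name="main" type="screen" '
             'page="component://hello1/widget/HelloScreens.xml#main"/>')

# First post: auth="true" on "main" and no login plumbing (the NPE case).
BROKEN = f"""<site-conf>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  {MAIN_VIEW}
</site-conf>"""

# Later post: the same request plus the request-maps that made login work.
FIXED = f"""<site-conf>
  <preprocessor>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker"
           invoke="checkExternalLoginKey"/>
  </preprocessor>
  <request-map uri="checkLogin" edit="false">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker"
           invoke="checkLogin"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="login">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker"
           invoke="login"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  {MAIN_VIEW}
  {LOGIN_VIEW}
</site-conf>"""


def _auth_required(request_map):
    """True when the request-map carries <security auth="true"/>."""
    sec = request_map.find("security")
    return sec is not None and sec.get("auth") == "true"


def lint_controller(xml_text):
    """Return a list of finding labels for one controller document."""
    root = ET.fromstring(xml_text)
    requests = {rm.get("uri"): rm for rm in root.iter("request-map")}
    views = {vm.get("name") for vm in root.iter("view-map")}
    findings = []

    # Any protected request depends on a resolvable "checkLogin" event;
    # the log in the first post shows the lookup failing without one.
    if any(_auth_required(rm) for rm in requests.values()):
        check = requests.get("checkLogin")
        if check is None:
            findings.append("missing-checkLogin")
        else:
            if check.find("event") is None:
                findings.append("checkLogin-has-no-event")
            names = {r.get("name") for r in check.findall("response")}
            if "error" not in names:
                findings.append("checkLogin-has-no-error-response")

    # Every view response must resolve to a view-map in this file.
    for uri, rm in sorted(requests.items()):
        for resp in rm.findall("response"):
            if resp.get("type") == "view" and resp.get("value") not in views:
                findings.append(f"unmapped-view:{uri}->{resp.get('value')}")
    return findings


def unprotected_requests(xml_text):
    """URIs reachable without login; review these one by one."""
    root = ET.fromstring(xml_text)
    return sorted(rm.get("uri") for rm in root.iter("request-map")
                  if not _auth_required(rm))


if __name__ == "__main__":
    for label, doc in (("first post", BROKEN), ("working post", FIXED)):
        print(label, lint_controller(doc), unprotected_requests(doc))
```

The linter cannot tell whether the screen a view-map points to still exists in the referenced component, so a moved screen file has to be checked against the source tree.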
In reply to this post by Jacques Le Roux
Looks like I have a problem making this example work with revision#679258
It worked fine (i.e. I was redirected to login screen before I could get to main) with rev#677863

Looks like the view
<view-map name="login" type="screen" page="component://marketing/widget/CommonScreens.xml#login" />
is part of the problem. The CommonScreens.xml has moved and no longer seems to have the 'login' screen.

I tried finding another screen with the 'login' view. I found another one in the 'common' component and modified my hello controller to point to
<view-map name="login" type="screen" page="component://common/widget/CommonScreens.xml#login"/>
but it is not acting the same as previously.

Please let me know what is missing (or any suggestion how best to illustrate login) so I can complete and contribute my tutorial for security. Would hate to create a tutorial that worked with one specific build.

http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results

Thanks
-Milind
Did you try an "ant clean" ? There have been some changes recently that implie this cleanup.
Jacques

From: "Milind W" <[hidden email]>
> Looks like I have a problem making this example work with revision#679258
>
> It worked fine (i.e. I was redirected to login screen before I could get to
> main) with rev#677863
>
> Looks like the view
> <view-map name="login" type="screen"
>     page="component://marketing/widget/CommonScreens.xml#login" />
> is part of the problem. The CommonScreens.xml has moved and no longer
> seems to have the 'login' screen.
>
> I tried finding another screen with the 'login' view. I found another one
> in the 'common' component and modified my hello controller to point to
> <view-map name="login" type="screen"
>     page="component://common/widget/CommonScreens.xml#login"/>
> but it is not acting the same as previously.
>
> Please let me know what is missing (or any suggestion how best to
> illustrate login) so I can complete and contribute my tutorial for
> security. Would hate to create a tutorial that worked with one specific
> build.
>
> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>
> Thanks
> -Milind
>
>> hi,
>> I got login to work by adding the changes below to my controller using
>> ofbiz4.0.
>> I don't think I follow the reason with OFBTOOLS base permission not
>> taking effect in the ofbiz-component as explained in OFBIZ-829.
>> But I agree with Si Chen on OFBIZ-829
>> "The right way is to assume no permission until one of the list of
>> permissions is met." Seems more intuitive.
>> For now I can work around it so thanks all.
>> -Milind
>>
>> <preprocessor>
>>     <!-- Events to run on every request before security (chains exempt) -->
>>     <!-- <event type="java" path="org.ofbiz.webapp.event.TestEvent" invoke="test"/> -->
>>     <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
>> </preprocessor>
>>
>> <!-- Request Mappings -->
>>
>> <request-map uri="checkLogin" edit="false">
>>     <description>Verify a user is logged in.</description>
>>     <security https="false" auth="false"/>
>>     <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin" />
>>     <response name="success" type="view" value="main" />
>>     <response name="error" type="view" value="login" />
>> </request-map>
>>
>> <request-map uri="login">
>>     <security https="false" auth="false"/>
>>     <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
>>     <response name="success" type="view" value="main"/>
>>     <response name="error" type="view" value="login"/>
>> </request-map>
>>
>> <request-map uri="main">
>>     <security https="false" auth="true" />
>>     <response name="success" type="view" value="main"/>
>> </request-map>
>>
>> <view-map name="login" type="screen"
>>     page="component://marketing/widget/CommonScreens.xml#login" />
>>
>>> Not with a direct link to the comment where is the explanation ;p
>>> Actually it was more a didactic post
>>>
>>> Jacques
>>>
>>> From: "BJ Freeman" <[hidden email]>
>>>> LOL
>>>> that was the first link I sent on this thread.
>>>>
>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
Just tried "ant clean"; it made no difference.
I can proceed to main without being redirected to login with rev#679258.

Relevant log for rev#679258
2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:584:INFO ] servletName=control, view=main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: apache tomcat/6.0.16
2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream

and with rev#677863
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:236:INFO ] [Processing Request]: main sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:262:INFO ] reqParams Map: []
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:263:INFO ] queryString:
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:273:INFO ] checkLogin: queryString=
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:578:INFO ] servletName=control, view=login sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream

The loginworker seems to be invoked with rev#677863 and not with rev#679258.
Any Idea?

> Did you try an "ant clean"? There have been some changes recently that
> imply this cleanup.
>
> Jacques
>
> From: "Milind W" <[hidden email]>
>> Looks like I have a problem making this example work with
>> revision#679258
>>
>> It worked fine (i.e. I was redirected to login screen before I could get
>> to main) with rev#677863
>>
>> Looks like the view
>> <view-map name="login" type="screen"
>>     page="component://marketing/widget/CommonScreens.xml#login" />
>> is part of the problem. The CommonScreens.xml has moved and no longer
>> seems to have the 'login' screen.
>>
>> I tried finding another screen with the 'login' view. I found another
>> one in the 'common' component and modified my hello controller to point to
>> <view-map name="login" type="screen"
>>     page="component://common/widget/CommonScreens.xml#login"/>
>> but it is not acting the same as previously.
>>
>> Please let me know what is missing (or any suggestion how best to
>> illustrate login) so I can complete and contribute my tutorial for
>> security. Would hate to create a tutorial that worked with one specific
>> build.
>>
>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>
>> Thanks
>> -Milind
>>
>>> hi,
>>> I got login to work by adding the changes below to my controller using
>>> ofbiz4.0.
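The log comparison in the message above can be turned into a repeatable check: for every request to a URI that is supposed to require login, confirm that a LoginWorker checkLogin entry was logged on the same thread before a view other than the login view was rendered. This is an added example, not part of the original thread or of OFBiz; the function names and the protected_uris parameter are assumptions, the sample entries are copied from the two excerpts above (one entry per line), and it assumes LoginWorker logs its checkLogin lines at INFO as in the rev#677863 excerpt.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One OFBiz log entry: timestamp (thread) [ Source.java:line:LEVEL ] message
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\((?P<thread>[^)]+)\) "
    r"\[\s*(?P<src>[\w$]+\.java):\d+\s*:(?P<level>\w+)\s*\]\s*"
    r"(?P<msg>.*)$"
)
REQUEST_RE = re.compile(r"\[Processing Request\]: (?P<uri>\S+)")
VIEW_RE = re.compile(r"servletName=\S+, view=(?P<view>\S+)")

# Entries taken from the rev#679258 excerpt in the message above.
REV_679258_LOG = """\
2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:584:INFO ] servletName=control, view=main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
"""

# Entries taken from the rev#677863 excerpt in the message above.
REV_677863_LOG = """\
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:236:INFO ] [Processing Request]: main sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:262:INFO ] reqParams Map: []
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:273:INFO ] checkLogin: queryString=
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:578:INFO ] servletName=control, view=login sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
"""


@dataclass
class RequestTrace:
    timestamp: str
    thread: str
    uri: str
    login_checked: bool = False   # a LoginWorker checkLogin entry was seen
    view: Optional[str] = None    # first view rendered for this request


def trace_requests(log_text: str) -> List[RequestTrace]:
    """Group entries per worker thread into one trace per processed request."""
    current = {}                  # thread name -> trace still being filled in
    traces: List[RequestTrace] = []
    for raw in log_text.splitlines():
        entry = ENTRY_RE.match(raw.strip())
        if entry is None:
            continue              # stack frames, wrapped lines, blank lines
        thread, msg = entry["thread"], entry["msg"]
        started = REQUEST_RE.search(msg)
        if started:
            trace = RequestTrace(entry["ts"], thread, started["uri"])
            current[thread] = trace
            traces.append(trace)
            continue
        trace = current.get(thread)
        if trace is None:
            continue              # entry outside any request we saw start
        if entry["src"] == "LoginWorker.java" and msg.startswith("checkLogin:"):
            trace.login_checked = True
        rendered = VIEW_RE.search(msg)
        if rendered and trace.view is None:
            trace.view = rendered["view"]
    return traces


def unauthenticated_renders(log_text: str, protected_uris: Set[str],
                            login_view: str = "login") -> List[RequestTrace]:
    """Requests to protected URIs that rendered a non-login view unchecked."""
    return [
        t for t in trace_requests(log_text)
        if t.uri in protected_uris
        and not t.login_checked
        and t.view is not None
        and t.view != login_view
    ]


if __name__ == "__main__":
    for name, text in (("rev#679258", REV_679258_LOG),
                       ("rev#677863", REV_677863_LOG)):
        hits = unauthenticated_renders(text, {"main"})
        report = [f"{h.timestamp} {h.uri} rendered {h.view}" for h in hits]
        print(name, "->", report or "ok")
```

Run against a test instance after each upgrade, with protected_uris set to the request-map URIs that carry auth="true" in the controller.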
bug was fixed, the new rev works.
here is the fix
http://svn.apache.org/viewvc?rev=682228&view=rev

Milind W sent the following on 8/3/2008 4:27 PM:
> Just tried "ant clean" it made no difference.
> I can proceed to main without being redirected to login with rev#679258.
>
> Relevant log for rev#679258
> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:584:INFO ] servletName=control, view=main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: apache tomcat/6.0.16
> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>
> and with rev#677863
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:236:INFO ] [Processing Request]: main sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:262:INFO ] reqParams Map: []
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:263:INFO ] queryString:
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:273:INFO ] checkLogin: queryString=
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:578:INFO ] servletName=control, view=login sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>
> The loginworker seems to be invoked with rev#677863 and not with rev#679258.
> Any Idea?
>
>> Did you try an "ant clean" ? There have been some changes recently that imply this cleanup.
>>
>> Jacques
>>
>> From: "Milind W" <[hidden email]>
>>> Looks like I have a problem making this example work with revision#679258
>>>
>>> It worked fine (i.e. I was redirected to login screen before I could get to main) with rev#677863
>>>
>>> Looks like the view
>>> <view-map name="login" type="screen" page="component://marketing/widget/CommonScreens.xml#login" />
>>> is part of the problem. The CommonScreens.xml has moved and no longer seems to have the 'login' screen.
>>>
>>> I tried finding another screen with the 'login' view. I found another one in the 'common' component and modified my hello controller to point to
>>> <view-map name="login" type="screen" page="component://common/widget/CommonScreens.xml#login"/>
>>> but it is not acting the same as previously.
>>>
>>> Please let me know what is missing (or any suggestion how best to illustrate login) so I can complete and contribute my tutorial for security. Would hate to create a tutorial that worked with one specific build.
>>>
>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>
>>> Thanks
>>> -Milind
>>>
>>>> hi,
>>>> I got login to work by adding the changes below to my controller using ofbiz4.0.
>>>> I don't think I follow the reason with OFBTOOLS base permission not taking effect in the ofbiz-component as explained in OFBIZ-829.
>>>> But I agree with Si Chen on OFBIZ-829
>>>> "The right way is to assume no permission until one of the list of permissions is met." Seems more intuitive.
>>>> For now I can work around it so thanks all.
>>>> -Milind
>>>>
>>>> <preprocessor>
>>>>     <!-- Events to run on every request before security (chains exempt) -->
>>>>     <!-- <event type="java" path="org.ofbiz.webapp.event.TestEvent" invoke="test"/> -->
>>>>     <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
>>>> </preprocessor>
>>>>
>>>> <!-- Request Mappings -->
>>>>
>>>> <request-map uri="checkLogin" edit="false">
>>>>     <description>Verify a user is logged in.</description>
>>>>     <security https="false" auth="false"/>
>>>>     <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin" />
>>>>     <response name="success" type="view" value="main" />
>>>>     <response name="error" type="view" value="login" />
>>>> </request-map>
>>>>
>>>> <request-map uri="login">
>>>>     <security https="false" auth="false"/>
>>>>     <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
>>>>     <response name="success" type="view" value="main"/>
>>>>     <response name="error" type="view" value="login"/>
>>>> </request-map>
>>>>
>>>> <request-map uri="main">
>>>>     <security https="false" auth="true" />
>>>>     <response name="success" type="view" value="main"/>
>>>> </request-map>
>>>>
>>>> <view-map name="login" type="screen" page="component://marketing/widget/CommonScreens.xml#login" />
>>>>
>>>>> Not with a direct link to the comment where is the explanation ;p
>>>>> Actually it was more a didactic post
>>>>>
>>>>> Jacques
>>>>>
>>>>> From: "BJ Freeman" <[hidden email]>
>>>>>> LOL
>>>>>> that was the first link I sent on this thread.
>>>>>>
>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>
>>>>>>> You would have got
>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>> ----- Original Message -----
>>>>>>> From: "Milind W" <[hidden email]>
>>>>>>> To: <[hidden email]>
>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>
>>>>>>>> Let me try to break up questions.
>>>>>>>> Shouldn't adding
>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>> to the ofbiz-entity.xml force the user to login with a user id that is associated to the OFBTOOLS security group?
>>>>>>>> I can see the application I created and the line seems to have no effect.
>>>>>>>> What is the purpose of the line?
>>>>>>>> Thanks
>>>>>>>> -Milind
>>>>>>>>
>>>>>>>>> Please note that opentaps is not at the same level of revision that ofbiz is.
>>>>>>>>> there have been changes to security.
>>>>>>>>> there are examples in the
>>>>>>>>> framework/example
>>>>>>>>> and
>>>>>>>>> framework/exampleext
>>>>>>>>> I believe this to be a better tutorial
>>>>>>>>> since they work already.
I got the updated files.
Did ant clean and then a new build.
I still see the SAME behavior described in my previous email.
I am attaching my controller.xml

> here is the fix
> http://svn.apache.org/viewvc?rev=682228&view=rev
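The wiring this thread turns on, as an added example (not code from the posts or from OFBiz): a request-map with auth="true" depends on checkLogin and login request-maps and on a declared login view-map. The sketch below checks one controller.xml for those pieces; both sample controllers are constructed from the snippets quoted in the thread, the page path of the main view-map is hypothetical, and included controller files are not followed.

```python
import xml.etree.ElementTree as ET


def local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def children(element, name):
    """Direct children of `element` whose local name is `name`."""
    return [c for c in element if local(c.tag) == name]


def audit_controller(xml_text):
    """Return a list of findings for a single controller.xml document."""
    root = ET.fromstring(xml_text.strip())
    requests = {e.get("uri", ""): e for e in root.iter() if local(e.tag) == "request-map"}
    views = {e.get("name") for e in root.iter() if local(e.tag) == "view-map"}
    findings = []

    # Request-maps that demand a logged-in user.
    protected = sorted(
        uri for uri, e in requests.items()
        if any(s.get("auth") == "true" for s in children(e, "security"))
    )

    # The first log in the thread shows 'event for request "checkLogin" not found'
    # right before the NullPointerException, so both helpers must exist with an event.
    if protected:
        for helper in ("checkLogin", "login"):
            if helper not in requests:
                findings.append(f"auth=true on {protected} but no request-map uri={helper!r}")
            elif not children(requests[helper], "event"):
                findings.append(f"request-map uri={helper!r} has no <event>")

    # Every response of type "view" must point at a declared view-map,
    # otherwise the redirect to the login screen has nowhere to go.
    for uri, e in sorted(requests.items()):
        for resp in children(e, "response"):
            if resp.get("type") == "view" and resp.get("value") not in views:
                findings.append(
                    f"request-map uri={uri!r} response {resp.get('name')!r} "
                    f"points to undefined view {resp.get('value')!r}"
                )
    return findings


# Constructed sample: the first post's change (auth="true" on main, nothing else).
# The page= value of the main view-map is a hypothetical path.
BROKEN_CONTROLLER = """
<site-conf>
    <request-map uri="main">
        <security https="false" auth="true"/>
        <response name="success" type="view" value="main"/>
    </request-map>
    <view-map name="main" type="screen" page="component://hello1/widget/HelloScreens.xml#main"/>
</site-conf>
"""

# Constructed sample: the workaround quoted in the thread, plus the same main view-map.
WORKAROUND_CONTROLLER = """
<site-conf>
    <preprocessor>
        <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
    </preprocessor>
    <request-map uri="checkLogin" edit="false">
        <security https="false" auth="false"/>
        <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin"/>
        <response name="success" type="view" value="main"/>
        <response name="error" type="view" value="login"/>
    </request-map>
    <request-map uri="login">
        <security https="false" auth="false"/>
        <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
        <response name="success" type="view" value="main"/>
        <response name="error" type="view" value="login"/>
    </request-map>
    <request-map uri="main">
        <security https="false" auth="true"/>
        <response name="success" type="view" value="main"/>
    </request-map>
    <view-map name="main" type="screen" page="component://hello1/widget/HelloScreens.xml#main"/>
    <view-map name="login" type="screen" page="component://common/widget/CommonScreens.xml#login"/>
</site-conf>
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONTROLLER), ("workaround", WORKAROUND_CONTROLLER)):
        print(label, audit_controller(text) or "no findings")
```

A static check like this only catches the missing-wiring case from the first log. The rev#679258 behaviour, where main rendered without LoginWorker being invoked, needs a request against the running instance to confirm.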
This works for sure from r682228, please check your local instance...
Except of course if we don't speak about the _SAME behavior_ (see my previous posts in ML)

Jacques

From: "Milind W" <[hidden email]>
> I got the updated files.
> Did ant clean and then a new build.
> I still see the SAME behavior described in my previous email.
> I am attaching my controller.xml
>>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>> -Milind >>>>>>>>>>>>>> >>>>>>>>>>>>>> Here is the log >>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ >>>>>>>>>>>>>> RequestHandler.java:243:INFO ] [Processing Request]: main >>>>>>>>>>>>>> sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1 >>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ >>>>>>>>>>>>>> RequestManager.java:159:WARN ] [RequestManager.getEventType] >>>>>>>>>>>>>> Type >>>>>>>>>>>>>> of >>>>>>>>>>>>>> event >>>>>>>>>>>>>> for request "checkLogin" not found >>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ >>>>>>>>>>>>>> RequestManager.java:146:WARN ] [RequestManager.getEventPath] >>>>>>>>>>>>>> Path >>>>>>>>>>>>>> of >>>>>>>>>>>>>> event >>>>>>>>>>>>>> for request "checkLogin" not found >>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ >>>>>>>>>>>>>> RequestManager.java:172:WARN ] >>>>>>>>>>>>>> [RequestManager.getEventMethod] >>>>>>>>>>>>>> Method >>>>>>>>>>>>>> of >>>>>>>>>>>>>> event for request "checkLogin" not found >>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ >>>>>>>>>>>>>> ControlServlet.java:205:ERROR] >>>>>>>>>>>>>> ---- runtime exception report >>>>>>>>>>>>>> -------------------------------------------------- >>>>>>>>>>>>>> Error in request handler: >>>>>>>>>>>>>> Exception: java.lang.NullPointerException >>>>>>>>>>>>>> Message: null >>>>>>>>>>>>>> ---- stack trace >>>>>>>>>>>>>> --------------------------------------------------------------- >>>>>>>>>>>>>> java.lang.NullPointerException >>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source) >>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source) >>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86) >>>>>>>>>>>>>> 
>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198) >>>>>>>>>>>>>> >>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690) >>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803) >>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) >>>>>>>>>>>>>> >>>>>>>>>>>>>> 
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) >>>>>>>>>>>>>> >>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) >>>>>>>>>>>>>> >>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595) >>>>>>>>>>>>>> -------------------------------------------------------------------------------- >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php >>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>> >>>>> >>> >>> >>> >>> >>> >> >> > |
your controller does not conform to the current svn controllers.
please review them.

Milind W sent the following on 8/3/2008 5:35 PM:
> I got the updated files.
> Did ant clean and then a new build.
> I still see the SAME behavior described in my previous email.
> I am attaching my controller.xml
>
>> here is the fix
>> http://svn.apache.org/viewvc?rev=682228&view=rev
>>
>> Milind W sent the following on 8/3/2008 4:27 PM:
>>> Just tried "ant clean" it made no difference.
>>> I can proceed to main without being redirected to login with rev#679258.
>>>
>>> Relevant log for rev#679258
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:584:INFO ] servletName=control, view=main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: apache tomcat/6.0.16
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>>>
>>> and with rev#677863
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:236:INFO ] [Processing Request]: main sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:262:INFO ] reqParams Map: []
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:263:INFO ] queryString:
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:273:INFO ] checkLogin: queryString=
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:578:INFO ] servletName=control, view=login sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>>>
>>> The loginworker seems to be invoked with rev#677863 and not with rev#679258.
>>> Any Idea?
I changed my controller to conform with the example controller.xml.
Now it does attempt to send me to the login screen but get the following error. org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen [component://common/widget/CommonScreens.xml#login]: java.lang.IllegalArgumentException: Could not find screen with name [main-decorator] in the same file as the screen with name [login] (Could not find screen with name [main-decorator] in the same file as the screen with name [login]) Help! > your controller does not conform to the current svn controllers. > please review them. > > > Milind W sent the following on 8/3/2008 5:35 PM: >> I got the updated files. >> Did ant clean and then a new build. >> I still see the SAME behavior described in my previous email. >> I am attaching my controller.xml >> >>> here is the fix >>> http://svn.apache.org/viewvc?rev=682228&view=rev >>> >>> Milind W sent the following on 8/3/2008 4:27 PM: >>>> Just tried "ant clean" it made no difference. >>>> I can proceed to main without being redirected to login with >>>> rev#679258. >>>> >>>> >>>> Relevant log for rev#679258 >>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) >>>> [RequestHandler.java:243:INFO ] [Processing Request]: main >>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1 >>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) >>>> [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response >>>> is >>>> a >>>> view. 
sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1 >>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) >>>> [RequestHandler.java:584:INFO ] servletName=control, view=main >>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1 >>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ >>>> UtilJ2eeCompat.java:69 >>>> :INFO ] serverInfo: apache tomcat/6.0.16 >>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ >>>> UtilJ2eeCompat.java:78 >>>> :INFO ] Apache Tomcat detected, using response.getWriter to write text >>>> out >>>> instead of response.getOutputStream >>>> >>>> and with rev#677863 >>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ >>>> RequestHandler.java:236:INFO ] [Processing Request]: main >>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1 >>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ >>>> LoginWorker.java:262:INFO ] reqParams Map: [] >>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ >>>> LoginWorker.java:263:INFO ] queryString: >>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ >>>> LoginWorker.java:273:INFO ] checkLogin: queryString= >>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ >>>> LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main >>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ >>>> RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is >>>> a >>>> view. 
sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1 >>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ >>>> RequestHandler.java:578:INFO ] servletName=control, view=login >>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1 >>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ >>>> UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20 >>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ >>>> UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using >>>> response.getWriter to write text out instead of >>>> response.getOutputStream >>>> >>>> The loginworker seems to be invoked with rev#677863 and not with >>>> rev#679258. >>>> Any Idea? >>>> >>>>> Did you try an "ant clean" ? There have been some changes recently >>>>> that >>>>> implie this cleanup. >>>>> >>>>> Jacques >>>>> >>>>> From: "Milind W" <[hidden email]> >>>>>> Looks like I have a problem making this example work with >>>>>> revision#679258 >>>>>> >>>>>> It worked fine (i.e I was redirected to login screen before I could >>>>>> get >>>>>> to >>>>>> main) with rev#677863 >>>>>> >>>>>> Looks like the view >>>>>> <view-map name="login" type="screen" >>>>>> page="component://marketing/widget/CommonScreens.xml#login" /> >>>>>> is part of the problem. The CommonScreens.xml has moved and does no >>>>>> longer >>>>>> seem to have the 'login' screen. >>>>>> >>>>>> I tried finding another screen with the 'login' view. I found >>>>>> another >>>>>> one >>>>>> in the 'common' component and modified my hello controller to point >>>>>> to >>>>>> <view-map name="login" type="screen" >>>>>> page="component://common/widget/CommonScreens.xml#login"/> >>>>>> but it is no acting the same as previously. >>>>>> >>>>>> Please let me know what is missing (or any suggestion how best to >>>>>> illustrate login) so I can complete and contribute my tutorial for >>>>>> security. Would hate to create a tutorial that worked with one >>>>>> specific >>>>>> build. 
>>>>>> >>>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results >>>>>> >>>>>> Thanks >>>>>> -Milind >>>>>> >>>>>>> hi, >>>>>>> I got login to work by adding the changes below to my controller >>>>>>> using >>>>>>> ofbiz4.0. >>>>>>> I don't think I follow the reason with OFBTOOLS base persmission >>>>>>> not >>>>>>> taking effect in the ofbiz-component as explained in OFBIZ-829. >>>>>>> But I agree with Si Chen on OFBIZ-829 >>>>>>> "The right way is to assume no permission until one of the list of >>>>>>> permissions is met." Seems more intitutive. >>>>>>> For now I can workaround it so thanks all. >>>>>>> -Milind >>>>>>> >>>>>>> >>>>>>> >>>>>>> <preprocessor> >>>>>>> <!-- Events to run on every request before security (chains >>>>>>> exempt) --> >>>>>>> <!-- <event type="java" >>>>>>> path="org.ofbiz.webapp.event.TestEvent" >>>>>>> invoke="test"/> --> >>>>>>> <event type="java" >>>>>>> path="org.ofbiz.webapp.control.LoginWorker" >>>>>>> invoke="checkExternalLoginKey"/> >>>>>>> </preprocessor> >>>>>>> >>>>>>> <!-- Request Mappings --> >>>>>>> >>>>>>> <request-map uri="checkLogin" edit="false"> >>>>>>> <description>Verify a user is logged in.</description> >>>>>>> <security https="false" auth="false"/> >>>>>>> <event type="java" >>>>>>> path="org.ofbiz.webapp.control.LoginWorker" >>>>>>> invoke="checkLogin" /> >>>>>>> <response name="success" type="view" value="main" /> >>>>>>> <response name="error" type="view" value="login" /> >>>>>>> </request-map> >>>>>>> >>>>>>> <request-map uri="login"> >>>>>>> <security https="false" auth="false"/> >>>>>>> <event type="java" >>>>>>> path="org.ofbiz.webapp.control.LoginWorker" >>>>>>> invoke="login"/> >>>>>>> <response name="success" type="view" value="main"/> >>>>>>> <response name="error" type="view" value="login"/> >>>>>>> </request-map> >>>>>>> >>>>>>> >>>>>>> <request-map uri="main"> >>>>>>> <security https="false" auth="true" /> >>>>>>> <response name="success" 
type="view" value="main"/> >>>>>>> </request-map> >>>>>>> >>>>>>> <view-map name="login" type="screen" >>>>>>> page="component://marketing/widget/CommonScreens.xml#login" /> >>>>>>> >>>>>>> >>>>>>>> Not with a direct link to the comment where is the explanation ;p >>>>>>>> Actually it was more a didactic post >>>>>>>> >>>>>>>> Jacques >>>>>>>> >>>>>>>> From: "BJ Freeman" <[hidden email]> >>>>>>>>> LOL >>>>>>>>> that was the first link I sent on this thread. >>>>>>>>> >>>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM: >>>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS. >>>>>>>>>> >>>>>>>>>> You would have get >>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Jacques >>>>>>>>>> >>>>>>>>>> ----- Original Message ----- From: "Milind W" >>>>>>>>>> <[hidden email]> >>>>>>>>>> To: <[hidden email]> >>>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM >>>>>>>>>> Subject: Re: how to set security and permissions precedence >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> Let me try to break up questions. >>>>>>>>>>> Should'nt adding >>>>>>>>>>> base-permission="OFBTOOLS" >>>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user id >>>>>>>>>>> that >>>>>>>>>>> is >>>>>>>>>>> associated to the OFBTOOLS security group? >>>>>>>>>>> I can see the application I created and the line seems to have >>>>>>>>>>> no >>>>>>>>>>> effect. >>>>>>>>>>> What is the purpose of the line? >>>>>>>>>>> Thanks >>>>>>>>>>> -Milind >>>>>>>>>>> >>>>>>>>>>>> Please not that opentaps is not at the same level of revision >>>>>>>>>>>> that >>>>>>>>>>>> ofbiz >>>>>>>>>>>> it >>>>>>>>>>>> there have been changes to security. >>>>>>>>>>>> there are examples in the >>>>>>>>>>>> framework/example >>>>>>>>>>>> and >>>>>>>>>>>> framework/exampleext >>>>>>>>>>>> I believe this to better tutorial >>>>>>>>>>>> since they work already. 
>>>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>>>> hi,
>>>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>>>> I want to understand how security works so I made the following modifications to hello1
>>>>>>>>>>>>>>> 1) I added base-permission="OFBTOOLS" to the ofbiz-component.xml
>>>>>>>>>>>>>>> I could still see the application. I was assuming the application would ask me to login or prevent me from seeing the page.
>>>>>>>>>>>>>>> 2) I added <security> to the main request
>>>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the browser.
>>>>>>>>>>>>>>> How does permission precedence work, starting from the UI to the entity layer?
>>>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:159:WARN ] [RequestManager.getEventType] Type of event for request "checkLogin" not found
>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:146:WARN ] [RequestManager.getEventPath] Path of event for request "checkLogin" not found
>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:172:WARN ] [RequestManager.getEventMethod] Method of event for request "checkLogin" not found
>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ ControlServlet.java:205:ERROR]
>>>>>>>>>>>>>>> ---- runtime exception report --------------------------------------------------
>>>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>>>> ---- stack trace ---------------------------------------------------------------
>>>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
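The log quoted in this thread shows three failed lookups (event type, path and method) for a request named "checkLogin" right before the NullPointerException. The following is an added example, not part of any poster's message or of OFBiz itself: a small audit that lists which request-maps in a controller file require authentication and whether a `checkLogin` request-map with a complete event is present. Both XML samples are constructed; the `LoginWorker` event and the `login` view in the second sample, and the mapping of the three log lookups to the `type`, `path` and `invoke` attributes, are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples. BROKEN mirrors the request-map quoted in the thread;
# FIXED adds a checkLogin request-map (event class/method are assumptions).
BROKEN = """<site-conf>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
</site-conf>"""
FIXED = BROKEN.replace("</site-conf>", """  <request-map uri="checkLogin">
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
</site-conf>""")

def _local(tag):
    """Strip an XML namespace so namespaced controller files also match."""
    return tag.rsplit("}", 1)[-1]

def _child(el, name):
    return next((c for c in el if _local(c.tag) == name), None)

def audit_controller(xml_text):
    """Report auth-protected URIs and whether checkLogin can be resolved."""
    root = ET.fromstring(xml_text)
    maps = {el.get("uri"): el for el in root if _local(el.tag) == "request-map"}
    includes = [el.get("location") for el in root if _local(el.tag) == "include"]
    protected, unprotected = [], []
    for uri, el in maps.items():
        sec = _child(el, "security")
        is_auth = sec is not None and sec.get("auth") == "true"
        (protected if is_auth else unprotected).append(uri)
    # The three lookups that log WARN in the thread: event type, path, method.
    login = maps.get("checkLogin")
    event = _child(login, "event") if login is not None else None
    missing = [a for a in ("type", "path", "invoke")
               if event is None or not event.get(a)]
    if not protected or not missing:
        status = "ok"
    elif includes:
        status = "check-includes"   # checkLogin may live in an included file
    else:
        status = "broken"           # auth="true" with nothing to run
    return {"protected": protected, "unprotected": unprotected,
            "missing_event_attrs": missing, "status": status}

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit_controller(text))
```

The `unprotected` list is worth reviewing on its own: any URI there is served without a login check at the controller level.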