Added: ofbiz/ofbiz-framework/branches/release17.12/docs/asciidoc/user-manual.adoc
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/docs/asciidoc/user-manual.adoc?rev=1847248&view=auto ============================================================================== --- ofbiz/ofbiz-framework/branches/release17.12/docs/asciidoc/user-manual.adoc (added) +++ ofbiz/ofbiz-framework/branches/release17.12/docs/asciidoc/user-manual.adoc Fri Nov 23 12:00:10 2018 
@@ -0,0 +1,156 @@ +//// +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +//// += Apache OFBiz User Manual +The Apache OFBiz Project +Release 17.12 +:imagesdir: ./images +ifdef::backend-pdf[] +:title-logo-image: image::OFBiz-Logo.svg[Apache OFBiz Logo, pdfwidth=4.25in, align=center] +:source-highlighter: rouge +endif::[] + +== Introduction to OFBiz + +Welcome to _Apache OFBiz_! A powerful top level Apache software project. +OFBiz is an Enterprise Resource Planning (ERP) System written in Java and +houses a large set of libraries, entities, services and features to run +all aspects of your business. + +This manual will describe all aspects of this powerful ERP system. The manual +starts with the basics of what OFBiz is and how it works, and describes high +level concepts like the entity engine, service engine, widget system and so on. +In addition the manual explains the core application of this framework like the +Party Manager, Order Manager, Accounting system, and others. + +If you wish to contribute to OFBiz and help make it better, you may wish to read +the "Apache OFBiz Developer Manual" for a deeper understanding of the +architectural concepts of the framework. 
+ +=== What is Apache OFBiz + +It is hard to define OFBiz because it offers many different solutions targeted +at different levels of interests (users, developers, business owners). At a low +level it may considered a web framework, at another level, it may +considered a full fledged ERP system, and yet it can also be considered a +business automation suite. + +=== The main parts of Apache OFBiz + +Perhaps to better understand what OFBiz is, it may be necessary to understand +its main parts and the purpose that each part plays. Thus the main parts or +sub-systems are summarized below. + +==== Web MVC Framework + +The lowest or most foundational part of Apache OFBiz is a classical web MVC +(Model View Controller) framework. This part of the system is designed for basic +routing of web requests and may be considered as the infrastructure or plumbing +where everything is wired together. + +==== Entity Engine + +The entity engine allows OFBiz users to define entities, data, and queries in a +database-independent domain specific language (DSL) based on XML. Thus, without +learning any SQL users can create and interact with databases in a +platform-independent manner and Apache OFBiz would make the translations under +the hood to each database system. + +==== Service Engine + +Apache OFBiz is designed specifically around a Service Oriented Architecture +(SOA). Services are units of business logic that take a set of input values and +produces a set of output values. + +Services are programming-language-independent. It does not matter whether a +service is implemented using Java, Groovy, Jython, or something else because +services are an abstraction away from the underlying technology. This provides +maximum flexibility for designing business logic without worrying about +interoperability between different languages. 
+ +==== Widget System + +Whether the output is HTML, CSV, PDF, or something else, Apache OFBiz provides a +system for creating user interface that is independent of the actual +implementation. This makes it possible to publish the same widget to HTML, PDF, +CSV or some other output format. + +However, the widget system allows users, if needed, to drop down to any +platform-specific code and mix it with widget designs, thus providing a mix +between ease of use, platform independence and customizability. + +==== Data Model Library + +Apache OFBiz is heavily inspired by a book called the "The Data Model Resource +Book". This book provides a "A Library of Universal Data Models for All +Enterprises". These models cover things like parties, orders, invoices, +payments, general ledgers, quotes and much more. + +By using OFBiz, adopters start with a full pre-designed data model that covers +common and universal business requirements. Hundreds of entities are defined +which save many hours of thinking, designing, and testing such models. + +It is important to note that the data model library does not only cover +entities, but also the data that comes with these entities. Data is further +categorized by function (seed, demo, etc ...) + +==== Service Library + +Having a rich and powerful data model is not very useful on its own without +services that apply business logic on this data model. That is where the +services defined in Apache OFBiz come into play. + +OFBiz provides, out-of-the-box, thousands of services to create, retrieve, +update, delete, search, and do many other operations on the data model. + +==== Core Applications + +The core applications in Apache OFBiz are web applications that serve common +business needs found in most enterprises such as accounting, order management, +party management and so on. + +These core applications are built on top of the data model and service library +earlier described. 
The core applications are further described in the relevant +section. + +==== Plugins + +OFBiz extends any basic functionality through plugins. Plugins are very similar +to the core applications in design and structure, but are not shipped with +OFBiz by default. Thus to install a plugin a user must add it to the framework +first. + +include::../../README.adoc[tags=quickstart] + +== Core Business Applications + +Most businesses share universal needs. They require accounting functionality, +managing customers, placing orders, book-keeping, invoicing and so on. + +OFBiz is designed so that such basic universal business needs are available +through a set of core business applications. These applications all share a +unified data-model with a set of unified services to implement this +functionality. + +This section of the manual will describe each core business application +starting with a high level overview of design and purpose down to the details +of how to achieve common tasks. + +include::../../applications/accounting/src/docs/asciidoc/accounting.adoc[leveloffset=+2] + +include::../../applications/humanres/src/docs/asciidoc/humanres.adoc[leveloffset=+2] Propchange: ofbiz/ofbiz-framework/branches/release17.12/docs/asciidoc/user-manual.adoc ------------------------------------------------------------------------------ svn:eol-style = native Propchange: ofbiz/ofbiz-framework/branches/release17.12/docs/asciidoc/user-manual.adoc ------------------------------------------------------------------------------ svn:keywords = Date Rev Author URL Id Propchange: ofbiz/ofbiz-framework/branches/release17.12/docs/asciidoc/user-manual.adoc ------------------------------------------------------------------------------ svn:mime-type = text/plain Added: ofbiz/ofbiz-framework/branches/release17.12/framework/security/src/docs/asciidoc/_include/security-impersonation.adoc URL: 
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/framework/security/src/docs/asciidoc/_include/security-impersonation.adoc?rev=1847248&view=auto ============================================================================== --- ofbiz/ofbiz-framework/branches/release17.12/framework/security/src/docs/asciidoc/_include/security-impersonation.adoc (added) +++ ofbiz/ofbiz-framework/branches/release17.12/framework/security/src/docs/asciidoc/_include/security-impersonation.adoc Fri Nov 23 12:00:10 2018 
@@ -0,0 +1,127 @@ +//// +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +//// + += Impersonation +== What is Impersonation in Apache OFBiz +The Apache OFBiz Project +Release 17.12 + +:imagesdir: ../../themes/common-theme/webapp/images/img/ +ifdef::backend-pdf[] +:title-logo-image: image::OFBiz-Logo.svg[Apache OFBiz Logo, pdfwidth=4.25in, align=center] +:source-highlighter: rouge +endif::[] + +=== Introduction to User impersonation + +User Impersonation is a feature that offer a way to select a user login and impersonate it, i.e. see what the user could +see navigating through the application in his name. + +=== How do this work ? + +An authorized user _(see <<Security,security>> and <<Controls,controls>> section for configuration)_, can select a user +that will be impersonated. + +The impersonation start, if everything is well configured, in current application (partymgr for the demo). 
+Everything appears like if we were logged in with the userLoginId and the valid password (though we know nothing about it) + +The only thing showing that we currently are impersonating a user is the little bottom-right image : + +image::impersonate-ico.png[Impersonate icon, pdfwidth=0.5in, align=right] + +This icon indicates, when clicking on it, the user impersonated, and offer a way to depersonate. + +The impersonate period is stored for audit purpose, and if the impersonator forgot to depersonate, the period +is terminated _one hour_ after impersonation start. + +=== Security + +This feature can draw some concerns about security aspect. This paragraph will introduce every controls and properties +that have been implemented around the impersonation feature. + +[CAUTION] +These configuration steps are not to be neglected for a *production environment* since this feature offer a way to act + in place of another user. + +==== Properties + +The _security.properties_ file introduce two properties that control impersonation feature : + + +[source] +security.disable.impersonation = true + +This property, set by default to *true*, controls the activation of impersonation feature. If no configuration is done +any user trying to use impersonation will face an error message, indicating that the feature is disabled. + +To enable impersonation this property need to be set to *false* + + +[source] +security.login.authorised.during.impersonate = false + +This property controls the way impersonation occurred to the impersonated user : + +In default configuration, the impersonated user see nothing and can use the application without knowing that he is +currently impersonated. Several authorized user can impersonate a same login without any issue. + +[NOTE] +This configuration is intended for testing/QA environment allowing any authorized user to impersonate a login +to validate its configuration, test the application etc. 
+ +Set to *true*, this configuration improve the control of the data generated by the impersonated user. Indeed, Only one +authorized user can impersonate a login at the same time, and during the impersonation process, the impersonated user +is unable to act within the application. + +Since the impersonation period is stored in database, the actions done by the +authorized user can be identified if there is the need to do so. +[NOTE] +This configuration is intended for production environment + + +==== Controls + +The permission:: + +First, to be able to use impersonation, a user need to possess _IMPERSONATE_ADMIN_ permissions. Demo data offer +_IMPERSONATION_ security group for this purpose. + +In demo data, _FULLADMIN_ security group also possess the permission. + + +Permission based user restriction:: + +An authorized user cannot impersonate any user. There are two main controls that will restrict the impersonation feature. + +Cannot impersonate Admin user::: + +It is impossible to impersonate a user that is granted any of the admin permission : + + "IMPERSONATE_ADMIN" + "ARTIFACT_INFO_VIEW" + "SERVICE_MAINT" + "ENTITY_MAINT" + "UTIL_CACHE_VIEW" + "UTIL_DEBUG_VIEW" + +Cannot impersonate more privileged user::: + +It is impossible to impersonate a user that has more permission than your user. Even if the missing persmission is +a minor one. 
+ + Propchange: ofbiz/ofbiz-framework/branches/release17.12/framework/security/src/docs/asciidoc/_include/security-impersonation.adoc ------------------------------------------------------------------------------ svn:eol-style = native Propchange: ofbiz/ofbiz-framework/branches/release17.12/framework/security/src/docs/asciidoc/_include/security-impersonation.adoc ------------------------------------------------------------------------------ svn:keywords = Date Rev Author URL Id Propchange: ofbiz/ofbiz-framework/branches/release17.12/framework/security/src/docs/asciidoc/_include/security-impersonation.adoc ------------------------------------------------------------------------------ svn:mime-type = text/plain Added: ofbiz/ofbiz-framework/branches/release17.12/framework/security/src/docs/asciidoc/security.adoc URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/framework/security/src/docs/asciidoc/security.adoc?rev=1847248&view=auto ============================================================================== --- ofbiz/ofbiz-framework/branches/release17.12/framework/security/src/docs/asciidoc/security.adoc (added) +++ ofbiz/ofbiz-framework/branches/release17.12/framework/security/src/docs/asciidoc/security.adoc Fri Nov 23 12:00:10 2018 
@@ -0,0 +1,23 @@ +//// +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +//// + += Security + +include::_include/sy-impersonation.adoc[leveloffset=+1] + Propchange: ofbiz/ofbiz-framework/branches/release17.12/framework/security/src/docs/asciidoc/security.adoc ------------------------------------------------------------------------------ svn:eol-style = native Propchange: ofbiz/ofbiz-framework/branches/release17.12/framework/security/src/docs/asciidoc/security.adoc ------------------------------------------------------------------------------ svn:keywords = Date Rev Author URL Id Propchange: ofbiz/ofbiz-framework/branches/release17.12/framework/security/src/docs/asciidoc/security.adoc ------------------------------------------------------------------------------ svn:mime-type = text/plain Added: ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/docs/asciidoc/_include/wa-cross-domains-SSO.adoc URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/docs/asciidoc/_include/wa-cross-domains-SSO.adoc?rev=1847248&view=auto ============================================================================== --- 
ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/docs/asciidoc/_include/wa-cross-domains-SSO.adoc (added) +++ ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/docs/asciidoc/_include/wa-cross-domains-SSO.adoc Fri Nov 23 12:00:10 2018 
@@ -0,0 +1,81 @@ +//// +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +//// += Cross-domains Single Sign On (SSO) + +In some cases you need to split the OFBiz applications on different servers, and possibly in production on different domains. +This can happen for different reasons, most often for performance reason. + +As it's annoying to give each time a credential when changing from an OFBiz application to another on the same server, +the same applies when changing from an OFBiz application to another on another domain. + +To prevent that on the same server, the ExternalLoginKey mechanism is used. +The cross-domains SSO feature allows to navigate from a domain to another with automated SSO. + +It based on 3 technologies: + +JWT:: https://jwt.io/[JWT Official site] - +https://en.wikipedia.org/wiki/JSON_Web_Token[Wikipedia for JWT] + +CORS:: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS[CORS (Mozilla doc)] - https://en.wikipedia.org/wiki/Cross-origin_resource_sharing[Wikipedia for CORS] + +Ajax:: Ajax, now well known I guess, in OFBiz we use jQuery for that. + +The mechanism is simple. + +.On the source side: +. When an user log in in an application (webApp) a webappName.securedLoginId cookie is created. 
+This cookie will be used by the mechanism to know the current logged in user. +_Note that all webappName.securedLoginId cookies are deleted when the user session is closed or time out. +Hence (apart also using an intrinsically secured cookie) the mechanim is secured, even on shared machines. +Of course if people are sharing a machine during their sessions, things could get complicated. +This unlikely later case is not taken in account._ + +. The user is given a JavaScript link which passes the URL to reach and the calling webapp name to +the sendJWT() Ajax function. + +. The sendJWT() Ajax function calls the loadJWT() Ajax function which in turn calls +the CommonEvents::loadJWT method through the common controller. + +. The CommonEvents::loadJWT method uses the calling webapp name to retrieve the userLoginId from the secured +webappName.securedLoginId cookie, creates a JWT containing the userLoginId, and returns it to the loadJWT() Ajax function. + +. Then the sendJWT() Ajax function sends an Authorization header containing the JWT to the URL to reach. +At this stage, if all things are correct, the flow leaves the source side. + +.On the server side: +. A CORS policy is needed. _Without it, the Authorization token containing the JWT will be rejected. +It's a simple policy but you need to strictly define the authorized domains. Never use the lazy "*" for domains +(ie all domains), else the https://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Preflight_example[preflight request] will not work._ +Here is an example for Apache HTTPD (domain value is "https://localhost:8443" for official OFBiz demo): + +[source,] +---- +Header set Access-Control-Allow-Origin domain +Header set Access-Control-Allow-Headers "Authorization" +Header set Access-Control-Allow-Credentials "true" +---- + +. The checkJWTLogin preprocessor, similar to the checkExternalLoginKey, intercepts the JWT, checks it and +if all is OK signs the user on. That's it ! 
+ +In the example component, the FormWidgetExamples screen contains 2 new fields in the LinksExampleForm which +demonstrate the use from a local instance to the trunk demo instance. + + +If you are interested in more details you may refer to https://issues.apache.org/jira/browse/OFBIZ-10307 Propchange: ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/docs/asciidoc/_include/wa-cross-domains-SSO.adoc ------------------------------------------------------------------------------ svn:eol-style = native Propchange: ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/docs/asciidoc/_include/wa-cross-domains-SSO.adoc ------------------------------------------------------------------------------ svn:keywords = Date Rev Author URL Id Propchange: ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/docs/asciidoc/_include/wa-cross-domains-SSO.adoc ------------------------------------------------------------------------------ svn:mime-type = text/plain Added: ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/docs/asciidoc/webapp.adoc URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/docs/asciidoc/webapp.adoc?rev=1847248&view=auto ============================================================================== --- ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/docs/asciidoc/webapp.adoc (added) +++ ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/docs/asciidoc/webapp.adoc Fri Nov 23 12:00:10 2018 
@@ -0,0 +1,23 @@ +//// +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +//// += Web Applications + +The OFBiz webapp is one of the core framework components. It is tightly integrated with other framework components. + +include::_include/wa-cross-domains-SSO.adoc[leveloffset=+1] Propchange: ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/docs/asciidoc/webapp.adoc ------------------------------------------------------------------------------ svn:eol-style = native Propchange: ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/docs/asciidoc/webapp.adoc ------------------------------------------------------------------------------ svn:keywords = Date Rev Author URL Id Propchange: ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/docs/asciidoc/webapp.adoc ------------------------------------------------------------------------------ svn:mime-type = text/plain |
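Review bot: in docs/asciidoc/user-manual.adoc, the introduction says the manual explains core applications "like the Party Manager, Order Manager, Accounting system, and others", but the "Core Business Applications" section at the end of the hunk includes only accounting.adoc and humanres.adoc. Either add the missing includes or reword the introduction so it matches what this release ships. In "What is Apache OFBiz", "it may considered" is missing "be" in both places.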
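Review bot: in framework/security/src/docs/asciidoc/_include/security-impersonation.adoc, under "Properties", the description of security.login.authorised.during.impersonate reads as the opposite of the property name: with the value true the text says the impersonated user "is unable to act within the application", while with the shown value false the user keeps working and several authorized users can impersonate the same login. Please confirm the semantics against the code and state for each value whether the impersonated user can still log in and act, because the text marks true as the production setting while the value shown is the one described as intended for testing/QA. Separately, the "The Apache OFBiz Project" and "Release 17.12" lines sit after the "== What is Impersonation in Apache OFBiz" heading instead of directly under the "= Impersonation" title, so they will render as body text rather than as author and revision lines.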
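Review bot: in framework/security/src/docs/asciidoc/security.adoc, the include target does not match the file added by this same commit. The hunk has "include::_include/sy-impersonation.adoc[leveloffset=+1]", but the file added is _include/security-impersonation.adoc, so the include will not resolve and the Security chapter will be missing its only section. Rename one side so the two agree.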
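Review bot: in framework/webapp/src/docs/asciidoc/_include/wa-cross-domains-SSO.adoc, the checkJWTLogin step only says the preprocessor "checks it", and the CommonEvents::loadJWT step only says the JWT contains the userLoginId; nothing states how the token is signed, where the key is configured, or how long the token stays valid. Since this token signs a user on at another domain, document those points or link to where they are configured. In the HTTPD example, "Header set Access-Control-Allow-Origin domain" uses a bare placeholder; showing the quoted demo value from the sentence above would be safer to copy, and the text could give the reason for avoiding "*", which is that browsers refuse a wildcard origin when Access-Control-Allow-Credentials is "true".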