svn commit: r758734 - in /ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event: ServiceEventHandler.java ServiceMultiEventHandler.java

Author: jonesde
Date: Thu Mar 26 16:45:29 2009
New Revision: 758734

URL: http://svn.apache.org/viewvc?rev=758734&view=rev
Log:
Small change to error message for non-secure parameters to mention the form field that will hopefully help it mean more to more people; also changed the service-multi handler to be consistent with the service one

Modified:
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceMultiEventHandler.java

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java?rev=758734&r1=758733&r2=758734&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java Thu Mar 26 16:45:29 2009
@@ -267,7 +267,7 @@
                     // NOTE: the RequestHandler will check the HttpSerletRequest security to make sure it is secure if the request-map -> security -> https=true, but we can't just look at the request.isSecure() method here because it is allowed to send secure requests for request-map with https=false
                     if (requestMap != null && requestMap.securityHttps) {
                         if (urlOnlyParameterNames.contains(name)) {
-                            String errMsg = "Found URL parameter [" + name + "] passed to secure (https) request-map with uri [" + requestMap.uri + "] with an event that calls service [" + serviceName + "]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.";
+                            String errMsg = "Found URL parameter [" + name + "] passed to secure (https) request-map with uri [" + requestMap.uri + "] with an event that calls service [" + serviceName + "]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL.";
                             Debug.logError("=============== " + errMsg + "; In session [" + session.getId() + "]", module);
                             // NOTE: this forces service call event parameters to be in the body and not in the URL! can be issues with existing links, like Delete links or whatever, and those need to be changed to forms!
                             throw new EventHandlerException(errMsg);
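Review bot: The reworded errMsg on the + line still says the data "should be encrypted by making it part of the request body", which misstates the reason for the check: on an https request the query string is encrypted in transit just as the body is. The exposure being prevented is that URLs are retained in server access logs, browser history and Referer headers, so wording along the lines of "should be sent in the request body (a form field) so that it does not appear in the request URL" would be more accurate. The same string is both logged and thrown, and it embeds the request-supplied parameter name as-is, so it is worth confirming that whatever displays the EventHandlerException message escapes it.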

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceMultiEventHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceMultiEventHandler.java?rev=758734&r1=758733&r2=758734&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceMultiEventHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceMultiEventHandler.java Thu Mar 26 16:45:29 2009
@@ -228,9 +228,10 @@
                             // NOTE: the RequestHandler will check the HttpSerletRequest security to make sure it is secure if the request-map -> security -> https=true, but we can't just look at the request.isSecure() method here because it is allowed to send secure requests for request-map with https=false
                             if (requestMap != null && requestMap.securityHttps) {
                                 if (urlOnlyParameterNames.contains(name)) {
-                                    String errMsg = "Found URL parameter [" + name + "] passed to secure (https) request-map with uri [" + requestMap.uri + "] with an event that calls service [" + serviceName + "]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.";
-                                    Debug.logWarning("=============== " + errMsg, module);
-                                    // TODO: restore this once more issues with existing links, like Delete links in forms, are resolved, for now just log warnings: throw new EventHandlerException(errMsg);
+                                    String errMsg = "Found URL parameter [" + name + "] passed to secure (https) request-map with uri [" + requestMap.uri + "] with an event that calls service [" + serviceName + "]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL.";
+                                    Debug.logError("=============== " + errMsg + "; In session [" + session.getId() + "]", module);
+                                    // NOTE: this forces service call event parameters to be in the body and not in the URL! can be issues with existing links, like Delete links or whatever, and those need to be changed to forms!
+                                    throw new EventHandlerException(errMsg);
                                 }
                             }
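Review bot: The + lines that replace the Debug.logWarning call do more than reword the message: they enable "throw new EventHandlerException(errMsg);", which the removed TODO had deferred until "issues with existing links, like Delete links in forms, are resolved". The commit log should state that service-multi events now reject URL parameters on https request-maps, so that anyone whose existing links start failing can find the cause. The new Debug.logError line also writes session.getId() to the log in full; anyone with read access to the log then holds an identifier that may still belong to a live session, so log a truncated or hashed form instead. The same applies to the matching context line in ServiceEventHandler.java.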