
Re: Users - After login, username/password are in the page URL

Posted by Vinay Agarwal on Mar 04, 2006; 4:49pm
URL: http://ofbiz.116.s1.nabble.com/Users-After-login-username-password-are-in-the-page-URL-tp137768p137770.html

David,

Would it be better to remove parameters named "USERNAME" and "PASSWORD" from
being added to the result in makeQueryString (line 425 of
RequestHandler.java)? Of course, it would not work if those fields are named
something else but that may be OK.

Regards,
Vinay Agarwal

-----Original Message-----
From: [hidden email] [mailto:[hidden email]]
On Behalf Of David E. Jones
Sent: Friday, March 03, 2006 5:51 PM
To: OFBiz Users / Usage Discussion
Subject: Re: [OFBiz] Users - After login, username/password are in the page URL


Vinay,

It sounds like you need to step back from the details and consider  
the bigger picture for a second.

There are certainly some cases where we need to pass the arguments in  
the URL. Some of this could be refactored to put them in the session  
for the case of post-login view rendering, and I think that might  
work but it would be a bit of work.

Whatever the case, the code changes you are making obviously have  
some issues. You need to either pull the username and password out of  
the parameters map/string, or change where you are interrupting the  
flow.

In the bigger picture a password (well, especially password, username  
isn't generally so critical/protected) should NEVER EVER be passed in  
a URL. I think this is what you are picking up on. Even over  
encrypted connections (ie via HTTPS) the URL itself is not encrypted.  
So, these should _only_ be sent as form field values.

-David


On Mar 3, 2006, at 3:54 PM, Vinay Agarwal wrote:

> David,
>
> Not sure if this is the way to do it, but looking at the handling  
> for the
> default case on line 403
>
> renderView(nextView, requestManager.allowExtView(requestUri), request, response);
>
> It is not adding query string to the URL. If the same works for  
> redirect
> case, then changing line 391 from
>
> callRedirect(makeLinkWithQueryString(request, response, "/" + nextView), response, request);
>
> to:
> callRedirect(nextView, response, request);
>
> would solve the problem. Is this the way to do it?
>
> Regards,
> Vinay Agarwal
>
> -----Original Message-----
> From: [hidden email] [mailto:users-[hidden email]]
> On Behalf Of Vinay Agarwal
> Sent: Friday, March 03, 2006 2:10 PM
> To: 'OFBiz Users / Usage Discussion'
> Subject: Re: [OFBiz] Users - After login, username/password are in the page URL
>
> David,
>
> The username/password are added by a call to  
> makeLinkWithQueryString on line
> 391 of framework/webapp/src/org/ofbiz/webapp/control/
> RequestHandler.java.
>
> Regards,
> Vinay Agarwal
>
> -----Original Message-----
> From: [hidden email] [mailto:users-[hidden email]]
> On Behalf Of Vinay Agarwal
> Sent: Friday, March 03, 2006 1:33 PM
> To: 'OFBiz Users / Usage Discussion'
> Subject: Re: [OFBiz] Users - After login, username/password are in the page URL
>
> David,
>
> I modified the checkLoginUrl to include "request-redirect:" like the
> following
> https://localhost:8443/ecommerce/control/checkLogin/request-redirect:login
>
> To reproduce this with ecommerce application in latest code, in the  
> file
> ecommerce/widget/EcommerceSetup.bsh, line
>
> globalContext.put("checkLoginUrl", LoginWorker.makeLoginUrl(request, "checkLogin"));
>
> is replaced by
> String loginUrl = LoginWorker.makeLoginUrl(request, "checkLogin");
> int indx = loginUrl.lastIndexOf('/') + 1;
> loginUrl = loginUrl.substring(0, indx) + "request-redirect:" +
> loginUrl.substring(indx);
> globalContext.put("checkLoginUrl", loginUrl);
>
> This could not be seen prior to this mod since the URL showed
> https://localhost:8443/ecommerce/control/login
> on the main page after login.
>
> Regards,
> Vinay Agarwal
>
> -----Original Message-----
> From: [hidden email] [mailto:users-[hidden email]]
> On Behalf Of David E. Jones
> Sent: Friday, March 03, 2006 12:49 PM
> To: OFBiz Users / Usage Discussion
> Subject: Re: [OFBiz] Users - After login, username/password are in the page URL
>
>
> Vinay,
>
> Could you send over more details about where this happened and if
> needed what preceded it? Is this modified or stock (SVN) code?
>
> Thanks,
> -David
>
>
> On Mar 3, 2006, at 1:38 PM, Vinay Agarwal wrote:
>
>> Hello,
>>
>> After login, I find the username and password in the page URL like this:
>>
>> http://localhost:8080/control/main;jsessionid=26851BF0671EC5CFDEE70EC1ADA62179.jvm1?USERNAME=lauser&PASSWORD=testing
>>
>> To my knowledge, I am not calling any script to put stuff from
>> _PREVIOUS_PARAMS_ to URL. Any suggestions on how to fix it?
>>
>> Regards,
>>
>> Vinay Agarwal
>>
>>
>> _______________________________________________
>> Users mailing list
>> [hidden email]
>> http://lists.ofbiz.org/mailman/listinfo/users

 
_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users
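The two fixes discussed in this thread, stripping USERNAME and PASSWORD when the redirect query string is built and confirming that no credential ever lands in a URL, as an added example. This is not OFBiz code and it is written in Python rather than in the Java of RequestHandler.java; the function names make_query_string, make_redirect_url, url_leaks_credentials and the SENSITIVE_PARAMS set are hypothetical, and only the parameter names USERNAME and PASSWORD and the URL shape with ;jsessionid= come from the posts above. The sample parameters are constructed.

```python
"""
Added example (not OFBiz code): build a post-login redirect URL without
carrying credential parameters into the query string, and a checker that
flags any URL that already leaks them.

Hypothetical names: make_query_string, make_redirect_url,
url_leaks_credentials, SENSITIVE_PARAMS. Only the parameter names
USERNAME and PASSWORD come from the mailing-list thread.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameter names that must never appear in a URL. Matching is case-insensitive
# so USERNAME, username and Username are all caught. Extend this set if your
# login form names the fields differently.
SENSITIVE_PARAMS = {"username", "password"}


def make_query_string(params, sensitive=SENSITIVE_PARAMS):
    """Return a '?k=v&k2=v2' string built from params, dropping sensitive keys.

    params maps a name to a value or to a list of values, the way a servlet
    parameter map does. Values are URL-encoded. Returns '' when nothing is kept.
    """
    kept = []
    for name, value in params.items():
        if name.lower() in sensitive:
            continue  # never carry a credential into the URL
        values = value if isinstance(value, (list, tuple)) else [value]
        for v in values:
            kept.append((name, v))
    if not kept:
        return ""
    return "?" + urlencode(kept)


def make_redirect_url(base, next_view, params, session_id=None,
                      sensitive=SENSITIVE_PARAMS):
    """Compose base/next_view[;jsessionid=ID][?query] with credentials stripped."""
    url = f"{base.rstrip('/')}/{next_view.lstrip('/')}"
    if session_id:
        url += f";jsessionid={session_id}"
    return url + make_query_string(params, sensitive)


def url_leaks_credentials(url, sensitive=SENSITIVE_PARAMS):
    """Return the sensitive parameter names present in url's query string.

    urlsplit keeps the ';jsessionid=...' path parameter in .path, so only the
    part after '?' is inspected. Useful as a unit-test or log-scanning check.
    """
    parts = urlsplit(url)
    return [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() in sensitive]


if __name__ == "__main__":
    # Constructed request parameters, modelled on the login form in the thread.
    params = {"USERNAME": "lauser", "PASSWORD": "testing", "productId": "WG-1111"}
    leaky = ("http://localhost:8080/control/main;jsessionid="
             "26851BF0671EC5CFDEE70EC1ADA62179.jvm1?USERNAME=lauser&PASSWORD=testing")
    print("leaks before:", url_leaks_credentials(leaky))
    fixed = make_redirect_url("http://localhost:8080/control", "main", params,
                              session_id="26851BF0671EC5CFDEE70EC1ADA62179.jvm1")
    print("redirect:", fixed)
    print("leaks after:", url_leaks_credentials(fixed))
```

The strip belongs at the single place where the redirect query string is assembled, so that it holds no matter which request path triggers the redirect; the authenticated identity should then travel in the server-side session rather than in the URL. The checker is the regression test to keep alongside that change, because a URL with a password in it also ends up in browser history, proxy and server access logs and the Referer header of the next request.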