You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2009/04/25 20:32:55 UTC
backHome and backLast not secured
Is it normal that the backHome and backLast are not securised ?
<request-map uri="backHome">
<response name="success" type="view-home"/>
</request-map>
<request-map uri="backLast">
<response name="success" type="view-last"/>
</request-map>
Jacques
Re: backHome and backLast not secured
Posted by Nicolas <ma...@librenberry.net>.
Jacques Le Roux a écrit :
> Also as David pointed out, they should be used only with requests
> using https since now they are always secured. So they are ok for
> backend (is there any exceptions in backend where we dont secure URIs
> ?) but not for eCommerce for instance. We could have also the pair not
> secured for these cases, like backHomeS and backLastS for these one
> and backHome and backLast for the non secured pair. Then al this could
> be set in common-controller. Though beware, some links are secured in
> eCommerce too, like checking out for instance...
I vote for that, just find a good generic name for uri
Nicolas
>
> My 2 cts
>
> Jacques
>
> From: "Hans Bakker" <ma...@antwebsystems.com>
>> I was wrong that it was not used, (forgot about it, wrote it myself)
>>
>> it is currently used in the create contact mechanisms in the party
>> profile and in the mean time i have put it back with security as jacques
>> pointed out.
>>
>> regards,
>> Hans
>>
>> On Mon, 2009-04-27 at 19:55 +0200, Malin Nicolas wrote:
>>> Hans Bakker a écrit :
>>> > but do not waste too much time on this, they are not used
>>> anywhere.....
>>> >
>>> I thinks the view-last and view-home is good to manage user screen
>>> process. On many case, we have some user who do a search and operate
>>> some data modification. After operate their modification, they whant
>>> return to the last search result.
>>>
>>> Example, you list customer that missing last name, and for each put
>>> missed field. Actualy you need, do the search, select customer, save
>>> tel
>>> number, return to search, do the search.
>>> With view-last we can do :
>>> make the search, select customer, save tel number, select customer,
>>> save
>>> tel number, ...
>>>
>>> I try to implement this with view-last but if we call with request we
>>> have some previous parameters that break the last search, and if we
>>> call
>>> with reques-redirect, we lost security.
>>>
>>> If you add security on new uri backLast when can do that.
>>>
>>> Nicolas
>>>
>>> > On Sat, 2009-04-25 at 19:10 -0600, David E Jones wrote:
>>> >
>>> >> Where do these come from?
>>> >>
>>> >> The "view-home" and "view-last" response types should NEVER be used
>>> >> generically like this and instead should be specific for the
>>> >> particular request flow they are part of. Along with that, they
>>> should
>>> >> require https or not depending on the other requests they are
>>> working
>>> >> with.
>>> >>
>>> >> -David
>>> >>
>>> >>
>>> >> On Apr 25, 2009, at 12:32 PM, Jacques Le Roux wrote:
>>> >>
>>> >>
>>> >>> Is it normal that the backHome and backLast are not securised ?
>>> >>>
>>> >>> <request-map uri="backHome">
>>> >>> <response name="success" type="view-home"/>
>>> >>> </request-map>
>>> >>> <request-map uri="backLast">
>>> >>> <response name="success" type="view-last"/>
>>> >>> </request-map>
>>> >>>
>>> >>> Jacques
>>> >>>
>>> >>>
>>>
>>>
>> --
>> Antwebsystems.com: Quality OFBiz services for competitive rates
>>
>
>
>
Re: backHome and backLast not secured
Posted by Hans Bakker <ma...@antwebsystems.com>.
Hi David,
many screens in the party manager have a 'back' button which uses this
request. One can discuss if this button is required...however if used, i
do not see anything wrong with this generic request.
i another mail i ask you to give reasons for this statement.
Regards,
Hans
On Tue, 2009-04-28 at 05:53 -0600, David E Jones wrote:
> On Apr 28, 2009, at 12:53 AM, Jacques Le Roux wrote:
>
> > Also as David pointed out, they should be used only with requests
> > using https since now they are always secured.
>
> Actually no, I didn't say that, I said: "Along with that, they should
> require https or not depending on the other requests they are working
> with." You can see that quote below. In general if you re-read what I
> wrote I was recommending against having such generic requests and
> using some specific to the set of screens being created.
>
> -David
>
>
> > So they are ok for backend (is there any exceptions in backend where
> > we dont secure URIs ?) but not for eCommerce for instance. We could
> > have also the pair not secured for these cases, like backHomeS and
> > backLastS for these one and backHome and backLast for the non
> > secured pair. Then al this could be set in common-controller. Though
> > beware, some links are secured in eCommerce too, like checking out
> > for instance...
> >
> > My 2 cts
> >
> > Jacques
> >
> > From: "Hans Bakker" <ma...@antwebsystems.com>
> >> I was wrong that it was not used, (forgot about it, wrote it myself)
> >>
> >> it is currently used in the create contact mechanisms in the party
> >> profile and in the mean time i have put it back with security as
> >> jacques
> >> pointed out.
> >>
> >> regards,
> >> Hans
> >>
> >> On Mon, 2009-04-27 at 19:55 +0200, Malin Nicolas wrote:
> >>> Hans Bakker a écrit :
> >>> > but do not waste too much time on this, they are not used
> >>> anywhere.....
> >>> >
> >>> I thinks the view-last and view-home is good to manage user screen
> >>> process. On many case, we have some user who do a search and operate
> >>> some data modification. After operate their modification, they whant
> >>> return to the last search result.
> >>>
> >>> Example, you list customer that missing last name, and for each put
> >>> missed field. Actualy you need, do the search, select customer,
> >>> save tel
> >>> number, return to search, do the search.
> >>> With view-last we can do :
> >>> make the search, select customer, save tel number, select
> >>> customer, save
> >>> tel number, ...
> >>>
> >>> I try to implement this with view-last but if we call with request
> >>> we
> >>> have some previous parameters that break the last search, and if
> >>> we call
> >>> with reques-redirect, we lost security.
> >>>
> >>> If you add security on new uri backLast when can do that.
> >>>
> >>> Nicolas
> >>>
> >>> > On Sat, 2009-04-25 at 19:10 -0600, David E Jones wrote:
> >>> >
> >>> >> Where do these come from?
> >>> >>
> >>> >> The "view-home" and "view-last" response types should NEVER be
> >>> used
> >>> >> generically like this and instead should be specific for the
> >>> >> particular request flow they are part of. Along with that, they
> >>> should
> >>> >> require https or not depending on the other requests they are
> >>> working
> >>> >> with.
> >>> >>
> >>> >> -David
> >>> >>
> >>> >>
> >>> >> On Apr 25, 2009, at 12:32 PM, Jacques Le Roux wrote:
> >>> >>
> >>> >>
> >>> >>> Is it normal that the backHome and backLast are not securised ?
> >>> >>>
> >>> >>> <request-map uri="backHome">
> >>> >>> <response name="success" type="view-home"/>
> >>> >>> </request-map>
> >>> >>> <request-map uri="backLast">
> >>> >>> <response name="success" type="view-last"/>
> >>> >>> </request-map>
> >>> >>>
> >>> >>> Jacques
> >>> >>>
> >>> >>>
> >>>
> >>>
> >> --
> >> Antwebsystems.com: Quality OFBiz services for competitive rates
> >
> >
>
--
Antwebsystems.com: Quality OFBiz services for competitive rates
Re: backHome and backLast not secured
Posted by Jacques Le Roux <ja...@les7arts.com>.
From: "David E Jones" <da...@hotwaxmedia.com>
>
> On Apr 28, 2009, at 12:53 AM, Jacques Le Roux wrote:
>
>> Also as David pointed out, they should be used only with requests using https since now they are always secured.
>
> Actually no, I didn't say that, I said: "Along with that, they should require https or not depending on the other requests they
> are working with." You can see that quote below. In general if you re-read what I wrote I was recommending against having such
> generic requests and using some specific to the set of screens being created.
I understood what you said, but I don't understand why. What are we missing ?
Hans introduced this functionnality at r758522. He wrote
<<5. added 'save-home' and save 'current' in the same pattern as 'save-last' function in the controler.xml
6. added 'view-home' in the same pattern as 'view-last'>>
I see 'view-home' as a fast-reward (I mean like back to 1st page if you prefer).
Are you afraid that if people use several process (browsers's tabs or windows) they could mix their "home" (1st page) and end in odd
results. Actually this may happen but apart that I don't see any other problems.
Jacques
> -David
>
>
>> So they are ok for backend (is there any exceptions in backend where we dont secure URIs ?) but not for eCommerce for instance.
>> We could have also the pair not secured for these cases, like backHomeS and backLastS for these one and backHome and backLast
>> for the non secured pair. Then al this could be set in common-controller. Though beware, some links are secured in eCommerce
>> too, like checking out for instance...
>>
>> My 2 cts
>>
>> Jacques
>>
>> From: "Hans Bakker" <ma...@antwebsystems.com>
>>> I was wrong that it was not used, (forgot about it, wrote it myself)
>>>
>>> it is currently used in the create contact mechanisms in the party
>>> profile and in the mean time i have put it back with security as jacques
>>> pointed out.
>>>
>>> regards,
>>> Hans
>>>
>>> On Mon, 2009-04-27 at 19:55 +0200, Malin Nicolas wrote:
>>>> Hans Bakker a écrit :
>>>> > but do not waste too much time on this, they are not used
>>>> anywhere.....
>>>> >
>>>> I thinks the view-last and view-home is good to manage user screen
>>>> process. On many case, we have some user who do a search and operate
>>>> some data modification. After operate their modification, they whant
>>>> return to the last search result.
>>>>
>>>> Example, you list customer that missing last name, and for each put
>>>> missed field. Actualy you need, do the search, select customer, save tel
>>>> number, return to search, do the search.
>>>> With view-last we can do :
>>>> make the search, select customer, save tel number, select customer, save
>>>> tel number, ...
>>>>
>>>> I try to implement this with view-last but if we call with request we
>>>> have some previous parameters that break the last search, and if we call
>>>> with reques-redirect, we lost security.
>>>>
>>>> If you add security on new uri backLast when can do that.
>>>>
>>>> Nicolas
>>>>
>>>> > On Sat, 2009-04-25 at 19:10 -0600, David E Jones wrote:
>>>> >
>>>> >> Where do these come from?
>>>> >>
>>>> >> The "view-home" and "view-last" response types should NEVER be
>>>> used
>>>> >> generically like this and instead should be specific for the
>>>> >> particular request flow they are part of. Along with that, they
>>>> should
>>>> >> require https or not depending on the other requests they are
>>>> working
>>>> >> with.
>>>> >>
>>>> >> -David
>>>> >>
>>>> >>
>>>> >> On Apr 25, 2009, at 12:32 PM, Jacques Le Roux wrote:
>>>> >>
>>>> >>
>>>> >>> Is it normal that the backHome and backLast are not securised ?
>>>> >>>
>>>> >>> <request-map uri="backHome">
>>>> >>> <response name="success" type="view-home"/>
>>>> >>> </request-map>
>>>> >>> <request-map uri="backLast">
>>>> >>> <response name="success" type="view-last"/>
>>>> >>> </request-map>
>>>> >>>
>>>> >>> Jacques
>>>> >>>
>>>> >>>
>>>>
>>>>
>>> --
>>> Antwebsystems.com: Quality OFBiz services for competitive rates
>>
>>
>
>
Re: backHome and backLast not secured
Posted by David E Jones <da...@hotwaxmedia.com>.
On Apr 28, 2009, at 12:53 AM, Jacques Le Roux wrote:
> Also as David pointed out, they should be used only with requests
> using https since now they are always secured.
Actually no, I didn't say that, I said: "Along with that, they should
require https or not depending on the other requests they are working
with." You can see that quote below. In general if you re-read what I
wrote I was recommending against having such generic requests and
using some specific to the set of screens being created.
-David
> So they are ok for backend (is there any exceptions in backend where
> we dont secure URIs ?) but not for eCommerce for instance. We could
> have also the pair not secured for these cases, like backHomeS and
> backLastS for these one and backHome and backLast for the non
> secured pair. Then al this could be set in common-controller. Though
> beware, some links are secured in eCommerce too, like checking out
> for instance...
>
> My 2 cts
>
> Jacques
>
> From: "Hans Bakker" <ma...@antwebsystems.com>
>> I was wrong that it was not used, (forgot about it, wrote it myself)
>>
>> it is currently used in the create contact mechanisms in the party
>> profile and in the mean time i have put it back with security as
>> jacques
>> pointed out.
>>
>> regards,
>> Hans
>>
>> On Mon, 2009-04-27 at 19:55 +0200, Malin Nicolas wrote:
>>> Hans Bakker a écrit :
>>> > but do not waste too much time on this, they are not used
>>> anywhere.....
>>> >
>>> I thinks the view-last and view-home is good to manage user screen
>>> process. On many case, we have some user who do a search and operate
>>> some data modification. After operate their modification, they whant
>>> return to the last search result.
>>>
>>> Example, you list customer that missing last name, and for each put
>>> missed field. Actualy you need, do the search, select customer,
>>> save tel
>>> number, return to search, do the search.
>>> With view-last we can do :
>>> make the search, select customer, save tel number, select
>>> customer, save
>>> tel number, ...
>>>
>>> I try to implement this with view-last but if we call with request
>>> we
>>> have some previous parameters that break the last search, and if
>>> we call
>>> with reques-redirect, we lost security.
>>>
>>> If you add security on new uri backLast when can do that.
>>>
>>> Nicolas
>>>
>>> > On Sat, 2009-04-25 at 19:10 -0600, David E Jones wrote:
>>> >
>>> >> Where do these come from?
>>> >>
>>> >> The "view-home" and "view-last" response types should NEVER be
>>> used
>>> >> generically like this and instead should be specific for the
>>> >> particular request flow they are part of. Along with that, they
>>> should
>>> >> require https or not depending on the other requests they are
>>> working
>>> >> with.
>>> >>
>>> >> -David
>>> >>
>>> >>
>>> >> On Apr 25, 2009, at 12:32 PM, Jacques Le Roux wrote:
>>> >>
>>> >>
>>> >>> Is it normal that the backHome and backLast are not securised ?
>>> >>>
>>> >>> <request-map uri="backHome">
>>> >>> <response name="success" type="view-home"/>
>>> >>> </request-map>
>>> >>> <request-map uri="backLast">
>>> >>> <response name="success" type="view-last"/>
>>> >>> </request-map>
>>> >>>
>>> >>> Jacques
>>> >>>
>>> >>>
>>>
>>>
>> --
>> Antwebsystems.com: Quality OFBiz services for competitive rates
>
>
Re: backHome and backLast not secured
Posted by Jacques Le Roux <ja...@les7arts.com>.
Also as David pointed out, they should be used only with requests using https since now they are always secured. So they are ok for
backend (is there any exceptions in backend where we dont secure URIs ?) but not for eCommerce for instance. We could have also the
pair not secured for these cases, like backHomeS and backLastS for these one and backHome and backLast for the non secured pair.
Then al this could be set in common-controller. Though beware, some links are secured in eCommerce too, like checking out for
instance...
My 2 cts
Jacques
From: "Hans Bakker" <ma...@antwebsystems.com>
>I was wrong that it was not used, (forgot about it, wrote it myself)
>
> it is currently used in the create contact mechanisms in the party
> profile and in the mean time i have put it back with security as jacques
> pointed out.
>
> regards,
> Hans
>
> On Mon, 2009-04-27 at 19:55 +0200, Malin Nicolas wrote:
>> Hans Bakker a écrit :
>> > but do not waste too much time on this, they are not used anywhere.....
>> >
>> I thinks the view-last and view-home is good to manage user screen
>> process. On many case, we have some user who do a search and operate
>> some data modification. After operate their modification, they whant
>> return to the last search result.
>>
>> Example, you list customer that missing last name, and for each put
>> missed field. Actualy you need, do the search, select customer, save tel
>> number, return to search, do the search.
>> With view-last we can do :
>> make the search, select customer, save tel number, select customer, save
>> tel number, ...
>>
>> I try to implement this with view-last but if we call with request we
>> have some previous parameters that break the last search, and if we call
>> with reques-redirect, we lost security.
>>
>> If you add security on new uri backLast when can do that.
>>
>> Nicolas
>>
>> > On Sat, 2009-04-25 at 19:10 -0600, David E Jones wrote:
>> >
>> >> Where do these come from?
>> >>
>> >> The "view-home" and "view-last" response types should NEVER be used
>> >> generically like this and instead should be specific for the
>> >> particular request flow they are part of. Along with that, they should
>> >> require https or not depending on the other requests they are working
>> >> with.
>> >>
>> >> -David
>> >>
>> >>
>> >> On Apr 25, 2009, at 12:32 PM, Jacques Le Roux wrote:
>> >>
>> >>
>> >>> Is it normal that the backHome and backLast are not securised ?
>> >>>
>> >>> <request-map uri="backHome">
>> >>> <response name="success" type="view-home"/>
>> >>> </request-map>
>> >>> <request-map uri="backLast">
>> >>> <response name="success" type="view-last"/>
>> >>> </request-map>
>> >>>
>> >>> Jacques
>> >>>
>> >>>
>>
>>
> --
> Antwebsystems.com: Quality OFBiz services for competitive rates
>
Re: backHome and backLast not secured
Posted by Hans Bakker <ma...@antwebsystems.com>.
I was wrong that it was not used, (forgot about it, wrote it myself)
it is currently used in the create contact mechanisms in the party
profile and in the mean time i have put it back with security as jacques
pointed out.
regards,
Hans
On Mon, 2009-04-27 at 19:55 +0200, Malin Nicolas wrote:
> Hans Bakker a écrit :
> > but do not waste too much time on this, they are not used anywhere.....
> >
> I thinks the view-last and view-home is good to manage user screen
> process. On many case, we have some user who do a search and operate
> some data modification. After operate their modification, they whant
> return to the last search result.
>
> Example, you list customer that missing last name, and for each put
> missed field. Actualy you need, do the search, select customer, save tel
> number, return to search, do the search.
> With view-last we can do :
> make the search, select customer, save tel number, select customer, save
> tel number, ...
>
> I try to implement this with view-last but if we call with request we
> have some previous parameters that break the last search, and if we call
> with reques-redirect, we lost security.
>
> If you add security on new uri backLast when can do that.
>
> Nicolas
>
> > On Sat, 2009-04-25 at 19:10 -0600, David E Jones wrote:
> >
> >> Where do these come from?
> >>
> >> The "view-home" and "view-last" response types should NEVER be used
> >> generically like this and instead should be specific for the
> >> particular request flow they are part of. Along with that, they should
> >> require https or not depending on the other requests they are working
> >> with.
> >>
> >> -David
> >>
> >>
> >> On Apr 25, 2009, at 12:32 PM, Jacques Le Roux wrote:
> >>
> >>
> >>> Is it normal that the backHome and backLast are not securised ?
> >>>
> >>> <request-map uri="backHome">
> >>> <response name="success" type="view-home"/>
> >>> </request-map>
> >>> <request-map uri="backLast">
> >>> <response name="success" type="view-last"/>
> >>> </request-map>
> >>>
> >>> Jacques
> >>>
> >>>
>
>
--
Antwebsystems.com: Quality OFBiz services for competitive rates
Re: backHome and backLast not secured
Posted by Malin Nicolas <ma...@librenberry.net>.
Hans Bakker a écrit :
> but do not waste too much time on this, they are not used anywhere.....
>
I thinks the view-last and view-home is good to manage user screen
process. On many case, we have some user who do a search and operate
some data modification. After operate their modification, they whant
return to the last search result.
Example, you list customer that missing last name, and for each put
missed field. Actualy you need, do the search, select customer, save tel
number, return to search, do the search.
With view-last we can do :
make the search, select customer, save tel number, select customer, save
tel number, ...
I try to implement this with view-last but if we call with request we
have some previous parameters that break the last search, and if we call
with reques-redirect, we lost security.
If you add security on new uri backLast when can do that.
Nicolas
> On Sat, 2009-04-25 at 19:10 -0600, David E Jones wrote:
>
>> Where do these come from?
>>
>> The "view-home" and "view-last" response types should NEVER be used
>> generically like this and instead should be specific for the
>> particular request flow they are part of. Along with that, they should
>> require https or not depending on the other requests they are working
>> with.
>>
>> -David
>>
>>
>> On Apr 25, 2009, at 12:32 PM, Jacques Le Roux wrote:
>>
>>
>>> Is it normal that the backHome and backLast are not securised ?
>>>
>>> <request-map uri="backHome">
>>> <response name="success" type="view-home"/>
>>> </request-map>
>>> <request-map uri="backLast">
>>> <response name="success" type="view-last"/>
>>> </request-map>
>>>
>>> Jacques
>>>
>>>
--
Nicolas MALIN
Consultant
Tél : 06.17.66.40.06
Site projet : http://www.neogia.org/
-------
Société LibrenBerry
Tél : 02.48.02.56.12
Site : http://www.librenberry.net/
Re: backHome and backLast not secured
Posted by Hans Bakker <ma...@antwebsystems.com>.
but do not waste too much time on this, they are not used anywhere.....
On Sat, 2009-04-25 at 19:10 -0600, David E Jones wrote:
> Where do these come from?
>
> The "view-home" and "view-last" response types should NEVER be used
> generically like this and instead should be specific for the
> particular request flow they are part of. Along with that, they should
> require https or not depending on the other requests they are working
> with.
>
> -David
>
>
> On Apr 25, 2009, at 12:32 PM, Jacques Le Roux wrote:
>
> > Is it normal that the backHome and backLast are not securised ?
> >
> > <request-map uri="backHome">
> > <response name="success" type="view-home"/>
> > </request-map>
> > <request-map uri="backLast">
> > <response name="success" type="view-last"/>
> > </request-map>
> >
> > Jacques
> >
>
--
Antwebsystems.com: Quality OFBiz services for competitive rates
Re: backHome and backLast not secured
Posted by Hans Bakker <ma...@antwebsystems.com>.
an explanation WHY not use generically would help a lot....
remember, these requests simply display an already displayed view again
without any processing.
Hans
On Sat, 2009-04-25 at 19:10 -0600, David E Jones wrote:
> Where do these come from?
>
> The "view-home" and "view-last" response types should NEVER be used
> generically like this and instead should be specific for the
> particular request flow they are part of. Along with that, they should
> require https or not depending on the other requests they are working
> with.
>
> -David
>
>
> On Apr 25, 2009, at 12:32 PM, Jacques Le Roux wrote:
>
> > Is it normal that the backHome and backLast are not securised ?
> >
> > <request-map uri="backHome">
> > <response name="success" type="view-home"/>
> > </request-map>
> > <request-map uri="backLast">
> > <response name="success" type="view-last"/>
> > </request-map>
> >
> > Jacques
> >
>
--
Antwebsystems.com: Quality OFBiz services for competitive rates
Re: backHome and backLast not secured
Posted by David E Jones <da...@hotwaxmedia.com>.
Where do these come from?
The "view-home" and "view-last" response types should NEVER be used
generically like this and instead should be specific for the
particular request flow they are part of. Along with that, they should
require https or not depending on the other requests they are working
with.
-David
On Apr 25, 2009, at 12:32 PM, Jacques Le Roux wrote:
> Is it normal that the backHome and backLast are not securised ?
>
> <request-map uri="backHome">
> <response name="success" type="view-home"/>
> </request-map>
> <request-map uri="backLast">
> <response name="success" type="view-last"/>
> </request-map>
>
> Jacques
>
Re: backHome and backLast not secured
Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Hans,
OK, I just noticed that we were switching from https to http in backend, this is pretty rare (actually it's the only case I know,
but I may miss others) that's why.
BTW we hve a problem with r768643 and r768644 since (at least) backHome is used in many places
Jacques
From: "Hans Bakker" <ma...@antwebsystems.com>
>I do not think this makes a difference (add or not) because these
> display a view which was displayed before.
>
>
> On Sat, 2009-04-25 at 20:32 +0200, Jacques Le Roux wrote:
>> Is it normal that the backHome and backLast are not securised ?
>>
>> <request-map uri="backHome">
>> <response name="success" type="view-home"/>
>> </request-map>
>> <request-map uri="backLast">
>> <response name="success" type="view-last"/>
>> </request-map>
>>
>> Jacques
>>
> --
> Antwebsystems.com: Quality OFBiz services for competitive rates
>