Posted to user@ofbiz.apache.org by Milind W <ma...@mymunshi.com> on 2008/08/01 23:37:41 UTC

Re: how to set security and permissions precedence

hi,
I got login to work by adding the changes below to my controller using
ofbiz4.0.
I don't think I follow the reason with OFBTOOLS base permission not
taking effect in the ofbiz-component as explained in OFBIZ-829.
But I agree with Si Chen on OFBIZ-829
"The right way is to assume no permission until one of the list of
permissions is met." Seems more intuitive.
For now I can work around it so thanks all.
-Milind



<preprocessor>
    <!-- Events to run on every request before security (chains exempt) -->
    <!-- <event type="java" path="org.ofbiz.webapp.event.TestEvent" invoke="test"/> -->
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
</preprocessor>

<!-- Request Mappings -->

<request-map uri="checkLogin" edit="false">
    <description>Verify a user is logged in.</description>
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
</request-map>

<request-map uri="login">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
</request-map>

<request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
</request-map>

<view-map name="login" type="screen" page="component://marketing/widget/CommonScreens.xml#login"/>


> Not with a direct link to the comment where is the explanation ;p
> Actually it was more a didactic post
>
> Jacques
>
> From: "BJ Freeman" <bj...@free-man.net>
>> LOL
>> that was the first link I sent on this thread.
>>
>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>
>>> You would have got
>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>
>>>
>>> Jacques
>>>
>>> ----- Original Message ----- From: "Milind W"
>>> <ma...@mymunshi.com>
>>> To: <us...@ofbiz.apache.org>
>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>> Subject: Re: how to set security and permissions precedence
>>>
>>>
>>>> Let me try to break up questions.
>>>> Shouldn't adding
>>>> base-permission="OFBTOOLS"
>>>> to the ofbiz-entity.xml force the user to login with a user id that is
>>>> associated to the OFBTOOLS security group?
>>>> I can see the application I created and the line seems to have no
>>>> effect.
>>>> What is the purpose of the line?
>>>> Thanks
>>>> -Milind
>>>>
>>>>> Please note that opentaps is not at the same level of revision that
>>>>> ofbiz it
>>>>> there have been changes to security.
>>>>> there are examples in the
>>>>> framework/example
>>>>> and
>>>>> framework/exampleext
>>>>> I believe this to be a better tutorial
>>>>> since they work already.
>>>>>
>>>>>
>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>
>>>>>>
>>>>>> BJ Freeman wrote:
>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>
>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>> hi,
>>>>>>>> Security Permissions
>>>>>>>> I am using ofbiz rev.79258
>>>>>>>> I want to understand how security works so I made the following
>>>>>>>> modifications to hello1
>>>>>>>> 1) I added base-permission="OFBTOOLS" to the ofbiz-component.xml
>>>>>>>> I could still see the application. I was assuming the application
>>>>>>>> would ask me to login or prevent me from seeing the page.
>>>>>>>> 2)I added <security> to the main request
>>>>>>>> <request-map uri="main">
>>>>>>>> <security https="false" auth="true"/>
>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>> </request-map>
>>>>>>>> This displays "java.lang.NullPointerException" in the browser.
>>>>>>>> How do permissions precedence work starting from the UI to the
>>>>>>>> entity
>>>>>>>> layer.
>>>>>>>> Help appreciated.
>>>>>>>> Thanks
>>>>>>>> -Milind
>>>>>>>>
>>>>>>>> Here is the log
>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:159:WARN ] [RequestManager.getEventType] Type of event for request "checkLogin" not found
>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:146:WARN ] [RequestManager.getEventPath] Path of event for request "checkLogin" not found
>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:172:WARN ] [RequestManager.getEventMethod] Method of event for request "checkLogin" not found
>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ ControlServlet.java:205:ERROR]
>>>>>>>> ---- runtime exception report --------------------------------------------------
>>>>>>>> Error in request handler:
>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>> Message: null
>>>>>>>> ---- stack trace ---------------------------------------------------------------
>>>>>>>> java.lang.NullPointerException
>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>
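
Added example, not part of the original thread and not OFBiz code: the quoted log shows the controller looking up the event of the "checkLogin" request once "main" was marked auth="true", and failing with a NullPointerException because that request-map was missing. This Python lint flags that condition in a controller file before deployment. The sample XML is constructed, the component path is a placeholder, and the check assumes a single-file controller with no includes.

```python
import xml.etree.ElementTree as ET

WORKER = "org.ofbiz.webapp.control.LoginWorker"
# Constructed samples (component path is a placeholder, not from the thread).
MAIN = """<request-map uri="main"><security https="false" auth="true"/>
  <response name="success" type="view" value="main"/></request-map>
<view-map name="main" type="screen" page="component://placeholder/widget/CommonScreens.xml#main"/>"""
LOGIN_MAPS = "".join(f"""<request-map uri="{uri}"><security https="false" auth="false"/>
  <event type="java" path="{WORKER}" invoke="{uri}"/>
  <response name="success" type="view" value="main"/>
  <response name="error" type="view" value="login"/></request-map>
""" for uri in ("checkLogin", "login"))
LOGIN_VIEW = '<view-map name="login" type="screen" page="component://placeholder/widget/CommonScreens.xml#login"/>'
BROKEN = f"<site-conf>{MAIN}</site-conf>"  # shape of the config in the question
FIXED = f"<site-conf>{MAIN}{LOGIN_MAPS}{LOGIN_VIEW}</site-conf>"  # shape of the reply

def requires_auth(request_map):
    sec = request_map.find("security")
    return sec is not None and sec.get("auth") == "true"

def lint_controller(xml_text):
    """Return problems that would break requests marked auth="true"."""
    root = ET.fromstring(xml_text)
    requests = {r.get("uri"): r for r in root.iter("request-map")}
    views = {v.get("name") for v in root.iter("view-map")}
    problems = []
    protected = sorted(u for u, r in requests.items() if requires_auth(r))
    if protected:
        # auth="true" makes the controller run the checkLogin event (see the
        # log in the thread); the login request handles the submitted form.
        for uri in ("checkLogin", "login"):
            event = requests[uri].find("event") if uri in requests else None
            if uri not in requests:
                problems.append(f"request-map '{uri}' missing, needed by {protected}")
            elif event is None or not all(event.get(a) for a in ("type", "path", "invoke")):
                problems.append(f"request-map '{uri}' lacks type/path/invoke on its event")
    # Every view response must name a view-map defined in this controller.
    for uri, rmap in requests.items():
        for resp in rmap.findall("response"):
            if resp.get("type") == "view" and resp.get("value") not in views:
                problems.append(f"request-map '{uri}' -> undefined view '{resp.get('value')}'")
    return problems

if __name__ == "__main__":
    for name, xml_text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_controller(xml_text) or "ok")
```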