You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2016/02/09 11:26:27 UTC
svn commit: r1729348 - in /ofbiz/trunk/framework/webapp: config/
src/org/ofbiz/webapp/control/ src/org/ofbiz/webapp/event/
Author: jleroux
Date: Tue Feb 9 10:26:26 2016
New Revision: 1729348
URL: http://svn.apache.org/viewvc?rev=1729348&view=rev
Log:
Implements "Hide sessionId in logs by default, show them using a properties" - https://issues.apache.org/jira/browse/OFBIZ-6886
There are few cases where we show the sessionId in logs (using UtilHttp.getSessionId() in or HttpSessionEvent.getSession().getId()) in other places)
Despite we secured the log access at r1489461, I feel better using a properties to opt in, false by default.
Modified:
ofbiz/trunk/framework/webapp/config/requestHandler.properties
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ControlActivationEventListener.java
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ControlEventListener.java
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java
Modified: ofbiz/trunk/framework/webapp/config/requestHandler.properties
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/config/requestHandler.properties?rev=1729348&r1=1729347&r2=1729348&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/config/requestHandler.properties (original)
+++ ofbiz/trunk/framework/webapp/config/requestHandler.properties Tue Feb 9 10:26:26 2016
@@ -11,4 +11,8 @@ content-disposition-type=attachment
# -- Should we use strict-transport-security? True by default.
# Use false if you don't have a certificate or not a signed one and it annoys you to set "none" for each HTTP request!
-#strict-transport-security=false
\ No newline at end of file
+#strict-transport-security=false
+
+# -- Should we show the sessionId in log? False (ie N) by default.
+show-sessionId-in-log=N
+
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ControlActivationEventListener.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ControlActivationEventListener.java?rev=1729348&r1=1729347&r2=1729348&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ControlActivationEventListener.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ControlActivationEventListener.java Tue Feb 9 10:26:26 2016
@@ -18,10 +18,12 @@
*******************************************************************************/
package org.ofbiz.webapp.control;
+import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionActivationListener;
import javax.servlet.http.HttpSessionEvent;
import org.ofbiz.base.util.Debug;
+import org.ofbiz.base.util.UtilProperties;
/**
* HttpSessionListener that gathers and tracks various information and statistics
@@ -34,11 +36,20 @@ public class ControlActivationEventListe
public void sessionWillPassivate(HttpSessionEvent event) {
ControlEventListener.countPassivateSession();
- Debug.logInfo("Passivating session: " + event.getSession().getId(), module);
+ Debug.logInfo("Passivating session: " + showSessionId(event.getSession()), module);
}
public void sessionDidActivate(HttpSessionEvent event) {
ControlEventListener.countActivateSession();
- Debug.logInfo("Activating session: " + event.getSession().getId(), module);
+ Debug.logInfo("Activating session: " + showSessionId(event.getSession()), module);
}
+
+ public static String showSessionId(HttpSession session) {
+ boolean showSessionIdInLog = UtilProperties.propertyValueEqualsIgnoreCase("requestHandler", "show-sessionId-in-log", "Y");
+ if (showSessionIdInLog) {
+ return " sessionId=" + session.getId();
+ }
+ return " hidden sessionId by default.";
+ }
+
}
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ControlEventListener.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ControlEventListener.java?rev=1729348&r1=1729347&r2=1729348&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ControlEventListener.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ControlEventListener.java Tue Feb 9 10:26:26 2016
@@ -63,7 +63,7 @@ public class ControlEventListener implem
session.setAttribute("org.ofbiz.log.session.stats", "Y");
}
- Debug.logInfo("Creating session: " + session.getId(), module);
+ Debug.logInfo("Creating session: " + ControlActivationEventListener.showSessionId(session), module);
}
public void sessionDestroyed(HttpSessionEvent event) {
@@ -84,7 +84,7 @@ public class ControlEventListener implem
visit.store();
}
} else {
- Debug.logWarning("Could not find visit value object in session [" + session.getId() + "] that is being destroyed", module);
+ Debug.logWarning("Could not find visit value object in session [" + ControlActivationEventListener.showSessionId(session) + "] that is being destroyed", module);
}
// Store the UserLoginSession
@@ -105,7 +105,7 @@ public class ControlEventListener implem
}
countDestroySession();
- Debug.logInfo("Destroying session: " + session.getId(), module);
+ Debug.logInfo("Destroying session: " + ControlActivationEventListener.showSessionId(session), module);
this.logStats(session, visit);
} catch (GenericEntityException e) {
try {
@@ -129,7 +129,7 @@ public class ControlEventListener implem
public void logStats(HttpSession session, GenericValue visit) {
if (Debug.verboseOn() || session.getAttribute("org.ofbiz.log.session.stats") != null) {
Debug.logInfo("<===================================================================>", module);
- Debug.logInfo("Session ID : " + session.getId(), module);
+ Debug.logInfo("Session ID : " + ControlActivationEventListener.showSessionId(session), module);
Debug.logInfo("Created Time : " + session.getCreationTime(), module);
Debug.logInfo("Last Access : " + session.getLastAccessedTime(), module);
Debug.logInfo("Max Inactive : " + session.getMaxInactiveInterval(), module);
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=1729348&r1=1729347&r2=1729348&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Tue Feb 9 10:26:26 2016
@@ -125,7 +125,7 @@ public class RequestHandler {
GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(
- "requestHandler.properties", "throwRequestHandlerExceptionOnMissingLocalRequest", "Y", delegator);
+ "requestHandler", "throwRequestHandlerExceptionOnMissingLocalRequest", "Y", delegator);
long startTime = System.currentTimeMillis();
HttpSession session = request.getSession();
@@ -228,7 +228,7 @@ public class RequestHandler {
// not using _POST_CHAIN_VIEW_ because it shouldn't be set unless the event execution is successful
request.setAttribute("_CURRENT_CHAIN_VIEW_", overrideViewUri);
}
- if (Debug.infoOn()) Debug.logInfo("[RequestHandler]: Chain in place: requestUri=" + chainRequestUri + " overrideViewUri=" + overrideViewUri + " sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.infoOn()) Debug.logInfo("[RequestHandler]: Chain in place: requestUri=" + chainRequestUri + " overrideViewUri=" + overrideViewUri + showSessionId(request), module);
} else {
// Check if X509 is required and we are not secure; throw exception
if (!request.isSecure() && requestMap.securityCert) {
@@ -335,7 +335,7 @@ public class RequestHandler {
// If its the first visit run the first visit events.
if (this.trackVisit(request) && session.getAttribute("_FIRST_VISIT_EVENTS_") == null) {
if (Debug.infoOn())
- Debug.logInfo("This is the first request in this visit." + " sessionId=" + UtilHttp.getSessionId(request), module);
+ Debug.logInfo("This is the first request in this visit." + showSessionId(request), module);
session.setAttribute("_FIRST_VISIT_EVENTS_", "complete");
try {
for (ConfigXMLReader.Event event: controllerConfig.getFirstVisitEventList().values()) {
@@ -400,11 +400,11 @@ public class RequestHandler {
// Pre-Processor/First-Visit event(s) can interrupt the flow by returning null.
// Warning: this could cause problems if more then one event attempts to return a response.
if (interruptRequest) {
- if (Debug.infoOn()) Debug.logInfo("[Pre-Processor Interrupted Request, not running: [" + requestMap.uri + "], sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.infoOn()) Debug.logInfo("[Pre-Processor Interrupted Request, not running: [" + requestMap.uri + "]. " + showSessionId(request), module);
return;
}
- if (Debug.verboseOn()) Debug.logVerbose("[Processing Request]: " + requestMap.uri + " sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.verboseOn()) Debug.logVerbose("[Processing Request]: " + requestMap.uri + showSessionId(request), module);
request.setAttribute("thisRequestUri", requestMap.uri); // store the actual request URI
@@ -412,7 +412,7 @@ public class RequestHandler {
if (requestMap.securityAuth) {
// Invoke the security handler
// catch exceptions and throw RequestHandlerException if failed.
- if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler]: AuthRequired. Running security check. sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler]: AuthRequired. Running security check. " + showSessionId(request), module);
ConfigXMLReader.Event checkLoginEvent = requestMapMap.get("checkLogin").event;
String checkLoginReturnString = null;
@@ -498,7 +498,7 @@ public class RequestHandler {
}
if (eventReturnBasedRequestResponse != null) {
//String eventReturnBasedResponse = requestResponse.value;
- if (Debug.verboseOn()) Debug.logVerbose("[Response Qualified]: " + eventReturnBasedRequestResponse.name + ", " + eventReturnBasedRequestResponse.type + ":" + eventReturnBasedRequestResponse.value + " sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.verboseOn()) Debug.logVerbose("[Response Qualified]: " + eventReturnBasedRequestResponse.name + ", " + eventReturnBasedRequestResponse.type + ":" + eventReturnBasedRequestResponse.value + showSessionId(request), module);
// If error, then display more error messages:
if ("error".equals(eventReturnBasedRequestResponse.name)) {
@@ -544,7 +544,7 @@ public class RequestHandler {
}
}
- if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler]: previousRequest - " + previousRequest + " (" + loginPass + ")" + " sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler]: previousRequest - " + previousRequest + " (" + loginPass + ")" + showSessionId(request), module);
// if previous request exists, and a login just succeeded, do that now.
if (previousRequest != null && loginPass != null && loginPass.equalsIgnoreCase("TRUE")) {
@@ -553,7 +553,7 @@ public class RequestHandler {
if ("logout".equals(previousRequest) || "/logout".equals(previousRequest) || "login".equals(previousRequest) || "/login".equals(previousRequest) || "checkLogin".equals(previousRequest) || "/checkLogin".equals(previousRequest) || "/checkLogin/login".equals(previousRequest)) {
Debug.logWarning("Found special _PREVIOUS_REQUEST_ of [" + previousRequest + "], setting to null to avoid problems, not running request again", module);
} else {
- if (Debug.infoOn()) Debug.logInfo("[Doing Previous Request]: " + previousRequest + " sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.infoOn()) Debug.logInfo("[Doing Previous Request]: " + previousRequest + showSessionId(request), module);
// note that the previous form parameters are not setup (only the URL ones here), they will be found in the session later and handled when the old request redirect comes back
Map<String, Object> previousParamMap = UtilGenerics.checkMap(request.getSession().getAttribute("_PREVIOUS_PARAM_MAP_URL_"), String.class, Object.class);
@@ -584,7 +584,7 @@ public class RequestHandler {
throw new RequestHandlerException("Illegal response; handler could not process request [" + requestMap.uri + "] and event return [" + eventReturn + "].");
}
- if (Debug.verboseOn()) Debug.logVerbose("[Event Response Selected] type=" + nextRequestResponse.type + ", value=" + nextRequestResponse.value + ", sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.verboseOn()) Debug.logVerbose("[Event Response Selected] type=" + nextRequestResponse.type + ", value=" + nextRequestResponse.value + ". " + showSessionId(request), module);
// ========== Handle the responses - chains/views ==========
@@ -604,7 +604,7 @@ public class RequestHandler {
if ("request".equals(nextRequestResponse.type)) {
// chained request
- Debug.logInfo("[RequestHandler.doRequest]: Response is a chained request." + " sessionId=" + UtilHttp.getSessionId(request), module);
+ Debug.logInfo("[RequestHandler.doRequest]: Response is a chained request." + showSessionId(request), module);
doRequest(request, response, nextRequestResponse.value, userLogin, delegator);
} else {
// ======== handle views ========
@@ -632,27 +632,27 @@ public class RequestHandler {
if ("url".equals(nextRequestResponse.type)) {
- if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a URL redirect." + " sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a URL redirect." + showSessionId(request), module);
callRedirect(nextRequestResponse.value, response, request, statusCodeString);
} else if ("cross-redirect".equals(nextRequestResponse.type)) {
// check for a cross-application redirect
- if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a Cross-Application redirect." + " sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a Cross-Application redirect." + showSessionId(request), module);
String url = nextRequestResponse.value.startsWith("/") ? nextRequestResponse.value : "/" + nextRequestResponse.value;
callRedirect(url + this.makeQueryString(request, nextRequestResponse), response, request, statusCodeString);
} else if ("request-redirect".equals(nextRequestResponse.type)) {
- if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a Request redirect." + " sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a Request redirect." + showSessionId(request), module);
callRedirect(makeLinkWithQueryString(request, response, "/" + nextRequestResponse.value, nextRequestResponse), response, request, statusCodeString);
} else if ("request-redirect-noparam".equals(nextRequestResponse.type)) {
- if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a Request redirect with no parameters." + " sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a Request redirect with no parameters." + showSessionId(request), module);
callRedirect(makeLink(request, response, nextRequestResponse.value), response, request, statusCodeString);
} else if ("view".equals(nextRequestResponse.type)) {
- if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a view." + " sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a view." + showSessionId(request), module);
// check for an override view, only used if "success" = eventReturn
String viewName = (UtilValidate.isNotEmpty(overrideViewUri) && (eventReturn == null || "success".equals(eventReturn))) ? overrideViewUri : nextRequestResponse.value;
renderView(viewName, requestMap.securityExternalView, request, response, saveName);
} else if ("view-last".equals(nextRequestResponse.type)) {
- if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a view." + " sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a view." + showSessionId(request), module);
// check for an override view, only used if "success" = eventReturn
String viewName = (UtilValidate.isNotEmpty(overrideViewUri) && (eventReturn == null || "success".equals(eventReturn))) ? overrideViewUri : nextRequestResponse.value;
@@ -686,7 +686,7 @@ public class RequestHandler {
}
renderView(viewName, requestMap.securityExternalView, request, response, null);
} else if ("view-last-noparam".equals(nextRequestResponse.type)) {
- if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a view." + " sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a view." + showSessionId(request), module);
// check for an override view, only used if "success" = eventReturn
String viewName = (UtilValidate.isNotEmpty(overrideViewUri) && (eventReturn == null || "success".equals(eventReturn))) ? overrideViewUri : nextRequestResponse.value;
@@ -703,7 +703,7 @@ public class RequestHandler {
}
renderView(viewName, requestMap.securityExternalView, request, response, null);
} else if ("view-home".equals(nextRequestResponse.type)) {
- if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a view." + " sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is a view." + showSessionId(request), module);
// check for an override view, only used if "success" = eventReturn
String viewName = (UtilValidate.isNotEmpty(overrideViewUri) && (eventReturn == null || "success".equals(eventReturn))) ? overrideViewUri : nextRequestResponse.value;
@@ -722,7 +722,7 @@ public class RequestHandler {
renderView(viewName, requestMap.securityExternalView, request, response, null);
} else if ("none".equals(nextRequestResponse.type)) {
// no view to render (meaning the return was processed by the event)
- if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is handled by the event." + " sessionId=" + UtilHttp.getSessionId(request), module);
+ if (Debug.verboseOn()) Debug.logVerbose("[RequestHandler.doRequest]: Response is handled by the event." + showSessionId(request), module);
}
}
if (originalRequestMap.metrics != null) {
@@ -806,7 +806,7 @@ public class RequestHandler {
}
private void callRedirect(String url, HttpServletResponse resp, HttpServletRequest req, String statusCodeString) throws RequestHandlerException {
- if (Debug.infoOn()) Debug.logInfo("Sending redirect to: [" + url + "], sessionId=" + UtilHttp.getSessionId(req), module);
+ if (Debug.infoOn()) Debug.logInfo("Sending redirect to: [" + url + "]. " + showSessionId(req), module);
// set the attributes in the session so we can access it.
Enumeration<String> attributeNameEnum = UtilGenerics.cast(req.getAttributeNames());
Map<String, Object> reqAttrMap = new HashMap<String, Object>();
@@ -858,13 +858,13 @@ public class RequestHandler {
servletName = servletName.substring(1);
}
- if (Debug.infoOn()) Debug.logInfo("Rendering View [" + view + "], sessionId=" + UtilHttp.getSessionId(req), module);
+ if (Debug.infoOn()) Debug.logInfo("Rendering View [" + view + "]. " + showSessionId(req), module);
if (view.startsWith(servletName + "/")) {
view = view.substring(servletName.length() + 1);
if (Debug.infoOn()) Debug.logInfo("a manual control servlet request was received, removing control servlet path resulting in: view=" + view, module);
}
- if (Debug.verboseOn()) Debug.logVerbose("[Getting View Map]: " + view + " sessionId=" + UtilHttp.getSessionId(req), module);
+ if (Debug.verboseOn()) Debug.logVerbose("[Getting View Map]: " + view + showSessionId(req), module);
// before mapping the view, set a request attribute so we know where we are
req.setAttribute("_CURRENT_VIEW_", view);
@@ -919,7 +919,7 @@ public class RequestHandler {
nextPage = viewMap.page;
}
- if (Debug.verboseOn()) Debug.logVerbose("[Mapped To]: " + nextPage + " sessionId=" + UtilHttp.getSessionId(req), module);
+ if (Debug.verboseOn()) Debug.logVerbose("[Mapped To]: " + nextPage + showSessionId(req), module);
long viewStartTime = System.currentTimeMillis();
@@ -1296,4 +1296,13 @@ public class RequestHandler {
return false;
}
}
+
+ private String showSessionId(HttpServletRequest request) {
+ Delegator delegator = (Delegator) request.getAttribute("delegator");
+ boolean showSessionIdInLog = EntityUtilProperties.propertyValueEqualsIgnoreCase("requestHandler", "show-sessionId-in-log", "Y", delegator);
+ if (showSessionIdInLog) {
+ return " sessionId=" + UtilHttp.getSessionId(request);
+ }
+ return " hidden sessionId by default.";
+ }
}
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java?rev=1729348&r1=1729347&r2=1729348&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java Tue Feb 9 10:26:26 2016
@@ -56,6 +56,7 @@ import org.ofbiz.service.ServiceValidati
import org.ofbiz.webapp.control.ConfigXMLReader;
import org.ofbiz.webapp.control.ConfigXMLReader.Event;
import org.ofbiz.webapp.control.ConfigXMLReader.RequestMap;
+import org.ofbiz.webapp.control.ControlActivationEventListener;
/**
* ServiceEventHandler - Service Event Handler
@@ -407,7 +408,7 @@ public class ServiceEventHandler impleme
+ "(check before if a sub-task for this error does not exist)."
+ " If you are not sure how to create a Jira issue please have a look before at http://cwiki.apache.org/confluence/x/JIB2"
+ " Thank you in advance for your help.";
- Debug.logError("=============== " + errMsg + "; In session [" + session.getId() + "]; Note that this can be changed using the service.http.parameters.require.encrypted property in the url.properties file", module);
+ Debug.logError("=============== " + errMsg + "; In session [" + ControlActivationEventListener.showSessionId(session) + "]; Note that this can be changed using the service.http.parameters.require.encrypted property in the url.properties file", module);
// the default here is true, so anything but N/n is true
boolean requireEncryptedServiceWebParameters = !EntityUtilProperties.propertyValueEqualsIgnoreCase("url", "service.http.parameters.require.encrypted", "N", delegator);