Posted to user@ofbiz.apache.org by Milind W <ma...@mymunshi.com> on 2008/07/30 04:58:58 UTC

how to set security and permissions precedence

hi,
Security Permissions
I am using ofbiz rev.79258
I want to understand how security works so I made the following
modifications to hello1
1) I added base-permission="OFBTOOLS" to the ofbiz-component.xml
I could still see the application. I was assuming the application would ask
me to log in or prevent me from seeing the page.
2) I added <security> to the main request
    <request-map uri="main">
        <security https="false" auth="true"/>
        <response name="success" type="view" value="main"/>
    </request-map>
This displays "java.lang.NullPointerException" in the browser.
How does permissions precedence work, starting from the UI to the entity layer?
Help appreciated.
Thanks
-Milind

Here is the log
2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:159:WARN ] [RequestManager.getEventType] Type of event for request "checkLogin" not found
2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:146:WARN ] [RequestManager.getEventPath] Path of event for request "checkLogin" not found
2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:172:WARN ] [RequestManager.getEventMethod] Method of event for request "checkLogin" not found
2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ ControlServlet.java:205:ERROR]
---- runtime exception report --------------------------------------------------
Error in request handler:
Exception: java.lang.NullPointerException
Message: null
---- stack trace ---------------------------------------------------------------
java.lang.NullPointerException
javolution.util.FastMap.getEntry(Unknown Source)
javolution.util.FastMap.containsKey(Unknown Source)
org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
java.lang.Thread.run(Thread.java:595)
--------------------------------------------------------------------------------



Re: how to set security and permissions precedence

Posted by Milind W <ma...@mymunshi.com>.
hi,
I got login to work by adding the changes below to my controller using
ofbiz4.0.
I don't think I follow the reason with OFBTOOLS base permission not
taking effect in the ofbiz-component as explained in OFBIZ-829.
But I agree with Si Chen on OFBIZ-829
"The right way is to assume no permission until one of the list of
permissions is met." Seems more intuitive.
For now I can work around it so thanks all.
-Milind



<preprocessor>
    <!-- Events to run on every request before security (chains exempt) -->
    <!-- <event type="java" path="org.ofbiz.webapp.event.TestEvent" invoke="test"/> -->
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
</preprocessor>

<!-- Request Mappings -->

<request-map uri="checkLogin" edit="false">
    <description>Verify a user is logged in.</description>
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
</request-map>

<request-map uri="login">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
</request-map>

<request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
</request-map>

<view-map name="login" type="screen" page="component://marketing/widget/CommonScreens.xml#login"/>


> Not with a direct link to the comment where is the explanation ;p
> Actually it was more a didactic post
>
> Jacques
>
> From: "BJ Freeman" <bj...@free-man.net>
>> LOL
>> that was the first link I sent on this thread.
>>
>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>
>>> You would have gotten
>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>
>>>
>>> Jacques
>>>
>>> ----- Original Message ----- From: "Milind W"
>>> <ma...@mymunshi.com>
>>> To: <us...@ofbiz.apache.org>
>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>> Subject: Re: how to set security and permissions precedence
>>>
>>>
>>>> Let me try to break up questions.
>>>> Shouldn't adding
>>>> base-permission="OFBTOOLS"
>>>> to the ofbiz-entity.xml force the user to login with a user id that is
>>>> associated to the OFBTOOLS security group?
>>>> I can see the application I created and the line seems to have no
>>>> effect.
>>>> What is the purpose of the line?
>>>> Thanks
>>>> -Milind
>>>>
>>>>> Please note that opentaps is not at the same level of revision that
>>>>> ofbiz is.
>>>>> There have been changes to security.
>>>>> There are examples in the
>>>>> framework/example
>>>>> and
>>>>> framework/exampleext
>>>>> I believe this to be a better tutorial
>>>>> since they work already.
>>>>>
>>>>>
>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>
>>>>>>
>>>>>> BJ Freeman wrote:
>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>
>>>>>>
>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>
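
Added example, not part of the original thread or the OFBiz code base: a small Python audit of a single controller.xml for the failure mode in the first post, where auth="true" on a request-map makes the request handler look up a "checkLogin" request whose event is not defined, and for the later failure where the "login" view no longer resolves. The <site-conf> wrapper, the view-map for "main" and its screen path are constructed for the sample, and the script assumes everything lives in one file (it does not follow controller includes).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the controller from the first post. "main" demands
# authentication but nothing defines the checkLogin/login requests.
BROKEN = """
<site-conf>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <!-- hypothetical screen location, not taken from the thread -->
  <view-map name="main" type="screen" page="component://hello1/widget/HelloScreens.xml#main"/>
</site-conf>
"""

# Constructed sample: the working controller from the follow-up post, plus the
# same hypothetical "main" view-map.
FIXED = """
<site-conf>
  <request-map uri="checkLogin" edit="false">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="login">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <view-map name="login" type="screen" page="component://marketing/widget/CommonScreens.xml#login"/>
  <view-map name="main" type="screen" page="component://hello1/widget/HelloScreens.xml#main"/>
</site-conf>
"""

EVENT_ATTRS = ("type", "path", "invoke")
LOGIN_HELPERS = ("checkLogin", "login")


def requires_auth(request_map):
    """True when the request-map carries <security auth="true">."""
    sec = request_map.find("security")
    return sec is not None and sec.get("auth", "false").lower() == "true"


def audit_controller(xml_text):
    """Return a list of human-readable findings for one controller document."""
    root = ET.fromstring(xml_text)
    requests = {rm.get("uri"): rm for rm in root.iter("request-map")}
    views = {vm.get("name") for vm in root.iter("view-map")}
    findings = []

    protected = sorted(u for u, rm in requests.items() if requires_auth(rm))
    if protected:
        for helper in LOGIN_HELPERS:
            rm = requests.get(helper)
            if rm is None:
                users = ", ".join(protected)
                findings.append(f'missing request-map "{helper}" (auth="true" used by: {users})')
                continue
            event = rm.find("event")
            if event is None:
                findings.append(f'request-map "{helper}" has no <event>')
            else:
                absent = [a for a in EVENT_ATTRS if not event.get(a)]
                if absent:
                    findings.append(f'request-map "{helper}" event lacks: {", ".join(absent)}')
            # Assumption: the login helpers stay reachable without a session,
            # as in the thread's working controller (auth="false").
            if requires_auth(rm):
                findings.append(f'request-map "{helper}" must not set auth="true"')

    # Every view response has to resolve to a view-map, otherwise the
    # redirect to the login screen has nowhere to go.
    for uri, rm in requests.items():
        for resp in rm.findall("response"):
            name, value = resp.get("name"), resp.get("value")
            if resp.get("type") == "view" and value not in views:
                findings.append(f'request-map "{uri}" response "{name}" points to undefined view "{value}"')
    return findings


if __name__ == "__main__":
    for label, doc in (("first post", BROKEN), ("follow-up post", FIXED)):
        print(label, "->", audit_controller(doc) or "no findings")
```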



Re: how to set security and permissions precedence

Posted by BJ Freeman <bj...@free-man.net>.
bug was fixed, the new rev works.

Milind W sent the following on 8/3/2008 4:27 PM:
> Just tried "ant clean" it made no difference.
> I can proceed to main without being redirected to login with rev#679258.
> 
> 
> Relevant log for rev#679258
> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:584:INFO ] servletName=control, view=main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: apache tomcat/6.0.16
> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
> 
> and with rev#677863
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:236:INFO ] [Processing Request]: main sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:262:INFO ] reqParams Map: []
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:263:INFO ] queryString:
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:273:INFO ] checkLogin: queryString=
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:578:INFO ] servletName=control, view=login sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
> 
> The loginworker seems to be invoked with rev#677863 and not with rev#679258.
> Any Idea?
> 
>> Did you try an "ant clean"? There have been some changes recently that
>> imply this cleanup.
>>
>> Jacques
>>
>> From: "Milind W" <ma...@mymunshi.com>
>>> Looks like I have a problem making this example work with
>>> revision#679258
>>>
>>> It worked fine (i.e. I was redirected to login screen before I could get
>>> to main) with rev#677863
>>>
>>> Looks like the view
>>> <view-map name="login" type="screen"
>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>> is part of the problem. The CommonScreens.xml has moved and no longer
>>> seems to have the 'login' screen.
>>>
>>> I tried finding another screen with the 'login' view. I found another one
>>> in the 'common' component and modified my hello controller to point to
>>> <view-map name="login" type="screen"
>>> page="component://common/widget/CommonScreens.xml#login"/>
>>> but it is not acting the same as previously.
>>>
>>> Please let me know what is missing (or any suggestion how best to
>>> illustrate login) so I can complete and contribute my tutorial for
>>> security. Would hate to create a tutorial that worked with one specific
>>> build.
>>>
>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>
>>> Thanks
>>> -Milind
>>>


Re: how to set security and permissions precedence

Posted by BJ Freeman <bj...@free-man.net>.
I am sure the community will be glad to see the documentation you
provide from your experience.
Hang in there, it does get easier.

Milind W sent the following on 8/4/2008 9:01 PM:
> hi BJ,
> I finally got the login to work.
> I think it's sad that it's difficult to learn ofbiz and I think it does not
> have to be this way and no I am not trying to learn opentaps. I was trying
> to use the login screens from the 'common' application but then started
> running into issues with UI labels etc. I wanted to build the simplest
> application to demonstrate login and probably contribute a tutorial for
> the same.
> So I looked at the login.ftl in the 'common' (component or application not
> sure what the correct term is) and reused that.
> Now everything works as I expect it to.
> Thanks
> -Milind
> 
> 
>> this is where using the example, exampleext, and the
>> wiki startup example will help.
>> this is where ofbiz is different than opentaps.
>> and the links to the information that has been given to you in the past come
>> into play.
>> there is no quick way to learn ofbiz.
>> :)
>> error is saying the main decorator has not been defined in the web.xml
>> parms.
>>
>> you should check your complete component against the framework/example.
>>
>> Milind W sent the following on 8/3/2008 11:07 PM:
>>> I changed my controller to conform with the example controller.xml.
>>> Now it does attempt to send me to the login screen but get the following
>>> error.
>>>
>>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen
>>> [component://common/widget/CommonScreens.xml#login]:
>>> java.lang.IllegalArgumentException: Could not find screen with name
>>> [main-decorator] in the same file as the screen with name [login] (Could
>>> not find screen with name [main-decorator] in the same file as the
>>> screen
>>> with name [login])
>>>
>>> Help!
>>>> your controller does not conform to the current svn controllers.
>>>> please review them.
>>>>
>>>>
>>>> Milind W sent the following on 8/3/2008 5:35 PM:
>>>>> I got the updated files.
>>>>> Did ant clean and then a new build.
>>>>> I still see the SAME behavior described in my previous email.
>>>>> I am attaching my controller.xml
>>>>>
>>>>>> here is the fix
>>>>>> http://svn.apache.org/viewvc?rev=682228&view=rev
>>>>>>
>>>>>> Milind W sent the following on 8/3/2008 4:27 PM:
>>>>>>> Just tried "ant clean" it made no difference.
>>>>>>> I can proceed to main without being redirected to login with
>>>>>>> rev#679258.
>>>>>>>
>>>>>>>
>>>>>>> Relevant log for rev#679258
>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>>>>> [RequestHandler.java:243:INFO ] [Processing Request]: main
>>>>>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>>>>> [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response
>>>>>>> is
>>>>>>> a
>>>>>>> view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>>>>> [RequestHandler.java:584:INFO ] servletName=control, view=main
>>>>>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>>>>>>> UtilJ2eeCompat.java:69
>>>>>>> :INFO ] serverInfo: apache tomcat/6.0.16
>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>>>>>>> UtilJ2eeCompat.java:78
>>>>>>> :INFO ] Apache Tomcat detected, using response.getWriter to write
>>>>>>> text
>>>>>>> out
>>>>>>> instead of response.getOutputStream
>>>>>>>
>>>>>>> and with rev#677863
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> RequestHandler.java:236:INFO ] [Processing Request]: main
>>>>>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> LoginWorker.java:262:INFO ] reqParams Map: []
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> LoginWorker.java:263:INFO ] queryString:
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> LoginWorker.java:273:INFO ] checkLogin: queryString=
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response
>>>>>>> is
>>>>>>> a
>>>>>>> view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> RequestHandler.java:578:INFO ] servletName=control, view=login
>>>>>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using
>>>>>>> response.getWriter to write text out instead of
>>>>>>> response.getOutputStream
>>>>>>>
>>>>>>> The loginworker seems to be invoked with rev#677863 and not with
>>>>>>> rev#679258.
>>>>>>> Any Idea?
>>>>>>>
>>>>>>>> Did you try an "ant clean" ? There have been some changes recently
>>>>>>>> that
>>>>>>>> implie this cleanup.
>>>>>>>>
>>>>>>>> Jacques
>>>>>>>>
>>>>>>>> From: "Milind W" <ma...@mymunshi.com>
>>>>>>>>> Looks like I have a problem making this example work with
>>>>>>>>> revision#679258
>>>>>>>>>
>>>>>>>>> It worked fine (i.e I was redirected to login screen before I
>>>>>>>>> could
>>>>>>>>> get
>>>>>>>>> to
>>>>>>>>> main) with rev#677863
>>>>>>>>>
>>>>>>>>> Looks like the view
>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>>> is part of the problem. The CommonScreens.xml has moved and does
>>>>>>>>> no
>>>>>>>>> longer
>>>>>>>>> seem to have the 'login' screen.
>>>>>>>>>
>>>>>>>>> I tried finding another screen with the 'login' view. I found
>>>>>>>>> another
>>>>>>>>> one
>>>>>>>>> in the 'common' component and modified my hello controller to
>>>>>>>>> point
>>>>>>>>> to
>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>> page="component://common/widget/CommonScreens.xml#login"/>
>>>>>>>>> but it is no acting the same as previously.
>>>>>>>>>
>>>>>>>>> Please let me know what is missing (or any suggestion how best to
>>>>>>>>> illustrate login) so I can complete and contribute my tutorial for
>>>>>>>>> security. Would hate to create a tutorial that worked with one
>>>>>>>>> specific
>>>>>>>>> build.
>>>>>>>>>
>>>>>>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> -Milind
>>>>>>>>>
>>>>>>>>>> hi,
>>>>>>>>>> I got login to work by adding the changes below to my controller
>>>>>>>>>> using
>>>>>>>>>> ofbiz4.0.
>>>>>>>>>> I don't think I follow the reason with OFBTOOLS base permission
>>>>>>>>>> not
>>>>>>>>>> taking effect in the ofbiz-component as explained in OFBIZ-829.
>>>>>>>>>> But I agree with Si Chen on OFBIZ-829
>>>>>>>>>> "The right way is to assume no permission until one of the list
>>>>>>>>>> of
>>>>>>>>>> permissions is met." Seems more intuitive.
>>>>>>>>>> For now I can workaround it so thanks all.
>>>>>>>>>> -Milind
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> <preprocessor>
>>>>>>>>>>         <!-- Events to run on every request before security
>>>>>>>>>> (chains
>>>>>>>>>> exempt) -->
>>>>>>>>>>         <!-- <event type="java"
>>>>>>>>>> path="org.ofbiz.webapp.event.TestEvent"
>>>>>>>>>> invoke="test"/> -->
>>>>>>>>>>         <event type="java"
>>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>>> invoke="checkExternalLoginKey"/>
>>>>>>>>>>     </preprocessor>
>>>>>>>>>>
>>>>>>>>>> <!-- Request Mappings -->
>>>>>>>>>>
>>>>>>>>>>   <request-map uri="checkLogin" edit="false">
>>>>>>>>>>         <description>Verify a user is logged in.</description>
>>>>>>>>>>         <security https="false" auth="false"/>
>>>>>>>>>>         <event type="java"
>>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>>> invoke="checkLogin" />
>>>>>>>>>>         <response name="success" type="view" value="main" />
>>>>>>>>>>         <response name="error" type="view" value="login" />
>>>>>>>>>>     </request-map>
>>>>>>>>>>
>>>>>>>>>>     <request-map uri="login">
>>>>>>>>>>         <security https="false" auth="false"/>
>>>>>>>>>>         <event type="java"
>>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>>> invoke="login"/>
>>>>>>>>>>         <response name="success" type="view" value="main"/>
>>>>>>>>>>         <response name="error" type="view" value="login"/>
>>>>>>>>>>     </request-map>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> <request-map uri="main">
>>>>>>>>>> <security https="false" auth="true" />
>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>> </request-map>
>>>>>>>>>>
>>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Not with a direct link to the comment where is the explanation
>>>>>>>>>>> ;p
>>>>>>>>>>> Actually it was more a didactic post
>>>>>>>>>>>
>>>>>>>>>>> Jacques
>>>>>>>>>>>
>>>>>>>>>>> From: "BJ Freeman" <bj...@free-man.net>
>>>>>>>>>>>> LOL
>>>>>>>>>>>> that was the first link I sent on this thread.
>>>>>>>>>>>>
>>>>>>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>>>>>>>
>>>>>>>>>>>>> You would have get
>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>
>>>>>>>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>>>>>>>> <ma...@mymunshi.com>
>>>>>>>>>>>>> To: <us...@ofbiz.apache.org>
>>>>>>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Let me try to break up questions.
>>>>>>>>>>>>>> Shouldn't adding
>>>>>>>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user
>>>>>>>>>>>>>> id
>>>>>>>>>>>>>> that
>>>>>>>>>>>>>> is
>>>>>>>>>>>>>> associated to the OFBTOOLS security group?
>>>>>>>>>>>>>> I can see the application I created and the line seems to
>>>>>>>>>>>>>> have
>>>>>>>>>>>>>> no
>>>>>>>>>>>>>> effect.
>>>>>>>>>>>>>> What is the purpose of the line?
>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Please note that opentaps is not at the same level of
>>>>>>>>>>>>>>> revision
>>>>>>>>>>>>>>> that
>>>>>>>>>>>>>>> ofbiz
>>>>>>>>>>>>>>> it
>>>>>>>>>>>>>>> there have been  changes to security.
>>>>>>>>>>>>>>> there are examples in the
>>>>>>>>>>>>>>> framework/example
>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>> framework/exampleext
>>>>>>>>>>>>>>> I believe this to better tutorial
>>>>>>>>>>>>>>> since they work already.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>>>>>>> hi,
>>>>>>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>>>>>>> I want to understand how security works so I made the
>>>>>>>>>>>>>>>>>> following
>>>>>>>>>>>>>>>>>> modifications to hello1
>>>>>>>>>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the
>>>>>>>>>>>>>>>>>> ofbiz-component.xml
>>>>>>>>>>>>>>>>>> I could still see the application I was assuming the
>>>>>>>>>>>>>>>>>> application
>>>>>>>>>>>>>>>>>> would
>>>>>>>>>>>>>>>>>> as
>>>>>>>>>>>>>>>>>> me to login or prevent me from seeing the page.
>>>>>>>>>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the
>>>>>>>>>>>>>>>>>> browser.
>>>>>>>>>>>>>>>>>> How do permissions precedence work starting from the UI
>>>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>>> entity
>>>>>>>>>>>>>>>>>> layer.
>>>>>>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>>> RequestHandler.java:243:INFO ] [Processing Request]: main
>>>>>>>>>>>>>>>>>> sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>>> RequestManager.java:159:WARN ]
>>>>>>>>>>>>>>>>>> [RequestManager.getEventType]
>>>>>>>>>>>>>>>>>> Type
>>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>>> event
>>>>>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>>> RequestManager.java:146:WARN ]
>>>>>>>>>>>>>>>>>> [RequestManager.getEventPath]
>>>>>>>>>>>>>>>>>> Path
>>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>>> event
>>>>>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>>> RequestManager.java:172:WARN ]
>>>>>>>>>>>>>>>>>> [RequestManager.getEventMethod]
>>>>>>>>>>>>>>>>>> Method
>>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>>> event for request "checkLogin" not found
>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>>> ControlServlet.java:205:ERROR]
>>>>>>>>>>>>>>>>>> ---- runtime exception report
>>>>>>>>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>>>>>>> ---- stack trace
>>>>>>>>>>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
>>>>>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php


Re: how to set security and permissions precedence

Posted by Milind W <ma...@mymunshi.com>.
hi BJ,
I finally got the login to work.
I think it's sad that it's difficult to learn ofbiz and I think it does not
have to be this way, and no, I am not trying to learn opentaps. I was trying
to use the login screens from the 'common' application but then started
running into issues with UI labels etc. I wanted to build the simplest
application to demonstrate login and probably contribute a tutorial for
the same.
So I looked at the login.ftl in the 'common' (component or application, not
sure what the correct term is) and reused that.
Now everything works as I expect it to.
Thanks
-Milind


> this is where using the example, exampleext, and the
> wiki startup example will help.
> this is where ofbiz is different than opentaps.
> and the links to the information that has been given you in the past come
> into play.
> there is no quick way to learn ofbiz.
> :)
> error is saying the main decorator has not been defined in the web.xml
> parms.
>
> you should check your complete component against the framework/example.
>
> Milind W sent the following on 8/3/2008 11:07 PM:
>> I changed my controller to conform with the example controller.xml.
>> Now it does attempt to send me to the login screen but get the following
>> error.
>>
>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen
>> [component://common/widget/CommonScreens.xml#login]:
>> java.lang.IllegalArgumentException: Could not find screen with name
>> [main-decorator] in the same file as the screen with name [login] (Could
>> not find screen with name [main-decorator] in the same file as the
>> screen
>> with name [login])
>>
>> Help!
>>> your controller does not conform to the current svn controllers.
>>> please review them.
>>>
>>>
>>> Milind W sent the following on 8/3/2008 5:35 PM:
>>>> I got the updated files.
>>>> Did ant clean and then a new build.
>>>> I still see the SAME behavior described in my previous email.
>>>> I am attaching my controller.xml
>>>>
>>>>> here is the fix
>>>>> http://svn.apache.org/viewvc?rev=682228&view=rev
>>>>>
>>>>> Milind W sent the following on 8/3/2008 4:27 PM:
>>>>>> Just tried "ant clean" it made no difference.
>>>>>> I can proceed to main without being redirected to login with
>>>>>> rev#679258.
>>>>>>
>>>>>>
>>>>>> Relevant log for rev#679258
>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>>>> [RequestHandler.java:243:INFO ] [Processing Request]: main
>>>>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>>>> [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response
>>>>>> is
>>>>>> a
>>>>>> view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>>>> [RequestHandler.java:584:INFO ] servletName=control, view=main
>>>>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>>>>>> UtilJ2eeCompat.java:69
>>>>>> :INFO ] serverInfo: apache tomcat/6.0.16
>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>>>>>> UtilJ2eeCompat.java:78
>>>>>> :INFO ] Apache Tomcat detected, using response.getWriter to write
>>>>>> text
>>>>>> out
>>>>>> instead of response.getOutputStream
>>>>>>
>>>>>> and with rev#677863
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> RequestHandler.java:236:INFO ] [Processing Request]: main
>>>>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> LoginWorker.java:262:INFO ] reqParams Map: []
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> LoginWorker.java:263:INFO ] queryString:
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> LoginWorker.java:273:INFO ] checkLogin: queryString=
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response
>>>>>> is
>>>>>> a
>>>>>> view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> RequestHandler.java:578:INFO ] servletName=control, view=login
>>>>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using
>>>>>> response.getWriter to write text out instead of
>>>>>> response.getOutputStream
>>>>>>
>>>>>> The loginworker seems to be invoked with rev#677863 and not with
>>>>>> rev#679258.
>>>>>> Any Idea?
>>>>>>
>>>>>>> Did you try an "ant clean" ? There have been some changes recently
>>>>>>> that
>>>>>>> imply this cleanup.
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>> From: "Milind W" <ma...@mymunshi.com>
>>>>>>>> Looks like I have a problem making this example work with
>>>>>>>> revision#679258
>>>>>>>>
>>>>>>>> It worked fine (i.e I was redirected to login screen before I
>>>>>>>> could
>>>>>>>> get
>>>>>>>> to
>>>>>>>> main) with rev#677863
>>>>>>>>
>>>>>>>> Looks like the view
>>>>>>>> <view-map name="login" type="screen"
>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>> is part of the problem. The CommonScreens.xml has moved and does
>>>>>>>> no
>>>>>>>> longer
>>>>>>>> seem to have the 'login' screen.
>>>>>>>>
>>>>>>>> I tried finding another screen with the 'login' view. I found
>>>>>>>> another
>>>>>>>> one
>>>>>>>> in the 'common' component and modified my hello controller to
>>>>>>>> point
>>>>>>>> to
>>>>>>>> <view-map name="login" type="screen"
>>>>>>>> page="component://common/widget/CommonScreens.xml#login"/>
>>>>>>>> but it is not acting the same as previously.
>>>>>>>>
>>>>>>>> Please let me know what is missing (or any suggestion how best to
>>>>>>>> illustrate login) so I can complete and contribute my tutorial for
>>>>>>>> security. Would hate to create a tutorial that worked with one
>>>>>>>> specific
>>>>>>>> build.
>>>>>>>>
>>>>>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> -Milind
>>>>>>>>
>>>>>>>>> hi,
>>>>>>>>> I got login to work by adding the changes below to my controller
>>>>>>>>> using
>>>>>>>>> ofbiz4.0.
>>>>>>>>> I don't think I follow the reason with OFBTOOLS base permission
>>>>>>>>> not
>>>>>>>>> taking effect in the ofbiz-component as explained in OFBIZ-829.
>>>>>>>>> But I agree with Si Chen on OFBIZ-829
>>>>>>>>> "The right way is to assume no permission until one of the list
>>>>>>>>> of
>>>>>>>>> permissions is met." Seems more intuitive.
>>>>>>>>> For now I can workaround it so thanks all.
>>>>>>>>> -Milind
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> <preprocessor>
>>>>>>>>>         <!-- Events to run on every request before security
>>>>>>>>> (chains
>>>>>>>>> exempt) -->
>>>>>>>>>         <!-- <event type="java"
>>>>>>>>> path="org.ofbiz.webapp.event.TestEvent"
>>>>>>>>> invoke="test"/> -->
>>>>>>>>>         <event type="java"
>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>> invoke="checkExternalLoginKey"/>
>>>>>>>>>     </preprocessor>
>>>>>>>>>
>>>>>>>>> <!-- Request Mappings -->
>>>>>>>>>
>>>>>>>>>   <request-map uri="checkLogin" edit="false">
>>>>>>>>>         <description>Verify a user is logged in.</description>
>>>>>>>>>         <security https="false" auth="false"/>
>>>>>>>>>         <event type="java"
>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>> invoke="checkLogin" />
>>>>>>>>>         <response name="success" type="view" value="main" />
>>>>>>>>>         <response name="error" type="view" value="login" />
>>>>>>>>>     </request-map>
>>>>>>>>>
>>>>>>>>>     <request-map uri="login">
>>>>>>>>>         <security https="false" auth="false"/>
>>>>>>>>>         <event type="java"
>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>> invoke="login"/>
>>>>>>>>>         <response name="success" type="view" value="main"/>
>>>>>>>>>         <response name="error" type="view" value="login"/>
>>>>>>>>>     </request-map>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> <request-map uri="main">
>>>>>>>>> <security https="false" auth="true" />
>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>> </request-map>
>>>>>>>>>
>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Not with a direct link to the comment where is the explanation
>>>>>>>>>> ;p
>>>>>>>>>> Actually it was more a didactic post
>>>>>>>>>>
>>>>>>>>>> Jacques
>>>>>>>>>>
>>>>>>>>>> From: "BJ Freeman" <bj...@free-man.net>
>>>>>>>>>>> LOL
>>>>>>>>>>> that was the first link I sent on this thread.
>>>>>>>>>>>
>>>>>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>>>>>>
>>>>>>>>>>>> You would have get
>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Jacques
>>>>>>>>>>>>
>>>>>>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>>>>>>> <ma...@mymunshi.com>
>>>>>>>>>>>> To: <us...@ofbiz.apache.org>
>>>>>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> Let me try to break up questions.
>>>>>>>>>>>>> Shouldn't adding
>>>>>>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user
>>>>>>>>>>>>> id
>>>>>>>>>>>>> that
>>>>>>>>>>>>> is
>>>>>>>>>>>>> associated to the OFBTOOLS security group?
>>>>>>>>>>>>> I can see the application I created and the line seems to
>>>>>>>>>>>>> have
>>>>>>>>>>>>> no
>>>>>>>>>>>>> effect.
>>>>>>>>>>>>> What is the purpose of the line?
>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Please note that opentaps is not at the same level of
>>>>>>>>>>>>>> revision
>>>>>>>>>>>>>> that
>>>>>>>>>>>>>> ofbiz
>>>>>>>>>>>>>> it
>>>>>>>>>>>>>> there have been  changes to security.
>>>>>>>>>>>>>> there are examples in the
>>>>>>>>>>>>>> framework/example
>>>>>>>>>>>>>> and
>>>>>>>>>>>>>> framework/exampleext
>>>>>>>>>>>>>> I believe this to better tutorial
>>>>>>>>>>>>>> since they work already.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>>>>>> hi,
>>>>>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>>>>>> I want to understand how security works so I made the
>>>>>>>>>>>>>>>>> following
>>>>>>>>>>>>>>>>> modifications to hello1
>>>>>>>>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the
>>>>>>>>>>>>>>>>> ofbiz-component.xml
>>>>>>>>>>>>>>>>> I could still see the application I was assuming the
>>>>>>>>>>>>>>>>> application
>>>>>>>>>>>>>>>>> would
>>>>>>>>>>>>>>>>> as
>>>>>>>>>>>>>>>>> me to login or prevent me from seeing the page.
>>>>>>>>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the
>>>>>>>>>>>>>>>>> browser.
>>>>>>>>>>>>>>>>> How do permissions precedence work starting from the UI
>>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>> entity
>>>>>>>>>>>>>>>>> layer.
>>>>>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>> RequestHandler.java:243:INFO ] [Processing Request]: main
>>>>>>>>>>>>>>>>> sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>> RequestManager.java:159:WARN ]
>>>>>>>>>>>>>>>>> [RequestManager.getEventType]
>>>>>>>>>>>>>>>>> Type
>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>> event
>>>>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>> RequestManager.java:146:WARN ]
>>>>>>>>>>>>>>>>> [RequestManager.getEventPath]
>>>>>>>>>>>>>>>>> Path
>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>> event
>>>>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>> RequestManager.java:172:WARN ]
>>>>>>>>>>>>>>>>> [RequestManager.getEventMethod]
>>>>>>>>>>>>>>>>> Method
>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>> event for request "checkLogin" not found
>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>> ControlServlet.java:205:ERROR]
>>>>>>>>>>>>>>>>> ---- runtime exception report
>>>>>>>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>>>>>> ---- stack trace
>>>>>>>>>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
>>>>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
>
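
The controller wiring this thread converges on (a request-map with auth="true" needs "checkLogin" and "login" request-maps with complete events, plus a view-map for every view they return) can be checked before deployment. The lint below is an added example, not part of the original posts or of OFBiz; the function names and the hello1 screen path are constructed, and it assumes all request-maps live in the one file it is given.

```python
import xml.etree.ElementTree as ET

# Constructed sample: "main" demands a login but nothing defines checkLogin/login,
# the situation behind the 'request "checkLogin" not found' warnings in the thread.
BROKEN = """<site-conf>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <view-map name="main" type="screen" page="component://hello1/widget/HelloScreens.xml#main"/>
</site-conf>"""

# Constructed sample modelled on the controller quoted in the thread.
FIXED = """<site-conf>
  <request-map uri="checkLogin" edit="false">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="login">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <view-map name="login" type="screen" page="component://common/widget/CommonScreens.xml#login"/>
  <view-map name="main" type="screen" page="component://hello1/widget/HelloScreens.xml#main"/>
</site-conf>"""

LOGIN_REQUESTS = ("checkLogin", "login")
EVENT_ATTRS = ("type", "path", "invoke")


def _children(elem, name):
    # Compare local names so a namespaced controller parses the same way.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _requires_auth(request_map):
    return any(s.get("auth") == "true" for s in _children(request_map, "security"))


def _request_maps(xml_text):
    root = ET.fromstring(xml_text)
    return root, {r.get("uri", ""): r for r in _children(root, "request-map")}


def unauthenticated_requests(xml_text):
    """URIs reachable without a login: no <security> element or auth != "true"."""
    _, requests = _request_maps(xml_text)
    return sorted(uri for uri, r in requests.items() if not _requires_auth(r))


def lint_controller(xml_text):
    """Return a list of wiring problems found in one controller.xml document."""
    root, requests = _request_maps(xml_text)
    views = {v.get("name") for v in _children(root, "view-map")}
    findings = []

    protected = sorted(uri for uri, r in requests.items() if _requires_auth(r))
    if protected:
        for uri in LOGIN_REQUESTS:
            req = requests.get(uri)
            if req is None:
                findings.append(f"request-map '{uri}' is missing but auth=\"true\" "
                                f"is set on: {', '.join(protected)}")
                continue
            events = _children(req, "event")
            if not events:
                findings.append(f"request-map '{uri}' has no <event>")
                continue
            for attr in EVENT_ATTRS:
                if not events[0].get(attr):
                    findings.append(f"request-map '{uri}' event lacks '{attr}'")

    # Every response of type "view" must name a view-map that exists.
    for uri in sorted(requests):
        for resp in _children(requests[uri], "response"):
            if resp.get("type") == "view" and resp.get("value") not in views:
                findings.append(f"request-map '{uri}' response '{resp.get('name')}' "
                                f"points at undefined view '{resp.get('value')}'")
    return findings


if __name__ == "__main__":
    for label, doc in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, "open:", unauthenticated_requests(doc))
        for finding in lint_controller(doc) or ["no findings"]:
            print("  ", finding)
```

The lint does not verify that the screen a view-map points at exists, which is the later failure in this thread (the moved CommonScreens.xml and the missing main-decorator).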



Re: how to set security and permissions precedence

Posted by Jacques Le Roux <ja...@les7arts.com>.
From: "BJ Freeman" <bj...@free-man.net>
> I have heard others say how they benefited from the videos, and others
> that say they did not.
> I can not attest either way.
> Again the ones that did not, are not here now, the ones that did are
> still part of the community and contributing.
>
> my main contribution is on this mailing list. I figure the more people
> that know and contribute, the more benefit.  I just hope to set a tone
> that others will adopt.

There are 2 kinds of videos:
. Seminar: most are old now and of little value, but could still be interesting in some aspects, mostly the more recent ones.
. Advanced Framework, which are fairly recent and anyway fundamental (i.e. not very sensitive to changes). If you don't want to spend
money you could use only the Advanced Framework Transcription http://docs.ofbiz.org/pages/viewpageattachments.action?pageId=4369 (at
least to evaluate your need) or wait for the videos to be freely available. But IMHO they are a very valuable source of multiple kinds
of information: a course is not a book (especially if it's a course transcription).

Note that I do not earn anything from these videos done by David. I bought them when they were published and I don't regret my
investment, in time and money!

Note also that the minilang documentation (available from the auto-completion feature of an XML editor) I did last year mostly comes
from this source...

Jacques


Re: how to set security and permissions precedence

Posted by BJ Freeman <bj...@free-man.net>.
I think the primary objective for all of us is to get to a level of
understanding that makes this a viable situation.
widgets are the fastest way to do UI work.
the beauty is that if you change or add to an entity the screens update
with little or no work.

also extensive work has been done in the webtools to let you investigate
the working in realtime.

learning the mini language, for simple methods would be another
important point.
as the googlecheckout component shows. you can do a lot and never touch
java.

I have heard others say how they benefited from the videos, and others
that say they did not.
I can not attest either way.
Again the ones that did not, are not here now, the ones that did are
still part of the community and contributing.

my main contribution is on this mailing list. I figure the more people
that know and contribute, the more benefit.  I just hope to set a tone
that others will adopt.



Milind W sent the following on 8/4/2008 10:19 PM:
> hi BJ,
> That arrow left the quiver sooner than I would have liked.
> But anyways as I said, I definitely agree that people who have written
> this have every right to benefit and prosper from their effort, especially
> after having given away most of it for free.
> I sincerely hope that it happens so we can continue to use and benefit
> from this framework.
> My primary objective right now is trying to get to a point as quickly as I
> can in developing real world applications.
> Secondary objective would be to contribute whatever I can to the community
> in the process.
> So that said do you think the material
> http://www.undersunconsulting.com/ecommerce/control/additem/main
> is the fastest way known to man to get past the newbie stage?
> Can anyone else weigh in on this as well if they have used these tutorials?
> How relevant are they with the new versions of ofbiz?
> Thanks
> -Milind
> 
> 
>> our documentation is community driven.
>> and it has significantly grown in the last few years.
>> the basics are hard to grasp for object, DB driven, programmers.
>> so a lot of the learning is unlearning.
>> I struggled with getting my mind around it for a few years.
>> now it seems so clear.
>> my dad used to say.
>> everything costs time or money, sometimes both.
>> so you ask why I stick with it.
>> because of all the software out there this seemed the most likely to fit
>>  needs of my clients.
>> the tutorials are free except for the advanced stuff.
>> open source does not necessarily mean free.
>> it means you get the source.
>> just like the years I spent developing the yahoo interface.
>> I would like to get some of that back before everyone becomes my
>> competitor.
>> The people that made this possible have clients that funded the code and
>> then allowed them to give it to the community. not the other way around.
>>
>>
>>
>>
>>
>>
>>
>> Milind W sent the following on 8/4/2008 8:46 PM:
>>> hi BJ,
>>> It is sad that there is no quick way to learn ofbiz (still).
>>> What makes it more difficult is the part where you have to reverse
>>> engineer the code or existing configuration to understand how to do
>>> things.
>>> IMHO
>>> 1)Reverse engineering and going through existing code has its place but
>>> not as a newbie.
>>> 2)The most basic features and capabilities should be easy to learn or at
>>> least there should be tutorials for those ideally these should be free
>>> for something that's open source.
>>> 3)I do understand that people who made this possible have every right to
>>> benefit from this.
>>> 3)I guess there are some but nothing that is free so looks like the
>>> practical way to learn the framework is to spend 350$ and
>>>
>>>> this is where using the example, exampleext, and the
>>>> wiki startup example will help.
>>>> this is where ofbiz is different than opentaps.
>>>> and the links to the information that has been given you in the past
>>>> come into play.
>>>> there is no quick way to learn ofbiz.
>>>> :)
>>>> error is saying the main decorator has not been defined in the web.xml
>>>> parms.
>>>>
>>>> you should check your complete component against the framework/example.
>>>>
>>>> Milind W sent the following on 8/3/2008 11:07 PM:
>>>>> I changed my controller to conform with the example controller.xml.
>>>>> Now it does attempt to send me to the login screen but get the
>>>>> following error.
>>>>>
>>>>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen
>>>>> [component://common/widget/CommonScreens.xml#login]:
>>>>> java.lang.IllegalArgumentException: Could not find screen with name
>>>>> [main-decorator] in the same file as the screen with name [login]
>>>>> (Could not find screen with name [main-decorator] in the same file as the
>>>>> screen with name [login])
>>>>>
>>>>> Help!
>>>>>> your controller does not conform to the current svn controllers.
>>>>>> please review them.
>>>>>>
>>>>>>
>>>>>> Milind W sent the following on 8/3/2008 5:35 PM:
>>>>>>> I got the updated files.
>>>>>>> Did ant clean and then a new build.
>>>>>>> I still see the SAME behavior described in my previous email.
>>>>>>> I am attaching my controller.xml
>>>>>>>
>>>>>>>> here is the fix
>>>>>>>> http://svn.apache.org/viewvc?rev=682228&view=rev
>>>>>>>>
>>>>>>>> Milind W sent the following on 8/3/2008 4:27 PM:
>>>>>>>>> Just tried "ant clean" it made no difference.
>>>>>>>>> I can proceed to main without being redirected to login with
>>>>>>>>> rev#679258.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Relevant log for rev#679258
>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:584:INFO ] servletName=control, view=main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: apache tomcat/6.0.16
>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>>>>>>>>>
>>>>>>>>> and with rev#677863
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:236:INFO ] [Processing Request]: main sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:262:INFO ] reqParams Map: []
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:263:INFO ] queryString:
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:273:INFO ] checkLogin: queryString=
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:578:INFO ] servletName=control, view=login sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>>>>>>>>>
>>>>>>>>> The loginworker seems to be invoked with rev#677863 and not with
>>>>>>>>> rev#679258.
>>>>>>>>> Any Idea?
>>>>>>>>>
>>>>>>>>>> Did you try an "ant clean" ? There have been some changes
>>>>>>>>>> recently that imply this cleanup.
>>>>>>>>>>
>>>>>>>>>> Jacques
>>>>>>>>>>
>>>>>>>>>> From: "Milind W" <ma...@mymunshi.com>
>>>>>>>>>>> Looks like I have a problem making this example work with
>>>>>>>>>>> revision#679258
>>>>>>>>>>>
>>>>>>>>>>> It worked fine (i.e I was redirected to login screen before I
>>>>>>>>>>> could get to main) with rev#677863
>>>>>>>>>>>
>>>>>>>>>>> Looks like the view
>>>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>>>>> is part of the problem. The CommonScreens.xml has moved and does
>>>>>>>>>>> no longer seem to have the 'login' screen.
>>>>>>>>>>>
>>>>>>>>>>> I tried finding another screen with the 'login' view. I found
>>>>>>>>>>> another one in the 'common' component and modified my hello
>>>>>>>>>>> controller to point to
>>>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>>>> page="component://common/widget/CommonScreens.xml#login"/>
>>>>>>>>>>> but it is not acting the same as previously.
>>>>>>>>>>>
>>>>>>>>>>> Please let me know what is missing (or any suggestion how best
>>>>>>>>>>> to illustrate login) so I can complete and contribute my tutorial
>>>>>>>>>>> for security. Would hate to create a tutorial that worked with one
>>>>>>>>>>> specific build.
>>>>>>>>>>>
>>>>>>>>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>> -Milind
>>>>>>>>>>>
>>>>>>>>>>>> hi,
>>>>>>>>>>>> I got login to work by adding the changes below to my
>>>>>>>>>>>> controller using ofbiz4.0.
>>>>>>>>>>>> I don't think I follow the reason with OFBTOOLS base
>>>>>>>>>>>> permission not taking effect in the ofbiz-component as
>>>>>>>>>>>> explained in OFBIZ-829.
>>>>>>>>>>>> But I agree with Si Chen on OFBIZ-829
>>>>>>>>>>>> "The right way is to assume no permission until one of the list
>>>>>>>>>>>> of permissions is met." Seems more intuitive.
>>>>>>>>>>>> For now I can work around it so thanks all.
>>>>>>>>>>>> -Milind
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> <preprocessor>
>>>>>>>>>>>>         <!-- Events to run on every request before security
>>>>>>>>>>>> (chains
>>>>>>>>>>>> exempt) -->
>>>>>>>>>>>>         <!-- <event type="java"
>>>>>>>>>>>> path="org.ofbiz.webapp.event.TestEvent"
>>>>>>>>>>>> invoke="test"/> -->
>>>>>>>>>>>>         <event type="java"
>>>>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>>>>> invoke="checkExternalLoginKey"/>
>>>>>>>>>>>>     </preprocessor>
>>>>>>>>>>>>
>>>>>>>>>>>> <!-- Request Mappings -->
>>>>>>>>>>>>
>>>>>>>>>>>>   <request-map uri="checkLogin" edit="false">
>>>>>>>>>>>>         <description>Verify a user is logged in.</description>
>>>>>>>>>>>>         <security https="false" auth="false"/>
>>>>>>>>>>>>         <event type="java"
>>>>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>>>>> invoke="checkLogin" />
>>>>>>>>>>>>         <response name="success" type="view" value="main" />
>>>>>>>>>>>>         <response name="error" type="view" value="login" />
>>>>>>>>>>>>     </request-map>
>>>>>>>>>>>>
>>>>>>>>>>>>     <request-map uri="login">
>>>>>>>>>>>>         <security https="false" auth="false"/>
>>>>>>>>>>>>         <event type="java"
>>>>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>>>>> invoke="login"/>
>>>>>>>>>>>>         <response name="success" type="view" value="main"/>
>>>>>>>>>>>>         <response name="error" type="view" value="login"/>
>>>>>>>>>>>>     </request-map>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>> <security https="false" auth="true" />
>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>
>>>>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> Not with a direct link to the comment where is the explanation ;p
>>>>>>>>>>>>> Actually it was more a didactic post
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>
>>>>>>>>>>>>> From: "BJ Freeman" <bj...@free-man.net>
>>>>>>>>>>>>>> LOL
>>>>>>>>>>>>>> that was the first link I sent on this thread.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>>>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You would have got
>>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>>>>>>>>>> <ma...@mymunshi.com>
>>>>>>>>>>>>>>> To: <us...@ofbiz.apache.org>
>>>>>>>>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>>>>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Let me try to break up questions.
>>>>>>>>>>>>>>>> Shouldn't adding
>>>>>>>>>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user
>>>>>>>>>>>>>>>> id that is associated to the OFBTOOLS security group?
>>>>>>>>>>>>>>>> I can see the application I created and the line seems to
>>>>>>>>>>>>>>>> have no effect.
>>>>>>>>>>>>>>>> What is the purpose of the line?
>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Please note that opentaps is not at the same level of
>>>>>>>>>>>>>>>>> revision that ofbiz is.
>>>>>>>>>>>>>>>>> there have been  changes to security.
>>>>>>>>>>>>>>>>> there are examples in the
>>>>>>>>>>>>>>>>> framework/example
>>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>> framework/exampleext
>>>>>>>>>>>>>>>>> I believe this to be a better tutorial
>>>>>>>>>>>>>>>>> since they work already.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>>>>>>>>> hi,
>>>>>>>>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>>>>>>>>> I want to understand how security works so I made the
>>>>>>>>>>>>>>>>>>>> following modifications to hello1
>>>>>>>>>>>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the
>>>>>>>>>>>>>>>>>>>> ofbiz-component.xml
>>>>>>>>>>>>>>>>>>>> I could still see the application I was assuming the
>>>>>>>>>>>>>>>>>>>> application would ask me to login or prevent me from
>>>>>>>>>>>>>>>>>>>> seeing the page.
>>>>>>>>>>>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the
>>>>>>>>>>>>>>>>>>>> browser.
>>>>>>>>>>>>>>>>>>>> How do permissions precedence work starting from the UI
>>>>>>>>>>>>>>>>>>>> to the entity layer.
>>>>>>>>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:159:WARN ] [RequestManager.getEventType] Type of event for request "checkLogin" not found
>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:146:WARN ] [RequestManager.getEventPath] Path of event for request "checkLogin" not found
>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:172:WARN ] [RequestManager.getEventMethod] Method of event for request "checkLogin" not found
>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ ControlServlet.java:205:ERROR]
>>>>>>>>>>>>>>>>>>>> ---- runtime exception report
>>>>>>>>>>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>>>>>>>>> ---- stack trace
>>>>>>>>>>>>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
>>>>>>>>>
>>>>>
>>>>>
>>>>>
>>>
>>>
>>>
>>>
>>
> 
> 
> 
> 
> 
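
The failure and the fix quoted in this thread, turned into a static check of a controller.xml. This is an added example, not OFBiz code and not posted by anyone on the list; the function name, the finding labels and the hello1 view-map path are assumptions made for the illustration, and `<include>` elements are only listed, not followed.

```python
import xml.etree.ElementTree as ET

# Request-maps the login flow quoted in the thread relies on.
LOGIN_FLOW = ("checkLogin", "login")

# Constructed sample: the first attempt from the thread, auth="true" on "main"
# with nothing else defined (the hello1 screen path is made up).
BROKEN = """<site-conf>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <view-map name="main" type="screen" page="component://hello1/widget/HelloScreens.xml#main"/>
</site-conf>"""

# Constructed sample: the working request-maps quoted in the thread.
FIXED = """<site-conf>
  <request-map uri="checkLogin" edit="false">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="login">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <view-map name="main" type="screen" page="component://hello1/widget/HelloScreens.xml#main"/>
  <view-map name="login" type="screen" page="component://common/widget/CommonScreens.xml#login"/>
</site-conf>"""


def _local(tag):
    """Drop an XML namespace prefix, if the controller declares one."""
    return tag.rsplit("}", 1)[-1]


def _child(el, name):
    """First direct child element with the given local name, or None."""
    return next((c for c in el if _local(c.tag) == name), None)


def audit_controller(xml_text):
    """Return findings for one controller file, without following includes."""
    root = ET.fromstring(xml_text)
    requests = {e.get("uri"): e for e in root if _local(e.tag) == "request-map"}
    views = {e.get("name") for e in root if _local(e.tag) == "view-map"}
    includes = [e.get("location") for e in root if _local(e.tag) == "include"]

    protected, open_uris, findings = [], [], []
    for uri, el in requests.items():
        sec = _child(el, "security")
        if sec is not None and sec.get("auth") == "true":
            protected.append(uri)
        else:
            # Not declared auth="true": listed so a reviewer can confirm intent.
            open_uris.append(uri)

    # auth="true" sends the request through checkLogin; the thread's log shows
    # "event for request "checkLogin" not found" right before the exception.
    if protected:
        for uri in LOGIN_FLOW:
            if uri not in requests:
                findings.append(("missing-request", uri,
                                 "needed by " + ",".join(protected)))
                continue
            event = _child(requests[uri], "event")
            missing = [a for a in ("type", "path", "invoke")
                       if event is None or not event.get(a)]
            if missing:
                findings.append(("incomplete-event", uri, ",".join(missing)))

    # Every view response must resolve to a view-map in this file.
    for uri, el in requests.items():
        for resp in el:
            if (_local(resp.tag) == "response" and resp.get("type") == "view"
                    and resp.get("value") not in views):
                findings.append(("missing-view", uri, resp.get("value")))

    # If includes is non-empty, "missing" items may be defined in those files.
    return {"findings": findings, "open": open_uris, "includes": includes}


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_controller(doc))
```
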


Re: how to set security and permissions precedence

Posted by BJ Freeman <bj...@free-man.net>.
David, my only reluctance to do anything that requires words is I am
terrible, due to my dyslexia.
However, if someone does not mind proofreading I will be glad to assist.

David E Jones sent the following on 8/4/2008 11:00 PM:
> 
> On Aug 4, 2008, at 11:19 PM, Milind W wrote:
> 
>> hi BJ,
>> That arrow left the quiver sooner than I would have liked.
>> But anyways as I said, I definitely agree that people who have written
>> this have every right to benefit and prosper from their effort, specially
>> after having given away most of it for free.
> 
> Are you referring to the framework training videos? Please... there's no
> money there. We've barely recovered the creation expense on those, and
> the transcript is even available for free now (and has been for months,
> and it was announced, and we requested help doing something with this,
> and nothing has been done):
> 
> http://docs.ofbiz.org/display/OFBTECH/Advanced+Framework+Transcription+Work+Plan
> 
> 
>> I sincerely hope that it happens so we can continue to use and benefit
>> from this framework.
>> My primary objective right now is trying to get to a point as quickly
>> as I
>> can in developing real world applications.
> 
> The best thing you can do for your own benefit is to get involved with
> the community. Would you expect to learn SAP overnight? Or even
> something like ATG or Blue Martini on the ecommerce side?
> 
>> Secondary objective would be to contribute whatever I can to the
>> community
>> in the process.
> 
> Please understand that the attitude and priorities you've just admitted
> to are the greatest hindrance to the community and how much you can
> benefit from it.
> 
> -David
> 
> 
>> So that said do you think the material
>> http://www.undersunconsulting.com/ecommerce/control/additem/main
>> is the fastest way known to man to get past the newbie stage?
>> Can anyone else weigh in on this as well if they have used these
>> tutorials?
>> How relevant are they with the new versions of ofbiz?
>> Thanks
>> -Milind
>>
>>
>>> our documentation is community driven.
>>> and it has significantly grown in the last few years.
>>> the basics are hard to grasp for object, DB driven, programmers.
>>> so a lot of the learning is unlearning.
>>> I struggled with getting my mind around it for a few years.
>>> now it seems so clear.
>>> my dad used to say.
>>> everything costs time or money, sometimes both.
>>> so you ask why I stick with it.
>>> because of all the software out there this seemed the most likely to fit
>>> needs of my clients.
>>> the tutorials are free except for the advanced stuff.
>>> open source does not necessarily mean free.
>>> it means you get the source.
>>> just like the years I spent developing the yahoo interface.
>>> I would like to get some of that back before everyone becomes my
>>> competitor.
>>> The people that made this possible have clients that funded the code and
>>> then allowed them to give it to the community. not the other way around.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> Milind W sent the following on 8/4/2008 8:46 PM:
>>>> hi BJ,
>>>> It is sad that there is no quick way to learn ofbiz (still).
>>>> What makes it more difficult is the part where you have to reverse
>>>> engineer the code or existing configuration to understand how to do
>>>> things.
>>>> IMHO
>>>> 1)Reverse engineering and going through existing code has its place but
>>>> not as a newbie.
>>>> 2)The most basic features and capabilities should be easy to learn
>>>> or at least there should be tutorials for those ideally these should
>>>> be free for something that's open source.
>>>> 3)I do understand that people who made this possible have every
>>>> right to benefit from this.
>>>> 3)I guess there are some but nothing that is free so looks like the
>>>> practical way to learn the framework is to spend 350$ and
>>>>
>>>>> this is where using the example, exampleext, and the
>>>>> wiki startup example will help.
>>>>> this is where ofbiz is different than opentaps.
>>>>> and the links to the information that has been given you in the past
>>>>> come into play.
>>>>> there is no quick way to learn ofbiz.
>>>>> :)
>>>>> error is saying the main decorator has not been defined in the web.xml
>>>>> parms.
>>>>>
>>>>> you should check your complete component against the framework/example.
>>>>>
>>>>> Milind W sent the following on 8/3/2008 11:07 PM:
>>>>>> I changed my controller to conform with the example controller.xml.
>>>>>> Now it does attempt to send me to the login screen but get the
>>>>>> following error.
>>>>>>
>>>>>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen
>>>>>> [component://common/widget/CommonScreens.xml#login]:
>>>>>> java.lang.IllegalArgumentException: Could not find screen with name
>>>>>> [main-decorator] in the same file as the screen with name [login]
>>>>>> (Could not find screen with name [main-decorator] in the same file as the
>>>>>> screen with name [login])
>>>>>>
>>>>>> Help!
>>>>>>> your controller does not conform to the current svn controllers.
>>>>>>> please review them.
>>>>>>>
>>>>>>>
>>>>>>> Milind W sent the following on 8/3/2008 5:35 PM:
>>>>>>>> I got the updated files.
>>>>>>>> Did ant clean and then a new build.
>>>>>>>> I still see the SAME behavior described in my previous email.
>>>>>>>> I am attaching my controller.xml
>>>>>>>>
>>>>>>>>> here is the fix
>>>>>>>>> http://svn.apache.org/viewvc?rev=682228&view=rev
>>>>>>>>>
>>>>>>>>> Milind W sent the following on 8/3/2008 4:27 PM:
>>>>>>>>>> Just tried "ant clean" it made no difference.
>>>>>>>>>> I can proceed to main without being redirected to login with
>>>>>>>>>> rev#679258.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Relevant log for rev#679258
>>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:584:INFO ] servletName=control, view=main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: apache tomcat/6.0.16
>>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>>>>>>>>>>
>>>>>>>>>> and with rev#677863
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:236:INFO ] [Processing Request]: main sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:262:INFO ] reqParams Map: []
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:263:INFO ] queryString:
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:273:INFO ] checkLogin: queryString=
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:578:INFO ] servletName=control, view=login sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>>>>>>>>>>
>>>>>>>>>> The loginworker seems to be invoked with rev#677863 and not with
>>>>>>>>>> rev#679258.
>>>>>>>>>> Any Idea?
>>>>>>>>>>
>>>>>>>>>>> Did you try an "ant clean" ? There have been some changes
>>>>>>>>>>> recently that imply this cleanup.
>>>>>>>>>>>
>>>>>>>>>>> Jacques
>>>>>>>>>>>
>>>>>>>>>>> From: "Milind W" <ma...@mymunshi.com>
>>>>>>>>>>>> Looks like I have a problem making this example work with
>>>>>>>>>>>> revision#679258
>>>>>>>>>>>>
>>>>>>>>>>>> It worked fine (i.e I was redirected to login screen before I
>>>>>>>>>>>> could get to main) with rev#677863
>>>>>>>>>>>>
>>>>>>>>>>>> Looks like the view
>>>>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>>>>>> is part of the problem. The CommonScreens.xml has moved and
>>>>>>>>>>>> does no longer seem to have the 'login' screen.
>>>>>>>>>>>>
>>>>>>>>>>>> I tried finding another screen with the 'login' view. I found
>>>>>>>>>>>> another one in the 'common' component and modified my hello
>>>>>>>>>>>> controller to point to
>>>>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>>>>> page="component://common/widget/CommonScreens.xml#login"/>
>>>>>>>>>>>> but it is not acting the same as previously.
>>>>>>>>>>>>
>>>>>>>>>>>> Please let me know what is missing (or any suggestion how best
>>>>>>>>>>>> to illustrate login) so I can complete and contribute my tutorial
>>>>>>>>>>>> for security. Would hate to create a tutorial that worked with one
>>>>>>>>>>>> specific build.
>>>>>>>>>>>>
>>>>>>>>>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks
>>>>>>>>>>>> -Milind
>>>>>>>>>>>>
>>>>>>>>>>>>> hi,
>>>>>>>>>>>>> I got login to work by adding the changes below to my
>>>>>>>>>>>>> controller using ofbiz4.0.
>>>>>>>>>>>>> I don't think I follow the reason with OFBTOOLS base
>>>>>>>>>>>>> permission not taking effect in the ofbiz-component as
>>>>>>>>>>>>> explained in OFBIZ-829.
>>>>>>>>>>>>> But I agree with Si Chen on OFBIZ-829
>>>>>>>>>>>>> "The right way is to assume no permission until one of the
>>>>>>>>>>>>> list of permissions is met." Seems more intuitive.
>>>>>>>>>>>>> For now I can work around it so thanks all.
>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> <preprocessor>
>>>>>>>>>>>>>        <!-- Events to run on every request before security
>>>>>>>>>>>>> (chains
>>>>>>>>>>>>> exempt) -->
>>>>>>>>>>>>>        <!-- <event type="java"
>>>>>>>>>>>>> path="org.ofbiz.webapp.event.TestEvent"
>>>>>>>>>>>>> invoke="test"/> -->
>>>>>>>>>>>>>        <event type="java"
>>>>>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>>>>>> invoke="checkExternalLoginKey"/>
>>>>>>>>>>>>>    </preprocessor>
>>>>>>>>>>>>>
>>>>>>>>>>>>> <!-- Request Mappings -->
>>>>>>>>>>>>>
>>>>>>>>>>>>>  <request-map uri="checkLogin" edit="false">
>>>>>>>>>>>>>        <description>Verify a user is logged in.</description>
>>>>>>>>>>>>>        <security https="false" auth="false"/>
>>>>>>>>>>>>>        <event type="java"
>>>>>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>>>>>> invoke="checkLogin" />
>>>>>>>>>>>>>        <response name="success" type="view" value="main" />
>>>>>>>>>>>>>        <response name="error" type="view" value="login" />
>>>>>>>>>>>>>    </request-map>
>>>>>>>>>>>>>
>>>>>>>>>>>>>    <request-map uri="login">
>>>>>>>>>>>>>        <security https="false" auth="false"/>
>>>>>>>>>>>>>        <event type="java"
>>>>>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>>>>>> invoke="login"/>
>>>>>>>>>>>>>        <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>        <response name="error" type="view" value="login"/>
>>>>>>>>>>>>>    </request-map>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>> <security https="false" auth="true" />
>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>
>>>>>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Not with a direct link to the comment where is the explanation ;p
>>>>>>>>>>>>>> Actually it was more a didactic post
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> From: "BJ Freeman" <bj...@free-man.net>
>>>>>>>>>>>>>>> LOL
>>>>>>>>>>>>>>> that was the first link I sent on this thread.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>>>>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> You would have got
>>>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>>>>>>>>>>> <ma...@mymunshi.com>
>>>>>>>>>>>>>>>> To: <us...@ofbiz.apache.org>
>>>>>>>>>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>>>>>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Let me try to break up questions.
>>>>>>>>>>>>>>>>> Shouldn't adding
>>>>>>>>>>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>>>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user id that is
>>>>>>>>>>>>>>>>> associated to the OFBTOOLS security group?
>>>>>>>>>>>>>>>>> I can see the application I created and the line seems to have no
>>>>>>>>>>>>>>>>> effect.
>>>>>>>>>>>>>>>>> What is the purpose of the line?
>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Please note that opentaps is not at the same level of revision that ofbiz is.
>>>>>>>>>>>>>>>>>> there have been changes to security.
>>>>>>>>>>>>>>>>>> there are examples in the framework/example and framework/exampleext
>>>>>>>>>>>>>>>>>> I believe this to be a better tutorial
>>>>>>>>>>>>>>>>>> since they work already.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>>>>>>>>>> hi,
>>>>>>>>>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>>>>>>>>>> I want to understand how security works so I made the following
>>>>>>>>>>>>>>>>>>>>> modifications to hello1
>>>>>>>>>>>>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the ofbiz-component.xml
>>>>>>>>>>>>>>>>>>>>> I could still see the application I was assuming the application would ask
>>>>>>>>>>>>>>>>>>>>> me to login or prevent me from seeing the page.
>>>>>>>>>>>>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the browser.
>>>>>>>>>>>>>>>>>>>>> How do permissions precedence work starting from the UI to the entity layer.
>>>>>>>>>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:159:WARN ] [RequestManager.getEventType] Type of event for request "checkLogin" not found
>>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:146:WARN ] [RequestManager.getEventPath] Path of event for request "checkLogin" not found
>>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:172:WARN ] [RequestManager.getEventMethod] Method of event for request "checkLogin" not found
>>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ ControlServlet.java:205:ERROR]
>>>>>>>>>>>>>>>>>>>>> ---- runtime exception report
>>>>>>>>>>>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>>>>>>>>>> ---- stack trace
>>>>>>>>>>>>>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
>>>>>>>>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php


Re: how to set security and permissions precedence

Posted by David E Jones <jo...@hotwaxmedia.com>.
On Aug 4, 2008, at 11:19 PM, Milind W wrote:

> hi BJ,
> That arrow left the quiver sooner than I would have liked.
> But anyways as I said, I definitely agree that people who have written
> this have every right to benefit and prosper from their effort, specially
> after having given away most of it for free.

Are you referring to the framework training videos? Please... there's
no money there. We've barely recovered the creation expense on those,
and the transcript is even available for free now (and has been for
months, and it was announced, and we requested help doing something
with this, and nothing has been done):

http://docs.ofbiz.org/display/OFBTECH/Advanced+Framework+Transcription+Work+Plan

> I sincerely hope that it happens so we can continue to use and benefit
> from this framework.
> My primary objective right now is trying to get to a point as quickly as I
> can in developing real world applications.

The best thing you can do for your own benefit is to get involved with
the community. Would you expect to learn SAP overnight? Or even
something like ATG or Blue Martini on the ecommerce side?

> Secondary objective would be to contribute whatever I can to the community
> in the process.

Please understand that the attitude and priorities you've just
admitted to are the greatest hindrance to the community and how much
you can benefit from it.

-David


> So that said do you think the material
> http://www.undersunconsulting.com/ecommerce/control/additem/main
> is the fastest way known to man to get past the newbie stage?
> Can anyone else weigh in on this as well if they have used these tutorials?
> How relevant are they with the new versions of ofbiz?
> Thanks
> -Milind
>
>
>> our documentation is community driven.
>> and it has significantly grown in the last few years.
>> the basics are hard to grasp for object, DB driven, programmers.
>> so a lot of the learning is unlearning.
>> I struggled with getting my mind around it for a few years.
>> now it seems so clear.
>> my dad used to say.
>> everything costs time or money, sometimes both.
>> so you ask why I stick with it.
>> because of all the software out there this seemed the most likely to fit
>> needs of my clients.
>> the tutorials are free except for the advanced stuff.
>> open source does not necessarily mean free.
>> it means you get the source.
>> just like the years I spent developing the yahoo interface.
>> I would like to get some of that back before everyone becomes my
>> competitor.
>> The people that made this possible have clients that funded the code and
>> then allowed them to give it to the community. not the other way around.
>>
>> Milind W sent the following on 8/4/2008 8:46 PM:
>>> hi BJ,
>>> It is sad that there is no quick way to learn ofbiz (still).
>>> What makes it more difficult is the part where you have to reverse
>>> engineer the code or existing configuration to understand how to do
>>> things.
>>> IMHO
>>> 1)Reverse engineering and going through existing code has its place but
>>> not as a newbie.
>>> 2)The most basic features and capabilities should be easy to learn or at
>>> least there should be tutorials for those ideally these should be free for
>>> something that's open source.
>>> 3)I do understand that people who made this possible have every right to
>>> benefit from this.
>>> 3)I guess there are some but nothing that is free so looks like the
>>> practical way to learn the framework is to spend 350$ and
>>>
>>>> this is where using the example, exampleext, and the
>>>> wiki startup example will help.
>>>> this is where ofbiz is different than opentaps.
>>>> and the links to the information that has been given you in the past come
>>>> into play.
>>>> there is no quick way to learn ofbiz.
>>>> :)
>>>> error is saying the main decorator has not been defined in the web.xml
>>>> parms.
>>>>
>>>> you should check your complete component against the framework/example.
>>>>
>>>> Milind W sent the following on 8/3/2008 11:07 PM:
>>>>> I changed my controller to conform with the example controller.xml.
>>>>> Now it does attempt to send me to the login screen but get the following
>>>>> error.
>>>>>
>>>>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen [component://common/widget/CommonScreens.xml#login]: java.lang.IllegalArgumentException: Could not find screen with name [main-decorator] in the same file as the screen with name [login] (Could not find screen with name [main-decorator] in the same file as the screen with name [login])
>>>>>
>>>>> Help!
>>>>>> your controller does not conform to the current svn controllers.
>>>>>> please review them.
>>>>>>
>>>>>>
>>>>>> Milind W sent the following on 8/3/2008 5:35 PM:
>>>>>>> I got the updated files.
>>>>>>> Did ant clean and then a new build.
>>>>>>> I still see the SAME behavior described in my previous email.
>>>>>>> I am attaching my controller.xml
>>>>>>>
>>>>>>>> here is the fix
>>>>>>>> http://svn.apache.org/viewvc?rev=682228&view=rev
>>>>>>>>
>>>>>>>> Milind W sent the following on 8/3/2008 4:27 PM:
>>>>>>>>> Just tried "ant clean" it made no difference.
>>>>>>>>> I can proceed to main without being redirected to login with
>>>>>>>>> rev#679258.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Relevant log for rev#679258
>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:584:INFO ] servletName=control, view=main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: apache tomcat/6.0.16
>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>>>>>>>>>
>>>>>>>>> and with rev#677863
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:236:INFO ] [Processing Request]: main sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:262:INFO ] reqParams Map: []
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:263:INFO ] queryString:
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:273:INFO ] checkLogin: queryString=
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:578:INFO ] servletName=control, view=login sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>>>>>>>>>
>>>>>>>>> The loginworker seems to be invoked with rev#677863 and not with
>>>>>>>>> rev#679258.
>>>>>>>>> Any Idea?
>>>>>>>>>
>>>>>>>>>> Did you try an "ant clean" ? There have been some changes recently that
>>>>>>>>>> imply this cleanup.
>>>>>>>>>>
>>>>>>>>>> Jacques
>>>>>>>>>>
>>>>>>>>>> From: "Milind W" <ma...@mymunshi.com>
>>>>>>>>>>> Looks like I have a problem making this example work with
>>>>>>>>>>> revision#679258
>>>>>>>>>>>
>>>>>>>>>>> It worked fine (i.e I was redirected to login screen before I could get to
>>>>>>>>>>> main) with rev#677863
>>>>>>>>>>>
>>>>>>>>>>> Looks like the view
>>>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>>>>> is part of the problem. The CommonScreens.xml has moved and no longer
>>>>>>>>>>> seems to have the 'login' screen.
>>>>>>>>>>>
>>>>>>>>>>> I tried finding another screen with the 'login' view. I found another one
>>>>>>>>>>> in the 'common' component and modified my hello controller to point to
>>>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>>>> page="component://common/widget/CommonScreens.xml#login"/>
>>>>>>>>>>> but it is not acting the same as previously.
>>>>>>>>>>>
>>>>>>>>>>> Please let me know what is missing (or any suggestion how best to
>>>>>>>>>>> illustrate login) so I can complete and contribute my tutorial for
>>>>>>>>>>> security. Would hate to create a tutorial that worked with one specific
>>>>>>>>>>> build.
>>>>>>>>>>>
>>>>>>>>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>> -Milind
>>>>>>>>>>>
>>>>>>>>>>>> hi,
>>>>>>>>>>>> I got login to work by adding the changes below to my controller using
>>>>>>>>>>>> ofbiz4.0.
>>>>>>>>>>>> I don't think I follow the reason with OFBTOOLS base permission not
>>>>>>>>>>>> taking effect in the ofbiz-component as explained in OFBIZ-829.
>>>>>>>>>>>> But I agree with Si Chen on OFBIZ-829
>>>>>>>>>>>> "The right way is to assume no permission until one of the list of
>>>>>>>>>>>> permissions is met." Seems more intuitive.
>>>>>>>>>>>> For now I can workaround it so thanks all.
>>>>>>>>>>>> -Milind
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>    <preprocessor>
>>>>>>>>>>>>        <!-- Events to run on every request before security (chains exempt) -->
>>>>>>>>>>>>        <!-- <event type="java" path="org.ofbiz.webapp.event.TestEvent" invoke="test"/> -->
>>>>>>>>>>>>        <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
>>>>>>>>>>>>    </preprocessor>
>>>>>>>>>>>>
>>>>>>>>>>>>    <!-- Request Mappings -->
>>>>>>>>>>>>
>>>>>>>>>>>>    <request-map uri="checkLogin" edit="false">
>>>>>>>>>>>>        <description>Verify a user is logged in.</description>
>>>>>>>>>>>>        <security https="false" auth="false"/>
>>>>>>>>>>>>        <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin" />
>>>>>>>>>>>>        <response name="success" type="view" value="main" />
>>>>>>>>>>>>        <response name="error" type="view" value="login" />
>>>>>>>>>>>>    </request-map>
>>>>>>>>>>>>
>>>>>>>>>>>>    <request-map uri="login">
>>>>>>>>>>>>        <security https="false" auth="false"/>
>>>>>>>>>>>>        <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
>>>>>>>>>>>>        <response name="success" type="view" value="main"/>
>>>>>>>>>>>>        <response name="error" type="view" value="login"/>
>>>>>>>>>>>>    </request-map>
>>>>>>>>>>>>
>>>>>>>>>>>>    <request-map uri="main">
>>>>>>>>>>>>        <security https="false" auth="true" />
>>>>>>>>>>>>        <response name="success" type="view" value="main"/>
>>>>>>>>>>>>    </request-map>
>>>>>>>>>>>>
>>>>>>>>>>>>    <view-map name="login" type="screen" page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> Not with a direct link to the comment where is the explanation
>>>>>>>>>>>>> ;p
>>>>>>>>>>>>> Actually it was more a didactic post
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>
>>>>>>>>>>>>> From: "BJ Freeman" <bj...@free-man.net>
>>>>>>>>>>>>>> LOL
>>>>>>>>>>>>>> that was the first link I sent on this thread.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>>>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You would have got
>>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>>>>>>>>>> <ma...@mymunshi.com>
>>>>>>>>>>>>>>> To: <us...@ofbiz.apache.org>
>>>>>>>>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>>>>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Let me try to break up questions.
>>>>>>>>>>>>>>>> Shouldn't adding
>>>>>>>>>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user id that is
>>>>>>>>>>>>>>>> associated to the OFBTOOLS security group?
>>>>>>>>>>>>>>>> I can see the application I created and the line seems to have no
>>>>>>>>>>>>>>>> effect.
>>>>>>>>>>>>>>>> What is the purpose of the line?
>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Please note that opentaps is not at the same level of revision that ofbiz is.
>>>>>>>>>>>>>>>>> there have been changes to security.
>>>>>>>>>>>>>>>>> there are examples in the framework/example and framework/exampleext
>>>>>>>>>>>>>>>>> I believe this to be a better tutorial
>>>>>>>>>>>>>>>>> since they work already.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>>>>>>>>> hi,
>>>>>>>>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>>>>>>>>> I want to understand how security works so I made the following
>>>>>>>>>>>>>>>>>>>> modifications to hello1
>>>>>>>>>>>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the ofbiz-component.xml
>>>>>>>>>>>>>>>>>>>> I could still see the application I was assuming the application would ask
>>>>>>>>>>>>>>>>>>>> me to login or prevent me from seeing the page.
>>>>>>>>>>>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the browser.
>>>>>>>>>>>>>>>>>>>> How do permissions precedence work starting from the UI to the entity layer.
>>>>>>>>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:159:WARN ] [RequestManager.getEventType] Type of event for request "checkLogin" not found
>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:146:WARN ] [RequestManager.getEventPath] Path of event for request "checkLogin" not found
>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:172:WARN ] [RequestManager.getEventMethod] Method of event for request "checkLogin" not found
>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ ControlServlet.java:205:ERROR]
>>>>>>>>>>>>>>>>>>>> ---- runtime exception report
>>>>>>>>>>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>>>>>>>>> ---- stack trace
>>>>>>>>>>>>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>>>>>>>>> org 
>>>>>>>>>>>>>>>>>>>> .ofbiz 
>>>>>>>>>>>>>>>>>>>> .webapp 
>>>>>>>>>>>>>>>>>>>> .control 
>>>>>>>>>>>>>>>>>>>> .RequestManager 
>>>>>>>>>>>>>>>>>>>> .getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> org 
>>>>>>>>>>>>>>>>>>>> .ofbiz 
>>>>>>>>>>>>>>>>>>>> .webapp 
>>>>>>>>>>>>>>>>>>>> .event 
>>>>>>>>>>>>>>>>>>>> .EventFactory.loadEventHandler(EventFactory.java: 
>>>>>>>>>>>>>>>>>>>> 102)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> org 
>>>>>>>>>>>>>>>>>>>> .ofbiz 
>>>>>>>>>>>>>>>>>>>> .webapp 
>>>>>>>>>>>>>>>>>>>> .event 
>>>>>>>>>>>>>>>>>>>> .EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> org 
>>>>>>>>>>>>>>>>>>>> .ofbiz 
>>>>>>>>>>>>>>>>>>>> .webapp 
>>>>>>>>>>>>>>>>>>>> .control 
>>>>>>>>>>>>>>>>>>>> .RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> org 
>>>>>>>>>>>>>>>>>>>> .ofbiz 
>>>>>>>>>>>>>>>>>>>> .webapp 
>>>>>>>>>>>>>>>>>>>> .control 
>>>>>>>>>>>>>>>>>>>> .RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> org 
>>>>>>>>>>>>>>>>>>>> .ofbiz 
>>>>>>>>>>>>>>>>>>>> .webapp 
>>>>>>>>>>>>>>>>>>>> .control.ControlServlet.doGet(ControlServlet.java: 
>>>>>>>>>>>>>>>>>>>> 198)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> javax 
>>>>>>>>>>>>>>>>>>>> .servlet 
>>>>>>>>>>>>>>>>>>>> .http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>>>>>>>>> javax 
>>>>>>>>>>>>>>>>>>>> .servlet 
>>>>>>>>>>>>>>>>>>>> .http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>>>>>>>>> org 
>>>>>>>>>>>>>>>>>>>> .apache 
>>>>>>>>>>>>>>>>>>>> .catalina 
>>>>>>>>>>>>>>>>>>>> .core 
>>>>>>>>>>>>>>>>>>>> .ApplicationFilterChain 
>>>>>>>>>>>>>>>>>>>> .internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> org 
>>>>>>>>>>>>>>>>>>>> .apache 
>>>>>>>>>>>>>>>>>>>> .catalina 
>>>>>>>>>>>>>>>>>>>> .core 
>>>>>>>>>>>>>>>>>>>> .ApplicationFilterChain 
>>>>>>>>>>>>>>>>>>>> .doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> org 
>>>>>>>>>>>>>>>>>>>> .ofbiz 
>>>>>>>>>>>>>>>>>>>> .webapp 
>>>>>>>>>>>>>>>>>>>> .control 
>>>>>>>>>>>>>>>>>>>> .ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> org 
>>>>>>>>>>>>>>>>>>>> .apache 
>>>>>>>>>>>>>>>>>>>> .catalina 
>>>>>>>>>>>>>>>>>>>> .core 
>>>>>>>>>>>>>>>>>>>> .ApplicationFilterChain 
>>>>>>>>>>>>>>>>>>>> .internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> org 
>>>>>>>>>>>>>>>>>>>> .apache 
>>>>>>>>>>>>>>>>>>>> .catalina 
>>>>>>>>>>>>>>>>>>>> .core 
>>>>>>>>>>>>>>>>>>>> .ApplicationFilterChain 
>>>>>>>>>>>>>>>>>>>> .doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> org 
>>>>>>>>>>>>>>>>>>>> .apache 
>>>>>>>>>>>>>>>>>>>> .catalina 
>>>>>>>>>>>>>>>>>>>> .core 
>>>>>>>>>>>>>>>>>>>> .StandardWrapperValve 
>>>>>>>>>>>>>>>>>>>> .invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php


Re: how to set security and permissions precedence

Posted by Jacques Le Roux <ja...@les7arts.com>.
From: "David E Jones" <jo...@hotwaxmedia.com>
>
> On Aug 4, 2008, at 11:19 PM, Milind W wrote:
>
>> hi BJ,
>> That arrow left the quiver sooner than I would have liked.
>> But anyways as I said, I definitely agree that people who have written
>> this have every right to benefit and prosper from their effort, especially
>> after having given away most of it for free.
>
> Are you referring to the framework training videos? Please... there's no money there. We've barely recovered the creation expense
> on those, and the transcript is even available for free now (and has been for months, and it was announced, and we requested
> help doing something with this, and nothing has been done):

Correction Sir: nothing has been done yet (and actually is not even true as I recently used some transcription snippets somewhere I
don't remember off the top of my head :o)

> http://docs.ofbiz.org/display/OFBTECH/Advanced+Framework+Transcription+Work+Plan
>
>> I sincerely hope that it happens so we can continue to use and benefit
>> from this framework.

I continue to hope to find some time to use this invaluable source of knowledge to at least enhance XSD file
annotations/documentation as I did previously for minilang. Everybody is welcome to help...

Jacques

>> My primary objective right now is trying to get to a point as quickly as I
>> can in developing real world applications.
>
> The best thing you can do for your own benefit is to get involved with the community. Would you expect to learn SAP overnight? Or
> even something like ATG or Blue Martini on the ecommerce side?
>
>> Secondary objective would be to contribute whatever I can to the community
>> in the process.
>
> Please understand that the attitude and priorities you've just admitted to are the greatest hindrance to the community and how
> much you can benefit from it.
>
> -David
>
>
>> So that said do you think the material
>> http://www.undersunconsulting.com/ecommerce/control/additem/main
>> is the fastest way known to man to get past the newbie stage?
>> Can anyone else weigh in on this as well if they have used these tutorials?
>> How relevant are they with the new versions of ofbiz?
>> Thanks
>> -Milind
>>
>>
>>> our documentation is community driven.
>>> and it has significantly grown in the last few years.
>>> the basics are hard to grasp for object, DB driven, programmers.
>>> so a lot of the learning is unlearning.
>>> I struggled with getting my mind around it for a few years.
>>> now it seems so clear.
>>> my dad used to say.
>>> everything costs time or money, sometimes both.
>>> so you ask why I stick with it.
>>> because of all the software out there this seemed the most likely to fit
>>> needs of my clients.
>>> the tutorials are free except for the advanced stuff.
>>> open source does not necessarily mean free.
>>> it means you get the source.
>>> just like the years I spent developing the yahoo interface.
>>> I would like to get some of that back before everyone becomes my
>>> competitor.
>>> The people that made this possible have clients that funded the code and
>>> then allowed them to give it to the community. not the other way around.
>>>
>>> Milind W sent the following on 8/4/2008 8:46 PM:
>>>> hi BJ,
>>>> It is sad that there is no quick way to learn ofbiz (still).
>>>> What makes it more difficult is the part where you have to reverse
>>>> engineer the code or existing configuration to understand how to do
>>>> things.
>>>> IMHO
>>>> 1)Reverse engineering and going through existing code has its place but
>>>> not as a newbie.
>>>> 2)The most basic features and capabilities should be easy to learn or at
>>>> least there should be tutorials for those ideally these should be free
>>>> for something that's open source.
>>>> 3)I do understand that people who made this possible have every right to
>>>> benefit from this.
>>>> 3)I guess there are some but nothing that is free so looks like the
>>>> practical way to learn the framework is to spend 350$ and
>>>>
>>>>> this is where using the example, exampleext, and the
>>>>> wiki startup example will help.
>>>>> this is where ofbiz is different than opentaps.
>>>>> and the links to the information that has been given you in the past
>>>>> come into play.
>>>>> there is no quick way to learn ofbiz.
>>>>> :)
>>>>> error is saying the main decorator has not been defined in the web.xml
>>>>> parms.
>>>>>
>>>>> you should check your complete component against the framework/example.
>>>>>
>>>>> Milind W sent the following on 8/3/2008 11:07 PM:
>>>>>> I changed my controller to conform with the example controller.xml.
>>>>>> Now it does attempt to send me to the login screen but get the
>>>>>> following error.
>>>>>>
>>>>>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen
>>>>>> [component://common/widget/CommonScreens.xml#login]:
>>>>>> java.lang.IllegalArgumentException: Could not find screen with name
>>>>>> [main-decorator] in the same file as the screen with name [login]
>>>>>> (Could not find screen with name [main-decorator] in the same file as the
>>>>>> screen with name [login])
>>>>>>
>>>>>> Help!
>>>>>>> your controller does not conform to the current svn controllers.
>>>>>>> please review them.
>>>>>>>
>>>>>>>
>>>>>>> Milind W sent the following on 8/3/2008 5:35 PM:
>>>>>>>> I got the updated files.
>>>>>>>> Did ant clean and then a new build.
>>>>>>>> I still see the SAME behavior described in my previous email.
>>>>>>>> I am attaching my controller.xml
>>>>>>>>
>>>>>>>>> here is the fix
>>>>>>>>> http://svn.apache.org/viewvc?rev=682228&view=rev
>>>>>>>>>
>>>>>>>>> Milind W sent the following on 8/3/2008 4:27 PM:
>>>>>>>>>> Just tried "ant clean" it made no difference.
>>>>>>>>>> I can proceed to main without being redirected to login with
>>>>>>>>>> rev#679258.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Relevant log for rev#679258
>>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:584:INFO ] servletName=control, view=main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: apache tomcat/6.0.16
>>>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>>>>>>>>>>
>>>>>>>>>> and with rev#677863
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:236:INFO ] [Processing Request]: main sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:262:INFO ] reqParams Map: []
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:263:INFO ] queryString:
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:273:INFO ] checkLogin: queryString=
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:578:INFO ] servletName=control, view=login sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>>>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>>>>>>>>>>
>>>>>>>>>> The loginworker seems to be invoked with rev#677863 and not  with
>>>>>>>>>> rev#679258.
>>>>>>>>>> Any Idea?
>>>>>>>>>>
>>>>>>>>>>> Did you try an "ant clean"? There have been some changes recently that
>>>>>>>>>>> imply this cleanup.
>>>>>>>>>>>
>>>>>>>>>>> Jacques
>>>>>>>>>>>
>>>>>>>>>>> From: "Milind W" <ma...@mymunshi.com>
>>>>>>>>>>>> Looks like I have a problem making this example work with
>>>>>>>>>>>> revision#679258
>>>>>>>>>>>>
>>>>>>>>>>>> It worked fine (i.e I was redirected to login screen before I could get to
>>>>>>>>>>>> main) with rev#677863
>>>>>>>>>>>>
>>>>>>>>>>>> Looks like the view
>>>>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>>>>>> is part of the problem. The CommonScreens.xml has moved and does no longer
>>>>>>>>>>>> seem to have the 'login' screen.
>>>>>>>>>>>>
>>>>>>>>>>>> I tried finding another screen with the 'login' view. I found another one
>>>>>>>>>>>> in the 'common' component and modified my hello controller to point to
>>>>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>>>>> page="component://common/widget/CommonScreens.xml#login"/>
>>>>>>>>>>>> but it is not acting the same as previously.
>>>>>>>>>>>>
>>>>>>>>>>>> Please let me know what is missing (or any suggestion how best to
>>>>>>>>>>>> illustrate login) so I can complete and contribute my tutorial for
>>>>>>>>>>>> security. Would hate to create a tutorial that worked with one specific
>>>>>>>>>>>> build.
>>>>>>>>>>>>
>>>>>>>>>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks
>>>>>>>>>>>> -Milind
>>>>>>>>>>>>
>>>>>>>>>>>>> hi,
>>>>>>>>>>>>> I got login to work by adding the changes below to my controller using
>>>>>>>>>>>>> ofbiz4.0.
>>>>>>>>>>>>> I don't think I follow the reason with OFBTOOLS base permission not
>>>>>>>>>>>>> taking effect in the ofbiz-component as explained in OFBIZ-829.
>>>>>>>>>>>>> But I agree with Si Chen on OFBIZ-829
>>>>>>>>>>>>> "The right way is to assume no permission until one of the list of
>>>>>>>>>>>>> permissions is met." Seems more intuitive.
>>>>>>>>>>>>> For now I can workaround it so thanks all.
>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> <preprocessor>
>>>>>>>>>>>>>     <!-- Events to run on every request before security (chains exempt) -->
>>>>>>>>>>>>>     <!-- <event type="java" path="org.ofbiz.webapp.event.TestEvent" invoke="test"/> -->
>>>>>>>>>>>>>     <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
>>>>>>>>>>>>> </preprocessor>
>>>>>>>>>>>>>
>>>>>>>>>>>>> <!-- Request Mappings -->
>>>>>>>>>>>>>
>>>>>>>>>>>>> <request-map uri="checkLogin" edit="false">
>>>>>>>>>>>>>     <description>Verify a user is logged in.</description>
>>>>>>>>>>>>>     <security https="false" auth="false"/>
>>>>>>>>>>>>>     <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin"/>
>>>>>>>>>>>>>     <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>     <response name="error" type="view" value="login"/>
>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>
>>>>>>>>>>>>> <request-map uri="login">
>>>>>>>>>>>>>     <security https="false" auth="false"/>
>>>>>>>>>>>>>     <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
>>>>>>>>>>>>>     <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>     <response name="error" type="view" value="login"/>
>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>
>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>>     <security https="false" auth="true"/>
>>>>>>>>>>>>>     <response name="success" type="view" value="main"/>
>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>
>>>>>>>>>>>>> <view-map name="login" type="screen" page="component://marketing/widget/CommonScreens.xml#login"/>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Not with a direct link to the comment where is the  explanation
>>>>>>>>>>>>>> ;p
>>>>>>>>>>>>>> Actually it was more a didactic post
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> From: "BJ Freeman" <bj...@free-man.net>
>>>>>>>>>>>>>>> LOL
>>>>>>>>>>>>>>> that was the first link I sent on this thread.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>>>>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> You would have got
>>>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>>>>>>>>>>> <ma...@mymunshi.com>
>>>>>>>>>>>>>>>> To: <us...@ofbiz.apache.org>
>>>>>>>>>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>>>>>>>>>>> Subject: Re: how to set security and permissions  precedence
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Let me try to break up questions.
>>>>>>>>>>>>>>>>> Shouldn't adding
>>>>>>>>>>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>>>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user id that is
>>>>>>>>>>>>>>>>> associated to the OFBTOOLS security group?
>>>>>>>>>>>>>>>>> I can see the application I created and the line seems to have no
>>>>>>>>>>>>>>>>> effect.
>>>>>>>>>>>>>>>>> What is the purpose of the line?
>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Please note that opentaps is not at the same level of revision that ofbiz
>>>>>>>>>>>>>>>>>> is. there have been changes to security.
>>>>>>>>>>>>>>>>>> there are examples in the
>>>>>>>>>>>>>>>>>> framework/example
>>>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>>>> framework/exampleext
>>>>>>>>>>>>>>>>>> I believe this to be a better tutorial
>>>>>>>>>>>>>>>>>> since they work already.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>>>>>>>>>> hi,
>>>>>>>>>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>>>>>>>>>> I want to understand how security works so I made  the
>>>>>>>>>>>>>>>>>>>>> following
>>>>>>>>>>>>>>>>>>>>> modifications to hello1
>>>>>>>>>>>>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the
>>>>>>>>>>>>>>>>>>>>> ofbiz-component.xml
>>>>>>>>>>>>>>>>>>>>> I could still see the application I was assuming the application would ask
>>>>>>>>>>>>>>>>>>>>> me to login or prevent me from seeing the page.
>>>>>>>>>>>>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in  the
>>>>>>>>>>>>>>>>>>>>> browser.
>>>>>>>>>>>>>>>>>>>>> How do permissions precedence work starting from  the UI
>>>>>>>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>>>>>>>> entity
>>>>>>>>>>>>>>>>>>>>> layer.
>>>>>>>>>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:159:WARN ] [RequestManager.getEventType] Type of event for request "checkLogin" not found
>>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:146:WARN ] [RequestManager.getEventPath] Path of event for request "checkLogin" not found
>>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:172:WARN ] [RequestManager.getEventMethod] Method of event for request "checkLogin" not found
>>>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ ControlServlet.java:205:ERROR]
>>>>>>>>>>>>>>>>>>>>> ---- runtime exception report --------------------------------------------------
>>>>>>>>>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>>>>>>>>>> ---- stack trace ---------------------------------------------------------------
>>>>>>>>>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
> 
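
The controller wiring quoted in this thread can be checked mechanically. The following is an added example, not part of any poster's message and not OFBiz code: a Python lint that reads one controller.xml and reports a request-map marked auth="true" without usable checkLogin/login request-maps (the state that preceded the "checkLogin" warnings and NullPointerException in the first log), a view response that targets an undefined view-map, and a request-map served without a login check. The sample documents, the hello1 screen path and the names audit_controller and errors are constructed for illustration.

```python
"""Lint an OFBiz controller.xml for the login wiring discussed in this thread.

Added example, not OFBiz code. The sample documents are constructed; only this
one file is read, so definitions pulled in from other files are not followed.
"""
import xml.etree.ElementTree as ET

# Requests that must stay reachable without a session so a user can log in.
LOGIN_REQUESTS = ("checkLogin", "login")
EVENT_ATTRS = ("type", "path", "invoke")

# Constructed sample: "main" requires auth but nothing else is wired up.
BROKEN = """<site-conf>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <view-map name="main" type="screen" page="component://hello1/widget/HelloScreens.xml#main"/>
</site-conf>"""

# Constructed sample following the request-maps posted in the thread.
WORKING = """<site-conf>
  <request-map uri="checkLogin" edit="false">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="login">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <view-map name="login" type="screen" page="component://common/widget/CommonScreens.xml#login"/>
  <view-map name="main" type="screen" page="component://hello1/widget/HelloScreens.xml#main"/>
</site-conf>"""

# Constructed sample: no <security> element at all on "main".
OPEN = BROKEN.replace('<security https="false" auth="true"/>', "")


def audit_controller(xml_text):
    """Return a list of (severity, message) findings for one controller.xml."""
    root = ET.fromstring(xml_text)
    requests = {r.get("uri"): r for r in root.iter("request-map")}
    views = {v.get("name") for v in root.iter("view-map")}
    findings, protected = [], []

    for uri, req in requests.items():
        sec = req.find("security")
        if sec is not None and sec.get("auth") == "true":
            protected.append(uri)
        elif uri not in LOGIN_REQUESTS:
            findings.append(("WARN", f'request "{uri}" is not marked auth="true"; '
                                     "it is served without a login check"))
        # A view response must resolve to a view-map defined in this file.
        for resp in req.findall("response"):
            if resp.get("type") == "view" and resp.get("value") not in views:
                findings.append(("ERROR", f'request "{uri}" response "{resp.get("name")}" '
                                          f'targets undefined view "{resp.get("value")}"'))

    # Any auth="true" request depends on checkLogin and login being defined
    # with a complete <event>; the first log in the thread shows what happens
    # when the "checkLogin" event cannot be found.
    if protected:
        for name in LOGIN_REQUESTS:
            req = requests.get(name)
            if req is None:
                findings.append(("ERROR", f'auth="true" is used by {sorted(protected)} '
                                          f'but request-map "{name}" is not defined'))
                continue
            event = req.find("event")
            missing = [a for a in EVENT_ATTRS if event is None or not event.get(a)]
            if missing:
                findings.append(("ERROR", f'request-map "{name}" event lacks {missing}'))
    return findings


def errors(findings):
    """Keep only the messages of ERROR findings."""
    return [msg for sev, msg in findings if sev == "ERROR"]


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("working", WORKING), ("open", OPEN)):
        print(label)
        for sev, msg in audit_controller(doc) or [("OK", "no findings")]:
            print(f"  {sev}: {msg}")
```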


Re: how to set security and permissions precedence

Posted by Milind W <ma...@mymunshi.com>.
hi BJ,
That arrow left the quiver sooner than I would have liked.
But anyways as I said, I definitely agree that people who have written
this have every right to benefit and prosper from their effort, especially
after having given away most of it for free.
I sincerely hope that it happens so we can continue to use and benefit
from this framework.
My primary objective right now is trying to get to a point as quickly as I
can in developing real world applications.
Secondary objective would be to contribute whatever I can to the community
in the process.
So that said do you think the material
http://www.undersunconsulting.com/ecommerce/control/additem/main
is the fastest way known to man to get past the newbie stage?
Can anyone else weigh in on this as well if they have used these tutorials?
How relevant are they with the new versions of ofbiz?
Thanks
-Milind


> our documentation is community driven.
> and it has significantly grown in the last few years.
> the basics are hard to grasp for object, DB driven, programmers.
> so a lot of the learning is unlearning.
> I struggled with getting my mind around it for a few years.
> now it seems so clear.
> my dad used to say.
> everything costs time or money, sometimes both.
> so you ask why I stick with it.
> because of all the software out there this seemed the most likely to fit
> needs of my clients.
> the tutorials are free except for the advanced stuff.
> open source does not necessarily mean free.
> it means you get the source.
> just like the years I spent developing the yahoo interface.
> I would like to get some of that back before everyone becomes my
> competitor.
> The people that made this possible have clients that funded the code and
> then allowed them to give it to the community. not the other way around.
>
> Milind W sent the following on 8/4/2008 8:46 PM:
>> hi BJ,
>> It is sad that there is no quick way to learn ofbiz (still).
>> What makes it more difficult is the part where you have to reverse
>> engineer the code or existing configuration to understand how to do
>> things.
>> IMHO
>> 1)Reverse engineering and going through existing code has its place but
>> not as a newbie.
>> 2)The most basic features and capabilities should be easy to learn or at
>> least there should be tutorials for those ideally these should be free
>> for something that's open source.
>> 3)I do understand that people who made this possible have every right to
>> benefit from this.
>> 3)I guess there are some but nothing that is free so looks like the
>> practical way to learn the framework is to spend 350$ and
>>
>>> this is where using the example, exampleext, and the
>>> wiki startup example will help.
>>> this is where ofbiz is different than opentaps.
>>> and the links to the information that has been given you in the past
>>> come into play.
>>> there is no quick way to learn ofbiz.
>>> :)
>>> error is saying the main decorator has not been defined in the web.xml
>>> parms.
>>>
>>> you should check your complete component against the framework/example.
>>>
>>> Milind W sent the following on 8/3/2008 11:07 PM:
>>>> I changed my controller to conform with the example controller.xml.
>>>> Now it does attempt to send me to the login screen but get the
>>>> following error.
>>>>
>>>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen
>>>> [component://common/widget/CommonScreens.xml#login]:
>>>> java.lang.IllegalArgumentException: Could not find screen with name
>>>> [main-decorator] in the same file as the screen with name [login]
>>>> (Could not find screen with name [main-decorator] in the same file as the
>>>> screen with name [login])
>>>>
>>>> Help!
>>>>> your controller does not conform to the current svn controllers.
>>>>> please review them.
>>>>>
>>>>>
>>>>> Milind W sent the following on 8/3/2008 5:35 PM:
>>>>>> I got the updated files.
>>>>>> Did ant clean and then a new build.
>>>>>> I still see the SAME behavior described in my previous email.
>>>>>> I am attaching my controller.xml
>>>>>>
>>>>>>> here is the fix
>>>>>>> http://svn.apache.org/viewvc?rev=682228&view=rev
>>>>>>>
>>>>>>> Milind W sent the following on 8/3/2008 4:27 PM:
>>>>>>>> Just tried "ant clean" it made no difference.
>>>>>>>> I can proceed to main without being redirected to login with
>>>>>>>> rev#679258.
>>>>>>>>
>>>>>>>>
>>>>>>>> Relevant log for rev#679258
>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:584:INFO ] servletName=control, view=main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: apache tomcat/6.0.16
>>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>>>>>>>>
>>>>>>>> and with rev#677863
>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:236:INFO ] [Processing Request]: main sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:262:INFO ] reqParams Map: []
>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:263:INFO ] queryString:
>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:273:INFO ] checkLogin: queryString=
>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:578:INFO ] servletName=control, view=login sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>>>>>>>>
>>>>>>>> The loginworker seems to be invoked with rev#677863 and not with
>>>>>>>> rev#679258.
>>>>>>>> Any Idea?
>>>>>>>>
>>>>>>>>> Did you try an "ant clean"? There have been some changes recently that
>>>>>>>>> imply this cleanup.
>>>>>>>>>
>>>>>>>>> Jacques
>>>>>>>>>
>>>>>>>>> From: "Milind W" <ma...@mymunshi.com>
>>>>>>>>>> Looks like I have a problem making this example work with
>>>>>>>>>> revision#679258
>>>>>>>>>>
>>>>>>>>>> It worked fine (i.e I was redirected to login screen before I could get to
>>>>>>>>>> main) with rev#677863
>>>>>>>>>>
>>>>>>>>>> Looks like the view
>>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>>>> is part of the problem. The CommonScreens.xml has moved and does no longer
>>>>>>>>>> seem to have the 'login' screen.
>>>>>>>>>>
>>>>>>>>>> I tried finding another screen with the 'login' view. I found another one
>>>>>>>>>> in the 'common' component and modified my hello controller to point to
>>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>>> page="component://common/widget/CommonScreens.xml#login"/>
>>>>>>>>>> but it is not acting the same as previously.
>>>>>>>>>>
>>>>>>>>>> Please let me know what is missing (or any suggestion how best to
>>>>>>>>>> illustrate login) so I can complete and contribute my tutorial for
>>>>>>>>>> security. Would hate to create a tutorial that worked with one specific
>>>>>>>>>> build.
>>>>>>>>>>
>>>>>>>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>> -Milind
>>>>>>>>>>
>>>>>>>>>>> hi,
>>>>>>>>>>> I got login to work by adding the changes below to my controller using
>>>>>>>>>>> ofbiz4.0.
>>>>>>>>>>> I don't think I follow the reason with OFBTOOLS base permission not
>>>>>>>>>>> taking effect in the ofbiz-component as explained in OFBIZ-829.
>>>>>>>>>>> But I agree with Si Chen on OFBIZ-829
>>>>>>>>>>> "The right way is to assume no permission until one of the list of
>>>>>>>>>>> permissions is met." Seems more intuitive.
>>>>>>>>>>> For now I can workaround it so thanks all.
>>>>>>>>>>> -Milind
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> <preprocessor>
>>>>>>>>>>>         <!-- Events to run on every request before security
>>>>>>>>>>> (chains
>>>>>>>>>>> exempt) -->
>>>>>>>>>>>         <!-- <event type="java"
>>>>>>>>>>> path="org.ofbiz.webapp.event.TestEvent"
>>>>>>>>>>> invoke="test"/> -->
>>>>>>>>>>>         <event type="java"
>>>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>>>> invoke="checkExternalLoginKey"/>
>>>>>>>>>>>     </preprocessor>
>>>>>>>>>>>
>>>>>>>>>>> <!-- Request Mappings -->
>>>>>>>>>>>
>>>>>>>>>>>   <request-map uri="checkLogin" edit="false">
>>>>>>>>>>>         <description>Verify a user is logged in.</description>
>>>>>>>>>>>         <security https="false" auth="false"/>
>>>>>>>>>>>         <event type="java"
>>>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>>>> invoke="checkLogin" />
>>>>>>>>>>>         <response name="success" type="view" value="main" />
>>>>>>>>>>>         <response name="error" type="view" value="login" />
>>>>>>>>>>>     </request-map>
>>>>>>>>>>>
>>>>>>>>>>>     <request-map uri="login">
>>>>>>>>>>>         <security https="false" auth="false"/>
>>>>>>>>>>>         <event type="java"
>>>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>>>> invoke="login"/>
>>>>>>>>>>>         <response name="success" type="view" value="main"/>
>>>>>>>>>>>         <response name="error" type="view" value="login"/>
>>>>>>>>>>>     </request-map>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>> <security https="false" auth="true" />
>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>> </request-map>
>>>>>>>>>>>
>>>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> Not with a direct link to the comment where is the explanation
>>>>>>>>>>>> ;p
>>>>>>>>>>>> Actually it was more a didactic post
>>>>>>>>>>>>
>>>>>>>>>>>> Jacques
>>>>>>>>>>>>
>>>>>>>>>>>> From: "BJ Freeman" <bj...@free-man.net>
>>>>>>>>>>>>> LOL
>>>>>>>>>>>>> that was the first link I sent on this thread.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> You would have got
>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>>>>>>>>> <ma...@mymunshi.com>
>>>>>>>>>>>>>> To: <us...@ofbiz.apache.org>
>>>>>>>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>>>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Let me try to break up questions.
>>>>>>>>>>>>>>> Shouldn't adding
>>>>>>>>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user id
>>>>>>>>>>>>>>> that is associated to the OFBTOOLS security group?
>>>>>>>>>>>>>>> I can see the application I created and the line seems to have
>>>>>>>>>>>>>>> no effect.
>>>>>>>>>>>>>>> What is the purpose of the line?
>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Please note that opentaps is not at the same level of revision
>>>>>>>>>>>>>>>> that ofbiz it there have been changes to security.
>>>>>>>>>>>>>>>> there are examples in the framework/example and
>>>>>>>>>>>>>>>> framework/exampleext
>>>>>>>>>>>>>>>> I believe this to better tutorial since they work already.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>>>>>>>> hi,
>>>>>>>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>>>>>>>> I want to understand how security works so I made the
>>>>>>>>>>>>>>>>>>> following modifications to hello1
>>>>>>>>>>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the
>>>>>>>>>>>>>>>>>>> ofbiz-component.xml
>>>>>>>>>>>>>>>>>>> I could still see the application I was assuming the
>>>>>>>>>>>>>>>>>>> application would ask me to login or prevent me from seeing
>>>>>>>>>>>>>>>>>>> the page.
>>>>>>>>>>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the
>>>>>>>>>>>>>>>>>>> browser.
>>>>>>>>>>>>>>>>>>> How do permissions precedence work starting from the UI to
>>>>>>>>>>>>>>>>>>> the entity layer.
>>>>>>>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>>>> RequestHandler.java:243:INFO ] [Processing Request]:
>>>>>>>>>>>>>>>>>>> main
>>>>>>>>>>>>>>>>>>> sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>>>> RequestManager.java:159:WARN ]
>>>>>>>>>>>>>>>>>>> [RequestManager.getEventType]
>>>>>>>>>>>>>>>>>>> Type
>>>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>>>> event
>>>>>>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>>>> RequestManager.java:146:WARN ]
>>>>>>>>>>>>>>>>>>> [RequestManager.getEventPath]
>>>>>>>>>>>>>>>>>>> Path
>>>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>>>> event
>>>>>>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>>>> RequestManager.java:172:WARN ]
>>>>>>>>>>>>>>>>>>> [RequestManager.getEventMethod]
>>>>>>>>>>>>>>>>>>> Method
>>>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>>>> event for request "checkLogin" not found
>>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>>>> ControlServlet.java:205:ERROR]
>>>>>>>>>>>>>>>>>>> ---- runtime exception report
>>>>>>>>>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>>>>>>>> ---- stack trace
>>>>>>>>>>>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php



Re: how to set security and permissions precedence

Posted by BJ Freeman <bj...@free-man.net>.
our documentation is community driven.
and it has significantly grown in the last few years.
the basics are hard to grasp for object, DB driven, programmers.
so a lot of the learning is unlearning.
I struggled with getting my mind around it for a few years.
now it seems so clear.
my dad used to say.
everything costs time or money, sometimes both.
so you ask why I stick with it.
because of all the software out there this seemed the most likely to fit
the needs of my clients.
the tutorials are free except for the advanced stuff.
open source does not necessarily mean free.
it means you get the source.
just like the years I spent developing the yahoo interface.
I would like to get some of that back before everyone becomes my competitor.
The people that made this possible have clients that funded the code and
then allowed them to give it to the community. not the other way around.

Milind W sent the following on 8/4/2008 8:46 PM:
> hi BJ,
> It is sad that there is no quick way to learn ofbiz (still).
> What makes it more difficult is the part where you have to reverse
> engineer the code or existing configuration to understand how to do
> things.
> IMHO
> 1)Reverse engineering and going through existing code has its place but
> not as a newbie.
> 2)The most basic features and capabilities should be easy to learn or at
> least there should be tutorials for those ideally these should be free for
> something that's open source.
> 3)I do understand that people who made this possible have every right to
> benefit from this.
> 3)I guess there are some but nothing that is free so looks like the
> practical way to learn the framework is to spend 350$ and
> 
>> this is where using the example, exampleext, and the
>> wiki startup example will help.
>> this is where ofbiz is different than opentaps.
>> and the links to the information that has been given you in the past come
>> into play.
>> there is no quick way to learn ofbiz.
>> :)
>> error is saying the main decorator has not been defined in the web.xml
>> parms.
>>
>> you should check your complete component against the framework/example.
>>
>> Milind W sent the following on 8/3/2008 11:07 PM:
>>> I changed my controller to conform with the example controller.xml.
>>> Now it does attempt to send me to the login screen but get the following
>>> error.
>>>
>>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen
>>> [component://common/widget/CommonScreens.xml#login]:
>>> java.lang.IllegalArgumentException: Could not find screen with name
>>> [main-decorator] in the same file as the screen with name [login] (Could
>>> not find screen with name [main-decorator] in the same file as the
>>> screen
>>> with name [login])
>>>
>>> Help!
>>>> your controller does not conform to the current svn controllers.
>>>> please review them.
>>>>
>>>>
>>>> Milind W sent the following on 8/3/2008 5:35 PM:
>>>>> I got the updated files.
>>>>> Did ant clean and then a new build.
>>>>> I still see the SAME behavior described in my previous email.
>>>>> I am attaching my controller.xml
>>>>>
>>>>>> here is the fix
>>>>>> http://svn.apache.org/viewvc?rev=682228&view=rev
>>>>>>
>>>>>> Milind W sent the following on 8/3/2008 4:27 PM:
>>>>>>> Just tried "ant clean" it made no difference.
>>>>>>> I can proceed to main without being redirected to login with
>>>>>>> rev#679258.
>>>>>>>
>>>>>>>
>>>>>>> Relevant log for rev#679258
>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>>>>> [RequestHandler.java:243:INFO ] [Processing Request]: main
>>>>>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>>>>> [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response
>>>>>>> is
>>>>>>> a
>>>>>>> view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>>>>> [RequestHandler.java:584:INFO ] servletName=control, view=main
>>>>>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>>>>>>> UtilJ2eeCompat.java:69
>>>>>>> :INFO ] serverInfo: apache tomcat/6.0.16
>>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>>>>>>> UtilJ2eeCompat.java:78
>>>>>>> :INFO ] Apache Tomcat detected, using response.getWriter to write
>>>>>>> text
>>>>>>> out
>>>>>>> instead of response.getOutputStream
>>>>>>>
>>>>>>> and with rev#677863
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> RequestHandler.java:236:INFO ] [Processing Request]: main
>>>>>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> LoginWorker.java:262:INFO ] reqParams Map: []
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> LoginWorker.java:263:INFO ] queryString:
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> LoginWorker.java:273:INFO ] checkLogin: queryString=
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response
>>>>>>> is
>>>>>>> a
>>>>>>> view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> RequestHandler.java:578:INFO ] servletName=control, view=login
>>>>>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>>> UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using
>>>>>>> response.getWriter to write text out instead of
>>>>>>> response.getOutputStream
>>>>>>>
>>>>>>> The loginworker seems to be invoked with rev#677863 and not with
>>>>>>> rev#679258.
>>>>>>> Any Idea?
>>>>>>>
>>>>>>>> Did you try an "ant clean" ? There have been some changes recently
>>>>>>>> that
>>>>>>>> imply this cleanup.
>>>>>>>>
>>>>>>>> Jacques
>>>>>>>>
>>>>>>>> From: "Milind W" <ma...@mymunshi.com>
>>>>>>>>> Looks like I have a problem making this example work with
>>>>>>>>> revision#679258
>>>>>>>>>
>>>>>>>>> It worked fine (i.e I was redirected to login screen before I could
>>>>>>>>> get to main) with rev#677863
>>>>>>>>>
>>>>>>>>> Looks like the view
>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>>> is part of the problem. The CommonScreens.xml has moved and no
>>>>>>>>> longer seems to have the 'login' screen.
>>>>>>>>>
>>>>>>>>> I tried finding another screen with the 'login' view. I found another
>>>>>>>>> one in the 'common' component and modified my hello controller to
>>>>>>>>> point to
>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>> page="component://common/widget/CommonScreens.xml#login"/>
>>>>>>>>> but it is not acting the same as previously.
>>>>>>>>>
>>>>>>>>> Please let me know what is missing (or any suggestion how best to
>>>>>>>>> illustrate login) so I can complete and contribute my tutorial for
>>>>>>>>> security. Would hate to create a tutorial that worked with one
>>>>>>>>> specific
>>>>>>>>> build.
>>>>>>>>>
>>>>>>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> -Milind
>>>>>>>>>
>>>>>>>>>> hi,
>>>>>>>>>> I got login to work by adding the changes below to my controller
>>>>>>>>>> using ofbiz4.0.
>>>>>>>>>> I don't think I follow the reason with OFBTOOLS base permission not
>>>>>>>>>> taking effect in the ofbiz-component as explained in OFBIZ-829.
>>>>>>>>>> But I agree with Si Chen on OFBIZ-829
>>>>>>>>>> "The right way is to assume no permission until one of the list of
>>>>>>>>>> permissions is met." Seems more intuitive.
>>>>>>>>>> For now I can workaround it so thanks all.
>>>>>>>>>> -Milind
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> <preprocessor>
>>>>>>>>>>         <!-- Events to run on every request before security
>>>>>>>>>> (chains
>>>>>>>>>> exempt) -->
>>>>>>>>>>         <!-- <event type="java"
>>>>>>>>>> path="org.ofbiz.webapp.event.TestEvent"
>>>>>>>>>> invoke="test"/> -->
>>>>>>>>>>         <event type="java"
>>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>>> invoke="checkExternalLoginKey"/>
>>>>>>>>>>     </preprocessor>
>>>>>>>>>>
>>>>>>>>>> <!-- Request Mappings -->
>>>>>>>>>>
>>>>>>>>>>   <request-map uri="checkLogin" edit="false">
>>>>>>>>>>         <description>Verify a user is logged in.</description>
>>>>>>>>>>         <security https="false" auth="false"/>
>>>>>>>>>>         <event type="java"
>>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>>> invoke="checkLogin" />
>>>>>>>>>>         <response name="success" type="view" value="main" />
>>>>>>>>>>         <response name="error" type="view" value="login" />
>>>>>>>>>>     </request-map>
>>>>>>>>>>
>>>>>>>>>>     <request-map uri="login">
>>>>>>>>>>         <security https="false" auth="false"/>
>>>>>>>>>>         <event type="java"
>>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>>> invoke="login"/>
>>>>>>>>>>         <response name="success" type="view" value="main"/>
>>>>>>>>>>         <response name="error" type="view" value="login"/>
>>>>>>>>>>     </request-map>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> <request-map uri="main">
>>>>>>>>>> <security https="false" auth="true" />
>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>> </request-map>
>>>>>>>>>>
>>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Not with a direct link to the comment where is the explanation
>>>>>>>>>>> ;p
>>>>>>>>>>> Actually it was more a didactic post
>>>>>>>>>>>
>>>>>>>>>>> Jacques
>>>>>>>>>>>
>>>>>>>>>>> From: "BJ Freeman" <bj...@free-man.net>
>>>>>>>>>>>> LOL
>>>>>>>>>>>> that was the first link I sent on this thread.
>>>>>>>>>>>>
>>>>>>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>>>>>>>
>>>>>>>>>>>>> You would have got
>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jacques
>>>>>>>>>>>>>
>>>>>>>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>>>>>>>> <ma...@mymunshi.com>
>>>>>>>>>>>>> To: <us...@ofbiz.apache.org>
>>>>>>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Let me try to break up questions.
>>>>>>>>>>>>>> Shouldn't adding
>>>>>>>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user id
>>>>>>>>>>>>>> that is associated to the OFBTOOLS security group?
>>>>>>>>>>>>>> I can see the application I created and the line seems to have
>>>>>>>>>>>>>> no effect.
>>>>>>>>>>>>>> What is the purpose of the line?
>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Please note that opentaps is not at the same level of revision
>>>>>>>>>>>>>>> that ofbiz it there have been changes to security.
>>>>>>>>>>>>>>> there are examples in the framework/example and
>>>>>>>>>>>>>>> framework/exampleext
>>>>>>>>>>>>>>> I believe this to better tutorial since they work already.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>>>>>>> hi,
>>>>>>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>>>>>>> I want to understand how security works so I made the
>>>>>>>>>>>>>>>>>> following modifications to hello1
>>>>>>>>>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the
>>>>>>>>>>>>>>>>>> ofbiz-component.xml
>>>>>>>>>>>>>>>>>> I could still see the application I was assuming the
>>>>>>>>>>>>>>>>>> application would ask me to login or prevent me from seeing
>>>>>>>>>>>>>>>>>> the page.
>>>>>>>>>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the
>>>>>>>>>>>>>>>>>> browser.
>>>>>>>>>>>>>>>>>> How do permissions precedence work starting from the UI to
>>>>>>>>>>>>>>>>>> the entity layer.
>>>>>>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>>> RequestHandler.java:243:INFO ] [Processing Request]: main
>>>>>>>>>>>>>>>>>> sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>>> RequestManager.java:159:WARN ]
>>>>>>>>>>>>>>>>>> [RequestManager.getEventType]
>>>>>>>>>>>>>>>>>> Type
>>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>>> event
>>>>>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>>> RequestManager.java:146:WARN ]
>>>>>>>>>>>>>>>>>> [RequestManager.getEventPath]
>>>>>>>>>>>>>>>>>> Path
>>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>>> event
>>>>>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>>> RequestManager.java:172:WARN ]
>>>>>>>>>>>>>>>>>> [RequestManager.getEventMethod]
>>>>>>>>>>>>>>>>>> Method
>>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>>> event for request "checkLogin" not found
>>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>>> ControlServlet.java:205:ERROR]
>>>>>>>>>>>>>>>>>> ---- runtime exception report
>>>>>>>>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>>>>>>> ---- stack trace
>>>>>>>>>>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
> 
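
The two failures quoted in this thread (auth="true" on "main" with no "checkLogin" request-map, which ended in the NullPointerException, and later a "login" response with no usable view) can be caught by checking controller.xml before deploying. The script below is an added example, not part of any post in this thread and not OFBiz code; lint_controller, its finding codes and the hello1 screen path are assumptions made for illustration, and the rules are taken from the working controller quoted above.

```python
import xml.etree.ElementTree as ET

# Request-maps the working controller quoted in the thread defines for login.
LOGIN_REQUESTS = ("checkLogin", "login")

# Constructed sample: the "main" request from the first post, nothing else.
# The hello1 screen path is a made-up placeholder.
MAIN_VIEW = '<view-map name="main" type="screen" page="component://hello1/widget/HelloScreens.xml#main"/>'
LOGIN_VIEW = '<view-map name="login" type="screen" page="component://common/widget/CommonScreens.xml#login"/>'
WORKER = 'type="java" path="org.ofbiz.webapp.control.LoginWorker"'

BROKEN = f"""<site-conf>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  {MAIN_VIEW}
</site-conf>"""

# Constructed sample: the same controller with the request-maps from the
# "I got login to work" post added.
FIXED = f"""<site-conf>
  <request-map uri="checkLogin" edit="false">
    <security https="false" auth="false"/>
    <event {WORKER} invoke="checkLogin"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="login">
    <security https="false" auth="false"/>
    <event {WORKER} invoke="login"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  {MAIN_VIEW}
  {LOGIN_VIEW}
</site-conf>"""


def _local(tag):
    """Drop an XML namespace prefix, if any, from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def lint_controller(xml_text):
    """Return a list of (code, detail) findings for a controller.xml string."""
    root = ET.fromstring(xml_text)
    requests = {r.get("uri", ""): r for r in _children(root, "request-map")}
    views = {v.get("name") for v in _children(root, "view-map")}
    findings = []

    # Any auth="true" request relies on the login request-maps being present
    # and on each of them naming a complete event (type, path, invoke).
    protected = [
        uri for uri, r in requests.items()
        if any(s.get("auth") == "true" for s in _children(r, "security"))
    ]
    if protected:
        for uri in LOGIN_REQUESTS:
            req = requests.get(uri)
            if req is None:
                findings.append(("missing-request", uri))
                continue
            events = _children(req, "event")
            if not events or not all(events[0].get(a) for a in ("type", "path", "invoke")):
                findings.append(("incomplete-event", uri))

    # Every view response must point at a view-map defined in this file.
    for uri, r in sorted(requests.items()):
        for resp in _children(r, "response"):
            if resp.get("type") == "view" and resp.get("value") not in views:
                findings.append(("missing-view", f"{uri}->{resp.get('value')}"))
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_controller(text))
```

The check only reads the controller file itself; it does not follow include elements or verify that the screen named in a view-map exists in the referenced widget file.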


Re: how to set security and permissions precedence

Posted by Milind W <ma...@mymunshi.com>.
hi BJ,
It is sad that there is no quick way to learn ofbiz (still).
What makes it more difficult is the part where you have to reverse
engineer the code or existing configuration to understand how to do
things.
IMHO
1)Reverse engineering and going through existing code has its place but
not as a newbie.
2)The most basic features and capabilities should be easy to learn or at
least there should be tutorials for those ideally these should be free for
something that's open source.
3)I do understand that people who made this possible have every right to
benefit from this.
3)I guess there are some but nothing that is free so looks like the
practical way to learn the framework is to spend 350$ and

> this is where using the example, exampleext, and the
> wiki startup example will help.
> this is where ofbiz is different than opentaps.
> and the links to the information that has been given you in the past come
> into play.
> there is no quick way to learn ofbiz.
> :)
> error is saying the main decorator has not been defined in the web.xml
> parms.
>
> you should check your complete component against the framework/example.
>
> Milind W sent the following on 8/3/2008 11:07 PM:
>> I changed my controller to conform with the example controller.xml.
>> Now it does attempt to send me to the login screen but get the following
>> error.
>>
>> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen
>> [component://common/widget/CommonScreens.xml#login]:
>> java.lang.IllegalArgumentException: Could not find screen with name
>> [main-decorator] in the same file as the screen with name [login] (Could
>> not find screen with name [main-decorator] in the same file as the
>> screen
>> with name [login])
>>
>> Help!
>>> your controller does not conform to the current svn controllers.
>>> please review them.
>>>
>>>
>>> Milind W sent the following on 8/3/2008 5:35 PM:
>>>> I got the updated files.
>>>> Did ant clean and then a new build.
>>>> I still see the SAME behavior described in my previous email.
>>>> I am attaching my controller.xml
>>>>
>>>>> here is the fix
>>>>> http://svn.apache.org/viewvc?rev=682228&view=rev
>>>>>
>>>>> Milind W sent the following on 8/3/2008 4:27 PM:
>>>>>> Just tried "ant clean" it made no difference.
>>>>>> I can proceed to main without being redirected to login with
>>>>>> rev#679258.
>>>>>>
>>>>>>
>>>>>> Relevant log for rev#679258
>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>>>> [RequestHandler.java:243:INFO ] [Processing Request]: main
>>>>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>>>> [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response
>>>>>> is
>>>>>> a
>>>>>> view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>>>> [RequestHandler.java:584:INFO ] servletName=control, view=main
>>>>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>>>>>> UtilJ2eeCompat.java:69
>>>>>> :INFO ] serverInfo: apache tomcat/6.0.16
>>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>>>>>> UtilJ2eeCompat.java:78
>>>>>> :INFO ] Apache Tomcat detected, using response.getWriter to write
>>>>>> text
>>>>>> out
>>>>>> instead of response.getOutputStream
>>>>>>
>>>>>> and with rev#677863
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> RequestHandler.java:236:INFO ] [Processing Request]: main
>>>>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> LoginWorker.java:262:INFO ] reqParams Map: []
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> LoginWorker.java:263:INFO ] queryString:
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> LoginWorker.java:273:INFO ] checkLogin: queryString=
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response
>>>>>> is
>>>>>> a
>>>>>> view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> RequestHandler.java:578:INFO ] servletName=control, view=login
>>>>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>>> UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using
>>>>>> response.getWriter to write text out instead of
>>>>>> response.getOutputStream
>>>>>>
>>>>>> The loginworker seems to be invoked with rev#677863 and not with
>>>>>> rev#679258.
>>>>>> Any Idea?
>>>>>>
>>>>>>> Did you try an "ant clean"? There have been some changes recently
>>>>>>> that imply this cleanup.
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>> From: "Milind W" <ma...@mymunshi.com>
>>>>>>>> Looks like I have a problem making this example work with
>>>>>>>> revision#679258
>>>>>>>>
>>>>>>>> It worked fine (i.e. I was redirected to login screen before I
>>>>>>>> could get to main) with rev#677863
>>>>>>>>
>>>>>>>> Looks like the view
>>>>>>>> <view-map name="login" type="screen"
>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>> is part of the problem. The CommonScreens.xml has moved and no
>>>>>>>> longer seems to have the 'login' screen.
>>>>>>>>
>>>>>>>> I tried finding another screen with the 'login' view. I found
>>>>>>>> another one in the 'common' component and modified my hello
>>>>>>>> controller to point to
>>>>>>>> <view-map name="login" type="screen"
>>>>>>>> page="component://common/widget/CommonScreens.xml#login"/>
>>>>>>>> but it is not acting the same as previously.
>>>>>>>>
>>>>>>>> Please let me know what is missing (or any suggestion how best to
>>>>>>>> illustrate login) so I can complete and contribute my tutorial for
>>>>>>>> security. Would hate to create a tutorial that worked with one
>>>>>>>> specific build.
>>>>>>>>
>>>>>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>> -Milind
>>>>>>>>
>>>>>>>>> hi,
>>>>>>>>> I got login to work by adding the changes below to my controller
>>>>>>>>> using ofbiz4.0.
>>>>>>>>> I don't think I follow the reason with OFBTOOLS base permission
>>>>>>>>> not taking effect in the ofbiz-component as explained in OFBIZ-829.
>>>>>>>>> But I agree with Si Chen on OFBIZ-829
>>>>>>>>> "The right way is to assume no permission until one of the list
>>>>>>>>> of permissions is met." Seems more intuitive.
>>>>>>>>> For now I can workaround it so thanks all.
>>>>>>>>> -Milind
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> <preprocessor>
>>>>>>>>>         <!-- Events to run on every request before security
>>>>>>>>> (chains
>>>>>>>>> exempt) -->
>>>>>>>>>         <!-- <event type="java"
>>>>>>>>> path="org.ofbiz.webapp.event.TestEvent"
>>>>>>>>> invoke="test"/> -->
>>>>>>>>>         <event type="java"
>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>> invoke="checkExternalLoginKey"/>
>>>>>>>>>     </preprocessor>
>>>>>>>>>
>>>>>>>>> <!-- Request Mappings -->
>>>>>>>>>
>>>>>>>>>   <request-map uri="checkLogin" edit="false">
>>>>>>>>>         <description>Verify a user is logged in.</description>
>>>>>>>>>         <security https="false" auth="false"/>
>>>>>>>>>         <event type="java"
>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>> invoke="checkLogin" />
>>>>>>>>>         <response name="success" type="view" value="main" />
>>>>>>>>>         <response name="error" type="view" value="login" />
>>>>>>>>>     </request-map>
>>>>>>>>>
>>>>>>>>>     <request-map uri="login">
>>>>>>>>>         <security https="false" auth="false"/>
>>>>>>>>>         <event type="java"
>>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>>> invoke="login"/>
>>>>>>>>>         <response name="success" type="view" value="main"/>
>>>>>>>>>         <response name="error" type="view" value="login"/>
>>>>>>>>>     </request-map>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> <request-map uri="main">
>>>>>>>>> <security https="false" auth="true" />
>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>> </request-map>
>>>>>>>>>
>>>>>>>>> <view-map name="login" type="screen"
>>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Not with a direct link to the comment where the explanation is ;p
>>>>>>>>>> Actually it was more a didactic post
>>>>>>>>>>
>>>>>>>>>> Jacques
>>>>>>>>>>
>>>>>>>>>> From: "BJ Freeman" <bj...@free-man.net>
>>>>>>>>>>> LOL
>>>>>>>>>>> that was the first link I sent on this thread.
>>>>>>>>>>>
>>>>>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>>>>>>
>>>>>>>>>>>> You would have got
>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Jacques
>>>>>>>>>>>>
>>>>>>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>>>>>>> <ma...@mymunshi.com>
>>>>>>>>>>>> To: <us...@ofbiz.apache.org>
>>>>>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> Let me try to break up questions.
>>>>>>>>>>>>> Shouldn't adding
>>>>>>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user id
>>>>>>>>>>>>> that is associated to the OFBTOOLS security group?
>>>>>>>>>>>>> I can see the application I created and the line seems to have
>>>>>>>>>>>>> no effect.
>>>>>>>>>>>>> What is the purpose of the line?
>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Please note that opentaps is not at the same level of revision
>>>>>>>>>>>>>> that ofbiz is; there have been changes to security.
>>>>>>>>>>>>>> there are examples in the
>>>>>>>>>>>>>> framework/example
>>>>>>>>>>>>>> and
>>>>>>>>>>>>>> framework/exampleext
>>>>>>>>>>>>>> I believe this to be a better tutorial
>>>>>>>>>>>>>> since they work already.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>>>>>> hi,
>>>>>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>>>>>> I want to understand how security works so I made the
>>>>>>>>>>>>>>>>> following modifications to hello1
>>>>>>>>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the
>>>>>>>>>>>>>>>>> ofbiz-component.xml
>>>>>>>>>>>>>>>>> I could still see the application I was assuming the
>>>>>>>>>>>>>>>>> application would ask me to login or prevent me from seeing
>>>>>>>>>>>>>>>>> the page.
>>>>>>>>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the
>>>>>>>>>>>>>>>>> browser.
>>>>>>>>>>>>>>>>> How do permissions precedence work starting from the UI
>>>>>>>>>>>>>>>>> to the entity layer.
>>>>>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>> RequestHandler.java:243:INFO ] [Processing Request]: main
>>>>>>>>>>>>>>>>> sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>> RequestManager.java:159:WARN ]
>>>>>>>>>>>>>>>>> [RequestManager.getEventType]
>>>>>>>>>>>>>>>>> Type
>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>> event
>>>>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>> RequestManager.java:146:WARN ]
>>>>>>>>>>>>>>>>> [RequestManager.getEventPath]
>>>>>>>>>>>>>>>>> Path
>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>> event
>>>>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>> RequestManager.java:172:WARN ]
>>>>>>>>>>>>>>>>> [RequestManager.getEventMethod]
>>>>>>>>>>>>>>>>> Method
>>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>>> event for request "checkLogin" not found
>>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>>> ControlServlet.java:205:ERROR]
>>>>>>>>>>>>>>>>> ---- runtime exception report
>>>>>>>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>>>>>> ---- stack trace
>>>>>>>>>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php



Re: how to set security and permissions precedence

Posted by BJ Freeman <bj...@free-man.net>.
this is where using the example, exampleext, and the
wiki startup example will help.
this is where ofbiz is different than opentaps.
and the links to the information that has been given you in the past come
into play.
there is no quick way to learn ofbiz.
:)
error is saying the main decorator has not been defined in the web.xml
parms.

you should check your complete component against the framework/example.

Milind W sent the following on 8/3/2008 11:07 PM:
> I changed my controller to conform with the example controller.xml.
> Now it does attempt to send me to the login screen but I get the following
> error.
> 
> org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen
> [component://common/widget/CommonScreens.xml#login]:
> java.lang.IllegalArgumentException: Could not find screen with name
> [main-decorator] in the same file as the screen with name [login] (Could
> not find screen with name [main-decorator] in the same file as the screen
> with name [login])
> 
> Help!
>> your controller does not conform to the current svn controllers.
>> please review them.
>>
>>
>> Milind W sent the following on 8/3/2008 5:35 PM:
>>> I got the updated files.
>>> Did ant clean and then a new build.
>>> I still see the SAME behavior described in my previous email.
>>> I am attaching my controller.xml
>>>
>>>> here is the fix
>>>> http://svn.apache.org/viewvc?rev=682228&view=rev
>>>>
>>>> Milind W sent the following on 8/3/2008 4:27 PM:
>>>>> Just tried "ant clean" it made no difference.
>>>>> I can proceed to main without being redirected to login with
>>>>> rev#679258.
>>>>>
>>>>>
>>>>> Relevant log for rev#679258
>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>>> [RequestHandler.java:243:INFO ] [Processing Request]: main
>>>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>>> [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response
>>>>> is
>>>>> a
>>>>> view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>>> [RequestHandler.java:584:INFO ] servletName=control, view=main
>>>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>>>>> UtilJ2eeCompat.java:69
>>>>> :INFO ] serverInfo: apache tomcat/6.0.16
>>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>>>>> UtilJ2eeCompat.java:78
>>>>> :INFO ] Apache Tomcat detected, using response.getWriter to write text
>>>>> out
>>>>> instead of response.getOutputStream
>>>>>
>>>>> and with rev#677863
>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>> RequestHandler.java:236:INFO ] [Processing Request]: main
>>>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>> LoginWorker.java:262:INFO ] reqParams Map: []
>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>> LoginWorker.java:263:INFO ] queryString:
>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>> LoginWorker.java:273:INFO ] checkLogin: queryString=
>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>> LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>> RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is
>>>>> a
>>>>> view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>> RequestHandler.java:578:INFO ] servletName=control, view=login
>>>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>> UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>>> UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using
>>>>> response.getWriter to write text out instead of
>>>>> response.getOutputStream
>>>>>
>>>>> The loginworker seems to be invoked with rev#677863 and not with
>>>>> rev#679258.
>>>>> Any Idea?
>>>>>
>>>>>> Did you try an "ant clean"? There have been some changes recently
>>>>>> that imply this cleanup.
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>> From: "Milind W" <ma...@mymunshi.com>
>>>>>>> Looks like I have a problem making this example work with
>>>>>>> revision#679258
>>>>>>>
>>>>>>> It worked fine (i.e. I was redirected to login screen before I could
>>>>>>> get to main) with rev#677863
>>>>>>>
>>>>>>> Looks like the view
>>>>>>> <view-map name="login" type="screen"
>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>> is part of the problem. The CommonScreens.xml has moved and no
>>>>>>> longer seems to have the 'login' screen.
>>>>>>>
>>>>>>> I tried finding another screen with the 'login' view. I found
>>>>>>> another one in the 'common' component and modified my hello
>>>>>>> controller to point to
>>>>>>> <view-map name="login" type="screen"
>>>>>>> page="component://common/widget/CommonScreens.xml#login"/>
>>>>>>> but it is not acting the same as previously.
>>>>>>>
>>>>>>> Please let me know what is missing (or any suggestion how best to
>>>>>>> illustrate login) so I can complete and contribute my tutorial for
>>>>>>> security. Would hate to create a tutorial that worked with one
>>>>>>> specific build.
>>>>>>>
>>>>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>>>>>
>>>>>>> Thanks
>>>>>>> -Milind
>>>>>>>
>>>>>>>> hi,
>>>>>>>> I got login to work by adding the changes below to my controller
>>>>>>>> using ofbiz4.0.
>>>>>>>> I don't think I follow the reason with OFBTOOLS base permission
>>>>>>>> not taking effect in the ofbiz-component as explained in OFBIZ-829.
>>>>>>>> But I agree with Si Chen on OFBIZ-829
>>>>>>>> "The right way is to assume no permission until one of the list of
>>>>>>>> permissions is met." Seems more intuitive.
>>>>>>>> For now I can workaround it so thanks all.
>>>>>>>> -Milind
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> <preprocessor>
>>>>>>>>         <!-- Events to run on every request before security (chains
>>>>>>>> exempt) -->
>>>>>>>>         <!-- <event type="java"
>>>>>>>> path="org.ofbiz.webapp.event.TestEvent"
>>>>>>>> invoke="test"/> -->
>>>>>>>>         <event type="java"
>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>> invoke="checkExternalLoginKey"/>
>>>>>>>>     </preprocessor>
>>>>>>>>
>>>>>>>> <!-- Request Mappings -->
>>>>>>>>
>>>>>>>>   <request-map uri="checkLogin" edit="false">
>>>>>>>>         <description>Verify a user is logged in.</description>
>>>>>>>>         <security https="false" auth="false"/>
>>>>>>>>         <event type="java"
>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>> invoke="checkLogin" />
>>>>>>>>         <response name="success" type="view" value="main" />
>>>>>>>>         <response name="error" type="view" value="login" />
>>>>>>>>     </request-map>
>>>>>>>>
>>>>>>>>     <request-map uri="login">
>>>>>>>>         <security https="false" auth="false"/>
>>>>>>>>         <event type="java"
>>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>>> invoke="login"/>
>>>>>>>>         <response name="success" type="view" value="main"/>
>>>>>>>>         <response name="error" type="view" value="login"/>
>>>>>>>>     </request-map>
>>>>>>>>
>>>>>>>>
>>>>>>>> <request-map uri="main">
>>>>>>>> <security https="false" auth="true" />
>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>> </request-map>
>>>>>>>>
>>>>>>>> <view-map name="login" type="screen"
>>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>>
>>>>>>>>
>>>>>>>>> Not with a direct link to the comment where the explanation is ;p
>>>>>>>>> Actually it was more a didactic post
>>>>>>>>>
>>>>>>>>> Jacques
>>>>>>>>>
>>>>>>>>> From: "BJ Freeman" <bj...@free-man.net>
>>>>>>>>>> LOL
>>>>>>>>>> that was the first link I sent on this thread.
>>>>>>>>>>
>>>>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>>>>>
>>>>>>>>>>> You would have got
>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Jacques
>>>>>>>>>>>
>>>>>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>>>>>> <ma...@mymunshi.com>
>>>>>>>>>>> To: <us...@ofbiz.apache.org>
>>>>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> Let me try to break up questions.
>>>>>>>>>>>> Shouldn't adding
>>>>>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user id
>>>>>>>>>>>> that is associated to the OFBTOOLS security group?
>>>>>>>>>>>> I can see the application I created and the line seems to have
>>>>>>>>>>>> no effect.
>>>>>>>>>>>> What is the purpose of the line?
>>>>>>>>>>>> Thanks
>>>>>>>>>>>> -Milind
>>>>>>>>>>>>
>>>>>>>>>>>>> Please note that opentaps is not at the same level of revision
>>>>>>>>>>>>> that ofbiz is; there have been changes to security.
>>>>>>>>>>>>> there are examples in the
>>>>>>>>>>>>> framework/example
>>>>>>>>>>>>> and
>>>>>>>>>>>>> framework/exampleext
>>>>>>>>>>>>> I believe this to be a better tutorial
>>>>>>>>>>>>> since they work already.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>>>>> hi,
>>>>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>>>>> I want to understand how security works so I made the
>>>>>>>>>>>>>>>> following modifications to hello1
>>>>>>>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the
>>>>>>>>>>>>>>>> ofbiz-component.xml
>>>>>>>>>>>>>>>> I could still see the application I was assuming the
>>>>>>>>>>>>>>>> application would ask me to login or prevent me from seeing
>>>>>>>>>>>>>>>> the page.
>>>>>>>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the
>>>>>>>>>>>>>>>> browser.
>>>>>>>>>>>>>>>> How do permissions precedence work starting from the UI to
>>>>>>>>>>>>>>>> the entity layer.
>>>>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>> RequestHandler.java:243:INFO ] [Processing Request]: main
>>>>>>>>>>>>>>>> sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>> RequestManager.java:159:WARN ]
>>>>>>>>>>>>>>>> [RequestManager.getEventType]
>>>>>>>>>>>>>>>> Type
>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>> event
>>>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>> RequestManager.java:146:WARN ]
>>>>>>>>>>>>>>>> [RequestManager.getEventPath]
>>>>>>>>>>>>>>>> Path
>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>> event
>>>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>> RequestManager.java:172:WARN ]
>>>>>>>>>>>>>>>> [RequestManager.getEventMethod]
>>>>>>>>>>>>>>>> Method
>>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>>> event for request "checkLogin" not found
>>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>>> ControlServlet.java:205:ERROR]
>>>>>>>>>>>>>>>> ---- runtime exception report
>>>>>>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>>>>> ---- stack trace
>>>>>>>>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
> 
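
A check for the login wiring this thread converges on, as an added example that is not part of any post and not OFBiz code: once a request-map uses auth="true", the logs quoted above show the handler looking up the "checkLogin" request, so the controller also needs the checkLogin and login request-maps and a login view-map. Both sample documents are constructed from the XML quoted in the thread; the "main" view-map path, the function name and the finding codes are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample 1: the first attempt in the thread, only "main" is mapped.
# The page value of the "main" view-map is a placeholder, not from the thread.
FIRST_ATTEMPT = """<site-conf>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <view-map name="main" type="screen" page="component://hello1/widget/PLACEHOLDER.xml#main"/>
</site-conf>"""

# Constructed sample 2: the controller fragment posted later in the thread.
WIRED = """<site-conf>
  <preprocessor>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
  </preprocessor>
  <request-map uri="checkLogin" edit="false">
    <description>Verify a user is logged in.</description>
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="login">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <view-map name="login" type="screen" page="component://marketing/widget/CommonScreens.xml#login"/>
  <view-map name="main" type="screen" page="component://hello1/widget/PLACEHOLDER.xml#main"/>
</site-conf>"""

# Requests that must stay reachable before login.
LOGIN_URIS = {"checkLogin", "login"}


def requires_auth(request_map):
    """True when the request-map carries <security auth="true">.

    Assumption: a missing <security> element or auth attribute means the
    request is served without a login check.
    """
    security = request_map.find("security")
    return security is not None and security.get("auth", "false").lower() == "true"


def audit_controller(xml_text):
    """Return a list of (code, uri, message) findings for one controller.xml."""
    root = ET.fromstring(xml_text)
    requests = {rm.get("uri"): rm for rm in root.iter("request-map")}
    views = {vm.get("name") for vm in root.iter("view-map")}
    findings = []

    protected = sorted(uri for uri, rm in requests.items() if requires_auth(rm))
    if protected:
        users = ", ".join(protected)
        check = requests.get("checkLogin")
        if check is None:
            findings.append(("missing-checkLogin", "checkLogin",
                             f'auth="true" on [{users}] but no checkLogin request-map'))
        else:
            event = check.find("event")
            if event is None or not all(event.get(a) for a in ("type", "path", "invoke")):
                findings.append(("checkLogin-no-event", "checkLogin",
                                 "checkLogin has no complete <event type/path/invoke>"))
        if "login" not in requests:
            findings.append(("missing-login-request", "login",
                             "no request-map to post credentials to"))
        if "login" not in views:
            findings.append(("missing-login-view", "login",
                             "no view-map to render the login screen"))

    for uri, rm in sorted(requests.items()):
        # Anything outside the login plumbing that is served without auth.
        if uri not in LOGIN_URIS and not requires_auth(rm):
            findings.append(("no-auth", uri, "request is reachable without login"))
        # View responses must point at a view-map defined in this controller.
        for response in rm.findall("response"):
            if response.get("type") == "view" and response.get("value") not in views:
                findings.append(("undefined-view", uri,
                                 f'response view "{response.get("value")}" is not defined'))
    return findings


if __name__ == "__main__":
    for label, doc in (("first attempt", FIRST_ATTEMPT), ("wired", WIRED)):
        print(label)
        for code, uri, message in audit_controller(doc) or [("ok", "-", "no findings")]:
            print(f"  {code:22} {uri:12} {message}")
```

The audit reads only the controller file, so it does not catch the later [main-decorator] rendering error, which depends on the screen definitions and the webapp's web.xml.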


Re: how to set security and permissions precedence

Posted by Milind W <ma...@mymunshi.com>.
I changed my controller to conform with the example controller.xml.
Now it does attempt to send me to the login screen but I get the following
error.

org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen
[component://common/widget/CommonScreens.xml#login]:
java.lang.IllegalArgumentException: Could not find screen with name
[main-decorator] in the same file as the screen with name [login] (Could
not find screen with name [main-decorator] in the same file as the screen
with name [login])

Help!
> your controller does not conform to the current svn controllers.
> please review them.
>
>
> Milind W sent the following on 8/3/2008 5:35 PM:
>> I got the updated files.
>> Did ant clean and then a new build.
>> I still see the SAME behavior described in my previous email.
>> I am attaching my controller.xml
>>
>>> here is the fix
>>> http://svn.apache.org/viewvc?rev=682228&view=rev
>>>
>>> Milind W sent the following on 8/3/2008 4:27 PM:
>>>> Just tried "ant clean" it made no difference.
>>>> I can proceed to main without being redirected to login with
>>>> rev#679258.
>>>>
>>>>
>>>> Relevant log for rev#679258
>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>> [RequestHandler.java:243:INFO ] [Processing Request]: main
>>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>> [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response
>>>> is
>>>> a
>>>> view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>>> [RequestHandler.java:584:INFO ] servletName=control, view=main
>>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>>>> UtilJ2eeCompat.java:69
>>>> :INFO ] serverInfo: apache tomcat/6.0.16
>>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>>>> UtilJ2eeCompat.java:78
>>>> :INFO ] Apache Tomcat detected, using response.getWriter to write text
>>>> out
>>>> instead of response.getOutputStream
>>>>
>>>> and with rev#677863
>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>> RequestHandler.java:236:INFO ] [Processing Request]: main
>>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>> LoginWorker.java:262:INFO ] reqParams Map: []
>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>> LoginWorker.java:263:INFO ] queryString:
>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>> LoginWorker.java:273:INFO ] checkLogin: queryString=
>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>> LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>> RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is
>>>> a
>>>> view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>> RequestHandler.java:578:INFO ] servletName=control, view=login
>>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>> UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>>> UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using
>>>> response.getWriter to write text out instead of
>>>> response.getOutputStream
>>>>
>>>> The loginworker seems to be invoked with rev#677863 and not with
>>>> rev#679258.
>>>> Any Idea?
>>>>
>>>>> Did you try an "ant clean" ? There have been some changes recently
>>>>> that
>>>>> imply this cleanup.
>>>>>
>>>>> Jacques
>>>>>
>>>>> From: "Milind W" <ma...@mymunshi.com>
>>>>>> Looks like I have a problem making this example work with
>>>>>> revision#679258
>>>>>>
>>>>>> It worked fine (i.e I was redirected to login screen before I could
>>>>>> get
>>>>>> to
>>>>>> main) with rev#677863
>>>>>>
>>>>>> Looks like the view
>>>>>> <view-map name="login" type="screen"
>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>> is part of the problem. The CommonScreens.xml has moved and does no
>>>>>> longer
>>>>>> seem to have the 'login' screen.
>>>>>>
>>>>>> I tried finding another screen with the 'login' view. I found
>>>>>> another
>>>>>> one
>>>>>> in the 'common' component and modified my hello controller to point
>>>>>> to
>>>>>> <view-map name="login" type="screen"
>>>>>> page="component://common/widget/CommonScreens.xml#login"/>
>>>>>> but it is not acting the same as previously.
>>>>>>
>>>>>> Please let me know what is missing (or any suggestion how best to
>>>>>> illustrate login) so I can complete and contribute my tutorial for
>>>>>> security. Would hate to create a tutorial that worked with one
>>>>>> specific
>>>>>> build.
>>>>>>
>>>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>>>>
>>>>>> Thanks
>>>>>> -Milind
>>>>>>
>>>>>>> hi,
>>>>>>> I got login to work by adding the changes below to my controller
>>>>>>> using
>>>>>>> ofbiz4.0.
>>>>>>> I don't think I follow the reason with OFBTOOLS base permission
>>>>>>> not
>>>>>>> taking effect in the ofbiz-component as explained in OFBIZ-829.
>>>>>>> But I agree with Si Chen on OFBIZ-829
>>>>>>> "The right way is to assume no permission until one of the list of
>>>>>>> permissions is met." Seems more intuitive.
>>>>>>> For now I can workaround it so thanks all.
>>>>>>> -Milind
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> <preprocessor>
>>>>>>>         <!-- Events to run on every request before security (chains
>>>>>>> exempt) -->
>>>>>>>         <!-- <event type="java"
>>>>>>> path="org.ofbiz.webapp.event.TestEvent"
>>>>>>> invoke="test"/> -->
>>>>>>>         <event type="java"
>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>> invoke="checkExternalLoginKey"/>
>>>>>>>     </preprocessor>
>>>>>>>
>>>>>>> <!-- Request Mappings -->
>>>>>>>
>>>>>>>   <request-map uri="checkLogin" edit="false">
>>>>>>>         <description>Verify a user is logged in.</description>
>>>>>>>         <security https="false" auth="false"/>
>>>>>>>         <event type="java"
>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>> invoke="checkLogin" />
>>>>>>>         <response name="success" type="view" value="main" />
>>>>>>>         <response name="error" type="view" value="login" />
>>>>>>>     </request-map>
>>>>>>>
>>>>>>>     <request-map uri="login">
>>>>>>>         <security https="false" auth="false"/>
>>>>>>>         <event type="java"
>>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>>> invoke="login"/>
>>>>>>>         <response name="success" type="view" value="main"/>
>>>>>>>         <response name="error" type="view" value="login"/>
>>>>>>>     </request-map>
>>>>>>>
>>>>>>>
>>>>>>> <request-map uri="main">
>>>>>>> <security https="false" auth="true" />
>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>> </request-map>
>>>>>>>
>>>>>>> <view-map name="login" type="screen"
>>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>>
>>>>>>>
>>>>>>>> Not with a direct link to the comment where is the explanation ;p
>>>>>>>> Actually it was more a didactic post
>>>>>>>>
>>>>>>>> Jacques
>>>>>>>>
>>>>>>>> From: "BJ Freeman" <bj...@free-man.net>
>>>>>>>>> LOL
>>>>>>>>> that was the first link I sent on this thread.
>>>>>>>>>
>>>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>>>>
>>>>>>>>>> You would have get
>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Jacques
>>>>>>>>>>
>>>>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>>>>> <ma...@mymunshi.com>
>>>>>>>>>> To: <us...@ofbiz.apache.org>
>>>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Let me try to break up questions.
>>>>>>>>>>> Shouldn't adding
>>>>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user id
>>>>>>>>>>> that
>>>>>>>>>>> is
>>>>>>>>>>> associated to the OFBTOOLS security group?
>>>>>>>>>>> I can see the application I created and the line seems to have
>>>>>>>>>>> no
>>>>>>>>>>> effect.
>>>>>>>>>>> What is the purpose of the line?
>>>>>>>>>>> Thanks
>>>>>>>>>>> -Milind
>>>>>>>>>>>
>>>>>>>>>>>> Please note that opentaps is not at the same level of revision
>>>>>>>>>>>> that
>>>>>>>>>>>> ofbiz
>>>>>>>>>>>> it
>>>>>>>>>>>> there have been  changes to security.
>>>>>>>>>>>> there are examples in the
>>>>>>>>>>>> framework/example
>>>>>>>>>>>> and
>>>>>>>>>>>> framework/exampleext
>>>>>>>>>>>> I believe this to better tutorial
>>>>>>>>>>>> since they work already.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>>>> hi,
>>>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>>>> I want to understand how security works so I made the
>>>>>>>>>>>>>>> following
>>>>>>>>>>>>>>> modifications to hello1
>>>>>>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the
>>>>>>>>>>>>>>> ofbiz-component.xml
>>>>>>>>>>>>>>> I could still see the application I was assuming the
>>>>>>>>>>>>>>> application
>>>>>>>>>>>>>>> would
>>>>>>>>>>>>>>> ask
>>>>>>>>>>>>>>> me to login or prevent me from seeing the page.
>>>>>>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the
>>>>>>>>>>>>>>> browser.
>>>>>>>>>>>>>>> How do permissions precedence work starting from the UI to
>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>>> entity
>>>>>>>>>>>>>>> layer.
>>>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>> RequestHandler.java:243:INFO ] [Processing Request]: main
>>>>>>>>>>>>>>> sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>> RequestManager.java:159:WARN ]
>>>>>>>>>>>>>>> [RequestManager.getEventType]
>>>>>>>>>>>>>>> Type
>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>> event
>>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>> RequestManager.java:146:WARN ]
>>>>>>>>>>>>>>> [RequestManager.getEventPath]
>>>>>>>>>>>>>>> Path
>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>> event
>>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>> RequestManager.java:172:WARN ]
>>>>>>>>>>>>>>> [RequestManager.getEventMethod]
>>>>>>>>>>>>>>> Method
>>>>>>>>>>>>>>> of
>>>>>>>>>>>>>>> event for request "checkLogin" not found
>>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>>> ControlServlet.java:205:ERROR]
>>>>>>>>>>>>>>> ---- runtime exception report
>>>>>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>>>> ---- stack trace
>>>>>>>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php



Re: how to set security and permissions precedence

Posted by BJ Freeman <bj...@free-man.net>.
your controller does not conform to the current svn controllers.
please review them.


Milind W sent the following on 8/3/2008 5:35 PM:
> I got the updated files.
> Did ant clean and then a new build.
> I still see the SAME behavior described in my previous email.
> I am attaching my controller.xml
> 
>> here is the fix
>> http://svn.apache.org/viewvc?rev=682228&view=rev
>>
>> Milind W sent the following on 8/3/2008 4:27 PM:
>>> Just tried "ant clean" it made no difference.
>>> I can proceed to main without being redirected to login with rev#679258.
>>>
>>>
>>> Relevant log for rev#679258
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>> [RequestHandler.java:243:INFO ] [Processing Request]: main
>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>> [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is
>>> a
>>> view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>> [RequestHandler.java:584:INFO ] servletName=control, view=main
>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>>> UtilJ2eeCompat.java:69
>>> :INFO ] serverInfo: apache tomcat/6.0.16
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>>> UtilJ2eeCompat.java:78
>>> :INFO ] Apache Tomcat detected, using response.getWriter to write text
>>> out
>>> instead of response.getOutputStream
>>>
>>> and with rev#677863
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> RequestHandler.java:236:INFO ] [Processing Request]: main
>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> LoginWorker.java:262:INFO ] reqParams Map: []
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> LoginWorker.java:263:INFO ] queryString:
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> LoginWorker.java:273:INFO ] checkLogin: queryString=
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is a
>>> view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> RequestHandler.java:578:INFO ] servletName=control, view=login
>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using
>>> response.getWriter to write text out instead of response.getOutputStream
>>>
>>> The loginworker seems to be invoked with rev#677863 and not with
>>> rev#679258.
>>> Any Idea?
>>>
>>>> Did you try an "ant clean" ? There have been some changes recently that
>>>> imply this cleanup.
>>>>
>>>> Jacques
>>>>
>>>> From: "Milind W" <ma...@mymunshi.com>
>>>>> Looks like I have a problem making this example work with
>>>>> revision#679258
>>>>>
>>>>> It worked fine (i.e I was redirected to login screen before I could
>>>>> get
>>>>> to
>>>>> main) with rev#677863
>>>>>
>>>>> Looks like the view
>>>>> <view-map name="login" type="screen"
>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>> is part of the problem. The CommonScreens.xml has moved and does no
>>>>> longer
>>>>> seem to have the 'login' screen.
>>>>>
>>>>> I tried finding another screen with the 'login' view. I found another
>>>>> one
>>>>> in the 'common' component and modified my hello controller to point to
>>>>> <view-map name="login" type="screen"
>>>>> page="component://common/widget/CommonScreens.xml#login"/>
>>>>> but it is not acting the same as previously.
>>>>>
>>>>> Please let me know what is missing (or any suggestion how best to
>>>>> illustrate login) so I can complete and contribute my tutorial for
>>>>> security. Would hate to create a tutorial that worked with one
>>>>> specific
>>>>> build.
>>>>>
>>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>>>
>>>>> Thanks
>>>>> -Milind
>>>>>
>>>>>> hi,
>>>>>> I got login to work by adding the changes below to my controller
>>>>>> using
>>>>>> ofbiz4.0.
>>>>>> I don't think I follow the reason with OFBTOOLS base permission not
>>>>>> taking effect in the ofbiz-component as explained in OFBIZ-829.
>>>>>> But I agree with Si Chen on OFBIZ-829
>>>>>> "The right way is to assume no permission until one of the list of
>>>>>> permissions is met." Seems more intuitive.
>>>>>> For now I can workaround it so thanks all.
>>>>>> -Milind
>>>>>>
>>>>>>
>>>>>>
>>>>>> <preprocessor>
>>>>>>         <!-- Events to run on every request before security (chains
>>>>>> exempt) -->
>>>>>>         <!-- <event type="java"
>>>>>> path="org.ofbiz.webapp.event.TestEvent"
>>>>>> invoke="test"/> -->
>>>>>>         <event type="java"
>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>> invoke="checkExternalLoginKey"/>
>>>>>>     </preprocessor>
>>>>>>
>>>>>> <!-- Request Mappings -->
>>>>>>
>>>>>>   <request-map uri="checkLogin" edit="false">
>>>>>>         <description>Verify a user is logged in.</description>
>>>>>>         <security https="false" auth="false"/>
>>>>>>         <event type="java"
>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>> invoke="checkLogin" />
>>>>>>         <response name="success" type="view" value="main" />
>>>>>>         <response name="error" type="view" value="login" />
>>>>>>     </request-map>
>>>>>>
>>>>>>     <request-map uri="login">
>>>>>>         <security https="false" auth="false"/>
>>>>>>         <event type="java"
>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>> invoke="login"/>
>>>>>>         <response name="success" type="view" value="main"/>
>>>>>>         <response name="error" type="view" value="login"/>
>>>>>>     </request-map>
>>>>>>
>>>>>>
>>>>>> <request-map uri="main">
>>>>>> <security https="false" auth="true" />
>>>>>> <response name="success" type="view" value="main"/>
>>>>>> </request-map>
>>>>>>
>>>>>> <view-map name="login" type="screen"
>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>
>>>>>>
>>>>>>> Not with a direct link to the comment where is the explanation ;p
>>>>>>> Actually it was more a didactic post
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>> From: "BJ Freeman" <bj...@free-man.net>
>>>>>>>> LOL
>>>>>>>> that was the first link I sent on this thread.
>>>>>>>>
>>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>>>
>>>>>>>>> You would have get
>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jacques
>>>>>>>>>
>>>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>>>> <ma...@mymunshi.com>
>>>>>>>>> To: <us...@ofbiz.apache.org>
>>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Let me try to break up questions.
>>>>>>>>>> Shouldn't adding
>>>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user id
>>>>>>>>>> that
>>>>>>>>>> is
>>>>>>>>>> associated to the OFBTOOLS security group?
>>>>>>>>>> I can see the application I created and the line seems to have no
>>>>>>>>>> effect.
>>>>>>>>>> What is the purpose of the line?
>>>>>>>>>> Thanks
>>>>>>>>>> -Milind
>>>>>>>>>>
>>>>>>>>>>> Please note that opentaps is not at the same level of revision
>>>>>>>>>>> that
>>>>>>>>>>> ofbiz
>>>>>>>>>>> it
>>>>>>>>>>> there have been  changes to security.
>>>>>>>>>>> there are examples in the
>>>>>>>>>>> framework/example
>>>>>>>>>>> and
>>>>>>>>>>> framework/exampleext
>>>>>>>>>>> I believe this to better tutorial
>>>>>>>>>>> since they work already.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>>
>>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>>> hi,
>>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>>> I want to understand how security works so I made the
>>>>>>>>>>>>>> following
>>>>>>>>>>>>>> modifications to hello1
>>>>>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the
>>>>>>>>>>>>>> ofbiz-component.xml
>>>>>>>>>>>>>> I could still see the application I was assuming the
>>>>>>>>>>>>>> application
>>>>>>>>>>>>>> would
>>>>>>>>>>>>>> ask
>>>>>>>>>>>>>> me to login or prevent me from seeing the page.
>>>>>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the
>>>>>>>>>>>>>> browser.
>>>>>>>>>>>>>> How do permissions precedence work starting from the UI to
>>>>>>>>>>>>>> the
>>>>>>>>>>>>>> entity
>>>>>>>>>>>>>> layer.
>>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>> RequestHandler.java:243:INFO ] [Processing Request]: main
>>>>>>>>>>>>>> sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>> RequestManager.java:159:WARN ] [RequestManager.getEventType]
>>>>>>>>>>>>>> Type
>>>>>>>>>>>>>> of
>>>>>>>>>>>>>> event
>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>> RequestManager.java:146:WARN ] [RequestManager.getEventPath]
>>>>>>>>>>>>>> Path
>>>>>>>>>>>>>> of
>>>>>>>>>>>>>> event
>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>> RequestManager.java:172:WARN ]
>>>>>>>>>>>>>> [RequestManager.getEventMethod]
>>>>>>>>>>>>>> Method
>>>>>>>>>>>>>> of
>>>>>>>>>>>>>> event for request "checkLogin" not found
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>> ControlServlet.java:205:ERROR]
>>>>>>>>>>>>>> ---- runtime exception report
>>>>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>>> ---- stack trace
>>>>>>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
>>
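
The controller review asked for above can be partly automated. The following is an added example, not code from the thread or from the OFBiz project: it checks one controller.xml for the problems this thread ran into (auth="true" without a complete checkLogin event, responses pointing at undefined views, a login screen borrowed from another component, requests served without login). The function name, the finding codes, the hello1 view-map path and both sample documents are constructed for the example; it inspects a single file and does not follow any included controller files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample 1: the first post's controller, where only "main" got auth="true".
# The "main" view-map and its component://hello1 path are made up for the example.
FIRST_POST = """<site-conf>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <view-map name="main" type="screen" page="component://hello1/widget/HelloScreens.xml#main"/>
</site-conf>"""

# Constructed sample 2: the same controller with the workaround posted later in the thread.
WORKAROUND = """<site-conf>
  <request-map uri="checkLogin" edit="false">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="login">
    <security https="false" auth="false"/>
    <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
    <response name="success" type="view" value="main"/>
    <response name="error" type="view" value="login"/>
  </request-map>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <view-map name="login" type="screen" page="component://marketing/widget/CommonScreens.xml#login"/>
  <view-map name="main" type="screen" page="component://hello1/widget/HelloScreens.xml#main"/>
</site-conf>"""

COMPONENT_RE = re.compile(r"^component://([^/]+)/")


def _auth_required(request_map):
    security = request_map.find("security")
    return security is not None and security.get("auth") == "true"


def lint_controller(xml_text, own_component="hello1", public_uris=("checkLogin", "login")):
    """Return (code, message) findings for a single controller.xml document."""
    root = ET.fromstring(xml_text)
    requests = {r.get("uri"): r for r in root.iter("request-map")}
    views = {v.get("name"): v for v in root.iter("view-map")}
    findings = []

    # 1. With auth="true" the thread's log shows the handler looking up the type,
    #    path and method of request "checkLogin", then a NullPointerException.
    protected = [uri for uri, r in requests.items() if _auth_required(r)]
    if protected:
        check = requests.get("checkLogin")
        event = check.find("event") if check is not None else None
        missing = [a for a in ("type", "path", "invoke") if event is None or not event.get(a)]
        if missing:
            findings.append(("CHECKLOGIN_MISSING",
                             f"{protected} need auth but checkLogin event lacks {missing}"))

    # 2. Every response of type "view" must name a view-map defined in this file.
    for uri, r in requests.items():
        for resp in r.findall("response"):
            if resp.get("type") == "view" and resp.get("value") not in views:
                findings.append(("VIEW_UNDEFINED",
                                 f"request {uri!r} -> view {resp.get('value')!r} has no view-map"))

    # 3. Screens borrowed from another component can move between revisions
    #    (the marketing CommonScreens.xml#login case in the thread).
    for name, v in views.items():
        m = COMPONENT_RE.match(v.get("page", ""))
        if m and m.group(1) != own_component:
            findings.append(("EXTERNAL_SCREEN",
                             f"view {name!r} depends on component {m.group(1)!r}: {v.get('page')}"))

    # 4. Anything without auth="true", other than the login plumbing, is served anonymously.
    for uri, r in requests.items():
        if not _auth_required(r) and uri not in public_uris:
            findings.append(("NO_AUTH", f"request {uri!r} is reachable without login"))

    return findings


if __name__ == "__main__":
    for label, doc in (("first post", FIRST_POST), ("workaround", WORKAROUND)):
        print(label)
        for code, message in lint_controller(doc):
            print(f"  {code}: {message}")
```
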


Re: how to set security and permissions precedence

Posted by Jacques Le Roux <ja...@les7arts.com>.
This works for sure from r682228, please check your local instance...
Except of course if we don't speak about the _SAME behavior_ (see my previous posts in ML)

Jacques

From: "Milind W" <ma...@mymunshi.com>
>I got the updated files.
> Did ant clean and then a new build.
> I still see the SAME behavior described in my previous email.
> I am attaching my controller.xml
> 
>> here is the fix
>> http://svn.apache.org/viewvc?rev=682228&view=rev
>>
>> Milind W sent the following on 8/3/2008 4:27 PM:
>>> Just tried "ant clean" it made no difference.
>>> I can proceed to main without being redirected to login with rev#679258.
>>>
>>>
>>> Relevant log for rev#679258
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>> [RequestHandler.java:243:INFO ] [Processing Request]: main
>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>> [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is
>>> a
>>> view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>>> [RequestHandler.java:584:INFO ] servletName=control, view=main
>>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>>> UtilJ2eeCompat.java:69
>>> :INFO ] serverInfo: apache tomcat/6.0.16
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>>> UtilJ2eeCompat.java:78
>>> :INFO ] Apache Tomcat detected, using response.getWriter to write text
>>> out
>>> instead of response.getOutputStream
>>>
>>> and with rev#677863
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> RequestHandler.java:236:INFO ] [Processing Request]: main
>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> LoginWorker.java:262:INFO ] reqParams Map: []
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> LoginWorker.java:263:INFO ] queryString:
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> LoginWorker.java:273:INFO ] checkLogin: queryString=
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is a
>>> view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> RequestHandler.java:578:INFO ] servletName=control, view=login
>>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>>> UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using
>>> response.getWriter to write text out instead of response.getOutputStream
>>>
>>> The loginworker seems to be invoked with rev#677863 and not with
>>> rev#679258.
>>> Any Idea?
>>>
>>>> Did you try an "ant clean" ? There have been some changes recently that
>>>> imply this cleanup.
>>>>
>>>> Jacques
>>>>
>>>> From: "Milind W" <ma...@mymunshi.com>
>>>>> Looks like I have a problem making this example work with
>>>>> revision#679258
>>>>>
>>>>> It worked fine (i.e I was redirected to login screen before I could
>>>>> get
>>>>> to
>>>>> main) with rev#677863
>>>>>
>>>>> Looks like the view
>>>>> <view-map name="login" type="screen"
>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>> is part of the problem. The CommonScreens.xml has moved and does no
>>>>> longer
>>>>> seem to have the 'login' screen.
>>>>>
>>>>> I tried finding another screen with the 'login' view. I found another
>>>>> one
>>>>> in the 'common' component and modified my hello controller to point to
>>>>> <view-map name="login" type="screen"
>>>>> page="component://common/widget/CommonScreens.xml#login"/>
>>>>> but it is not acting the same as previously.
>>>>>
>>>>> Please let me know what is missing (or any suggestion how best to
>>>>> illustrate login) so I can complete and contribute my tutorial for
>>>>> security. Would hate to create a tutorial that worked with one
>>>>> specific
>>>>> build.
>>>>>
>>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>>>
>>>>> Thanks
>>>>> -Milind
>>>>>
>>>>>> hi,
>>>>>> I got login to work by adding the changes below to my controller
>>>>>> using
>>>>>> ofbiz4.0.
>>>>>> I don't think I follow the reason with OFBTOOLS base permission not
>>>>>> taking effect in the ofbiz-component as explained in OFBIZ-829.
>>>>>> But I agree with Si Chen on OFBIZ-829
>>>>>> "The right way is to assume no permission until one of the list of
>>>>>> permissions is met." Seems more intuitive.
>>>>>> For now I can workaround it so thanks all.
>>>>>> -Milind
>>>>>>
>>>>>>
>>>>>>
>>>>>> <preprocessor>
>>>>>>         <!-- Events to run on every request before security (chains
>>>>>> exempt) -->
>>>>>>         <!-- <event type="java"
>>>>>> path="org.ofbiz.webapp.event.TestEvent"
>>>>>> invoke="test"/> -->
>>>>>>         <event type="java"
>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>> invoke="checkExternalLoginKey"/>
>>>>>>     </preprocessor>
>>>>>>
>>>>>> <!-- Request Mappings -->
>>>>>>
>>>>>>   <request-map uri="checkLogin" edit="false">
>>>>>>         <description>Verify a user is logged in.</description>
>>>>>>         <security https="false" auth="false"/>
>>>>>>         <event type="java"
>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>> invoke="checkLogin" />
>>>>>>         <response name="success" type="view" value="main" />
>>>>>>         <response name="error" type="view" value="login" />
>>>>>>     </request-map>
>>>>>>
>>>>>>     <request-map uri="login">
>>>>>>         <security https="false" auth="false"/>
>>>>>>         <event type="java"
>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>> invoke="login"/>
>>>>>>         <response name="success" type="view" value="main"/>
>>>>>>         <response name="error" type="view" value="login"/>
>>>>>>     </request-map>
>>>>>>
>>>>>>
>>>>>> <request-map uri="main">
>>>>>> <security https="false" auth="true" />
>>>>>> <response name="success" type="view" value="main"/>
>>>>>> </request-map>
>>>>>>
>>>>>> <view-map name="login" type="screen"
>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>
>>>>>>
>>>>>>> Not with a direct link to the comment where is the explanation ;p
>>>>>>> Actually it was more a didactic post
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>> From: "BJ Freeman" <bj...@free-man.net>
>>>>>>>> LOL
>>>>>>>> that was the first link I sent on this thread.
>>>>>>>>
>>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>>>
>>>>>>>>> You would have got
>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jacques
>>>>>>>>>
>>>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>>>> <ma...@mymunshi.com>
>>>>>>>>> To: <us...@ofbiz.apache.org>
>>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Let me try to break up questions.
>>>>>>>>>> Shouldn't adding
>>>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user id
>>>>>>>>>> that
>>>>>>>>>> is
>>>>>>>>>> associated to the OFBTOOLS security group?
>>>>>>>>>> I can see the application I created and the line seems to have no
>>>>>>>>>> effect.
>>>>>>>>>> What is the purpose of the line?
>>>>>>>>>> Thanks
>>>>>>>>>> -Milind
>>>>>>>>>>
>>>>>>>>>>> Please note that opentaps is not at the same level of revision
>>>>>>>>>>> that ofbiz is.
>>>>>>>>>>> There have been changes to security.
>>>>>>>>>>> There are examples in the
>>>>>>>>>>> framework/example
>>>>>>>>>>> and
>>>>>>>>>>> framework/exampleext
>>>>>>>>>>> I believe this to be a better tutorial
>>>>>>>>>>> since they work already.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>>
>>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>>
>>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>>> hi,
>>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>>> I want to understand how security works so I made the
>>>>>>>>>>>>>> following
>>>>>>>>>>>>>> modifications to hello1
>>>>>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the
>>>>>>>>>>>>>> ofbiz-component.xml
>>>>>>>>>>>>>> I could still see the application. I was assuming the
>>>>>>>>>>>>>> application would ask me to login or prevent me from
>>>>>>>>>>>>>> seeing the page.
>>>>>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the
>>>>>>>>>>>>>> browser.
>>>>>>>>>>>>>> How do permissions precedence work starting from the UI to
>>>>>>>>>>>>>> the
>>>>>>>>>>>>>> entity
>>>>>>>>>>>>>> layer.
>>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>> RequestHandler.java:243:INFO ] [Processing Request]: main
>>>>>>>>>>>>>> sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>> RequestManager.java:159:WARN ] [RequestManager.getEventType]
>>>>>>>>>>>>>> Type
>>>>>>>>>>>>>> of
>>>>>>>>>>>>>> event
>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>> RequestManager.java:146:WARN ] [RequestManager.getEventPath]
>>>>>>>>>>>>>> Path
>>>>>>>>>>>>>> of
>>>>>>>>>>>>>> event
>>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>> RequestManager.java:172:WARN ]
>>>>>>>>>>>>>> [RequestManager.getEventMethod]
>>>>>>>>>>>>>> Method
>>>>>>>>>>>>>> of
>>>>>>>>>>>>>> event for request "checkLogin" not found
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>>> ControlServlet.java:205:ERROR]
>>>>>>>>>>>>>> ---- runtime exception report
>>>>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>>> ---- stack trace
>>>>>>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php

Re: how to set security and permissions precedence

Posted by Milind W <ma...@mymunshi.com>.
I got the updated files.
Did ant clean and then a new build.
I still see the SAME behavior described in my previous email.
I am attaching my controller.xml

> here is the fix
> http://svn.apache.org/viewvc?rev=682228&view=rev
>
> Milind W sent the following on 8/3/2008 4:27 PM:
>> Just tried "ant clean" it made no difference.
>> I can proceed to main without being redirected to login with rev#679258.
>>
>>
>> Relevant log for rev#679258
>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>> [RequestHandler.java:243:INFO ] [Processing Request]: main
>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>> [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is
>> a
>> view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
>> [RequestHandler.java:584:INFO ] servletName=control, view=main
>> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>> UtilJ2eeCompat.java:69
>> :INFO ] serverInfo: apache tomcat/6.0.16
>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [
>> UtilJ2eeCompat.java:78
>> :INFO ] Apache Tomcat detected, using response.getWriter to write text
>> out
>> instead of response.getOutputStream
>>
>> and with rev#677863
>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>> RequestHandler.java:236:INFO ] [Processing Request]: main
>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>> LoginWorker.java:262:INFO ] reqParams Map: []
>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>> LoginWorker.java:263:INFO ] queryString:
>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>> LoginWorker.java:273:INFO ] checkLogin: queryString=
>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>> LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>> RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is a
>> view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>> RequestHandler.java:578:INFO ] servletName=control, view=login
>> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>> UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [
>> UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using
>> response.getWriter to write text out instead of response.getOutputStream
>>
>> The loginworker seems to be invoked with rev#677863 and not with
>> rev#679258.
>> Any Idea?
>>
>>> Did you try an "ant clean"? There have been some changes recently that
>>> imply this cleanup.
>>>
>>> Jacques
>>>
>>> From: "Milind W" <ma...@mymunshi.com>
>>>> Looks like I have a problem making this example work with
>>>> revision#679258
>>>>
>>>> It worked fine (i.e I was redirected to login screen before I could
>>>> get
>>>> to
>>>> main) with rev#677863
>>>>
>>>> Looks like the view
>>>> <view-map name="login" type="screen"
>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>> is part of the problem. The CommonScreens.xml has moved and no
>>>> longer seems to have the 'login' screen.
>>>>
>>>> I tried finding another screen with the 'login' view. I found another
>>>> one
>>>> in the 'common' component and modified my hello controller to point to
>>>> <view-map name="login" type="screen"
>>>> page="component://common/widget/CommonScreens.xml#login"/>
>>>> but it is not acting the same as previously.
>>>>
>>>> Please let me know what is missing (or any suggestion how best to
>>>> illustrate login) so I can complete and contribute my tutorial for
>>>> security. Would hate to create a tutorial that worked with one
>>>> specific
>>>> build.
>>>>
>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>>
>>>> Thanks
>>>> -Milind
>>>>
>>>>> hi,
>>>>> I got login to work by adding the changes below to my controller
>>>>> using
>>>>> ofbiz4.0.
>>>>> I don't think I follow the reason with OFBTOOLS base permission not
>>>>> taking effect in the ofbiz-component as explained in OFBIZ-829.
>>>>> But I agree with Si Chen on OFBIZ-829
>>>>> "The right way is to assume no permission until one of the list of
>>>>> permissions is met." Seems more intuitive.
>>>>> For now I can workaround it so thanks all.
>>>>> -Milind
>>>>>
>>>>>
>>>>>
>>>>> <preprocessor>
>>>>>         <!-- Events to run on every request before security (chains
>>>>> exempt) -->
>>>>>         <!-- <event type="java"
>>>>> path="org.ofbiz.webapp.event.TestEvent"
>>>>> invoke="test"/> -->
>>>>>         <event type="java"
>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>> invoke="checkExternalLoginKey"/>
>>>>>     </preprocessor>
>>>>>
>>>>> <!-- Request Mappings -->
>>>>>
>>>>>   <request-map uri="checkLogin" edit="false">
>>>>>         <description>Verify a user is logged in.</description>
>>>>>         <security https="false" auth="false"/>
>>>>>         <event type="java"
>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>> invoke="checkLogin" />
>>>>>         <response name="success" type="view" value="main" />
>>>>>         <response name="error" type="view" value="login" />
>>>>>     </request-map>
>>>>>
>>>>>     <request-map uri="login">
>>>>>         <security https="false" auth="false"/>
>>>>>         <event type="java"
>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>> invoke="login"/>
>>>>>         <response name="success" type="view" value="main"/>
>>>>>         <response name="error" type="view" value="login"/>
>>>>>     </request-map>
>>>>>
>>>>>
>>>>> <request-map uri="main">
>>>>> <security https="false" auth="true" />
>>>>> <response name="success" type="view" value="main"/>
>>>>> </request-map>
>>>>>
>>>>> <view-map name="login" type="screen"
>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>
>>>>>
>>>>>> Not with a direct link to the comment where is the explanation ;p
>>>>>> Actually it was more a didactic post
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>> From: "BJ Freeman" <bj...@free-man.net>
>>>>>>> LOL
>>>>>>> that was the first link I sent on this thread.
>>>>>>>
>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>>
>>>>>>>> You would have got
>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>>
>>>>>>>>
>>>>>>>> Jacques
>>>>>>>>
>>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>>> <ma...@mymunshi.com>
>>>>>>>> To: <us...@ofbiz.apache.org>
>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>>
>>>>>>>>
>>>>>>>>> Let me try to break up questions.
>>>>>>>>> Shouldn't adding
>>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user id
>>>>>>>>> that
>>>>>>>>> is
>>>>>>>>> associated to the OFBTOOLS security group?
>>>>>>>>> I can see the application I created and the line seems to have no
>>>>>>>>> effect.
>>>>>>>>> What is the purpose of the line?
>>>>>>>>> Thanks
>>>>>>>>> -Milind
>>>>>>>>>
>>>>>>>>>> Please note that opentaps is not at the same level of revision
>>>>>>>>>> that ofbiz is.
>>>>>>>>>> There have been changes to security.
>>>>>>>>>> There are examples in the
>>>>>>>>>> framework/example
>>>>>>>>>> and
>>>>>>>>>> framework/exampleext
>>>>>>>>>> I believe this to be a better tutorial
>>>>>>>>>> since they work already.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>
>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>
>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>> hi,
>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>> I want to understand how security works so I made the
>>>>>>>>>>>>> following
>>>>>>>>>>>>> modifications to hello1
>>>>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the
>>>>>>>>>>>>> ofbiz-component.xml
>>>>>>>>>>>>> I could still see the application. I was assuming the
>>>>>>>>>>>>> application would ask me to login or prevent me from
>>>>>>>>>>>>> seeing the page.
>>>>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the
>>>>>>>>>>>>> browser.
>>>>>>>>>>>>> How do permissions precedence work starting from the UI to
>>>>>>>>>>>>> the
>>>>>>>>>>>>> entity
>>>>>>>>>>>>> layer.
>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>> RequestHandler.java:243:INFO ] [Processing Request]: main
>>>>>>>>>>>>> sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>> RequestManager.java:159:WARN ] [RequestManager.getEventType]
>>>>>>>>>>>>> Type
>>>>>>>>>>>>> of
>>>>>>>>>>>>> event
>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>> RequestManager.java:146:WARN ] [RequestManager.getEventPath]
>>>>>>>>>>>>> Path
>>>>>>>>>>>>> of
>>>>>>>>>>>>> event
>>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>> RequestManager.java:172:WARN ]
>>>>>>>>>>>>> [RequestManager.getEventMethod]
>>>>>>>>>>>>> Method
>>>>>>>>>>>>> of
>>>>>>>>>>>>> event for request "checkLogin" not found
>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>>> ControlServlet.java:205:ERROR]
>>>>>>>>>>>>> ---- runtime exception report
>>>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>> ---- stack trace
>>>>>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>>>>>
>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>
>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>
>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
>

Re: how to set security and permissions precedence

Posted by BJ Freeman <bj...@free-man.net>.
here is the fix
http://svn.apache.org/viewvc?rev=682228&view=rev

Milind W sent the following on 8/3/2008 4:27 PM:
> Just tried "ant clean" it made no difference.
> I can proceed to main without being redirected to login with rev#679258.
> 
> 
> Relevant log for rev#679258
> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
> [RequestHandler.java:243:INFO ] [Processing Request]: main
> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
> [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is a
> view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1)
> [RequestHandler.java:584:INFO ] servletName=control, view=main
> sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [     UtilJ2eeCompat.java:69
> :INFO ] serverInfo: apache tomcat/6.0.16
> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [     UtilJ2eeCompat.java:78
> :INFO ] Apache Tomcat detected, using response.getWriter to write text out
> instead of response.getOutputStream
> 
> and with rev#677863
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [    
> RequestHandler.java:236:INFO ] [Processing Request]: main
> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [       
> LoginWorker.java:262:INFO ] reqParams Map: []
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [       
> LoginWorker.java:263:INFO ] queryString:
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [       
> LoginWorker.java:273:INFO ] checkLogin: queryString=
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [       
> LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [    
> RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is a
> view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [    
> RequestHandler.java:578:INFO ] servletName=control, view=login
> sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [    
> UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [    
> UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using
> response.getWriter to write text out instead of response.getOutputStream
> 
> The loginworker seems to be invoked with rev#677863 and not with rev#679258.
> Any Idea?
> 
>> Did you try an "ant clean"? There have been some changes recently that
>> imply this cleanup.
>>
>> Jacques
>>
>> From: "Milind W" <ma...@mymunshi.com>
>>> Looks like I have a problem making this example work with
>>> revision#679258
>>>
>>> It worked fine (i.e I was redirected to login screen before I could get
>>> to
>>> main) with rev#677863
>>>
>>> Looks like the view
>>> <view-map name="login" type="screen"
>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>> is part of the problem. The CommonScreens.xml has moved and no
>>> longer seems to have the 'login' screen.
>>>
>>> I tried finding another screen with the 'login' view. I found another
>>> one
>>> in the 'common' component and modified my hello controller to point to
>>> <view-map name="login" type="screen"
>>> page="component://common/widget/CommonScreens.xml#login"/>
>>> but it is not acting the same as previously.
>>>
>>> Please let me know what is missing (or any suggestion how best to
>>> illustrate login) so I can complete and contribute my tutorial for
>>> security. Would hate to create a tutorial that worked with one specific
>>> build.
>>>
>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>
>>> Thanks
>>> -Milind
>>>
>>>> hi,
>>>> I got login to work by adding the changes below to my controller using
>>>> ofbiz4.0.
>>>> I don't think I follow the reason with OFBTOOLS base permission not
>>>> taking effect in the ofbiz-component as explained in OFBIZ-829.
>>>> But I agree with Si Chen on OFBIZ-829
>>>> "The right way is to assume no permission until one of the list of
>>>> permissions is met." Seems more intuitive.
>>>> For now I can workaround it so thanks all.
>>>> -Milind
>>>>
>>>>
>>>>
>>>> <preprocessor>
>>>>         <!-- Events to run on every request before security (chains
>>>> exempt) -->
>>>>         <!-- <event type="java" path="org.ofbiz.webapp.event.TestEvent"
>>>> invoke="test"/> -->
>>>>         <event type="java" path="org.ofbiz.webapp.control.LoginWorker"
>>>> invoke="checkExternalLoginKey"/>
>>>>     </preprocessor>
>>>>
>>>> <!-- Request Mappings -->
>>>>
>>>>   <request-map uri="checkLogin" edit="false">
>>>>         <description>Verify a user is logged in.</description>
>>>>         <security https="false" auth="false"/>
>>>>         <event type="java" path="org.ofbiz.webapp.control.LoginWorker"
>>>> invoke="checkLogin" />
>>>>         <response name="success" type="view" value="main" />
>>>>         <response name="error" type="view" value="login" />
>>>>     </request-map>
>>>>
>>>>     <request-map uri="login">
>>>>         <security https="false" auth="false"/>
>>>>         <event type="java" path="org.ofbiz.webapp.control.LoginWorker"
>>>> invoke="login"/>
>>>>         <response name="success" type="view" value="main"/>
>>>>         <response name="error" type="view" value="login"/>
>>>>     </request-map>
>>>>
>>>>
>>>> <request-map uri="main">
>>>> <security https="false" auth="true" />
>>>> <response name="success" type="view" value="main"/>
>>>> </request-map>
>>>>
>>>> <view-map name="login" type="screen"
>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>
>>>>
>>>>> Not with a direct link to the comment where is the explanation ;p
>>>>> Actually it was more a didactic post
>>>>>
>>>>> Jacques
>>>>>
>>>>> From: "BJ Freeman" <bj...@free-man.net>
>>>>>> LOL
>>>>>> that was the first link I sent on this thread.
>>>>>>
>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>
>>>>>>> You would have got
>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>> <ma...@mymunshi.com>
>>>>>>> To: <us...@ofbiz.apache.org>
>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>
>>>>>>>
>>>>>>>> Let me try to break up questions.
>>>>>>>> Shouldn't adding
>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>> to the ofbiz-entity.xml force the user to login with a user id that
>>>>>>>> is
>>>>>>>> associated to the OFBTOOLS security group?
>>>>>>>> I can see the application I created and the line seems to have no
>>>>>>>> effect.
>>>>>>>> What is the purpose of the line?
>>>>>>>> Thanks
>>>>>>>> -Milind
>>>>>>>>
>>>>>>>>> Please note that opentaps is not at the same level of revision that
>>>>>>>>> ofbiz is.
>>>>>>>>> There have been changes to security.
>>>>>>>>> There are examples in the
>>>>>>>>> framework/example
>>>>>>>>> and
>>>>>>>>> framework/exampleext
>>>>>>>>> I believe this to be a better tutorial
>>>>>>>>> since they work already.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>
>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>
>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>> hi,
>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>> I want to understand how security works so I made the following
>>>>>>>>>>>> modifications to hello1
>>>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the ofbiz-component.xml
>>>>>>>>>>>> I could still see the application. I was assuming the
>>>>>>>>>>>> application would ask me to login or prevent me from
>>>>>>>>>>>> seeing the page.
>>>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>> </request-map>
>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the browser.
>>>>>>>>>>>> How do permissions precedence work starting from the UI to the
>>>>>>>>>>>> entity
>>>>>>>>>>>> layer.
>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>> Thanks
>>>>>>>>>>>> -Milind
>>>>>>>>>>>>
>>>>>>>>>>>> Here is the log
>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>> RequestHandler.java:243:INFO ] [Processing Request]: main
>>>>>>>>>>>> sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>> RequestManager.java:159:WARN ] [RequestManager.getEventType]
>>>>>>>>>>>> Type
>>>>>>>>>>>> of
>>>>>>>>>>>> event
>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>> RequestManager.java:146:WARN ] [RequestManager.getEventPath]
>>>>>>>>>>>> Path
>>>>>>>>>>>> of
>>>>>>>>>>>> event
>>>>>>>>>>>> for request "checkLogin" not found
>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>> RequestManager.java:172:WARN ] [RequestManager.getEventMethod]
>>>>>>>>>>>> Method
>>>>>>>>>>>> of
>>>>>>>>>>>> event for request "checkLogin" not found
>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>>>>>>>>> ControlServlet.java:205:ERROR]
>>>>>>>>>>>> ---- runtime exception report
>>>>>>>>>>>> --------------------------------------------------
>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>> Message: null
>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php


Re: how to set security and permissions precedence

Posted by Milind W <ma...@mymunshi.com>.
Just tried "ant clean"; it made no difference.
I can proceed to main without being redirected to login with rev#679258.


Relevant log for rev#679258
2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:584:INFO ] servletName=control, view=main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: apache tomcat/6.0.16
2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream

and with rev#677863
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:236:INFO ] [Processing Request]: main sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:262:INFO ] reqParams Map: []
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:263:INFO ] queryString:
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:273:INFO ] checkLogin: queryString=
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:578:INFO ] servletName=control, view=login sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream

The LoginWorker seems to be invoked with rev#677863 and not with rev#679258.
Any idea?

> Did you try an "ant clean"? There have been some changes recently that
> imply this cleanup.
>
> Jacques
>
> From: "Milind W" <ma...@mymunshi.com>
>> Looks like I have a problem making this example work with
>> revision#679258
>>
>> It worked fine (i.e. I was redirected to login screen before I could get
>> to main) with rev#677863
>>
>> Looks like the view
>> <view-map name="login" type="screen"
>> page="component://marketing/widget/CommonScreens.xml#login" />
>> is part of the problem. The CommonScreens.xml has moved and no longer
>> seems to have the 'login' screen.
>>
>> I tried finding another screen with the 'login' view. I found another
>> one in the 'common' component and modified my hello controller to point to
>> <view-map name="login" type="screen"
>> page="component://common/widget/CommonScreens.xml#login"/>
>> but it is not acting the same as previously.
>>
>> Please let me know what is missing (or any suggestion how best to
>> illustrate login) so I can complete and contribute my tutorial for
>> security. Would hate to create a tutorial that worked with one specific
>> build.
>>
>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>
>> Thanks
>> -Milind
>>
>>> hi,
>>> I got login to work by adding the changes below to my controller using
>>> ofbiz4.0.
>>> I don't think I follow the reason with OFBTOOLS base permission not
>>> taking effect in the ofbiz-component as explained in OFBIZ-829.
>>> But I agree with Si Chen on OFBIZ-829
>>> "The right way is to assume no permission until one of the list of
>>> permissions is met." Seems more intuitive.
>>> For now I can work around it so thanks all.
>>> -Milind
>>>
>>>
>>>
>>> <preprocessor>
>>>         <!-- Events to run on every request before security (chains
>>> exempt) -->
>>>         <!-- <event type="java" path="org.ofbiz.webapp.event.TestEvent"
>>> invoke="test"/> -->
>>>         <event type="java" path="org.ofbiz.webapp.control.LoginWorker"
>>> invoke="checkExternalLoginKey"/>
>>>     </preprocessor>
>>>
>>> <!-- Request Mappings -->
>>>
>>>   <request-map uri="checkLogin" edit="false">
>>>         <description>Verify a user is logged in.</description>
>>>         <security https="false" auth="false"/>
>>>         <event type="java" path="org.ofbiz.webapp.control.LoginWorker"
>>> invoke="checkLogin" />
>>>         <response name="success" type="view" value="main" />
>>>         <response name="error" type="view" value="login" />
>>>     </request-map>
>>>
>>>     <request-map uri="login">
>>>         <security https="false" auth="false"/>
>>>         <event type="java" path="org.ofbiz.webapp.control.LoginWorker"
>>> invoke="login"/>
>>>         <response name="success" type="view" value="main"/>
>>>         <response name="error" type="view" value="login"/>
>>>     </request-map>
>>>
>>>
>>> <request-map uri="main">
>>> <security https="false" auth="true" />
>>> <response name="success" type="view" value="main"/>
>>> </request-map>
>>>
>>> <view-map name="login" type="screen"
>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>
>>>
>>>> Not with a direct link to the comment where is the explanation ;p
>>>> Actually it was more a didactic post
>>>>
>>>> Jacques
>>>>
>>>> From: "BJ Freeman" <bj...@free-man.net>
>>>>> LOL
>>>>> that was the first link I sent on this thread.
>>>>>
>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>
>>>>>> You would have gotten
>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>> <ma...@mymunshi.com>
>>>>>> To: <us...@ofbiz.apache.org>
>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>
>>>>>>
>>>>>>> Let me try to break up questions.
>>>>>>> Shouldn't adding
>>>>>>> base-permission="OFBTOOLS"
>>>>>>> to the ofbiz-entity.xml force the user to login with a user id that
>>>>>>> is associated to the OFBTOOLS security group?
>>>>>>> I can see the application I created and the line seems to have no
>>>>>>> effect.
>>>>>>> What is the purpose of the line?
>>>>>>> Thanks
>>>>>>> -Milind
>>>>>>>
>>>>>>>> Please note that opentaps is not at the same level of revision that
>>>>>>>> ofbiz is;
>>>>>>>> there have been changes to security.
>>>>>>>> there are examples in the
>>>>>>>> framework/example
>>>>>>>> and
>>>>>>>> framework/exampleext
>>>>>>>> I believe this to be a better tutorial
>>>>>>>> since they work already.
>>>>>>>>
>>>>>>>>
>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>
>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>> hi,
>>>>>>>>>>> Security Permissions
>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>> I want to understand how security works so I made the following
>>>>>>>>>>> modifications to hello1
>>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the ofbiz-component.xml
>>>>>>>>>>> I could still see the application. I was assuming the application
>>>>>>>>>>> would ask me to login or prevent me from seeing the page.
>>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>> </request-map>
>>>>>>>>>>> This displays "java.lang.NullPointerException" in the browser.
>>>>>>>>>>> How does permissions precedence work starting from the UI to the
>>>>>>>>>>> entity layer?
>>>>>>>>>>> Help appreciated.
>>>>>>>>>>> Thanks
>>>>>>>>>>> -Milind
>>>>>>>>>>>
>>>>>>>>>>> Here is the log
>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:159:WARN ] [RequestManager.getEventType] Type of event for request "checkLogin" not found
>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:146:WARN ] [RequestManager.getEventPath] Path of event for request "checkLogin" not found
>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:172:WARN ] [RequestManager.getEventMethod] Method of event for request "checkLogin" not found
>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ ControlServlet.java:205:ERROR]
>>>>>>>>>>> ---- runtime exception report --------------------------------------------------
>>>>>>>>>>> Error in request handler:
>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>> Message: null
>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
>



Re: how to set security and permissions precedence

Posted by Jacques Le Roux <ja...@les7arts.com>.
Did you try an "ant clean"? There have been some changes recently that imply this cleanup.

Jacques

From: "Milind W" <ma...@mymunshi.com>
> Looks like I have a problem making this example work with revision#679258
> 
> It worked fine (i.e. I was redirected to login screen before I could get to
> main) with rev#677863
> 
> Looks like the view
> <view-map name="login" type="screen"
> page="component://marketing/widget/CommonScreens.xml#login" />
> is part of the problem. The CommonScreens.xml has moved and no longer
> seems to have the 'login' screen.
> 
> I tried finding another screen with the 'login' view. I found another one
> in the 'common' component and modified my hello controller to point to
> <view-map name="login" type="screen"
> page="component://common/widget/CommonScreens.xml#login"/>
> but it is not acting the same as previously.
> 
> Please let me know what is missing (or any suggestion how best to
> illustrate login) so I can complete and contribute my tutorial for
> security. Would hate to create a tutorial that worked with one specific
> build.
> 
> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
> 
> Thanks
> -Milind
> 
>> hi,
>> I got login to work by adding the changes below to my controller using
>> ofbiz4.0.
>> I don't think I follow the reason with OFBTOOLS base permission not
>> taking effect in the ofbiz-component as explained in OFBIZ-829.
>> But I agree with Si Chen on OFBIZ-829
>> "The right way is to assume no permission until one of the list of
>> permissions is met." Seems more intuitive.
>> For now I can work around it so thanks all.
>> -Milind
>>
>>
>>
>> <preprocessor>
>>         <!-- Events to run on every request before security (chains
>> exempt) -->
>>         <!-- <event type="java" path="org.ofbiz.webapp.event.TestEvent"
>> invoke="test"/> -->
>>         <event type="java" path="org.ofbiz.webapp.control.LoginWorker"
>> invoke="checkExternalLoginKey"/>
>>     </preprocessor>
>>
>> <!-- Request Mappings -->
>>
>>   <request-map uri="checkLogin" edit="false">
>>         <description>Verify a user is logged in.</description>
>>         <security https="false" auth="false"/>
>>         <event type="java" path="org.ofbiz.webapp.control.LoginWorker"
>> invoke="checkLogin" />
>>         <response name="success" type="view" value="main" />
>>         <response name="error" type="view" value="login" />
>>     </request-map>
>>
>>     <request-map uri="login">
>>         <security https="false" auth="false"/>
>>         <event type="java" path="org.ofbiz.webapp.control.LoginWorker"
>> invoke="login"/>
>>         <response name="success" type="view" value="main"/>
>>         <response name="error" type="view" value="login"/>
>>     </request-map>
>>
>>
>> <request-map uri="main">
>> <security https="false" auth="true" />
>> <response name="success" type="view" value="main"/>
>> </request-map>
>>
>> <view-map name="login" type="screen"
>> page="component://marketing/widget/CommonScreens.xml#login" />
>>
>>
>>> Not with a direct link to the comment where is the explanation ;p
>>> Actually it was more a didactic post
>>>
>>> Jacques
>>>
>>> From: "BJ Freeman" <bj...@free-man.net>
>>>> LOL
>>>> that was the first link I sent on this thread.
>>>>
>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>
>>>>> You would have gotten
>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>
>>>>>
>>>>> Jacques
>>>>>
>>>>> ----- Original Message ----- From: "Milind W"
>>>>> <ma...@mymunshi.com>
>>>>> To: <us...@ofbiz.apache.org>
>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>> Subject: Re: how to set security and permissions precedence
>>>>>
>>>>>
>>>>>> Let me try to break up questions.
>>>>>> Shouldn't adding
>>>>>> base-permission="OFBTOOLS"
>>>>>> to the ofbiz-entity.xml force the user to login with a user id that
>>>>>> is associated to the OFBTOOLS security group?
>>>>>> I can see the application I created and the line seems to have no
>>>>>> effect.
>>>>>> What is the purpose of the line?
>>>>>> Thanks
>>>>>> -Milind
>>>>>>
>>>>>>> Please note that opentaps is not at the same level of revision that
>>>>>>> ofbiz is;
>>>>>>> there have been changes to security.
>>>>>>> there are examples in the
>>>>>>> framework/example
>>>>>>> and
>>>>>>> framework/exampleext
>>>>>>> I believe this to be a better tutorial
>>>>>>> since they work already.
>>>>>>>
>>>>>>>
>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>
>>>>>>>>
>>>>>>>> BJ Freeman wrote:
>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>
>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>> hi,
>>>>>>>>>> Security Permissions
>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>> I want to understand how security works so I made the following
>>>>>>>>>> modifications to hello1
>>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the ofbiz-component.xml
>>>>>>>>>> I could still see the application. I was assuming the application
>>>>>>>>>> would ask me to login or prevent me from seeing the page.
>>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>>> <request-map uri="main">
>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>> </request-map>
>>>>>>>>>> This displays "java.lang.NullPointerException" in the browser.
>>>>>>>>>> How does permissions precedence work starting from the UI to the
>>>>>>>>>> entity layer?
>>>>>>>>>> Help appreciated.
>>>>>>>>>> Thanks
>>>>>>>>>> -Milind
>>>>>>>>>>
>>>>>>>>>> Here is the log
>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:159:WARN ] [RequestManager.getEventType] Type of event for request "checkLogin" not found
>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:146:WARN ] [RequestManager.getEventPath] Path of event for request "checkLogin" not found
>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:172:WARN ] [RequestManager.getEventMethod] Method of event for request "checkLogin" not found
>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ ControlServlet.java:205:ERROR]
>>>>>>>>>> ---- runtime exception report --------------------------------------------------
>>>>>>>>>> Error in request handler:
>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>> Message: null
>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php

Re: how to set security and permissions precedence

Posted by Milind W <ma...@mymunshi.com>.
Looks like I have a problem making this example work with revision#679258

It worked fine (i.e. I was redirected to login screen before I could get to
main) with rev#677863

Looks like the view
<view-map name="login" type="screen"
page="component://marketing/widget/CommonScreens.xml#login" />
is part of the problem. The CommonScreens.xml has moved and no longer
seems to have the 'login' screen.

I tried finding another screen with the 'login' view. I found another one
in the 'common' component and modified my hello controller to point to
<view-map name="login" type="screen"
page="component://common/widget/CommonScreens.xml#login"/>
but it is not acting the same as previously.

Please let me know what is missing (or any suggestion how best to
illustrate login) so I can complete and contribute my tutorial for
security. Would hate to create a tutorial that worked with one specific
build.

http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results

Thanks
-Milind

> hi,
> I got login to work by adding the changes below to my controller using
> ofbiz4.0.
> I don't think I follow the reason with OFBTOOLS base permission not
> taking effect in the ofbiz-component as explained in OFBIZ-829.
> But I agree with Si Chen on OFBIZ-829
> "The right way is to assume no permission until one of the list of
> permissions is met." Seems more intuitive.
> For now I can work around it so thanks all.
> -Milind
>
>
>
> <preprocessor>
>         <!-- Events to run on every request before security (chains
> exempt) -->
>         <!-- <event type="java" path="org.ofbiz.webapp.event.TestEvent"
> invoke="test"/> -->
>         <event type="java" path="org.ofbiz.webapp.control.LoginWorker"
> invoke="checkExternalLoginKey"/>
>     </preprocessor>
>
> <!-- Request Mappings -->
>
>   <request-map uri="checkLogin" edit="false">
>         <description>Verify a user is logged in.</description>
>         <security https="false" auth="false"/>
>         <event type="java" path="org.ofbiz.webapp.control.LoginWorker"
> 	invoke="checkLogin" />
>         <response name="success" type="view" value="main" />
>         <response name="error" type="view" value="login" />
>     </request-map>
>
>     <request-map uri="login">
>         <security https="false" auth="false"/>
>         <event type="java" path="org.ofbiz.webapp.control.LoginWorker"
> 	invoke="login"/>
>         <response name="success" type="view" value="main"/>
>         <response name="error" type="view" value="login"/>
>     </request-map>
>
>
> 	<request-map uri="main">
> 	<security https="false" auth="true" />
> 	<response name="success" type="view" value="main"/>
> 	</request-map>
>
> <view-map name="login" type="screen"
> page="component://marketing/widget/CommonScreens.xml#login" />
>
>
>> Not with a direct link to the comment where is the explanation ;p
>> Actually it was more a didactic post
>>
>> Jacques
>>
>> From: "BJ Freeman" <bj...@free-man.net>
>>> LOL
>>> that was the first link I sent on this thread.
>>>
>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>
>>>> You would have gotten
>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>
>>>>
>>>> Jacques
>>>>
>>>> ----- Original Message ----- From: "Milind W"
>>>> <ma...@mymunshi.com>
>>>> To: <us...@ofbiz.apache.org>
>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>> Subject: Re: how to set security and permissions precedence
>>>>
>>>>
>>>>> Let me try to break up questions.
>>>>> Shouldn't adding
>>>>> base-permission="OFBTOOLS"
>>>>> to the ofbiz-entity.xml force the user to login with a user id that
>>>>> is associated to the OFBTOOLS security group?
>>>>> I can see the application I created and the line seems to have no
>>>>> effect.
>>>>> What is the purpose of the line?
>>>>> Thanks
>>>>> -Milind
>>>>>
>>>>>> Please note that opentaps is not at the same level of revision that
>>>>>> ofbiz is;
>>>>>> there have been changes to security.
>>>>>> there are examples in the
>>>>>> framework/example
>>>>>> and
>>>>>> framework/exampleext
>>>>>> I believe this to be a better tutorial
>>>>>> since they work already.
>>>>>>
>>>>>>
>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>
>>>>>>>
>>>>>>> BJ Freeman wrote:
>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>
>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>> hi,
>>>>>>>>> Security Permissions
>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>> I want to understand how security works so I made the following
>>>>>>>>> modifications to hello1
>>>>>>>>> 1)I added base-permission="OFBTOOLS" to the ofbiz-component.xml
>>>>>>>>> I could still see the application. I was assuming the application
>>>>>>>>> would ask me to login or prevent me from seeing the page.
>>>>>>>>> 2)I added <security> to the main request
>>>>>>>>> <request-map uri="main">
>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>> </request-map>
>>>>>>>>> This displays "java.lang.NullPointerException" in the browser.
>>>>>>>>> How does permissions precedence work starting from the UI to the
>>>>>>>>> entity layer?
>>>>>>>>> Help appreciated.
>>>>>>>>> Thanks
>>>>>>>>> -Milind
>>>>>>>>>
>>>>>>>>> Here is the log
>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:159:WARN ] [RequestManager.getEventType] Type of event for request "checkLogin" not found
>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:146:WARN ] [RequestManager.getEventPath] Path of event for request "checkLogin" not found
>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:172:WARN ] [RequestManager.getEventMethod] Method of event for request "checkLogin" not found
>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ ControlServlet.java:205:ERROR]
>>>>>>>>> ---- runtime exception report --------------------------------------------------
>>>>>>>>> Error in request handler:
>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>> Message: null
>>>>>>>>> ---- stack trace
>>>>>>>>> ---------------------------------------------------------------
>>>>>>>>> java.lang.NullPointerException
>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>
>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>
>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>
>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>
>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>
>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>
>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>
>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>
>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>
>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>
>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>
>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>
>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>
>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>
>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>
>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>
>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>
>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>
>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>
>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>
>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>
>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>
>



Re: how to set security and permissions precedence

Posted by Jacques Le Roux <ja...@les7arts.com>.
Not with a direct link to the comment where the explanation is ;p
Actually it was more of a didactic post

Jacques

From: "BJ Freeman" <bj...@free-man.net>
> LOL
> that was the first link I sent on this thread.

Re: how to set security and permissions precedence

Posted by BJ Freeman <bj...@free-man.net>.
LOL
that was the first link I sent on this thread.

Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
> OFBiz Wiki is your friend. Just look for OFBTOOLS.
> 
> You would have got
> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
> 
> 
> Jacques


Re: how to set security and permissions precedence

Posted by Jacques Le Roux <ja...@les7arts.com>.
OFBiz Wiki is your friend. Just look for OFBTOOLS.

You would have got http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615

Jacques

----- Original Message ----- 
From: "Milind W" <ma...@mymunshi.com>
To: <us...@ofbiz.apache.org>
Sent: Wednesday, July 30, 2008 8:31 PM
Subject: Re: how to set security and permissions precedence


> Let me try to break up questions.
> Shouldn't adding
> base-permission="OFBTOOLS"
> to the ofbiz-entity.xml force the user to log in with a user id that is
> associated with the OFBTOOLS security group?
> I can see the application I created and the line seems to have no effect.
> What is the purpose of the line?
> Thanks
> -Milind

Re: how to set security and permissions precedence

Posted by BJ Freeman <bj...@free-man.net>.
sorry forgot one link
good discussion
http://mail-archives.apache.org/mod_mbox/ofbiz-dev/200710.mbox/%3C4716ED96.3050901@improov.com%3E

BJ Freeman sent the following on 7/30/2008 1:13 PM:
> http://lists.ofbiz.org/pipermail/jira/2006-April/003536.html
> should help.
> also look at
> https://demo.hotwaxmedia.com/webtools/control/FindGeneric?entityName=SecurityGroupPermission&find=true&VIEW_SIZE=50&VIEW_INDEX=0
> for how permissions are grouped together
> the list of permissions in ofbiz
> https://demo.hotwaxmedia.com/webtools/control/FindGeneric?entityName=SecurityPermission&find=true&VIEW_SIZE=50&VIEW_INDEX=0


Re: how to set security and permissions precedence

Posted by BJ Freeman <bj...@free-man.net>.
http://lists.ofbiz.org/pipermail/jira/2006-April/003536.html
should help.
also look at
https://demo.hotwaxmedia.com/webtools/control/FindGeneric?entityName=SecurityGroupPermission&find=true&VIEW_SIZE=50&VIEW_INDEX=0
for how permissions are grouped together
the list of permissions in ofbiz
https://demo.hotwaxmedia.com/webtools/control/FindGeneric?entityName=SecurityPermission&find=true&VIEW_SIZE=50&VIEW_INDEX=0


Milind W sent the following on 7/30/2008 11:31 AM:
> Let me try to break up questions.
> Shouldn't adding
> base-permission="OFBTOOLS"
> to the ofbiz-entity.xml force the user to log in with a user id that is
> associated with the OFBTOOLS security group?
> I can see the application I created and the line seems to have no effect.
> What is the purpose of the line?
> Thanks
> -Milind
> 
>> Please not that opentaps is not at the same level of revision that ofbiz
>> it
>> there have been  changes to security.
>> there are examples in the
>> framework/example
>> and
>> framework/exampleext
>> I believe this to better tutorial
>> since they work already.
>>
>>
>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>
>>> BJ Freeman wrote:
>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>
>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>> hi,
>>>>> Security Permissions
>>>>> I am using ofbiz rev.79258
>>>>> I want to understand how security works so I made the following
>>>>> modifications to hello1
>>>>> 1)I added base-permission="OFBTOOLS" to the ofbiz-component.xml
>>>>> I could still see the application I was assuming the application would
>>>>> as
>>>>> me to login or prevent me from seeing the page.
>>>>> 2)I added <security> to the main request
>>>>> <request-map uri="main">
>>>>> <security https="false" auth="true"/>
>>>>> <response name="success" type="view" value="main"/>
>>>>> </request-map>
>>>>> This displays "java.lang.NullPointerException" in the browser.
>>>>> How do permissions precedence work starting from the UI to the entity
>>>>> layer.
>>>>> Help appreciated.
>>>>> Thanks
>>>>> -Milind
>>>>>
>>>>> Here is the log
>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>> RequestHandler.java:243:INFO ] [Processing Request]: main
>>>>> sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>> RequestManager.java:159:WARN ] [RequestManager.getEventType] Type of
>>>>> event
>>>>> for request "checkLogin" not found
>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>> RequestManager.java:146:WARN ] [RequestManager.getEventPath] Path of
>>>>> event
>>>>> for request "checkLogin" not found
>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>> RequestManager.java:172:WARN ] [RequestManager.getEventMethod] Method
>>>>> of
>>>>> event for request "checkLogin" not found
>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [
>>>>> ControlServlet.java:205:ERROR]
>>>>> ---- runtime exception report
>>>>> --------------------------------------------------
>>>>> Error in request handler:
>>>>> Exception: java.lang.NullPointerException
>>>>> Message: null
>>>>> ---- stack trace
>>>>> ---------------------------------------------------------------
>>>>> java.lang.NullPointerException
>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>> java.lang.Thread.run(Thread.java:595)
>>>>> --------------------------------------------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>> http://www.opensourcestrategies.com/ofbiz/security.php
>>
> 
> 
> 
> 
> 


Re: how to set security and permissions precedence

Posted by Milind W <ma...@mymunshi.com>.
Let me try to break up the questions.
Shouldn't adding
base-permission="OFBTOOLS"
to the ofbiz-entity.xml force the user to log in with a user id that is
associated to the OFBTOOLS security group?
I can see the application I created and the line seems to have no effect.
What is the purpose of the line?
Thanks
-Milind

> Please note that opentaps is not at the same level of revision that ofbiz
> is; there have been changes to security.
> there are examples in the
> framework/example
> and
> framework/exampleext
> I believe this to be a better tutorial
> since they work already.
>
>
> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>
>>
>> BJ Freeman wrote:
>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>
>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>> hi,
>>>> Security Permissions
>>>> I am using ofbiz rev.79258
>>>> I want to understand how security works so I made the following
>>>> modifications to hello1
>>>> 1)I added base-permission="OFBTOOLS" to the ofbiz-component.xml
>>>> I could still see the application I was assuming the application would
>>>> ask me to log in or prevent me from seeing the page.
>>>> 2)I added <security> to the main request
>>>> <request-map uri="main">
>>>> <security https="false" auth="true"/>
>>>> <response name="success" type="view" value="main"/>
>>>> </request-map>
>>>> This displays "java.lang.NullPointerException" in the browser.
>>>> How do permissions precedence work starting from the UI to the entity
>>>> layer.
>>>> Help appreciated.
>>>> Thanks
>>>> -Milind
>>
>> http://www.opensourcestrategies.com/ofbiz/security.php
>
>



Re: how to set security and permissions precedence

Posted by BJ Freeman <bj...@free-man.net>.
Please note that opentaps is not at the same level of revision that ofbiz is;
there have been changes to security.
there are examples in the
framework/example
and
framework/exampleext
I believe this to be a better tutorial
since they work already.


Balaji Sundar sent the following on 7/29/2008 9:40 PM:
> 
> 
> BJ Freeman wrote:
>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>
>> Milind W sent the following on 7/29/2008 7:58 PM:
>>> hi,
>>> Security Permissions
>>> I am using ofbiz rev.79258
>>> I want to understand how security works so I made the following
>>> modifications to hello1
>>> 1)I added base-permission="OFBTOOLS" to the ofbiz-component.xml
>>> I could still see the application I was assuming the application would ask
>>> me to log in or prevent me from seeing the page.
>>> 2)I added <security> to the main request
>>> <request-map uri="main">
>>> <security https="false" auth="true"/>
>>> <response name="success" type="view" value="main"/>
>>> </request-map>
>>> This displays "java.lang.NullPointerException" in the browser.
>>> How do permissions precedence work starting from the UI to the entity
>>> layer.
>>> Help appreciated.
>>> Thanks
>>> -Milind
> 
> http://www.opensourcestrategies.com/ofbiz/security.php


Re: how to set security and permissions precedence

Posted by Balaji Sundar <ks...@gmail.com>.


BJ Freeman wrote:
> 
> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
> 
> Milind W sent the following on 7/29/2008 7:58 PM:
>> hi,
>> Security Permissions
>> I am using ofbiz rev.79258
>> I want to understand how security works so I made the following
>> modifications to hello1
>> 1)I added base-permission="OFBTOOLS" to the ofbiz-component.xml
>> I could still see the application I was assuming the application would ask
>> me to log in or prevent me from seeing the page.
>> 2)I added <security> to the main request
>> <request-map uri="main">
>> <security https="false" auth="true"/>
>> <response name="success" type="view" value="main"/>
>> </request-map>
>> This displays "java.lang.NullPointerException" in the browser.
>> How do permissions precedence work starting from the UI to the entity
>> layer.
>> Help appreciated.
>> Thanks
>> -Milind

http://www.opensourcestrategies.com/ofbiz/security.php


Re: how to set security and permissions precedence

Posted by BJ Freeman <bj...@free-man.net>.
http://docs.ofbiz.org/display/OFBTECH/OFBiz+security

Milind W sent the following on 7/29/2008 7:58 PM:
> hi,
> Security Permissions
> I am using ofbiz rev.79258
> I want to understand how security works so I made the following
> modifications to hello1
> 1)I added base-permission="OFBTOOLS" to the ofbiz-component.xml
> I could still see the application I was assuming the application would ask
> me to log in or prevent me from seeing the page.
> 2)I added <security> to the main request
> <request-map uri="main">
> <security https="false" auth="true"/>
> <response name="success" type="view" value="main"/>
> </request-map>
> This displays "java.lang.NullPointerException" in the browser.
> How do permissions precedence work starting from the UI to the entity layer.
> Help appreciated.
> Thanks
> -Milind
>
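
Added example, not code from the thread or from OFBiz: the three WARN lines in the log say the request handler looked for a request named "checkLogin" and found no event type, path or method for it, immediately before the NullPointerException in getHandlerClass. This lint checks a single controller file for that condition. It assumes auth="true" is enforced through a checkLogin request-map in the same file and does not follow included controllers; the sample XML and its class names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the request-map from the post, in a controller that
# defines no "checkLogin" request (assumed to match the hello1 setup).
BROKEN = """<site-conf>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
</site-conf>"""

# Constructed sample: the same controller plus a checkLogin request with a
# complete event. The class names are hypothetical placeholders.
FIXED = """<site-conf>
  <handler name="java" type="request" class="com.example.JavaEventHandler"/>
  <request-map uri="checkLogin">
    <security https="false" auth="false"/>
    <event type="java" path="com.example.LoginEvents" method="checkLogin"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
</site-conf>"""


def requires_auth(request_map):
    """True when the request-map carries <security auth="true"/>."""
    security = request_map.find("security")
    return security is not None and security.get("auth") == "true"


def lint_controller(xml_text):
    """Return findings for auth="true" requests whose login check cannot run."""
    root = ET.fromstring(xml_text)
    requests = {rm.get("uri"): rm
                for rm in root.iter("request-map") if rm.get("uri")}
    protected = sorted(uri for uri, rm in requests.items() if requires_auth(rm))
    if not protected:
        return []  # nothing asks for authentication, nothing to verify
    check = requests.get("checkLogin")
    if check is None:
        return ['auth="true" on %s but no request-map uri="checkLogin"'
                % ", ".join(protected)]
    event = check.find("event")
    if event is None:
        return ["checkLogin request-map has no <event>"]
    # These are the three attributes the WARN lines report as "not found".
    findings = ["checkLogin event is missing attribute %r" % attr
                for attr in ("type", "path", "method") if not event.get(attr)]
    # The event type must name a declared request handler.
    handlers = {h.get("name") for h in root.iter("handler")
                if h.get("type") == "request"}
    if event.get("type") and event.get("type") not in handlers:
        findings.append("no request handler declared for event type %r"
                        % event.get("type"))
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_controller(text) or "ok")
```
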