Posted to commits@ofbiz.apache.org by jl...@apache.org on 2008/12/17 21:50:11 UTC
svn commit: r727508 - in /ofbiz/trunk: applications/party/config/
applications/party/webapp/partymgr/WEB-INF/ applications/party/widget/
applications/party/widget/partymgr/
applications/securityext/script/org/ofbiz/securityext/securitygroup/
applicatio...
Author: jleroux
Date: Wed Dec 17 12:50:11 2008
New Revision: 727508
URL: http://svn.apache.org/viewvc?rev=727508&view=rev
Log:
Close "Grey list feature for confidential data access" (https://issues.apache.org/jira/browse/OFBIZ-2074) - OFBIZ-2074
I put an explanation in http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
Added:
ofbiz/trunk/framework/common/webcommon/viewBlocked.ftl
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ProtectViewWorker.java
Modified:
ofbiz/trunk/applications/party/config/PartyUiLabels.xml
ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/controller.xml
ofbiz/trunk/applications/party/widget/Menus.xml
ofbiz/trunk/applications/party/widget/partymgr/SecurityForms.xml
ofbiz/trunk/applications/party/widget/partymgr/SecurityScreens.xml
ofbiz/trunk/applications/securityext/script/org/ofbiz/securityext/securitygroup/SecurityGroupServices.xml
ofbiz/trunk/applications/securityext/servicedef/services.xml
ofbiz/trunk/framework/common/config/CommonUiLabels.xml
ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
ofbiz/trunk/framework/common/widget/CommonScreens.xml
ofbiz/trunk/framework/security/config/security.properties
ofbiz/trunk/framework/security/entitydef/entitymodel.xml
ofbiz/trunk/framework/webapp/config/WebappUiLabels.xml
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
Modified: ofbiz/trunk/applications/party/config/PartyUiLabels.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/config/PartyUiLabels.xml?rev=727508&r1=727507&r2=727508&view=diff
==============================================================================
--- ofbiz/trunk/applications/party/config/PartyUiLabels.xml (original)
+++ ofbiz/trunk/applications/party/config/PartyUiLabels.xml Wed Dec 17 12:50:11 2008
@@ -2144,6 +2144,10 @@
<value xml:lang="th">à¹à¸ªà¸à¸à¸à¸£à¸°à¸§à¸±à¸à¸´à¸à¸à¸à¸à¸¥à¸¸à¹à¸¡à¸à¸¹à¹à¹à¸à¹</value>
<value xml:lang="zh">æµè§ä¼åæ¡£æ¡</value>
</property>
+ <property key="PartyProtectedViewsForSecurityGroup">
+ <value xml:lang="en">Protected Views For SecurityGroup</value>
+ <value xml:lang="fr">Vues protégées pour le groupe de sécurité</value>
+ </property>
<property key="PageTitleViewPartyRole">
<value xml:lang="de">Akteur Rollen anzeigen</value>
<value xml:lang="en">View Party Roles</value>
@@ -2345,6 +2349,10 @@
<value xml:lang="th">à¹à¸à¸´à¹à¸¡à¸ªà¸´à¸à¸à¹à¸²à¹à¸à¸£à¸²à¸¢à¸à¸²à¸£</value>
<value xml:lang="zh">æ产åæ·»å å°å表</value>
</property>
+ <property key="PartyAddProtectedViewToSecurityGroup">
+ <value xml:lang="en">Add a Protected View to SecurityGroup</value>
+ <value xml:lang="fr">Ajouter une vue protégée à ce groupe de sécurité</value>
+ </property>
<property key="PartyAddPurpose">
<value xml:lang="de">Zweck hinzufügen</value>
<value xml:lang="en">Add Purpose</value>
@@ -5030,6 +5038,14 @@
<value xml:lang="th">à¹à¸à¹à¸à¸¡à¹à¸²à¸¢</value>
<value xml:lang="zh">丧å¶</value>
</property>
+ <property key="PartyMaxHit">
+ <value xml:lang="en">Maximum number of visits</value>
+ <value xml:lang="fr">Nombre maximum de visites</value>
+ </property>
+ <property key="PartyMaxHitDuration">
+ <value xml:lang="en">Duration during which the visits are considered (in seconds)</value>
+ <value xml:lang="fr">Durée pendant laquelle les visites sont considérées (en secondes)</value>
+ </property>
<property key="PartyMechPurposeTypeNotFound">
<value xml:lang="de">Zweck Typ nicht gefunden mit der ID</value>
<value xml:lang="en">Purpose Type not found with ID</value>
@@ -6320,6 +6336,10 @@
<value xml:lang="ru">ÐÑоÑилÑ</value>
<value xml:lang="th">à¸à¸£à¸°à¸§à¸±à¸à¸´à¸ªà¹à¸§à¸à¸à¸±à¸§</value>
<value xml:lang="zh">ç®ä»</value>
+ </property>
+ <property key="PartyProtectedViews">
+ <value xml:lang="en">Protected Views</value>
+ <value xml:lang="fr">Vues protégées</value>
</property>
<property key="PartyProveinceInCanadaMissing">
<value xml:lang="de">Provinz fehlt und wird benötigt für eine Adresse in Kanada.</value>
@@ -7165,6 +7185,10 @@
<value xml:lang="th">à¸à¸¹à¹à¸à¸±à¸à¸«à¸²</value>
<value xml:lang="zh">ä¾è´§å</value>
</property>
+ <property key="PartyTarpitDuration">
+ <value xml:lang="en">Duration during which the view will not be accessible (in seconds)</value>
+ <value xml:lang="fr">Durée pendant laquelle la vue ne sera plus accessible (en secondes)</value>
+ </property>
<property key="PartyTaxAddInfo">
<value xml:lang="de">Steuerangaben hinzufügen</value>
<value xml:lang="en">Add Tax Info</value>
@@ -7732,6 +7756,10 @@
<value xml:lang="th">Security Error: à¹à¸à¸à¸²à¸£à¸£à¸±à¸à¸à¹à¸²à¸£à¸«à¸±à¸ªà¹à¸à¸£à¸©à¸à¸µà¸¢à¹ à¸à¸¸à¸à¸à¹à¸à¸à¹à¸à¹à¸£à¸±à¸à¸à¸à¸¸à¸à¸²à¸à¸à¸²à¸ PARTY_VIEW หรืภPARTY_ADMIN à¸à¹à¸à¸</value>
<value xml:lang="zh">å®å
¨é误: è¦è¿è¡ getPostalAddressBoundaryï¼ä½ å¿
é¡»å
·æ PARTY_VIEW æ PARTY_ADMIN æé</value>
</property>
+ <property key="PartyViewName">
+ <value xml:lang="en">View Name</value>
+ <value xml:lang="fr">Nom de la vue</value>
+ </property>
<property key="PartyViewSegmentRoles">
<value xml:lang="de">Akteur Segment Rolle anzeigen</value>
<value xml:lang="en">View Party Segment Roles</value>
Modified: ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/controller.xml?rev=727508&r1=727507&r2=727508&view=diff
==============================================================================
--- ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/controller.xml (original)
+++ ofbiz/trunk/applications/party/webapp/partymgr/WEB-INF/controller.xml Wed Dec 17 12:50:11 2008
@@ -465,7 +465,26 @@
<response name="success" type="view" value="EditUserLoginSecurityGroups"/>
<response name="error" type="view" value="EditUserLoginSecurityGroups"/>
</request-map>
-
+ <request-map uri="EditSecurityGroupProtectedViews"><security https="true" auth="true"/><response name="success" type="view" value="EditSecurityGroupProtectedViews"/></request-map>
+ <request-map uri="addProtectedViewToSecurityGroup">
+ <security https="true" auth="true"/>
+ <event type="service" path="" invoke="addProtectedViewToSecurityGroup"/>
+ <response name="success" type="view" value="EditSecurityGroupProtectedViews"/>
+ <response name="error" type="view" value="EditSecurityGroupProtectedViews"/>
+ </request-map>
+ <request-map uri="updateProtectedViewToSecurityGroup">
+ <security https="true" auth="true"/>
+ <event type="service" path="" invoke="updateProtectedViewToSecurityGroup"/>
+ <response name="success" type="view" value="EditSecurityGroupProtectedViews"/>
+ <response name="error" type="view" value="EditSecurityGroupProtectedViews"/>
+ </request-map>
+ <request-map uri="removeProtectedViewFromSecurityGroup">
+ <security https="true" auth="true"/>
+ <event type="service" path="" invoke="removeProtectedViewFromSecurityGroup"/>
+ <response name="success" type="view" value="EditSecurityGroupProtectedViews"/>
+ <response name="error" type="view" value="EditSecurityGroupProtectedViews"/>
+ </request-map>
+
<request-map uri="createnewlogin"><security https="true" auth="true"/><response name="success" type="view" value="createnewlogin"/></request-map>
<request-map uri="createUserLogin">
<security https="true" auth="true"/>
@@ -1170,7 +1189,8 @@
<view-map name="EditSecurityGroup" type="screen" page="component://party/widget/partymgr/SecurityScreens.xml#EditSecurityGroup"/>
<view-map name="EditSecurityGroupPermissions" type="screen" page="component://party/widget/partymgr/SecurityScreens.xml#EditSecurityGroupPermissions"/>
<view-map name="EditSecurityGroupUserLogins" type="screen" page="component://party/widget/partymgr/SecurityScreens.xml#EditSecurityGroupUserLogins"/>
-
+ <view-map name="EditSecurityGroupProtectedViews" type="screen" page="component://party/widget/partymgr/SecurityScreens.xml#EditSecurityGroupProtectedViews"/>
+
<view-map name="CertIssuerProvisions" type="screen" page="component://party/widget/partymgr/SecurityScreens.xml#EditX509IssuerProvisions"/>
<view-map name="ViewCertificate" type="screen" page="component://party/widget/partymgr/SecurityScreens.xml#ViewCertificate"/>
Modified: ofbiz/trunk/applications/party/widget/Menus.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/Menus.xml?rev=727508&r1=727507&r2=727508&view=diff
==============================================================================
--- ofbiz/trunk/applications/party/widget/Menus.xml (original)
+++ ofbiz/trunk/applications/party/widget/Menus.xml Wed Dec 17 12:50:11 2008
@@ -32,5 +32,8 @@
<menu-item name="EditSecurityGroupUserLogins" title="${uiLabelMap.PartyUserLogins}">
<link target="EditSecurityGroupUserLogins?groupId=${groupId}"/>
</menu-item>
+ <menu-item name="EditSecurityGroupProtectedViews" title="${uiLabelMap.PartyProtectedViews}">
+ <link target="EditSecurityGroupProtectedViews?groupId=${groupId}"/>
+ </menu-item>
</menu>
</menus>
Modified: ofbiz/trunk/applications/party/widget/partymgr/SecurityForms.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/SecurityForms.xml?rev=727508&r1=727507&r2=727508&view=diff
==============================================================================
--- ofbiz/trunk/applications/party/widget/partymgr/SecurityForms.xml (original)
+++ ofbiz/trunk/applications/party/widget/partymgr/SecurityForms.xml Wed Dec 17 12:50:11 2008
@@ -154,7 +154,38 @@
</field>
<field name="submitButton" title="${uiLabelMap.CommonAdd}"><submit button-type="button"/></field>
</form>
-
+
+ <!-- SecurityGroupProtectedViews -->
+ <form name="ListSecurityGroupProtectedViews" type="list" list-name="securityGroupProtectedViewsList" target="updateProtectedViewToSecurityGroup"
+ odd-row-style="alternate-row" header-row-style="header-row-2" default-table-style="basic-table hover-bar">
+ <actions>
+ <entity-condition entity-name="ProtectedView">
+ <condition-expr field-name="groupId" env-name="groupId"/>
+ <order-by field-name="viewNameId"/>
+ </entity-condition>
+ </actions>
+ <field name="groupId"><hidden/></field>
+ <field name="viewNameId" title="${uiLabelMap.PartyViewName}"><display/></field>
+ <field name="maxHits" title="${uiLabelMap.PartyMaxHit}"><text/></field>
+ <field name="maxHitsDuration" title="${uiLabelMap.PartyMaxHitDuration}"><text/></field>
+ <field name="tarpitDuration" title="${uiLabelMap.PartyTarpitDuration}"><text/></field>
+ <field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field>
+ <field name="deleteLink" title="${uiLabelMap.CommonEmptyHeader}" widget-style="buttontext">
+ <hyperlink description="${uiLabelMap.CommonRemove}" target="removeProtectedViewFromSecurityGroup?groupId=${groupId}&viewNameId=${viewNameId}" also-hidden="false"/>
+ </field>
+ </form>
+
+ <form name="AddSecurityGroupProtectedView" type="single" target="addProtectedViewToSecurityGroup"
+ header-row-style="header-row" default-table-style="basic-table">
+ <auto-fields-service service-name="addProtectedViewToSecurityGroup"/>
+ <field name="groupId"><hidden/></field>
+ <field name="viewNameId" title="${uiLabelMap.PartyViewName}"><text size="60" maxlength="60"/></field>
+ <field name="maxHits" title="${uiLabelMap.PartyMaxHit}"><text size="20" maxlength="20"/></field>
+ <field name="maxHitsDuration" title="${uiLabelMap.PartyMaxHitDuration}"><text size="20" maxlength="20"/></field>
+ <field name="tarpitDuration" title="${uiLabelMap.PartyTarpitDuration}"><text size="20" maxlength="20"/></field>
+ <field name="submitButton" title="${uiLabelMap.CommonAdd}"><submit button-type="button"/></field>
+ </form>
+
<form name="CertIssuerList" type="list" list-name="issuerProvisions"
odd-row-style="alternate-row" default-table-style="basic-table hover-bar">
<actions>
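Review bot: The `deleteLink` field of `ListSecurityGroupProtectedViews` invokes `removeProtectedViewFromSecurityGroup` through a plain hyperlink, so a change to security-group configuration is carried out by a GET request; a prefetching browser or a link an administrator is lured into following performs the removal with the administrator's session. The sibling list forms in this file presumably follow the same pattern, but for an entity that governs access limits it is worth making the row action a form submit (a `<submit>` field on a `type="list"` form targeting `removeProtectedViewFromSecurityGroup`) so the removal only happens on POST. The form definition starts inside this hunk, so the whole form is visible here.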
Modified: ofbiz/trunk/applications/party/widget/partymgr/SecurityScreens.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/SecurityScreens.xml?rev=727508&r1=727507&r2=727508&view=diff
==============================================================================
--- ofbiz/trunk/applications/party/widget/partymgr/SecurityScreens.xml (original)
+++ ofbiz/trunk/applications/party/widget/partymgr/SecurityScreens.xml Wed Dec 17 12:50:11 2008
@@ -181,7 +181,29 @@
</widgets>
</section>
</screen>
-
+ <screen name="EditSecurityGroupProtectedViews">
+ <section>
+ <actions>
+ <set field="titleProperty" value="PartyAddProtectedViewToSecurityGroup"/>
+ <set field="tabButtonItem" value="EditSecurityGroupProtectedViews"/>
+ <set field="labelTitleProperty" value="PartyProtectedViewsForSecurityGroup"/>
+
+ <set field="groupId" from-field="parameters.groupId"/>
+ <entity-one entity-name="SecurityGroup" value-name="securityGroup"/>
+ </actions>
+ <widgets>
+ <decorator-screen name="SecurityGroupDecorator" location="${parameters.mainDecoratorLocation}">
+ <decorator-section name="body">
+ <screenlet id="AddSecurityGroupProtectedViewsPanel" title="${uiLabelMap.PartyAddProtectedViewToSecurityGroup}" collapsible="true">
+ <include-form name="AddSecurityGroupProtectedView" location="component://party/widget/partymgr/SecurityForms.xml"/>
+ </screenlet>
+ <include-form name="ListSecurityGroupProtectedViews" location="component://party/widget/partymgr/SecurityForms.xml"/>
+ </decorator-section>
+ </decorator-screen>
+ </widgets>
+ </section>
+ </screen>
+
<screen name="EditX509IssuerProvisions">
<section>
<actions>
Modified: ofbiz/trunk/applications/securityext/script/org/ofbiz/securityext/securitygroup/SecurityGroupServices.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/securityext/script/org/ofbiz/securityext/securitygroup/SecurityGroupServices.xml?rev=727508&r1=727507&r2=727508&view=diff
==============================================================================
--- ofbiz/trunk/applications/securityext/script/org/ofbiz/securityext/securitygroup/SecurityGroupServices.xml (original)
+++ ofbiz/trunk/applications/securityext/script/org/ofbiz/securityext/securitygroup/SecurityGroupServices.xml Wed Dec 17 12:50:11 2008
@@ -133,4 +133,43 @@
<!-- clear the org.ofbiz.security.Security object's custom cache by userLoginId -->
<call-bsh><![CDATA[ org.ofbiz.security.Security.userLoginSecurityGroupByUserLoginId.remove(parameters.get("userLoginId")); ]]></call-bsh>
</simple-method>
+
+ <!-- ProtectedView to SecurityGroup methods -->
+ <simple-method method-name="addProtectedViewToSecurityGroup" short-description="Add ProtectedView To SecurityGroup">
+ <check-permission permission="SECURITY" action="_CREATE"><fail-message message="Security Error: to run addProtectedViewToSecurityGroup you must have the SECURITY_CREATE or SECURITY_ADMIN permission"/></check-permission>
+ <check-errors/>
+
+ <make-value value-name="newEntity" entity-name="ProtectedView"/>
+ <set-pk-fields map-name="parameters" value-name="newEntity"/>
+ <set-nonpk-fields map-name="parameters" value-name="newEntity"/>
+
+ <create-value value-name="newEntity"/>
+
+ <!-- clear the org.ofbiz.security.Security object's custom cache by newEntity -->
+ <call-bsh><![CDATA[ org.ofbiz.security.Security.userLoginSecurityGroupByUserLoginId.remove(newEntity); ]]></call-bsh>
+ </simple-method>
+ <simple-method method-name="updateProtectedViewToSecurityGroup" short-description="Update ProtectedView to SecurityGroup">
+ <check-permission permission="SECURITY" action="_UPDATE"><fail-message message="Security Error: to run updateProtectedViewToSecurityGroup you must have the SECURITY_UPDATE or SECURITY_ADMIN permission"/></check-permission>
+ <check-errors/>
+ <make-value entity-name="ProtectedView" value-name="lookupPKMap"/>
+ <set-pk-fields map-name="parameters" value-name="lookupPKMap"/>
+ <find-by-primary-key entity-name="ProtectedView" map-name="lookupPKMap" value-name="lookedUpValue"/>
+ <set-nonpk-fields map-name="parameters" value-name="lookedUpValue"/>
+ <store-value value-name="lookedUpValue"/>
+
+ <!-- clear the org.ofbiz.security.Security object's custom cache by lookupPKMap -->
+ <call-bsh><![CDATA[ org.ofbiz.security.Security.userLoginSecurityGroupByUserLoginId.remove(lookupPKMap); ]]></call-bsh>
+ </simple-method>
+ <simple-method method-name="removeProtectedViewFromSecurityGroup" short-description="Remove ProtectedView From SecurityGroup">
+ <check-permission permission="SECURITY" action="_DELETE"><fail-message message="Security Error: to run removeProtectedViewFromSecurityGroup you must have the SECURITY_DELETE or SECURITY_ADMIN permission"/></check-permission>
+ <check-errors/>
+
+ <make-value entity-name="ProtectedView" value-name="lookupPKMap"/>
+ <set-pk-fields map-name="parameters" value-name="lookupPKMap"/>
+ <find-by-primary-key entity-name="ProtectedView" map-name="lookupPKMap" value-name="lookedUpValue"/>
+ <remove-value value-name="lookedUpValue"/>
+
+ <!-- clear the org.ofbiz.security.Security object's custom cache by lookupPKMap -->
+ <call-bsh><![CDATA[ org.ofbiz.security.Security.userLoginSecurityGroupByUserLoginId.remove(lookupPKMap); ]]></call-bsh>
+ </simple-method>
</simple-methods>
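Review bot: The three `call-bsh` cache clears are copied from the user-login methods above and do nothing here: `userLoginSecurityGroupByUserLoginId` is keyed by userLoginId, while `remove(newEntity)` and `remove(lookupPKMap)` pass a ProtectedView value, so no entry is evicted and the comment above each call misleads the next maintainer. Either drop them or invalidate whatever actually holds ProtectedView state (the new ProtectViewWorker keeps its own static maps; the entity cache, if any, is presumably handled by the create/store/remove operations themselves). `updateProtectedViewToSecurityGroup` and `removeProtectedViewFromSecurityGroup` also call `store-value`/`remove-value` on `lookedUpValue` without checking that `find-by-primary-key` found a row, so an unknown `groupId`/`viewNameId` pair surfaces as an exception rather than a service error; an `if-empty` check on `lookedUpValue` that adds an error message followed by `check-errors` before the store/remove closes that gap.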
Modified: ofbiz/trunk/applications/securityext/servicedef/services.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/securityext/servicedef/services.xml?rev=727508&r1=727507&r2=727508&view=diff
==============================================================================
--- ofbiz/trunk/applications/securityext/servicedef/services.xml (original)
+++ ofbiz/trunk/applications/securityext/servicedef/services.xml Wed Dec 17 12:50:11 2008
@@ -80,7 +80,30 @@
<attribute name="groupId" type="String" mode="IN" optional="false"/>
<attribute name="fromDate" type="Timestamp" mode="IN" optional="false"/>
</service>
-
+
+ <!-- ProtectedView to SecurityGroup services -->
+ <service name="addProtectedViewToSecurityGroup" engine="simple" location="org/ofbiz/securityext/securitygroup/SecurityGroupServices.xml" invoke="addProtectedViewToSecurityGroup" auth="true">
+ <description>Add a ProtectedView to a SecurityGroup</description>
+ <attribute name="viewNameId" type="String" mode="IN" optional="false"/>
+ <attribute name="groupId" type="String" mode="IN" optional="false"/>
+ <attribute name="maxHits" type="Integer" mode="IN" optional="false"/>
+ <attribute name="maxHitsDuration" type="Long" mode="IN" optional="false"/>
+ <attribute name="tarpitDuration" type="Long" mode="IN" optional="false"/>
+ </service>
+ <service name="updateProtectedViewToSecurityGroup" engine="simple" location="org/ofbiz/securityext/securitygroup/SecurityGroupServices.xml" invoke="updateProtectedViewToSecurityGroup" auth="true">
+ <description>Update a ProtectedView to SecurityGroup Appl</description>
+ <attribute name="viewNameId" type="String" mode="IN" optional="false"/>
+ <attribute name="groupId" type="String" mode="IN" optional="false"/>
+ <attribute name="maxHits" type="Integer" mode="IN" optional="false"/>
+ <attribute name="maxHitsDuration" type="Long" mode="IN" optional="false"/>
+ <attribute name="tarpitDuration" type="Long" mode="IN" optional="false"/>
+ </service>
+ <service name="removeProtectedViewFromSecurityGroup" engine="simple" location="org/ofbiz/securityext/securitygroup/SecurityGroupServices.xml" invoke="removeProtectedViewFromSecurityGroup" auth="true">
+ <description>Remove a ProtectedView from a SecurityGroup</description>
+ <attribute name="viewNameId" type="String" mode="IN" optional="false"/>
+ <attribute name="groupId" type="String" mode="IN" optional="false"/>
+ </service>
+
<!-- certificate services -->
<service name="importIssuerProvision" engine="java" auth="true"
location="org.ofbiz.securityext.cert.CertificateServices" invoke="importIssuerCertificate">
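Review bot: The description of `updateProtectedViewToSecurityGroup`, `Update a ProtectedView to SecurityGroup Appl`, is a copy-paste remnant; `Update a ProtectedView of a SecurityGroup` says what the service does. The numeric attributes are typed inconsistently as well: `maxHits` is `Integer` while `maxHitsDuration` and `tarpitDuration` are `Long`, although all three back `numeric` fields of the ProtectedView entity added in this commit, so declaring all three `Long` avoids a per-field conversion. None of the services rejects negative values, which have no meaning for a hit count or a duration in seconds; a validation in the simple-methods (or a `type-validate` on these IN attributes) keeps a mistyped limit from silently weakening the protection.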
Modified: ofbiz/trunk/framework/common/config/CommonUiLabels.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/config/CommonUiLabels.xml?rev=727508&r1=727507&r2=727508&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/config/CommonUiLabels.xml (original)
+++ ofbiz/trunk/framework/common/config/CommonUiLabels.xml Wed Dec 17 12:50:11 2008
@@ -826,6 +826,10 @@
<value xml:lang="zh">åæ¥</value>
<value xml:lang="zh_CN">让å©</value>
</property>
+ <property key="CommonViewBlocked">
+ <value xml:lang="en">Access to this view has been blocked.</value>
+ <value xml:lang="fr">L'accès à cette page a été bloqué.</value>
+ </property>
<property key="CommonBeLogged">
<value xml:lang="ar">دخÙÙ</value>
<value xml:lang="cs">PÅihlásit</value>
@@ -7640,6 +7644,10 @@
<value xml:lang="zh">æ°å»ºæ°æ®æºç±»å</value>
<value xml:lang="zh_CN">å¢å æ°æ°æ®æºç±»å</value>
</property>
+ <property key="PageTitleViewBlocked">
+ <value xml:lang="en">View Blocked</value>
+ <value xml:lang="en">Page bloquée</value>
+ </property>
<property key="PageTitleEditDataSource">
<value xml:lang="ar">تØرÙر Ù
صدر اÙÙ
عÙÙÙ
ات</value>
<value xml:lang="de">Datenquelle bearbeiten</value>
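Review bot: The second value under `PageTitleViewBlocked` is tagged `xml:lang="en"` but holds the French text `Page bloquée`, so the English title is defined twice and the French one not at all; it should read `<value xml:lang="fr">Page bloquée</value>`, matching the `CommonViewBlocked` property in the first hunk of this file.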
Modified: ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml?rev=727508&r1=727507&r2=727508&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml (original)
+++ ofbiz/trunk/framework/common/webcommon/WEB-INF/common-controller.xml Wed Dec 17 12:50:11 2008
@@ -52,6 +52,7 @@
<event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="check509CertLogin"/>
<event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkRequestHeaderLogin"/>
<event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
+ <event type="java" path="org.ofbiz.webapp.control.ProtectViewWorker" invoke="checkProtectedView"/>
</preprocessor>
<postprocessor>
<!-- Events to run on every request after all other processing (chains exempt) -->
@@ -136,6 +137,10 @@
<response name="success" type="view" value="main"/>
</request-map>
+ <request-map uri="viewBlocked">
+ <response name="success" type="view" value="viewBlocked"/>
+ </request-map>
+
<!-- View Mappings -->
<view-map name="error" page="/error/error.jsp"/>
<view-map name="main" type="none"/>
@@ -150,4 +155,6 @@
<view-map name="ajaxAutocompleteOptions" type="screen" page="component://common/widget/CommonScreens.xml#ajaxAutocompleteOptions"/>
<view-map name="help" type="screen" page="component://common/widget/CommonScreens.xml#help"/>
+
+ <view-map name="viewBlocked" type="screen" page="component://common/widget/CommonScreens.xml#viewBlocked"/>
</site-conf>
Added: ofbiz/trunk/framework/common/webcommon/viewBlocked.ftl
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/webcommon/viewBlocked.ftl?rev=727508&view=auto
==============================================================================
--- ofbiz/trunk/framework/common/webcommon/viewBlocked.ftl (added)
+++ ofbiz/trunk/framework/common/webcommon/viewBlocked.ftl Wed Dec 17 12:50:11 2008
@@ -0,0 +1,32 @@
+<#--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<center>
+ <div class="screenlet login-screenlet">
+ <div class="screenlet-title-bar">
+ <h3>${uiLabelMap.CommonViewBlocked}</h3>
+ </div>
+ <div class="screenlet-body">
+ ${errorMessage?if_exists}
+ <br/>
+ </div>
+ </div>
+</center>
+
+
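Review bot: `${errorMessage?if_exists}` is written into the HTML without `?html` escaping. That is harmless while ProtectViewWorker fills it from a UiLabels property, but this is an error page every user can reach, and if the message is ever assembled from request data (the view name, a parameter) it becomes a reflected-markup sink; `${errorMessage?if_exists?html}` costs nothing here. The `viewBlocked` screen in CommonScreens.xml also includes `messages.ftl` right after this template, so whatever that include renders from `errorMessage` may appear twice; confirm which of the two should own the message.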
Modified: ofbiz/trunk/framework/common/widget/CommonScreens.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/common/widget/CommonScreens.xml?rev=727508&r1=727507&r2=727508&view=diff
==============================================================================
--- ofbiz/trunk/framework/common/widget/CommonScreens.xml (original)
+++ ofbiz/trunk/framework/common/widget/CommonScreens.xml Wed Dec 17 12:50:11 2008
@@ -436,4 +436,17 @@
</section>
</screen>
+ <screen name="viewBlocked">
+ <section>
+ <actions>
+ <set field="titleProperty" value="PageTitleViewBlocked"></set>
+ <property-map resource="CommonUiLabels" map-name="uiLabelMap" global="true"/>
+ </actions>
+ <widgets>
+ <platform-specific><html><html-template location="component://common/webcommon/viewBlocked.ftl"/></html></platform-specific>
+ <platform-specific><html><html-template location="component://common/webcommon/includes/messages.ftl"/></html></platform-specific>
+ </widgets>
+ </section>
+ </screen>
+
</screens>
Modified: ofbiz/trunk/framework/security/config/security.properties
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/config/security.properties?rev=727508&r1=727507&r2=727508&view=diff
==============================================================================
--- ofbiz/trunk/framework/security/config/security.properties (original)
+++ ofbiz/trunk/framework/security/config/security.properties Wed Dec 17 12:50:11 2008
@@ -77,3 +77,10 @@
# -- Hours after which EmailAdressVerification should expire
email_verification.expire.hours=48
+
+# -- Name of the protect-view preprocessor method (this should not change, but in case...)
+protect-view.preprocessor=java.org.ofbiz.webapp.control.ProtectViewWorker.checkProtectedView
+
+# -- Name of the default error response view for protected views ("none:" will be rendered as a blank page, see RequestHandler.java)
+#default.error.response.view=none:
+default.error.response.view=view:viewBlocked
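Review bot: `protect-view.preprocessor` restates the event that common-controller.xml now registers (`ProtectViewWorker.checkProtectedView`), which leaves two places that must agree, and the comment does not say which code reads the property or what happens when they diverge. RequestHandler.java is in this commit's modified list but not in this excerpt, so I cannot see the consumer; the comment should name it, e.g. `# -- Read by RequestHandler to recognise the protect-view preprocessor event; must match the event registered in common-controller.xml`. Likewise `default.error.response.view` takes a `view:`/`none:` prefix that only the Java side interprets, and listing the accepted prefixes in the comment rather than pointing at the source helps whoever edits this later.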
Modified: ofbiz/trunk/framework/security/entitydef/entitymodel.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/security/entitydef/entitymodel.xml?rev=727508&r1=727507&r2=727508&view=diff
==============================================================================
--- ofbiz/trunk/framework/security/entitydef/entitymodel.xml (original)
+++ ofbiz/trunk/framework/security/entitydef/entitymodel.xml Wed Dec 17 12:50:11 2008
@@ -191,4 +191,44 @@
<key-map field-name="groupId"/>
</relation>
</entity>
+ <entity entity-name="ProtectedView"
+ package-name="org.ofbiz.security.securitygroup"
+ title="Security Component - Protected View Entity">
+ <description>Defines views protected from data leakage</description>
+ <field name="groupId" type="id-ne"></field>
+ <field name="viewNameId" type="id-long-ne"><description>name of view to protect from data theft</description></field>
+ <field name="maxHits" type="numeric"><description>number of hits before tarpitting a login for a view</description></field>
+ <field name="maxHitsDuration" type="numeric"><description>period of time associated with maxHits (in seconds)</description></field>
+ <field name="tarpitDuration" type="numeric"><description>period of time a login will not be able to acces this view again (in seconds)</description></field>
+ <prim-key field="groupId"/>
+ <prim-key field="viewNameId"/>
+ <relation type="one" fk-name="VIEW_SECGRP_GRP" rel-entity-name="SecurityGroup">
+ <key-map field-name="groupId"/>
+ </relation>
+ <relation type="many" rel-entity-name="SecurityGroupPermission">
+ <key-map field-name="groupId"/>
+ </relation>
+ </entity>
+ <view-entity entity-name="UserLoginAndProtectedView"
+ package-name="org.ofbiz.security.securitygroup"
+ never-cache="true"
+ title="UserLogin And ProtectedView View Entity">
+ <member-entity entity-alias="ULSGPV" entity-name="UserLoginSecurityGroup"/>
+ <member-entity entity-alias="PV" entity-name="ProtectedView"/>
+ <alias-all entity-alias="ULSGPV"/>
+ <alias-all entity-alias="PV"/>
+ <view-link entity-alias="ULSGPV" rel-entity-alias="PV">
+ <key-map field-name="groupId"/>
+ </view-link>
+ </view-entity>
+ <entity entity-name="TarpittedLoginView"
+ package-name="org.ofbiz.security.securitygroup"
+ title="Security Component - Protected View Entity">
+ <description>Login View couple currently tarpitted : any access to the view for the login is denied</description>
+ <field name="viewNameId" type="id-long-ne"><description>name of view protected from data theft</description></field>
+ <field name="userLoginId" type="id-ne"/>
+ <field name="tarpitReleaseDateTime" type="numeric"><description>Date/Time at which the login will gain anew access to the view (in milliseconds from midnight, January 1, 1970 UTC , 0 meaning no tarpit to allow the admin to free a view and to keep history</description></field>
+ <prim-key field="viewNameId"/>
+ <prim-key field="userLoginId"/>
+ </entity>
</entitymodel>
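Review bot: `UserLoginAndProtectedView` joins `UserLoginSecurityGroup` to `ProtectedView` on `groupId` alone, and `UserLoginSecurityGroup` memberships carry `fromDate`/`thruDate`; any consumer of this view has to filter on those dates (the `alias-all` on `ULSGPV` exposes them), otherwise a login whose group membership has expired is still treated as a member of the protected group and its limits are applied or skipped wrongly. A `<description>` on the view-entity stating that requirement would keep callers honest. Smaller points in the same hunk: `TarpittedLoginView` reuses the title `Security Component - Protected View Entity` from `ProtectedView` and should read `Security Component - Tarpitted Login View Entity`; `tarpitReleaseDateTime` is a `numeric` holding epoch milliseconds rather than a `date-time` field, and its description misspells `acces`. The `relation type="many"` from `ProtectedView` to `SecurityGroupPermission` keyed on `groupId` looks copied from SecurityGroup; confirm it is intended.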
Modified: ofbiz/trunk/framework/webapp/config/WebappUiLabels.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/config/WebappUiLabels.xml?rev=727508&r1=727507&r2=727508&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/config/WebappUiLabels.xml (original)
+++ ofbiz/trunk/framework/webapp/config/WebappUiLabels.xml Wed Dec 17 12:50:11 2008
@@ -169,6 +169,7 @@
<property key="coreEvents.no_fields_in_session">
<value xml:lang="de">Keine 'previous fields' auf der Session gefunden</value>
<value xml:lang="en">No previous fields found in session</value>
+ <value xml:lang="fr">Aucun champ précédent appartenant à la session</value>
<value xml:lang="ru">ÐÑедÑдÑÑие Ð¿Ð¾Ð»Ñ Ð² ÑеÑÑии не найденÑ</value>
<value xml:lang="th">à¹à¸¡à¹à¸à¸à¸à¹à¸à¸¡à¸¹à¸¥à¸à¹à¸à¸à¸«à¸à¹à¸²à¸à¸µà¹à¹à¸ session
</value>
@@ -290,6 +291,14 @@
<value xml:lang="th">à¸à¸·à¹à¸à¸à¸¹à¹à¹à¸à¹à¹à¸à¹à¸à¸à¹à¸²à¸§à¹à¸²à¸ à¸à¸£à¸¸à¸à¸²à¸à¸£à¸à¸à¸à¸µà¸à¸à¸£à¸±à¹à¸</value>
<value xml:lang="zh">ç¨æ·åæ¯ç©ºçï¼è¯·éæ°è¾å
¥ã</value>
</property>
+ <property key="protectedviewevents.blocked_message">
+ <value xml:lang="en">This is the blocked message (to be adapted).</value>
+ <value xml:lang="fr">Ceci est le message de bloquage (Ã adapter).</value>
+ </property>
+ <property key="protectedviewevents.tarpitted_message">
+ <value xml:lang="en">This is the tarpitted message (to be adapted).</value>
+ <value xml:lang="fr">Ceci est le message d'engluage (Ã adapter).</value>
+ </property>
<property key="requestHandler.error_call_event">
<value xml:lang="de">Fehler beim Aufruf eines Events</value>
<value xml:lang="en">Error calling event</value>
Added: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ProtectViewWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ProtectViewWorker.java?rev=727508&view=auto
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ProtectViewWorker.java (added)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/ProtectViewWorker.java Wed Dec 17 12:50:11 2008
@@ -0,0 +1,141 @@
+/*******************************************************************************
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ *******************************************************************************/
+package org.ofbiz.webapp.control;
+
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+
+import javolution.util.FastMap;
+
+import org.ofbiz.base.util.Debug;
+import org.ofbiz.base.util.UtilHttp;
+import org.ofbiz.base.util.UtilMisc;
+import org.ofbiz.base.util.UtilProperties;
+import org.ofbiz.base.util.UtilValidate;
+import org.ofbiz.entity.GenericDelegator;
+import org.ofbiz.entity.GenericEntityException;
+import org.ofbiz.entity.GenericValue;
+import org.ofbiz.service.ServiceUtil;
+
+/**
+ * Common Workers
+ */
+public class ProtectViewWorker {
+
+ private final static String module = ProtectViewWorker.class.getName();
+ private static final String resourceWebapp = "WebappUiLabels";
+ private static final FastMap<String, Long> hitsByViewAccessed = FastMap.newInstance();
+ private static final FastMap<String, Long> durationByViewAccessed = FastMap.newInstance();
+ private static final Long one = new Long(1);
+
+ /**
+ * An HTTP WebEvent handler that checks to see if an userLogin should be tarpitted
+ * The decision is made in regard of number of hits in last period of time
+ *
+ * @param request The HTTP request object for the current JSP or Servlet request.
+ * @param response The HTTP response object for the current JSP or Servlet request.
+ * @return String
+ */
+ public static String checkProtectedView(HttpServletRequest request, HttpServletResponse response) {
+ HttpSession session = request.getSession();
+ String viewNameId = RequestHandler.getRequestUri(request.getPathInfo());
+ GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
+ GenericDelegator delegator = (GenericDelegator) request.getAttribute("delegator");
+ String returnValue = "success";
+
+ if (userLogin != null) {
+ String userLoginId = userLogin.getString("userLoginId");
+ try {
+ List<GenericValue> protectedViews = delegator.findByAnd("UserLoginAndProtectedView",
+ UtilMisc.toMap("userLoginId", userLoginId, "viewNameId", viewNameId));
+ // Any views to deal with ?
+ if (UtilValidate.isNotEmpty(protectedViews)) {
+ Long now = System.currentTimeMillis(); // we are not in a margin of some milliseconds
+
+ // Is this login/view couple already tarpitted ? (ie denied access to view for login for a period of time)
+ List<GenericValue> tarpittedLoginViews = delegator.findByAnd("TarpittedLoginView",
+ UtilMisc.toMap("userLoginId", userLoginId, "viewNameId", viewNameId));
+ if (UtilValidate.isNotEmpty(tarpittedLoginViews)) {
+ GenericValue tarpittedLoginView = tarpittedLoginViews.get(0);
+ Long tarpitReleaseDateTime = (Long) tarpittedLoginView.get("tarpitReleaseDateTime");
+ if (now < tarpitReleaseDateTime) {
+ String tarpittedMessage = UtilProperties.getMessage(resourceWebapp, "protectedviewevents.tarpitted_message", UtilHttp.getLocale(request));
+ // reset since now protected by the tarpit duration
+ hitsByViewAccessed.put(viewNameId, new Long(0));
+ return ":_protect_:" + tarpittedMessage;
+ }
+ }
+ GenericValue protectedView = protectedViews.get(0);
+ // 1st hit ?
+ if (UtilValidate.isEmpty(hitsByViewAccessed.get(viewNameId))) {
+ hitsByViewAccessed.put(viewNameId, one);
+ Long maxHitsDuration = (Long) protectedView.get("maxHitsDuration") * 1000;
+ durationByViewAccessed.put(viewNameId, now + maxHitsDuration);
+ } else {
+ Long maxHits = protectedView.getLong("maxHits");
+ Long maxDuration = (Long) durationByViewAccessed.get(viewNameId);
+ Long newMaxHits = (Long) hitsByViewAccessed.get(viewNameId) + one;
+ hitsByViewAccessed.put(viewNameId, newMaxHits);
+ // Are we in a period of time where we need to check if there was too much hits ?
+ if (now < maxDuration) {
+ // Too much hits ?
+ if (newMaxHits > maxHits) { // yes : block and set tarpitReleaseDateTime
+ String blockedMessage = UtilProperties.getMessage(resourceWebapp, "protectedviewevents.blocked_message", UtilHttp.getLocale(request));
+ returnValue = ":_protect_:" + blockedMessage;
+
+ Long tarpitDuration = (Long) protectedView.get("tarpitDuration") * 1000;
+
+ GenericValue tarpittedLoginView = delegator.makeValue("TarpittedLoginView");
+ tarpittedLoginView.set("userLoginId", userLoginId);
+ tarpittedLoginView.set("viewNameId", viewNameId);
+ tarpittedLoginView.set("tarpitReleaseDateTime", now + tarpitDuration);
+
+ try {
+ delegator.createOrStore(tarpittedLoginView);
+ } catch (GenericEntityException e) {
+ Debug.logError(e, "Could not save TarpittedLoginView:", module);
+ }
+ }
+ } else {
+ // The period of time is revolved, we begin a new one.
+ // Actually it's not a discrete process but we do as it was...
+ // We don't need precision here, a theft will be catch anyway !
+ // We could also take an average of hits in the last x periods of time as initial value,
+ // but it would does not make much more sense.
+ // Of course for this to works well the tarpitting period must be long enough...
+ hitsByViewAccessed.put(viewNameId, one);
+ Long maxHitsDuration = (Long) protectedView.get("maxHitsDuration") * 1000;
+ durationByViewAccessed.put(viewNameId, now + maxHitsDuration);
+ }
+ }
+ }
+ } catch (GenericEntityException e) {
+ Map<String, String> messageMap = UtilMisc.toMap("errMessage", e.getMessage());
+ String errMsg = UtilProperties.getMessage("CommonUiLabels", "CommonDatabaseProblem", messageMap, UtilHttp.getLocale(request));
+ Debug.logError(e, errMsg, module);
+ }
+ }
+
+ return returnValue;
+ }
+}
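Review bot: The in-memory counters hitsByViewAccessed and durationByViewAccessed are keyed by viewNameId alone, while the UserLoginAndProtectedView lookup and the TarpittedLoginView record are keyed by userLoginId plus viewNameId, so every login reaching the same protected view shares one hit count and one window, one user's traffic can push another over maxHits, and the `hitsByViewAccessed.put(viewNameId, new Long(0))` reset in the tarpit branch clears the count for everyone. Derive the key once after userLoginId is read, e.g. `String hitKey = userLoginId + "|" + viewNameId;`, and use hitKey in every get/put on both maps. Those maps are also static and shared across request threads, and the get-then-put around `newMaxHits` is not atomic, so concurrent hits on the same key can be lost; synchronizing that read-increment-write sequence (or using a concurrent map with a guarded update) would make the threshold reliable — I can't tell from here whether FastMap.newInstance() returns a shared-safe instance. The class Javadoc "Common Workers" doesn't describe this class; something like `/** Pre-processor event that throttles and tarpits a login's access to views registered as protected for it (UserLoginAndProtectedView). */` would, and the two label messages loaded here are still placeholders ("to be adapted") in the WebappUiLabels hunk above.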
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=727508&r1=727507&r2=727508&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Wed Dec 17 12:50:11 2008
@@ -49,6 +49,7 @@
/**
* RequestHandler - Request Processor Object
*/
+@SuppressWarnings("serial")
public class RequestHandler implements Serializable {
public static final String module = RequestHandler.class.getName();
@@ -106,6 +107,8 @@
}
}
+ String eventReturnString = null;
+
// Check for chained request.
if (chain != null) {
requestUri = RequestHandler.getRequestUri(chain);
@@ -217,7 +220,17 @@
try {
String returnString = this.runEvent(request, response, eType, ePath, eMeth);
if (returnString != null && !returnString.equalsIgnoreCase("success")) {
- throw new EventHandlerException("Pre-Processor event did not return 'success'.");
+ if (!returnString.contains(":_protect_:")) {
+ throw new EventHandlerException("Pre-Processor event did not return 'success'.");
+ } else { // protect the view normally rendered and redirect to error response view
+ returnString = returnString.replace(":_protect_:", "");
+ request.setAttribute("_ERROR_MESSAGE_", returnString);
+ eventReturnString = "protect";
+ // check to see if there is an "protect" response, if so it's ok else show the default_error_response_view
+ if (null == requestManager.getRequestAttribute(requestUri, "protect")) {
+ nextView = UtilProperties.getPropertyValue("security.properties", "default.error.response.view");
+ }
+ }
} else if (returnString == null) {
nextView = "none:";
}
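Review bot: The `:_protect_:` marker is a bare string literal matched with contains() and stripped with replace() here, and the same literal is assembled in ProtectViewWorker.checkProtectedView; a shared constant such as `public static final String PROTECT_PREFIX = ":_protect_:";` on RequestHandler, used with `returnString.startsWith(PROTECT_PREFIX)` and `returnString.substring(PROTECT_PREFIX.length())`, would keep the two sides from drifting and avoid treating a marker that merely appears somewhere inside an ordinary event message as a protect signal. When no "protect" response is configured the code assigns the value of default.error.response.view from security.properties to nextView without checking it; if that key is missing nextView presumably ends up empty, so a guard with a logged error would surface the misconfiguration rather than silently routing to an unexpected view. The enclosing pre-processor loop continues past the end of this hunk, so I can't see whether a later pre-processor can overwrite nextView or eventReturnString after the protect branch — worth confirming a blocked view cannot be re-opened by a subsequent event.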
@@ -238,7 +251,6 @@
if (Debug.infoOn()) Debug.logInfo("[Processing Request]: " + requestUri + " sessionId=" + UtilHttp.getSessionId(request), module);
request.setAttribute("thisRequestUri", requestUri); // store the actual request URI
- String eventReturnString = null;
// Perform security check.
if (requestManager.requiresAuth(requestUri)) {
@@ -295,7 +307,7 @@
String errMsg = UtilProperties.getMessage(RequestHandler.err_resource, "requestHandler.error_call_event", locale);
request.setAttribute("_ERROR_MESSAGE_", errMsg + ": " + e.toString());
} else {
- throw new RequestHandlerException("Error calling event and no error repsonse was specified", e);
+ throw new RequestHandlerException("Error calling event and no error response was specified", e);
}
}
}
@@ -524,6 +536,7 @@
return nextPage;
}
+ @SuppressWarnings("unchecked")
private void callRedirect(String url, HttpServletResponse resp, HttpServletRequest req) throws RequestHandlerException {
if (Debug.infoOn()) Debug.logInfo("[Sending redirect]: " + url + " sessionId=" + UtilHttp.getSessionId(req), module);
// set the attributes in the session so we can access it.
@@ -908,5 +921,5 @@
} else {
return false;
}
- }
+ }
}