Posted to user@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2009/04/05 16:59:50 UTC

Secure URLs end for link, hyperlink and sub-hyperlink

After the changes recently introduced, the campaign to secure URLs for link, hyperlink and sub-hyperlink is now finished.
Please report any related errors you may come across.

Thanks

Jacques

Re: Secure URLs end for link, hyperlink and sub-hyperlink

Posted by BJ Freeman <bj...@free-man.net>.

Thanks for the effort, Jacques.


Jacques Le Roux sent the following on 4/5/2009 7:59 AM:
> After the changes recently introduced, the campaign to secure URLs for link, hyperlink and sub-hyperlink is now finished.
> Please report any related errors you may come across.
> 
> Thanks
> 
> Jacques
> 

Re: Secure URLs end for link, hyperlink and sub-hyperlink

Posted by Jacques Le Roux <ja...@les7arts.com>.
Actually David reestablished this feature which was already a hole, you are free to use it ;o)
It was a question of reporting in Jira (you were right for that) but to give more information, details, etc.

Anyway thanks for the report!

Jacques

From: "Angelo Matarazzo" <ma...@gmail.com>
> Hi, David, Jacques
> You are right about the security hole.
> But after security improvement "port.https.enabled" was useless (or not?).
> Sorry for my bad reporting way.
> But I wasn't sure if my issue should be reported in Jira.
> However, thanks a lot
> Angelo
>
>
> jacques.le.roux wrote:
>>
>> After the changes recently introduced, the campaign to secure URLs for
>> link, hyperlink and sub-hyperlink is now finished.
>> Please report any related errors you may come across.
>>
>> Thanks
>>
>> Jacques
>>
>>
>
> -- 
> View this message in context: 
> http://www.nabble.com/Secure-URLs-end-for-link%2C-hyperlink-and-sub-hyperlink-tp22894715p22984646.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
> 



Re: Secure URLs end for link, hyperlink and sub-hyperlink

Posted by Angelo Matarazzo <ma...@gmail.com>.
Hi, David, Jacques
You are right about the security hole.
But after security improvement "port.https.enabled" was useless (or not?).
Sorry for my bad reporting way.
But I wasn't sure if my issue should be reported in Jira.
However, thanks a lot
Angelo


jacques.le.roux wrote:
> 
> After the changes recently introduced, the campaign to secure URLs for
> link, hyperlink and sub-hyperlink is now finished.
> Please report any related errors you may come across.
> 
> Thanks
> 
> Jacques
> 
> 



Re: Secure URLs end for link, hyperlink and sub-hyperlink

Posted by Jacques Le Roux <ja...@les7arts.com>.
This sounds like port.https.enabled="N" in url.properties file is no longer working.

Quick answer : 2 alternatives
Harder but safer, you will have to revert related changes and get back to previous situation (should not be too hard though)
Hack : look at RequestHandler.java line 184

Jacques

From: "Angelo Matarazzo" <ma...@gmail.com>
> Hi, Jacques
> I don't know if my problem is an error but I think you can help me.
> My question is:
> "Can I change the protocol for all the traffic to http from https? If yes,
> how do I go about doing it?"
>
> I followed the advice here
> http://www.nabble.com/changing-https-to-http-td11412198.html#a22907203
>
> I set port.https.enabled="N" in url.properties file.
>
> Before changes
>
> I went here
> http://abna22216ecs:8080/webtools/
>
> I inserted  user:    admin
>              password:ofbiz
>
> The request
> http://localhost:8080/webtools/control/login worked!
>
> Now, after security improvement
>
> The request
> http://localhost:8080/webtools/control/login doesn't work!
>
> The error is:
> org.ofbiz.webapp.control.RequestHandlerException: Not accepting insecure
> form data posted to a secure request
>
> How can I change the protocol for all the traffic to http from https now?
>
> Thanks,
>
> Angelo
>
>
> jacques.le.roux wrote:
>>
>> After the changes recently introduced, the campaign to secure URLs for
>> link, hyperlink and sub-hyperlink is now finished.
>> Please report any related errors you may come across.
>>
>> Thanks
>>
>> Jacques
>>
>>
>



Re: Secure URLs end for link, hyperlink and sub-hyperlink

Posted by Angelo Matarazzo <ma...@gmail.com>.
Hi, Jacques
I don't know if my problem is an error but I think you can help me.
My question is:
"Can I change the protocol for all the traffic to http from https? If yes,
how do I go about doing it?"

I followed the advice here
http://www.nabble.com/changing-https-to-http-td11412198.html#a22907203

I set port.https.enabled="N" in url.properties file.

Before changes 

I went here
http://abna22216ecs:8080/webtools/

I inserted  user:    admin
              password:ofbiz

The request
http://localhost:8080/webtools/control/login worked!

Now, after security improvement

The request
http://localhost:8080/webtools/control/login doesn't work!

The error is:
org.ofbiz.webapp.control.RequestHandlerException: Not accepting insecure
form data posted to a secure request

How can I change the protocol for all the traffic to http from https now? 

Thanks,

Angelo


jacques.le.roux wrote:
> 
> After the changes recently introduced, the campaign to secure URLs for
> link, hyperlink and sub-hyperlink is now finished.
> Please report any related errors you may come across.
> 
> Thanks
> 
> Jacques
> 
> 



Re: Secure URLs end for link, hyperlink and sub-hyperlink

Posted by Jacopo Cappellato <ja...@hotwaxmedia.com>.
Thanks so much for your work, Jacques.

Jacopo

On Apr 5, 2009, at 8:29 PM, Jacques Le Roux wrote:

> After the changes recently introduced, the campaign to secure URLs
> for link, hyperlink and sub-hyperlink is now finished.
> Please report any related errors you may come across.
>
> Thanks
>
> Jacques


Re: Secure URLs end for link, hyperlink and sub-hyperlink

Posted by David E Jones <da...@hotwaxmedia.com>.
Angelo,

This issue should be addressed in SVN rev 763855. Please read the  
commit log as deploying in this way is not recommended as it opens a  
security hole.

Also, as a general recommendation for future reference so that your  
feedback and requests are better received: if you find an issue report  
it in as much detail as possible (including steps to reproduce, what  
you expected to happen, and what actually happened including EXACT  
error message quotes, along with whatever you find about it), and do  
so by creating an issue in Jira. That way you won't have to send the  
same complaint over and over, and we won't have to guess about what  
you're seeing and what is happening.

Anyway, thanks for reporting this and I hope your experience is  
overall good with OFBiz!

-David


On Apr 9, 2009, at 2:33 AM, Angelo Matarazzo wrote:

>
> Hi Jacques,
> I understood the problem.
> I have looked at RequestHandler.java line 184.
> At line 179 there is   if (!request.isSecure() &&  
> requestMap.securityHttps).
> Now with "http://localhost:8080"  request.isSecure() is "false" but
> requestMap.securityHttps depends on ConfigXMLReader.java at line 384
> 'this.securityHttps =  
> "true".equals(securityElement.getAttribute("https"));'
> In your opinion, is it a good idea to change ConfigXMLReader.java in this
> way?
>
>
> -  if (securityElement != null) {
> -               this.securityHttps =
> "true".equals(securityElement.getAttribute("https"));
>
>
>
> +boolean useHttpsDefault =
> UtilProperties.propertyValueEqualsIgnoreCase("url.properties",
> "port.https.enabled", "Y");
>
>
> +if (securityElement != null) {
> + if (useHttpsDefault))
>      this.securityHttps =
> "true".equals(securityElement.getAttribute("https"));
> +
> + else {
> +          this.securityHttps = false;
> + }
>
> Thanks,
> Angelo
>
>
>
> jacques.le.roux wrote:
>>
>> After the changes recently introduced, the campaign to secure URLs for
>> link, hyperlink and sub-hyperlink is now finished.
>> Please report any related errors you may come across.
>>
>> Thanks
>>
>> Jacques
>>
>>
>


Re: Secure URLs end for link, hyperlink and sub-hyperlink

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Angelo,

David has officially fixed this issue at r763855, but please read his comment!

Jacques
PS: Oops just read David's post, anyway...

From: "Angelo Matarazzo" <ma...@gmail.com>
> Hi Jacques,
> I understood the problem.
> I have looked at RequestHandler.java line 184.
> At line 179 there is   if (!request.isSecure() && requestMap.securityHttps).
> Now with "http://localhost:8080"  request.isSecure() is "false" but
> requestMap.securityHttps depends on ConfigXMLReader.java at line 384
> 'this.securityHttps = "true".equals(securityElement.getAttribute("https"));'
> In your opinion, is it a good idea to change ConfigXMLReader.java in this way?
>
>
> -  if (securityElement != null) {
> -               this.securityHttps =
> "true".equals(securityElement.getAttribute("https"));
>
>
>
> +boolean useHttpsDefault =
> UtilProperties.propertyValueEqualsIgnoreCase("url.properties",
> "port.https.enabled", "Y");
>
>
> +if (securityElement != null) {
> + if (useHttpsDefault))
>      this.securityHttps =
> "true".equals(securityElement.getAttribute("https"));
> +
> + else {
> +          this.securityHttps = false;
> + }
>
> Thanks,
> Angelo
>
>
>
> jacques.le.roux wrote:
>>
>> After the changes recently introduced, the campaign to secure URLs for
>> link, hyperlink and sub-hyperlink is now finished.
>> Please report any related errors you may come across.
>>
>> Thanks
>>
>> Jacques
>>
>>
>



Re: Secure URLs end for link, hyperlink and sub-hyperlink

Posted by Angelo Matarazzo <ma...@gmail.com>.
Hi Jacques, 
I understood the problem.
I have looked at RequestHandler.java line 184.
At line 179 there is   if (!request.isSecure() && requestMap.securityHttps).
Now with "http://localhost:8080"  request.isSecure() is "false" but
requestMap.securityHttps depends on ConfigXMLReader.java at line 384
'this.securityHttps = "true".equals(securityElement.getAttribute("https"));'
In your opinion, is it a good idea to change ConfigXMLReader.java in this way?


-  if (securityElement != null) {
-               this.securityHttps =
"true".equals(securityElement.getAttribute("https"));

     

+boolean useHttpsDefault =
UtilProperties.propertyValueEqualsIgnoreCase("url.properties",
"port.https.enabled", "Y");


+if (securityElement != null) {
+ if (useHttpsDefault))
      this.securityHttps =
"true".equals(securityElement.getAttribute("https"));
+             
+ else {
+          this.securityHttps = false;
+ } 
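
Review bot: the added line '+ if (useHttpsDefault))' has an extra closing parenthesis and no opening brace, yet it is followed by 'else {', and the closing brace of the outer 'if (securityElement != null) {' is not shown, so the proposal does not compile as posted; write the inner branch as 'if (useHttpsDefault) { ... } else { ... }' and close the outer block. On the logic, the else branch sets 'this.securityHttps = false' for every request map whenever port.https.enabled is not "Y", which overrides each https="true" attribute and so switches off the '!request.isSecure() && requestMap.securityHttps' check cited above for all requests, the login request included. A single property then decides whether form data such as a password may be posted over plain http, so the change should at least carry a comment saying so and log a warning where the property is read.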

Thanks,
Angelo



jacques.le.roux wrote:
> 
> After the changes recently introduced, the campaign to secure URLs for
> link, hyperlink and sub-hyperlink is now finished.
> Please report any related errors you may come across.
> 
> Thanks
> 
> Jacques
> 
> 
