Re: Password reset for admin?

2011-08-04 Thread Mike
Sorry for the late response (vacation).  I understand what you are saying,
that it is not a good idea to use generic or group accounts as much as
possible. However, it should not be so easy for users of an ERP to
shoot themselves in the foot. This sounds like a gaping security hole,
or at least a major security annoyance.

For instance, you have a group of folks who answer phones and provide
customer support.  They read and reply to emails to multiple
customers.  When they email customers, they use their own accounts,
like sa...@domain.com.  Let's disrupt sally (or admin!) by simply
going to the ecommerce page, entering sally and clicking forgot password.
Does anyone think this is OK?  I don't think it should be necessary to
change the admin login, or even use unfriendly user names.


On Sat, Jul 30, 2011 at 11:39 AM, Carsten Schinzer
c.schin...@googlemail.com wrote:
 From a data security perspective your statement about 'Any organization
 would have generic accounts' is dangerous, IMHO.

 If under stricter data security regulations, you would first of all want
 traceability of who did what in the system, hence you want individual
 accounts. And initiatives like the Payment Card Industry Data Security
 Standards are addressing exactly those kind of issues and enforcing such
 policies.

 So beware when using 'group accounts' over individual logins. They may be
 easy to use for everyone, but then beware that it's also easy to hack them (who
 would use a cryptic password on a group account?) or to be nasty with
 enforced password resets.

 I tend to use either email or even generic xAdmin01 or such which are
 abstracted. On production OFBiz systems, I do not use any of the demo
 accounts as well.

 Then BJ's point perfectly kicks in that user names are no longer guessable
 and thus your pain would go away.

 Just my 0.02 EUR.
 Greets


 Carsten


 Otherwise

 2011/7/30 Mike mz4whee...@gmail.com

 There must be something more.  Any organization would have generic
 logins, like sales, or it would be easy to guess employee logins
 from the about us page.  It makes sense that the password reset
 should be intended ONLY for customers, not (any) system-type login.

 I would think that the password reset feature should be limited to
 certain roles, like Customer.

 On Sat, Jul 30, 2011 at 4:00 AM, BJ Freeman bjf...@free-man.net wrote:
  for production systems do not use admin as a login.
  it is never created.
 
  Mike sent the following on 7/30/2011 12:10 AM:
  Why is it that *any* user can, using the password reset or Forgot
  Your Password can actually force admin to change the password?  Is
  there a way to turn this off?
 
 




 --

 Best

 Carsten Schinzer

 Waisenhausstr. 53a
 80637 München
 Germany



Re: Password reset for admin?

2011-08-04 Thread Mike
Thanks Ruth.  Sounds like you tweaked the system to prevent this admin
reset issue.  I would think that the password reset should only apply
to ecommerce customers.  Sounds like a code change will be required.

On Sat, Jul 30, 2011 at 1:24 PM, Ruth Hoffman rhoff...@aesolves.com wrote:
 Hi Mike:
 Not sure if there is a way to turn this off, but on my 9.04 production
 system I changed the default code so that the admin user had to be logged in
 as admin before the password is reset. I also changed the way the forgot
 password works...basically my implementation ignores requests to reset the
 password for the admin userLoginId unless they are logged in.

 I found out pretty early on - during testing of the MyOFBiz/mylibrary site -
 that this was a potential problem in production.

 Regards,
 Ruth

 On 7/30/11 3:10 AM, Mike wrote:

 Why is it that *any* user can, using the password reset or Forgot
 Your Password can actually force admin to change the password?  Is
 there a way to turn this off?




Hello All

2011-08-04 Thread vivek mishra
Hello,

Got the following error while running OFBiz in Eclipse:

Admin socket not configured; set to port 0
Exception in thread "main" java.lang.ExceptionInInitializerError
    at org.ofbiz.base.util.Debug.<clinit>(Debug.java:86)
    at org.ofbiz.base.container.ContainerLoader.load(ContainerLoader.java:50)
    at org.ofbiz.base.start.Start.initStartLoaders(Start.java:259)
    at org.ofbiz.base.start.Start.init(Start.java:96)
    at org.ofbiz.base.start.Start.main(Start.java:410)
Caused by: java.util.MissingResourceException: Can't find bundle for base name cache, locale en
    at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1427)
    at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1250)
    at java.util.ResourceBundle.getBundle(ResourceBundle.java:705)
    at org.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:210)
    at org.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:206)
    at org.ofbiz.base.util.cache.UtilCache.<init>(UtilCache.java:139)
    at org.ofbiz.base.util.cache.UtilCache.createUtilCache(UtilCache.java:1005)
    at org.ofbiz.base.util.UtilProperties.<clinit>(UtilProperties.java:69)
    ... 5 more


Regards
Vivek Mishra


RE: Hello All

2011-08-04 Thread Hardik Handa
You need to make some changes when running OFBiz from Eclipse: edit
base/config/ofbiz-containers.xml and comment out the commons-vfs-container and webslinger
container.
This should solve the problem.

Regards,
Hardik Handa
hardik.ha...@hcl.com

-Original Message-
From: vivek mishra [mailto:vmvivek...@gmail.com]
Sent: Thursday, August 04, 2011 12:32 PM
To: user@ofbiz.apache.org
Subject: Hello All

Hello,

Got the following error while running OFBiz in Eclipse:

Admin socket not configured; set to port 0
Exception in thread "main" java.lang.ExceptionInInitializerError
    at org.ofbiz.base.util.Debug.<clinit>(Debug.java:86)
    at org.ofbiz.base.container.ContainerLoader.load(ContainerLoader.java:50)
    at org.ofbiz.base.start.Start.initStartLoaders(Start.java:259)
    at org.ofbiz.base.start.Start.init(Start.java:96)
    at org.ofbiz.base.start.Start.main(Start.java:410)
Caused by: java.util.MissingResourceException: Can't find bundle for base name cache, locale en
    at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1427)
    at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1250)
    at java.util.ResourceBundle.getBundle(ResourceBundle.java:705)
    at org.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:210)
    at org.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:206)
    at org.ofbiz.base.util.cache.UtilCache.<init>(UtilCache.java:139)
    at org.ofbiz.base.util.cache.UtilCache.createUtilCache(UtilCache.java:1005)
    at org.ofbiz.base.util.UtilProperties.<clinit>(UtilProperties.java:69)
    ... 5 more


Regards
Vivek Mishra



Re: Hello All

2011-08-04 Thread Sumit Pandit
Hi Vivek,

I am running and debugging OFBiz in Eclipse by the very simple steps given in
the following link:

https://cwiki.apache.org/confluence/display/OFBIZ/Running+and+Debugging+OFBiz+in+Eclipse#RunningandDebuggingOFBizinEclipse-debuggingInEclipse

I hope you are also trying the same?




On Thu, Aug 4, 2011 at 12:32 PM, vivek mishra vmvivek...@gmail.com wrote:

 Hello,

 Got the following error while running OFBiz in Eclipse:

 Admin socket not configured; set to port 0
 Exception in thread "main" java.lang.ExceptionInInitializerError
     at org.ofbiz.base.util.Debug.<clinit>(Debug.java:86)
     at org.ofbiz.base.container.ContainerLoader.load(ContainerLoader.java:50)
     at org.ofbiz.base.start.Start.initStartLoaders(Start.java:259)
     at org.ofbiz.base.start.Start.init(Start.java:96)
     at org.ofbiz.base.start.Start.main(Start.java:410)
 Caused by: java.util.MissingResourceException: Can't find bundle for base name cache, locale en
     at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1427)
     at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1250)
     at java.util.ResourceBundle.getBundle(ResourceBundle.java:705)
     at org.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:210)
     at org.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:206)
     at org.ofbiz.base.util.cache.UtilCache.<init>(UtilCache.java:139)
     at org.ofbiz.base.util.cache.UtilCache.createUtilCache(UtilCache.java:1005)
     at org.ofbiz.base.util.UtilProperties.<clinit>(UtilProperties.java:69)
     ... 5 more


 Regards
 Vivek Mishra




-- 
Thanks and Regards
Sumit Pandit


Re: Hello All

2011-08-04 Thread vivek mishra
Hello Sumit

Thanks a lot buddy, finally able to run OFBiz using Eclipse.


Thanks & Regards
Vivek Mishra



On Thu, Aug 4, 2011 at 1:32 PM, Sumit Pandit meetsumit...@gmail.com wrote:

 Hi Vivek,

 I am running and debugging OFBiz in Eclipse by the very simple steps given in
 the following link:


 https://cwiki.apache.org/confluence/display/OFBIZ/Running+and+Debugging+OFBiz+in+Eclipse#RunningandDebuggingOFBizinEclipse-debuggingInEclipse

 I hope you are also trying the same?




 On Thu, Aug 4, 2011 at 12:32 PM, vivek mishra vmvivek...@gmail.com
 wrote:

  Hello,

  Got the following error while running OFBiz in Eclipse:

  Admin socket not configured; set to port 0
  Exception in thread "main" java.lang.ExceptionInInitializerError
      at org.ofbiz.base.util.Debug.<clinit>(Debug.java:86)
      at org.ofbiz.base.container.ContainerLoader.load(ContainerLoader.java:50)
      at org.ofbiz.base.start.Start.initStartLoaders(Start.java:259)
      at org.ofbiz.base.start.Start.init(Start.java:96)
      at org.ofbiz.base.start.Start.main(Start.java:410)
  Caused by: java.util.MissingResourceException: Can't find bundle for base name cache, locale en
      at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1427)
      at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1250)
      at java.util.ResourceBundle.getBundle(ResourceBundle.java:705)
      at org.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:210)
      at org.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:206)
      at org.ofbiz.base.util.cache.UtilCache.<init>(UtilCache.java:139)
      at org.ofbiz.base.util.cache.UtilCache.createUtilCache(UtilCache.java:1005)
      at org.ofbiz.base.util.UtilProperties.<clinit>(UtilProperties.java:69)
      ... 5 more


  Regards
  Vivek Mishra
 



 --
 Thanks and Regards
 Sumit Pandit



Hello

2011-08-04 Thread vivek mishra
Hello

I want to use only the HR module in OFBiz... how can I hide the others?


Thanks & Regards
Vivek Mishra


Re: Hello

2011-08-04 Thread Hans Bakker
Please use a proper subject for your email request?

Check into the security... you can allow people to use only the HR
component and not the other components.

Do not disable any components as others suggested.


Regards.
Hans


-- 
Ofbiz on twitter: http://twitter.com/apache_ofbiz
Myself on twitter: http://twitter.com/hansbak
Antwebsystems.com: Quality services for competitive rates.

On Thu, 2011-08-04 at 16:48 +0530, vivek mishra wrote:
 Hello
 
 I want to use only the HR module in OFBiz... how can I hide the others?
 
 
 Thanks & Regards
 Vivek Mishra




Re: Password reset for admin?

2011-08-04 Thread BJ Freeman
It sounds like you are speaking of OFBiz as a finished product, in which
case I agree with your first paragraph. However OFBiz is not a finished
product and is meant for consultants to set up for end users. The
consultant should know this information and make the application they
set up for their client fully secure.

Confused about sa...@domain.com. If she is sending emails with this
email address through OFBiz, then it is gotten from the primary email
address of the contactmech, not the login, and OFBiz receives those
emails and puts them in her party communications.
The login should not be sa...@domain.com, since the email would be sent
to her account in OFBiz and she could not access it. It should be
sa...@otherdomain.com, like yahoo or qmail.com. This would reduce the chance
of someone knowing her login.

There are some conditions that allow not sending or resetting the
password. They are in Security.properties. Look at the code in
LoginEvents.emailPassword().

Mike sent the following on 8/3/2011 11:07 PM:
 Sorry for the late response (vacation).  I understand what you are saying,
 that it is not a good idea to use generic or group accounts as much as
 possible. However, it should not be so easy for users of an ERP to
 shoot themselves in the foot. This sounds like a gaping security hole,
 or at least a major security annoyance.
 
 For instance, you have a group of folks who answer phones and provide
 customer support.  They read and reply to emails to multiple
 customers.  When they email customers, they use their own accounts,
 like sa...@domain.com.  Let's disrupt sally (or admin!) by simply
 going to the ecommerce page, entering sally and clicking forgot password.
 Does anyone think this is OK?  I don't think it should be necessary to
 change the admin login, or even use unfriendly user names.
 
 
 On Sat, Jul 30, 2011 at 11:39 AM, Carsten Schinzer
 c.schin...@googlemail.com wrote:
 From a data security perspective your statement about 'Any organization
 would have generic accounts' is dangerous, IMHO.

 If under stricter data security regulations, you would first of all want
 traceability of who did what in the system, hence you want individual
 accounts. And initiatives like the Payment Card Industry Data Security
 Standards are addressing exactly those kind of issues and enforcing such
 policies.

 So beware when using 'group accounts' over individual logins. They may be
 easy to use for everyone, but then beware that it's also easy to hack them (who
 would use a cryptic password on a group account?) or to be nasty with
 enforced password resets.

 I tend to use either email or even generic xAdmin01 or such which are
 abstracted. On production OFBiz systems, I do not use any of the demo
 accounts as well.

 Then BJ's point perfectly kicks in that user names are no longer guessable
 and thus your pain would go away.

 Just my 0.02 EUR.
 Greets


 Carsten


 Otherwise

 2011/7/30 Mike mz4whee...@gmail.com

 There must be something more.  Any organization would have generic
 logins, like sales, or it would be easy to guess employee logins
 from the about us page.  It makes sense that the password reset
 should be intended ONLY for customers, not (any) system-type login.

 I would think that the password reset feature should be limited to
 certain roles, like Customer.

 On Sat, Jul 30, 2011 at 4:00 AM, BJ Freeman bjf...@free-man.net wrote:
 for production systems do not use admin as a login.
 it is never created.

 Mike sent the following on 7/30/2011 12:10 AM:
 Why is it that *any* user can, using the password reset or Forgot
 Your Password can actually force admin to change the password?  Is
 there a way to turn this off?






 --

 Best

 Carsten Schinzer

 Waisenhausstr. 53a
 80637 München
 Germany

 


Re: Hello

2011-08-04 Thread Brian Topping
On Aug 4, 2011, at 7:37 AM, Hans Bakker wrote:

 Please use a proper subject for your email request?

+1 

I generally have to do a double-take on these messages.  I don't want to mark 
things from the list as spam because I don't want my mail client to mark 
everything from the list as spam, but Hello is usually followed by a message 
from either 1) a diplomat in Iraq with $6.8 million that he needs help 
transferring or 2) a beautiful Russian girl, 28 y.o, looking for companion and 
marriage.  

Vivek:  This message should have been titled HR module in OFBiz.  

Thank you, Brian

Re: Password reset for admin?

2011-08-04 Thread David E Jones

On Aug 4, 2011, at 6:39 AM, BJ Freeman wrote:

 It sounds like you are speaking of OFBiz as a finished product, in which
 case I agree with your first paragraph. However OFBiz is not a finished
 product and is meant for consultants to set up for end users. The
 consultant should know this information and make the application they
 set up for their client fully secure.

Sorry BJ, this simply isn't true. If there is something bad in the project it 
should be changed.

By your line of reasoning everyone doing consulting based on OFBiz should keep 
a big list of issues to address every time they do anything for a client… 
wouldn't it be better to just fix those things and be done with it?

-David



Re: Password reset for admin?

2011-08-04 Thread BJ Freeman
Yes David, if it is a bug, but by your definition many times this is a
feature.
My point in the second paragraph that you did not include:
1) part of the solution is providing a way to circumvent security issues,
not part of OFBiz but how one sets up OFBiz
2) the issues are addressed if one reads the code.

David E Jones sent the following on 8/4/2011 8:38 AM:
 
 On Aug 4, 2011, at 6:39 AM, BJ Freeman wrote:
 
  It sounds like you are speaking of OFBiz as a finished product, in which
  case I agree with your first paragraph. However OFBiz is not a finished
  product and is meant for consultants to set up for end users. The
  consultant should know this information and make the application they
  set up for their client fully secure.
 
 Sorry BJ, this simply isn't true. If there is something bad in the project it 
 should be changed.
 
 By your line of reasoning everyone doing consulting based on OFBiz should 
 keep a big list of issues to address every time they do anything for a 
 client… wouldn't it be better to just fix those things and be done with it?
 
 -David
 
 


Re: Password reset for admin?

2011-08-04 Thread Mike
BJ, I fail to see how this could possibly be a feature.  Right now,
I'm at the level where I fiddle around with the code.  As a new user,
should I be expected to have to review the code to see if it stands up
to security standards?  I don't know much, but I do know when
something isn't right, and this happens to be one of those.  In the
real world, people use friendly names to send/receive email and
conduct business.  They shouldn't be expected to remember a user name
like mikej49q because an application needs obfuscation to protect
itself.

I would hope that maybe this feature could be reduced to a certain
sub-set of users, whose login name is optionally in the format of an
email address, and maybe require a captcha code to prevent dictionary
attacks.

On Thu, Aug 4, 2011 at 10:56 AM, BJ Freeman bjf...@free-man.net wrote:
 Yes David, if it is a bug, but by your definition many times this is a
 feature.
 My point in the second paragraph that you did not include:
 1) part of the solution is providing a way to circumvent security issues,
 not part of OFBiz but how one sets up OFBiz
 2) the issues are addressed if one reads the code.

 David E Jones sent the following on 8/4/2011 8:38 AM:

 On Aug 4, 2011, at 6:39 AM, BJ Freeman wrote:

 It sounds like you are speaking of OFBiz as a finished product, in which
 case I agree with your first paragraph. However OFBiz is not a finished
 product and is meant for consultants to set up for end users. The
 consultant should know this information and make the application they
 set up for their client fully secure.

 Sorry BJ, this simply isn't true. If there is something bad in the project 
 it should be changed.

 By your line of reasoning everyone doing consulting based on OFBiz should 
 keep a big list of issues to address every time they do anything for a 
 client… wouldn't it be better to just fix those things and be done with it?

 -David





Re: Password reset for admin?

2011-08-04 Thread Raj Saini
I agree with you Mike. Every week I get a couple of mails from Gmail and 
FB telling me that I had requested to reset my password and to click on a 
link to confirm the request, and I simply ignore such mails as I know I 
never asked to change my password. Imagine, if Gmail changed my password 
every time someone went to the Gmail login page, entered my id and hit Forgot 
Password, I would be changing my password many times a week.


Thanks,

Raj

On Friday 05 August 2011 04:55 AM, Mike wrote:

BJ, I fail to see how this could possibly be a feature.  Right now,
I'm at the level where I fiddle around with the code.  As a new user,
should I be expected to have to review the code to see if it stands up
to security standards?  I don't know much, but I do know when
something isn't right, and this happens to be one of those.  In the
real world, people use friendly names to send/receive email and
conduct business.  They shouldn't be expected to remember a user name
like mikej49q because an application needs obfuscation to protect
itself.

I would hope that maybe this feature could be reduced to a certain
sub-set of users, whose login name is optionally in the format of an
email address, and maybe require a captcha code to prevent dictionary
attacks.

On Thu, Aug 4, 2011 at 10:56 AM, BJ Freemanbjf...@free-man.net  wrote:

Yes David, if it is a bug, but by your definition many times this is a
feature.
My point in the second paragraph that you did not include:
1) part of the solution is providing a way to circumvent security issues,
not part of OFBiz but how one sets up OFBiz
2) the issues are addressed if one reads the code.

David E Jones sent the following on 8/4/2011 8:38 AM:

On Aug 4, 2011, at 6:39 AM, BJ Freeman wrote:


It sounds like you are speaking of OFBiz as a finished product, in which
case I agree with your first paragraph. However OFBiz is not a finished
product and is meant for consultants to set up for end users. The
consultant should know this information and make the application they
set up for their client fully secure.

Sorry BJ, this simply isn't true. If there is something bad in the project it 
should be changed.

By your line of reasoning everyone doing consulting based on OFBiz should keep 
a big list of issues to address every time they do anything for a client… 
wouldn't it be better to just fix those things and be done with it?

-David
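
The thread's complaint (an anonymous "Forgot Password" request that immediately changes any login's password, admin included) and the design it converges on (Ruth: ignore reset requests for admin; Mike: limit the public reset to customer-type logins; Raj: send a confirmation link instead of changing the password on request; BJ's pointer to the conditions in Security.properties and LoginEvents.emailPassword()) set side by side as an added Python example. This is illustration code written for this page, not OFBiz code and not a modification of LoginEvents.emailPassword(); the account records, the CUSTOMER/SUPPORT/ADMIN role names, the 15-minute token lifetime and the SHA-256 password hash are all constructed assumptions.

```python
"""Forgot-password flows side by side (added illustration, not OFBiz code).

naive_forgot_password() is the behaviour the thread complains about: an anonymous
request naming a known login rewrites that login's password on the spot.
ResetService is the hardened shape: the request only mails a short-lived,
single-use token, the password changes only when the token comes back,
non-customer logins are skipped, and the reply never reveals whether a login exists.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a 15-minute reset window

@dataclass
class Account:
    login: str
    email: str
    roles: set
    password_hash: str

def hash_password(pw: str) -> str:
    # Illustration only; a real system uses a slow, salted KDF (bcrypt/argon2).
    return hashlib.sha256(pw.encode()).hexdigest()

def naive_forgot_password(accounts: dict, login: str, outbox: list) -> str:
    """Vulnerable: the reset request itself replaces the stored password."""
    acct = accounts.get(login)
    if acct is None:
        return "unknown login"  # also tells the caller which logins exist
    new_pw = secrets.token_urlsafe(8)
    acct.password_hash = hash_password(new_pw)
    outbox.append((acct.email, f"Your new password is {new_pw}"))
    return "password emailed"

@dataclass
class ResetService:
    accounts: dict
    outbox: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)  # sha256(token) -> (login, expiry)
    now: Callable[[], float] = time.time

    @staticmethod
    def _token_hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()  # never store the raw token

    def request_reset(self, login: str) -> str:
        acct = self.accounts.get(login)
        # Only customer-type logins get a token; staff/admin logins are silently
        # skipped, and unknown logins get exactly the same reply.
        if acct is not None and "CUSTOMER" in acct.roles:
            token = secrets.token_urlsafe(32)
            self.pending[self._token_hash(token)] = (login, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((acct.email, f"Confirm your reset: token={token}"))
        return "if that account exists, a reset link has been emailed"

    def confirm_reset(self, token: str, new_password: str) -> bool:
        entry = self.pending.pop(self._token_hash(token), None)  # single use
        if entry is None:
            return False
        login, expiry = entry
        if self.now() > expiry:
            return False
        self.accounts[login].password_hash = hash_password(new_password)
        return True

def demo() -> dict:
    """Constructed walk-through of both flows; returns what each one did."""
    def fresh() -> dict:  # constructed sample accounts
        return {
            "admin": Account("admin", "admin@example.com", {"ADMIN"}, hash_password("s3cret")),
            "sally": Account("sally", "sally@example.com", {"SUPPORT"}, hash_password("hunter2")),
            "alice": Account("alice", "alice@customer.example", {"CUSTOMER"}, hash_password("pw")),
        }
    out = {}
    # 1. Naive flow: anyone typing "admin" into the form locks admin out.
    accounts, outbox = fresh(), []
    before = accounts["admin"].password_hash
    naive_forgot_password(accounts, "admin", outbox)
    out["naive_admin_changed"] = accounts["admin"].password_hash != before
    # 2. Hardened flow: the same requests against admin, sally or a bogus login do nothing.
    clock = [1_000_000.0]
    svc = ResetService(fresh(), now=lambda: clock[0])
    replies = {svc.request_reset(login) for login in ("admin", "sally", "nobody")}
    out["hardened_admin_changed"] = svc.accounts["admin"].password_hash != before
    out["hardened_mails_sent"] = len(svc.outbox)
    out["replies_identical"] = len(replies) == 1
    # 3. Customer: the token is mailed, works exactly once, and dies after the TTL.
    svc.request_reset("alice")
    token = svc.outbox[-1][1].split("token=")[1]
    out["confirm_first"] = svc.confirm_reset(token, "new-pw")
    out["confirm_replay"] = svc.confirm_reset(token, "again")
    svc.request_reset("alice")
    token2 = svc.outbox[-1][1].split("token=")[1]
    clock[0] += TOKEN_TTL_SECONDS + 1
    out["confirm_expired"] = svc.confirm_reset(token2, "late")
    return out
```

Running demo() shows the difference in one place: the naive flow changes admin's password on a stranger's request, while the hardened flow leaves admin and sally untouched, sends no mail for them, and answers every request with the same sentence so the form cannot be used to enumerate logins. Only confirm_reset, given a token that reached the customer's own mailbox, changes a password, and it accepts each token once and only within its lifetime. A captcha or rate limit, as Mike suggests, would sit in front of request_reset.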






Re: Password reset for admin?

2011-08-04 Thread BJ Freeman
Ok, I'd like to see the jira you create.

Mike sent the following on 8/4/2011 4:25 PM:
 BJ, I fail to see how this could possibly be a feature.  Right now,
 I'm at the level where I fiddle around with the code.  As a new user,
 should I be expected to have to review the code to see if it stands up
 to security standards?  I don't know much, but I do know when
 something isn't right, and this happens to be one of those.  In the
 real world, people use friendly names to send/receive email and
 conduct business.  They shouldn't be expected to remember a user name
 like mikej49q because an application needs obfuscation to protect
 itself.
 
 I would hope that maybe this feature could be reduced to a certain
 sub-set of users, whose login name is optionally in the format of an
 email address, and maybe require a captcha code to prevent dictionary
 attacks.
 
 On Thu, Aug 4, 2011 at 10:56 AM, BJ Freeman bjf...@free-man.net wrote:
 Yes David, if it is a bug, but by your definition many times this is a
 feature.
 My point in the second paragraph that you did not include:
 1) part of the solution is providing a way to circumvent security issues,
 not part of OFBiz but how one sets up OFBiz
 2) the issues are addressed if one reads the code.

 David E Jones sent the following on 8/4/2011 8:38 AM:

 On Aug 4, 2011, at 6:39 AM, BJ Freeman wrote:

 It sounds like you are speaking of OFBiz as a finished product, in which
 case I agree with your first paragraph. However OFBiz is not a finished
 product and is meant for consultants to set up for end users. The
 consultant should know this information and make the application they
 set up for their client fully secure.

 Sorry BJ, this simply isn't true. If there is something bad in the project 
 it should be changed.

 By your line of reasoning everyone doing consulting based on OFBiz should 
 keep a big list of issues to address every time they do anything for a 
 client… wouldn't it be better to just fix those things and be done with it?

 -David