Thanks Dan,
That looks like something interesting to think about indeed!
When you right-click on a link, you get something like
https://demo-trunk.ofbiz.apache.org/facility/control/main?externalLoginKey=EL1ad4c84d-3cb7-41d5-bf80-9a24247d6b40
And at the moment our issue is not about externalLoginKey but jessionid. It's
maybe related.
Note that jessionid only appears in access_log files (A Tomcat log) and not in
any other OFBiz log.
I still don't know how jessionid is added to URLs. It could be due to cookies
somehow...
Not a big deal for now, just something we need to fix.
Jacques
Le 29/08/2024 à 10:56, Daniel Watford a écrit :
[Only sending to dev mailing list as is an application architecture related
comment]
I don't have a solution to offer yet around the URL issue raised by Johan,
but have a feeling it it will relate to the issue below.
This is a message to highlight a deep unease I have around the OFBiz use of
query arguments in URLs to carry authentication/session information between
client and server. In particular, clickable links between applications in
the client are rendered with the externalLoginKey query argument since each
application maintains its own login mechanism and session cookie.
One immediate problem I see is if a user right-clicks a link to copy the
URL target, and then shares that URL, they have unwittingly also shared a
credential that will allow recipients of the URL to masquerade as the
original user.
I assume the reason for tying session cookies to applications, rather than
to the root of the OFBiz website, is to ensure a separation between
back-end office applications and front-end ecommerce applications.
As mentioned, I don't have a solution to offer at the moment, but perhaps
we should looks at configuring the applications with the names of their
session cookies. All the back-end applications could then use a single
'backend' cookie, and any front-end consumer facing application could have
their own distinct session cookie.
Thanks,
Dan.
On Thu, 29 Aug 2024 at 09:17, Jacques Le Roux <jacques.le.r...@les7arts.com>
wrote:
Hi,
Finally it's not that clear.
As can be found in trunk demo access_logs, such URLs exist at least since
June 17 2024.
access_log.2024-06-17:28:66.249.75.98 - - [17/Jun/2024:00:11:51 +0000]
"GET
/partymgr/control/main%3FexternalLoginKey=ELf5183769-2759-476b-946c-2a70afe3c42d&sortField=partyId;jsessionid=EBB57C6C3C345E70501827509E05744C.jvm1
HTTP/1.1" 500 1165 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X
Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.175
Mobile Safari/537.36 (compatible; Googlebot/2.1; +
http://www.google.com/bot.html)"
As you can see they are rejected (HTTP 500) since then too. Actually I
guess they exist for a very long time. Have yet no idea why and how these
URLs
are generated.
The rejection is "new" and due to a security fix done in May 20 2024 with
(OFBIZ-13092) "Prevent special encoded characters sequences in URLs"
So we need to clearly define steps to manually generate these URLs. Then,
if it's OK, we could allow URLs containing ";jsessionid=" to bypass the
security filter.
I copy this email to the dev ML because of its importance
Jacques
Le 28/08/2024 à 15:27, Jacques Le Roux a écrit :
Thanks Guys,
I could not reproduce yet, but I think we have already enough clues to
fix that.
Also I can find a lot of in trunk demo log. That will be helpful too.
Jacques
Le 27/08/2024 à 16:20, 雷咩咩 a écrit :
i can reproduce by login with admin, randomly click severl places, then
when click logout, see such error:
HTTP Status 500 – Internal Server Error
Type Exception Report
Message For security reason this URL is not accepted
Description The server encountered an unexpected condition that
prevented it from fulfilling the request.
Exception
java.lang.RuntimeException: For security reason this URL is not accepted
org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:144)
org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
Note The full stack trace of the root cause is available in the server
logs.
Apache Tomcat/9.0.91
Regards,
Yang
------------------ 原始邮件 ------------------
发件人: "user" <johanhpcro...@gmail.com>;
发送时间: 2024年8月27日(星期二) 晚上9:12
收件人: "user"<u...@ofbiz.apache.org>;
主题: URL Issue
Hi,
Not sure if anyone would be able to assist me, I have found an issue
which
can also be replicated within the demo.
This issue normally occurs as you navigate to a module after login. It
is
not easily replicable, once you refresh it works and does not occur
again.
Replicated the issue in multiple modules.
It usually adds ;jsessionid=######################.jvm1 to all the URLs
and
this causes a navigation issue.
Once you submit a form or try to click the logout link, an Internal 500
Internal Server Error is being returned
As an example:
https://demo-stable.ofbiz.apache.org/partymgr/control/main
I have screenshots available, however I am not able to attach to this
mail.
Please let me know if you need me to upload it somewhere.
Kind Regards,
Johan Cronjé
