Thanks Groza,
I'll check why we get this URI:
/facility/control/logoutjsessionid=47426E5B6F9A20CD2134E70F4DE525DF.jvm1
Looks like something ahead is removing the ";". Could be related to a
recent security change.
Jacques
Le 05/09/2024 à 11:08, Groza Danut a écrit :
I am able to consistently reproduce the error using the above steps
mentioned by Yang, with one addition: make sure you clear the cookies
each
time before starting. The error is thrown after you click logout.
Debugging in LoginWorker.logout at the following line:
RequestHandler rh = RequestHandler.getRequestHandler(request
.getSession().getServletContext());
I can see that for the servlet context the values are:
sessionTrackingModes null
supportedSessionTrackingModes [COOKIE, URL, SSL]
Also, the program never stops for my breakpoint at the first line in
WebAppServletContextListener.contextInitialized
Are you sure this listener is registered?
Indeed the problem is caused by this line in the ControlFilter: if (!
initialURI.equals(uRIFiltered))
Because the 2 uris are different:
/facility/control/logout;jsessionid=47426E5B6F9A20CD2134E70F4DE525DF.jvm1
/facility/control/logoutjsessionid=47426E5B6F9A20CD2134E70F4DE525DF.jvm1
Can we not provide a fix in here for this jsessionid case?
On Thu, Sep 5, 2024 at 5:38 AM 雷咩咩 <675686...@qq.com.invalid> wrote:
now i get a lot of errors for a lot of pages
https://demo-trunk.ofbiz.apache.org/content/control/main?externalLoginKey=EL2e3c96f3-bd6f-4609-a954-bd795856f143
Internal Server Error
The server encountered an internal error or misconfiguration and was
unable to complete your request.
Please contact the server administrator at dev@ofbiz.apache.org to
inform
them of the time this error occurred, and the actions you performed just
before this error.
More information about this error may be available in the server error
log.
原始邮件
发件人:"雷咩咩"< 675686...@qq.com >;
发件时间:2024/9/5 7:54
收件人:"ofbiz user"< u...@ofbiz.apache.org >;"dev"<
dev@ofbiz.apache.org
>;
主题:回复:Re: 回复:URL Issue
I found one stable steps to reproduce this issue in official trunk demo
site.
go to https://demo-trunk.ofbiz.apache.org/catalog/control/login,
login with admin. the url will be like
https://demo-trunk.ofbiz.apache.org/content/control/main?externalLoginKey=EL9a0d332c-0a33-47a2-8dfd-5fa39aa8ffdd
go to menu content, then click any of the items, such
as WebStorePos
Expected:
can browse
Actual:
url is
https://demo-trunk.ofbiz.apache.org/content/control/EditWebSite;jsessionid=167CC5B83474F1F8F5C7204282259AE3.jvm1?webSiteId=WebStorePos
error
HTTP Status 500 – Internal Server ErrorType Exception Report
Message For security reason this URL is not accepted
Description The server encountered an unexpected condition that
prevented
it from fulfilling the request.
Exception
java.lang.RuntimeException: For security reason this URL is not accepted
org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:172)
javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:53)
org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
Note The full stack trace of the root cause is available in the server
logs.
Apache Tomcat/9.0.91
原始邮件
发件人:"Jacques Le Roux"< jacques.le.r...@les7arts.com >;
发件时间:2024/8/31 22:58
收件人:"user"< u...@ofbiz.apache.org >;
主题:Re: 回复:URL Issue
That's interesting. Because locally I initially did not find any on
mine,
but finally found one (and only one among 9 logs):
127.0.0.1 - - [28/Aug/2024:20:59:40 +0200] "GET
/common/js/jquery/plugins/jsTree/themes/default/d.png HTTP/2.0" 200 7635
"
https://localhost:8443/common/js/jquery/plugins/jsTree/themes/default/style.css
"
"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101
Firefox/56.0"
127.0.0.1 - - [28/Aug/2024:21:00:10 +0200] "GET
/example/control/FindExample%3FexternalLoginKey=EL8b0c355f-d7a6-4a59-9b34-bb0fa6bd0d05&sortField=description&noConditionFind=N;jsessionid=7C492ACEDE914E38A49E17F9151F02B2.jvm1
HTTP/2.0" 500 1169 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64;
rv:56.0)
Gecko/20100101 Firefox/56.0"
127.0.0.1 - - [28/Aug/2024:21:00:11 +0200] "GET /favicon.ico HTTP/2.0"
404
682 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0)
Gecko/20100101
Firefox/56.0"
127.0.0.1 - - [28/Aug/2024:21:00:11 +0200] "GET /favicon.ico HTTP/2.0"
404
682 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0)
Gecko/20100101
Firefox/56.0"
127.0.0.1 - - [28/Aug/2024:21:00:12 +0200] "GET /favicon.ico HTTP/2.0"
404
682 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0)
Gecko/20100101
Firefox/56.0"
As others, it's a HTTP 500, rejected for security reason, actually
unrelated to jsessionid. The log stops there. So could be a side effect.
The
session should no longer exists after. It's the end of the day. Closing
OFBiz, not sure how, maybe just putting the computer off.
Still a mystery, an annoying one it's not good to see the jsessionid in
log :/
Jacques
Le 31/08/2024 à 15:56, Omar Abdullwahhab a écrit :
> I didn't understand well,
> But it's a local development machine.
> Not hosted in web or cloud servers.
>
> On Sat, Aug 31, 2024, 4:21 PM Jacques Le Roux
> wrote:
>
>> Thanks Omar,
>>
>> Is that local or on a server?
>>
>> Jacques
>>
>> Le 31/08/2024 à 14:17, Omar Abdullwahhab a écrit :
>>> HI Jacques ,
>>> Here are a few lines of the logs containing jsessionid
>>>
>>> 127.0.0.1 - - [26/Aug/2024:20:51:14 +0300] "GET
>>> /accounting/control/ListCompanies HTTP/2.0" 200 5147 "
>>> https://localhost:8443/accounting/control/globalGLSettings
"
"Mozilla/5.0
>>> (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
>>> 127.0.0.1 - - [26/Aug/2024:20:51:18 +0300] "GET
>>> /rainbowstone/RAINBOWSTONE_SAPHIR.less HTTP/2.0" 200 1560 "
>>>
>>
https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4
>>
<
https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4>>
;
"
>>> "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101
Firefox/129.0"
>>> 127.0.0.1 - - [26/Aug/2024:20:51:19 +0300] "GET
>>>
>>
/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4
>>> HTTP/2.0" 200 4571 "
>> https://localhost:8443/accounting/control/ListCompanies";
>>> "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101
Firefox/129.0"
>>> 127.0.0.1 - - [26/Aug/2024:20:51:24 +0300] "GET
>>>
>>
/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03
>>> HTTP/2.0" 200 4327 "
>>>
>>
https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4
>>
<
https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4>>
;
"
>>> "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101
Firefox/129.0"
>>> 127.0.0.1 - - [26/Aug/2024:20:51:29 +0300] "POST
>>>
>>
/facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1
>>> HTTP/2.0" 500 2038 "
>>>
>>
https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03
>>
<
https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03>>
;
"
>>> "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101
Firefox/129.0"
>>> 127.0.0.1 - - [26/Aug/2024:20:51:36 +0300] "POST
>>>
>>
/facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1
>>> HTTP/2.0" 500 2038 "
>>>
>>
https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03
>>
<
https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03>>
;
"
>>> "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101
Firefox/129.0"
>>> 127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET
>>> /rainbowstone/RAINBOWSTONE_SAPHIR.less HTTP/2.0" 200 1560 "
>>> https://localhost:8443/facility/control/FindFacility";
"Mozilla/5.0 (X11;
>>> Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
>>> 127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET
>>> /facility/control/FindFacility HTTP/2.0" 200 4274 "
>>>
>>
https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03
>>
<
https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03>>
;
"
>>> "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101
Firefox/129.0"
>>>
>>> Regards
>>>
>>> On Sat, Aug 31, 2024 at 2:30 PM Jacques Le Roux <
>>> jacques.le.r...@les7arts.com> wrote:
>>>
>>>> Hi Omar,
>>>>
>>>> Since Java 7 :
>>>>
>>
https://docs.oracle.com/javaee/7/api/javax/servlet/annotation/WebListener.html
>>>> In OFBiz, ControlEventListener implements
HttpSessionListener
>>>>
>>>> Did you check locally or on a server your access_logs
if
you find a
>>>> jsessionid there (trunk)?
>>>>
>>>> Jacques
>>>>
>>>> Le 31/08/2024 à 13:07, Omar Abdullwahhab a écrit :
>>>>> Hi Jacques, Johan,
>>>>>
>>>>> According to my investigation to this class (
>>>>> WebAppServletContextListener.java
>>>>> <
>>
https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41
>>>>>
<
https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41>>>>>
;
)
>>>>>
>>>>> It seems to be that this listener is never
registered
, so that it has
>> no
>>>>> effect.
>>>>> Note that its annotated with
>>>>> @WebListener
>>>>>
>>>>> So confirm that I am correct, or wrong.
>>>>>
>>>>> Regards
>>>>>
>>>>> On Fri, Aug 30, 2024 at 6:30 PM Jacques Le Roux <
>>>>> jacques.le.r...@les7arts.com> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Actually it's not related to embedded Tomcat in
OFBiz.
>>>>>>
>>>>>> Since we 2017 in
WebAppServletContextListener.java we use this line
>>>>>>
>>>>>>
>>>>>>
>>
<<servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));>>
>>>>>>
>>
https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41
>>>>>>
<
https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41>>>>>>
;
If you test locally or maybe in another server than demo one, you will
>>>> not
>>>>>> find in access_logs files any line similar to
the
one below. At least
>> I
>>>> did
>>>>>> not, and that's logical since we use cookies
for
that.
>>>>>>
>>>>>> I'm not sure what's the reason yet. If you
could
confirm that it's not
>>>>>> reproductible but in demo server that would
help
to restrain the
>>>>>> possibilities
>>>>>>
>>>>>> TIA
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>> Le 29/08/2024 à 10:17, Jacques Le Roux a écrit
:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Finally it's not that clear.
>>>>>>>
>>>>>>> As can be found in trunk demo access_logs,
such URLs exist at least
>>>>>> since June 17 2024.
>>>>>>>
access_log.2024-06-17:28:66.249.75.98 -
- [17/Jun/2024:00:11:51
>>>>>> +0000] "GET
>>>>>>
>>
/partymgr/control/main%3FexternalLoginKey=ELf5183769-2759-476b-946c-2a70afe3c42d&sortField=partyId;jsessionid=EBB57C6C3C345E70501827509E05744C.jvm1
>>>>>>> HTTP/1.1" 500 1165 "-" "Mozilla/5.0
(Linux; Android 6.0.1;
>> Nexus 5X
>>>>>> Build/MMB29P) AppleWebKit/537.36 (KHTML, like
Gecko)
>>>> Chrome/125.0.6422.175
>>>>>>> Mobile Safari/537.36 (compatible;
Googlebot/2.1; +
>>>>>> http://www.google.com/bot.html)"
>>>>>>> As you can see they are rejected (HTTP 500)
since then too. Actually
>> I
>>>>>> guess they exist for a very long time. Have yet
no idea why and how
>>>> these
>>>>>>> URLs are generated.
>>>>>>>
>>>>>>> The rejection is "new" and due to a
security
fix done in May 20 2024
>>>>>> with (OFBIZ-13092) "Prevent special encoded
characters sequences in
>>>> URLs"
>>>>>>> So we need to clearly define steps to
manually generate these URLs.
>>>>>> Then, if it's OK, we could allow URLs
containing
";jsessionid=" to
>>>> bypass
>>>>>> the
>>>>>>> security filter.
>>>>>>>
>>>>>>> I copy this email to the dev ML because of
its importance
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>>
>>>>>>> Le 28/08/2024 à 15:27, Jacques Le Roux a
écrit :
>>>>>>>> Thanks Guys,
>>>>>>>>
>>>>>>>> I could not reproduce yet, but I think
we
have already enough clues
>> to
>>>>>> fix that.
>>>>>>>> Also I can find a lot of in trunk demo
log. That will be helpful
>> too.
>>>>>>>> Jacques
>>>>>>>>
>>>>>>>> Le 27/08/2024 à 16:20, 雷咩咩 a écrit :
>>>>>>>>> i can reproduce by login with
admin,
randomly click severl places,
>>>>>> then when click logout, see such error:
>>>>>>>>> HTTP Status 500 – Internal Server
Error
>>>>>>>>> Type Exception Report
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Message For security reason this
URL
is not accepted
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Description The server encountered
an
unexpected condition that
>>>>>> prevented it from fulfilling the request.
>>>>>>>>> Exception
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> java.lang.RuntimeException: For
security reason this URL is not
>>>>>> accepted
>>>>>>
>>
org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:144)
>>
org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>>>> Note The full stack trace of the
root
cause is available in the
>>>> server
>>>>>> logs.
>>>>>>>>> Apache Tomcat/9.0.91
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Yang
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
------------------ 原始邮件 ------------------
>>>>>>>>> 发件人: "user" <
johanhpcro...@gmail.com
>;
>>>>>>>>> 发送时间: 2024年8月27日(星期二) 晚上9:12
>>>>>>>>> 收件人: "user"<
u...@ofbiz.apache.org>;
>>>>>>>>>
>>>>>>>>> 主题: URL Issue
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> Not sure if anyone would be able to
assist me, I have found an
>> issue
>>>>>> which
>>>>>>>>> can also be replicated within the
demo.
>>>>>>>>> This issue normally occurs as you
navigate to a module after login.
>>>> It
>>>>>> is
>>>>>>>>> not easily replicable, once you
refresh it works and does not occur
>>>>>> again.
>>>>>>>>> Replicated the issue in multiple
modules.
>>>>>>>>> It usually adds
;jsessionid=######################.jvm1 to all the
>>>>>> URLs and
>>>>>>>>> this causes a navigation issue.
>>>>>>>>> Once you submit a form or try to
click the logout link, an Internal
>>>> 500
>>>>>>>>> Internal Server Error is being
returned
>>>>>>>>> As an example:
>>>>>>>>>
https://demo-stable.ofbiz.apache.org/partymgr/control/main
>>>>>>>>>
<
https://demo-stable.ofbiz.apache.org/partymgr/control/main>>>>>>>>>
;
>>>>>>>>> I have screenshots available,
however
I am not able to attach to
>> this
>>>>>> mail.
>>>>>>>>> Please let me know if you need me
to
upload it somewhere.
>>>>>>>>>
>>>>>>>>> Kind Regards,
>>>>>>>>> Johan Cronjé
>>>
