Hi all,
I'm facing a particular issue where the fix isn't really easy, and I
need to share it :).
I detected a problem with some ajax calls made by js scripts that fail
with error 405, like:
https://demo-next.ofbiz.apache.org/webtools/control/entity/find/SetTimeZoneFromBrowser
To reproduce, just display the page
https://demo-next.ofbiz.apache.org/webtools/control/entity/find/Party
and analyze the network traffic.
OK, the reason:
SetTimeZoneFromBrowser is a request defined in common-controller.xml, so
it is available in all components. In js the call is made by:
```js
$.ajax({
  url: "SetTimeZoneFromBrowser", // relative url, resolved by the browser against the current page url
  type: "POST",
  async: false,...
```
So the browser uses the relative url to execute the call. In the general
case we have a page like
https://demo-next.ofbiz.apache.org/$component/control/$request so js
scripts make their calls to
https://demo-next.ofbiz.apache.org/$component/control/$request-js . Since
each request-js is present in common-controller.xml, every component that
includes it can respond.
With rest urls, the uri pattern is more complex, and the js script
generates a relative call like the one above:
https://demo-next.ofbiz.apache.org/webtools/control/entity/find/SetTimeZoneFromBrowser.
The ControlServlet behind it fails to retrieve the correct request and
generates an http error 405.
How to fix:
After different tries, I propose to remove all relative calls and create
a dedicated webapp for that.
```js
$.ajax({
  url: "/common-js/control/SetTimeZoneFromBrowser", // absolute path: independent of the current page url
  type: "POST",
  async: false,...
```
Open a new webapp in commonext to do that and redirect all relative calls
to it.
I propose to implement it in commonext because framework/common needs to
stay unexposed. Common-theme is dedicated to exposing theming
information and is not a direct relay to common requests. So commonext seems
to be the better solution as a relay for the common requests managed by the
common-controller.
The problem with this solution: all webapps have their sessions separate,
so accessing a json request through commonext generates a security issue
if the request has auth enabled. We can enable SSO in OFBiz for that,
but do we need that for all OFBiz webapps by default? We can imagine a
specific solution using a cookie system like autologin with more
security, only on commonext, to be sure to allow the functionality in
many configurations.
Thanks for taking the time to read this, and please share if you have any
thoughts on finding the better solution.
Nicolas
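The mechanism behind the 405 above, as an added example that is not part of Nicolas's post or of the OFBiz code base: a browser resolves the `$.ajax` url as a URL reference against the page url, so a bare name like `SetTimeZoneFromBrowser` only replaces the last path segment of the page, and on a REST-style page the extra segments (`entity/find/`) stay in front of it. The script below reproduces that resolution with the standard `URL` class and runs the result through a toy model of ControlServlet dispatch. The `common-js` webapp is the proposal from the post, not an existing webapp; the `SomeRequest` page and the request tables are constructed for the example, and real OFBiz routing is more involved than this lookup.

```javascript
// Added example (not code from the original post or from OFBiz): shows how the
// browser resolves the $.ajax url against the page url, and a toy model of
// ControlServlet dispatch that reproduces the failure described in the post.
// Assumptions: the "common-js" webapp is the author's proposal, not an existing
// webapp; "SomeRequest" and the request tables below are constructed for the
// example; real OFBiz routing is more involved than this lookup.
const ORIGIN = "https://demo-next.ofbiz.apache.org";

// Request uris defined in common-controller.xml are available in every webapp
// that includes it (toy table).
const COMMON_REQUESTS = ["SetTimeZoneFromBrowser"];
const WEBAPP_REQUESTS = {
  webtools: [...COMMON_REQUESTS, "SomeRequest", "entity/find/Party"],
  "common-js": [...COMMON_REQUESTS],
};

// What the browser does with $.ajax({url}): resolve it as a URL reference
// against the document URL. A relative name replaces only the last path
// segment of the page, so the result depends on how deep the page url is;
// an absolute path ("/...") ignores the page path entirely.
function resolveAjaxUrl(pageUrl, requestUrl) {
  return new URL(requestUrl, pageUrl).href;
}

// Toy ControlServlet: split /<webapp>/control/<request-uri> and look the
// request uri up in that webapp's controller. The 405 mirrors what the post
// reports when no request matches the uri.
function dispatch(url) {
  const { pathname } = new URL(url);
  const m = pathname.match(/^\/([^/]+)\/control\/(.+)$/);
  if (!m) return { status: 404, reason: "not a ControlServlet path" };
  const [, webapp, requestUri] = m;
  const known = WEBAPP_REQUESTS[webapp];
  if (!known) return { status: 404, reason: `no webapp '${webapp}'` };
  if (!known.includes(requestUri)) {
    return { status: 405, webapp, requestUri, reason: "no request matches this uri" };
  }
  return { status: 200, webapp, requestUri };
}

// Resolve the ajax url from a given page, then dispatch it.
function simulate(pageUrl, requestUrl) {
  const resolved = resolveAjaxUrl(pageUrl, requestUrl);
  return { resolved, ...dispatch(resolved) };
}

// Demo: classic page with the relative call, REST-style page with the relative
// call (the failure from the post), REST-style page with the absolute call to
// the proposed common-js webapp.
const CLASSIC_PAGE = `${ORIGIN}/webtools/control/SomeRequest`;
const REST_PAGE = `${ORIGIN}/webtools/control/entity/find/Party`;
for (const [page, req] of [
  [CLASSIC_PAGE, "SetTimeZoneFromBrowser"],
  [REST_PAGE, "SetTimeZoneFromBrowser"],
  [REST_PAGE, "/common-js/control/SetTimeZoneFromBrowser"],
]) {
  const r = simulate(page, req);
  console.log(`${r.status} ${r.resolved}${r.reason ? " (" + r.reason + ")" : ""}`);
}
```

The third case lands in a different webapp than the page that issued it, which is exactly where the session problem from the post comes in: a servlet container scopes the session cookie to the webapp's context path by default, so a request to `/common-js/...` does not carry the `/webtools` session, and any auth-enabled request behind it sees an unauthenticated caller. The example does not model that; it only shows the url resolution and the routing.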