Hi Paul,

While the proposition to move to SSL is open for discussion elsewhere, I
share Michael's concern that the issue we are discussing here might not
have been done properly. The discussion in JIRAs and the way the commits
were done give me the impression that this was a quick hack more than a
proper solution, and it did leave the system broken because I can go to any
URL in OFBiz like, say, http://localhost:8080/partymgr and it will transfer
me to https://localhost/partymgr/control and give me a resource not found
error. This is a broken system!

As for switching to SSL, I don't know actually, but I would think a proper
solution is perhaps to make this into a configuration instead of a flat-out
block of port 8080.

Regards,

Taher Alkhateeb

On Tue, Mar 14, 2017 at 3:47 AM, Paul Foxworthy <[email protected]> wrote:

> Hi all,
>
> I agree with Taher, we should simply remove non-SSL access. The world is
> rapidly moving to SSL only.
>
> It is now close to essential that passwords should be encrypted in transit
> for a serious system like OFBiz.
>
> Cheers
>
> Paul Foxworthy
>
>
> On 14 March 2017 at 07:18, Michael Brohl <[email protected]> wrote:
>
> > Unfortunately I do not have the time to dig deeper into this but I've got a
> > bad feeling about this and similar threads we had lately.
> >
> > Ports 8080 and 8443 have been used for a long time without problems and it's a
> > common production setting if you run OFBiz behind a webserver connected
> > through AJP. I don't see any reason why we should not use port 8080 in
> > OFBiz, even if it is getting more common to have everything on https.
> >
> > Even if this work is done in trunk, which is regarded as unstable, we
> > should take more care to commit consistent and working code instead of
> > using trunk as a playground and dumping place for unfinished work.
> >
> > I'm in favor of not committing and waiting until everything works as
> > expected instead of beginning work, committing and then leaving it as is
> > because there is "no time to look at it right now". We can always use
> > branches for this kind of work.
> >
> > My apologies if I got this wrong but I feel uneasy with this approach.
> >
> > Best regards,
> >
> > Michael
> >
> >
> > On 13.03.17 at 16:55, Taher Alkhateeb wrote:
> >
> >> I faced this issue again while trying some tests today, and I read your
> >> comments which refer to this as "not a bug".
> >>
> >> So my question is: if we should not use 8080 as the port, why is it enabled
> >> in the first place in OFBiz? Why not disable it completely instead of
> >> confusing people?
> >>
> >> On Fri, Mar 3, 2017 at 10:49 PM, Taher Alkhateeb <[email protected]> wrote:
> >>
> >>> Okay so it seems this issue was introduced by your work based on what I
> >>> read in jira. I don't think you should apply code changes that cause
> >>> regressions like this one.
> >>>
> >>> On Mar 3, 2017 4:40 PM, "Jacques Le Roux" <[email protected]> wrote:
> >>>
> >>> On 02/03/2017 at 17:12, Jacques Le Roux wrote:
> >>>>
> >>>> On 02/03/2017 at 15:52, Taher Alkhateeb wrote:
> >>>>>
> >>>>>> I'm not sure who committed what, but now the automatic redirection
> >>>>>> from 8080 to 8443 ssl is broken. Jacques, is this related to your work
> >>>>>> on port offset stuff?
> >>>>>>
> >>>>>> This is only with localhost, right?
> >>>>>>
> >>>>> If it's the case, I guess it's related to OFBIZ-9206 but I have no time
> >>>>> to look at it right now
> >>>>>
> >>>>> Jacques
> >>>>>
> >>>>>
> >>>>> See my comments at OFBIZ-9242
> >>>>>
> >>>> Jacques
> >>>>
> >>>>
> >>>>
> >
> >
>
>
> --
> Coherent Software Australia Pty Ltd
> PO Box 2773
> Cheltenham Vic 3192
> Australia
>
> Phone: +61 3 9585 6788
> Web: http://www.coherentsoftware.com.au/
> Email: [email protected]
>
