[
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17042404#comment-17042404
]
Jacques Le Roux commented on OFBIZ-11306:
-----------------------------------------
Hi James,
bq. I think csrf-defense-enabled can be removed.
OK, I'll do it in the patch to come. Better to have that in CSRF-related code
indeed.
bq. For the getEntityRefData error, does it still occur after removing the
current patch?
Bingo! This is an older issue and is twofold on Windows.
The 1st one is specific to my OFBiz home path:
{noformat}
Caused by: java.util.regex.PatternSyntaxException: Unknown character property name {r} near index 4
C:\projectsASF\Git\ofbiz-framework/
    ^
    at java.util.regex.Pattern.error(Pattern.java:1957) ~[?:1.8.0_202]
    at java.util.regex.Pattern.charPropertyNodeFor(Pattern.java:2783) ~[?:1.8.0_202]
    at java.util.regex.Pattern.family(Pattern.java:2738) ~[?:1.8.0_202]
    at java.util.regex.Pattern.sequence(Pattern.java:2078) ~[?:1.8.0_202]
    at java.util.regex.Pattern.expr(Pattern.java:1998) ~[?:1.8.0_202]
    at java.util.regex.Pattern.compile(Pattern.java:1698) ~[?:1.8.0_202]
    at java.util.regex.Pattern.<init>(Pattern.java:1351) ~[?:1.8.0_202]
    at java.util.regex.Pattern.compile(Pattern.java:1028) ~[?:1.8.0_202]
    at java.lang.String.replaceFirst(String.java:2178) ~[?:1.8.0_202]
    at org.apache.ofbiz.webtools.WebToolsServices.getEntityRefData(WebToolsServices.java:770) ~[main/:?]
{noformat}
I fixed it using {{StringUtils.replaceOnce}}, in other places as well. I have
fixed it in OFBIZ-11396.
You then get to the 2nd issue, which is easy to reproduce on trunk demo, though
you see it only in the log, nothing on screen, unlike on Windows (thank you Windows
for spotting that ;) )
Here is the log on trunk demo:
{noformat}
2020-02-21 21:11:56,445 |ajp-nio-8009-exec-2 |WebToolsServices |E| null
java.util.MissingResourceException: Can't find resource for bundle org.apache.ofbiz.base.util.UtilProperties$UtilResourceBundle, key FieldDescription.WorkEffortType.createdTxStamp
    at java.util.ResourceBundle.getObject(ResourceBundle.java:450) ~[?:1.8.0_242]
    at java.util.ResourceBundle.getObject(ResourceBundle.java:444) ~[?:1.8.0_242]
    at java.util.ResourceBundle.getString(ResourceBundle.java:407) ~[?:1.8.0_242]
    at org.apache.ofbiz.webtools.WebToolsServices.getEntityRefData(WebToolsServices.java:685) [main/:?]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_242]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_242]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_242]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_242]
    at org.apache.ofbiz.service.engine.StandardJavaEngine.serviceInvoker(StandardJavaEngine.java:100) [main/:?]
    [...]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util-9.0.29.jar:9.0.29]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_242]
2020-02-21 21:11:56,445 |ajp-nio-8009-exec-2 |WebToolsServices |E| null
java.util.MissingResourceException: Can't find resource for bundle org.apache.ofbiz.base.util.UtilProperties$UtilResourceBundle, key FieldDescription.createdTxStamp
    at java.util.ResourceBundle.getObject(ResourceBundle.java:450) ~[?:1.8.0_242]
    at java.util.ResourceBundle.getObject(ResourceBundle.java:444) ~[?:1.8.0_242]
    at java.util.ResourceBundle.getString(ResourceBundle.java:407) ~[?:1.8.0_242]
    at org.apache.ofbiz.webtools.WebToolsServices.getEntityRefData(WebToolsServices.java:695) [main/:?]
    [...]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_242]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util-9.0.29.jar:9.0.29]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_242]
2020-02-21 21:11:56,445 |ajp-nio-8009-exec-2 |ServiceDispatcher |T| Sync service [webtools/getEntityRefData] finished in [5760] milliseconds
    at org.apache.ofbiz.webtools.WebToolsServices.getEntityRefData(WebToolsServices.java:685) [main/:?]
{noformat}
So it repeats almost "ad ib" and eventually stops after 5+ seconds there.
I'll trace and fix that in another Jira later...
> POC for CSRF Token
> ------------------
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL APPLICATIONS
> Affects Versions: Upcoming Branch
> Reporter: James Yong
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java,
> CsrfUtil.java, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch,
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch,
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch,
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch,
> OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch,
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch,
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch,
> OFBIZ-11306_Plugins.patch, partyTokenMap.webtools.txt
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a
> "time out").
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to
> exempt or force CSRF token check.
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no
> need to manually add the CSRF token field to each form in the ftl files. It
> will save time for users doing custom implementation and maintenance. While
> there is CSRF token in the form URL, the token is invalidated during form
> submission. So it's unique and harmless even though the CSRF token of the form
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs
> out or the session is invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF
> token check. (Note there are discussions that RequestMap with ‘all’ method
> should also not be subjected to CSRF token check. This will be done after
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the
> general rules above.
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside
> the constructor of RequestMap class) when determining the final
> securityCsrfToken value.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
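The PatternSyntaxException in the comment above comes from passing a Windows path to String.replaceFirst, whose first argument is a regular expression: in `C:\projectsASF` the `\p` is parsed as a Unicode property escape and the following `r` as the (unknown) property name, which is exactly the "Unknown character property name {r} near index 4" message. The example below is added here and is not OFBiz code; the path and file name are constructed. It reproduces the failure and shows the plain-JDK literal-matching fix (Pattern.quote plus Matcher.quoteReplacement), which does the same literal replacement as the StringUtils.replaceOnce change the comment mentions. On Linux or macOS the unquoted call works silently because POSIX paths contain no backslashes, which is why the problem surfaced only on Windows.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class LiteralPrefixStrip {

    // Constructed Windows-style OFBiz home path, shaped like the one in the stack trace.
    static final String OFBIZ_HOME = "C:\\projectsASF\\Git\\ofbiz-framework/";

    /**
     * The failing form: the home path is interpreted as a regex, so "\p" is read as a
     * Unicode property escape. Throws PatternSyntaxException on a Windows path.
     */
    static String stripHomeAsRegex(String fullPath, String home) {
        return fullPath.replaceFirst(home, "");
    }

    /**
     * Plain-JDK fix: Pattern.quote makes every character of the search text literal
     * (backslashes, dots, "$", parentheses included), and Matcher.quoteReplacement
     * keeps "$" and "\" in the replacement literal as well. Apache Commons Lang's
     * StringUtils.replaceOnce, used in the actual fix, is a literal replacement too.
     */
    static String stripHomeLiterally(String fullPath, String home) {
        return fullPath.replaceFirst(Pattern.quote(home), Matcher.quoteReplacement(""));
    }

    public static void main(String[] args) {
        // Constructed file path underneath the home directory.
        String file = OFBIZ_HOME + "framework/entity/entitydef/entitymodel.xml";
        try {
            stripHomeAsRegex(file, OFBIZ_HOME);
        } catch (PatternSyntaxException e) {
            System.out.println("regex-based replaceFirst failed: " + e.getDescription());
        }
        System.out.println("literal replaceFirst gives: " + stripHomeLiterally(file, OFBIZ_HOME));
    }
}
```

The same rule applies to String.replaceAll, String.split and String.matches: any value that is not a hand-written pattern (file paths, user input, configuration strings) should go through Pattern.quote or a literal replacement helper before reaching them.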
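The quoted description lays out the general rules for when a request map is subject to the CSRF token check, plus how tokens are generated (SecureRandom), consumed on form submission, and removed at logout. The example below is an added illustration of those rules, not the CsrfUtil or RequestMap code attached to this issue; the RequestMap and TokenStore classes, the method names and the sample URIs are all hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class CsrfRulesDemo {
    private static final SecureRandom RNG = new SecureRandom();

    /** Hypothetical stand-in for a controller request-map entry; not OFBiz's RequestMap class. */
    static final class RequestMap {
        final String uri;
        final String method;      // "get", "post" or "all", as in controller.xml
        final Boolean csrfToken;  // the csrf-token attribute; null when it is not set

        RequestMap(String uri, String method, Boolean csrfToken) {
            this.uri = uri;
            this.method = method;
            this.csrfToken = csrfToken;
        }
    }

    /**
     * General rules from the issue description, in priority order: an explicit
     * csrf-token attribute overrides everything, "main" URIs are exempt, 'get'
     * is exempt, 'post' and 'all' are checked.
     */
    static boolean requiresCsrfCheck(RequestMap rm) {
        if (rm.csrfToken != null) {
            return rm.csrfToken;
        }
        if ("main".equals(rm.uri)) {
            return false;
        }
        if ("get".equalsIgnoreCase(rm.method)) {
            return false;
        }
        return "post".equalsIgnoreCase(rm.method) || "all".equalsIgnoreCase(rm.method);
    }

    /** Per-session token store standing in for the session attribute or UtilCache entry. */
    static final class TokenStore {
        private final Map<String, String> tokens = new HashMap<>(); // keyed by target request URI

        /** 256 random bits from SecureRandom, base64url-encoded so the token is URL-safe. */
        String issue(String uri) {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            tokens.put(uri, token);
            return token;
        }

        /** Single-use verification: constant-time comparison; a matching token is consumed. */
        boolean verifyAndConsume(String uri, String presented) {
            String expected = tokens.get(uri);
            if (expected == null || presented == null) {
                return false;
            }
            boolean ok = MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    presented.getBytes(StandardCharsets.UTF_8));
            if (ok) {
                tokens.remove(uri); // a replayed submission of the same form is rejected
            }
            return ok;
        }

        /** Called on logout or session invalidation, as the description requires. */
        void clear() {
            tokens.clear();
        }
    }

    public static void main(String[] args) {
        // Sample request maps (constructed URIs).
        System.out.println("main/post   -> " + requiresCsrfCheck(new RequestMap("main", "post", null)));          // main exempt
        System.out.println("find/get    -> " + requiresCsrfCheck(new RequestMap("findParty", "get", null)));      // get exempt
        System.out.println("update/all  -> " + requiresCsrfCheck(new RequestMap("updateParty", "all", null)));    // all checked
        System.out.println("update/post, csrf-token=false -> "
                + requiresCsrfCheck(new RequestMap("updateParty", "post", Boolean.FALSE)));                     // attribute override

        TokenStore session = new TokenStore();
        String token = session.issue("updateParty");
        System.out.println("first submission  -> " + session.verifyAndConsume("updateParty", token));
        System.out.println("second submission -> " + session.verifyAndConsume("updateParty", token)); // consumed
        session.clear(); // logout
    }
}
```

MessageDigest.isEqual is used rather than String.equals so that the comparison does not leak how many leading characters of the token matched; the store is keyed per request URI because the description issues a token per form URL, and clearing it on logout is what prevents a token from outliving the session that issued it.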