[jira] [Updated] (OFBIZ-6888) GroovyEngine.serviceInvoker masks Groovy script exceptions in some cases

2016-02-09 Thread Forrest Rae (JIRA)

 [ 
https://issues.apache.org/jira/browse/OFBIZ-6888?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Forrest Rae updated OFBIZ-6888:
---
Attachment: OFBIZ-6888.patch

Patch to fix issue.

> GroovyEngine.serviceInvoker masks Groovy script exceptions in some cases
> 
>
> Key: OFBIZ-6888
> URL: https://issues.apache.org/jira/browse/OFBIZ-6888
> Project: OFBiz
>  Issue Type: Bug
>  Components: framework
>Affects Versions: Release Branch 13.07, Release Branch 14.12, Trunk, 
> Release Branch 15.12
>Reporter: Forrest Rae
>  Labels: errorhandling
> Attachments: OFBIZ-6888.patch
>
>
> If GroovyEngine.serviceInvoker catches an exception in a Groovy script, it 
> would mask the exception in some cases.  An exception's detailMessage can be 
> null.  If it is null, the exception won't be properly returned and logged, 
> and that will make spotting problems very difficult.  This was the case for 
> me while trying to track down a problem with a 
> java.util.ConcurrentModificationException error in a Groovy script.  I 
> suspect that this choice to mask exceptions and only return the message has 
> caused bugs to go unspotted.
> Disabling this for now in favor of returning a proper exception.  
> GroovyEngine.serviceInvoker() should throw GenericServiceException on error, 
> rather than returning ServiceUtil.returnError(e.getMessage()).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Created] (OFBIZ-6888) GroovyEngine.serviceInvoker masks Groovy script exceptions in some cases

2016-02-09 Thread Forrest Rae (JIRA)
Forrest Rae created OFBIZ-6888:
--

 Summary: GroovyEngine.serviceInvoker masks Groovy script 
exceptions in some cases
 Key: OFBIZ-6888
 URL: https://issues.apache.org/jira/browse/OFBIZ-6888
 Project: OFBiz
  Issue Type: Bug
  Components: framework
Affects Versions: Release Branch 15.12, Trunk, Release Branch 14.12, 
Release Branch 13.07
Reporter: Forrest Rae


If GroovyEngine.serviceInvoker catches an exception in a Groovy script, it 
would mask the exception in some cases.  An exception's detailMessage can be 
null.  If it is null, the exception won't be properly returned and logged, and 
that will make spotting problems very difficult.  This was the case for me 
while trying to track down a problem with a 
java.util.ConcurrentModificationException error in a Groovy script.  I suspect 
that this choice to mask exceptions and only return the message has caused bugs 
to go unspotted.

Disabling this for now in favor of returning a proper exception.  
GroovyEngine.serviceInvoker() should throw GenericServiceException on error, 
rather than returning ServiceUtil.returnError(e.getMessage()).




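The masking described in the report, as an added example (this is not OFBiz code, and it does not depend on the OFBiz framework): `returnError` and `GenericServiceException` below are stand-ins for OFBiz's `ServiceUtil.returnError(String)` and `GenericServiceException`, so the file compiles on its own. The script body reproduces the reporter's symptom: `java.util.ConcurrentModificationException` is thrown with a null message, so `e.getMessage()` is null and the "before" invoker returns an error result that says nothing about what failed. The "after" invoker wraps the original exception, so the type, the message (or the class name when there is none) and the stack trace all reach the caller and the log.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example, not OFBiz code. The helpers below are stand-ins for
// ServiceUtil.returnError(String) and GenericServiceException (assumptions).
public class ExceptionMaskingDemo {

    /** Stand-in for ServiceUtil.returnError(String): the message is all that survives. */
    static Map<String, Object> returnError(String message) {
        Map<String, Object> result = new HashMap<>();
        result.put("responseMessage", "error");
        result.put("errorMessage", message); // null when the exception carried no message
        return result;
    }

    /** Stand-in for GenericServiceException: keeps the original throwable as its cause. */
    static class GenericServiceException extends Exception {
        GenericServiceException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /** Fails the way the report describes: the loop removes from the list it iterates. */
    static Map<String, Object> scriptBody(Map<String, Object> context) {
        List<String> items = new ArrayList<>(List.of("a", "b", "c"));
        for (String item : items) {
            if ("a".equals(item)) {
                items.remove(item); // next iteration throws ConcurrentModificationException, no message
            }
        }
        Map<String, Object> result = new HashMap<>();
        result.put("items", items);
        return result;
    }

    /** Before: only e.getMessage() is kept, so a message-less exception is lost entirely. */
    static Map<String, Object> invokeMasking(Map<String, Object> context) {
        try {
            return scriptBody(context);
        } catch (Exception e) {
            return returnError(e.getMessage());
        }
    }

    /** After: rethrow as a service exception carrying the cause, so type and stack trace survive. */
    static Map<String, Object> invokeWrapping(Map<String, Object> context) throws GenericServiceException {
        try {
            return scriptBody(context);
        } catch (Exception e) {
            // Fall back to the class name so the wrapped message is never empty.
            String detail = e.getMessage() != null ? e.getMessage() : e.getClass().getName();
            throw new GenericServiceException("Groovy service failed: " + detail, e);
        }
    }

    public static void main(String[] args) {
        Map<String, Object> masked = invokeMasking(new HashMap<>());
        System.out.println("masked: errorMessage=" + masked.get("errorMessage"));
        try {
            invokeWrapping(new HashMap<>());
        } catch (GenericServiceException e) {
            System.out.println("wrapped: " + e.getMessage());
            System.out.println("cause: " + e.getCause().getClass().getName());
        }
    }
}
```

Running `main` shows the difference: the masking path prints an error result whose `errorMessage` is null, while the wrapping path prints a message naming `java.util.ConcurrentModificationException` and keeps the cause for the log. Note the detail of the reproduction: removing an element from an `ArrayList` during a for-each loop only throws when the iterator still has elements left after the removal, which is why the example removes the first element rather than the second-to-last.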

[jira] [Commented] (OFBIZ-5840) Create bootstrap theme

2016-02-09 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-5840?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15139931#comment-15139931
 ] 

Jacques Le Roux commented on OFBIZ-5840:


Take your time Julien, there is no hurry :)

> Create bootstrap theme
> --
>
> Key: OFBIZ-5840
> URL: https://issues.apache.org/jira/browse/OFBIZ-5840
> Project: OFBiz
>  Issue Type: New Feature
>  Components: framework, themes
>Affects Versions: Bootstrap theme
>Reporter: Julien NICOLAS
>Assignee: Jacques Le Roux
>  Labels: bootstrap, theme
> Attachments: Facility.PNG, FindAgreement..png, Footer.jpg, 
> GlobalDecorator.patch, ImprovedFooter.patch, MacroMenuRenderer.patch, 
> OFBIZ-5840-Menufactory.patch, OFBIZ-5840-Menufactory.patch, 
> appbar_menu_ftl.patch, bootified.js, bootified_js_screentrans.patch, 
> bootstrap-theme.zip, bootstrap.zip, bootstrapThemeToTrunk.patch, 
> calendar.PNG, catalog.png, glyphicons-halflings-regular.zip, 
> htmlMenuMacroLibrary.patch, lookupField_patch.patch, 
> pagination_htmlFormMacroLibrary.patch, 
> panelCollapse_htmlSreenMacroLibrary.patch, party menu tab bar.PNG, 
> preferences.png, styling_issue_1.png, styling_issue_2.png, 
> styling_issue_3.png, styling_issue_4.png, styling_issue_5.png, 
> styling_issue_6.png, styling_issue_7.png, styling_issue_8.png, 
> styling_issue_9.png, tab-bar.png, workeffort.PNG
>
>
> 1- create a sub-directory called bootstrap under the image webapp to put
> the resources over there (js, css and fonts) as indicated earlier by Gavin.
> (Julien : not sure about location)
> 2- check to make sure that the current version of jQuery is compatible with
> the installed version or upgrade it accordingly
> 3- Create a new theme based on one of the existing themes as suggested by
> Julien and Gavin
> 4- Test the theme by switching to it and handle major bugs / issues.
> 5- Start to make a few test screens utilizing Bootstrap





[jira] [Commented] (OFBIZ-5840) Create bootstrap theme

2016-02-09 Thread Julien NICOLAS (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-5840?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15139793#comment-15139793
 ] 

Julien NICOLAS commented on OFBIZ-5840:
---

I was wondering about enhancing rainbowstone to match your preference, Jacques. 
But you spent time merging this branch and it's a pity not to finish this 
work.
I'll take a look tonight; not sure I'll find a solution, but I don't want to 
leave you alone with an effort that I asked for :)

The more I understand CSS, the less I need bootstrap. Today, I'm not sure about 
integrating it in the backend. I'm convinced that it's interesting to use it for 
the default e-commerce website, but for the backend... I'm not sure right now.

So I'll take a look and hope that I find something :)






[jira] [Commented] (OFBIZ-6452) Bad Lookup Field

2016-02-09 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6452?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15139731#comment-15139731
 ] 

Jacques Le Roux commented on OFBIZ-6452:


This has been applied, not sure why it's not yet said here

> Bad Lookup Field
> 
>
> Key: OFBIZ-6452
> URL: https://issues.apache.org/jira/browse/OFBIZ-6452
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Bootstrap theme
>Reporter: Gavin Mabie
>Assignee: Gavin Mabie
> Attachments: lookupField_patch.patch
>
>
> Lookup buttons in forms not displaying properly.  This is linked to css in 
> legacy.css.  Comment out .field-lookup a selector line 2112





[jira] [Commented] (OFBIZ-5840) Create bootstrap theme

2016-02-09 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-5840?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15139753#comment-15139753
 ] 

Jacques Le Roux commented on OFBIZ-5840:


I succeeded in merging the branch into a trunk version back at r1685214. I then svn 
updated and built; all went fine but for 2 conflicts I marked as resolved (no real 
merge conflicts). I applied the BranchMergeToTrunk.patch (the one committed in 
the branch) which is needed because getMenuFromLocation() methods are called in 
appbar.ftl
I had to fix an issue with
{code}
freemarker.template.TemplateModelException: No error description was specified 
for this error; low-level message: java.lang.ClassNotFoundException: 
org.ofbiz.widget.menu.MenuFactory
{code}
where org.ofbiz.widget.menu.MenuFactory should have been 
org.ofbiz.widget.model.MenuFactory (I was surprised by that one, Adrian changed 
it in April 2015). I did it in 3 files: appbar.ftl, appbarOpen.ftl and 
header.ftl

Then I got a page at 
https://localhost:8443/catalog/control/login?USERNAME=admin&PASSWORD=ofbiz&JavaScriptEnabled=Y
 but neither the menus, nor the lookups (including auto-completion), nor the buttons 
work. I had a look at the lookupField_patch.patch but it was already applied, 
so unrelated to the issue. I gave up at this stage... but I have not said my last 
word yet...

I could commit the current state I have, but I believe it's easy to get to this 
stage so no need to pollute the branches. We will see if we are still 
interested. It would be a pity to lose the work done, unless someone can 
give us a good reason?






[jira] [Comment Edited] (OFBIZ-5840) Create bootstrap theme

2016-02-09 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-5840?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14574423#comment-14574423
 ] 

Jacques Le Roux edited comment on OFBIZ-5840 at 2/9/16 8:30 PM:


Done with OFBIZ-6452





was (Author: gavin.ma...@urbannex.co.za):
Done









[jira] [Commented] (OFBIZ-6849) Use only HTTPS in OFBiz

2016-02-09 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15139418#comment-15139418
 ] 

Jacques Le Roux commented on OFBIZ-6849:


The most important problem was ecomseo. I just retried (w/o changes) with the most 
important browsers (latest versions), trying both possibilities (though now only 
HTTPS should be used)
# https://localhost:8443/ecomseo
all tried browsers work the 1st time
# http://localhost:8080/ecomseo
** FF: 404, works the 2nd time (F5), redirects to https://localhost:8443/ecomseo
** Chrome: 404, works the 2nd time (F5), redirects to https://localhost:8443/ecomseo
** IE 11: 404, stays. I guess it's related to HSTS, I will dig into that
** Opera: 404, works the 2nd time (F5), redirects to https://localhost:8443/ecomseo

The difficulty here is that you don't need to login to access ecommerce or 
ecomseo (anonymous access). Though there is any problems with 
http://localhost:8080/ecommerce/control/main. So this still needs to be 
clarified but is not blocking





buildbot success in on ofbiz-branch14

2016-02-09 Thread buildbot
The Buildbot has detected a restored build on builder ofbiz-branch14 while 
building . Full details are available at:
https://ci.apache.org/builders/ofbiz-branch14/builds/129

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: lares_ubuntu

Build Reason: forced: by IRC user  (privmsg): forces manual build. It 
seems Buildbot did not detect merged commit (R15+R14)
Build Source Stamp: HEAD
Blamelist: 

Build succeeded!

Sincerely,
 -The Buildbot





[jira] [Commented] (OFBIZ-6805) Session already invalidate (removeAttribute: Session already invalidated) on destroyCart for anonymous userLogin

2016-02-09 Thread Jacques Le Roux (JIRA)

[ 
https://issues.apache.org/jira/browse/OFBIZ-6805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15138946#comment-15138946
 ] 

Jacques Le Roux commented on OFBIZ-6805:


I also reverted R15 and R14 at r1729379

See https://ci.apache.org/builders/ofbiz-branch14/builds/118#changes-
and 
https://ci.apache.org/builders/ofbiz-branch14
for details

> Session already invalidate (removeAttribute: Session already invalidated) on 
> destroyCart for anonymous userLogin
> 
>
> Key: OFBIZ-6805
> URL: https://issues.apache.org/jira/browse/OFBIZ-6805
> Project: OFBiz
>  Issue Type: Bug
>  Components: order
>Affects Versions: Trunk
>Reporter: Ankush Upadhyay
>Assignee: Deepak Dixit
> Fix For: 14.12.01, Upcoming Branch
>
> Attachments: DestroyCart.patch
>
>
> ShoppingCartEvents.destroyCart event throws the error *Session already 
> invalidated (removeAttribute: Session already invalidated)* if an anonymous 
> userLogin is set into the session and this session is going to be destroyed.
> The reason is that the clearCart method invalidates the session and after that 
> the destroyCart method calls the removeAttribute method on the same session object.





[jira] [Updated] (OFBIZ-6849) Use only HTTPS in OFBiz

2016-02-09 Thread Jacques Le Roux (JIRA)

 [ 
https://issues.apache.org/jira/browse/OFBIZ-6849?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-6849:
---
Description: 
I recently (~4 weeks ago) started the ["Performance over security, is that 
reasonable?"|http://markmail.org/message/ubgacfzfxvlvlqva] thread on the dev ML. I 
think I did not explain myself well then. I must say it's easy to drown in 
details with this subject when you want to illustrate the reasons.

So instead of only answering on the dev ML, I decided it would be good to create 
a Jira task, with maybe related tasks; here it is.

For now I consider it only an improvement, but since it's a security matter we 
can discuss backporting later.

\\

h2. TL;DR
h3. Performance over security?
So why was this thread opposing performance and security? First we need to 
understand that here performance stands for HTTP and security for HTTPS.

h5. Why is HTTP standing for performance?
Actually there is now not much performance difference between the 2 protocols, but 
you can't cache HTTPS requests and that sometimes (inter-continental requests) 
matters.


h3. And why the question about being reasonable or not?
I think it's unreasonable to put performance over security. And nowadays you 
are not secure when you use HTTP mixed with HTTPS. Most of the time when you 
mix both, it's because you want to identify a user using a sessionId, so with 
HTTPS, after the user started with HTTP. As Forrest concisely explained in the 
above referenced thread:
{quote}
If you're switching between HTTPS and HTTP based on some criteria, an attacker 
can leverage that to trick the user into all kind of things.
{quote}
It's also well and simply explained (with other things) in [this 
article|http://arstechnica.com/business/2011/03/https-is-great-here-is-why-everyone-needs-to-use-it-so-ars-can-too/]:
{quote}
The HTTP spec defines a “Secure” flag for cookies, which instructs the browser 
to only send that cookie value over SSL. If sites set that cookie like they’re 
supposed to, then yes, SSL is helping you out. Most sites don’t, however, and 
browsers will happily send the sensitive cookies over unencrypted HTTP. Our 
hypothetical skeezebag really just needs some way to trick you into opening a 
normal HTTP URL, maybe by e-mailing you a link to 
http://yourbank.com/a-picture-of-ponies-and-rainbows.gif so he can sniff the 
plain-text cookie off your unencrypted HTTP request, or by surreptitiously 
embedding a JavaScript file via some site’s XSS vulnerability.
{quote}
Of course if your site is only showing things and nobody ever has to identify, 
then you are not at risk and HTTP only is perfect. But with an ecommerce kind of 
site or such, it's rarely the case; most of the time users need to identify!

\\
So why are people still mixing HTTP and HTTPS on their sites? In the 1st answer 
at 
[\[1\]|https://security.stackexchange.com/questions/4369/why-is-https-not-the-default-protocol#answer-4376]
 Thomas Pornin and others gave some interesting points and answers. At 
[\[2\]|http://arstechnica.com/business/2011/03/https-is-more-secure-so-why-isnt-the-web-using-it/]
 Yves Lafon also gave a good summary, even if a bit old now. I also took some 
questions/answers from 
[\[3\]|https://stackoverflow.com/questions/2746047/why-not-use-https-for-everything]. 
So you might check those links by yourself; here is an abstract:

# *"Some browsers may not support SSL"* Only old Lynx versions, negligible
# *"Connection initiation requires some extra network roundtrips"* Negligible, 
but for sites which serve mostly static content, see "static content takes a 
hit" below.
# *"the SSL initial key exchange adds to the latency"* As [completely explained 
here|https://security.stackexchange.com/questions/4369/why-is-https-not-the-default-protocol#comment-6560]:
 "most TLS server use a RSA key and the client part of RSA is cheap (the server 
incurs most of the cost in RSA)". Still better to have [not too short sessions, 
as explained 
here|https://stackoverflow.com/questions/149274/http-vs-https-performance]
# *"static content takes a hit"* You should though store static content apart. 
OFBiz comes with ofbizContentUrl and content.properties for that. But you 
should still use HTTPS. The [complete 
answer|https://security.stackexchange.com/questions/4369/why-is-https-not-the-default-protocol#comment-6560]
 for the last question (just above this one) also applies here. Also this is 
quite interesting https://www.httpvshttps.com/ and proves *HTTPS can be faster 
than HTTP*
# *"HTTPS servers must use one IP per server name"* or *"it doesn't work with 
virtual hosts"* This issue has long been solved by [Server Name 
Indication|https://en.wikipedia.org/wiki/Server_Name_Indication] which is 
supported by all major browsers nowadays.
# *Certificates are expensive* For demos, etc. (ie not for real production 
sites where a certificate is mandatory anyway) but this no l

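The two mechanisms the issue and the earlier comment turn on, the cookie `Secure` flag and HSTS, as an added example that is not part of the Jira thread or of OFBiz: a small Java audit that parses a constructed HTTP response, reports every `Set-Cookie` missing `Secure` (the browser would then send it over plain HTTP, which is exactly the sniffing scenario quoted from Ars Technica) or `HttpOnly` (the injected-script case), reports a missing `Strict-Transport-Security` header, and computes the HTTPS redirect target for a plain-HTTP request using the 8080/8443 port pairing seen in the thread. The sample response, the cookie names and the port mapping are assumptions made for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Added example, not OFBiz code. Checks the response-level properties an HTTPS-only
// deployment needs; the sample response below is constructed for the example.
public class HttpsOnlyAudit {

    static final String SAMPLE_RESPONSE =
        "HTTP/1.1 200 OK\r\n" +
        "Content-Type: text/html\r\n" +
        "Set-Cookie: JSESSIONID=abc123; Path=/ecommerce\r\n" +          // no Secure, no HttpOnly
        "Set-Cookie: OFBiz.Visitor=v1; Path=/; Secure; HttpOnly\r\n" +  // correctly flagged
        "\r\n" +
        "<html></html>";

    /** Header lines of a raw response, status line and body excluded. */
    static List<String> headerLines(String rawResponse) {
        String head = rawResponse.split("\r\n\r\n", 2)[0];
        String[] parts = head.split("\r\n");
        List<String> lines = new ArrayList<>();
        for (int i = 1; i < parts.length; i++) lines.add(parts[i]);
        return lines;
    }

    /** Returns one finding per missing protection; an empty list means the response passed. */
    static List<String> audit(String rawResponse) {
        List<String> findings = new ArrayList<>();
        boolean hsts = false;
        for (String line : headerLines(rawResponse)) {
            int colon = line.indexOf(':');
            if (colon < 0) continue;
            String name = line.substring(0, colon).trim().toLowerCase(Locale.ROOT);
            String value = line.substring(colon + 1).trim();
            if (name.equals("strict-transport-security")) {
                hsts = true;
                if (!value.toLowerCase(Locale.ROOT).contains("max-age=")) {
                    findings.add("Strict-Transport-Security without max-age: " + value);
                }
            } else if (name.equals("set-cookie")) {
                String cookieName = value.split("=", 2)[0].trim();
                List<String> attrs = new ArrayList<>();
                for (String a : value.split(";")) attrs.add(a.trim().toLowerCase(Locale.ROOT));
                if (!attrs.contains("secure")) {
                    findings.add("cookie " + cookieName + " lacks Secure: sent over plain HTTP too");
                }
                if (!attrs.contains("httponly")) {
                    findings.add("cookie " + cookieName + " lacks HttpOnly: readable by injected script");
                }
            }
        }
        if (!hsts) {
            findings.add("no Strict-Transport-Security header: browsers keep trying http:// first");
        }
        return findings;
    }

    /**
     * HTTPS equivalent of a plain-HTTP request URL. Assumes the 8080 -> 8443 pairing from the
     * thread; 80 or no port maps to the HTTPS default. Returns null for anything else, since
     * the example has no basis for guessing other port pairings.
     */
    static String httpsRedirectTarget(String requestUrl) throws URISyntaxException {
        URI u = new URI(requestUrl);
        if (!"http".equalsIgnoreCase(u.getScheme())) return null; // already HTTPS, or not HTTP
        int port;
        if (u.getPort() == 8080) port = 8443;
        else if (u.getPort() == -1 || u.getPort() == 80) port = -1;
        else return null;
        return new URI("https", u.getUserInfo(), u.getHost(), port,
                       u.getPath(), u.getQuery(), u.getFragment()).toString();
    }

    public static void main(String[] args) throws URISyntaxException {
        for (String f : audit(SAMPLE_RESPONSE)) System.out.println("finding: " + f);
        System.out.println(httpsRedirectTarget("http://localhost:8080/ecomseo"));
        System.out.println(httpsRedirectTarget("http://localhost:8080/ecommerce/control/main?foo=bar"));
    }
}
```

Two caveats a practitioner should keep in mind when using a check like this. Browsers only honour `Strict-Transport-Security` when it arrives over HTTPS, so the header must be audited on the HTTPS response, and the very first `http://` visit is still unprotected unless the host is on a preload list; that first-visit gap is consistent with the "404 the first time, redirect on F5" behaviour reported in the earlier comment. And the `Secure` flag must be set on every cookie that identifies a user, including a session cookie issued to an anonymous visitor, since that same session is what the user later logs into.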
[jira] [Closed] (OFBIZ-6886) Hide sessionId in logs by default, show them using a properties

2016-02-09 Thread Jacques Le Roux (JIRA)

 [ 
https://issues.apache.org/jira/browse/OFBIZ-6886?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-6886.
--
Resolution: Implemented

Implemented at revision: 1729348  


> Hide sessionId in logs by default, show them using a properties
> ---
>
> Key: OFBIZ-6886
> URL: https://issues.apache.org/jira/browse/OFBIZ-6886
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: framework, specialpurpose/pos
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Minor
> Fix For: Upcoming Branch
>
>
> There are a few cases where we show the sessionId in logs (using 
> UtilHttp.getSessionId() or HttpSessionEvent.getSession().getId() in 
> other places)
> Although we secured the log access at r1489461, I suggested on the dev ML a 
> property to opt in, false by default. I will apply as a lazy consensus.



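The opt-in logging described in OFBIZ-6886, as an added example that is not OFBiz's implementation: session ids are hidden unless a property enables them, and the hidden form carries a short SHA-256 fingerprint so that log lines from one session can still be correlated during incident analysis without writing the id itself to disk. The property name `security.log.showSessionId` and the sample id are assumptions; the page does not give the property OFBiz actually uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added example, not OFBiz code. Property name and sample id are assumptions.
public class SessionIdLogging {

    /** Hypothetical opt-in switch; off by default so a stock deployment never logs raw ids. */
    static final String SHOW_PROPERTY = "security.log.showSessionId";

    static boolean showSessionIds() {
        return Boolean.parseBoolean(System.getProperty(SHOW_PROPERTY, "false"));
    }

    /** The form of the session id that may be written to a log line. */
    static String loggableSessionId(String sessionId) {
        if (sessionId == null) return "[no session]";
        if (showSessionIds()) return sessionId;
        return "[hidden:" + fingerprint(sessionId) + "]";
    }

    /**
     * First 4 bytes of SHA-256(sessionId) as hex. Enough to tell sessions apart in a log,
     * not enough to recover the id; this only holds when ids are high-entropy, as servlet
     * container ids are, since a short hash of a guessable id could be matched by brute force.
     */
    static String fingerprint(String sessionId) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] h = md.digest(sessionId.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 4; i++) sb.append(String.format("%02x", h[i]));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }

    public static void main(String[] args) {
        String id = "9C3F1A2B7D4E5F60A1B2C3D4E5F60718"; // constructed sample id
        System.setProperty(SHOW_PROPERTY, "false");
        System.out.println("session destroyed: " + loggableSessionId(id));
        System.setProperty(SHOW_PROPERTY, "true");
        System.out.println("session destroyed: " + loggableSessionId(id));
    }
}
```

The same pattern applies wherever a log statement currently interpolates `UtilHttp.getSessionId()` or `HttpSessionEvent.getSession().getId()`: route the id through one helper with the default set to hidden, so enabling raw ids is a deliberate per-deployment decision rather than something that has to be remembered at every call site.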