Re: HTTP Compression not working for some files (JS and CSS)

2018-08-21 Thread girish . vasmatkar



On 2018/08/20 17:09:35, Scott Gray  wrote: 
> See the note under the compression config here:
> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Standard_Implementation
> 
> Regards
> Scott
> 
> 
> On 20 August 2018 at 07:38, girish.vasmat...@hotwaxsystems.com <
> girish.vasmat...@hotwaxsystems.com> wrote:
> 
> >
> >
> > On 2018/08/20 07:20:38, Michael Brohl  wrote:
> > > Hi Girish,
> > >
> > > how did you check that these files are not getting compressed before the
> > > transfer?
> > >
> > > They are decompressed by the browser after the transfer so you won't see
> > > that they were compressed.
> > >
> > > Regards,
> > >
> > > Michael
> > >
> > >
> > > Am 20.08.18 um 09:12 schrieb girish.vasmat...@hotwaxsystems.com:
> > > > Hi Devs!!!
> > > >
> > > > I see that we have enabled HTTP compression in the HTTP and HTTPS
> > > > connectors, but I am observing that it is not working properly for some of
> > > > the JS and CSS files.
> > > >
> > > > All medium to large files (more than 50 KB or so) are not getting
> > > > compressed. Has anyone else observed the same? I can definitely see that
> > > > Content-Encoding:gzip response header is set for all the files that are
> > > > compressed and the transfer size does indicate they were compressed based
> > > > on what size I see on the disk.
> > > >
> > > >
> > > > Thanks,
> > > > Girish Vasmatkar
> > > > HotWax Systems
> > > >
> > >
> > >
> > >
> > Hi Michael
> >
> > I can see the response headers in Chrome developers tools. For some files
> > for example, OfbizUtil.js, Content-Encoding:gzip indicating that it was
> > compressed by the server and received in compressed format.
> > For the other ones, no Content-Encoding header is present. Also, there is
> > a "Size" tab and a "Transferred" tab in FireBug showing 47.13 KB and 11.79
> > KB values respectively. For select2-4.0.6.js which is one of the one I
> > don't see come compressed the corresponding values are 143.01 KB and 142.80
> > KB and the Content-Encoding header is also absent.
> >
> > Thanks and Regards,
> > Girish Vasmatkar
> > HotWax Systems
> >
> >
> >
> 
Thanks Scott for the reply.

For what it is worth:
Figured that it is happening on Mac OS only and there is a nice explanation
here:
http://tomcat.10.x6.nabble.com/sendFiles-vs-compression-td5062656.html

Turns out that the decision to choose compression vs sendFile is based on
which connector is being used by Tomcat under the hood. sendFile is used
to save CPU cycles if the file size is more than 48KB, which was the case for
all the files that appeared to not get compressed. sendFile will choose the best
strategy to send static files based on the underlying OS. That helps explain
why it did not work on MacOS while it works for the OFBiz instance deployed on
Ubuntu.

I was having trouble with setting sendFile to false and I was using "off" as
the value to turn it off.

The way to do it is under http-connector or any other connector for that matter.



There is also some information on sendFile being broken on OS X...

https://blog.phusion.nl/2015/06/04/the-brokenness-of-the-sendfile-system-call/

Thanks and Best regards,
Girish Vasmatkar
HotWax Systems




Re: Old demo restarted

2018-08-23 Thread Girish Vasmatkar
I had earlier replied to this thread but looks like the email did not go
through. I had leaned towards using the tool (only just) instead of maybe
having a CRON job or an alternative.

What I feel now is that maybe we can use JMX here and try to use various
built-in MBeans that provide CPU usage for the system and also for the JVM
process we are concerned about, that is, the OFBiz instance. We should also be
able to get the memory usage of the JVM and if it reaches a particular
threshold we can be notified.

In addition, I think we already add a shutdown hook to the JVM process... I
am not sure and have not used it much but maybe we can use it to send some
notifications? Of course, it is applicable for graceful exits of JVM only
and if you just happen to kill the process it won't be of much help.

Hope it makes sense and correct me if I am wrong.

Best regards,
Girish Vasmatkar
HotWax Systems


On Thu, Aug 23, 2018 at 8:48 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Le 23/08/2018 à 14:04, Taher Alkhateeb a écrit :
> > I'm not sure why you're hanging this on me,
> Because you answered to the bait ;)
>
> > but sure I'm willing to
> > help.
> Thanks, much appreciated!
>
> > Can I get some information on how the crashes are happening and
> > how you're getting notified, and I will take it from there.
> I think after a crash it's mostly to use dumps there (we have several from
> the recent past) but I'm not sure they will help, and it takes time to
> analyse.
>
> In the past I took the time to analyse some of them and it was
> interesting. For instance in 2010 I found a bug in a Java version we were
> using and it
> helped me in a custom project I was also doing then:
> https://markmail.org/message/byu2ivjn7wckayzz
>
> Lastly it was mostly lack of memory, despite having 8GB now. I created
> https://issues.apache.org/jira/browse/INFRA-16780 for that, but not sure
> it was
> the reason. At least we have less issues since.
>
> Before (months ago) the Infra was monitoring our demos and alerting us by
> mail (you just had to subscribe). Unfortunately we are on our own for that
> now, too many projects in the ASF...
> As I said initially in this thread I'm currently using montastic.com
> for the email alerts.
> My idea when I started this thread was that it all depends on me, and
> that's bad. So I wanted people to be aware, you are much welcome.
>
> Jacques
> > On Thu, Aug 23, 2018 at 2:29 PM Jacques Le Roux
> >  wrote:
> >> Yes we can, will you?
> >>
> >> Jacques
> >>
> >>
> >> Le 22/08/2018 à 19:29, Taher Alkhateeb a écrit :
> >>> Well, we can ask Infra for help, we can check available solutions, we
> >>> can create a CRON script that checks things periodically, there are
> >>> multiple ways to go about this.
> >>>
> >>> My personal preference is for a simple CRON script that takes care of
> this.
> >>> On Wed, Aug 22, 2018 at 8:25 PM Jacques Le Roux
> >>>  wrote:
> >>>> So you prefer that I'm the only one to take care of the demos and act
> on alerts?
> >>>>
> >>>> Jacques
> >>>>
> >>>>
> >>>> Le 22/08/2018 à 18:53, Taher Alkhateeb a écrit :
> >>>>> I prefer not to include any tools without proper analysis and
> >>>>> discussion first. Less is more.
> >>>>> On Wed, Aug 22, 2018 at 5:31 PM Jacques Le Roux
> >>>>>  wrote:
> >>>>>> Hi,
> >>>>>>
> >>>>>> Should I consider no answers as a lazy consensus and should I send
> (rare) alerts to this ML?
> >>>>>>
> >>>>>> Without any answers I'll consider it a lazy consensus in 2 days.
> >>>>>>
> >>>>>> Jacques
> >>>>>>
> >>>>>>
> >>>>>> Le 17/08/2018 à 12:22, Jacques Le Roux a écrit :
> >>>>>>> Le 13/08/2018 à 18:21, Jacques Le Roux a écrit :
> >>>>>>>> Le 12/08/2018 à 11:26, Jacques Le Roux a écrit :
> >>>>>>>>> Hi,
> >>>>>>>>>
> >>>>>>>>> This morning I noticed the old demo was down and restarted it
> after cleaning things.
> >>>>>>>>>
> >>>>>>>>> Previously (still some weeks ago) Daniel Gruno's (from Infra
> team) company was kindly providing us a mean to monitor our demos but it
> seems that
> >>>>>>>>> this mean is no longer available
> >>>>>>>>&

Re: Old demo restarted

2018-08-24 Thread Girish Vasmatkar
Hi Taher

Please see my reply below in-line.

On Fri, Aug 24, 2018 at 12:22 PM Taher Alkhateeb 
wrote:

> Hi Girish, inline...
>
> On Thu, Aug 23, 2018, 7:25 PM Girish Vasmatkar <
> girish.vasmat...@hotwaxsystems.com> wrote:
>
> > I had earlier replied to this thread but looks like the email did not go
> > through. I had leaned towards using the tool (only just) instead of may
> be
> > having a CRON job or an alternative.
> >
> > What I feel now is that may be we can use JMX here and try to use various
> > in build MBeans that provide CPU usage for the system and also for the
> JVM
> > process we are concerned about that is OFBiz instance. We should also be
> > able to get the memory usage of the JVM and if reaches a particular
> > threshold we can be notified.
> >
> Do you have a PoC for all of this?
>
   GV : I can have one ready; and there is going to be much doing involved.

>
> >
> > In addition, I think we already add a shutdown hook to the JVM
> process... I
> > am not sure and have not used it much but may be we can use it to send
> some
> > notifications? Of course, it is applicable for graceful exits of JVM only
> > and if you just happen to kill the process it won't be of much help.
> >
> The shutdown hook is used for shutting down. I'm not sure what is the
> purpose of mentioning it here?
>
GV : The reason I mentioned shutdown hook was it can be used to send
notification (maybe email) or anything per our needs indicating that the
demo process was shut down. Per my understanding, shutdown hook gets
called whenever JVM shuts down gracefully. Graceful word is very important
here because we won't be able to do much if someone just kills the process.
The only thing a shutdown hook will add to this is that we will be notified
then and there.

>
> >
> > Hope it makes sense and correct me if I am wrong.
>
> Well I'm struggling a bit. I didn't understand exactly what needs to be
> done? I see mixed topics about JMX, Mbeans, Memory monitors and shutdown
> hooks. First this seems to be more like coding than a tool, and second I
> have no idea how you want to implement this?
>
GV: Yes, it would mostly be coding rather than being a substitute for
the tool. My idea was to have a timer service run within the JVM and
have it access various MBeans for the CPU usage and memory usage just for our
monitoring purpose and raise an alert if it reaches a threshold. It was
just to have a glance over how the JVM is performing. The disadvantage? The
service will run in the OFBiz JVM and there will be a considerable amount of
coding involved.

>
> My idea for example is simple: create a cronjob that checks the system
> periodically and if the demo process stopped, restart it (or maybe rebuild
> and restart). To go with your suggestion we need to perhaps first
> understand it.
>
GV: There is nothing wrong with creating a CRON job, per se. The only
reason why I introduced MBeans in the mix was to be able to sort of have
OFBiz monitor itself within its realm, hence the use of MBeans. I believe a
CRON will be able to do it as well. I probably did not get that we probably
want something that takes some action after the JVM has crashed and not
something that monitors the process and alerts concerned parties
that the process is occupying more than say 2 GB or its CPU usage has
spiked above 80%.

All in all, I feel we should choose the solution based on what we want to
do and whether we want to take it further as well. I do not know what the
tool does now or whether it can build the system again and restart it
automatically. I also do not know what measures we take in such an event. I
agree CRON will be the simplest of them all, but if the tool provides all of
these (be able to take corrective measures) and not just send
notifications, then it can also be worth its salt. Yes, CRON will be a more
technical way of achieving :)

Thanks and Best regards,
Girish Vasmatkar
HotWax Systems

>
> >
> > Best regards,
> > Girish Vasmatkar
> > HotWax Systems
> >
> >
> > On Thu, Aug 23, 2018 at 8:48 PM Jacques Le Roux <
> > jacques.le.r...@les7arts.com> wrote:
> >
> > > Le 23/08/2018 à 14:04, Taher Alkhateeb a écrit :
> > > > I'm not sure why you're hanging this on me,
> > > Because you answered to the bait ;)
> > >
> > > > but sure I'm willing to
> > > > help.
> > > Thanks, much appreciated!
> > >
> > > > Can I get some information on how the crashes are happening and
> > > > how you're getting notified, and I will take it from there.
> > > I think after a crash it's mostly to use dumps there (we have several
> > from
> > > the recent pas) but

Re: Old demo restarted

2018-08-24 Thread Girish Vasmatkar
Speaking of monitoring tools and if we don't want to go for third party
tools, we can also use VisualVM that comes bundled with Oracle JDK. It can
connect to the remote VM (OFBiz process) and start displaying various
information.

Very minimal configuration is needed in the form of VM argument to allow
for remote monitoring. Also, to enable further analysis of what went wrong,
why JVM crashed etc, we should also dump heap as the JVM shuts down.

Too many ways and too many options. Probably need to reach a unanimous
decision, IMO.

Thanks and Best regards,
Girish Vasmatkar

On Fri, Aug 24, 2018 at 4:56 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Thanks Michael,
>
> Best idea so far!
>
> Jacques
>
>
> Le 24/08/2018 à 11:08, Michael Brohl a écrit :
> > We are monitoring our OFBiz instances with JMX and self hosted Zabbix
> [1].
> >
> > Zabbix gives you a nice overview about the system health and metrics
> like memory  consumption etc. It also sends out warnings (Email, SMS or
> else)
> > if metrics are exceeded (like CPU load or memory consumption) as well as
> the system is not accessible.
> >
> > Looks like this: [2]
> >
> > There is no programming needed, just some configuration for JMX and
> Zabbix.
> >
> > [1] https://www.zabbix.com/
> > [2]
> https://www.ecomify.de/wp-content/uploads/2018/08/Zabbix_Monitoring.png
> >
> > If we want to see why the demos crash, it might be useful. If we only
> want to monitor if the system is up, a simple cron job which sends a mail
> > might be enough...
> >
> > Regards,
> >
> > Michael Brohl
> > ecomify GmbH
> > www.ecomify.de
> >
> >
> > Am 24.08.18 um 10:07 schrieb Taher Alkhateeb:
> >> Okay all neat ideas, I'm not sure if the energy you will put into
> something
> >> like this is equal to the value produced but if you want to make this
> >> happen I would be happy to assist.
> >>
> >> How much time will it take to make something like this happen? I ask
> >> because it seems Jacques is getting annoyed with these crashes and we'd
> >> like to help him out.
> >>
> >> On Fri, Aug 24, 2018, 10:59 AM Girish Vasmatkar <
> >> girish.vasmat...@hotwaxsystems.com> wrote:
> >>
> >>> Hi Taher
> >>>
> >>> Please see my reply below in-line.
> >>>
> >>> On Fri, Aug 24, 2018 at 12:22 PM Taher Alkhateeb <
> >>> slidingfilame...@gmail.com>
> >>> wrote:
> >>>
> >>>> Hi Girish, inline...
> >>>>
> >>>> On Thu, Aug 23, 2018, 7:25 PM Girish Vasmatkar <
> >>>> girish.vasmat...@hotwaxsystems.com> wrote:
> >>>>
> >>>>> I had earlier replied to this thread but looks like the email did not
> >>> go
> >>>>> through. I had leaned towards using the tool (only just) instead of
> may
> >>>> be
> >>>>> having a CRON job or an alternative.
> >>>>>
> >>>>> What I feel now is that may be we can use JMX here and try to use
> >>> various
> >>>>> in build MBeans that provide CPU usage for the system and also for
> the
> >>>> JVM
> >>>>> process we are concerned about that is OFBiz instance. We should also
> >>> be
> >>>>> able to get the memory usage of the JVM and if reaches a particular
> >>>>> threshold we can be notified.
> >>>>>
> >>>> Do you have a PoC for all of this?
> >>>>
> >>> GV : I can have one ready; and there is going to be much doing
> involved.
> >>>
> >>>>> In addition, I think we already add a shutdown hook to the JVM
> >>>> process... I
> >>>>> am not sure and have not used it much but may be we can use it to
> send
> >>>> some
> >>>>> notifications? Of course, it is applicable for graceful exits of JVM
> >>> only
> >>>>> and if you just happen to kill the process it won't be of much help.
> >>>>>
> >>>> The shutdown hook is used for shutting down. I'm not sure what is the
> >>>> purpose of mentioning it here?
> >>>>
> >>>  GV : The reason I mentioned shutdown hook was it can be used to
> send
> >>> notification (may be email) or anything per our needs indicating that
> the
> >>> demo process was shut down. Per my understanding, shutdown   hook
> gets
> &

Re: Issue with opening a bookmarked page when the user is logged out

2018-08-25 Thread Girish Vasmatkar
Hi Ritesh

It does look like an issue to me.

I believe (correct me if I am wrong) it is not so much about whether GET is
appropriate here, it is more about that the framework is unable to handle
multiple request parameters with the same name, which is a common case when we
talk about multiple check boxes on a form representing a single entity. The
fact that GET is doing its job correctly when the user is logged in (means
when you change the method from POST to GET and the user is already logged
in) and not so much when the user is logged out and the request is made via
bookmark, shows that the code is not working properly.

Then, there is also an issue with URL encoding and decoding that becomes
apparent with executing your scenario. Whether it is correct to change the
form method is arguable, but the code should be able to handle it. If a
form were to be designed with GET method and the only elements present on
the form are two check boxes and a text field and if you were to select
both check boxes and have a value with spaces in the text box, this scenario
would still fail.

I think the simplest approach would have been to just store the query string
(request.getQueryString()) in the session attribute instead of Map (but I
think it was well pondered upon to use Map) and then just redirecting to
the saved URL once the user logs in. I did it on my local workstation and
it just worked perfectly. Maybe one reason why a map was used instead of
storing the query string was to handle unencoded requests coming from browsers
such as IE. I may be wrong so please correct me if anyone has an idea
around this piece of code as to why Map was used instead of storing the
query string in session to be used later on.

If you can do something to fix the existing code, that would be a better
approach, IMO.

Maybe it is not a major issue but certainly worthy of having a dedicated
JIRA for. Everybody, please chime in and provide your thoughts.

Thanks and Best regards,
Girish Vasmatkar
HotWax Systems

On Sat, Aug 25, 2018 at 8:03 PM Taher Alkhateeb 
wrote:

> Okay, I understand this issue. I don't think it is possible to
> abstract away a complex search screen with http GET method for
> bookmarks. The performFind service is quite complex and it is
> difficult to replicate the requirements using GET. GET is not designed
> to handle multiple languages, spaces, and other peculiarities that are
> needed for such a screen to work.
>
> There are multiple solutions that I can see here. One of them is
> simply to create a new entity, let's call it SearchFilter, that saves
> search parameters, which can be applied later on. Either way, you need
> to customize, your problem is not OFBiz, your problem is http GET
> limitations.
> On Fri, Aug 24, 2018 at 12:35 PM Ritesh Kumar
>  wrote:
> >
> > Using the POST method does not append form data to the URL, i.e, the
> > parameters will not be visible in the URL.
> > For example, take a Find Screen (say, FindWorkEffort) which send data
> > through a form with POST method. Apply some filters (say, status). No
> > applied filters appear in the URL.  Bookmark this page. Next time when I
> > open this bookmark, those applied filters will not be there as this page
> is
> > being rendered using data from the URL and since the applied filters were
> > not there in the bookmarked URL, this page is rendered without the
> applied
> > filters. That is why I used GET form method so that I am able to get the
> > page with applied filters when I open a bookmarked page.
> >
> > The bug here is (supposing the GET method is used)
> > 1. On opening the bookmark, the page is rendered with double encoding (if
> > the value had a space character initially, the space character was
> already
> > encoded into '+' in the URL and when this bookmark is opened, this '+' is
> > again encoded).
> > 2. Suppose the bookmarked URL had multiple values from the same filter
> > (say, Cancelled and Declined status), it renders with just one of the
> > statutes applied. It is because the request handler prepares a Map of
> > parameters from the query string and as is the property of Map to replace
> > the old value if a new value is being added with the same key (in this
> > example, first Cancelled status is put in this Map and then Declined),
> only
> > Declined status is put in this Map.
> >
> > Hope, this clears the confusion. I will be happy to provide more
> > information if needed.
> >
> > On Fri, Aug 24, 2018 at 1:46 PM Taher Alkhateeb <
> slidingfilame...@gmail.com>
> > wrote:
> >
> > > Not enough information. What happens exactly? What is the bug? What do
> you
> > > mean by it does not let us do that?
> > >
> > > On Fri, Aug 24, 2018, 11:09 AM 
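
The two symptoms discussed in this thread (one value kept per repeated parameter, and a space ending up double-encoded) can be reproduced with plain JDK classes. This is an added example, not OFBiz code; the class name, method names and the sample query string are constructed for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example (hypothetical names): saving and replaying a bookmarked query string.
public class SavedQueryString {

    static String decodeOnce(String s) {
        try {
            return URLDecoder.decode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    static String encode(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Lossy form: a plain Map keeps only the last value of a repeated name. */
    static Map<String, String> toSingleValueMap(String query) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : toMultiValueMap(query).entrySet()) {
            for (String v : e.getValue()) {
                out.put(e.getKey(), v); // second put overwrites the first
            }
        }
        return out;
    }

    /** Keeps every value of a repeated name, decoded exactly once. */
    static Map<String, List<String>> toMultiValueMap(String query) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        if (query == null || query.isEmpty()) {
            return out;
        }
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name = decodeOnce(eq < 0 ? pair : pair.substring(0, eq));
            String value = eq < 0 ? "" : decodeOnce(pair.substring(eq + 1));
            out.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        return out;
    }

    /** Rebuilds a query string from decoded values, encoding each exactly once. */
    static String toQueryString(Map<String, List<String>> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, List<String>> e : params.entrySet()) {
            for (String v : e.getValue()) {
                if (sb.length() > 0) {
                    sb.append('&');
                }
                sb.append(encode(e.getKey())).append('=').append(encode(v));
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: two values for one filter and a value containing a space.
        String bookmarked = "statusId=CANCELLED&statusId=DECLINED&name=team+meeting";

        System.out.println("single-value map: " + toSingleValueMap(bookmarked));
        System.out.println("multi-value map:  " + toMultiValueMap(bookmarked));

        // Encoding the raw, still-encoded value again turns '+' into %2B.
        System.out.println("encoded twice:    name=" + encode("team+meeting"));

        // Decode once on the way in, encode once on the way out: stable round trip.
        System.out.println("round trip:       " + toQueryString(toMultiValueMap(bookmarked)));
    }
}
```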

Re: HTTP Compression not working for some files (JS and CSS)

2018-08-20 Thread girish . vasmatkar



On 2018/08/20 07:20:38, Michael Brohl  wrote: 
> Hi Girish,
> 
> how did you check that these files are not getting compressed before the 
> transfer?
> 
> They are decompressed by the browser after the transfer so you won't see 
> that they were compressed.
> 
> Regards,
> 
> Michael
> 
> 
> Am 20.08.18 um 09:12 schrieb girish.vasmat...@hotwaxsystems.com:
> > Hi Devs!!!
> >
> > I see that we have enabled HTTP compression in the HTTP and HTTPS 
> > connectors, but I am observing that it is not working properly for some of 
> > the JS and CSS files.
> >
> > All medium to large files (more than 50 KB or so) are not getting 
> > compressed. Has anyone else observed the same? I can definitely see that 
> > Content-Encoding:gzip response header is set for all the files that are 
> > compressed and the transfer size does indicate they were compressed based 
> > on what size I see on the disk.
> >
> >
> > Thanks,
> > Girish Vasmatkar
> > HotWax Systems
> >
> 
> 
>
Hi Michael

I can see the response headers in Chrome developers tools. For some files for 
example, OfbizUtil.js, Content-Encoding:gzip indicating that it was compressed 
by the server and received in compressed format. 
For the other ones, no Content-Encoding header is present. Also, there is a 
"Size" tab and a "Transferred" tab in FireBug showing 47.13 KB and 11.79 KB 
values respectively. For select2-4.0.6.js which is one of the one I don't see 
come compressed the corresponding values are 143.01 KB and 142.80 KB and the 
Content-Encoding header is also absent.

Thanks and Regards,
Girish Vasmatkar
HotWax Systems




HTTP Compression not working for some files (JS and CSS)

2018-08-20 Thread girish . vasmatkar
Hi Devs!!!

I see that we have enabled HTTP compression in the HTTP and HTTPS 
connectors, but I am observing that it is not working properly for some of the 
JS and CSS files.

All medium to large files (more than 50 KB or so) are not getting compressed. 
Has anyone else observed the same? I can definitely see that 
Content-Encoding:gzip response header is set for all the files that are 
compressed and the transfer size does indicate they were compressed based on 
what size I see on the disk.


Thanks,
Girish Vasmatkar
HotWax Systems



CSRF attack and prevention

2018-09-02 Thread girish . vasmatkar
Hi All

 It looks like there is no mechanism to prevent CSRF attack in ofbiz. If I 
am logged in to ofbiz instance on my local and create a sample standalone HTML 
page and try to submit to either a GET or a POST ofbiz URL, I am successfully 
through and various cookies (applicable to the domain) are also sent by the 
browser to Ofbiz instance. That essentially is CSRF. This can be reproduced 
with a script tag with a valid ofbiz URL as src and you can actually see in the 
developer console the request made through and response is received.

Of course this attack has a context - that the user is logged in and happens on 
the victim's browser. 

I replaced ofbiz URL with gmail and made sure I am logged in to my gmail 
account. I saw a vague/obscure response from gmail in the console meaning it 
prevented itself.

 I feel we can handle it in multiple ways and one of the ways is adding 
SameSite cookie which is a fairly new concept and per latest information Chrome 
already supports it and FireFox has also added support for the same. Browsers 
supporting this Cookie will not send JSESSIONID or any other SameSite cookie to 
the request if the request is cross-site. Each cookie needs to be flagged with 
SameSite with possible values being strict or lax. 
Here's its IETF draft - 
https://tools.ietf.org/html/draft-west-first-party-cookies-07

 I also think we should not rely on this as the sole prevention mechanism and 
should also do something on the server side in the sense that we should not 
rely on the browser support. Tomcat does support a filter - 
org.apache.catalina.filters.CsrfPreventionFilter that appends a nonce for every 
request and stores the same in session.

We should also add support for checking Origin and Referrer headers. I think 
there is a lot we can do.

I have not seen any reference in the current trunk code for both SameSite 
cookie and CsrfPreventionFilter filter. If we can make everyone on the same 
page on CSRF, I would like to propose we go ahead with this change. I think we 
will need to handle it in multiple ways.

I can create a JIRA with all details provided we have the necessary concord.


Thanks and Best regards,
Girish Vasmatkar
HotWax Systems


Re: CSRF attack and prevention

2018-09-06 Thread Girish Vasmatkar
Hi Jacques,

Thanks for your reply. I will certainly take a look at the JIRA and will
also try to see we can successfully implement CSRF filter. I will provide
my inputs on the JIRA as well.

Best,
Girish Vasmatkar
HotWax Systems


On Thu, Sep 6, 2018 at 7:19 PM Jacques Le Roux 
wrote:

> Hi Girish,
>
> Sorry, I completely forgot I worked later on that. Please see OFBIZ-10427
> where I again tried the Tomcat CSRF filter w/o success.
>
> It was suggested in the OFBiz security ML by Gregory Draperi (OFBiz
> committer specialised in security) that we could handle that ourselves.
>
> "generate an unpredictable value that is sent at the beginning of the
> session of the user and then should be checked on any sensitive actions."
>
> We could create a nonce at the beginning of the session and then send it
> with any request.
>
> We could also use a token in header, a JWT as in OFBIZ-9833, for each
> request as suggested at
>
>
> https://security.stackexchange.com/questions/170388/do-i-need-csrf-token-if-im-using-bearer-jwt
>
> HTH
>
> Jacques
>
>
> Le 03/09/2018 à 09:59, Girish Vasmatkar a écrit :
> > Thanks Jacques and Nicolas. I will take this further in the security
> group
> > and will soon have updates there. My bad I didn't realise we need to take
> > it up over there.
> >
> > Thanks and Best Regards,
> > Girish Vasmatkar
> > HotWax Systems
> >
> > On Mon, Sep 3, 2018 at 1:21 PM Jacques Le Roux <
> jacques.le.r...@les7arts.com>
> > wrote:
> >
> >> Hi Girish,
> >>
> >> Nicolas is right, I just want to say that I already tried to use the
> >> CsrfPreventionFilter Tomcat Filter (wrongly noted
> RestCsrfPreventionFilter
> >> in the
> >> link below) without success, please refer to
> >>
> >> https://markmail.org/message/r245yie623cdo3wz
> >>
> >> Your help is welcome :)
> >>
> >> Jacques
> >>
> >>
> >> Le 02/09/2018 à 21:15, Nicolas Malin a écrit :
> >>> Hi Girish,
> >>>
> >>> Thanks for your warm. If you want to detail your please prefer send an
> >> email to secur...@ofbiz.apache.org instead of open an issue to JIRA.
> >>> Nicolas
> >>>
> >>>
> >>> On 02/09/2018 17:36, girish.vasmat...@hotwaxsystems.com wrote:
> >>>> Hi All
> >>>>
> >>>>It looks like there is no mechanism to prevent CSRF attack in
> >> ofbiz. If I am logged in to ofbiz instance on my local and create a
> sample
> >>>> standalone HTML page and try to submit to either a GET or a POST ofbiz
> >> URL, I am successfully through and various cookies (applicable to the
> >>>> domain) are also sent by the browser to Ofbiz instance. That
> >> essentially is CSRF. This can be reproduced with a script tag with a
> valid
> >> ofbiz URL
> >>>> as src and you can actually see in the developer console the request
> >> made through and response is received.
> >>>> Of course this attack has a context - that the user is logged in and
> >> happens on the victim's browser.
> >>>> I replaced ofbiz URL with gmail and made sure I am logged in to my
> >> gmail account. I saw a vague/obscure response from gmail in the console
> >> meaning
> >>>> it prevented itself.
> >>>>
> >>>>I feel we can handle it in multiple ways and one of the ways is
> >> adding SameSite cookie which is a fairly new concept and per latest
> >> information
> >>>> Chrome already supports it and FireFox has also added support for the
> >> same. Browsers supporting this Cookie will not send JSESSIONID or any
> other
> >>>> SameSite cookie to the request if the request is cross-site. Each
> >> cookie needs to be flagged with SameSite with possible values being
> strict
> >> or lax.
> >>>> Here's its IETF draft -
> >> https://tools.ietf.org/html/draft-west-first-party-cookies-07
> >>>>I also think we should not rely on this as the sole prevention
> >> mechanism and should also do something on the server side in the sense
> that
> >> we
> >>>> should not rely on the browser support. Tomcat does support a filter -
> >> org.apache.catalina.filters.CsrfPreventionFilter that appends a nonce
> for
> >>>> every request and stores the same in session.
> >>>>
> >>>> We should also add support for checking Origin and Referrer headers. I
> >> think there is a lot we can do.
> >>>> I have not seen any reference in the current trunk code for both
> >> SameSite cookie and CsrfPreventionFilter filter. If we can make
> everyone on
> >> the
> >>>> same page on CSRF, I would like to propose we go ahead with this
> >> change. I think we will need to handle it in multiple ways.
> >>>> I can create a JIRA with all details provided we have the necessary
> >> concord.
> >>>>
> >>>> Thanks and Best regards,
> >>>> Girish Vasmatkar
> >>>> HotWax Systems
> >>>>
> >>>
> >>
>
>
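
The server-side checks proposed in this thread (an unpredictable value created at the start of the session and checked on sensitive actions, an Origin/Referer check, and a SameSite flag on the session cookie) fit together as in the sketch below. This is an added example using only the JDK, not OFBiz or Tomcat code: the `Map` stands in for the HTTP session, and the attribute name, allowed origin and session id are constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example (hypothetical names): layered CSRF checks for a sensitive request.
public class CsrfChecks {
    static final String TOKEN_ATTR = "csrfToken"; // hypothetical session attribute name
    private static final SecureRandom RNG = new SecureRandom();

    /** Create the token once per session and keep the reference copy server-side. */
    static String issueToken(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(TOKEN_ATTR, token);
        return token;
    }

    /** Compare the submitted token with the session copy in constant time. */
    static boolean tokenMatches(Map<String, Object> session, String submitted) {
        Object expected = session.get(TOKEN_ATTR);
        if (!(expected instanceof String) || submitted == null) {
            return false;
        }
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    /** Reduce an Origin or Referer value to scheme://host[:port]; null if unusable. */
    static String originOf(String headerValue) {
        if (headerValue == null || headerValue.isEmpty()) {
            return null;
        }
        try {
            URI u = new URI(headerValue);
            if (u.getScheme() == null || u.getHost() == null) {
                return null; // also covers the literal "null" origin
            }
            String o = u.getScheme().toLowerCase(Locale.ROOT) + "://"
                    + u.getHost().toLowerCase(Locale.ROOT);
            return u.getPort() == -1 ? o : o + ":" + u.getPort();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Prefer Origin, fall back to Referer; a request carrying neither is rejected. */
    static boolean sourceAllowed(String origin, String referer, Set<String> allowed) {
        String source = originOf(origin != null ? origin : referer);
        return source != null && allowed.contains(source);
    }

    /** Both layers must pass before a sensitive action is executed. */
    static boolean allowSensitiveRequest(String origin, String referer, String submittedToken,
                                         Map<String, Object> session, Set<String> allowed) {
        return sourceAllowed(origin, referer, allowed) && tokenMatches(session, submittedToken);
    }

    /** Set-Cookie value carrying the SameSite flag (Strict or Lax) next to Secure/HttpOnly. */
    static String sessionCookieHeader(String sessionId, String path) {
        return "JSESSIONID=" + sessionId + "; Path=" + path + "; Secure; HttpOnly; SameSite=Lax";
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String token = issueToken(session);
        Set<String> allowed = Collections.singleton("https://localhost:8443"); // constructed

        System.out.println(sessionCookieHeader("constructed-session-id", "/"));
        System.out.println("form served by the app:      "
                + allowSensitiveRequest("https://localhost:8443", null, token, session, allowed));
        System.out.println("standalone page, no token:   "
                + allowSensitiveRequest("null", null, null, session, allowed));
        System.out.println("other site, no token:        "
                + allowSensitiveRequest("https://other.example", null, null, session, allowed));
        System.out.println("right origin, wrong token:   "
                + allowSensitiveRequest("https://localhost:8443", null, "guess", session, allowed));
        System.out.println("Referer only, valid token:   "
                + allowSensitiveRequest(null, "https://localhost:8443/ordermgr/control/main",
                        token, session, allowed));
    }
}
```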


Re: How to deploy Microservice developed using Spring boot to ofbiz

2018-08-31 Thread girish . vasmatkar



On 2018/08/05 02:44:58, Sudheer Kode  wrote: 
> Hi,
> 
> I have developed Microservice using spring boot. I want to deploy this
> application to Apache ofbiz and want to make it up and running on ofbiz.  I
> searched lot on internet to find out  the way but no luck and spent lot of
> time on it.
> 
> Can any one explain  me the process in detail how to achieve it.
> 
> Thanks,
> Sudheer
> 

Hi Sudheer
This is a delayed reply and I am unsure where you're on it. 

You're going to have to do a lot of work in order to achieve this, if at all it 
is even remotely feasible.

Spring boot itself launches its own container and so does ofbiz. There is no 
straightforward or step-by-step way to do this. You will probably need a deep 
understanding of ofbiz architecture and then figure out how (if at all) your 
microservices map to various components in ofbiz ecosystem. 

It seems a pretty daunting task and will require quite a bit of work.

Thanks,
Girish Vasmatkar
HotWax Systems




Re: Hard Coded Cookie Path

2018-10-04 Thread Girish Vasmatkar
Hi Deepak

That largely depends on the use case whether to set cookie path as the root
of the web server or not. Yes, generally, it is preferred to keep the
cookies separate for the various web apps deployed on the server.

In OFBiz case, various web applications are deployed on separate mount
points and if you take, for example, the case of visitor cookie, then it
makes sense to keep its path as root because a visitor (same person)
visiting order manager and accounting should be counted as a same and
single visitor. You do not want server to create a new visitor cookie for
order manager if the user has already visited accounting.

Browser will send the visitor cookie as part of request to order manager
that helps OFBiz identify the visitor.

Often certain other use cases demand server session to be maintained across
different web applications. Imagine a scenario where you log in to a parent
web application and then a separate module is part of a different web
application and you navigate to the sub module from the parent module. You
would ideally want the session cookie to be "transferred" from parent web
app to sub web app. Here you will have to make sure the session cookie
created by the server has the path "/" set. If that is not the case, then
navigating from parent web app to sub web app will result in session loss.

So, all in all, it is mostly based on your scenario. I hope that makes
sense.

Thanks,
Girish Vasmatkar
HotWax Systems


On Thu, Oct 4, 2018 at 4:57 PM Deepak Nigam 
wrote:

> Hello Folks,
>
> During the code walkthrough, I observed that everywhere the cookie path
> attribute is hardcoded as root '/' using the setPath() method. This is not
> the correct implementation because if the cookie path is set to the root
> '/', then the cookie will be sent to all the applications under the same
> domain.
>
> Is there any best practice around this? Should it be configurable?
> IMO, the cookie path should be set to '/users/' directory. WDYT?
>
>
> Thanks!
>
> Deepak Nigam
> HotWax Systems Pvt. Ltd
>
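
Added example (not part of the thread and not OFBiz code): the path-match and default-path rules from RFC 6265 section 5.1.4, which decide which requests carry a cookie, applied to the scopes discussed above. The cookie names and the /accounting and /ordermgr mount points are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class CookiePathScope {

    /** RFC 6265 section 5.1.4 default-path: the Path a cookie gets when the server sets none. */
    static String defaultPath(String requestPath) {
        if (requestPath == null || !requestPath.startsWith("/")) {
            return "/";
        }
        int lastSlash = requestPath.lastIndexOf('/');
        // Only the leading slash is present: the cookie is scoped to the root.
        return lastSlash == 0 ? "/" : requestPath.substring(0, lastSlash);
    }

    /** RFC 6265 section 5.1.4 path-match: is a cookie with this Path attached to this request? */
    static boolean pathMatches(String requestPath, String cookiePath) {
        if (requestPath.equals(cookiePath)) {
            return true;
        }
        if (!requestPath.startsWith(cookiePath)) {
            return false;
        }
        // A prefix counts only on a segment boundary, so /accounting does not cover /accounting2.
        return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length()) == '/';
    }

    /** Names of the cookies in the jar (name -> Path) that the browser sends for requestPath. */
    static List<String> cookiesSent(Map<String, String> jar, String requestPath) {
        List<String> sent = new ArrayList<>();
        for (Map.Entry<String, String> cookie : jar.entrySet()) {
            if (pathMatches(requestPath, cookie.getValue())) {
                sent.add(cookie.getKey());
            }
        }
        return sent;
    }

    public static void main(String[] args) {
        // Constructed cookie jar for one host; names and mount points are illustrative.
        Map<String, String> jar = new LinkedHashMap<>();
        jar.put("visitor", "/");                // setPath("/"): shared by every webapp on the host
        jar.put("acctSession", "/accounting");  // scoped to a single mount point
        jar.put("usersPref", "/users/");        // the '/users/' scope suggested in the question
        jar.put("noPathSet", defaultPath("/ordermgr/control/main")); // no setPath() call at all

        String[] requests = {
            "/accounting/control/main",
            "/ordermgr/control/main",
            "/accounting2/control/main",
            "/users/profile",
        };
        for (String path : requests) {
            System.out.println(path + " -> " + cookiesSent(jar, path));
        }
    }
}
```

The root-scoped cookie is the only one attached to every request, which is both what makes the shared visitor cookie work and what exposes it to every application on the host.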


Re: CSRF attack and prevention

2018-09-03 Thread Girish Vasmatkar
Thanks Jacques and Nicolas. I will take this further in the security group
and will soon have updates there. My bad I didn't realise we need to take
it up over there.

Thanks and Best Regards,
Girish Vasmatkar
HotWax Systems

On Mon, Sep 3, 2018 at 1:21 PM Jacques Le Roux 
wrote:

> Hi Girish,
>
> Nicolas is right, I just want to say that I already tried to use the
> CsrfPreventionFilter Tomcat Filter (wrongly noted RestCsrfPreventionFilter
> in the
> link below) without success, please refer to
>
> https://markmail.org/message/r245yie623cdo3wz
>
> Your help is welcome :)
>
> Jacques
>
>
> Le 02/09/2018 à 21:15, Nicolas Malin a écrit :
> > Hi Girish,
> >
> > Thanks for your warm. If you want to detail your please prefer send an
> email to secur...@ofbiz.apache.org instead of open an issue to JIRA.
> >
> > Nicolas
> >
> >
> > On 02/09/2018 17:36, girish.vasmat...@hotwaxsystems.com wrote:
> >> Hi All
> >>
> >>   It looks like there is no mechanism to prevent CSRF attack in
> ofbiz. If I am logged in to ofbiz instance on my local and create a sample
> >> standalone HTML page and try to submit to either a GET or a POST ofbiz
> URL, I am successfully through and various cookies (applicable to the
> >> domain) are also sent by the browser to Ofbiz instance. That
> essentially is CSRF. This can be reproduced with a script tag with a valid
> ofbiz URL
> >> as src and you can actually see in the developer console the request
> made through and response is received.
> >>
> >> Of course this attack has a context - that the user is logged in and
> happens on the victim's browser.
> >>
> >> I replaced ofbiz URL with gmail and made sure I am logged in to my
> gmail account. I saw a vague/obscure response from gmail in the console
> meaning
> >> it prevented itself.
> >>
> >>   I feel we can handle it in multiple ways and one of the ways is
> adding SameSite cookie which is a fairly new concept and per latest
> information
> >> Chrome already supports it and FireFox has also added support for the
> same. Browsers supporting this Cookie will not send JSESSIONID or any other
> >> SameSite cookie to the request if the request is cross-site. Each
> cookie needs to be flagged with SameSite with possible values being strict
> or lax.
> >> Here's its IETF draft -
> https://tools.ietf.org/html/draft-west-first-party-cookies-07
> >>
> >>   I also think we should not rely on this as the sole prevention
> mechanism and should also do something on the server side in the sense that
> we
> >> should not rely on the browser support. Tomcat does support a filter -
> org.apache.catalina.filters.CsrfPreventionFilter that appends a nonce for
> >> every request and stores the same in session.
> >>
> >> We should also add support for checking Origin and Referrer headers. I
> think there is a lot we can do.
> >>
> >> I have not seen any reference in the current trunk code for both
> SameSite cookie and CsrfPreventionFilter filter. If we can make everyone on
> the
> >> same page on CSRF, I would like to propose we go ahead with this
> change. I think we will need to handle it in multiple ways.
> >>
> >> I can create a JIRA with all details provided we have the necessary
> concord.
> >>
> >>
> >> Thanks and Best regards,
> >> Girish Vasmatkar
> >> HotWax Systems
> >>
> >
> >
>
>
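
Added example (not part of the thread, not OFBiz code and not Tomcat's CsrfPreventionFilter): a server-side source-origin check on the Origin and Referer headers, plus a helper that flags a Set-Cookie value with SameSite, the two measures proposed in the quoted message. The expected origin https://localhost:8443, the sample requests and the reject-when-unknown policy are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

public class SourceOriginCheck {

    enum Verdict { SAME_ORIGIN, CROSS_ORIGIN, NO_SOURCE_HEADER }

    /** Reduce an Origin value or a full URL to "scheme://host:port"; null when it cannot be parsed. */
    static String originOf(String value) {
        if (value == null) {
            return null;
        }
        try {
            URI uri = new URI(value.trim());
            if (uri.getScheme() == null || uri.getHost() == null) {
                return null; // covers the literal "null" origin and file: URLs
            }
            String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
            int port = uri.getPort();
            if (port == -1) {
                port = "https".equals(scheme) ? 443 : "http".equals(scheme) ? 80 : -1;
            }
            return scheme + "://" + uri.getHost().toLowerCase(Locale.ROOT) + ":" + port;
        } catch (URISyntaxException e) {
            return null;
        }
    }

    /** Origin wins when present, Referer is the fallback, anything unparsable is cross-origin. */
    static Verdict classify(String originHeader, String refererHeader, String expectedOrigin) {
        String source = originHeader != null ? originHeader : refererHeader;
        if (source == null) {
            return Verdict.NO_SOURCE_HEADER;
        }
        String expected = originOf(expectedOrigin);
        return expected != null && expected.equals(originOf(source))
                ? Verdict.SAME_ORIGIN : Verdict.CROSS_ORIGIN;
    }

    /**
     * Assumed policy for state-changing requests: serve only what is provably same-origin.
     * Plain navigations legitimately arrive without either header, so this is not meant
     * to gate every GET.
     */
    static boolean allow(Verdict verdict) {
        return verdict == Verdict.SAME_ORIGIN;
    }

    /** Append SameSite to a Set-Cookie value unless the attribute is already there. */
    static String withSameSite(String setCookieValue, String mode) {
        if (!"Strict".equals(mode) && !"Lax".equals(mode)) {
            throw new IllegalArgumentException("mode must be Strict or Lax");
        }
        if (setCookieValue.toLowerCase(Locale.ROOT).contains("samesite=")) {
            return setCookieValue;
        }
        return setCookieValue + "; SameSite=" + mode;
    }

    public static void main(String[] args) {
        String expected = "https://localhost:8443"; // constructed: where this instance is served
        // Constructed requests as {Origin, Referer}; null means the header is absent.
        String[][] requests = {
            {"https://localhost:8443", null},
            {"https://other.example", "https://other.example/page.html"},
            {null, "https://localhost:8443/ordermgr/control/main"},
            {"null", null},
            {null, null},
        };
        for (String[] r : requests) {
            Verdict v = classify(r[0], r[1], expected);
            System.out.println("Origin=" + r[0] + " Referer=" + r[1] + " -> " + v + ", allow=" + allow(v));
        }
        System.out.println(withSameSite("JSESSIONID=<constructed>; Path=/; Secure; HttpOnly", "Lax"));
    }
}
```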


Re: [QUESTION] Should we not check fields consistency?

2018-09-03 Thread Girish Vasmatkar
I am all for having validations at the UI level, at least. Apart from Date,
there are other fields that need some basic validations. Showing
error/warning on tabbing out is one of the simplest forms for validation we
can put on certain fields.

+1 for this change.


On Mon, Sep 3, 2018 at 10:24 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Interesting idea, but please Richard subscribe to the dev ML, your email
> has been moderated
>
> Thanks
>
> Jacques
>
>
> Le 03/09/2018 à 15:59, Richard a écrit :
> > Some systems warn or block depending on the user's role.  A "bookkeeper"
> might not be able to enter incorrect data, while an administrator may just
> > receive a warning.
> >
> >
> > Jacques Le Roux wrote:
> >> One thing we could do is not block but warn the user, easy, simple
> >>
> >> Jacques
> >>
> >>
> >> Le 03/09/2018 à 15:28, Julien NICOLAS a écrit :
> >>> Hello
> >>>
> >>> I've already implemented this kind of things and if you want to be
> exhaustive, you have to do it at least in service AND in UI.
> >>>
> >>> However, it really depend on use cases that it depend on the customer
> tastes. When it depend on customer tastes, I prefer to keep it open in the
> >>> framework / OOTB webapp than limit the OFBiz possibilities.
> >>>
> >>> The only reason that we can do it is for legal locking features...
> but... it could depend on the country, so...
> >>>
> >>> My 2 cents,
> >>>
> >>> Julien.
> >>>
> >>>
> >>> Le 03/09/2018 à 14:55, Jacques Le Roux a écrit :
>  By root I mean the point where things begin. And for entering data
> for end users it all start in UI. If you can stop things at this level, you
>  don't have to worry for sequel. That's what I mean by "root in UI".
> Maybe "seed in UI" would have been a better image :)
> 
>  It would be more to prevent users's typo errors, fat fingers and
> such, without ambition to rule all cases, notably for later actions.
> 
>  Rest inline...
> 
>  Le 03/09/2018 à 14:19, Taher Alkhateeb a écrit :
> > I don't know what it means by the root in UI, but we are arriving at
> a
> > complex topic: Validation.
>  Yep, I know. Let's try to keep it as simple as possible
> 
> > Validation is something that can happen on many levels like:
> > - entity definition level
> > - entity-auto level
> > - service level
> > - UI level
> > - route level
> >
> > Each one of those has advantages and disadvantages. So I don't think
> > this is something we can make a rule for. What if a user wants to
> > enter a back-dated order?
>  Good question. They are cases, as in my examples, where common sense
> applies and there are no doubts (eg shipping before creating comes to
> mind).
>  A case like you suggest should not stop us to think about all the
> others.
> 
> > What if a user wants to be able to search
> > for a date range in the past,
>  That should not be a problem. It's all about keeping things
> consistent. For instance not reserving after shipping. I'm sure there are
> plenty
>  other cases where common sense applies. I only speak about dates
> here, but I don't suggest to restrict only to date fields.
>  There also case where it's not as simple and then we need to think
> about it. In this case do you think at something particularly? An URL would
> help.
> 
> > what if the site owner wants validation
> > on the service level for security because users can break out of
> > browser validation and enter a back-dated dates?
>  That's another topic I'd say. I'm not sure, but maybe we can enforce
> this rule, even on the client side.
>  To begin with baby steps, we should try to deliver common sense rules
> OOTB and let users adapt them to their needs.
>  Maybe we can even have a vision to help them. But my intention here
> is to keep things as simple as possible to begin.
> 
> 
> > I think this proposal needs more information and details. Otherwise
> > it's hard to determine what is the right decision as circumstances
> > vary widely
>  It was not a proposal so far, only a [QUESTION] to see if we are
> interested in researching this. I know it's not that simple, thank you for
> your
>  questions. Let's see if others believe we should make it a [PROPOSAL]
> 
>  Jacques
> 
> > On Mon, Sep 3, 2018 at 2:45 PM Jacques Le Roux
> >  wrote:
> >> It's only about checking at the root in UI when entering data and
> not let things go as long as the value is not correct
> >>
> >> Jacques
> >>
> >>
> >> Le 03/09/2018 à 13:08, Taher Alkhateeb a écrit :
> >>> Well, it depends on where the cross checks happen. Are you talking
> >>> about UI? entity-auto? somewhere else?
> >>> On Mon, Sep 3, 2018 at 11:52 AM deepak nigam <
> deepak.nigam1...@gmail.com> wrote:
>  +1.
> 
>  Thanks for the putting this forward. Please count me in for 

Re: POM relocation to an other version number is not fully supported in Gradle

2018-09-21 Thread Girish Vasmatkar
Hi Jacques

It looks like every transitive dependency defined in our build.gradle to
xml-apis is getting resolved to xml-apis:2.0.2.

+--- xom:xom:1.2.5
||+--- xml-apis:xml-apis:1.3.03 -> 2.0.2

+--- xml-apis:xml-apis:1.3.04 -> 2.0.2

org.apache.xmlrpc:xmlrpc-client:3.1.3
|\--- org.apache.xmlrpc:xmlrpc-common:3.1.3
| \--- org.apache.ws.commons.util:ws-commons-util:1.0.2
|  +--- junit:junit:3.8.1 -> 4.11 (*)
|  \--- xml-apis:xml-apis:1.0.b2 -> 2.0.2

Apparently, this has been occurring since earlier gradle versions as well
and no support yet.

Does the build fail due to this? If it is just a warning, then maybe we
can live with it. And if there is a hard dependency on it, then maybe we
should try forcing the version as shown in the SOF link you sent.

While I do not have any particular opinion on this, maybe others can weigh
in and take a call as to what should be done.

Best,
Girish
HotWax Systems


On Fri, Sep 21, 2018 at 5:28 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Le 21/09/2018 à 13:29, Jacques Le Roux a écrit :
> > Hi,
> >
> > I cleared by Gradle cache, so had to reload all.
> my
>
> >
> > I stumbled upon this is in log
> >
> >Download
> https://jcenter.bintray.com/xml-apis/xml-apis/2.0.2/xml-apis-2.0.2.pom
> >POM relocation to an other version number is not fully supported in
> Gradle : xml-apis:xml-apis:2.0.2 relocated to xml-apis:xml-apis:1.0.b2.
> >Please update your dependency to directly use the correct version
> 'xml-apis:xml-apis:1.0.b2'.
> >
> > xml-apis-2.0.2 is not a dependency we define in build.gradle.
> >
> > We could use this trick
> https://stackoverflow.com/questions/22613596/gradle-download-dependency-error
> >
> > But should we or should we simply neglect and wait it resolves by itself?
> >
> > Jacques
> >
> >
>
>


Re: Demo Trunk NPE

2018-09-22 Thread Girish Vasmatkar
Hi Rishi/Mohammad

This looks like an intermittent issue as I could not reproduce it. However, in
webtools, under Fetch Logs, I tried searching for "NullPointer" in the
error.log file and it did return some instances of NullPointerException.

java.lang.IllegalArgumentException: Error running script at location
[component://webtools/groovyScripts/service/Services.groovy]:
java.lang.NullPointerException
Caused by: java.lang.NullPointerException
java.lang.IllegalArgumentException: Error running script at location
[component://webtools/groovyScripts/service/Services.groovy]:
java.lang.NullPointerException
Caused by: java.lang.NullPointerException
java.lang.IllegalArgumentException: Error running script at location
[component://webtools/groovyScripts/service/Services.groovy]:
java.lang.NullPointerException
Caused by: java.lang.NullPointerException
java.lang.IllegalArgumentException: Error running script at location
[component://webtools/groovyScripts/service/Services.groovy]:
java.lang.NullPointerException
Caused by: java.lang.NullPointerException
java.lang.IllegalArgumentException: Error running script at location
[component://webtools/groovyScripts/service/Services.groovy]:
java.lang.NullPointerException
Caused by: java.lang.NullPointerException
java.lang.IllegalArgumentException: Error running script at location
[component://webtools/groovyScripts/service/Services.groovy]:
java.lang.NullPointerException
Caused by: java.lang.NullPointerException
java.lang.IllegalArgumentException: Error running script at location
[component://webtools/groovyScripts/service/Services.groovy]:
java.lang.NullPointerException
Caused by: java.lang.NullPointerException
java.lang.IllegalArgumentException: Error running script at location
[component://webtools/groovyScripts/service/Services.groovy]:
java.lang.NullPointerException
Caused by: java.lang.NullPointerException

Best,
Girish Vasmatkar
HotWax Systems

On Sat, Sep 22, 2018 at 3:02 PM Mohammad Kathawala <
mohammad.kathaw...@hotwaxsystems.com> wrote:

> Working for me.
> Regards*,*
> *Mohammad Kathawala* | Sr. Technical Consultant
> *HotWax Commerce* by *HotWax Systems*
> Plot no. 80, Scheme no. 78 Part 2, Near Brilliant Convention Center,
> Indore,
> M.P 452010
> Cell phone: 7772858789
>
> HotWax Systems recently received 8 mentions in *The Gartner Digital
> Commerce Vendor Guide, 2016 *by Gartner, Inc., the world's leading IT
> research and advisory company. Learn more about our research here
> <
> https://www.gartner.com/technology/media-products/newsletters/HotWax/1-2UVLP6M/index.html
> >
> .
>
>
> On Sat, Sep 22, 2018 at 2:19 PM Rishi Solanki 
> wrote:
>
> > Hello Team,
> > Browse to Webtools >> Logging >> Service Log on demo trunk returns NPE.
> >
> > Quick Reference:
> > https://demo-trunk.ofbiz.apache.org/webtools/control/ServiceLog
> >
> > Not able to replicate it on local setup, anyone face the same issue then
> > please revert back. Will log Jira Ticket for that.
> >
> > Regards,
> > --
> > Rishi Solanki
> > Sr Manager, Enterprise Software Development
> > HotWax Systems Pvt. Ltd.
> > Direct: +91-9893287847
> > http://www.hotwaxsystems.com
> > www.hotwax.co
> >
>


Re: [Discussion] Upgrading OFBiz to work with Java 11

2018-12-25 Thread Girish Vasmatkar
Hi Taher

I haven't tried upgrading myself but I'm in for this effort. I think it
only makes sense to do the upgrade. I'll also try Java 11 and see how it
goes.

Best,
Girish

On Wed, Dec 26, 2018 at 1:25 AM Taher Alkhateeb 
wrote:

> Hi Folks,
>
> Now that we upgraded Gradle, I think we should consider moving to the
> new LTS (JDK 11)? I tried to upgrade to java 11 and got lots of
> issues. Some deprecated packages are removed and others changed
> signature. I got 2 errors and about 53 warnings for things that should
> be fixed.
>
> Should we go ahead and attempt the upgrade? Anyone already went
> through the effort and can help out?
>
> Taher Alkhateeb
>


Re: [SUGGESTION] Common .derived file and AutoDeriv Eclipse plugin

2018-12-27 Thread Girish Vasmatkar
Hi Jacques

Following two settings help me not facing the issue you're facing. I, too,
ran into this issue when I initially set up OFBiz on eclipse.


   1. Uncheck Show Derived Resources when you do CTRL+Shift+R, such that
   only Show Status Line is checked. I am sure you have it correctly, but just
   in case.
   2. This does the trick mostly for me. By default, eclipse sets "bin"
   directly as the output folder for the compiled files. I have it as
   "build/classes". I think eclipse does not include resources present in the
   output folder as part of search result, so setting the default output
   folder as gradle's output folder i.e. *build/classes* does the trick for
   me. I am unsure if that's what you're looking for.


So even if the derived setting is gone after clean task is run, if the
output folder is set to *build/classes*, your search results should not
include .class files.

Also, when I am using eclipse for the development, almost always I rely on
eclipse for compiling the sources. I have not used gradle clean task for a
while. But with the above setting (changing default output folder), gradle
clean task does not affect my search results i.e. it does not include
.class files.

Based on what I understood, I think above should help. Please let me know
if that's not the case.

Best,
Girish



On Wed, Dec 26, 2018 at 9:06 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Hi Michael,
>
> I asked because so far when you updated Eclipse you were losing your
> plugins and their configurations. I recently updated to Photon and it's no
> longer
> the case. So it's no longer an issue for me :). At least as long as the
> repos locations don't change. I'd then lose my local .derived file and
> would
> surely I'd forget about it :/. But this should not happen before a long
> time...
>
> About the .class files showing when using Ctrl+Shift+R (opening a
> resource). It's not a configuration problem on my side.
>
> I guess when you speak about filters you think about what is explained in
> the second answer of
>
> https://stackoverflow.com/questions/443169/exclude-folders-from-eclipse-search
> .
>
> As you can see in comments there both options (derived and filters) have
> advantages and drawbacks. I personally prefer using derived ("the *quick*
> and
> dirty way", very handy). But, as explained in stackoverflow, you face an
> Eclipse bug. That's why AutoDeriv exists.
>
> So what's the problem for me? When you use the clean task, Gradle removes
> the build dir. So also the dir where the .class files are (build\classes).
> And then you lose the derived properties for these dirs :/
>
> Since to hide these files from opening or searching you need to set them
> as derived, each time you use clean (I do it a lot) you lose this config.
> That's why I use, and suggest to use as in wiki, the AutoDeriv plugin.
>
> Anyway as I said it's no longer a trivial but irritating concern for me
> and I don't want to shoehorn anybody with my solutions :)
>
> Thanks for answering
>
> Happy holidays
>
> Jacques
>
> Le 18/12/2018 à 07:44, Michael Brohl a écrit :
> > Hi Jacques,
> >
> > who is going to decide which files you want to see and which you don't
> want so see? People have different taste on that and so you would be
> > struggling with different settings checked in to the code repository.
> >
> > I'm not in favor of putting these files into the repository. I think
> these are specific for each developer and it's no problem to keep them
> locally.
> >
> > For your specific examples: I don't see any .class files when searching,
> that must be a configuration problem on your side. For searching, you can
> > also set up filters which provide an efficient mechanism to search (or
> don't search) specific files.
> >
> > Thanks,
> >
> > Michael
> >
> >
> > Am 17.12.18 um 14:11 schrieb Jacques Le Roux:
> >> Hi,
> >>
> >> I know we don't all use Eclipse but I though want to make a suggestion.
> >>
> >> 2 years ago I put this tip at
> https://cwiki.apache.org/confluence/display/OFBIZ/Eclipse+Tips#EclipseTips-Hidefoldersfromsearches
> :
> >>
> >>
> >>< opening a file.
> >>
> >>Most of the time you don't want to look into some folders because
> there is nothing interesting there and they sometimes annoy you because of
> >>search errors (triste)
> >>It's also annoying to see *.class files when you look for a
> similarly named Java source.
> >>Then you tool of choice is https://nodj.github.io/AutoDeriv/>>
> >>
> >>
> >> As it's convenient, I suggest now to put the .derived file and its
> content (maybe updated) into the svn repo as we have .xmlcatalog.xml which
> is
> >> also Eclipse specific.
> >>
> >> Can I get a consensus about that?
> >>
> >> Jacques
> >>
> >>
> >
> >
>


Re: Upgrading gradle to version 5.0

2018-11-28 Thread Girish Vasmatkar
Hi Taher

I'm all for it. I have also updated the version and it seems to be working
just fine in my workspace.

Just a very minor caveat I noticed with the upgrade is that you don't see
what all tasks gradle executed, while the earlier versions showed the
executed tasks and their corresponding output.

With the newer version you see -  Build Successful on the terminal. More
often than not we are not going to be bothered by this, but having it
display the executed tasks helps debugging, I feel.

Here's the solution that worked for me.

Best,
Girish

On Wed, Nov 28, 2018 at 11:26 PM Taher Alkhateeb 
wrote:

> Hello Everyone,
>
> I just received some good news from Mathieu Lirzin (Thank you Mathieu)
> on the state of Gradle. Essentially, we were worried about gradle
> deprecating spaces used in task names which led to problems in issuing
> our standard server commands [1]. Thankfully, it seems this issue is
> resolved, the gradle folks seem to have changed their minds and we can
> continue as usual.
>
> Therefore, I recommend we upgrade gradle to version 5. It is a lot
> faster for loading (it runs parallel processes for downloading
> dependencies) and it is also more compatible with newer versions of
> Java.
>
> https://issues.apache.org/jira/browse/OFBIZ-9972
>


Re: Session timeout for webapps

2019-01-10 Thread Girish Vasmatkar
Hi Jacques

Yes, we should put back the session timeout declaration in web.xml. Given
the fact that we can always mix web.xml and Annotation based configuration,
it only makes sense to let web.xml decide the session timeout and even if
we have the session listener (via web.xml declaration or Annotation), we
should not programmatically try to override the setting.

Thanks and Regards,
Girish


On Thu, Jan 10, 2019 at 7:14 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Hi Deepak, Girish,
>
> I had a look at the issue. The specifications of Java Servlet
> Specification 3.0 don't include an annotation to change the session time
> out.
>
> https://www.baeldung.com/servlet-session-timeout
>
> https://stackoverflow.com/questions/20389833/session-timeout-config-with-no-web-xml-file
>
> I think the best solution is to put back what we had before, ie set it to
> a value (it was 1 hour before) in all web.xml file and remove the
>
> session.setMaxInactiveInterval(60*60); //in seconds
>
> line in ControlEventListener::sessionCreated
>
> I thought about keeping this line if a check to null for the session
> timeout value (from web.xml) was positive.
> But by default Tomcat sets it to 30 min (so it's never null) and it's
> possible but hard to change in OFBiz (eg to a known specific extraordinary
> value
> that could be checked instead of null as above)
> So it could be confusing and anyway best practice is to prefer convention
> over configuration, even if in this case it's much redundant.
>
> I think we can reopen OFBIZ-6655 and handle it there, with an explanation.
>
> Other ideas?
>
> Jacques
>
> Le 09/01/2019 à 10:11, Girish Vasmatkar a écrit :
> > Hi Deepak
> >
> > By the time sessionCreated is called in an HttpSessionListener, the
> session
> > has already been created. I am sure if you try to get the HttpSession
> from
> > the HttpSessionEvent object, it will have what you defined in
> >  tag.
> >
> > But the code is overriding the timeout using setMaxInactiveInterval to 1
> > hour that is why it is looking like web.xml is not being given
> > precedence over programmatic session configuration.
> >
> > Whether web.xml takes precedence over annotation does not apply in this
> > case because anyway the session timeout value is being overridden by the
> > code. The tomcat container definitely reads session-timeout from web.xml
> > and assigns timeout for the session accordingly. But since a listener is
> > configured for session lifecycle management, it invokes the method and
> > there the session value is being overridden.
> >
> > Try to set 2 minutes session timeout in web.xml and remove
> > session.setMaxInactiveInterval(60*60).
> > I would say you will be logged out after 2 minutes. If that is not the
> > case, pl let me know.
> >
> > I hope I understood your question and problem correctly.
> >
> > Best,
> > Girish
> >
> >
> >
> > On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam 
> > wrote:
> >
> >> Thanks, Jacques.
> >>
> >> Apart from the hardcoded thing, I am not able to override the session
> >> timeout value using  tag in web.xml.
> >>
> >> On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
> >> jacques.le.r...@les7arts.com>
> >> wrote:
> >>
> >>> Hi Deepak,
> >>>
> >>> You are right, it's hardcoded and should not. I have no time to go
> >> further
> >>> at the moment, but I'll ASAP
> >>>
> >>> Thanks
> >>>
> >>> Jacques
> >>>
> >>> Le 08/01/2019 à 06:10, Deepak Nigam a écrit :
> >>>> Hello all,
> >>>>
> >>>> I tried to set the session timeout for the 'ecommerce' and the
> >>>> 'webtools' components using  of web.xml, but unable to
> >> do
> >>>> so. Session for the logged-in user remains active even after the set
> >>> time.
> >>>> On further research, I found that we did some changes in this area in
> >> the
> >>>> ticket OFBIZ-6655 <https://issues.apache.org/jira/browse/OFBIZ-6655>.
> >> We
> >>>> have hard coded the session timeout (1 hr) in the sessionCreated()
> >> method
> >>>> of ControlEventListner class. As per the comments in the Jira ticket,
> >>>> session timeout declarations in web.xml have been removed by the use
> >>>> of @WebListner annotation. This is to avoid duplicates things
> >> everywhere
> >>> in
> >>>> web.xml files. Since the web.xml files have precedence on annotations,
> >>> the
> >>>> setting can be easily overridden when necessary.
> >>>>
> >>>> But the @WebListner is missing in the ControlEventListner class. Also,
> >> I
> >>> am
> >>>> unable to override the session timeout in web.xml even after putting
> >> the
> >>>> @WebListner annotation in ControlEventListner class.
> >>>>
> >>>> Please let me know if this is a real issue or I am doing something
> >> wrong?
> >>>> Thanks & Regards
> >>>> --
> >>>> Deepak Nigam
> >>>> HotWax Systems Pvt. Ltd.
> >>>>
>


Re: Session timeout for webapps

2019-01-09 Thread Girish Vasmatkar
Hi Deepak

By the time sessionCreated is called in an HttpSessionListener, the session
has already been created. I am sure if you try to get the HttpSession from
the HttpSessionEvent object, it will have what you defined in
 tag.

But the code is overriding the timeout using setMaxInactiveInterval to 1
hour that is why it is looking like web.xml is not being given
precedence over programmatic session configuration.

Whether web.xml takes precedence over annotation does not apply in this
case because anyway the session timeout value is being overridden by the
code. The tomcat container definitely reads session-timeout from web.xml
and assigns timeout for the session accordingly. But since a listener is
configured for session lifecycle management, it invokes the method and
there the session value is being overridden.

Try to set 2 minutes session timeout in web.xml and remove
session.setMaxInactiveInterval(60*60).
I would say you will be logged out after 2 minutes. If that is not the
case, pl let me know.

I hope I understood your question and problem correctly.

Best,
Girish



On Wed, Jan 9, 2019 at 1:53 PM Deepak Nigam 
wrote:

> Thanks, Jacques.
>
> Apart from the hardcoded thing, I am not able to override the session
> timeout value using  tag in web.xml.
>
> On Tue, Jan 8, 2019 at 1:55 PM Jacques Le Roux <
> jacques.le.r...@les7arts.com>
> wrote:
>
> > Hi Deepak,
> >
> > You are right, it's hardcoded and should not. I have no time to go
> further
> > at the moment, but I'll ASAP
> >
> > Thanks
> >
> > Jacques
> >
> > Le 08/01/2019 à 06:10, Deepak Nigam a écrit :
> > > Hello all,
> > >
> > > I tried to set the session timeout for the 'ecommerce' and the
> > > 'webtools' components using  of web.xml, but unable to
> do
> > > so. Session for the logged-in user remains active even after the set
> > time.
> > >
> > > On further research, I found that we did some changes in this area in
> the
> > > ticket OFBIZ-6655 .
> We
> > > have hard coded the session timeout (1 hr) in the sessionCreated()
> method
> > > of ControlEventListner class. As per the comments in the Jira ticket,
> > > session timeout declarations in web.xml have been removed by the use
> > > of @WebListner annotation. This is to avoid duplicates things
> everywhere
> > in
> > > web.xml files. Since the web.xml files have precedence on annotations,
> > the
> > > setting can be easily overridden when necessary.
> > >
> > > But the @WebListner is missing in the ControlEventListner class. Also,
> I
> > am
> > > unable to override the session timeout in web.xml even after putting
> the
> > > @WebListner annotation in ControlEventListner class.
> > >
> > > Please let me know if this is a real issue or I am doing something
> wrong?
> > >
> > > Thanks & Regards
> > > --
> > > Deepak Nigam
> > > HotWax Systems Pvt. Ltd.
> > >
> >
>
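
Added example (not part of the thread and not OFBiz's ControlEventListener): a session listener that leaves the web.xml timeout untouched and logs the effective value at creation and the idle time at destruction, one way to confirm the behaviour described in this thread. The class name, the 2-minute value and the web.xml fragment in the comment are assumptions; it targets the javax.servlet API.

```java
import java.util.logging.Logger;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/*
 * Meant to be used with a web.xml entry such as (value in minutes, constructed for a quick test):
 *
 *   <session-config>
 *       <session-timeout>2</session-timeout>
 *   </session-config>
 *   <listener>
 *       <listener-class>SessionTimeoutAuditListener</listener-class>
 *   </listener>
 */
public class SessionTimeoutAuditListener implements HttpSessionListener {

    private static final Logger LOG = Logger.getLogger(SessionTimeoutAuditListener.class.getName());

    /** Short correlation tag; the raw session id is a credential and stays out of the log. */
    private static String tag(HttpSession session) {
        return Integer.toHexString(session.getId().hashCode());
    }

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        // The container has already applied <session-timeout> by the time this runs.
        // There is no setMaxInactiveInterval() call here, so the web.xml value stays in force.
        LOG.info("session " + tag(session) + " created, timeout "
                + session.getMaxInactiveInterval() + " s");
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        long idleSeconds = (System.currentTimeMillis() - session.getLastAccessedTime()) / 1000;
        int timeout = session.getMaxInactiveInterval();
        // Idle time at or past the timeout means the container expired the session;
        // a shorter idle time means logout or another explicit invalidate().
        boolean expired = timeout > 0 && idleSeconds >= timeout;
        LOG.info("session " + tag(session) + " destroyed after " + idleSeconds
                + " s idle (timeout " + timeout + " s): " + (expired ? "timed out" : "invalidated"));
    }
}
```

With the 2-minute setting above, the creation line should report 120 s; a report of 3600 s means some listener is still overriding the value.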


Gradle eclipse task - classpath modification

2019-05-24 Thread Girish Vasmatkar
Hi All

When you run eclipse task it removes all unnecessary classpath entries
including the ones containing "config" and "dtd". This introduces a minor
inconvenience, in turn, because you do need two entries below in order for
OFBiz to start normally -

/framework/base/config
/framework/base/dtd

I rely heavily on *Start.java* to launch OFBiz (Run as Java Application)
and therefore the code needs cache.properties and ofbiz-component.xsd to be
in the classpath during start up. I see that we are removing certain
eclipse classpath entries (rightly so). Doing so also deletes classpath
entry for /framework/base/config and /framework/base/dtd that we need for
normal start-up.

I opine that we have to make provision for escaping deletion of these two
entries. This is essential because every time we run ./gradlew eclipse, you
have to add the two entries manually all over again as the eclipse task
resets classpath entries.

Granted, it is a minor inconvenience, but I feel this should be handled.
Should I go file a ticket for this change if we have a mutual consent on
this one?

Best,
Girish


Re: Gradle eclipse task - classpath modification

2019-05-25 Thread Girish Vasmatkar
 Hello Girish,
>
> Girish Vasmatkar  writes:
>
> > When you run eclipse task it removes all unnecessary classpath entries
> > including the ones containing "config" and "dtd". This introduces a minor
> > inconvenience, in turn, because you do need two entries below in order
> for
> > OFBiz to start normally -
> >
> > /framework/base/config
> > /framework/base/dtd
> >
> > I rely heavily on *Start.java* to launch OFBiz (Run as Java Application)
>
> I guess every one using OFBiz is relying on it, no? :-)
>
> > and therefore the code needs cache.properties and ofbiz-component.xsd to
> be
> > in the classpath during start up.
>
> Can you tell us during the startup when and for what purpose are those
> files needed?
>
> And what does happen when you don't add “/framework/base/{config,dtd}”
> manually to the classpath? an error, a warning?
>
> > I see that we are removing certain eclipse classpath entries (rightly
> > so). Doing so also deletes classpath entry for /framework/base/config
> > and /framework/base/dtd that we need for normal start-up.
> >
> > I opine that we have to make provision for escaping deletion of these two
> > entries. This is essential because every time we run ./gradlew eclipse, you
> > have to add the two entries manually all over again as the eclipse task
> > resets classpath entries.
> >
> > Granted, it is a minor inconvenience, but I feel this should be handled.
> > Should I go file a ticket for this change if we have a mutual consent on
> > this one?
>
> I see no reason not to fix this issue. Moreover it would be nice to make
> it clearer in the ‘build.gradle’ what is the actual problem about having
> extra entries in the ‘.classpath’.
>
> Thanks.
>
> --
> Mathieu Lirzin
> GPG: F2A3 8D7E EB2B 6640 5761  070D 0ADE E100 9460 4D37
>


Re: Gradle eclipse task - classpath modification

2019-05-25 Thread Girish Vasmatkar
There is a bit more to it ...

When the system can't find cache.properties (as it's no more on the
classpath), following happens -

1. Exception is thrown (which is obvious)
2. Code execution halts (which is fine), so no tomcat is launched.
3. Since execution stops, JVM should be terminated in my opinion. In other
words, JVM should not keep hanging doing nothing, better stop it if a major
exception has occurred. The JVM process is never terminated in this case.

Again, this is a very isolated scenario because it is always expected that
these config files and folders are always going to be on the classpath. But
this is one of those rare scenarios where that's not the case.

Log4j2 internal initialization logging.

java.util.MissingResourceException: Can't find bundle for base name cache, locale en
    at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1573)
    at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1396)
    at java.util.ResourceBundle.getBundle(ResourceBundle.java:782)
    at org.apache.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:191)
    at org.apache.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:173)
    at org.apache.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:169)
    at org.apache.ofbiz.base.util.cache.UtilCache.(UtilCache.java:125)
    at org.apache.ofbiz.base.util.cache.UtilCache.createUtilCache(UtilCache.java:797)
    at org.apache.ofbiz.base.util.UtilProperties.(UtilProperties.java:75)
    at org.apache.ofbiz.base.util.Debug.(Debug.java:69)
    at org.apache.ofbiz.base.container.ContainerLoader.load(ContainerLoader.java:61)
    at org.apache.ofbiz.base.start.StartupControlPanel.loadStartupLoaders(StartupControlPanel.java:218)
    at org.apache.ofbiz.base.start.StartupControlPanel.start(StartupControlPanel.java:71)
    at org.apache.ofbiz.base.start.Start.main(Start.java:85)


Best,
Girish

On Sat, May 25, 2019 at 2:56 PM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:

> Hi Mathieu,
>
> With those entries missing from the classpath, you'd get the following
> exceptions and warning -
>
> 1. For cache.properties (when /framework/base/config entry is missing)
>
> Exception in thread "main" java.lang.ExceptionInInitializerError
>     at org.apache.ofbiz.base.util.Debug.(Debug.java:69)
>     at org.apache.ofbiz.base.container.ContainerLoader.load(ContainerLoader.java:61)
>     at org.apache.ofbiz.base.start.StartupControlPanel.loadStartupLoaders(StartupControlPanel.java:218)
>     at org.apache.ofbiz.base.start.StartupControlPanel.start(StartupControlPanel.java:71)
>     at org.apache.ofbiz.base.start.Start.main(Start.java:85)
> Caused by: java.util.MissingResourceException: Can't find bundle for base name cache, locale en
>     at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1573)
>     at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1396)
>     at java.util.ResourceBundle.getBundle(ResourceBundle.java:782)
>     at org.apache.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:177)
>     at org.apache.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:173)
>     at org.apache.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:169)
>     at org.apache.ofbiz.base.util.cache.UtilCache.(UtilCache.java:125)
>     at org.apache.ofbiz.base.util.cache.UtilCache.createUtilCache(UtilCache.java:779)
>     at org.apache.ofbiz.base.util.UtilProperties.(UtilProperties.java:75)
>     ... 5 more
>
> 2. when /framework/base/dtd entry is missing (contains all schema files)
>
> 2019-05-25 14:48:37,591 |main |ContainerLoader |I| [Startup] Loading containers...
> 2019-05-25 14:48:38,431 |main |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [ofbiz-containers.xsd]
> 2019-05-25 14:48:39,139 |main |ContainerLoader |I| Loading container: component-container
> 2019-05-25 14:48:39,244 |main |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [component-loader.xsd]
> 2019-05-25 14:48:39,596 |main |ComponentContainer |I| Auto-Loading component directory : [/Users/grv/git/clients/warbyparker/github/ofbiz/framework]
> 2019-05-25 14:48:39,641 |main |UtilXml |W| [UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [component-loader.xsd]
>
> 2019-05-25 14:48:39,898 |main |UtilXml
> |W| [UtilXml.LocalResol
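
The fail-fast behaviour asked for in the message above, as an added example that is not part of the original thread and is not OFBiz code: it checks that the resources named in the thread resolve from the classpath before any static initializer needs them, and ends the process with a non-zero status when startup cannot proceed. The class names `ClasspathPreflight` and `CacheSettings` and the `startApplication` method are hypothetical, and the lookup of the schema files from the classpath root is an assumption based on the /framework/base/dtd entry.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.MissingResourceException;
import java.util.ResourceBundle;

/**
 * Added example, not OFBiz code. Checks that the resources named in the
 * thread are on the classpath before any static initializer needs them,
 * and exits with a non-zero status if startup cannot proceed.
 */
public final class ClasspathPreflight {

    // Bundle base name taken from "Can't find bundle for base name cache".
    private static final String[] REQUIRED_BUNDLES = {"cache"};

    // Schema files named in the thread. Assumption: they are looked up from
    // the classpath root, as the /framework/base/dtd entry implies.
    private static final String[] REQUIRED_RESOURCES = {
        "ofbiz-component.xsd", "ofbiz-containers.xsd", "component-loader.xsd"
    };

    /** Returns the names that cannot be resolved through the given loader. */
    static List<String> findMissing(ClassLoader loader) {
        List<String> missing = new ArrayList<>();
        for (String base : REQUIRED_BUNDLES) {
            try {
                ResourceBundle.getBundle(base, Locale.getDefault(), loader);
            } catch (MissingResourceException e) {
                missing.add(base + ".properties");
            }
        }
        for (String name : REQUIRED_RESOURCES) {
            if (loader.getResource(name) == null) {
                missing.add(name);
            }
        }
        return missing;
    }

    /** Hypothetical stand-in for a class whose static initializer loads the bundle. */
    static final class CacheSettings {
        static final ResourceBundle BUNDLE = ResourceBundle.getBundle("cache");
    }

    /** Hypothetical stand-in for the real startup sequence. */
    static void startApplication() {
        // First use of CacheSettings runs its static initializer. If the bundle
        // is missing, the JVM wraps the MissingResourceException in an
        // ExceptionInInitializerError, which is an Error, not an Exception.
        System.out.println("cache bundle keys: " + CacheSettings.BUNDLE.keySet().size());
    }

    public static void main(String[] args) {
        ClassLoader loader = ClasspathPreflight.class.getClassLoader();
        List<String> missing = findMissing(loader);
        if (!missing.isEmpty()) {
            System.err.println("Startup aborted, not found on classpath: " + missing);
            // System.exit ends the JVM even if non-daemon threads are still alive.
            System.exit(1);
        }
        try {
            startApplication();
        } catch (Throwable t) {
            // Catch Throwable so that initializer Errors also end the process.
            t.printStackTrace();
            System.exit(2);
        }
    }
}
```

Run without the two directories on the classpath, the check lists every missing name and returns exit status 1, so a launcher or IDE sees the failure instead of a process that stays up with nothing listening.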

Re: Gradle eclipse task - classpath modification

2019-05-25 Thread Girish Vasmatkar
So every IDE provides a shortcut (certain combination of keys) to execute
any java file in a project as a java application, that in turn invokes *java*
command on that class file. Eclipse applies all classpath entries (list of
jar files from gradle dependency) as -classpath argument.

Under the hood command that gets executed is -

java org.apache.ofbiz.base.start.Start -classpath 

I do this because it saves a lot of time. As soon as you make any change in
any file, especially java, it is compiled instantaneously as soon as you
save it. All you have to do is, just run Start.java as a java application
and you have OFBiz launched quickly.



On Sat, May 25, 2019 at 7:23 PM Taher Alkhateeb 
wrote:

> start how? what is the command? Are you trying to start _from_ eclipse. If
> yes why?
>
> On Sat, May 25, 2019 at 2:26 PM Girish Vasmatkar <
> girish.vasmat...@hotwaxsystems.com> wrote:
>
> > I realised Taher's reply after I had sent my response.
> >
> > Following's the command.
> >
> > *./gradlew eclipse*
> >
> > This would do the job of setting up the eclipse workspace with all
> > gradle dependencies nicely set-up in the classpath.
> >
> > Then I would normally try to start OFBiz using Start.java. Not sure if you
> > can see the inline screenshot. Pl see below.
> >
> > [image: image.png]
> >
> > On Sat, May 25, 2019 at 4:49 PM Girish Vasmatkar <
> > girish.vasmat...@hotwaxsystems.com> wrote:
> >
> >> There is a bit more to it ...
> >>
> >> When the system can't find cache.properties (as it's no more on the
> >> classpath), following happens -
> >>
> >> 1. Exception is thrown (which is obvious)
> >> 2. Code execution halts (which is fine), so no tomcat is launched.
> >> 3. Since execution stops, JVM should be terminated in my opinion. In
> >> other words, JVM should not keep hanging doing nothing, better stop it if a
> >> major exception has occurred. The JVM process is never terminated in this
> >> case.
> >>
> >> Again, this is a very isolated scenario because it is always expected
> >> that these config files and folders are always going to be on the
> >> classpath. But this is one of those rare scenarios where that's not the
> >> case.
> >>
> >> Log4j2 internal initialization logging.
> >>
> >> java.util.MissingResourceException: Can't find bundle for base name cache, locale en
> >>     at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1573)
> >>     at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1396)
> >>     at java.util.ResourceBundle.getBundle(ResourceBundle.java:782)
> >>     at org.apache.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:191)
> >>     at org.apache.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:173)
> >>     at org.apache.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:169)
> >>     at org.apache.ofbiz.base.util.cache.UtilCache.(UtilCache.java:125)
> >>     at org.apache.ofbiz.base.util.cache.UtilCache.createUtilCache(UtilCache.java:797)
> >>     at org.apache.ofbiz.base.util.UtilProperties.(UtilProperties.java:75)
> >>     at org.apache.ofbiz.base.util.Debug.(Debug.java:69)
> >>     at org.apache.ofbiz.base.container.ContainerLoader.load(ContainerLoader.java:61)
> >>     at org.apache.ofbiz.base.start.StartupControlPanel.loadStartupLoaders(StartupControlPanel.java:218)
> >>     at org.apache.ofbiz.base.start.StartupControlPanel.start(StartupControlPanel.java:71)
> >>     at org.apache.ofbiz.base.start.Start.main(Start.java:85)
> >>
> >>
> >> Best,
> >> Girish
> >>
> >> On Sat, May 25, 2019 at 2:56 PM Girish Vasmatkar <
> >> girish.vasmat...@hotwaxsystems.com> wrote:
> >>
> >>> Hi Mathieu,
> >>>
> >>> With those entries missing from the classpath, you'd get the following
> >>> exceptions and warning -
> >>>
> >>> 1. For cache.properties (when /framework/base/config entry is missing)
> >>>
> >>> Exception in thread "main" java.lang.ExceptionInInitializerError
> >>>
> >>> at org.apache.ofbiz

Re: Gradle eclipse task - classpath modification

2019-05-25 Thread Girish Vasmatkar
I realised Taher's reply after I had sent my response.

Following's the command.

*./gradlew eclipse*

This would do the job of setting up the eclipse workspace with all
gradle dependencies nicely set-up in the classpath.

Then I would normally try to start OFBiz using Start.java. Not sure if you
can see the inline screenshot. Pl see below.

[image: image.png]

On Sat, May 25, 2019 at 4:49 PM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:

> There is a bit more to it ...
>
> When the system can't find cache.properties (as it's no more on the
> classpath), following happens -
>
> 1. Exception is thrown (which is obvious)
> 2. Code execution halts (which is fine), so no tomcat is launched.
> 3. Since execution stops, JVM should be terminated in my opinion. In other
> words, JVM should not keep hanging doing nothing, better stop it if a major
> exception has occurred. The JVM process is never terminated in this case.
>
> Again, this is a very isolated scenario because it is always expected that
> these config files and folders are always going to be on the classpath. But
> this is one of those rare scenarios where that's not the case.
>
> Log4j2 internal initialization logging.
>
> java.util.MissingResourceException: Can't find bundle for base name cache, locale en
>     at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1573)
>     at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1396)
>     at java.util.ResourceBundle.getBundle(ResourceBundle.java:782)
>     at org.apache.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:191)
>     at org.apache.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:173)
>     at org.apache.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:169)
>     at org.apache.ofbiz.base.util.cache.UtilCache.(UtilCache.java:125)
>     at org.apache.ofbiz.base.util.cache.UtilCache.createUtilCache(UtilCache.java:797)
>     at org.apache.ofbiz.base.util.UtilProperties.(UtilProperties.java:75)
>     at org.apache.ofbiz.base.util.Debug.(Debug.java:69)
>     at org.apache.ofbiz.base.container.ContainerLoader.load(ContainerLoader.java:61)
>     at org.apache.ofbiz.base.start.StartupControlPanel.loadStartupLoaders(StartupControlPanel.java:218)
>     at org.apache.ofbiz.base.start.StartupControlPanel.start(StartupControlPanel.java:71)
>     at org.apache.ofbiz.base.start.Start.main(Start.java:85)
>
>
> Best,
> Girish
>
> On Sat, May 25, 2019 at 2:56 PM Girish Vasmatkar <
> girish.vasmat...@hotwaxsystems.com> wrote:
>
>> Hi Mathieu,
>>
>> With those entries missing from the classpath, you'd get the following
>> exceptions and warning -
>>
>> 1. For cache.properties (when /framework/base/config entry is missing)
>>
>> Exception in thread "main" java.lang.ExceptionInInitializerError
>>     at org.apache.ofbiz.base.util.Debug.(Debug.java:69)
>>     at org.apache.ofbiz.base.container.ContainerLoader.load(ContainerLoader.java:61)
>>     at org.apache.ofbiz.base.start.StartupControlPanel.loadStartupLoaders(StartupControlPanel.java:218)
>>     at org.apache.ofbiz.base.start.StartupControlPanel.start(StartupControlPanel.java:71)
>>     at org.apache.ofbiz.base.start.Start.main(Start.java:85)
>> Caused by: java.util.MissingResourceException: Can't find bundle for base name cache, locale en
>>     at java.util.ResourceBundle.throwMissingResourceException(ResourceBundle.java:1573)
>>     at java.util.ResourceBundle.getBundleImpl(ResourceBundle.java:1396)
>>     at java.util.ResourceBundle.getBundle(ResourceBundle.java:782)
>>     at org.apache.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:177)
>>     at org.apache.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:173)
>>     at org.apache.ofbiz.base.util.cache.UtilCache.setPropertiesParams(UtilCache.java:169)
>>     at org.apache.ofbiz.base.util.cache.UtilCache.(UtilCache.java:125)
>>     at org.apache.ofbiz.base.util.cache.UtilCache.createUtilCache(UtilCache.java:779)
>>     at org.apache.ofbiz.base.util.UtilProperties.(UtilProperties.java:75)
>>     ... 5 more
>>
>> 2. when /framework/base/dtd entry is missing (contains all schema files)
>>
>> 2019-05-25 14:48:37,591 |main |ContainerLoader
>> |I| [Startup] Loading containers...
>>
>> 2019-05-25 14:48:38,431 |main |UtilXml
>> |W| [Ut

Re: Gradle eclipse task - classpath modification

2019-05-27 Thread Girish Vasmatkar
Filed OFBIZ-11071 <https://issues.apache.org/jira/browse/OFBIZ-11071> for
the same.

Best,
Girish

On Mon, May 27, 2019 at 1:21 AM Taher Alkhateeb 
wrote:

> I see, sounds good. No harm in altering the exclusions.
>
> On Sun, May 26, 2019 at 10:01 PM Michael Brohl 
> wrote:
> >
> > Hi Taher,
> >
> > I find it extremely useful to start OFBiz from the IDE ;-)
> >
> > This way hot code replacement is supported which helps changing code at
> > runtime or while debugging.
> >
> > We add these two classpath entries by hand in Eclipse until now. I think
> > there would be no problem to remove the two exclusions which would make
> > these extra steps obsolete.
> >
> > Thanks,
> >
> > Michael
> >
> > ecomify GmbH - www.ecomify.de
> >
> >
> > On 25.05.19 at 19:15, Taher Alkhateeb wrote:
> > > It might be more useful not to launch from the IDE. Instead run gradle
> > > "ofbizDebug" and hookup remotely with the debug port. This would maintain a
> > > consistent environment instead of being surprised (happened to me in the
> > > past). It would also make a consistent experience to development team
> > > regardless of the IDE and you won't have to alter the jar file to
> > > accommodate an IDE.
> > >
> > > With that being said I don't think it's a big deal if you wish to remove
> > > those exclusions. Up to community to decide.
> > >
> > >
> > >
> > > On Sat, May 25, 2019, 6:37 PM Girish Vasmatkar <
> > > girish.vasmat...@hotwaxsystems.com> wrote:
> > >
> > >> So every IDE provides a shortcut (certain combination of keys) to execute
> > >> any java file in a project as a java application, that in turn invokes
> > >> *java* command on that class file. Eclipse applies all classpath entries
> > >> (list of jar files from gradle dependency) as -classpath argument.
> > >>
> > >> Under the hood command that gets executed is -
> > >>
> > >> java org.apache.ofbiz.base.start.Start -classpath
> > >>
> > >> I do this because it saves a lot of time. As soon as you make any change in
> > >> any file, especially java, it is compiled instantaneously as soon as you
> > >> save it. All you have to do is, just run Start.java as a java application
> > >> and you have OFBiz launched quickly.
> > >>
> > >>
> > >>
> > >> On Sat, May 25, 2019 at 7:23 PM Taher Alkhateeb <
> > >> slidingfilame...@gmail.com>
> > >> wrote:
> > >>
> > >>> start how? what is the command? Are you trying to start _from_ eclipse. If
> > >>> yes why?
> > >>>
> > >>> On Sat, May 25, 2019 at 2:26 PM Girish Vasmatkar <
> > >>> girish.vasmat...@hotwaxsystems.com> wrote:
> > >>>
> > >>>> I realised Taher's reply after I had sent my response.
> > >>>>
> > >>>> Following's the command.
> > >>>>
> > >>>> *./gradlew eclipse*
> > >>>>
> > >>>> This would do the job of setting up the eclipse workspace with all
> > >>>> gradle dependencies nicely set-up in the classpath.
> > >>>>
> > >>>> Then I would normally try to start OFBiz using Start.java. Not sure if you
> > >>>> can see the inline screenshot. Pl see below.
> > >>>>
> > >>>> [image: image.png]
> > >>>>
> > >>>> On Sat, May 25, 2019 at 4:49 PM Girish Vasmatkar <
> > >>>> girish.vasmat...@hotwaxsystems.com> wrote:
> > >>>>
> > >>>>> There is a bit more to it ...
> > >>>>>
> > >>>>> When the system can't find cache.properties (as it's no more on the
> > >>>>> classpath), following happens -
> > >>>>>
> > >>>>> 1. Exception is thrown (which is obvious)
> > >>>>> 2. Code execution halts (which is fine), so no tomcat is launched.
> > >>>>> 3. Since execution stops, JVM should be terminated in my opinion.
> In
> &

Re: Issue when debugging with Eclipse

2019-08-13 Thread Girish Vasmatkar
It is pretty much the same case with me as well. Not just this, I observe
lag during DB operations as well. Did it use to be fast for you earlier? I
would say first request always takes more time than the subsequent requests.

My eclipse version -

Version: Photon Release (4.8.0)

Build id: 20180619-1200

Best,
Girish

On Tue, Aug 13, 2019 at 8:13 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Hi,
>
> Since sometimes now (few weeks?) I get an issue when debugging with
> Eclipse (version 2018-12). I have to wait a long time before passing these
> lines
>
> 2019-08-13 15:00:05,186 |main |ServiceContainer  |I| Created new dispatcher: scrum
> 2019-08-13 15:00:05,187 |main |ControlServlet|I| Loading webapp [scrum], located at C:\projectsASF\ofbiz\plugins\scrum\webapp\scrum\
> 2019-08-13 15:00:05,221 |main |ConfigXMLReader   |I| controller loaded: 0.003s, 207 requests, 81 views in file:/C:/projectsASF/ofbiz/plugins/scrum/webapp/scrum/WEB-INF/controller.xml
>
> I tried it's not related with scrum component. If I remove it, the same
> happens with order component.
>
> The timeout is few minutes and quite annoying. Nobody has an idea?
>
> Thanks
>
> Jacques
>
>


Re: OFBiz and Camel integration updated

2019-08-03 Thread Girish Vasmatkar
Thanks Bilgin for taking care of pull request. If everyone is okay with the
changes, I will go ahead and create a ticket for the same to add it as an
ofbiz plugin. Let me know of any issues or concerns anyone may have.

While writing a few test cases for the various camel components (and I am
using CamelTestSupport), it turned out OFBiz test container does not pick
them up because it is still based on inheritance (extending TestCase) and
not on annotation (any class with @Test annotated methods). I will probably
elaborate further in a separate thread, but I feel we need to add support
for considering such classes as part of test suite as well. We are using
JUnit 4 but it is hardly being used except for being available on the
classpath. Using JUnit 4 classes will make sure both mechanisms will be
supported.

Best,
Girish

On Fri, Jul 19, 2019 at 10:12 AM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:

> Hi Bilgin
>
> I have created a pull request
> <https://github.com/bibryam/ofbiz-camel/pull/5> for *ofbiz-camel* component
> with the following additions and fixes. Please review and let me know what
> you think. Post review if you feel it is worth incorporating, we can add it
> as an ofbiz plugin.
> Here's the summary -
>
> 1. Auto discovery of RouteBuilders. Considering possibility of a developer
> wanting to create more than one route, I thought of scanning available
> RouteBuilder instances in the classpath and then registering them with
> camel context. I think it should be no issue having one RouteBuilder
> configuring single route, instead of all the routes configured by a single
> RouteBuilder.
> 2. Developer can configure property to specify the package where all
> RouteBuilders are packaged and at container initialization, system would
> try to register all available RouteBuilders.
> 3. Additionally, I have also added a custom annotation (CamelRoute) that a
> class can be annotated with. I have not thought about its implementation
> for now but this may be added in the future. Since, the same can be
> achieved by discovering RouteBuilders, this may not be needed.
> 4. As a future enhancement, I feel the need to introduce XML DSL to
> configure the routes. I am willing to share the design on this if you feel
> it would be worth a feature.
>
> Please let me know if you have any questions related to the pull request.
>
> Best,
> Girish
>
>
> On Wed, Jun 19, 2019 at 12:14 AM Rishi Solanki 
> wrote:
>
>> Dear Taher,
>> Thanks for your reply, I will soon start discussion on dev list. I just go
>> thru the code developed and basics of Apache Camel, seems it would be very
>> helpful to interact OFBiz with outer world. Work is really appreciated,
>> thanks to Bilgin for doing that.
>>
>> Best Regards,
>> --
>> *Rishi Solanki* | Sr Manager, Enterprise Software Development
>> HotWax Systems <http://www.hotwaxsystems.com/>
>> Linkedin: *Rishi Solanki*
>> <https://www.linkedin.com/in/rishi-solanki-62271b7/>
>> Direct: +91-9893287847
>>
>>
>> On Mon, Jun 17, 2019 at 6:09 PM Taher Alkhateeb <
>> slidingfilame...@gmail.com>
>> wrote:
>>
>> > Hopefully the code still works. If yes, I think it would be a good
>> > plugin to add.
>> >
>> > Either way, I think this discussion should perhaps move to the
>> > development mailing list.
>> >
>> > On Mon, Jun 17, 2019 at 1:04 PM Rishi Solanki 
>> > wrote:
>> > >
>> > > Dear Bilgin/Taher,
>> > > I tried to look into the plugins and Jira could not found anything related.
>> > > Although some discussion is there but I see plugin is not added into OFBiz
>> > > till now. Can you please share any reference if I missed something?
>> > >
>> > > I see the code in the Bilgin's repo and seems we can take it as ground and
>> > > test then commit it. If Bilgin allows then extend ofbiz-camel component to
>> > > next level if possible. And it too late to reply on this thread but I also
>> > > feel that the plugin should be part of OFBiz repo.
>> > >
>> > > Please suggest if all agree then I can go ahead to create Jira, test,
>> > > enhance and proceed.
>> > >
>> > > Best Regards,
>> > > --
>> > > Rishi Solanki
>> > > Sr Manager, Enterprise Software Development
>> > > *HotWax Systems*
>> > > *Enterprise open source experts*
>> > > cell: +91-98932-87847
>> > > http://www.hotwaxsystems.com
>> > >
>> 

Re: Issue when debugging with Eclipse

2019-08-14 Thread Girish Vasmatkar
Hi Jacques

Hooking up OFBiz with a profiler should help as to which method (eventually
leading to the dependency/API) is taking a lot of time helping narrowing
down the cause. Not sure if you want to go down this road, but it may help.

Best,
Girish

On Wed, Aug 14, 2019 at 3:56 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> This is due to logging, here is a sample from trunk demo log (to be sure
> it's not on my machine):
>
> 2019-08-14 03:06:57,734 |main |ConfigXMLReader   |I| controller loaded: 0.009s, 207 requests, 81 views in file:/home/ofbizDemo/trunk/plugins/scrum/webapp/scrum/WEB-INF/controller.xml
> 2019-08-14 03:06:59,831 |main |log   |I| Logging initialized @54684ms to org.eclipse.jetty.util.log.Slf4jLog
> 2019-08-14 03:07:00,052 |main |config|W| Trusting all certificates configured for Client@4da6d664[provider=null,keyStore=null,trustStore=null]
>
> After my change in OFBIZ-11151 I tried to revert to log4j-api:2.11.2
>
> But still got this locally after
>
> 2019-08-14 11:31:34,409 |main |log   |I| Logging initialized @269930ms to org.eclipse.jetty.util.log.Slf4jLog
>
> Since there is not this problem in stable demo, I reverted to
> log4j-api:2.6.2 but got the same type of issue
>
> I then ran R16 locally and there was no issue. So it's something else than
> just log4j-api version.
>
> I continue...
>
> Jacques
>
> On 14/08/2019 at 11:08, Jacques Le Roux wrote:
> > The issue I initially reported (stop after loading scrum controller)
> > also happens to me in console now, still investigating...
> >
> > Jacques
> >
> > On 13/08/2019 at 18:57, Mathieu Lirzin wrote:
> >> Hello,
> >>
> >> Jacques Le Roux  writes:
> >>
> >>> Yes it was much faster before (but before what???), as fast as running
> >>> it in console.
> >> Seems like a good scenario for a ‘git bisect’. ;-)
> >>
> >
>


Fwd: OFBiz and Camel integration updated

2019-08-14 Thread Girish Vasmatkar
Moving it to DEV list. My apologies if it is a nuisance.

I have attached plugin tar to the ticket for everybody to take a look at.
Please review and try to run the plug-in and see if there is any issue with
it.

Best,
Girish

- Forwarded message -
From: Girish Vasmatkar 
Date: Mon, Aug 5, 2019 at 9:38 PM
Subject: Re: OFBiz and Camel integration updated
To: ofbizuser 


I've created OFBIZ-11147 <https://issues.apache.org/jira/browse/OFBIZ-11147> to
track camel integration. I will provide the plug in along with relevant
details.

Best,
Girish

On Sat, Aug 3, 2019 at 5:07 PM Mathieu Lirzin 
wrote:

> Hello,
>
> Girish Vasmatkar  writes:
>
> > Thanks Bilgin for taking care of pull request. If everyone is okay with the
> > changes, I will go ahead and create a ticket for the same to add it as an
> > ofbiz plugin. Let me know of any issues or concerns anyone may have.
> >
> > While writing a few test cases for the various camel components (and I am
> > using CamelTestSupport), it turned out OFBiz test container does not pick
> > them up because it is still based on inheritance (extending TestCase) and
> > not on annotation (any class with @Test annotated methods). I will probably
> > elaborate further in a separate thread, but I feel we need to add support
> > for considering such classes as part of test suite as well. We are using
> > JUnit 4 but it is hardly being used except for being available on the
> > classpath. Using JUnit 4 classes will make sure both mechanisms will be
> > supported.
>
> Supporting the JUnit4 runner API which makes use of annotations would be
> nice if it helps improving the *sad* state of OFBiz integration tests in
> terms of error reporting.
>
> For the record Junit4 annotations are already supported by OFBiz unit
> tests run by ‘./gradlew test’ which by the way should be preferred over
> integration tests in most cases because they run faster.
>
> As a side note, please avoid cross-posting to ‘devel’ and ‘user’ mailing
> lists.
>
> Thanks.
>
> --
> Mathieu Lirzin
> GPG: F2A3 8D7E EB2B 6640 5761  070D 0ADE E100 9460 4D37
>


Re: Location of .wsdd file

2019-09-04 Thread Girish Vasmatkar
If you just want to run the tutorial as it is, you need to place WSDD in
the directory your code is getting executed from. Idea is it should be
available in the classpath.

Coming to OFBiz, you can place WSDD in any of the java packages (because
they are on the classpath) and provide fully qualified name of the
package/. It should work.

Should be like this -

-Daxis.ClientConfigFile=com/apache/ofbiz/xyx/SampleDeploy.wsdd

Best,
Girish

On Wed, Sep 4, 2019 at 10:23 AM Deepak Nigam 
wrote:

> Hello all,
>
> I am trying to integrate CyberSource with OFBiz using SOAP toolkit. We can
> consume its web services using Apache Axis and WSS4J. I am following the
> developer's guide [1] for it.
>
> The last step in this guide is as follows:
>
>
> *Run the sample as follows:*
> *java -Daxis.ClientConfigFile=SampleDeploy.wsdd Sample*
>
> It is providing axis.ClientConfigFile from the command line argument. Where
> do I need to configure and put this file in OFBiz (or any web application)?
>
> Thanks in advance!
>
> [1]
>
> http://apps.cybersource.com/library/documentation/dev_guides/SOAP_Toolkits/html/wwhelp/wwhimpl/js/html/wwhelp.htm#href=ApacheAxis.12.1.html
>
> Regards,
> Deepak Nigam
>


Re: OFBiz and Camel integration updated

2019-07-18 Thread Girish Vasmatkar
Hi Bilgin

I have created a pull request
<https://github.com/bibryam/ofbiz-camel/pull/5> for *ofbiz-camel* component
with the following additions and fixes. Please review and let me know what
you think. Post review if you feel it is worth incorporating, we can add it
as an ofbiz plugin.
Here's the summary -

1. Auto discovery of RouteBuilders. Considering possibility of a developer
wanting to create more than one route, I thought of scanning available
RouteBuilder instances in the classpath and then registering them with
camel context. I think it should be no issue having one RouteBuilder
configuring single route, instead of all the routes configured by a single
RouteBuilder.
2. Developer can configure property to specify the package where all
RouteBuilders are packaged and at container initialization, system would
try to register all available RouteBuilders.
3. Additionally, I have also added a custom annotation (CamelRoute) that a
class can be annotated with. I have not thought about its implementation
for now but this may be added in the future. Since, the same can be
achieved by discovering RouteBuilders, this may not be needed.
4. As a future enhancement, I feel the need to introduce XML DSL to
configure the routes. I am willing to share the design on this if you feel
it would be worth a feature.

Please let me know if you have any questions related to the pull request.

Best,
Girish


On Wed, Jun 19, 2019 at 12:14 AM Rishi Solanki 
wrote:

> Dear Taher,
> Thanks for your reply, I will soon start discussion on dev list. I just go
> thru the code developed and basics of Apache Camel, seems it would be very
> helpful to interact OFBiz with outer world. Work is really appreciated,
> thanks to Bilgin for doing that.
>
> Best Regards,
> --
> *Rishi Solanki* | Sr Manager, Enterprise Software Development
> HotWax Systems 
> Linkedin: *Rishi Solanki*
> 
> Direct: +91-9893287847
>
>
> On Mon, Jun 17, 2019 at 6:09 PM Taher Alkhateeb <
> slidingfilame...@gmail.com>
> wrote:
>
> > Hopefully the code still works. If yes, I think it would be a good
> > plugin to add.
> >
> > Either way, I think this discussion should perhaps move to the
> > development mailing list.
> >
> > On Mon, Jun 17, 2019 at 1:04 PM Rishi Solanki 
> > wrote:
> > >
> > > Dear Bilgin/Taher,
> > > I tried to look into the plugins and Jira could not found anything related.
> > > Although some discussion is there but I see plugin is not added into OFBiz
> > > till now. Can you please share any reference if I missed something?
> > >
> > > I see the code in the Bilgin's repo and seems we can take it as ground and
> > > test then commit it. If Bilgin allows then extend ofbiz-camel component to
> > > next level if possible. And it too late to reply on this thread but I also
> > > feel that the plugin should be part of OFBiz repo.
> > >
> > > Please suggest if all agree then I can go ahead to create Jira, test,
> > > enhance and proceed.
> > >
> > > Best Regards,
> > > --
> > > Rishi Solanki
> > > Sr Manager, Enterprise Software Development
> > > *HotWax Systems*
> > > *Enterprise open source experts*
> > > cell: +91-98932-87847
> > > http://www.hotwaxsystems.com
> > >
> > > On Thu, Mar 22, 2018 at 4:00 PM Taher Alkhateeb <
> > slidingfilame...@gmail.com>
> > > wrote:
> > >
> > > > 1- create a JIRA
> > > > 2- provide a patch or reference to your github repo and get some feedback
> > > > 3- commit in $OFBIZ_HOME/plugins/
> > > >
> > > > Given that you're the expert in this domain, I doubt you'll get any
> > > > feedback on the design. However there are a few things which might
> > > > need changing, for example:
> > > > - Putting apache 2 license header in files
> > > > - deleting the data directory given it is empty
> > > > - moving the documentation to src/docs/asciidoc
> > > > - removing some commented-out code
> > > >
> > > > I'd help you out if you'd need my help in anything BTW.
> > > >
> > > > On Thu, Mar 22, 2018 at 12:59 PM, Bilgin Ibryam 
> > wrote:
> > > > > On Wed, Mar 21, 2018 at 4:16 PM, Taher Alkhateeb
> > > > >  wrote:
> > > > >> Super awesome Bilgin,
> > > > >>
> > > > >> Maybe we should consider moving this work to plugins given how
> > useful
> > > > this
> > > > >> feature could be? The license is compatible and the work joins two
> > great
> > > > >> apache projects.
> > > > >
> > > > > Since there is considerable interest in this, it might be worth the
> > > > > effort. What is the processes for adding things into plugins?
> > > > >
> > > > >
> > > > >>
> > > > >> On Wed, Mar 21, 2018, 1:06 PM Bilgin Ibryam 
> > wrote:
> > > > >>
> > > > >>> hi all,
> > > > >>>
> > > > >>> a quick heads up. I've been getting requests to fix the
> ofbiz-camel
> > > > >>> integration demo and finally did it.
> > > > >>> It works with the latest version of OFBiz and Camel
> > > > >>> Also added a nice diagram demonstrating how the integration
> 

Re: GraphQL API for OFBiz

2020-02-12 Thread Girish Vasmatkar
Thanks Pierre.

Here's the ticket for the same. I'll keep posting updates to it.

https://issues.apache.org/jira/browse/OFBIZ-11347

Best,
Girish

On Mon, Feb 10, 2020 at 4:48 PM Pierre Smits  wrote:

> Hi Girish,
>
> Thank you for making the greater OFBiz community aware of this endeavour. I
> welcome such initiatives as it increases the appeal of our main product.
> Not only does it increase the appeal of OFBiz for (potential) adopters, but
> it may also lead to more parties willing to contribute.
>
> Best regards,
>
> Pierre Smits
> *Proud* *contributor* (but without privileges)* of* Apache OFBiz
> <https://ofbiz.apache.org/>, since 2008
>
> *Apache Trafodion <https://trafodion.apache.org>, Vice President*
> *Apache Directory <https://directory.apache.org>, PMC Member*
> Apache Incubator <https://incubator.apache.org>, committer
> Apache Steve <https://steve.apache.org>, committer
>
>
> On Mon, Feb 10, 2020 at 11:40 AM Girish Vasmatkar <
> girish.vasmat...@hotwaxsystems.com> wrote:
>
> > Hello
> >
> > I had been working on adding GraphQL support to OFBiz and could come up
> > with something that might be of interest to the community. Wanted to
> gauge
> > community's interest on the same.
> >
> > Essentially, I have first tried to enable GraphQL support such that OFBiz
> > is able to serve GraphQL queries, mutations and subscriptions as per the
> > GraphQL specification (http://spec.graphql.org/). The Java GraphQL
> library
> > mostly takes care of it.
> >
> > The other major part is writing GraphQL schema and I have tried to
> include
> > both SDL and programmatic approach to generate the schema. Included a
> demo
> > query in the SDL approach to showcase how OFBiz can serve GraphQL
> requests.
> >
> > This is the part that I feel needs more work in order to make it more
> > generalised and I am still working on this.
> >
> > I have included GraphiQL(https://github.com/graphql/graphiql) and
> > Playground (https://github.com/prisma-labs/graphql-playground) as two
> > visual editor tools as well.
> >
> > Here's the github link for the plug in.
> > https://github.com/hotwax/ofbiz-graphql
> >
> > Any feedback, questions, concerns or suggestions are welcome.
> >
> > Best,
> > Girish
> >
>


OFBiz Jersey Swagger plug in

2020-01-26 Thread Girish Vasmatkar
Hi All

Just wanted to gauge the community's interest in having a JAX-RS component
with swagger capabilities. I am fully aware of the fact that there are
efforts undergoing on implementing a REST servlet.

This can come handy for anyone comfortable with implementing JAX-RS or
having experience with JAX-RS. You can fully take advantage of Jersey in
implementing services that are truly RESTful in nature leveraging HATEOAS.

I have been using this plug in for one of our work and would like to
contribute the same to the community.

Please let me know your thoughts and I can then open a JIRA maybe and
proceed further.

Best,
Girish


Re: OFBiz Jersey Swagger plug in

2020-01-26 Thread Girish Vasmatkar
Hi, Jacques. Thanks. I've created OFBIZ-11328 for the same. I'll attach
details soon.

Best,
Girish

On Sun, Jan 26, 2020 at 5:08 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> On 26/01/2020 at 10:57, Girish Vasmatkar wrote:
> > Hi All
> >
> > Just wanted to gauge the community's interest in having a JAX-RS
> component
> > with swagger capabilities. I am fully aware of the fact that there are
> > efforts undergoing on implementing a REST servlet.
> >
> > This can come handy for anyone comfortable with implementing JAX-RS or
> > having experience with JAX-RS. You can fully take advantage of Jersey in
> > implementing services that are truly RESTful in nature leveraging
> HATEOAS.
> >
> > I have been using this plug in for one of our work and would like to
> > contribute the same to the community.
> >
> > Please let me know your thoughts and I can then open a JIRA maybe and
> > proceed further.
> >
> > Best,
> > Girish
> Hi Girish,
>
> That sounds like creating a Jira and attaching the necessary :)
>
> Jacques
>
>


Re: OFBiz Jersey Swagger plug in

2020-01-29 Thread Girish Vasmatkar
I have attached necessary details in JIRA.  Please review and let me know
if I need to provide more details.

Best Regards,
Girish

On Mon, Jan 27, 2020 at 10:20 AM Akash Jain 
wrote:

> Hi Girish,
>
> It's a nice feature. Please let me know if you need any help.
>
> Thanks and Regards
> --
> Akash Jain
>
> On Sun, Jan 26, 2020 at 3:27 PM Girish Vasmatkar <
> girish.vasmat...@hotwaxsystems.com> wrote:
>
> > Hi All
> >
> > Just wanted to gauge the community's interest in having a JAX-RS
> component
> > with swagger capabilities. I am fully aware of the fact that there are
> > efforts undergoing on implementing a REST servlet.
> >
> > This can come handy for anyone comfortable with implementing JAX-RS or
> > having experience with JAX-RS. You can fully take advantage of Jersey in
> > implementing services that are truly RESTful in nature leveraging
> HATEOAS.
> >
> > I have been using this plug in for one of our work and would like to
> > contribute the same to the community.
> >
> > Please let me know your thoughts and I can then open a JIRA maybe and
> > proceed further.
> >
> > Best,
> > Girish
> >
>


Re: OFBiz Jersey Swagger plug in

2020-02-06 Thread Girish Vasmatkar
Hi Nicolas

If I understood you correctly, you mean to say if there is a way Jersey can
render "resources" via XML configuration? Since it is an implementation of
the JAX-RS specification, and the specification itself does not define an XML
configuration, you actually have to annotate the Java classes with paths and
methods much like you would do in an XML file.

That being said, I have added those endpoints to showcase how a typical
JAX-RS(Jersey) API configuration works.
As far as resource scanning is concerned, you can either specify individual
classes or specify the packages where resources reside and that's where the
specification kicks in and does the job.

There is also a way to configure the resources programmatically (having a
custom XML file) and then define the API there and populate Jersey.

I am unsure if I understood you correctly nor am I sure if I was able to
provide you the answers, so please let me know if you still have
more questions.

Best,
Girish


On Thu, Feb 6, 2020 at 7:40 PM Nicolas Malin 
wrote:

> Hi Girish,
>
> I read your contribution on the related issue, and I saw that you hard
> coded the rest definition in java file.
>
> Just to understand the finality, you propose to deploy Jersey with
> define available request as you already done, or it's just for example
> how Jersey rendering a definition ?
>
> Do you imagine that we would be improve the OFBiz model scanning (like
> Artifact Info) to populate Jersey ?
>
> Nicolas
>
> On 26/01/2020 10:57, Girish Vasmatkar wrote:
> > Hi All
> >
> > Just wanted to gauge the community's interest in having a JAX-RS
> component
> > with swagger capabilities. I am fully aware of the fact that there are
> > efforts undergoing on implementing a REST servlet.
> >
> > This can come handy for anyone comfortable with implementing JAX-RS or
> > having experience with JAX-RS. You can fully take advantage of Jersey in
> > implementing services that are truly RESTful in nature leveraging
> HATEOAS.
> >
> > I have been using this plug in for one of our work and would like to
> > contribute the same to the community.
> >
> > Please let me know your thoughts and I can then open a JIRA maybe and
> > proceed further.
> >
> > Best,
> > Girish
> >
>
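
The three registration styles mentioned in the reply above (individual classes, package scanning, programmatic definition), as an added example that is not the plug-in's code or part of any message. It assumes Jersey 2.x (`javax.ws.rs`) on the classpath; the class names, the `com.example.rest` package and the descriptor map, which stands in for entries parsed from a custom XML file, are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.MediaType;
import org.glassfish.jersey.process.Inflector;
import org.glassfish.jersey.server.ResourceConfig;
import org.glassfish.jersey.server.model.Resource;

/** Added illustration (not the plug-in's code): three ways to hand resources to Jersey 2.x. */
public class ResourceRegistrationDemo {

    /** Annotation style: path and HTTP method are declared on the class itself. */
    @Path("ping")
    public static class PingResource {
        @GET
        @Produces(MediaType.TEXT_PLAIN)
        public String ping() {
            return "pong";
        }
    }

    /** Builds one GET resource per descriptor entry (path -> fixed response text). */
    static ResourceConfig fromDescriptors(Map<String, String> descriptors) {
        ResourceConfig config = new ResourceConfig();
        for (Map.Entry<String, String> entry : descriptors.entrySet()) {
            final String body = entry.getValue();
            Resource.Builder builder = Resource.builder();
            builder.path(entry.getKey());
            builder.addMethod("GET")
                   .produces(MediaType.TEXT_PLAIN_TYPE)
                   .handledBy(new Inflector<ContainerRequestContext, String>() {
                       @Override
                       public String apply(ContainerRequestContext request) {
                           return body;
                       }
                   });
            config.registerResources(builder.build());
        }
        return config;
    }

    public static void main(String[] args) {
        // 1. Explicit registration: only the listed classes are exposed.
        ResourceConfig explicit = new ResourceConfig().register(PingResource.class);

        // 2. Package scanning: every @Path or @Provider class found under the
        //    package is exposed, so the exposed surface grows with the package.
        //    The package name is a placeholder; this config is built for comparison only.
        ResourceConfig scanned = new ResourceConfig().packages("com.example.rest");

        // 3. Programmatic: constructed descriptors stand in for a parsed XML file.
        Map<String, String> descriptors = new LinkedHashMap<>();
        descriptors.put("status", "up");
        descriptors.put("version", "constructed-1.0");
        ResourceConfig programmatic = fromDescriptors(descriptors);

        System.out.println("explicit classes: " + explicit.getClasses());
        for (Resource resource : programmatic.getResources()) {
            System.out.println("programmatic resource: /" + resource.getPath());
        }
    }
}
```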


GraphQL API for OFBiz

2020-02-10 Thread Girish Vasmatkar
Hello

I had been working on adding GraphQL support to OFBiz and could come up
with something that might be of interest to the community. Wanted to gauge
community's interest on the same.

Essentially, I have first tried to enable GraphQL support such that OFBiz
is able to serve GraphQL queries, mutations and subscriptions as per the
GraphQL specification (http://spec.graphql.org/). The Java GraphQL library
mostly takes care of it.

The other major part is writing GraphQL schema and I have tried to include
both SDL and programmatic approach to generate the schema. Included a demo
query in the SDL approach to showcase how OFBiz can serve GraphQL requests.

This is the part that I feel needs more work in order to make it more
generalised and I am still working on this.

I have included GraphiQL(https://github.com/graphql/graphiql) and
Playground (https://github.com/prisma-labs/graphql-playground) as two
visual editor tools as well.

Here's the github link for the plug in.
https://github.com/hotwax/ofbiz-graphql

Any feedback, questions, concerns or suggestions are welcome.

Best,
Girish


Re: [TEST] Test "POC for CSRF Token"

2020-03-09 Thread Girish Vasmatkar
Hi Jacques

I tried to simulate the CSRF manually (and I plan to use Zap as well) and I
got this error -

Invalid or missing CSRF token to path '/EntitySQLProcessor'

I logged in to OFBiz and then used an HTML form to perform the attack and
the patch successfully prevented it.

So it looks good to me. I will let you know how it goes with ZAP.

Best,
Girish






On Sat, Mar 7, 2020 at 3:30 PM Jacques Le Roux 
wrote:

> Hi All,
>
> This is my 1st weekly reminder :)
>
> As you may know CSRF attacks are very bad. TL;DR: They are hard to provoke
> but once you are able to create one, mostly using social engineering, they
> can be "/devastating for both the business and user/".[1]
>
> OFBiz is currently riddled with CSRF vulnerabilities, all not idempotent
> URLs[2] are susceptible to be attacked. James started an effort to fix them
> with OFBIZ-11306 and I joined him.
>
> Though, after almost 3 months of work, I'm pretty confident about our
> results, I have investigated how to validate our effort, with 3 mains
> penetrations tools: Burp, Owasp Zap and Qualys.
>
> I notably followed[3]. Since we have (normally) covered all cases (see
> OFBIZ-11306 description), I did not find a way to penetrate using this
> method.
>
> Moreover, I'm a developer not a penetration tester. And, for misc.
> reasons, I find quite painful to use those tools when it comes to CSRF,
> even if
> it's well explained in[3].
>
> I did not either find an easy way to automatically test all URLs for CSRF
> vulnerabilities. It seems to me that the most powerful tool is Qualys but
> so
> far I have been unable to scan a localhost instance. I expect to work on
> that next week. If I can't get it working it would be nice to have a domain
> where to put the changes and launch Qualys, and Zap that I have to test
> for the same also, against this domain.
>
> Another aspect I'd be interested in are regressions. I don't think there
> should be any, but if you can apply the patch, or use my fork branch (see
> OFBIZ-11425), and have a short tour it would be good.
>
> [1]
> https://www.imperva.com/learn/application-security/csrf-cross-site-request-forgery/
> [2] this is security jargon :), and idempotent URL is one that does not
> change the state of the application. It's a bit more than safe URL:
> http://restcookbook.com/HTTP%20Methods/idempotency/
> [3]
> https://portswigger.net/support/using-burp-to-test-for-cross-site-request-forgery
>
> TIA
>
> Jacques
>
> On 29/02/2020 at 11:01, Pierre Smits wrote:
> > Thanks for the info, and the persistence to keep it in the attention
> span,
> > Jacques.
> >
> > Kind regards,
> >
> > Pierre Smits
> > *Proud* *contributor** of* Apache OFBiz
> since
> > 2008 (without privileges)
> >
> > *Apache Trafodion, Vice President*
> > *Apache Directory, PMC Member*
> > Apache Incubator, committer
> > Apache Steve, committer
> >
> >
> > On Sat, Feb 29, 2020 at 10:28 AM Jacques Le Roux <
> > jacques.le.r...@les7arts.com> wrote:
> >
> >> For those interested, it's maybe easier to test to simply apply the last
> >> patches (framework + plugins) at OFBIZ-11306
> >>
> >> Also if I see nothing happening, I'll do a reminder every week...
> >>
> >> Thanks
> >>
> >> Jacques
> >>
> >> On 27/02/2020 at 17:28, Jacques Le Roux wrote:
> >>> Forgot to say that w/ or w/o test I'll commit in 1 month...
> >>>
> >>> Jacques
> >>>
> >>> On 27/02/2020 at 15:08, Jacques Le Roux wrote:
> >>>> Hi,
> >>>>
> >>>> After working with James, who initiated the "POC for CSRF Token"
> >>>> effort, on https://issues.apache.org/jira/browse/OFBIZ-11306
> >>>> I have created OFBIZ-11425 to ask for all possible help to review and
> >>>> test.
> >>>> TIA
> >>>>
> >>>> Jacques
> >>>>
>


Re: GraphQL API for OFBiz

2020-03-26 Thread Girish Vasmatkar
Hi All

I'm planning an introduction of the OFBiz-GraphQL component that we have
developed so far. Please find below the hangout meet details -

Date : 03/27/2020 9:00 PM IST, 11:30 AM EST, 3:30 PM GMT.
Join Hangout Meet : https://meet.google.com/gja-jdwt-wpi
Join By Phone : +1 661-237-5173 PIN: 585 477 050#

Meeting agenda -

   - GraphQL briefing
      - Queries
      - Mutations
   - OFBiz-GraphQL component
      - Architecture
      - Entity Fetchers
      - Service Fetchers
   - What Next
      - Pagination
      - Interface
      - Batching
      - Subscriptions


Best Regards
Girish Vasmatkar



On Wed, Feb 12, 2020 at 7:04 PM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:

> Thanks Pierre.
>
> Here's the ticket for the same. I'll keep posting updates to it.
>
> https://issues.apache.org/jira/browse/OFBIZ-11347
>
> Best,
> Girish
>
> On Mon, Feb 10, 2020 at 4:48 PM Pierre Smits 
> wrote:
>
>> Hi Girish,
>>
>> Thank you for making the greater OFBiz community aware of this endeavour.
>> I
>> welcome such initiatives as it increases the appeal of our main product.
>> Not only does it increase the appeal of OFBiz for (potential) adopters,
>> but
>> it may also lead to more parties willing to contribute.
>>
>> Best regards,
>>
>> Pierre Smits
>> *Proud* *contributor* (but without privileges)* of* Apache OFBiz
>> <https://ofbiz.apache.org/>, since 2008
>>
>> *Apache Trafodion <https://trafodion.apache.org>, Vice President*
>> *Apache Directory <https://directory.apache.org>, PMC Member*
>> Apache Incubator <https://incubator.apache.org>, committer
>> Apache Steve <https://steve.apache.org>, committer
>>
>>
>> On Mon, Feb 10, 2020 at 11:40 AM Girish Vasmatkar <
>> girish.vasmat...@hotwaxsystems.com> wrote:
>>
>> > Hello
>> >
>> > I had been working on adding GraphQL support to OFBiz and could come up
>> > with something that might be of interest to the community. Wanted to
>> gauge
>> > community's interest on the same.
>> >
>> > Essentially, I have first tried to enable GraphQL support such that
>> OFBiz
>> > is able to server GraphQL queries, mutations and subscriptions as per
>> the
>> > GraphQL specification (http://spec.graphql.org/). The Java GraphQL
>> library
>> > mostly takes care of it.
>> >
>> > The other major part is writing GraphQL schema and I have tried to
>> include
>> > both SDL and programmatic approach to generate the schema. Included a
>> demo
>> > query in the SDL approach to showcase how OFBiz can serve GraphQL
>> requests.
>> >
>> > This is the part that I feel needs more work in order to make it more
>> > generalised and I am still working on this.
>> >
>> > I have included GraphiQL(https://github.com/graphql/graphiql) and
>> > Playground (https://github.com/prisma-labs/graphql-playground) as two
>> > visual editor tools as well.
>> >
>> > Here's the github link for the plug in.
>> > https://github.com/hotwax/ofbiz-graphql
>> >
>> > Any feedback, questions, concerns or suggestions are welcome.
>> >
>> > Best,
>> > Girish
>> >
>>
>


Re: GraphQL API for OFBiz

2020-04-02 Thread Girish Vasmatkar
I am holding another session tonight - please see details below -

Date : 04/03/2020 8:00 PM IST, 10:30 AM EST, 2:30 PM GMT.
Join Hangout Meet : https://meet.google.com/kvm-axrp-fev
Join By Phone : +1 614-881-0100 PIN: 198 863 972#

Agenda:

OFBiz-GraphQL integration

   - Pagination
   - Operation Input Types
   - Nested GraphQLOutputType

Best Regards,
Girish



On Sat, Mar 28, 2020 at 10:31 PM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:

> Hi Guys -
>
> I've attached video link of the demo held on 03/27 to the ticket
> https://issues.apache.org/jira/browse/OFBIZ-11347. Let me know should you
> have any questions.
>
> Best Regards,
> Girish
>
>
> On Sat, Mar 28, 2020 at 2:56 PM Girish Vasmatkar <
> girish.vasmat...@hotwaxsystems.com> wrote:
>
>> Hi Pierre
>>
>> Yes, the demo went well barring some network glitches:).It was recorded
>> as well so I will put the details on the ticket. Thanks for your interest.
>>
>> Best,
>> Girish
>>
>>
>>
>>
>> On Sat, Mar 28, 2020 at 1:30 PM Pierre Smits 
>> wrote:
>>
>>> Hi Girish,
>>>
>>> How did your presentation go? Unfortunately I was unable to
>>> attend/participate, but am curious.
>>>
>>> Will you capture highlights and put those in the ticket?
>>>
>>> Kind regards
>>>
>>> Pierre
>>>
>>> On Fri, 27 Mar 2020 at 10:13, Deepak Dixit wrote:
>>>
>>> > Great initiative Girish.
>>> >
>>> > Thanks & Regards
>>> > --
>>> > Deepak Dixit
>>> > ofbiz.apache.org
>>> >
>>> >
>>> > On Thu, Mar 26, 2020 at 9:18 PM Girish Vasmatkar <
>>> > girish.vasmat...@hotwaxsystems.com> wrote:
>>> >
>>> > > Hi All
>>> > >
>>> > > I'm planning an introduction of the OFBiz-GraphQL component that we
>>> have
>>> > > developed so far. Please find below the hangout meet details -
>>> > >
>>> > > Date : 03/27/2020 9:00 PM IST, 11:30 AM EST, 3:30 PM GMT.
>>> > > Join Hangout Meet : https://meet.google.com/gja-jdwt-wpi
>>> > > Join By Phone : +1 661-237-5173 PIN: 585 477 050#
>>> > >
>>> > > Meeting agenda -
>>> > >
>>> > >    - GraphQL briefing
>>> > >       - Queries
>>> > >       - Mutations
>>> > >    - OFBiz-GraphQL component
>>> > >       - Architecture
>>> > >       - Entity Fetchers
>>> > >       - Service Fetchers
>>> > >    - What Next
>>> > >       - Pagination
>>> > >       - Interface
>>> > >       - Batching
>>> > >       - Subscriptions
>>> > >
>>> > >
>>> > > Best Regards
>>> > > Girish Vasmatkar
>>> > >
>>> > >
>>> > >
>>> > > On Wed, Feb 12, 2020 at 7:04 PM Girish Vasmatkar <
>>> > > girish.vasmat...@hotwaxsystems.com> wrote:
>>> > >
>>> > > > Thanks Pierre.
>>> > > >
>>> > > > Here's the ticket for the same. I'll keep posting updates to it.
>>> > > >
>>> > > > https://issues.apache.org/jira/browse/OFBIZ-11347
>>> > > >
>>> > > > Best,
>>> > > > Girish
>>> > > >
>>> > > > On Mon, Feb 10, 2020 at 4:48 PM Pierre Smits <
>>> pierresm...@apache.org>
>>> > > > wrote:
>>> > > >
>>> > > >> Hi Girish,
>>> > > >>
>>> > > >> Thank you for making the greater OFBiz community aware of this
>>> > > endeavour.
>>> > > >> I
>>> > > >> welcome such initiatives as it increases the appeal of our main
>>> > product.
>>> > > >> Not only does it increase the appeal of OFBiz for (potential)
>>> > adopters,
>>> > > >> but
>>> > > >> it may also lead to more parties willing to contribute.
>>> > > >>
>>> > > >> Best regards,
>>> > > >>
>>> > > >> Pierre Smits
>>> > > >> *Proud* *contributor* (but without privileges)* of* Apache OFBiz
>>> > > >> <https://ofbiz.apache.org/>, since 2008
>>> > > >>

Re: GraphQL API for OFBiz

2020-03-28 Thread Girish Vasmatkar
Hi Pierre

Yes, the demo went well barring some network glitches:).It was recorded as
well so I will put the details on the ticket. Thanks for your interest.

Best,
Girish




On Sat, Mar 28, 2020 at 1:30 PM Pierre Smits  wrote:

> Hi Girish,
>
> How did your presentation go? Unfortunately I was unable to
> attend/participate, but am curious.
>
> Will you capture highlights and put those in the ticket?
>
> Kind regards
>
> Pierre
>
> On Fri, 27 Mar 2020 at 10:13, Deepak Dixit wrote:
>
> > Great initiative Girish.
> >
> > Thanks & Regards
> > --
> > Deepak Dixit
> > ofbiz.apache.org
> >
> >
> > On Thu, Mar 26, 2020 at 9:18 PM Girish Vasmatkar <
> > girish.vasmat...@hotwaxsystems.com> wrote:
> >
> > > Hi All
> > >
> > > I'm planning an introduction of the OFBiz-GraphQL component that we
> have
> > > developed so far. Please find below the hangout meet details -
> > >
> > > Date : 03/27/2020 9:00 PM IST, 11:30 AM EST, 3:30 PM GMT.
> > > Join Hangout Meet : https://meet.google.com/gja-jdwt-wpi
> > > Join By Phone : +1 661-237-5173 PIN: 585 477 050#
> > >
> > > Meeting agenda -
> > >
> > >    - GraphQL briefing
> > >       - Queries
> > >       - Mutations
> > >    - OFBiz-GraphQL component
> > >       - Architecture
> > >       - Entity Fetchers
> > >       - Service Fetchers
> > >    - What Next
> > >       - Pagination
> > >       - Interface
> > >       - Batching
> > >       - Subscriptions
> > >
> > >
> > > Best Regards
> > > Girish Vasmatkar
> > >
> > >
> > >
> > > On Wed, Feb 12, 2020 at 7:04 PM Girish Vasmatkar <
> > > girish.vasmat...@hotwaxsystems.com> wrote:
> > >
> > > > Thanks Pierre.
> > > >
> > > > Here's the ticket for the same. I'll keep posting updates to it.
> > > >
> > > > https://issues.apache.org/jira/browse/OFBIZ-11347
> > > >
> > > > Best,
> > > > Girish
> > > >
> > > > On Mon, Feb 10, 2020 at 4:48 PM Pierre Smits  >
> > > > wrote:
> > > >
> > > >> Hi Girish,
> > > >>
> > > >> Thank you for making the greater OFBiz community aware of this
> > > endeavour.
> > > >> I
> > > >> welcome such initiatives as it increases the appeal of our main
> > product.
> > > >> Not only does it increase the appeal of OFBiz for (potential)
> > adopters,
> > > >> but
> > > >> it may also lead to more parties willing to contribute.
> > > >>
> > > >> Best regards,
> > > >>
> > > >> Pierre Smits
> > > >> *Proud* *contributor* (but without privileges)* of* Apache OFBiz
> > > >> <https://ofbiz.apache.org/>, since 2008
> > > >>
> > > >> *Apache Trafodion <https://trafodion.apache.org>, Vice President*
> > > >> *Apache Directory <https://directory.apache.org>, PMC Member*
> > > >> Apache Incubator <https://incubator.apache.org>, committer
> > > >> Apache Steve <https://steve.apache.org>, committer
> > > >>
> > > >>
> > > >> On Mon, Feb 10, 2020 at 11:40 AM Girish Vasmatkar <
> > > >> girish.vasmat...@hotwaxsystems.com> wrote:
> > > >>
> > > >> > Hello
> > > >> >
> > > >> > I had been working on adding GraphQL support to OFBiz and could
> come
> > > up
> > > >> > with something that might be of interest to the community. Wanted
> to
> > > >> gauge
> > > >> > community's interest on the same.
> > > >> >
> > > >> > Essentially, I have first tried to enable GraphQL support such
> that
> > > >> OFBiz
> > > >> > is able to serve GraphQL queries, mutations and subscriptions as
> > per
> > > >> the
> > > >> > GraphQL specification (http://spec.graphql.org/). The Java
> GraphQL
> > > >> library
> > > >> > mostly takes care of it.
> > > >> >
> > > >> > The other major part is writing GraphQL schema and I have tried to
> > > >> include
> > > >> > both SDL and programmatic approach to generate the schema.
> Included
> > a
> > > >> demo
> > > >> > query in the SDL approach to showcase how OFBiz can serve GraphQL
> > > >> requests.
> > > >> >
> > > >> > This is the part that I feel needs more work in order to make it
> > more
> > > >> > generalised and I am still working on this.
> > > >> >
> > > >> > I have included GraphiQL(https://github.com/graphql/graphiql) and
> > > >> > Playground (https://github.com/prisma-labs/graphql-playground) as
> > two
> > > >> > visual editor tools as well.
> > > >> >
> > > >> > Here's the github link for the plug in.
> > > >> > https://github.com/hotwax/ofbiz-graphql
> > > >> >
> > > >> > Any feedback, questions, concerns or suggestions are welcome.
> > > >> >
> > > >> > Best,
> > > >> > Girish
> > > >> >
> > > >>
> > > >
> > >
> >
>


Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread Girish Vasmatkar
Hi Jacques

I second your points. However, I have the following question -

Since you have explored and followed OWASP very extensively, do you think
with the introduction of same-site attribute, the whole concept of CSRF
token becomes somewhat redundant, provided almost every browser has the
support for this attribute now?
I haven't gone into too much detail, so my understanding on this is
limited. However, from what I understood, same-site has the ability to
become an all-in-one solution for CSRF attacks provided browsers honour it.

Best,
Girish


On Sat, Mar 28, 2020 at 2:39 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Hi,
>
> Of course, I have my own opinion. Here are my answers to these questions.
>
>  1. By default in OFBiz the session timeout is 1 hour. After that, OFBiz
> generates a new CSRF token before you sign in. I think for OFBiz
> applications
> it's enough security. Of course we could have more fancy defenses like
> banks which are using random numeric pads for authentication and two-factor
> authentication for important operations. Or companies like GitHub
> which use two-factor authentication in case of machine or browser change. I
> don't think it's needed OOTB for OFBiz applications. Some users may
> need it but it's then to them to implement what they specifically need. So
> random values generated by java.security.SecureRandom are safe enough
> in my opinion.
>  2. If someone tries to use a not auth protected request the CSRF defenses
> (token + same-site) will not allow it from another domain if csrf-token is
> not set to false. That's already reassuring and we maybe not need to
> worry much about the remaining 195 cases where auth="false". Because there
> are some obviously needed, like all those related to login or password
> change. For the others it may turn out that they are also needed for other
> reasons. For them we need to test them one by one and in some case
> need to set csrf-token to false, for instance in case of requests in an
> anonymous flow. So finally, despite the remaining 195 cases, it should
> not be too hard and too long to decide on this.
>
> Also note that with OFBIZ-11470 <
> https://issues.apache.org/jira/browse/OFBIZ-11470> we are more secured,
> in a CSRF perspective, with the same-site
> cookie attribute. It's not perfect in itself, but according to OWASP, it's
> the perfect duo for CSRF defense when associated with CSRF tokens.
>
> I continue to work on the remaining 195 cases where auth="false"...
>
> HTH
>
> Jacques
>
> On 27/03/2020 at 19:16, Jacques Le Roux wrote:
> > Hi All,
> >
> > Before I create a PR as a last opportunity to allow reviews and tests,
> I'd like to ask 2 last questions:
> >
> > 1. should we not use a JWT rather than a (pseudo) random value for the
> CSRF token, this for timeout reason? Don't get me wrong I'm sure that the
> >random values generated by java.security.SecureRandom, as currently
> used, are safe enough. It's just that I wonder about the timeout. Should we
> > care?
> > 2. In relation with OFBIZ-4956, we need to check the remaining 195 cases
> where auth="false" and decide if we should change to "true", with the CSRF
> >defense then used by default. In other cases (auth="false" must
> remain) we need to decide if should set the CSRF token check to false.
> >
> > Apart that my
> https://github.com/JacquesLeRoux/ofbiz-framework/tree/POC-for-CSRF-Token-OFBIZ-11306
> branch is ready to create a PR. We can't wait too
> > long about those 2 points, even if the 2nd needs a "bit" of work.
> Anyway, for now I'll wait answers, and hopefully help for OFBIZ-4956.
> >
> > Thanks
> >
> > Jacques
> >
> >
> > On 26/03/2020 at 07:39, James Yong wrote:
> >> +1 with CSRF defense enabled in Demo
> >>> Hi,
> >>>
> >>> I thought about that a bit more. I suggest to let the stable version
> (soon, R17) as is, ie with  CSRF defense enabled. This way users, mostly
> >>> interested in stable, would  see the real situation.
> >>>
> >>> And to use the NoCsrfDefenseStrategy in trunk. So developers, often
> brought to use the trunk for development reasons, would have more latitude;
> as
> >>> they certainly will do locally.
> >>>
> >>> If nobody disagree we will do so at
> https://issues.apache.org/jira/browse/OFBIZ-11472 with Swapnil
> >>>
> >>> If we do so, the link
> https://demo-stable.ofbiz.apache.org/ordermgr/control/main?USERNAME=admin=ofbiz=Y
> will no longer
> >>> work.
> >>>
> >>> https://demo-stable.ofbiz.apache.org/ordermgr should be used and we
> need to update https://ofbiz.apache.org/ofbiz-demos.html for that.
> >>>
> >>> Jacques
> >>>
> >>>
>
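
The layering discussed in this thread (a random per-session token plus the same-site cookie attribute), as an added example that is not OFBiz code or part of any message. The class name, the in-memory token store, the `JSESSIONID` cookie name and the simplified browser model are assumptions; the rejection text follows the error quoted earlier in the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added illustration (not OFBiz code): session-bound CSRF token layered with a SameSite cookie. */
public class CsrfLayersDemo {

    private static final SecureRandom RNG = new SecureRandom();

    // sessionId -> token. Hypothetical store; a servlet application would keep it in the HttpSession.
    private final Map<String, String> tokenBySession = new ConcurrentHashMap<>();

    /** Issues a 256-bit random token that lives exactly as long as the session entry. */
    public String issueToken(String sessionId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokenBySession.put(sessionId, token);
        return token;
    }

    /** Session timeout or logout: the token disappears together with the session. */
    public void expireSession(String sessionId) {
        tokenBySession.remove(sessionId);
    }

    /** Set-Cookie value for the session cookie carrying the SameSite attribute. */
    public static String sessionCookie(String sessionId, String sameSite) {
        return "JSESSIONID=" + sessionId + "; Path=/; Secure; HttpOnly; SameSite=" + sameSite;
    }

    /**
     * Browser side: is the session cookie attached to this request?
     * Strict: never on cross-site requests. Lax: only on cross-site top-level GET navigation.
     * None, or a browser that ignores the attribute: always.
     */
    public static boolean cookieIsSent(String sameSite, boolean honoursSameSite,
                                       boolean crossSite, boolean topLevelGet) {
        if (!crossSite || !honoursSameSite || "None".equals(sameSite)) {
            return true;
        }
        return "Lax".equals(sameSite) && topLevelGet;
    }

    /** Server side: returns "OK" or the reason a state-changing request is refused. */
    public String handle(String path, String sessionIdFromCookie, String submittedToken) {
        String expected = sessionIdFromCookie == null ? null : tokenBySession.get(sessionIdFromCookie);
        if (expected == null) {
            return "No valid session for path '" + path + "' (login required)";
        }
        if (submittedToken == null || !MessageDigest.isEqual(      // constant-time comparison
                expected.getBytes(StandardCharsets.UTF_8),
                submittedToken.getBytes(StandardCharsets.UTF_8))) {
            return "Invalid or missing CSRF token to path '" + path + "'";
        }
        return "OK";
    }

    public static void main(String[] args) {
        CsrfLayersDemo app = new CsrfLayersDemo();
        String sessionId = "constructed-session-1";   // constructed sample value
        String token = app.issueToken(sessionId);
        String path = "/EntitySQLProcessor";
        System.out.println("Set-Cookie: " + sessionCookie(sessionId, "Strict"));

        // 1. Legitimate same-site form post: cookie and token are both present.
        System.out.println("same-site, with token    -> " + app.handle(path, sessionId, token));

        // 2. Cross-site form post without the token, for each cookie policy and
        //    for a browser that does or does not honour the SameSite attribute.
        for (String policy : new String[] {"Strict", "Lax", "None"}) {
            for (boolean honours : new boolean[] {true, false}) {
                boolean sent = cookieIsSent(policy, honours, true, false);
                String result = app.handle(path, sent ? sessionId : null, null);
                System.out.printf("cross-site POST, SameSite=%-6s honoured=%-5b -> %s%n",
                        policy, honours, result);
            }
        }

        // 3. After the session times out the old token is useless, even same-site.
        app.expireSession(sessionId);
        System.out.println("after timeout, old token -> " + app.handle(path, sessionId, token));
    }
}
```

When the attribute is honoured the cross-site post arrives without a session; when it is `None` or ignored, the request arrives authenticated and only the token check refuses it.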


Re: GraphQL API for OFBiz

2020-03-28 Thread Girish Vasmatkar
Hi Guys -

I've attached video link of the demo held on 03/27 to the ticket
https://issues.apache.org/jira/browse/OFBIZ-11347. Let me know should you
have any questions.

Best Regards,
Girish


On Sat, Mar 28, 2020 at 2:56 PM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:

> Hi Pierre
>
> Yes, the demo went well barring some network glitches:).It was recorded as
> well so I will put the details on the ticket. Thanks for your interest.
>
> Best,
> Girish
>
>
>
>
> On Sat, Mar 28, 2020 at 1:30 PM Pierre Smits 
> wrote:
>
>> Hi Girish,
>>
>> How did your presentation go? Unfortunately I was unable to
>> attend/participate, but am curious.
>>
>> Will you capture highlights and put those in the ticket?
>>
>> Kind regards
>>
>> Pierre
>>
>> On Fri, 27 Mar 2020 at 10:13, Deepak Dixit wrote:
>>
>> > Great initiative Girish.
>> >
>> > Thanks & Regards
>> > --
>> > Deepak Dixit
>> > ofbiz.apache.org
>> >
>> >
>> > On Thu, Mar 26, 2020 at 9:18 PM Girish Vasmatkar <
>> > girish.vasmat...@hotwaxsystems.com> wrote:
>> >
>> > > Hi All
>> > >
>> > > I'm planning an introduction of the OFBiz-GraphQL component that we
>> have
>> > > developed so far. Please find below the hangout meet details -
>> > >
>> > > Date : 03/27/2020 9:00 PM IST, 11:30 AM EST, 3:30 PM GMT.
>> > > Join Hangout Meet : https://meet.google.com/gja-jdwt-wpi
>> > > Join By Phone : +1 661-237-5173 PIN: 585 477 050#
>> > >
>> > > Meeting agenda -
>> > >
>> > >    - GraphQL briefing
>> > >       - Queries
>> > >       - Mutations
>> > >    - OFBiz-GraphQL component
>> > >       - Architecture
>> > >       - Entity Fetchers
>> > >       - Service Fetchers
>> > >    - What Next
>> > >       - Pagination
>> > >       - Interface
>> > >       - Batching
>> > >       - Subscriptions
>> > >
>> > >
>> > > Best Regards
>> > > Girish Vasmatkar
>> > >
>> > >
>> > >
>> > > On Wed, Feb 12, 2020 at 7:04 PM Girish Vasmatkar <
>> > > girish.vasmat...@hotwaxsystems.com> wrote:
>> > >
>> > > > Thanks Pierre.
>> > > >
>> > > > Here's the ticket for the same. I'll keep posting updates to it.
>> > > >
>> > > > https://issues.apache.org/jira/browse/OFBIZ-11347
>> > > >
>> > > > Best,
>> > > > Girish
>> > > >
>> > > > On Mon, Feb 10, 2020 at 4:48 PM Pierre Smits <
>> pierresm...@apache.org>
>> > > > wrote:
>> > > >
>> > > >> Hi Girish,
>> > > >>
>> > > >> Thank you for making the greater OFBiz community aware of this
>> > > endeavour.
>> > > >> I
>> > > >> welcome such initiatives as it increases the appeal of our main
>> > product.
>> > > >> Not only does it increase the appeal of OFBiz for (potential)
>> > adopters,
>> > > >> but
>> > > >> it may also lead to more parties willing to contribute.
>> > > >>
>> > > >> Best regards,
>> > > >>
>> > > >> Pierre Smits
>> > > >> *Proud* *contributor* (but without privileges)* of* Apache OFBiz
>> > > >> <https://ofbiz.apache.org/>, since 2008
>> > > >>
>> > > >> *Apache Trafodion <https://trafodion.apache.org>, Vice President*
>> > > >> *Apache Directory <https://directory.apache.org>, PMC Member*
>> > > >> Apache Incubator <https://incubator.apache.org>, committer
>> > > >> Apache Steve <https://steve.apache.org>, committer
>> > > >>
>> > > >>
>> > > >> On Mon, Feb 10, 2020 at 11:40 AM Girish Vasmatkar <
>> > > >> girish.vasmat...@hotwaxsystems.com> wrote:
>> > > >>
>> > > >> > Hello
>> > > >> >
>> > > >> > I had been working on adding GraphQL support to OFBiz and could
>> come
>> > > up
>> > > >> > with something that might be of interest to the community.
>> Wanted to
>> > > >> gauge
>> > > >> > community's interest on the same.
>> > > >> >
>> > > >> > Essentially, I have first tried to enable GraphQL support such
>> that
>> > > >> OFBiz
>> > > >> > is able to serve GraphQL queries, mutations and subscriptions as
>> > per
>> > > >> the
>> > > >> > GraphQL specification (http://spec.graphql.org/). The Java
>> GraphQL
>> > > >> library
>> > > >> > mostly takes care of it.
>> > > >> >
>> > > >> > The other major part is writing GraphQL schema and I have tried
>> to
>> > > >> include
>> > > >> > both SDL and programmatic approach to generate the schema.
>> Included
>> > a
>> > > >> demo
>> > > >> > query in the SDL approach to showcase how OFBiz can serve GraphQL
>> > > >> requests.
>> > > >> >
>> > > >> > This is the part that I feel needs more work in order to make it
>> > more
>> > > >> > generalised and I am still working on this.
>> > > >> >
>> > > >> > I have included GraphiQL(https://github.com/graphql/graphiql)
>> and
>> > > >> > Playground (https://github.com/prisma-labs/graphql-playground)
>> as
>> > two
>> > > >> > visual editor tools as well.
>> > > >> >
>> > > >> > Here's the github link for the plug in.
>> > > >> > https://github.com/hotwax/ofbiz-graphql
>> > > >> >
>> > > >> > Any feedback, questions, concerns or suggestions are welcome.
>> > > >> >
>> > > >> > Best,
>> > > >> > Girish
>> > > >> >
>> > > >>
>> > > >
>> > >
>> >
>>
>


Re: Welcome Rishi Solanki as new PMC member

2020-04-28 Thread Girish Vasmatkar
Congratulations Rishi!

Best,
Girish
On 28 Apr 2020 11:32 pm, "Akash Jain"  wrote:

> Many Congratulations Rishi!!
>
> Thanks and Regards
> --
> Akash Jain
>
> On Tue, Apr 28, 2020 at 7:53 PM Jacopo Cappellato <
> jacopo.cappell...@gmail.com> wrote:
>
> > The OFBiz PMC has invited Rishi Solanki to become member of the committee
> > and we are glad to announce that he has accepted the nomination.
> >
> > On behalf of the OFBiz PMC, welcome on board!
> >
>


Re: OFBiz-Shopify Integration

2020-04-26 Thread Girish Vasmatkar
Hi Ritesh -

This is certainly going to be a great initiative. +1

Best,
Girish





On Sun, Apr 26, 2020 at 8:49 PM Suraj Khurana 
wrote:

> +1 for creating a new plugin.
>
> --
> Best Regards,
> Suraj Khurana
> SENIOR TECHNICAL CONSULTANT
> mobile: +91 9669750002
> email: suraj.khur...@hotwax.co
> *www.hotwax.co *
>
>
> On Sun, Apr 26, 2020 at 10:00 AM Ritesh Kumar <
> ritesh.ku...@hotwaxsystems.com> wrote:
>
> > Hello team,
> >
> > Let me start by giving you heads up on Shopify.
> >
> > Shopify is a renowned eCommerce platform for building online retail
> > businesses. A large number of businesses are moving to the world of
> hosted
> > eCommerce platforms and Shopify seems to be, if not the best, one of the
> > best platforms available in the market today. Over a million merchants
> use
> > Shopify to run their businesses. They come in all sizes, from all around
> > the world, and each one is different. One can easily set up a store and
> go
> > online.
> >
> > Owing to such a large user base, there could be many merchants interested
> > in integrating their online sales with a powerful ERP system for the
> > backend processes such as order fulfilment, accounting, customer service,
> > etc.
> >
> > Shopify provides both REST and GraphQL APIs. APIs are richly documented.
> We
> > can further discuss the integration details.
> >
> > I do believe this integration will positively add to feature set already
> > available in OFBiz and can become a major adoption factor.
> >
> > Here are the references,
> > Shopify developer introduction
> > 
> > Shopify storefront API 
> >
> > Please, let me know your thoughts on this.
> >
> > Best,
> >
> > --
> > Ritesh Kumar
> >
>


Re: Default constructors in JAVA classes

2020-04-22 Thread Girish Vasmatkar
Hi

I am unsure if this needs to be extended or applied to the service classes
because even though the service classes do not appear to maintain state,
they conceptually relate to the business domain and hence are not a worthy
candidate. Moreover they are executed within a context and don't qualify as
typical helper or utility classes.

We should be all for this change but probably exempt service classes from
it and restrict this change to Helper/Utility classes. Also, it will be
helpful if we bring this about in phases.

+1 for helper/utility classes.

Best,
Girish




On Wed, Apr 22, 2020 at 11:55 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Le 22/04/2020 à 19:58, Jacques Le Roux a écrit :
> > I have still to read the articles an understand the Lombok project and
> how we could possibly use it
> I'm thinking about https://projectlombok.org/setup/gradle but I have no
> ideas yet to what it entails, someone knows?
>
> Jacques
>
>


Re: Welcome to Girish Vasmatkar as new committer!

2020-04-22 Thread Girish Vasmatkar
Hi All

Thanks for your continuous support in this journey. I am honoured and
privileged to be part of this community. Sure, the committership comes with
great responsibilities and I hope to back it up with even more commitment
from my side.

Thanks once again!

Best,
Girish


On Wed, Apr 22, 2020 at 5:36 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Sorry I missed Girish 1st name in subject :/
>
> Le 22/04/2020 à 11:37, Jacques Le Roux a écrit :
> > The OFBiz PMC has invited Girish to become a new committer and we are
> pleased  to announce that he has accepted.
> >
> > Girish is part of the community for near 2 years and has proposed
> several smart propositions notably related to security and GraphQL, but not
> only.
> >
> > Please join me in welcoming and congratulating Girish.
> >
> > Jacques
> >
> >
>


Re: Welcome Swapnil M Mane as new PMC member

2020-04-23 Thread Girish Vasmatkar
Congratulations, Swapnil.

Best,
Girish

On Thu, Apr 23, 2020 at 6:48 PM Ankush Upadhyay <
ankush.upadh...@hotwaxsystems.com> wrote:

> Many Congratulations, Swapnil!!!
>
> Kind Regards,
> Ankush Upadhyay
> Senior Technical Consultant
>
> *HotWax Systems*
> *Enterprise open source experts*
> cell: +91-8109201285
> office: 0731-409-3684
> http://www.hotwaxsystems.com
>
>
> On Thu, Apr 23, 2020 at 5:47 PM Ashish Vijaywargiya 
> wrote:
>
> > Many congratulations, Swapnil!!
> >
> > Thanks,
> > Ashish Vijaywargiya
> >
> > On Thu, Apr 23, 2020 at 5:02 PM Jacques Le Roux <
> > jacques.le.r...@les7arts.com> wrote:
> >
> > > The OFBiz PMC has invited Swapnil M Mane to become member of the
> > committee
> > > and we are glad to announce that he has accepted the nomination.
> > >
> > > On behalf of the OFBiz PMC, welcome on board!
> > >
> > >
> >
>


Re: getting started with ofbiz-rest-impl

2020-09-05 Thread Girish Vasmatkar
Hello Hans

Thanks for giving it (REST Impl) a try and providing valuable feedback. The
token's signature part and the payload part (that includes claims) does
indeed change, while the header part is not expected to change.
The token is revoked after it is expired (default is 1800 seconds based on
security.properties).

Looking forward to hearing more from you and please let us know of any
issue you encounter.

Best Regards,
Girish










On Sat, Sep 5, 2020 at 6:51 AM Hans Bakker 
wrote:

> Good day!
>
> Good to see we finally have a REST interface in OFBiz, thank you
> girishvasmatkar for this implementation!
>
>   I will try to use it for the Growerp.org open source project, a
> flutter frontend for currently Moqui.org but also will try to use OFBiz,
> yes with this REST interface.
>
> My experience after away from ofbiz for a couple of years and just for
> other users getting started email.
>
> OFBIZ install:
> ==
> i looked how to install ofbiz in the readme.adoc file, this tells me to
> run ./gradle/init-gradle-wrapper for linux
> did not work on my linux system, however ./gradlew init-gradle-wrapper
> worked but got stuck at the end...
> killed it and then ran ./gradlew cleanAll loadAll and all was fine.
>
> Did not know how to install a plugin, ( a lot changed the last couple of
> years that is good!) so i added it to the application folder and updated
> the component-load.xml file. that was still the same.
>
> REST plugin:
> ==
> then I searched for how to get an token after authorization.
> These curl commands worked for me: could be added to the READ me file?
>
> curl -X POST https://localhost:8443/rest/auth/token -H "Accept:
> application/json" -u admin:ofbiz --insecure
>
> however when i requested it the second time, the token did not change?
> shouldn't it? Now i cannot revoke a token?
>
> then tried the services list:
> curl -X GET https://localhost:8443/rest/services -H "Accept:
> application/json" -H "Authorization: Bearer
> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJBcGFjaGVPRkJpeiIsImlhdCI6MTU0NzczOTM0OCwiZXhwIjoxNjc5Mjc1MzQ4LCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiR2l2ZW5OYW1lIjoiSm9obm55IiwiU3VybmFtZSI6IlJvY2tldCIsIkVtYWlsIjoianJvY2tldEBleGFtcGxlLmNvbSIsInVzZXJMb2dpbklkIjoiYWRtaW4iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.fwafgrgpodBJcXxNTQdZknKeWKb3sDOsQrcR2vcRw97FznD6mkE79p10Tu7cqpUx7LiXuROUAnXEgqDice-BSg"
>
> --insecure
>
> also working fine!
>
> if I have more comments or remarks, i will let you know
>
> Regards,
>
> Hans Bakker https://www.AntWebsystems.com
> we specialize in flutter.dev growerp.org moqui.org and ofbiz.apache.org
>
>
>
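
The reply above says that a re-issued token keeps its header while the payload and signature change, and that the default lifetime is 1800 seconds. The sketch below is an added example, not code from the plugin: it shows how a client can check both points on two tokens. The signing key, the timestamps and the claim set are constructed for the example, and `mint_hs512` stands in for the server only to produce sample input.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the stripped padding before decoding a JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs512(claims: dict, key: bytes) -> str:
    """Constructed signer, used only to create sample tokens for this example."""
    header = {"typ": "JWT", "alg": "HS512"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(sig)


def split_token(token: str):
    """Return (header, payload, raw segments). Decoding is inspection, not verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), parts


def changed_segments(first: str, second: str) -> list:
    """Name the segments that differ between two tokens."""
    names = ("header", "payload", "signature")
    return [n for n, a, b in zip(names, first.split("."), second.split(".")) if a != b]


def verify_hs512(token: str, key: bytes) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    try:
        given = b64url_decode(sig)
    except ValueError:
        return False
    return hmac.compare_digest(expected, given)


def seconds_left(token: str, now: int) -> int:
    """Remaining lifetime according to the 'exp' claim; negative once expired."""
    _, payload, _ = split_token(token)
    return int(payload["exp"]) - now


# Constructed sample data (not real OFBiz output).
KEY = b"constructed-demo-key"
ISSUED = 1599300000          # constructed issue time (epoch seconds)
TTL = 1800                   # default expiry mentioned in the thread


def sample_claims(iat: int) -> dict:
    return {"iss": "ApacheOFBiz", "userLoginId": "admin", "iat": iat, "exp": iat + TTL}


FIRST = mint_hs512(sample_claims(ISSUED), KEY)
SECOND = mint_hs512(sample_claims(ISSUED + 60), KEY)   # same user, one minute later

if __name__ == "__main__":
    print("segments that changed:", changed_segments(FIRST, SECOND))
    print("header:", split_token(FIRST)[0])
    print("seconds left after 10 minutes:", seconds_left(FIRST, ISSUED + 600))
    print("signature valid:", verify_hs512(FIRST, KEY))
```

Comparing whole token strings by eye is unreliable because the first 36 characters are the header segment and are identical on every issue; the difference shows up only after the first dot.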


Re: buildbot failure in on ofbizTrunkFrameworkPlugins

2020-09-02 Thread Girish Vasmatkar
Hi Jacques/Akash -

I have taken care of it with my latest commit
- 310a2a58eff7cb203e4f7b25b78be23ea856aa79
Checkstyle count stays @ 2007

Best,
Girish

On Tue, Sep 1, 2020 at 10:20 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Hi Akash,
>
> Please either fix the checkstyle issue or increase to 2008
>
> https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins
>
> TIA
>
> Jacques
>
> Le 01/09/2020 à 13:41, build...@apache.org a écrit :
> > The Buildbot has detected a new failure on builder
> ofbizTrunkFrameworkPlugins while building ofbiz-plugins. Full details are
> available at:
> >
> https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/1733
> >
> > Buildbot URL: https://ci.apache.org/
> >
> > Buildslave for this Build: asf946_ubuntu
> >
> > Build Reason: The AnyBranchScheduler scheduler named
> 'onTrunkPluginsCommit' triggered this build
> > Build Source Stamp: [branch trunk]
> 6a7136ada4d38698a3497002e65cfc1980e4954c
> > Blamelist: Akash Jain ,Suraj Khurana <
> suraj.khur...@hotwax.co>
> >
> > BUILD FAILED: failed check
> >
> > Sincerely,
> >   -The Buildbot
> >
> >
> >
>


Re: buildbot failure in on ofbizTrunkFrameworkPlugins

2020-09-10 Thread Girish Vasmatkar
Hi Jacques

It is actually due to 2 errors reported under UtilHtmlTest.java. I just ran
it on my machine and it failed with this.
File:
/Users/grv/workspace/OFBiz/community/ofbiz-framework/framework/base/src/test/java/org/apache/ofbiz/base/util/UtilHtmlTest.java

Error Description | Line
Name 'parseHtmlFragment_unclosedDiv' must match pattern '^[a-z][a-zA-Z0-9]*$'. | 30
Name 'parseHtmlFragment_multiRoot' must match pattern '^[a-z][a-zA-Z0-9]*$'.

Before committing, I did not face any build failure due to checkstyle.

Best Regards,
Girish


On Thu, Sep 10, 2020 at 3:16 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Hi Girish,
>
> I had a quick look at this checkstyle issue, and it's weird.
>
> It's due to
> https://github.com/apache/ofbiz-plugins/commit/42192da7d3cc8bd979711e72a47b104dda0c25a3/
>
> And I see no reason why we get
>
> [...]
>  > Task :checkstyleTest FAILED
> FAILURE: Build failed with an exception.
>
> * What went wrong:
> Execution failed for task ':checkstyleTest'.
>  > Checkstyle rule violations were found. See the report at:
> file:///C:/projectsASF/Git/ofbiz-framework/build/reports/checkstyle/test.html
>Checkstyle files with violations: 1
>Checkstyle violations by severity: [error:2]
>
> Also
>
> https://ci.apache.org/projects/ofbiz/logs/trunk/checkstyle.html#f-/home/buildslave/slave/ofbizTrunkFrameworkPlugins/build/plugins/ofbiz-rest-impl/src/main/java/org/apache/ofbiz/ws/rs/resources/OFBizServiceResource.java
> is useless
>
> I'll have a look later, if you beat me on it I'll not be offended ;)
>
> Jacques
>
> Le 10/09/2020 à 08:17, build...@apache.org a écrit :
> > The Buildbot has detected a new failure on builder
> ofbizTrunkFrameworkPlugins while building ofbiz-plugins. Full details are
> available at:
> >
> https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/1750
> >
> > Buildbot URL: https://ci.apache.org/
> >
> > Buildslave for this Build: asf945_ubuntu
> >
> > Build Reason: The AnyBranchScheduler scheduler named
> 'onTrunkPluginsCommit' triggered this build
> > Build Source Stamp: [branch trunk]
> 42192da7d3cc8bd979711e72a47b104dda0c25a3
> > Blamelist: Girish Vasmatkar 
> >
> > BUILD FAILED: failed check
> >
> > Sincerely,
> >   -The Buildbot
> >
> >
> >
>


Re: REST get no parameters

2020-09-09 Thread Girish Vasmatkar
Hi Hans

I had earlier made a commit 72458a1ef2fd1e5b7c1694e76fece049aecfb0a4 that
should have resulted in 400. If not done already, could you please update
your local repository?

You should get following in response -

{
  "statusCode": 400,
  "statusDescription": "Bad Request",
  "errorMessage": "Missing Parameter: 'inParams'"
}

Best Regards,
Girish Vasmatkar
HotWax Systems

On Thu, Sep 10, 2020 at 6:54 AM Hans Bakker 
wrote:

> Sorry Girish me again,
>
> if i create a simple method service with action GET and no parameters ,
> i get a 500 http error,
>
> like:
>
> curl -X  GET https://localhost:8443/rest/services/findProductById -H
> "Accept: application/json" -H "Authorization: Bearer $token" --insecure
> {
>"statusCode" : 500,
>"statusDescription" : "Internal Server Error"
> }
>
> regards,
>
> Hans
>
>
>


Re: public rest API

2020-09-09 Thread Girish Vasmatkar
Every REST endpoint, as it is implemented now, is secured by default. I had
not thought of a scenario where internal OFBiz services will need to be
invoked without authentication (externally).

Yes, the services themselves can be specified to NOT require auth but I had
always thought that was applicable within internal execution. I may be
wrong here, so please correct me.

auth and login-required are not taken into account yet, but can certainly
be, if some exportable services should be exposed as public APIs.

Best Regards,
Girish Vasmatkar
HotWax Systems



On Thu, Sep 10, 2020 at 5:55 AM Hans Bakker 
wrote:

> Hi, Girish,
>
> thanks again for your last reply it definitely helped, however i have
> another question.
>
> I need to access certain services publicly without a token.
>
> I have put auth="false" on the service definition and
> login-required="false" on the simple-method implementation
>
> still i get a 401 response.
>
> any suggestions?
>
> Regards,
>
> Hans
>
>


Re: public rest API

2020-09-10 Thread Girish Vasmatkar
Thanks Hans, I will plan to include this change for the exportable services
as well.

There is also OFBIZ-11995, where more RESTFul resources can be declared
(development is undergoing) and bound to services where I had planned to
include declarative authentication.

Best Regards,
Girish Vasmatkar
HotWax Systems




On Thu, Sep 10, 2020 at 12:08 PM Hans Bakker 
wrote:

> Hi Girish,
>
> how about ecommerce? you want to show the products without logging in,
> actually all information on the ecommerce frontend?
>
> so yes, really required.
>
> regards,
>
> Hans
>
>
> On 9/10/20 12:37 PM, Girish Vasmatkar wrote:
> > Every REST endpoint, as it is implemented now, is secured by default. I
> had
> > not thought of a scenario where internal OFBiz services will need to be
> > invoked without authentication (externally)
> >
> > Yes, the services themselves can be specified to NOT require auth but I
> had
> > always thought that was applicable within internal execution. I may be
> > wrong here, so please correct me.
> >
> > auth and login-required are not taken into account yet, but can certainly
> > be, if some exportable services should be exposed as public APIs.
> >
> > Best Regards,
> > Girish Vasmatkar
> > HotWax Systems
> >
> >
> >
> > On Thu, Sep 10, 2020 at 5:55 AM Hans Bakker 
> > wrote:
> >
> >> Hi, Girish,
> >>
> >> thanks again for your last reply it definitely helped, however i have
> >> another question.
> >>
> >> I need to access certain services publicly without a token.
> >>
> >> I have put auth="false" on the service definition and
> >> login-required="false" on the simple-method implementation
> >>
> >> still i get a 401 response.
> >>
> >> any suggestions?
> >>
> >> Regards,
> >>
> >> Hans
> >>
> >>
>


Re: getting started with ofbiz-rest-impl

2020-09-07 Thread Girish Vasmatkar
Hi Hans -

Here's what works (if you don't want to manually URL-encode) -

curl -G -X GET https://localhost:8443/rest/services/findProductById \
  --data-urlencode 'inParams={"idToFind":"GZ-1001"}' \
  -H "Accept: application/json" \
  -H "Authorization: Bearer $token" --insecure

Note the '-G' parameter to cURL. It appends the encoded data to the URL.
Also, --data-urlencode should contain key-value pairs.

There has to be a query parameter named 'inParams' to call services
exposed as GET.
During its implementation, I had given a thought to whether to map each
service IN attribute as a query parameter to the REST call, but I chose this
approach. A GET service with too many IN attributes would have resulted in
a large number of query parameters.

Best,
Girish


On Mon, Sep 7, 2020 at 9:59 AM Hans Bakker 
wrote:

> OK, made some progress, have it now working from the flutter dart
> environment however..
>
> this curl works even from flutter dart,
> curl -X  GET
> https://localhost:8443/rest/services/findProductByI?inParams=%7B%22idToFind%22:%22GZ-1001%22%7D
> -H "Accept: application/json" -H "Authorization: Bearer $token" --insecure
> however i do not want to url encode myself, so shouldn't this also work:
>
> curl -X  GET https://localhost:8443/rest/services/findProductById
> --data-urlencode "{'inparams': {'idToFind':'GZ-1001'}}" -H "Accept:
> application/json" -H "Authorization: Bearer $token" --insecure
>
> I tried it also without the inner quotes but could not get his to work.
>
> i get:
> {
>   "statusCode" : 500,
>   "statusDescription" : "Internal Server Error"
> }
>
> can you help?
>
> regards,
>
> Hans
> On 9/5/20 8:26 PM, Girish Vasmatkar wrote:
>
> Hello Hans
>
> Thanks for giving it (REST Impl) a try and providing valuable feedback. The
> token's signature part and the payload part (that includes claims) does
> indeed change, while the header part is not expected to change.
> The token is revoked after it is expired (default is 1800 seconds based on
> security.properties).
>
> Looking forward to hearing more from you and please let us know of any
> issue you encounter.
>
> Best Regards,
> Girish
>
>
>
>
>
>
>
>
>
>
> On Sat, Sep 5, 2020 at 6:51 AM Hans Bakker  
> 
> wrote:
>
>
> Good day!
>
> Good to see we finally have a REST interface in OFBiz, thank you
> girishvasmatkar for this implementation!
>
>   I will try to use it for the Growerp.org open source project, a
> flutter frontend for currently Moqui.org but also will try to use OFBiz,
> yes with this REST interface.
>
> My experience after away from ofbiz for a couple of years and just for
> other users getting started email.
>
> OFBIZ install:
> ==
> i looked how to install ofbiz in the readme.adoc fle , this tells me to
> run ./gradle/init-gradle-wrapper for linux
> did not worked on my linux system, however ./gradlew init-gradle-wrapper
> worked but got stuck at the end...
> killed it and then ran ./gradlew cleanAll loadAll and all was fine.
>
> Did not know how to install a plugin, ( a lot changed the last couple of
> years that is good!) so i added it to the application folder and updated
> the component-load.xml file. that was still the same.
>
> REST plugin:
> ==
> then I searched for how to get an token after authorization.
> These curl commands worked for me: could be added to the READ me file?
>
> curl -X POST https://localhost:8443/rest/auth/token -H "Accept:
> application/json" -u admin:ofbiz --insecure
>
> however when i requested it the second time, the token did not change?
> shouldn't it? Now i cannot revoke a token?
>
> then tried the services list:
> curl -X GET https://localhost:8443/rest/services -H "Accept:
> application/json" -H "Authorization: Bearer
> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJBcGFjaGVPRkJpeiIsImlhdCI6MTU0NzczOTM0OCwiZXhwIjoxNjc5Mjc1MzQ4LCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiR2l2ZW5OYW1lIjoiSm9obm55IiwiU3VybmFtZSI6IlJvY2tldCIsIkVtYWlsIjoianJvY2tldEBleGFtcGxlLmNvbSIsInVzZXJMb2dpbklkIjoiYWRtaW4iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.fwafgrgpodBJcXxNTQdZknKeWKb3sDOsQrcR2vcRw97FznD6mkE79p10Tu7cqpUx7LiXuROUAnXEgqDice-BSg"
>
> --insecure
>
> also working fine!
>
> if I have more comments or remarks, i will let you know
>
> Regards,
>
> Hans Bakker https://www.AntWebsystems.com
> we specialize in flutter.dev growerp.org moqui.org and ofbiz.apache.org
>
>
>


Re: getting started with ofbiz-rest-impl

2020-09-07 Thread Girish Vasmatkar
That being said, I should make the query param mandatory such that it
returns 400 Bad Request "Missing Parameters" to let the client know of the
error.

I will make this improvement and commit soon.

Best,
Girish

On Mon, Sep 7, 2020 at 11:59 AM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:

> Hi Hans -
>
> Here's that works (if you don't want to manually url encode) -
>
> curl -G -X  GET https://localhost:8443/rest/services/findProductById 
> --data-urlencode
> 'inParams={"idToFind":"GZ-1001"}' -H "Accept: application/json" -H
> "Authorization: Bearer $token" --insecure
>
> Note '-G' parameter to CURL. It appends the encoded data to the URL. Also, 
> *--data-urlencode
> *should contain key value pairs.
>
> There has to have a query parameter named 'inParams' to call services
> exposed as GET.
> During it's implementation, I had given a thought whether to map each
> service IN attribute as query parameter to the REST call, but I chose this
> approach. A GET service with too many IN attributes would have resulted in
> a large number of query parameters.
>
> Best,
> Girish
>
>
> On Mon, Sep 7, 2020 at 9:59 AM Hans Bakker 
> wrote:
>
>> OK, made some progress, have it now working from the flutter dart
>> environment however..
>>
>> this curl works even from flutter dart,
>> curl -X  GET
>> https://localhost:8443/rest/services/findProductByI?inParams=%7B%22idToFind%22:%22GZ-1001%22%7D
>> -H "Accept: application/json" -H "Authorization: Bearer $token" --insecure
>> however i do not want to url encode myself, so shouldn't this also work:
>>
>> curl -X  GET https://localhost:8443/rest/services/findProductById
>> --data-urlencode "{'inparams': {'idToFind':'GZ-1001'}}" -H "Accept:
>> application/json" -H "Authorization: Bearer $token" --insecure
>>
>> I tried it also without the inner quotes but could not get his to
>> work.
>>
>> i get:
>> {
>>   "statusCode" : 500,
>>   "statusDescription" : "Internal Server Error"
>> }
>>
>> can you help?
>>
>> regards,
>>
>> Hans
>> On 9/5/20 8:26 PM, Girish Vasmatkar wrote:
>>
>> Hello Hans
>>
>> Thanks for giving it (REST Impl) a try and providing valuable feedback. The
>> token's signature part and the payload part (that includes claims) does
>> indeed change, while the header part is not expected to change.
>> The token is revoked after it is expired (default is 1800 seconds based on
>> security.properties).
>>
>> Looking forward to hearing more from you and please let us know of any
>> issue you encounter.
>>
>> Best Regards,
>> Girish
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Sat, Sep 5, 2020 at 6:51 AM Hans Bakker  
>> 
>> wrote:
>>
>>
>> Good day!
>>
>> Good to see we finally have a REST interface in OFBiz, thank you
>> girishvasmatkar for this implementation!
>>
>>   I will try to use it for the Growerp.org open source project, a
>> flutter frontend for currently Moqui.org but also will try to use OFBiz,
>> yes with this REST interface.
>>
>> My experience after away from ofbiz for a couple of years and just for
>> other users getting started email.
>>
>> OFBIZ install:
>> ==
>> i looked how to install ofbiz in the readme.adoc fle , this tells me to
>> run ./gradle/init-gradle-wrapper for linux
>> did not worked on my linux system, however ./gradlew init-gradle-wrapper
>> worked but got stuck at the end...
>> killed it and then ran ./gradlew cleanAll loadAll and all was fine.
>>
>> Did not know how to install a plugin, ( a lot changed the last couple of
>> years that is good!) so i added it to the application folder and updated
>> the component-load.xml file. that was still the same.
>>
>> REST plugin:
>> ==
>> then I searched for how to get an token after authorization.
>> These curl commands worked for me: could be added to the READ me file?
>>
>> curl -X POST https://localhost:8443/rest/auth/token -H "Accept:
>> application/json" -u admin:ofbiz --insecure
>>
>> however when i requested it the second time, the token did not change?
>> shouldn't it? Now i cannot revoke a token?
>>
>> then tried the services list:
>> curl -X GET https://localhost:8443/rest/services -H "Accept:
>> application/json" -H "Authorization: Bearer
>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJBcGFjaGVPRkJpeiIsImlhdCI6MTU0NzczOTM0OCwiZXhwIjoxNjc5Mjc1MzQ4LCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiR2l2ZW5OYW1lIjoiSm9obm55IiwiU3VybmFtZSI6IlJvY2tldCIsIkVtYWlsIjoianJvY2tldEBleGFtcGxlLmNvbSIsInVzZXJMb2dpbklkIjoiYWRtaW4iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.fwafgrgpodBJcXxNTQdZknKeWKb3sDOsQrcR2vcRw97FznD6mkE79p10Tu7cqpUx7LiXuROUAnXEgqDice-BSg"
>>
>> --insecure
>>
>> also working fine!
>>
>> if I have more comments or remarks, i will let you know
>>
>> Regards,
>>
>> Hans Bakker https://www.AntWebsystems.com
>> we specialize in flutter.dev growerp.org moqui.org and ofbiz.apache.org
>>
>>
>>


Re: getting started with ofbiz-rest-impl

2020-09-07 Thread Girish Vasmatkar
Hello Hans -

POST services will need to have data in the HTTP body. So, for any OFBiz
service (irrespective of engine) that is exposed as POST, you will need to
pass the JSON data in the POST body. Here is the corresponding cURL for the
service in question -

curl -X POST https://localhost:8443/rest/services/ensureNaPartyRole \
  -d '{"partyId":"admin"}' \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "Authorization: Bearer $token" --insecure

Please note the use of the "-d" argument. You can also use '--data' instead
of '-d'. It sets the data in the request body.

I am not sure if you have taken a look at the OpenAPI documentation. You
can follow https://localhost:8443/docs/swagger-ui.html and it will show all
endpoints available along with example usage.

All in all, a GET endpoint needs the service IN attributes specified in a JSON
string wrapped in the "inParams" query parameter, while a POST endpoint needs
the service IN attributes to be part of the HTTP body in JSON.

Best,
Girish





On Mon, Sep 7, 2020 at 2:58 PM Hans Bakker 
wrote:

> Hi Girish,
>
> thanks for your last help, that worked fine.
>
> I am struggling with simple method services.
>
> i went to applications/party/servicedef/services.xml
>
> and enabled the service ensureNaPartyRole with export="true" and
> action="post"
>
> then issued the command:
>
> curl -G -X  POST https://localhost:8443/rest/services/ensureNaPartyRole
> --data-urlencode 'inParams={"partyId":"admin"}' -H "Accept:
> application/json" -H "Authorization: Bearer $token" --insecure
>
> and tells me:
> {
>"statusCode" : 500,
>"statusDescription" : "Internal Server Error",
>"errorMessage" : "Required Field Missing : Party Id"
> }
>
> any idea?
>
> Thanks in advance.
>
> Hans
>
>
> just a quick question , does it also work with minilang?
>
>
>   i get
> {
>"statusCode" : 500,
>"statusDescription" : "Internal Server Error"
> }:
> Regards.
>
> On 9/5/20 8:26 PM, Girish Vasmatkar wrote:
> > Hello Hans
> >
> > Thanks for giving it (REST Impl) a try and providing valuable
> feedback.The
> > token's signature part and the payload part (that includes claims) does
> > indeed change, while the header part is not expected to change.
> > The token is revoked after it is expired (default is 1800 seconds basedon
> > security.properties).
> >
> > Looking forward to hearing more from you and please let us know of any
> > issue you encounter.
> >
> > Best Regards,
> > Girish
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > On Sat, Sep 5, 2020 at 6:51 AM Hans Bakker 
> > wrote:
> >
> >> Good day!
> >>
> >> Good to see we finally have a REST interface in OFBiz, thank you
> >> girishvasmatkar for this implementation!
> >>
> >> I will try to use it for the Growerp.org open source project, a
> >> flutter frontend for currently Moqui.org but also will try to use OFBiz,
> >> yes with this REST interface.
> >>
> >> My experience after away from ofbiz for a couple of years and just for
> >> other users getting started email.
> >>
> >> OFBIZ install:
> >> ==
> >> i looked how to install ofbiz in the readme.adoc fle , this tells me to
> >> run ./gradle/init-gradle-wrapper for linux
> >> did not worked on my linux system, however ./gradlew init-gradle-wrapper
> >> worked but got stuck at the end...
> >> killed it and then ran ./gradlew cleanAll loadAll and all was fine.
> >>
> >> Did not know how to install a plugin, ( a lot changed the last couple of
> >> years that is good!) so i added it to the application folder and updated
> >> the component-load.xml file. that was still the same.
> >>
> >> REST plugin:
> >> ==
> >> then I searched for how to get an token after authorization.
> >> These curl commands worked for me: could be added to the READ me file?
> >>
> >> curl -X POST https://localhost:8443/rest/auth/token -H "Accept:
> >> application/json" -u admin:ofbiz --insecure
> >>
> >> however when i requested it the second time, the token did not change?
> >> shouldn't it? Now i cannot revoke a token?
> >>
> >> then tried the services list:
> >> curl -X GET https://localhost:8443/rest/services -H "Accept:
> >> application/json" -H "Authorization: Bearer
> >>
> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJBcGFjaGVPRkJpeiIsImlhdCI6MTU0NzczOTM0OCwiZXhwIjoxNjc5Mjc1MzQ4LCJhdWQiOiJ3d3cuZXhhbXBsZS5jb20iLCJzdWIiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiR2l2ZW5OYW1lIjoiSm9obm55IiwiU3VybmFtZSI6IlJvY2tldCIsIkVtYWlsIjoianJvY2tldEBleGFtcGxlLmNvbSIsInVzZXJMb2dpbklkIjoiYWRtaW4iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.fwafgrgpodBJcXxNTQdZknKeWKb3sDOsQrcR2vcRw97FznD6mkE79p10Tu7cqpUx7LiXuROUAnXEgqDice-BSg"
> >>
> >> --insecure
> >>
> >> also working fine!
> >>
> >> if I have more comments or remarks, i will let you know
> >>
> >> Regards,
> >>
> >> Hans Bakker https://www.AntWebsystems.com
> >> we specialize in flutter.dev growerp.org moqui.org and ofbiz.apache.org
> >>
> >>
> >>
>


Re: buildbot exception in on ofbizTrunkFrameworkPlugins

2020-09-15 Thread Girish Vasmatkar
Hi Jacques

Javadoc generated error. I have fixed it and it should be fine now.

Best,
Girish

On Tue, Sep 15, 2020 at 2:34 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Hi Girish,
>
> Could you please have a look? TIA
>
> Jacques
>
> Le 15/09/2020 à 10:22, build...@apache.org a écrit :
> > The Buildbot has detected a build exception on builder
> ofbizTrunkFrameworkPlugins while building ofbiz-plugins. Full details are
> available at:
> >
> https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/1768
> >
> > Buildbot URL: https://ci.apache.org/
> >
> > Buildslave for this Build: asf947_ubuntu
> >
> > Build Reason: The AnyBranchScheduler scheduler named
> 'onTrunkPluginsCommit' triggered this build
> > Build Source Stamp: [branch trunk]
> 290f0b8af93d28d88f4e687763d122d40ac2df10
> > Blamelist: girishvasmatkar <
> 47553544+girishvasmat...@users.noreply.github.com>
> >
> > BUILD FAILED: exception javadoc upload test-results part 1
> >
> > Sincerely,
> >   -The Buildbot
> >
> >
> >
>


Re: REST upgrade not find services anymore....

2020-10-06 Thread Girish Vasmatkar
Hi Hans

There's an error in your service definition file *services100.xml*. Please
check the *invoke* attribute below.





Best Regards,
Girish


On Tue, Oct 6, 2020 at 6:58 PM Hans Bakker 
wrote:

> Hi Girish,
>
> just upgraded the rest plugin and now services are not found anymore
>
> my log:
>
> 2020-10-06 20:18:34,185 |OFBiz-JobQueue-1 |ServiceDispatcher
> |T| Sync service [default/runServiceOnSubscriptionExpiry] finished in
> [42] milliseconds
> 2020-10-06 20:19:10,230 |jsse-nio-8443-exec-4
> |APIAuthFilter |E| Cannot locate service by name
> (registerUserAndCompany100)
> 2020-10-06 20:19:10,873 |jsse-nio-8443-exec-5
> |APIAuthFilter |E| Cannot locate service by name
> (getCompanies100)
> 2020-10-06 20:19:11,181 |jsse-nio-8443-exec-6
> |UtilProperties|I| ResourceBundle SecurityextUiLabels
> (en) created in 0.109s with 69 properties
> 2020-10-06 20:19:11,184 |jsse-nio-8443-exec-6
> |LoginServices |I| [LoginServices.userLogin] Invalid
> User : '4344du...@example.com'; User not found.
> 2020-10-06 20:19:11,185 |jsse-nio-8443-exec-6
> |ServiceDispatcher |W| Service Failure [userLogin]: User not
> found.
> 2020-10-06 20:19:11,188 |jsse-nio-8443-exec-6
> |ServiceDispatcher |T| Sync service
> [ofbiz-rest-jersey/userLogin] finished in [145] milliseconds
> 2020-10-06 20:19:11,192 |jsse-nio-8443-exec-6
> |HttpBasicAuthFilter   |E| User not found.
> 2020-10-06 20:19:11,262 |jsse-nio-8443-exec-7
> |APIAuthFilter |E| Cannot locate service by name
> (getAuthenticate100)
>
> do i perhaps miss something?
>
> my plugin at https://github.com/growerp/growerp-ofbiz
>
> regards,
>
> Hans
>
>


Re: netbeans development

2020-10-04 Thread Girish Vasmatkar
Hi Alex

What version of NetBeans are you using? Your installation should have a
gradle plugin installed that can get you started. Should be able to import
OFBiz into NetBeans.

Best
Girish

On Sun, Oct 4, 2020 at 6:28 PM Alex Bodnaru  wrote:

> hello friends,
>
> i wish to be able to deeper inquiry the ofbiz functionality.
> after failing to install eclipse on my 32 bit linux, i happily found that
> netbeans seems to work.
> is there any friend here to put me on a trail?
> i would need to open some project etc.
>
> thanks in advance,
> --
> --
> alex
>


Re: OFBiz REST implementation session #2 (10/07/2020)

2020-10-06 Thread Girish Vasmatkar
Hi All

Please note the meeting details for tomorrow's session -

Topic: REST Session #2
Time: Oct 7, 2020 04:00 PM Mumbai, Kolkata, New Delhi, 12:30 PM CET

Join Zoom Meeting
https://us04web.zoom.us/j/2504311919?pwd=WHpkS2pCOEVNRi85Znczc2lMeHYvQT09

Meeting ID: 250 431 1919
Passcode: 4jmxz0

I have also prepared a POSTMAN collection
<https://www.postman.com/collection/> with API request examples that I'll
be walking you through. You can import it on your local workspace. Please
follow the link below.

https://www.getpostman.com/collections/5ef56c4f090b715112bc

Best,
Girish

On Wed, Sep 30, 2020 at 9:07 PM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:

> Hi Everyone!
>
> Please find details of the next session I am planning to hold on OFBiz
> REST implementation. This will have some hands-on examples that will help
> everyone using it.
>
> Date :  10/07/2020
> Time :  4 PM IST, 12:30 PM CET
> Meeting URL : TBD, I will send the invite link the day before.
> Agenda :
>
> 1. Preconfigured Resources (Resources that come OTB)
>
>    - Authentication Token Generating Resource (How to invoke and example
>      usage)
>       - POST /auth/token
>    - Exportable Services Resource (How to call services with export=true
>      via REST interface with example usage)
>       - GET | POST | PUT | DELETE | PATCH /services/{serviceName}
>       - GET vs POST service in parameters difference. How to invoke service
>         defined as GET vs POST | POST | PATCH.
>    - OpenAPI Resource
>       - GET /openapi.json
>       - GET /openapi.yaml
>    - WADL Resource (WADL is to REST as WSDL is to SOAP)
>       - GET /application.wadl
>
> 2.  Standard API responses supported for various use cases (with examples)
> and how to interpret them.
>
>    - HTTP 200 OK
>    - HTTP 400 Bad Request
>    - HTTP 401 Unauthorized
>    - HTTP 403 Forbidden
>    - HTTP 422 Unprocessable Entity
>    - HTTP 405 Method Not Allowed
>    - HTTP 406 Not Acceptable
>    - HTTP 415 Unsupported Media Type
>
> 3. Content Negotiation (JSON)
>
>    - Accept : application/json
>    - Content-Type : application/json
>
> 4. Q session
>
> Best,
> Girish Vasmatkar
>
>
>


Re: [OFBIZ-11976] svg files not removed on clean

2020-08-27 Thread Girish Vasmatkar
Hi Jacques -

This explains it nicely -
https://blog.softwaremill.com/my-task-whats-wrong-with-your-gradle-task-82312100c595

Turns out that gradle's configuration phase appears to be "running" the
tasks.

Best,
Girish




On Thu, Aug 27, 2020 at 3:12 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Hi,
>
> While looking at this issue I found that a simple "gradlew config"
> generates the files which are used by generatePluginDocumentation and
> generateAllPluginsDocumentation.
>
> So somehow these tasks are "activated" just launching any task. Does
> somebody knows why it's so?
>
> Thanks
>
> Jacques
>
>


Re: [OFBIZ-11976] svg files not removed on clean

2020-08-27 Thread Girish Vasmatkar
Hi Jacques

When you run "gradlew generateAllPluginsDocumentation", all "actions"
defined in the task "generateAllPluginsDocumentation" get executed as part
of the execution phase. doFirst and doLast are the actions defined, hence
they get executed.

And when you run any other task, all tasks present in the project
(including subprojects) are just configured, not executed. So when we run,
say, ./gradlew config, everything that is not defined as an action (doFirst,
doLast or any other action) gets executed as part of the configuration phase
for the generateAllPluginsDocumentation task.

doLast { delete "${component}/src/docs/asciidoc/images/OFBiz-Logo.svg" }

The above is supposed to be executed during the execution phase of the task
because doLast is an action for the task. If you define your print
statements inside doLast, you won't see them printed if you run any other
task.

The problem is that the part that is generating the docs should be defined
in an action but at present is part of configuration. That's why when other
tasks run, docs are generated but never deleted (deletion part being
defined in doLast).

Best Regards,
- Girish


Re: REST, how about 'Login' map

2020-09-29 Thread Girish Vasmatkar
Hi Hans

Since you specifically mentioned about groovy service, I would think it is
true for other services as well.

It would possibly be happening, if the service itself is declared with
auth=false, so no token check is happening and hence userLogin is not
retrieved from the token.
Can you confirm if this is the case? The userLogin is added to the service
call before delegating the service call to dispatcher after jwt has been
verified. But in case of auth=false, services, auth is bypassed and hence
userLogin is not set.

I guess the key here is to bypass token validation if, and only if, the
Authorization header is absent, otherwise perform validation. I had a
discussion about this with Jacopo as well and here is what can be done
(applicable for the */services* endpoint) -

If auth=false and *Authorization* header is *present*, validate token and
return error if invalid. Else set userLogin in context and delegate the
call to dispatcher.
If auth=false and *Authorization* header is *absent*, just call the
service. The service will be executed *without* userLogin in context.

I will try to work on this change in the next couple days.

Best,
Girish
HotWax Systems

On Tue, Sep 29, 2020 at 6:20 AM Hans Bakker 
wrote:

> Hi Girish,
>
> thanks for your last email, that is working now too
>
> however another question,
>
> If i call a service using the token i obtained earlier, i see that the
> userLogin map in the groovy service I called, is null
>
> can you set the login map to the userLogin of the token that was used so
> we know who the user is?
>
> Thanks, Hans
>
>
>
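
The /services decision described in the message above (auth=false with the Authorization header present versus absent), as an added Java example that is not part of the thread or of the OFBiz plugin code. The class and method names, the constructed HMAC key, the regex-based claim parsing and the fixed clock value are assumptions; HS512 and the userLoginId claim mirror the sample token quoted earlier in this archive, and the 401 for an auth=true service called without a header follows the behaviour reported in the thread.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added illustration; class, method and key names are hypothetical, not OFBiz code. */
public class ServiceAuthDecision {
    enum Outcome { RUN_AS_USER, RUN_ANONYMOUS, REJECT_401 }

    // Constructed demo key. A real deployment loads its signing key from protected configuration.
    private static final byte[] KEY =
            "constructed-demo-key-do-not-reuse".getBytes(StandardCharsets.UTF_8);
    // Regex claim extraction keeps the example dependency-free; production code uses a JWT library.
    private static final Pattern ALG = Pattern.compile("\"alg\"\\s*:\\s*\"HS512\"");
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");
    private static final Pattern USER = Pattern.compile("\"userLoginId\"\\s*:\\s*\"([^\"]+)\"");

    /** Decide how a /services call proceeds; on success the caller identity is put into context. */
    static Outcome decide(boolean authRequired, String authorization, long now,
                          Map<String, Object> context) {
        if (authorization == null || authorization.trim().isEmpty()) {
            // No credentials: only a service declared auth=false may run, and without userLogin.
            return authRequired ? Outcome.REJECT_401 : Outcome.RUN_ANONYMOUS;
        }
        // Credentials present: validate them even when auth=false, so a bad token
        // never silently degrades to an anonymous call.
        String userLoginId = verifyBearer(authorization, now);
        if (userLoginId == null) {
            return Outcome.REJECT_401;
        }
        context.put("userLogin", userLoginId);
        return Outcome.RUN_AS_USER;
    }

    /** Returns the userLoginId claim of a valid, unexpired HS512 token, or null. */
    static String verifyBearer(String authorization, long now) {
        if (!authorization.startsWith("Bearer ")) return null;
        String[] parts = authorization.substring(7).trim().split("\\.");
        if (parts.length != 3) return null;
        try {
            Base64.Decoder dec = Base64.getUrlDecoder();
            String header = new String(dec.decode(parts[0]), StandardCharsets.UTF_8);
            if (!ALG.matcher(header).find()) return null; // pin the algorithm, reject anything else
            byte[] expected = hmac(parts[0] + "." + parts[1]);
            // Constant-time comparison of the signature bytes.
            if (!MessageDigest.isEqual(expected, dec.decode(parts[2]))) return null;
            String payload = new String(dec.decode(parts[1]), StandardCharsets.UTF_8);
            Matcher exp = EXP.matcher(payload);
            if (!exp.find() || Long.parseLong(exp.group(1)) <= now) return null;
            Matcher user = USER.matcher(payload);
            return user.find() ? user.group(1) : null;
        } catch (Exception e) {
            return null; // malformed Base64, bad number or crypto failure: treat as invalid
        }
    }

    static byte[] hmac(String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA512");
        mac.init(new SecretKeySpec(KEY, "HmacSHA512"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8));
    }

    /** Issues a token for this demo only. */
    static String issue(String payloadJson) throws Exception {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String head = enc.encodeToString(
                "{\"typ\":\"JWT\",\"alg\":\"HS512\"}".getBytes(StandardCharsets.UTF_8));
        String body = enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return head + "." + body + "." + enc.encodeToString(hmac(head + "." + body));
    }

    public static void main(String[] args) throws Exception {
        long now = 1601400000L; // constructed clock value
        String valid = "Bearer " + issue("{\"userLoginId\":\"admin\",\"exp\":" + (now + 3600) + "}");
        String expired = "Bearer " + issue("{\"userLoginId\":\"admin\",\"exp\":" + (now - 1) + "}");
        String corrupted = valid.substring(0, valid.length() - 4) + "AAAA";

        Object[][] cases = {
            {"auth=false, header absent", false, null},
            {"auth=false, valid token", false, valid},
            {"auth=false, expired token", false, expired},
            {"auth=false, corrupted signature", false, corrupted},
            {"auth=true, header absent", true, null},
            {"auth=true, valid token", true, valid},
        };
        for (Object[] c : cases) {
            Map<String, Object> context = new HashMap<>();
            Outcome outcome = decide((Boolean) c[1], (String) c[2], now, context);
            System.out.println(c[0] + " -> " + outcome + ", userLogin=" + context.get("userLogin"));
        }
    }
}
```
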


Re: [PROPOSAL] Separate login service for API calls

2020-09-30 Thread Girish Vasmatkar
I've created https://issues.apache.org/jira/browse/OFBIZ-12033 for the
same. Thank you, all.

Best,
Girish
HotWax Systems

On Tue, Sep 29, 2020 at 1:39 PM Mridul Pathak 
wrote:

> +1
>
> Thanks.
> Mridul Pathak
>
> On Tue, Sep 29, 2020 at 1:29 PM Michael Brohl 
> wrote:
>
> > +1
> >
> > With an addition: we should do the implementation in a way that the
> > user/password matching is implemented only once and used in both login
> > methods (not just copy & paste into another method).
> >
> > It might take some refactoring to pull these part out of the login event.
> >
> > Best regards,
> >
> > Michael Brohl
> >
> > ecomify GmbH - www.ecomify.de
> >
> >
> > Am 29.09.20 um 09:43 schrieb Jacopo Cappellato:
> > > +1
> > >
> > > Jacopo
> > >
> > > On Sat, Sep 26, 2020 at 6:35 AM Girish Vasmatkar <
> > > girish.vasmat...@hotwaxsystems.com> wrote:
> > >
> > >> Hi
> > >>
> > >> I am using userLogin service to authenticate users before generating
> > auth
> > >> tokens for REST API and GraphQL calls. However, I figured that a
> > session is
> > >> also getting created and returned in response which is defeating the
> > >> purpose of having an API in place. Even though that session is not
> > getting
> > >> used anywhere when subsequent calls are made using the token, I still
> > think
> > >> it is an extra session lying around in tomcat's session cache.
> > >>
> > >> I propose to implement a new basic userLogin service
> > (basicAuthUserLogin)
> > >> that would just do username/password matching and be done with it
> > without
> > >> ever calling request.getSession(). This will ensure that APIs are
> > stateless
> > >> and no session is generated.
> > >>
> > >> Anything else you think should be part of the new service instead of
> > just
> > >> username/password validation?
> > >>
> > >> Best,
> > >> Girish
> > >> HotWax Systems
> > >>
> >
> >
>


OFBiz REST session

2020-09-30 Thread Girish Vasmatkar
Hi All

We will be holding an introductory session on *ofbiz-rest-impl* plugin @ 4
PM IST, 10:30 AM GMT. Agenda for the same is as follows -

1. Introduction to ofbiz-rest-impl
2. Technology stack used
3. Q session

Here's the meet URL for everybody's reference :
https://meet.google.com/mjt-rich-suo . Please do join.

Best Regards,
Girish


Re: OFBiz REST session

2020-09-30 Thread Girish Vasmatkar
Hello Pierre

Apparently I missed the most important part, I thought I had mentioned
"today", but unfortunately I didn't. Apologies for that. Please do join, if
you can, today @ 4 PM IST, 10:30 AM GMT.

Future sessions will be sent notifications for well in advance.

Best Regards,
Girish


On Wed, Sep 30, 2020 at 2:26 PM Pierre Smits  wrote:

> Hi Girish,
>
> Which date will this be?
>
>
> Met vriendelijke groet,
>
> Pierre Smits
> *Proud* *contributor** of* Apache OFBiz <https://ofbiz.apache.org/> since
> 2008 (without privileges)
>
> *Apache Trafodion <https://trafodion.apache.org>, Vice President*
> *Apache Directory <https://directory.apache.org>, PMC Member*
> Apache Incubator <https://incubator.apache.org>, committer
> Apache Steve <https://steve.apache.org>, committer
>
>
> On Wed, Sep 30, 2020 at 10:13 AM Girish Vasmatkar <
> girish.vasmat...@hotwaxsystems.com> wrote:
>
> > Hi All
> >
> > We will be holding an introductory session on *ofbiz-rest-impl* plugin @
> 4
> > PM IST, 10:30 AM GMT. Agenda for the same is as follows -
> >
> > 1. Introduction to ofbiz-rest-impl
> > 2. Technology stack used
> > 3. Q session
> >
> > Here's the meet URL for everybody's reference :
> > https://meet.google.com/mjt-rich-suo . Please do join.
> >
> > Best Regards,
> > Girish
> >
>


OFBIZ-11995

2020-09-23 Thread Girish Vasmatkar
Hi All

Continuing the efforts done on OFBIZ-11328, I have now added an XML based
REST DSL that facilitates declarative resource bindings to OFBiz services
(for now only OFBiz service).  Various commits are pushed under OFBIZ-11995.
It attempts to allow each component to define their own set of APIs that
eventually end up being in a single runtime. At the moment, a single
OpenAPI spec (JSON and YAML) is generated clubbing together APIs defined in
all components. I wish to provide separate OpenAPI for each component
considering the combined spec becomes too huge.

I have also developed a demo component under my forked plug-in to give you
an idea of how the resources can be defined and mapped to OFBiz services.
Pl take a look at -
https://github.com/girishvasmatkar/ofbiz-plugins/tree/trunk/rest-impl-demo

In the demo, I have configured some resources like below -

POST /rest/products (Create a new product)
GET /rest/products/{productId} (Get product)
POST /rest/products/features (Create a new feature)
POST /rest/products/{productId}/features (Apply feature to product)
GET /rest/products/{productId}/features/{featureId}

POST /rest/categories (Create a new category)
GET /rest/categories (Get all categories)

Schema file can be defined under
/api/.rest.xml

For now, JSON is supported and I intend to bring in XML in the mix as well
based on the Content-Type header.
There may be some refinement needed and some extra use cases that may not
work, so please feel free to let me know how it goes and any changes you
would like to make and I will try to accommodate.

Best,
Girish
HotWax Systems


[PROPOSAL] Separate login service for API calls

2020-09-25 Thread Girish Vasmatkar
Hi

I am using userLogin service to authenticate users before generating auth
tokens for REST API and GraphQL calls. However, I figured that a session is
also getting created and returned in response which is defeating the
purpose of having an API in place. Even though that session is not getting
used anywhere when subsequent calls are made using the token, I still think
it is an extra session lying around in tomcat's session cache.

I propose to implement a new basic userLogin service (basicAuthUserLogin)
that would just do username/password matching and be done with it without
ever calling request.getSession(). This will ensure that APIs are stateless
and no session is generated.

Anything else you think should be part of the new service instead of just
username/password validation?

Best,
Girish
HotWax Systems


Re: public rest API

2020-09-26 Thread Girish Vasmatkar
Hello Hans

With the latest commit 1361c3c
<https://github.com/apache/ofbiz-plugins/commit/1361c3cdaf7d6756cc9abdc6c37450ef3d46f921>
on trunk, the system now honours the "auth" attribute defined on service and
accordingly bypasses authorization for such services.

Best,
Girish


On Thu, Sep 10, 2020 at 5:46 PM Hans Bakker 
wrote:

> Thank you Girish,
>
> look forward to your updates of this excellent and much needed addition to
> OFBiz.
>
> Regards
>
> Hans
> www.antwebsystems.com
> On 9/10/20 3:27 PM, Girish Vasmatkar wrote:
>
> Thanks Hans, I will plan to include this change for the exportable
> services as well.
>
> There is also OFBIZ-11995, where more RESTFul resources can be declared
> (development is undergoing) and bound to services where I had planned to
> include declarative authentication.
>
> Best Regards,
> Girish Vasmatkar
> HotWax Systems
>
>
>
>
> On Thu, Sep 10, 2020 at 12:08 PM Hans Bakker 
> wrote:
>
>> Hi Girish,
>>
>> how about ecommerce? you want to show the products without logging in,
>> actually all information on the ecommerce frontend?
>>
>> so yes, really required.
>>
>> regards,
>>
>> Hans
>>
>>
>> On 9/10/20 12:37 PM, Girish Vasmatkar wrote:
>> > Every REST endpoint, as it is implemented now, is secured by default. I
>> had
>> > not thought of a scenario where internal OFBiz services will need to be
>> > invoked without authentication (externally)
>> >
>> > Yes, the services themselves can be specified to NOT require auth but I
>> had
>> > always thought that was applicable within internal execution. I may be
>> > wrong here, so please correct me.
>> >
>> > auth and login-required are not taken into account yet, but can
>> certainly
>> > be, if some exportable services should be exposed as public APIs.
>> >
>> > Best Regards,
>> > Girish Vasmatkar
>> > HotWax Systems
>> >
>> >
>> >
>> > On Thu, Sep 10, 2020 at 5:55 AM Hans Bakker > >
>> > wrote:
>> >
>> >> Hi, Girish,
>> >>
>> >> thanks again for your last reply it definitely helped, however i have
>> >> another question.
>> >>
>> >> I need to access certain services publicly without a token.
>> >>
>> >> I have put auth="false" on the service definition and
>> >> login-required="false" on the simple-method implementation
>> >>
>> >> still i get a 401 response.
>> >>
>> >> any suggestions?
>> >>
>> >> Regards,
>> >>
>> >> Hans
>> >>
>> >>
>>
>


Re: [PROPOSAL] Separate login service for API calls

2020-09-26 Thread Girish Vasmatkar
Hello
I am not sure if we can talk about sessions when we're talking about REST.
The REST implementation is mapping Resources with OFBiz services and the
services are executing in a context using "userLogin" and that is all the
REST implementation is doing. Extracting userLogin from token and supplying
to the OFBiz service.

The session you get from running userLogin service is not getting used for
subsequent API calls made using JWT token because usual OFBiz flow
(ContextFilter, ControlServlet) don't come in picture. Therefore, I feel,
as far as REST implementation is concerned, it is better to create a
separate service that does just authentication and doesn't create sessions.

Also, a properly designed REST endpoint without cookies means no CSRF.

Best,
Girish
HotWax System








On Sat, Sep 26, 2020 at 2:04 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Thanks Gavin,
>
> I'd just note that in this case you are not protected from CSRF.
> Fortunately the REST effort is only in trunk. And, as explained in
> security.properties, in trunk we can use
> org.apache.ofbiz.security.CsrfDefenseStrategy in such case.
>
> Jacques
>
> Le 26/09/2020 à 07:38, Gavin Mabie a écrit :
> > Sessions are extremely useful and even indispensable for an ERP system
> > where statefulness is critical for audit trail purposes. Stateless
> > requests don't care about transactions beyond the actual
> request/response.
> > Besides, sessions are only problematic when a new session gets created
> for
> > each REST API request. You can prevent this by setting the cookie
> SameSite
> > property to "None".  That way sessions and REST request can happily live
> > together.
> >
> > On Sat, Sep 26, 2020 at 6:35 AM Girish Vasmatkar <
> > girish.vasmat...@hotwaxsystems.com> wrote:
> >
> >> Hi
> >>
> >> I am using userLogin service to authenticate users before generating
> auth
> >> tokens for REST API and GraphQL calls. However, I figured that a
> session is
> >> also getting created and returned in response which is defeating the
> >> purpose of having an API in place. Even though that session is not
> getting
> >> used anywhere when subsequent calls are made using the token, I still
> think
> >> it is an extra session lying around in tomcat's session cache.
> >>
> >> I propose to implement a new basic userLogin service
> (basicAuthUserLogin)
> >> that would just do username/password matching and be done with it
> without
> >> ever calling request.getSession(). This will ensure that APIs are
> stateless
> >> and no session is generated.
> >>
> >> Anything else you think should be part of the new service instead of
> just
> >> username/password validation?
> >>
> >> Best,
> >> Girish
> >> HotWax Systems
> >>
>


Re: REST, how about 'Login' map

2020-09-30 Thread Girish Vasmatkar
Hi Hans,

This is now implemented/fixed with commit 8545cfe
<https://github.com/apache/ofbiz-plugins/commit/8545cfebb2193bead7d06bd8e8cdb5108d24b209>.

Best,
Girish
HotWax Systems


On Tue, Sep 29, 2020 at 5:26 PM Hans Bakker 
wrote:

> Hi Girish, thanks for your prompt reply,
>
> the login map need to be filled when the related token is available, what
> is currently not the case.
>
> Not sure if this is directly related to the Auth=false parameter, you know
> that better,
>
> Regards, Hans
> On 9/29/20 4:20 PM, Girish Vasmatkar wrote:
>
> Hi Hans
>
> Since you specifically mentioned about groovy service, I would think it is
> true for other services as well.
>
> It would possibly be happening, if the service itself is declared with
> auth=false, so no token check is happening and hence userLogin is not
> retrieved from the token.
> Can you confirm if this is the case? The userLogin is added to the service
> call before delegating the service call to dispatcher after jwt has been
> verified. But in case of auth=false, services, auth is bypassed and hence
> userLogin is not set.
>
> I guess the key here is to bypass token validation if, and only if, the
> Authorization header is absent, otherwise perform validation. I had a
> discussion about this with Jacopo as well and here is what can be done
> (applicable for the */services* endpoint) -
>
> If auth=false and *Authorization* header is *present*, validate token and
> return error if invalid. Else set userLogin in context and delegate the
> call to dispatcher.
> If auth=false and *Authorization* header is *absent*, just call the
> service. The service will be executed *without* userLogin in context.
>
> I will try to work on this change in the next couple days.
>
> Best,
> Girish
> HotWax Systems
>
> On Tue, Sep 29, 2020 at 6:20 AM Hans Bakker 
> wrote:
>
>> Hi Girish,
>>
>> thanks for your last email, that is working now too
>>
>> however another question,
>>
>> If i call a service using the token i obtained earlier, i see that the
>> userLogin map in the groovy service I called, is null
>>
>> can you set the login map to the userLogin of the token that was used so
>> we know who the user is?
>>
>> Thanks, Hans
>>
>>
>>


Re: REST, how about 'Login' map

2020-10-01 Thread Girish Vasmatkar
Thanks Hans.

The error codes are broadly categorized in three types based on what ofbiz
is generating during service call -

1. 400 Bad Request = if ServiceValidationException is thrown. This
indicates client error and client must make amends to the request. Example,
service's required IN parameter were missing in the JSON body.
2. 422 Unprocessable Entity = if GenericEntityException is thrown. This
also indicates client error but also indicates that the request was
syntactically correct but semantically wrong. Example - while creating a
product, *productTypeId* was provided in the request, but it didn't exist.
This indicates client error again, but the json was not malformed.
3. 404 NotFoundException = if service being invoked does not exist, or is
not declared export=true, or action attribute is not defined.
4. 500 Internal Server Error = Any other category of exception that might
be thrown from the service.

In all three cases, appropriate error messages from the original exception
should be included in the error response.

Best,
Girish






On Thu, Oct 1, 2020 at 1:43 PM Hans Bakker 
wrote:

> Hi Girish,
>
> yes userLogin is working fine now,
>
> further i see you are working on the error messages?
> would be nice to get the ofbiz error message together with the error code
> 500?
>
> keep up the good work, it is getting better and better!
>
> Regards,
>
> Hans
> On 10/1/20 10:49 AM, Girish Vasmatkar wrote:
>
> Hi Hans,
>
> This is now implemented/fixed with commit 8545cfe
> <https://github.com/apache/ofbiz-plugins/commit/8545cfebb2193bead7d06bd8e8cdb5108d24b209>.
>
> Best,
> Girish
> HotWax Systems
>
>
> On Tue, Sep 29, 2020 at 5:26 PM Hans Bakker 
> wrote:
>
>> Hi Girish, thanks for your prompt reply,
>>
>> the login map need to be filled when the related token is available, what
>> is currently not the case.
>>
>> Not sure if this is directly related to the Auth=false parameter, you
>> know that better,
>>
>> Regards, Hans
>> On 9/29/20 4:20 PM, Girish Vasmatkar wrote:
>>
>> Hi Hans
>>
>> Since you specifically mentioned about groovy service, I would think it
>> is true for other services as well.
>>
>> It would possibly be happening, if the service itself is declared with
>> auth=false, so no token check is happening and hence userLogin is not
>> retrieved from the token.
>> Can you confirm if this is the case? The userLogin is added to the
>> service call before delegating the service call to dispatcher after jwt has
>> been verified. But in case of auth=false, services, auth is bypassed and
>> hence userLogin is not set.
>>
>> I guess the key here is to bypass token validation if, and only if, the
>> Authorization header is absent, otherwise perform validation. I had a
>> discussion about this with Jacopo as well and here is what can be done
>> (applicable for the */services* endpoint) -
>>
>> If auth=false and *Authorization* header is *present*, validate token
>> and return error if invalid. Else set userLogin in context and delegate the
>> call to dispatcher.
>> If auth=false and *Authorization* header is *absent*, just call the
>> service. The service will be executed *without* userLogin in context.
>>
>> I will try to work on this change in the next couple days.
>>
>> Best,
>> Girish
>> HotWax Systems
>>
>> On Tue, Sep 29, 2020 at 6:20 AM Hans Bakker 
>> wrote:
>>
>>> Hi Girish,
>>>
>>> thanks for your last email, that is working now too
>>>
>>> however another question,
>>>
>>> If i call a service using the token i obtained earlier, i see that the
>>> userLogin map in the groovy service I called, is null
>>>
>>> can you set the login map to the userLogin of the token that was used so
>>> we know who the user is?
>>>
>>> Thanks, Hans
>>>
>>>
>>>


OFBiz REST implementation session #2 (10/07/2020)

2020-09-30 Thread Girish Vasmatkar
Hi Everyone!

Please find details of the next session I am planning to hold on OFBiz REST
implementation. This will have some hands-on examples that will help
everyone using it.

Date :  10/07/2020
Time :  4 PM IST, 12:30 PM CET
Meeting URL : TBD, I will send the invite link the day before.
Agenda :

1. Preconfigured Resources (Resources that come OTB)

   - Authentication Token Generating Resource (How to invoke and example
     usage)
      - POST /auth/token
   - Exportable Services Resource (How to call services with export=true via
     REST interface with example usage)
      - GET | POST | PUT | DELETE | PATCH /services/{serviceName}
      - GET vs POST service in parameters difference. How to invoke service
        defined as GET vs POST | POST | PATCH.
   - OpenAPI Resource
      - GET /openapi.json
      - GET /openapi.yaml
   - WADL Resource (WADL is to REST as WSDL is to SOAP)
      - GET /application.wadl

2.  Standard API responses supported for various use cases (with examples)
and how to interpret them.

   - HTTP 200 OK
   - HTTP 400 Bad Request
   - HTTP 401 Unauthorized
   - HTTP 403 Forbidden
   - HTTP 422 Unprocessable Entity
   - HTTP 405 Method Not Allowed
   - HTTP 406 Not Acceptable
   - HTTP 415 Unsupported Media Type

3. Content Negotiation (JSON)

   - Accept : application/json
   - Content-Type : application/json

4. Q session

Best,
Girish Vasmatkar


Re: REST, how about 'Login' map

2020-10-01 Thread Girish Vasmatkar
Hi Hans, if service is returning an error, it should get converted into a
422.

I took your getCompanies service example from your plugin and modified the
service as below

def getCompanies() {
    Map result = success()
    logInfo("service starting with ${parameters.input}")
    result.companies = parameters.input
    return error("this is the error message")
}

And accessed it like

https://localhost:8443/rest/services/getCompanies?inParams=%7B%0A%20%20%22input%22%3A%20%22string%22%0A%7D

And it returned below error. I had cleaned up some code and added
additional handling yesterday, so might be possible you don't have those
changes. Pl sync once and give it a try again.

{
  "statusCode": 422,
  "statusDescription": "Unprocessable Entity",
  "errorType": "ServiceError",
  "errorMessage": "getCompanies returned error. The request contained invalid information and could not be processed.",
  "errorDescription": "this is the error message"
}

Let me know if it still does not work for you and additionally provide your
service def for me to take a closer look.

Best,
Girish








On Fri, Oct 2, 2020 at 6:07 AM Hans Bakker 
wrote:

> Hi Girish,
>
> thanks for the explanation, however if i create a last statement in a
> groovy service:
> return error("this is the error message")
>
> then i get an error 500 returned, however not showing the error message of
> the service.
>
> Regards,
>
> Hans
> On 10/2/20 12:14 AM, Girish Vasmatkar wrote:
>
> Thanks Hans.
>
> The error codes are broadly categorized in three types based on what ofbiz
> is generating during service call -
>
> 1. 400 Bad Request = if ServiceValidationException is thrown. This
> indicates client error and client must make amends to the request. Example,
> service's required IN parameter were missing in the JSON body.
> 2. 422 Unprocessable Entity = if GenericEntityException is thrown. This
> also indicates client error but also indicates that the request was
> syntactically correct but semantically wrong. Example - while creating a
> product, *productTypeId* was provided in the request, but it didn't
> exist. This indicates client error again, but the json was not malformed.
> 3. 404 NotFoundException = if service being invoked does not exist, or is
> not declared export=true, or action attribute is not defined.
> 4. 500 Internal Server Error = Any other category of exception that might
> be thrown from the service.
>
> In all three cases, appropriate error messages from the original exception
> should be included in the error response.
>
> Best,
> Girish
>
>
>
>
>
>
> On Thu, Oct 1, 2020 at 1:43 PM Hans Bakker 
> wrote:
>
>> Hi Girish,
>>
>> yes userLogin is working fine now,
>>
>> further i see you are working on the error messages?
>> would be nice to get the ofbiz error message together with the error code
>> 500?
>>
>> keep up the good work, it is getting better and better!
>>
>> Regards,
>>
>> Hans
>> On 10/1/20 10:49 AM, Girish Vasmatkar wrote:
>>
>> Hi Hans,
>>
>> This is now implemented/fixed with commit 8545cfe
>> <https://github.com/apache/ofbiz-plugins/commit/8545cfebb2193bead7d06bd8e8cdb5108d24b209>.
>>
>> Best,
>> Girish
>> HotWax Systems
>>
>>
>> On Tue, Sep 29, 2020 at 5:26 PM Hans Bakker 
>> wrote:
>>
>>> Hi Girish, thanks for your prompt reply,
>>>
>>> the login map need to be filled when the related token is available,
>>> what is currently not the case.
>>>
>>> Not sure if this is directly related to the Auth=false parameter, you
>>> know that better,
>>>
>>> Regards, Hans
>>> On 9/29/20 4:20 PM, Girish Vasmatkar wrote:
>>>
>>> Hi Hans
>>>
>>> Since you specifically mentioned about groovy service, I would think it
>>> is true for other services as well.
>>>
>>> It would possibly be happening, if the service itself is declared with
>>> auth=false, so no token check is happening and hence userLogin is not
>>> retrieved from the token.
>>> Can you confirm if this is the case? The userLogin is added to the
>>> service call before delegating the service call to dispatcher after jwt has
>>> been verified. But in case of auth=false, services, auth is bypassed and
>>> hence userLogin is not set.
>>>
>>> I guess the key here is to bypass token validation if, and only if, the
>>> Authorization header is absent, otherwis

Re: REST input is a map?

2020-09-27 Thread Girish Vasmatkar
Hi Hans

Maps and Lists work quite well. There is a difference in how you send the
JSON to a service that's listed as GET vs (PUT, PATCH or POST).

Yours is probably GET and you need to send the JSON urlencoded.



Gets a product feature





 


curl -G -X GET https://localhost:8443/rest/services/demoMapService \
  --data-urlencode 'inParams={"input":{"test":"just testing"}}' \
  -H "Accept: application/json" -H "Authorization: Bearer $token" --insecure

Above cURL works if the service is defined as GET.
However, if it were defined as POST, you will be sending like this -



Gets a product feature







curl -X POST https://localhost:8443/rest/services/demoMapService \
  -d '{"input":{"test":"just testing"}}' \
  -H "Content-Type: application/json" -H "Accept: application/json" \
  -H "Authorization: Bearer $token" --insecure

Best,
Girish
HotWax Systems

On Sun, Sep 27, 2020 at 5:34 PM Hans Bakker 
wrote:

> Hi Girish,
>
> did some more tests and it works well with strings as in- and output,
>
> how about Maps and Lists?
>
> i tried the following input: {"input":{"test":"just testing"}}
>
> and the service definition: 
>
> then the ofbiz log below
>
> can you have a look?
>
> Regards,
>
> Hans
>
> 2020-09-27 18:56:26,801 |jsse-nio-8443-exec-6
> |ObjectType|W| Exception thrown while converting type:
> org.apache.ofbiz.base.conversion.ConversionException: Could not convert
> just testing to Map:
>  at
> org.apache.ofbiz.base.conversion.CollectionConverters$StringToMap.convert(CollectionConverters.java:172)
>
> ~[main/:?]
>  at
> org.apache.ofbiz.base.conversion.CollectionConverters$StringToMap.convert(CollectionConverters.java:164)
>
> ~[main/:?]
>  at
> org.apache.ofbiz.base.util.ObjectType.simpleTypeOrObjectConvert(ObjectType.java:350)
>
> ~[main/:?]
>  at
> org.apache.ofbiz.service.ModelService.makeValid(ModelService.java:1589)
> ~[main/:?]
>  at
> org.apache.ofbiz.service.ModelService.makeValid(ModelService.java:1516)
> ~[main/:?]
>  at
> org.apache.ofbiz.service.ModelService.makeValid(ModelService.java:1503)
> ~[main/:?]
>  at
> org.apache.ofbiz.service.DispatchContext.makeValidContext(DispatchContext.java:190)
>
> ~[main/:?]
>  at
> org.apache.ofbiz.service.DispatchContext.makeValidContext(DispatchContext.java:162)
>
> ~[main/:?]
>  at
> org.apache.ofbiz.ws.rs.ServiceRequestProcessor.process(ServiceRequestProcessor.java:64)
>
> ~[main/:?]
>  at
> org.apache.ofbiz.ws.rs.resources.OFBizServiceResource.doGet(OFBizServiceResource.java:120)
>
> ~[main/:?]

Re: OFBIZ-11995

2020-10-24 Thread Girish Vasmatkar
Hi Ravi

Please find my comments in-line below...

On Thu, Oct 22, 2020 at 7:38 PM Ravi Lodhi  wrote:

> Hello Girish,
>
> The XML-based REST DSL is a great enhancement and gives much more
> flexibility to define the rest endpoints. I just tried out some REST APIs.
> The only thing I noticed so far is regarding the way the query parameters
> are passed to a GET call.
>
> The /rest/services/* GET endpoints requires URL encoded JSON in query param
> as given below -
>
> curl -G -X GET https://localhost:8443/rest/services/findProductById
> --data-urlencode 'inParams={"idToFind":"GZ-1001"}' -H "Accept:
> application/json" -H "Authorization: Bearer
>
> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VyTG9naW5JZCI6ImFkbWluIiwiaXNzIjoiQXBhY2hlT0ZCaXoiLCJleHAiOjE2MDMzNzU2ODksImlhdCI6MTYwMzM3Mzg4OX0.izqiW-bOXFHOm5Nk_ZFQ2PpfPtrcUM8y_5FnT-5UgEKeNv-sw0J2zq3OI1dACjPC8tCUJjFnOb3zt2ozpGOGmQ"
> --insecure
>
GV: Service endpoints and XML DSLs were implemented in isolation. The
service endpoint impl was done first and at that time I had thought to
design it in a way that allows to send individual service IN params.
However, due to the fact that someone might want to use an existing service
with a lot of IN params with GET action possibly making the URL too large.
Having individual IN params as query params certainly make it a bit more
intuitive for the API consumer, but this was the reason behind it. However,
after I implemented REST DSL, the GET implementation with more RESTFul URL
patterns, the individual IN params as query params made more natural and
sensible.

I will probably make both consistent as I now feel that the REST DSL
approach is a bit more intuitive and straightforward. I hope this answers
your questions.


>
> While the REST DSL GET endpoints requires query parameters directly as
> given below-
>
> curl -G -X  GET https://localhost:8443/rest/products?idToFind=GZ-1001 -H
> "Accept: application/json" -H "Authorization: Bearer
>
> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VyTG9naW5JZCI6ImFkbWluIiwiaXNzIjoiQXBhY2hlT0ZCaXoiLCJleHAiOjE2MDMzNzU2ODksImlhdCI6MTYwMzM3Mzg4OX0.izqiW-bOXFHOm5Nk_ZFQ2PpfPtrcUM8y_5FnT-5UgEKeNv-sw0J2zq3OI1dACjPC8tCUJjFnOb3zt2ozpGOGmQ"
> --insecure
>
> Is there any specific reason behind this? Can we make it consistent?
>
> Kind Regards,
> --
> Ravi Lodhi
>
> On Wed, Sep 23, 2020 at 7:09 PM Girish Vasmatkar <
> girish.vasmat...@hotwaxsystems.com> wrote:
>
> > Hi All
> >
> > Continuing the efforts done on OFBIZ-11328, I have now added an XML based
> > REST DSL that facilitates declarative resource bindings to OFBiz services
> > (for now only OFBiz service).  Various commits are pushed under
> > OFBIZ-11995.
> > It attempts to allow each component to define their own set of APIs that
> > eventually end up being in a single runtime. At the moment, a single
> > OpenAPI spec (JSON and YAML) is generated clubbing together APIs defined
> in
> > all components. I wish to provide separate OpenAPI for each component
> > considering the combined spec becomes too huge.
> >
> > I have also developed a demo component under my forked plug-in to give
> you
> > an idea of how the resources can be defined and mapped to OFBiz services.
> > Pl take a look at -
> >
> https://github.com/girishvasmatkar/ofbiz-plugins/tree/trunk/rest-impl-demo
> >
> > In the demo, I have configured some resources like below -
> >
> > POST /rest/products (Create a new product)
> > GET /rest/products/{productId} (Get product)
> > POST /rest/products/features (Create a new feature)
> > POST /rest/products/{productId}/features (Apply feature to product)
> > GET /rest/products/{productId}/features/{featureId}
> >
> > POST /rest/categories (Create a new category)
> > GET /rest/categories (Get all categories)
> >
> > Schema file can be defined under
> > /api/.rest.xml
> >
> > For now, JSON is supported and I intend to bring in XML in the mix as
> well
> > based on the Content-Type header.
> > There may be some refinement needed and some extra use cases that may not
> > work, so please feel free to let me know how it goes and any changes you
> > would like to make and I will try to accommodate.
> >
> > Best,
> > Girish
> > HotWax Systems
> >
>


Re: REST implementation

2020-08-02 Thread Girish Vasmatkar
apache.org (at
> OpenApiResource::buildOpenApiContact) I'd suggest dev@ofbiz.apache.org
> >
> > For "Terms of service" I suggest a link to ASL2 and to remove the below
> direct link to it.
> >
> > BTW thanks Girish, this is really a great step forward :)
> >
> > Jacques
> >
> >
> > On 02/08/2020 at 09:40, Jacques Le Roux wrote:
> >> Hi Girish,
> >>
> >> I'm just starting to review so I may miss things. Just a question for
> now. We have an option at
> >>
> >>
> https://demo-trunk.ofbiz.apache.org/webtools/control/ServiceList?sel_service_name=testScv
> >>
> >> to  (Show wsdl <
> https://demo-trunk.ofbiz.apache.org:443/webtools/control/ServiceList?sel_service_name=testScv_wsdl=true
> >)
> >>
> >> Would it be possible to have the same for REST?
> >>
> >> Thanks
> >>
> >> Jacques
> >>
> >> On 31/07/2020 at 10:32, Girish Vasmatkar wrote:
> >>> Greetings!
> >>>
> >>> I have created a PR to add a REST component -
> >>> https://github.com/apache/ofbiz-plugins/pull/35 . Please take a look
> >>> and let me know what you think and let me know if you face any issues.
> I
> >>> intend to merge it in a week from now.
> >>>
> >>> With the PR (https://github.com/apache/ofbiz-framework/pull/214) to
> add
> >>> "action" attribute to the service definition now merged, this above
> >>> component should be able to expose exportable (export=true) and
> >>> actionable(action=GET|POST) services via REST.
> >>>
> >>> Once the changes for nested attributes (OFBIZ-11902
> >>> <https://issues.apache.org/jira/browse/OFBIZ-11902>) are done, I will
> also
> >>> be making corresponding changes in the GraphQL plugin to account for
> nested
> >>> attributes. OFBIZ-11902
> >>> <https://issues.apache.org/jira/browse/OFBIZ-11902> will
> >>> help in defining complex GraphQL mutations.
> >>>
> >>> I am parallelly also working on designing an XML DSL for REST that
> should
> >>> allow tying up REST resources with OFBiz services.
> >>>
> >>> Best,
> >>> Girish
> >>>
> >>>
> >>>
> >>> On Thu, Jul 9, 2020 at 6:27 PM Shi Jinghai 
> wrote:
> >>>
> >>>> Hi Girish,
> >>>>
> >>>> Yes, you got it.
> >>>>
> >>>> Web browser will popup a login dialog when response code is 401:
> >>>> setResponseHeader("WWW-Authenticate", "Bearer realm=\"authentication
> >>>> required\"");
> >>>>
> >>>> The popup is skipped and then react/vue/angular can handle the
> response:
> >>>> setResponseHeader("WWW-Authenticate", "OFBiz realm=\"authentication
> >>>> required\"");
> >>>>
> >>>>
> >>>> From: Girish Vasmatkar<mailto:girish.vasmat...@hotwaxsystems.com>
> >>>> Sent: July 9, 2020 14:54
> >>>> To: dev@ofbiz.apache.org<mailto:dev@ofbiz.apache.org>
> >>>> Subject: Re: REST implementation
> >>>>
> >>>> Hi Shi
> >>>>
> >>>> Thanks for taking a look at it. I have a question on
> "WWW-Authenticate"
> >>>> header so please clarify and I can make appropriate changes
> accordingly -
> >>>>
> >>>> All I am finding is that to prevent the pop-up, either return 403
> (which I
> >>>> do not want to do) or not include "WWW-Authenticate" header at all
> (not
> >>>> inclined to do this as well because then we would be violating the
> spec).
> >>>> Do you mean to NOT start the value of the header with "Bearer" ?
> >>>> so instead of below
> >>>>
> >>>> *WWW-Authenticate: Bearer realm="Access to OFBiz", charset="UTF-8"*
> >>>>
> >>>> should we change it to
> >>>>
> >>>> *WWW-Authenticate: xBearer realm="Access to OFBiz", charset="UTF-8"*
> >>>>
> >>>> I did not test it, but I can just change it like this without testing
> if
> >>>> you can please confirm it will prevent the browser dialog.
> >>>>
> >>>> Thanks again for the review.
> >>>>
> >>>> Best,
> >>>> Girish
> >>>>
> >>>> On Wed, Jul 8, 2020 at 8:45 PM Shi Jinghai 
> wrote:
> >>>>
> >>>>> Hi Girish,
> >>>>>
> >>>>> Excellent.
> >>>>>
> >>>>> Only one suggestion from my quick view, when response code is 401,
> the
> >>>>> "WWW-Authenticate" header should be set to start with a word NOT
> “Bearer
> >>>>> …”, this can prevent web browser from popping up a login dialog.
> >>>>>
> >>>>> Kind Regards,
> >>>>>
> >>>>> Shi Jinghai
> >>>>>
> >>>>> From: Girish Vasmatkar<mailto:girish.vasmat...@hotwaxsystems.com>
> >>>>> Sent: July 8, 2020 20:47
> >>>>> To: dev@ofbiz.apache.org<mailto:dev@ofbiz.apache.org>
> >>>>> Subject: Re: REST implementation
> >>>>>
> >>>>> Hi Folks
> >>>>>
> >>>>> I have added support for OpenApi Integration. The updated code can be
> >>>> found
> >>>>> here : https://github.com/girishvasmatkar/ofbiz-rest-impl. Please go
> >>>>> through the changes and test at your end and let me know your
> thoughts.
> >>>>>
> >>>>> I am planning to do some refactoring and then raise initial PR for
> the
> >>>>> plug-in if the changes look good to everyone.
> >>>>>
> >>>>> Best,
> >>>>> Girish
> >>>>>
> >>>>>
> >>>>> On Wed, Jun 17, 2020 at 4:54 PM Carsten Schinzer <
> >>>>> cars...@dcs-verkaufssysteme.de> wrote:
> >>>>>
> >>>>>> Hi Girish,
> >>>>>>
> >>>>>> Thanks to clarify :)
> >>>>>> What caught me on the OpenAPI integration is the snippet quoted
> below
> >>>> and
> >>>>>> I realize I should have read it in context. Actually then it is
> aligned
> >>>>>> with my view.
> >>>>>>
> >>>>>> Warm regards
> >>>>>>
> >>>>>> Carsten
> >>>>>>
> >>>>>>>>>>> Initial implementation does not contain OpenApi integration
> yet.
> >>>>> And
> >>>>>>
> >>>>>
> >>>>
>


Re: REST implementation

2020-08-02 Thread Girish Vasmatkar
Hi Daniel

You can use the JWT token in the README of. Sorry, if it is not clearly
documented, this will be improved upon further as I make more changes.
https://github.com/girishvasmatkar/ofbiz-plugins/tree/trunk/ofbiz-rest-impl

I need to implement an API endpoint that eventually generates a JWT token
that can be issued to the client to make subsequent API calls. Until then,
please use the one mentioned in the README examples. That JWT has userId
claim value as admin assuming admin would have got himself authenticated
and a JWT was issued to him.

I will soon add an API endpoint to issue JWTs and will update README
accordingly. I hope that answers your question.

Best Regards,
Girish







On Sun, Aug 2, 2020 at 3:21 PM Daniel Watford  wrote:

> Hi Girish,
>
> I wanted to try out some REST calls using Swagger-ui (
> https://localhost:8443/docs/swagger-ui.html) but don't know how to
> authenticate to get a JWT.
>
> Apologies if I missed the instructions elsewhere but please could you
> advise on how to authenticate against the REST api?
>
> Thanks,
>
> Dan.
>
> On Fri, 31 Jul 2020 at 09:34, Girish Vasmatkar <
> girish.vasmat...@hotwaxsystems.com> wrote:
>
> > Greetings!
> >
> > I have created a PR to add a REST component -
> > https://github.com/apache/ofbiz-plugins/pull/35 . Please take a look
> > and let me know what you think and let me know if you face any issues. I
> > intend to merge it in a week from now.
> >
> > With the PR (https://github.com/apache/ofbiz-framework/pull/214) to add
> > "action" attribute to the service definition now merged, this above
> > component should be able to expose exportable (export=true) and
> > actionable(action=GET|POST) services via REST.
> >
> > Once the changes for nested attributes (OFBIZ-11902
> > <https://issues.apache.org/jira/browse/OFBIZ-11902>) are done, I will
> also
> > be making corresponding changes in the GraphQL plugin to account for
> nested
> > attributes. OFBIZ-11902
> > <https://issues.apache.org/jira/browse/OFBIZ-11902> will
> > help in defining complex GraphQL mutations.
> >
> > I am parallelly also working on designing an XML DSL for REST that should
> > allow tying up REST resources with OFBiz services.
> >
> > Best,
> > Girish
> >
> >
> >
> > On Thu, Jul 9, 2020 at 6:27 PM Shi Jinghai  wrote:
> >
> > > Hi Girish,
> > >
> > > Yes, you got it.
> > >
> > > Web browser will popup a login dialog when response code is 401:
> > > setResponseHeader("WWW-Authenticate", "Bearer realm=\"authentication
> > > required\"");
> > >
> > > The popup is skipped and then react/vue/angular can handle the
> response:
> > > setResponseHeader("WWW-Authenticate", "OFBiz realm=\"authentication
> > > required\"");
> > >
> > >
> > > From: Girish Vasmatkar<mailto:girish.vasmat...@hotwaxsystems.com>
> > > Sent: July 9, 2020 14:54
> > > To: dev@ofbiz.apache.org<mailto:dev@ofbiz.apache.org>
> > > Subject: Re: REST implementation
> > >
> > > Hi Shi
> > >
> > > Thanks for taking a look at it. I have a question on "WWW-Authenticate"
> > > header so please clarify and I can make appropriate changes
> accordingly -
> > >
> > > All I am finding is that to prevent the pop-up, either return 403
> (which
> > I
> > > do not want to do) or not include "WWW-Authenticate" header at all (not
> > > inclined to do this as well because then we would be violating the
> spec).
> > > Do you mean to NOT start the value of the header with "Bearer" ?
> > > so instead of below
> > >
> > > *WWW-Authenticate: Bearer realm="Access to OFBiz", charset="UTF-8"*
> > >
> > > should we change it to
> > >
> > > *WWW-Authenticate: xBearer realm="Access to OFBiz", charset="UTF-8"*
> > >
> > > I did not test it, but I can just change it like this without testing
> if
> > > you can please confirm it will prevent the browser dialog.
> > >
> > > Thanks again for the review.
> > >
> > > Best,
> > > Girish
> > >
> > > On Wed, Jul 8, 2020 at 8:45 PM Shi Jinghai 
> wrote:
> > >
> > > > Hi Girish,
> > > >
> > > > Excellent.
> > > >
> > > > Only one suggestion from my quick view, when response code is 401,
> the
> > > > "WWW-Authen

Re: REST implementation

2020-08-06 Thread Girish Vasmatkar
Hi Shi and Dan

Thanks for the OAuth2 implementation and Dan, thanks for your evaluation. I
have now included an endpoint for clients to authenticate themselves before
start using the API. Also, since the endpoint is included in OpenAPI, the
same can be executed directly from Swagger UI.

curl -X POST "https://localhost:8443/rest/auth/token" \
  -H "accept: application/json" -H "Authorization: Basic YWRtaW46b2ZiaXo="

This gets you the generated token with expiry as set in security.properties
file.

{
"statusCode": 200,
"statusDescription": "OK",
"successMessage": "Token granted.",
"data": {
"access_token":
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VyTG9naW5JZCI6ImFkbWluIiwiaXNzIjoiQXBhY2hlT0ZCaXoiLCJleHAiOjE1OTY3MDk4MjAsImlhdCI6MTU5NjcwODAyMH0.9Hj4pkkeQowAMxPLrI_To0WTohxxgVR6FoViyx5HoboTACQZ4iqDyqiIBodkuCVsZwOTPT1RSAQJ0L_oSVMqBA",
"token_type": "Bearer",
"expires_in": "1800"
}
}

The generated token can then be used to make API calls using Bearer Auth
Scheme. I have updated README here :
https://github.com/girishvasmatkar/ofbiz-plugins/blob/trunk/ofbiz-rest-impl/README.adoc

Best,
Girish










On Wed, Aug 5, 2020 at 8:13 PM Daniel Watford  wrote:

> Hi Girish,
>
> I've been able to authenticate with the REST api using the token you
> mentioned.
>
> I find the REST service very interesting as I think it has the potential to
> drastically simplify some of the lookup-style functionality currently
> implemented.
>
> As an extension to your PR I tried out a couple of things that might be
> useful while you continue to explore REST service opportunities.
>
> Please see this branch:
>
> https://github.com/danwatford/ofbiz-framework/commits/rest-experiements-based-on-pr214
>
>
> There are two commits on top of PR214.
>
> The first commit uses REST to look up State/Province values for a given
> country. This functionality is used when editing postal addresses. In this
> commit I've modified the editcontactmech form to use a REST endpoint to
> retrieve state/province information. If you have demo data loaded locally
> you can see the result here:
>
> https://localhost:8443/partymgr/control/editcontactmech?partyId=Company=1
>
> There wasn't too much of a saving here as the controller servlet is already
> configured to return JSON in response to these lookups, but making use of
> REST would sidestep the need to create controller.xml entries.
>
>
> The second commit uses REST to look up User Logins for the autocomplete
> field displayed here: https://localhost:8443/partymgr/control/main
>
> As you type into the User Login ID field REST calls are made to endpoint
> https://localhost:8443/rest/services/lookupUserLogin to search for
> matching
> user logins.
>
> The potential savings for this style of lookup are a reduction in
> complexity on the client and server side.
>
> At the moment AJAX lookup requests are processed as regular screen
> renderings, but with a decorator-loaded screen detecting that the
> ajaxLookup parameter is set and then triggering
> common/groovyScripts/FindAutocompleteOptions.groovy to run to perform the
> search. The search results are then encoded as a piece of javascript inside
> an HTML response.
> The client loads that HTML response into an automatically generated div,
> causing the javascript to execute and populate a global variable.
> The client then reads that global variable to generate the options to be
> displayed by the autocomplete widget.
>
> It is quite a convoluted chain of code to follow, but I imagine it was
> necessary at the time to make lookups work with the screen view rendering
> approach. Calling REST services instead will remove the need to generate
> javascript scripts embedded in HTML responses.
>
> Please note, the code written is very hacky at the moment and hardcoded to
> have ofbiz accessible at https://localhost:8443/. Notifying the client
> code
> of REST endpoints has been done by 'inappropriately reusing' other
> configuration items.
>
> Looking forward to seeing what comes next. Perhaps we could create a new
> ModelForm.RestLookupField to work similarly to ModelForm.LookupField, but
> making use of REST calls instead.
>
> Thanks,
>
> Dan.
>
>
> On Sun, 2 Aug 2020 at 11:03, Girish Vasmatkar <
> girish.vasmat...@hotwaxsystems.com> wrote:
>
> > Hi Daniel
> >
> > You can use the JWT token in the README of. Sorry, if it is not clearly
> > documented, this will be improved upon further as I make more changes.
> >
> https://github.com/girishvasmatkar/ofbiz-plugins/tree/trunk/ofbiz-rest-impl
> >

Re: [PROPOSAL] Return json from database directly

2020-06-30 Thread Girish Vasmatkar
Hi Shi

I am sorry but I am not following it. By results, did you mean the result
of operations done on the View Entity or the definition of the View
Entities in JSON format? Also, since you mentioned PostgreSQL, would it be
database-agnostic and not limited to PostgreSQL?

An example JSON response will help.

Best Regards,
Girish


On Tue, Jun 30, 2020 at 4:00 PM Shi Jinghai  wrote:

> Hi there,
>
> While playing openapi with ofbiz, I found it would more convenient to get
> some view entity results in json format. I tried array-to-json of
> PostgreSQL, it worked.
>
> A sample use case:
>   package-name="org.langhua.sandflower.luca.product"
>  never-cache="true"
>  title="VWProductAttribute">
>  entity-name="ProductAttribute">
>
> 
>  function="array-to-json">
>  function="array-to-json">
>  field="attrDescription" function="array-to-json">
> 
>
> And then the result could be sent to front-end(react/vue/angular) directly.
>
> Kind Regards,
>
> Shi Jinghai
>


Re: JUnit 5?

2020-07-05 Thread Girish Vasmatkar
Hi All

OFBiz integration tests are based on classes extending the TestCase class.
Should we not allow for a hybrid way of writing integration test cases
based on classes that do not extend TestCase while also allowing old ways
(extending TestCase and test methods starting with test) of writing test
cases?

Is there any particular reason why we are still using TestCase class?

Best
Girish




On Sun, Jul 5, 2020 at 1:44 PM Jacques Le Roux 
wrote:

> Thanks Eugen,
>
> That's quite interesting, could you please put your comment in the Jira?
>
> TIA
>
> Jacques
>
> On 05/07/2020 at 09:36, Eugen Stan wrote:
> > Hello Jacques,
> >
> > I think it makes sense to make the transition.
> >
> > In James we do have it ongoing.
> >
> > Junit5 people have documented the upgrade process and you can make it
> > gradually and have both.
> >
> > Use `git grep org.junit.Test | wc -l` to count the non-migrated tests.
> >
> > This is what we have based on the migration samples
> > https://github.com/junit-team/junit5-samples#gradle-migration-
> >
> >
> https://github.com/junit-team/junit5-samples/blob/main/junit5-migration-gradle/build.gradle
> >
> >
> > https://junit.org/junit5/docs/current/user-guide/#migrating-from-junit4
> >
> > 
> > dependencies {
> >  testImplementation 'org.junit.jupiter:junit-jupiter-api:5.5.1'
> >  testImplementation 'org.junit.jupiter:junit-jupiter-params:5.5.1'
> >  testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.5.1'
> >  testCompileOnly 'junit:junit:4.13'
> >  testRuntimeOnly 'org.junit.vintage:junit-vintage-engine:5.5.1'
> > }
> >
> > test {
> >  useJUnitPlatform()
> > }
> >
> > 
> >
> >
> > On 05.07.2020 10:01, Jacques Le Roux wrote:
> >> I created https://issues.apache.org/jira/browse/OFBIZ-11870 for that
> >>
> >> Jacques
> >>
> >> On 04/09/2018 at 09:15, Jacques Le Roux wrote:
> >>> Hi,
> >>>
> >>> I stumbled upon this tweet
> >>>
> >>>  https://twitter.com/junitteam/status/1036707906706698243
> >>>
> >>> Had a quick look at
> >>>
> >>>  https://junit.org/junit5/docs/5.3.0/release-notes/
> >>>
> >>>  https://www.baeldung.com/junit-5-migration
> >>>
> >>> I did not remember, so searched if we discussed moving from JUnit 4
> >>> to JUnit 5, but did not find anything.
> >>>
> >>> Did we discuss it, if so what were the conclusions? If not, should we
> >>> not discuss it?
> >>>
> >>> Thanks
> >>>
> >>>
> >>> Jacques
> >>>
> >>>
>


Re: REST implementation

2020-07-08 Thread Girish Vasmatkar
Hi Folks

I have added support for OpenApi Integration. The updated code can be found
here : https://github.com/girishvasmatkar/ofbiz-rest-impl. Please go
through the changes and test at your end and let me know your thoughts.

I am planning to do some refactoring and then raise initial PR for the
plug-in if the changes look good to everyone.

Best,
Girish


On Wed, Jun 17, 2020 at 4:54 PM Carsten Schinzer <
cars...@dcs-verkaufssysteme.de> wrote:

> Hi Girish,
>
> Thanks to clarify :)
> What caught me on the OpenAPI integration is the snippet quoted below and
> I realize I should have read it in context. Actually then it is aligned
> with my view.
>
> Warm regards
>
> Carsten
>
> > Initial implementation does not contain OpenApi integration yet. And
>
>


Re: OFBiz - Eclipse: can't find ofbiz.jar

2020-07-06 Thread Girish Vasmatkar
Hi Carlos

Did you first run the "gradlew build" command? That would make sure
ofbiz.jar was created and placed in the directory you mentioned. You can
then use it as a classpath entry and ofbiz should run from eclipse.

Best,
Girish


On Mon, Jul 6, 2020 at 2:15 PM Carlos Navarro 
wrote:

> Good morning,
>
> OFBiz is running fine in my laptop, so I suppose all necessary files must
> be ok.
>
> I'm trying to configure OFBiz - Eclipse following
> https://cwiki.apache.org/confluence/display/OFBIZ/Running+and+Debugging+OFBiz+in+Eclipse.
> At some point it is necessary to add ofbiz.jar: "Classpath
> Bootstrap Entries: JRE System Library
> User Entries: build/libs/ofbiz.jar from OFBiz project
> Don't forget to remove the entry "ofbiz (default
> classpath)" else you may have a message "Can't find bundle for base name
> cache, locale ...""
> But I can not find ofbiz.jar neither in build/libs/ofbiz.jar nor in any
> other path. Can you help me please?
>
> Thanks.
>


Re: checkNewPassword and ignoreCurrentPassword

2020-07-12 Thread Girish Vasmatkar
Hi Jacques

I think the vulnerability does not exist if the CSRF defence is in place.
If there is no defence in place, there is a possibility of using system
account session to change the admin password.

As for bypassing current password check if the user is admin, it won't hurt
if the check was in place for system account as well to check the current
password. I could be wrong so we need others opinion as well. My 2 cents.

Best Regards,
Girish

On Sun, Jul 12, 2020 at 4:38 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Hi team,
>
> We recently got a security report about checkNewPassword where it was
> claimed a CSRF vulnerability because of ignoreCurrentPassword but I
> rejected it.
>
> I have though added a comment in trunk to allow users to add OFBiz
> specific CSRF defense in case it would be needed (peculiar browsers):
>
> https://github.com/apache/ofbiz-framework/commit/16c2d3521990caf5e8703cbb323ce1146c93b9ce/
>
> The reporter then wrote
>
> "Even if this is not a CSRF vulnerability, I still think it is an
> insecure measure to not verify the current password when changing the
> password
> of the system account. What do you think?"
>
> His report was initially roughly :
>
> *If it is a system account, current password would not be checked*
>
> public static void checkNewPassword(GenericValue userLogin, String currentPassword,
>         String newPassword, String newPasswordVerify, String passwordHint,
>         List<String> errorMessageList, boolean ignoreCurrentPassword, Locale locale) {
>     Delegator delegator = userLogin.getDelegator();
>     boolean useEncryption = "true".equals(
>             EntityUtilProperties.getPropertyValue("security", "password.encrypt", delegator));
>
>     String errMsg = null;
>
>     if (!ignoreCurrentPassword) {
>         // if the password.accept.encrypted.and.plain property in security is set to true
>         // allow plain or encrypted passwords
>         // if this is a system account don't bother checking the passwords
>         boolean passwordMatches = checkPassword(
>                 userLogin.getString("currentPassword"), useEncryption, currentPassword);
>         if ((currentPassword == null) || (!passwordMatches)) {
>             errMsg = UtilProperties.getMessage(resource,
>                     "loginservices.old_password_not_correct_reenter", locale);
>             errorMessageList.add(errMsg);
>         }
>         if (checkPassword(userLogin.getString("currentPassword"), useEncryption, newPassword)) {
>             errMsg = UtilProperties.getMessage(resource,
>                     "loginservices.new_password_is_equal_to_old_password", locale);
>             errorMessageList.add(errMsg);
>         }
>
>     }
>
> The code and related calling code is easy to check and I don't really see
> an issue with it.
>
> @Jacopo, you put it in with
> http://svn.apache.org/viewvc?view=revision&revision=739738 what is your
> opinion about that?
>
> And what is the team's opinion?
>
> Thanks
>
> Jacques
>
>
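
A sketch of the stricter policy raised in this thread, as an added example that is not OFBiz code: the submitted current password is always verified, against the target account for a self-service change and against the acting account when it resets someone else's password. The Account record, the method names and the example.* message keys are hypothetical; the two loginservices.* keys come from the quoted snippet. Records need Java 16 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

public class PasswordChangePolicy {

    /** Hypothetical stand-in for a user login record (not OFBiz's GenericValue). */
    record Account(String loginId, byte[] passwordHash, boolean mayResetOthers) {}

    /** Sketch only: SHA-256 keeps the example dependency-free; a real store uses a salted, slow KDF. */
    static byte[] hash(String password) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Constant-time comparison of the candidate against the stored hash; null never matches. */
    static boolean matches(Account account, String candidate) {
        return candidate != null && MessageDigest.isEqual(hash(candidate), account.passwordHash());
    }

    /**
     * Returns the list of error keys; an empty list means the change may proceed.
     * There is no ignoreCurrentPassword switch: a password is always checked.
     */
    static List<String> checkNewPassword(Account actor, Account target, String currentPassword,
                                         String newPassword, String newPasswordVerify) {
        List<String> errors = new ArrayList<>();
        boolean selfService = actor.loginId().equals(target.loginId());

        if (!selfService && !actor.mayResetOthers()) {
            errors.add("example.not_allowed_to_change_other_account"); // constructed key
            return errors;
        }
        // Self-service: prove knowledge of the target's password.
        // Reset of another account: the actor re-authenticates with its own password,
        // so a live session alone is not enough to change someone else's credentials.
        Account verifier = selfService ? target : actor;
        if (!matches(verifier, currentPassword)) {
            errors.add("loginservices.old_password_not_correct_reenter");
        }
        if (newPassword == null || !newPassword.equals(newPasswordVerify)) {
            errors.add("example.new_password_verify_mismatch"); // constructed key
        } else if (matches(target, newPassword)) {
            errors.add("loginservices.new_password_is_equal_to_old_password");
        }
        return errors;
    }

    public static void main(String[] args) {
        // Constructed accounts and passwords, for illustration only.
        Account system = new Account("system", hash("sys-secret"), true);
        Account admin = new Account("admin", hash("admin-secret"), true);
        Account clerk = new Account("clerk", hash("clerk-secret"), false);

        // Self-service change on the system account without its current password: rejected.
        System.out.println(checkNewPassword(system, system, null, "n3w-pass", "n3w-pass"));
        // Reset of admin from a system-account session without re-entering a password: rejected.
        System.out.println(checkNewPassword(system, admin, null, "n3w-pass", "n3w-pass"));
        // Same reset after the operator re-enters the system account's own password: accepted.
        System.out.println(checkNewPassword(system, admin, "sys-secret", "n3w-pass", "n3w-pass"));
        // Unprivileged account targeting another account: rejected before any password check.
        System.out.println(checkNewPassword(clerk, admin, "clerk-secret", "n3w-pass", "n3w-pass"));
    }
}
```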


Re: REST implementation

2020-07-09 Thread Girish Vasmatkar
Hi Shi

Thanks for taking a look at it. I have a question on "WWW-Authenticate"
header so please clarify and I can make appropriate changes accordingly -

All I am finding is that to prevent the pop-up, either return 403 (which I
do not want to do) or not include "WWW-Authenticate" header at all (not
inclined to do this as well because then we would be violating the spec).
Do you mean to NOT start the value of the header with "Bearer" ?
so instead of below

*WWW-Authenticate: Bearer realm="Access to OFBiz", charset="UTF-8"*

should we change it to

*WWW-Authenticate: xBearer realm="Access to OFBiz", charset="UTF-8"*

I did not test it, but I can just change it like this without testing if
you can please confirm it will prevent the browser dialog.

Thanks again for the review.

Best,
Girish

On Wed, Jul 8, 2020 at 8:45 PM Shi Jinghai  wrote:

> Hi Girish,
>
> Excellent.
>
> Only one suggestion from my quick view, when response code is 401, the
> "WWW-Authenticate" header should be set to start with a word NOT “Bearer
> …”, this can prevent web browser from popping up a login dialog.
>
> Kind Regards,
>
> Shi Jinghai
>
> From: Girish Vasmatkar<mailto:girish.vasmat...@hotwaxsystems.com>
> Sent: 8 July 2020 20:47
> To: dev@ofbiz.apache.org<mailto:dev@ofbiz.apache.org>
> Subject: Re: REST implementation
>
> Hi Folks
>
> I have added support for OpenApi Integration. The updated code can be found
> here : https://github.com/girishvasmatkar/ofbiz-rest-impl. Please go
> through the changes and test at your end and let me know your thoughts.
>
> I am planning to do some refactoring and then raise initial PR for the
> plug-in if the changes look good to everyone.
>
> Best,
> Girish
>
>
> On Wed, Jun 17, 2020 at 4:54 PM Carsten Schinzer <
> cars...@dcs-verkaufssysteme.de> wrote:
>
> > Hi Girish,
> >
> > Thanks to clarify :)
> > What caught me on the OpenAPI integration is the snippet quoted below and
> > I realize I should have read it in context. Actually then it is aligned
> > with my view.
> >
> > Warm regards
> >
> > Carsten
> >
> > >>>>> Initial implementation does not contain OpenApi integration yet.
> And
> >
> >
>
>


Re: REST implementation

2020-06-17 Thread Girish Vasmatkar
Hi Carsten -

Your points make a lot of sense and that's the general consensus of the
community as well. However, I believe we want to have the option of
exposing the services via "REST". The existing framework's services
obviously are not named thinking of them as Resources, and in the REST world
resources are perceived as nouns.

This is obviously not a complete implementation and we would obviously like
to tie up entities and services with resources. For example - consider the
service cancelProductionRun.

If we expose it under services resource (considering services as
resources), we could do it like this -
PATCH /rest/services/cancelProductionRun
{
"productionRunId": 1234
}

While this may not sound RESTful, this in a way adds capability for
OFBiz to expose the services via a "REST" interface. A truly RESTful
approach that I am working on might do something like this -

PATCH /rest/productionruns/{productionRunId}

Internally it will hook up the service cancelProductionRun with this
resource URL. This obviously has to be configured somewhere in XML and such
details can be chalked out.

Best,
Girish










On Tue, Jun 16, 2020 at 12:45 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Thanks Girish,
>
> I did not have time to look into details yet but your README is very
> promising :)
>
> Jacques
>
> On 15/06/2020 at 17:59, Girish Vasmatkar wrote:
> > Hi All
> >
> > I have tried to implement a draft proposal here -
> > https://github.com/girishvasmatkar/ofbiz-rest-impl.git
> > The readme contains details.
> >
> > In order to support the changes, I have made a corresponding change in
> the
> > service definition to include a new attribute named "verb". This can also
> > be named "method". These changes are in my forked ofbiz repo (it is very
> > much in sync with ofbiz trunk):
> >
> https://github.com/girishvasmatkar/ofbiz-framework/tree/feature/add-service-verb
> >
> > Initial implementation does not contain OpenApi integration yet. And yes,
> > we should be fine doing both JSON and YAML.
> >
> > Please take a look at it and let me know what you think of this. I am
> open
> > to suggestions, improvements, discussions.
> >
> > Best Regards,
> > Girish
> >
> >
> > On Mon, Jun 15, 2020 at 7:02 PM Pritam Kute <
> pritam.k...@hotwaxsystems.com>
> > wrote:
> >
> >> Hello Girish,
> >>
> >> +1 for having REST implementation using Jersey as a separate plugin and
> not
> >> to disturb the OFBiz default Control servlets and filters.
> >>
> >> IMO we should also think about the end-point security implementations
> >> alongside as it is one of the crucial things that users look into while
> >> adopting any framework.
> >>
> >> Kind Regards,
> >> --
> >> Pritam Kute
> >>
> >>
> >> On Fri, Jun 12, 2020 at 2:58 PM Jacques Le Roux <
> >> jacques.le.r...@les7arts.com> wrote:
> >>
> >>> Hi Girish,
> >>>
> >>> Inline...
> >>>
> >>> On 10/06/2020 at 17:42, Girish Vasmatkar wrote:
> >>>> Hi All
> >>>>
> >>>> I am again bringing up this discussion on having a REST implementation
> >>> for
> >>>> OFBiz. I know we have had discussions before and I was looking at some
> >> of
> >>>> the past discussions about this topic and seems we are not there quite
> >>> yet
> >>>> (correct me if I am wrong).
> >>>>
> >>>> I had developed a POC plug-in based on Jersey (that I am currently
> >>>> enhancing) and recently started evaluating Apache Juneau as well. I
> >>> wanted
> >>>> to bring everybody on the same page as far as REST implementation is
> >>>> concerned so I had initiated a discussion on slack today. I am listing
> >>> down
> >>>> a few points below that can be perceived as
> >>> comment/question/understanding
> >>>> based on my general understanding of the matter and today's slack
> >>>> discussion.
> >>>>
> >>>>  - Anything we start on can be part of a plug-in for the start and
> >>> later
> >>>>  can become part of the framework (as separate plug-in) once it is
> >>>>  developed. A dedicated API application will allow it to be
> >>> lightweight in
> >>>>  terms of request processing. Should have separate auth mechanism
> >>> bypassing

Re: REST implementation

2020-06-17 Thread Girish Vasmatkar
Hi Carsten

OpenAPI integration and the implementation go hand in hand so no reason
separating them. I think what this draft does is just trying to see how
this might work. I am also parallelly working on OpenAPI spec but I wanted
the developers to review this work to get a better understanding of how to
proceed further.

As for the PATCH example that I quoted, that was just for
demonstration purposes to show the two approaches.

Best Regards,
Girish




On Wed, Jun 17, 2020 at 2:42 PM Carsten Schinzer <
cars...@dcs-verkaufssysteme.de> wrote:

> Hello Girish,
>
>
> Thanks for the example, it makes clearer what you want to achieve.
>
> General considerations on RESTful or not:
> If you want to stop a productionRun, why do you use PATCH and not DELETE?
> Well, I know the connotation of Delete is „dismantle“ rather than „stop“,
> but PATCH also considers and exposes config/data changes, not only status
> changes
>
> PATCH /rest/productionruns/{productionRunId}?action=cancel
> … would probably be the best
>
> Here is how an Annotation based implementation would achieve this:
>
> @Route /productionrun/{productionRunId}, requirement={productionRunId, \d+}
> @ApiDoc(title="A service to patch MRP Production Runs",
>         description="It allows to change the run configuration and status")
> public patchProductionRunAction(int productionRunId, string[] urlParameters)
> {
>     ...
>     if urlParameters['action'] == 'cancel':
>         call service cancelProductionRun(productionRunId)
>     ...
> }
>
> Forgive this pseudo-code, but I think you get what I mean.
>
> It would not avoid that some matching layer of code is required in-between
> the exposed REST API methods like patchProductionRunAction and the actual
> service call, but this layer would remain code instead of being in XML or
> somewhere else that requires a context switch.
>
> In my other application (the PHP) the classes are clearly separated by
> responsibility, i.e. Repository classes interact with the persistence layer,
> Service classes are manipulating things and RestController classes are
> wrapping up the REST API methods and properly annotated with the Routes and
> validation constraints. The important point is that it is all coded in the
> same language and therefore the context is exposed to the IDE I am working
> with. No lookups to be made into an XML file to understand parameters and
> return types of services etc. That is quite an advantage IMO.
>
> IMO that is the complexity in the current way of dealing with this in
> OFBiz and that’s why I believe the OpenAPI integration should be going
> along with REST implementation.
>
> Warm regards
>
>
> Carsten
>
>
> > On 17.06.2020 at 08:38, Girish Vasmatkar <
> girish.vasmat...@hotwaxsystems.com> wrote:
> >
> > Hi Carsten -
> >
> > Your points make a lot of sense and that's the general consensus of the
> > community as well. However, I believe we want to have the option of
> > exposing the services via "REST". The existing framework's services
> > obviously are not named thinking of them as Resources, and in the REST world
> > resources are perceived as nouns.
> >
> > This is obviously not a complete implementation and we would obviously
> like
> > to tie up entities and services with resources. For example - consider
> the
> > service cancelProductionRun.
> >
> > If we expose it under services resource (considering services as
> > resources), we could do it like this -
> > PATCH /rest/services/cancelProductionRun
> > {
> >"productionRunId": 1234
> > }
> >
> > While this may not sound RESTful, this in a way adds capability for
> > OFBiz to expose the services via a "REST" interface. A truly RESTful
> > approach that I am working on might do something like this -
> >
> > PATCH /rest/productionruns/{productionRunId}
> >
> > Internally it will hook up the service cancelProductionRun with this
> > resource URL. This obviously has to be configured somewhere in XML and
> such
> > details can be chalked out.
> >
> > Best,
> > Girish
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > On Tue, Jun 16, 2020 at 12:45 PM Jacques Le Roux <
> > jacques.le.r...@les7arts.com> wrote:
> >
> >> Thanks Girish,
> >>
> >> I did not have time to look into details yet but your README is very
> >> promising :)
> >>
> >> Jacques
> >>
> >> On 15/06/2020 at 17:59, Girish Vasmatkar wrote:
> >>> Hi All
> >>>

Re: REST implementation

2020-06-15 Thread Girish Vasmatkar
Hi All

I have tried to implement a draft proposal here -
https://github.com/girishvasmatkar/ofbiz-rest-impl.git
The readme contains details.

In order to support the changes, I have made a corresponding change in the
service definition to include a new attribute named "verb". This can also
be named "method". These changes are in my forked ofbiz repo (it is very
much in sync with ofbiz trunk):
https://github.com/girishvasmatkar/ofbiz-framework/tree/feature/add-service-verb

Initial implementation does not contain OpenApi integration yet. And yes,
we should be fine doing both JSON and YAML.

Please take a look at it and let me know what you think of this. I am open
to suggestions, improvements, discussions.

Best Regards,
Girish


On Mon, Jun 15, 2020 at 7:02 PM Pritam Kute 
wrote:

> Hello Girish,
>
> +1 for having REST implementation using Jersey as a separate plugin and not
> to disturb the OFBiz default Control servlets and filters.
>
> IMO we should also think about the end-point security implementations
> alongside as it is one of the crucial things that users look into while
> adopting any framework.
>
> Kind Regards,
> --
> Pritam Kute
>
>
> On Fri, Jun 12, 2020 at 2:58 PM Jacques Le Roux <
> jacques.le.r...@les7arts.com> wrote:
>
> >
> > Hi Girish,
> >
> > Inline...
> >
> > On 10/06/2020 at 17:42, Girish Vasmatkar wrote:
> > > Hi All
> > >
> > > I am again bringing up this discussion on having a REST implementation
> > for
> > > OFBiz. I know we have had discussions before and I was looking at some
> of
> > > the past discussions about this topic and seems we are not there quite
> > yet
> > > (correct me if I am wrong).
> > >
> > > I had developed a POC plug-in based on Jersey (that I am currently
> > > enhancing) and recently started evaluating Apache Juneau as well. I
> > wanted
> > > to bring everybody on the same page as far as REST implementation is
> > > concerned so I had initiated a discussion on slack today. I am listing
> > down
> > > a few points below that can be perceived as
> > comment/question/understanding
> > > based on my general understanding of the matter and today's slack
> > > discussion.
> > >
> > > - Anything we start on can be part of a plug-in for the start and
> > later
> > > can become part of the framework (as separate plug-in) once it is
> > > developed. A dedicated API application will allow it to be
> > lightweight in
> > > terms of request processing. Should have separate auth mechanism
> > bypassing
> > > ControlServlet/ContextFilter/ControlFilter. I opine we do not need
> > the API
> > > request to go through these three. Please correct me.
> >
> > Though I did not look at the code (is it already somewhere?) I tend to
> > agree on that.
> > REST is something else and should not be hampered by those, if it's the
> > case.
> >
> >
> > > - We want to have mechanism to expose services (export=true) to be
> > > available as a REST resources. Possibly extending existing service
> > > definition by a new attribute verb="get|post".
> >
> > +1
> >
> >
> > > Also, if we also want to
> > > expose our REST interface as an OpenApi specification, then it will
> > > possibly help if we show in the spec an example of request for a
> > specific
> > > service. In that case, the service definition can be expanded to
> > allow for
> > > defining a JSON example (in a CDATA element)?
> >
> > That's an interesting point. Maybe we could prefer YAML over JSON.
> > Because YAML is a superset of JSON and that could be useful in future:
> >
> >
> https://stackoverflow.com/questions/1726802/what-is-the-difference-between-yaml-and-json
> > But it might complicate things in request bodies...
> >
> >
> > > -  Any service that declares one of the verbs and not called with
> > > declared verb will result in 405(Method not found) or 404(Resource
> > does not
> > > exist) error.
> > >- GET /api/services/{serviceName}?inParams={JSON}
> > >- POST /api/services/{serviceName} (Request Body will contain in
> > >params as JSON)
> > >- GET /api/services : We list all services(export=true) along
> with
> > >HATEOS Links (self link describing where the specific service
> can
> > be
> > >located)
> >
> > +1
> >
>

Re: OFBiz-GraphQL Webinar Recording on YouTube

2020-06-09 Thread Girish Vasmatkar
Hi Eugen

The Webinar was an attempt to discuss the ongoing OFBiz-GraphQL
implementation with the community and showcase what had been done on that
front. Thanks for taking interest in the implementation.

I will plan to have series of more sessions by breaking it down and
covering only specifics to cut short the duration. In the meantime, please
let me know if you have any questions or concerns or have any suggestions
on the current implementation.

Best Regards,
Girish
Hotwax Systems







On Mon, Jun 8, 2020 at 9:03 PM Eugen Stan  wrote:

> Thanks for the webinar. I watched it full as an API on top of OFBiz is
> of interest to me.
>
> I have some feedback which I believe you are already aware of:
>
> - the audio is of poor quality and hard to understand in some points
>
> - the video is very long and could use some editing to remove the silent
> / dead parts.
>
> - If editing is not an option, I think it's easy to add "skip this
> section" buttons on youtube.
>
> Please share future videos in this direction.
>
> Regards,
>
> Eugen
>
> On 08.05.2020 18:10, Pranay Pandey wrote:
> > Here is the direct URL: https://youtu.be/VK0o0OBAS1I
> >
> > Best regards,
> > Pranay Pandey
> >
> >
> > On Fri, May 8, 2020 at 8:39 PM Pranay Pandey <
> > pranay.pan...@hotwaxsystems.com> wrote:
> >
> >> Hello OFBiz Devs, Users
> >>
> >> OFBiz-GraphQL webinar recording is now available for everyone's
> reference
> >> on YouTube.
> >>
> >> Thank you Girish Vasmatkar for doing this webinar and providing the
> >> recording for upload.
> >>
> >> Best regards,
> >> Pranay Pandey
> >>
> --
> Eugen Stan
> +40720 898 747 / netdava.com
>
>


REST implementation

2020-06-10 Thread Girish Vasmatkar
Hi All

I am again bringing up this discussion on having a REST implementation for
OFBiz. I know we have had discussions before and I was looking at some of
the past discussions about this topic and seems we are not there quite yet
(correct me if I am wrong).

I had developed a POC plug-in based on Jersey (that I am currently
enhancing) and recently started evaluating Apache Juneau as well. I wanted
to bring everybody on the same page as far as REST implementation is
concerned so I had initiated a discussion on slack today. I am listing down
a few points below that can be perceived as comment/question/understanding
based on my general understanding of the matter and today's slack
discussion.

   - Anything we start on can be part of a plug-in for the start and later
   can become part of the framework (as separate plug-in) once it is
   developed. A dedicated API application will allow it to be lightweight in
   terms of request processing. Should have separate auth mechanism bypassing
   ControlServlet/ContextFilter/ControlFilter. I opine we do not need the API
   request to go through these three. Please correct me.
   - We want to have mechanism to expose services (export=true) to be
   available as REST resources. Possibly extending existing service
   definition by a new attribute verb="get|post". Also, if we also want to
   expose our REST interface as an OpenApi specification, then it will
   possibly help if we show in the spec an example of request for a specific
   service. In that case, the service definition can be expanded to allow for
   defining a JSON example (in a CDATA element)?
   - Any service that declares one of the verbs and not called with
   declared verb will result in 405(Method not found) or 404(Resource does not
   exist) error.
      - GET /api/services/{serviceName}?inParams={JSON}
      - POST /api/services/{serviceName} (Request Body will contain in
      params as JSON)
      - GET /api/services : We list all services(export=true) along with
      HATEOAS Links (self link describing where the specific service can be
      located)
   - Do we want to have a similar resource for entities? I think entities
   should not be exposed directly as a REST resource even though they are a
   good example of being a resource.
   - We can take one day at a time approach here and just start with
   exposing services as REST.
   - Auth : I had provided JWT based auth for the plug-in I had developed.
   This can further be expanded and allow for Digest auth as well? Can have
   separate API endpoint to generate JWT token.

Please share your thoughts on this and apologies for long email.

Best Regards,
Girish
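
The exposure rules proposed in this message (only export=true services with a declared verb are reachable, a wrong verb gets 405, everything else 404, and GET /api/services lists self links), as an added example that is not code from the plug-in or from OFBiz. The ServiceDef and Decision records, the ServiceGate class and the sample service names other than cancelProductionRun are hypothetical; answering 404 for non-exported services is a design assumption. Records need Java 16 or later.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

public class ServiceGate {

    /** The part of a service definition that matters for REST exposure (hypothetical model). */
    record ServiceDef(String name, boolean export, String verb) {}

    /** Outcome of the gate: HTTP status plus the Allow header value for a 405. */
    record Decision(int status, String allow) {}

    private static final String PREFIX = "/api/services/";
    // Service names are plain identifiers; slashes, dots and encoded characters are rejected.
    private static final Pattern NAME = Pattern.compile("[A-Za-z][A-Za-z0-9]*");

    private final Map<String, ServiceDef> registry = new LinkedHashMap<>();

    void register(String name, boolean export, String verb) {
        String normalized = verb == null ? null : verb.toUpperCase(Locale.ROOT);
        registry.put(name, new ServiceDef(name, export, normalized));
    }

    /** Decide whether httpMethod may invoke the service addressed by path (query string removed). */
    Decision check(String httpMethod, String path) {
        if (path == null || !path.startsWith(PREFIX)) {
            return new Decision(404, null);
        }
        String name = path.substring(PREFIX.length());
        if (!NAME.matcher(name).matches()) {
            return new Decision(404, null);
        }
        ServiceDef def = registry.get(name);
        // Unknown, non-exported and verb-less services all answer 404, so the API
        // does not reveal which internal services exist.
        if (def == null || !def.export() || def.verb() == null) {
            return new Decision(404, null);
        }
        if (!def.verb().equalsIgnoreCase(httpMethod)) {
            // 405 Method Not Allowed must tell the client which method is accepted.
            return new Decision(405, def.verb());
        }
        return new Decision(200, null);
    }

    /** Body of GET /api/services: exported services with a declared verb and their self links. */
    Map<String, String> listExported() {
        Map<String, String> links = new LinkedHashMap<>();
        for (ServiceDef def : registry.values()) {
            if (def.export() && def.verb() != null) {
                links.put(def.name(), def.verb() + " " + PREFIX + def.name());
            }
        }
        return links;
    }

    public static void main(String[] args) {
        ServiceGate gate = new ServiceGate();
        // Constructed sample definitions; only cancelProductionRun is a name from the thread.
        gate.register("cancelProductionRun", true, "post");
        gate.register("exampleLookup", true, "get");
        gate.register("exampleInternalJob", false, "post"); // not exported
        gate.register("exampleNoVerb", true, null);         // exported, no verb declared

        String[][] requests = {
            {"POST", "/api/services/cancelProductionRun"},  // 200
            {"GET", "/api/services/cancelProductionRun"},   // 405, Allow: POST
            {"POST", "/api/services/exampleInternalJob"},   // 404
            {"GET", "/api/services/exampleNoVerb"},         // 404
            {"GET", "/api/services/../entities"},           // 404, not a plain service name
            {"GET", "/api/services/noSuchService"},         // 404
        };
        for (String[] r : requests) {
            Decision d = gate.check(r[0], r[1]);
            System.out.println(r[0] + " " + r[1] + " -> " + d.status()
                    + (d.allow() != null ? " (Allow: " + d.allow() + ")" : ""));
        }
        System.out.println(gate.listExported());
    }
}
```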


Nested attributes for Collection Types

2020-07-16 Thread Girish Vasmatkar
Hey Guys,

While working on OpenApi integration as well as GraphQL implementation, I
faced issues on how to automatically document request/response JSON
structure for service attributes that were of Collection types (Map, List
etc).

For simple types, it is just plain easy but when it comes to Map/Lists, you
have to know what exactly is inside them to be able to convey properly in
the OpenApi schema.

I was thinking to maybe try to introduce nested attributes in service
definition such that if the attribute type is Map/List, you can actually
specify what goes inside that attribute -











With this change, it becomes possible to generate the schema for the
service attribute, whereas if we don't have this option, we can't possibly
indicate what the structure of the "header" key is going to be if it was
represented in JSON format.

Of course, this change will only help documentation and GraphQL
implementation and that there is very little case for it to benefit a
general OFBiz service call.

Any thoughts or comments on this? Is this too big of a change (impact wise
and not coding perspective) to avoid it and consider something else? Has
this been discussed before?

Best,
Girish


Re: A little bit of Lombok

2020-07-28 Thread Girish Vasmatkar
Hi

I think we need to decide how much is the fair usage of lombok. I have used
it previously and it does good job of taking care of removing boilerplate
code. However, I feel care must also be taken to determine how much we use
it because chances are that the code might not work (potentially) if you
upgrade the compiler - for example upgrading from Java 8 to 9 or Java 9 to
10 since it adds bytecodes at the compile time.

With its heavy usage, it is also likely to affect the build time as well.
There are ways to mitigate such issues however [1] but care must be taken.

As far as IDEs are concerned, it is fairly easy, be it Eclipse or IntelliJ.
With Eclipse, you would typically install it as a plug-in and then Eclipse
should not complain about compilation issues.

I think we need to evaluate all these pros and cons before deciding on its
acceptance. I have not used it for more than generating getters
and setters.

[1] -
https://stackoverflow.com/questions/15518405/lombok-slowing-down-build-process-in-large-project#:~:text=Lombok%20is%20an%20annotation%20processor,sources%20or%20throw%20compiler%20errors.

Best,
Girish



On Tue, Jul 28, 2020 at 7:12 PM Eugen Stan  wrote:

> On 28.07.2020 16:10, Michael Brohl wrote:
> > Hi Daniel,
> >
> > can you explain what the advantages and disadvantages are?
> >
> > Is it worth the introduction of an additional framework, more complex
> > IDE configuration, an additional Gradle plugin and more memory
> > consumption and why?
> >
> > Thanks for clarification,
> >
> > Michael Brohl
>
> Hi,
>
> My 2c:
>
> I think Lombok is great.
> I've used it with my previous Java projects to reduce the amount of
> boilerplate needed when writing Java code.
>
> The lombok annotations are only applied during compilation so they don't
> change the runtime behavior.
>
> The cons are an initial quick setup and a very small learning curve.
> The pros are less code to write and review and safer equals and hashcode
> (they are generated) .
>
> I would argue that some of the advantages regarding getters and setters
> will be diminished once Records are adopted in Java (second preview)
> https://openjdk.java.net/projects/jdk/15/
>
> I believe this will be done probably in March 2021 and it will be in
> time for the next LTS which hopefully it will be JDK 16 in September
> 2021 as per
> https://www.oracle.com/java/technologies/java-se-support-roadmap.html .
>
> That being said Lombok has advantages and can be used very easily.
>
>
> I do think Lombok can be set without a plugin since Gradle has
> annotationProcessor configuration
>
> https://tomgregory.com/annotation-processors-in-gradle-with-the-annotationprocessor-dependency-configuration/
>
>
>
> --
> Eugen Stan
> +40720 898 747 / netdava.com
>


Re: Welcome Pawan Verma as new PMC member

2020-07-28 Thread Girish Vasmatkar
Many congratulations Pawan.

Best,
Girish

On Tue, Jul 28, 2020 at 2:10 PM Devanshu Vyas 
wrote:

> Many many Congratulations Pawan!!
>
>
> Thanks & Regards,
> Devanshu Vyas.
>
>
> On Tue, Jul 28, 2020 at 1:53 PM Aditya Sharma 
> wrote:
>
> > Felicitation Pawan!!
> >
> > Thanks and Regards,
> > Aditya Sharma
> >
> > On Tue, Jul 28, 2020 at 1:22 PM Jacques Le Roux <
> > jacques.le.r...@les7arts.com> wrote:
> >
> > > The OFBiz PMC has invited Pawan Verma to become member of the committee
> > > and we are glad to announce that he has accepted the nomination.
> > >
> > > On behalf of the OFBiz PMC, welcome on board Pawan!
> > >
> > >
> >
>


Re: Nested attributes for Collection Types

2020-07-20 Thread Girish Vasmatkar
Thank you, all. I've created
https://issues.apache.org/jira/browse/OFBIZ-11902 to track this.

Best,
Girish

On Tue, Jul 21, 2020 at 1:14 AM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Thanks Mridul,
>
> I agree about enhancing existing service definitions
>
> Jacques
>
> On 20/07/2020 at 10:37, Mridul Pathak wrote:
> > Hi Girish,
> >
> > I think this would be a good improvement to service definition. While it
> makes more sense that it would enable creating JSON like schema definitions
> it would make service definitions more predictable in general. This
> improvement could also be applied to existing service definitions to be
> able to expose them as an API in a more sensible way.
> >
> > Thanks.
> > --
> > Mridul Pathak
> >
> >
> >> On 16-Jul-2020, at 5:20 PM, Girish Vasmatkar <
> girish.vasmat...@hotwaxsystems.com> wrote:
> >>
> >> Hey Guys,
> >>
> >> While working on OpenApi integration as well as GraphQL implementation,
> I
> >> faced issues on how to automatically document request/response JSON
> >> structure for service attributes that were of Collection types (Map,
> List
> >> etc).
> >>
> >> For simple types, it is just plain easy but when it comes to Map/Lists,
> you
> >> have to know what exactly is inside them to be able to convey properly
> in
> >> the OpenApi schema.
> >>
> >> I was thinking to maybe try to introduce nested attributes in service
> >> definition such that if the attribute type is Map/List, you can actually
> >> specify what goes inside that attribute -
> >>
> >> 
> >>
> >> 
> >>
> >> 
> >>
> >> 
> >>
> >>
> >>
> >> With this change, it becomes possible to generate the schema for the
> >> service attribute, whereas if we don't have this option, we can't
> possibly
> >> indicate what the structure of the "header" key is going to be if it was
> >> represented in JSON format.
> >>
> >> Of course, this change will only help documentation and GraphQL
> >> implementation and that there is very little case for it to benefit a
> >> general OFBiz service call.
> >>
> >> Any thoughts or comments on this? Is this too big of a change (impact
> wise
> >> and not coding perspective) to avoid it and consider something else? Has
> >> this been discussed before?
> >>
> >> Best,
> >> Girish
>
>


Re: REST implementation

2020-07-31 Thread Girish Vasmatkar
Greetings!

I have created a PR to add a REST component -
https://github.com/apache/ofbiz-plugins/pull/35 . Please take a look
and let me know what you think and let me know if you face any issues. I
intend to merge it in a week from now.

With the PR (https://github.com/apache/ofbiz-framework/pull/214) to add
"action" attribute to the service definition now merged, this above
component should be able to expose exportable (export=true) and
actionable(action=GET|POST) services via REST.

Once the changes for nested attributes (OFBIZ-11902
<https://issues.apache.org/jira/browse/OFBIZ-11902>) are done, I will also
be making corresponding changes in the GraphQL plugin to account for nested
attributes. OFBIZ-11902
<https://issues.apache.org/jira/browse/OFBIZ-11902> will
help in defining complex GraphQL mutations.

I am parallelly also working on designing an XML DSL for REST that should
allow tying up REST resources with OFBiz services.

Best,
Girish



On Thu, Jul 9, 2020 at 6:27 PM Shi Jinghai  wrote:

> Hi Girish,
>
> Yes, you got it.
>
> Web browser will popup a login dialog when response code is 401:
> setResponseHeader("WWW-Authenticate", "Bearer realm=\"authentication
> required\"");
>
> The popup is skipped and then react/vue/angular can handle the response:
> setResponseHeader("WWW-Authenticate", "OFBiz realm=\"authentication
> required\"");
>
>
> From: Girish Vasmatkar<mailto:girish.vasmat...@hotwaxsystems.com>
> Sent: 9 July 2020 14:54
> To: dev@ofbiz.apache.org<mailto:dev@ofbiz.apache.org>
> Subject: Re: REST implementation
>
> Hi Shi
>
> Thanks for taking a look at it. I have a question on "WWW-Authenticate"
> header so please clarify and I can make appropriate changes accordingly -
>
> All I am finding is that to prevent the pop-up, either return 403 (which I
> do not want to do) or not include "WWW-Authenticate" header at all (not
> inclined to do this as well because then we would be violating the spec).
> Do you mean to NOT start the value of the header with "Bearer" ?
> so instead of below
>
> *WWW-Authenticate: Bearer realm="Access to OFBiz", charset="UTF-8"*
>
> should we change it to
>
> *WWW-Authenticate: xBearer realm="Access to OFBiz", charset="UTF-8"*
>
> I did not test it, but I can just change it like this without testing if
> you can please confirm it will prevent the browser dialog.
>
> Thanks again for the review.
>
> Best,
> Girish
>
> On Wed, Jul 8, 2020 at 8:45 PM Shi Jinghai  wrote:
>
> > Hi Girish,
> >
> > Excellent.
> >
> > Only one suggestion from my quick view, when response code is 401, the
> > "WWW-Authenticate" header should be set to start with a word NOT “Bearer
> > …”, this can prevent web browser from popping up a login dialog.
> >
> > Kind Regards,
> >
> > Shi Jinghai
> >
> > From: Girish Vasmatkar<mailto:girish.vasmat...@hotwaxsystems.com>
> > Sent: 8 July 2020 20:47
> > To: dev@ofbiz.apache.org<mailto:dev@ofbiz.apache.org>
> > Subject: Re: REST implementation
> >
> > Hi Folks
> >
> > I have added support for OpenApi Integration. The updated code can be
> found
> > here : https://github.com/girishvasmatkar/ofbiz-rest-impl. Please go
> > through the changes and test at your end and let me know your thoughts.
> >
> > I am planning to do some refactoring and then raise initial PR for the
> > plug-in if the changes look good to everyone.
> >
> > Best,
> > Girish
> >
> >
> > On Wed, Jun 17, 2020 at 4:54 PM Carsten Schinzer <
> > cars...@dcs-verkaufssysteme.de> wrote:
> >
> > > Hi Girish,
> > >
> > > Thanks to clarify :)
> > > What caught me on the OpenAPI integration is the snippet quoted below
> and
> > > I realize I should have read it in context. Actually then it is aligned
> > > with my view.
> > >
> > > Warm regards
> > >
> > > Carsten
> > >
> > > >>>>> Initial implementation does not contain OpenApi integration yet.
> > And
> > >
> > >
> >
> >
>
>


Re: [VOTE] [RELEASE] Apache OFBiz 17.12.04 - Second Attempt

2020-07-05 Thread Girish Vasmatkar
Looks fine at my end -

 girish$ ./verify-ofbiz-release.sh apache-ofbiz-17.12.04.zip
sha check of file: apache-ofbiz-17.12.04.zip
Using sha file: apache-ofbiz-17.12.04.zip.sha512
apache-ofbiz-17.12.04.zip: 87FC62B2 8005BE59 FBB5AA69 6F0317C1 72273F02
EB39DD82 9738761C 694D644B F004C3A6 12E8DB41 512C726A 4F5E991F D80A6A84
4AADE640 7B726DC1 8E4182A8
apache-ofbiz-17.12.04.zip: 87FC62B2 8005BE59 FBB5AA69 6F0317C1 72273F02
EB39DD82 9738761C 694D644B F004C3A6 12E8DB41 512C726A 4F5E991F D80A6A84
4AADE640 7B726DC1 8E4182A8
sha checksum OK

GPG verification output
gpg: Signature made Sun Jul  5 13:38:45 2020 IST
gpg:                using RSA key 7A580908847AF9E0
gpg: Good signature from "Jacopo Cappellato (CODE SIGNING KEY) <jaco...@apache.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3545 C5E3 1CC2 D029 B2CC  AD06 7A58 0908 847A F9E0

Best,
Girish


On Sun, Jul 5, 2020 at 3:24 PM Jacques Le Roux 
wrote:

> Hi Jacopo,
>
> Something is wrong, I get that (downloaded twice, except the package which
> opens normally):
>
> $ ./verify-ofbiz-release.sh apache-ofbiz-17.12.04.zip
> sha check of file: apache-ofbiz-17.12.04.zip
> Using sha file: apache-ofbiz-17.12.04.zip.sha512
> apache-ofbiz-17.12.04.zip: 87FC62B2 8005BE59 FBB5AA69 6F0317C1 72273F02
> EB39DD82 9738761C 694D644B F004C3A6 12E8DB41 512C726A 4F5E991F D80A6A84
> 4AADE640 7B726DC1 8E4182A8
> apache-ofbiz-17.12.04.zip: 74F79D42 2746A409 9C0F2E0D 5F96C070 78C73D7B
> 4C681452 EB974F18 33E2E391 3E1C7D1F 2F0E8A44 C18AC8FF A9F86094 4C9F5D4D
> 5DDA3AB9 E2DC2057 CA0F2E33
> sha sums mismatch!
>
> GPG verification output
> gpg: Signature made Fri Jul  3 16:04:40 2020
> gpg:using RSA key 7A580908847AF9E0
> gpg: BAD signature from "Jacopo Cappellato (CODE SIGNING KEY) <
> jaco...@apache.org>"
>
> Could it be on my side? Anyone reproduce?
>
> Jacques
>
> Le 05/07/2020 à 10:23, Jacopo Cappellato a écrit :
> > This is the vote thread (second attempt) to publish a new bug fix release
> > from the "release17.12" branch. This new release, "Apache OFBiz
> 17.12.04",
> > will supersede all the previous releases from the same branch.
> >
> > The release files can be downloaded from here:
> > https://dist.apache.org/repos/dist/dev/ofbiz/
> > and are:
> > * apache-ofbiz-17.12.04.zip
> > * KEYS: text file with keys
> > * apache-ofbiz-17.12.04.zip.asc: the detached signature file
> > * apache-ofbiz-17.12.04.zip.sha512: checksum file
> >
> > Please download and test the zip file and its signatures (for
> instructions
> > on testing the signatures see
> http://www.apache.org/info/verification.html).
> >
> > Vote:
> > [ +1] release as Apache OFBiz 17.12.04
> > [ -1] do not release
> >
> > This vote will be open for 5 days.
> >
> > For more details about this process please read
> > http://www.apache.org/foundation/voting.html
>
>
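The checksum comparison both verification runs in this thread report, written out as an added example (it is not the project's verify-ofbiz-release.sh and not code from the thread). It assumes the .sha512 file uses the "name: HEX HEX ..." layout visible in the output above, with the digest possibly wrapped over several lines; the file names and payload in `demo()` are constructed.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

def parse_print_md(text):
    """Parse 'name: HEX HEX ...' (digest may wrap across lines) into (name, lowercase hex)."""
    name, sep, rest = text.partition(":")
    digest = re.sub(r"\s+", "", rest).lower()
    if not sep or not re.fullmatch(r"[0-9a-f]{128}", digest):
        raise ValueError("not a 'name: <SHA-512 hex>' checksum file")
    return name.strip(), digest

def sha512_of(path, chunk=1 << 20):
    """Hash the file in chunks so a large release archive is not read into memory at once."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(artifact, sha_file):
    """Return (ok, message) for an artifact checked against its .sha512 file."""
    name, expected = parse_print_md(Path(sha_file).read_text())
    if name != Path(artifact).name:
        return False, "checksum file is for a different artifact: " + name
    ok = hmac.compare_digest(sha512_of(artifact), expected)
    return ok, ("sha checksum OK" if ok else "sha sums mismatch!")

def demo():
    """Constructed sample: a stand-in file verified intact, then again after one byte changes."""
    with tempfile.TemporaryDirectory() as d:
        zip_path = Path(d) / "example-release.zip"  # constructed name, not a real release
        zip_path.write_bytes(b"constructed sample payload\n" * 1000)
        hexd = hashlib.sha512(zip_path.read_bytes()).hexdigest().upper()
        groups = [hexd[i:i + 8] for i in range(0, 128, 8)]
        # Same layout as the thread's output: 8-digit groups wrapped over three lines.
        wrapped = "\n".join(" ".join(groups[i:j]) for i, j in ((0, 5), (5, 13), (13, 16)))
        sha_path = Path(d) / "example-release.zip.sha512"
        sha_path.write_text(zip_path.name + ": " + wrapped + "\n")
        intact = verify(zip_path, sha_path)
        zip_path.write_bytes(zip_path.read_bytes()[:-1] + b"X")  # simulate a damaged download
        damaged = verify(zip_path, sha_path)
        return intact, damaged

if __name__ == "__main__":
    print(demo())
```

A matching checksum only shows that the download equals what the checksum file describes. The detached .asc signature, checked against a key from the KEYS file whose fingerprint has been confirmed, is what ties the archive to the release manager.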


Re: Getting Error when push code changes to GitHub

2020-12-26 Thread Girish Vasmatkar
Hello Yashwant

pre-commit hook is getting kicked in which runs checkstyleMain gradle task
to check code compliance with the rules defined in checkstyle
configuration. The error count is 327, which is probably more than the
threshold defined in the build.gradle.

tasks.checkstyleMain.maxErrors property governs the max threshold beyond
which build will fail.

Best Regards,
Girish


On Sat, Dec 26, 2020 at 4:03 PM Yashwant Dhakad <
yashwant.dha...@hotwaxsystems.com> wrote:

> Hello All,
> I am getting an error while pushing changes to the GitHub repository for
> the trunk. Do you have any idea what I am doing wrong? I run this command
> "git push origin OFBIZ-10577" and here is the error message:
>
> > Task :compileJava UP-TO-DATE
> > Task :compileGroovy UP-TO-DATE
> > Task :processResources UP-TO-DATE
> > Task :classes UP-TO-DATE
> > Task :checkstyleMain
> > Task :checkstyleMain FAILED
>
> FAILURE: Build failed with an exception.
>
> * What went wrong:
> Execution failed for task ':checkstyleMain'.
>   Checkstyle files with violations: 126
>   Checkstyle violations by severity: [error:327]
>
>
> Kind Regards,
> Yashwant Dhakad
> Sr. Technical Consultant
>
> *HotWax Systems*
> *Enterprise open source experts*
> cell: +91-9098240513
> office: 0731-409-3684
> http://www.hotwaxsystems.com
>


Re: Developing groovyScripts in the IDE

2021-01-18 Thread Girish Vasmatkar
Hi Daniel

I am on Eclipse most of the time and use the gradle eclipse plug-in to just
build the classpath. I have not faced this issue on Eclipse so can't speak
to that.

That said, I see no issues with selecting SDK or compiler for the Groovy
files. I do it on eclipse and it works without generating dupes. I launch
OFBiz from within IDE and can navigate to other OFBiz classes as well.

I'll also give it a try on IntelliJ and let you know how it goes.

Best,
Girish




On Mon, Jan 18, 2021 at 1:32 PM Pritam Kute 
wrote:

> Hello Emad,
>
> I have tried those changes and can confirm that those are working as
> expected. Thanks!
>
> Kind Regards,
> --
> Pritam Kute
>
>
> On Sun, Jan 17, 2021 at 9:01 PM Daniel Watford  wrote:
>
> > Hello,
> >
> > I use IntelliJ for ofbiz development, but have found it awkward to work
> > with groovyScript files.
> >
> > Each time I would view a groovyScript file IntelliJ would display a
> warning
> > that the file was not associated with a Groovy SDK and prompt me to
> select
> > one. Further, I couldn't navigate from a groovyScript file to other ofbiz
> > classes.
> >
> > IntelliJ imports the project script from the build.gradle file, so any
> > changes I might have manually made to ease IDE development of
> groovyScript
> > files were lost as soon as I reimported build.gradle.
> >
> > To address this I needed to add the groovyScript files to the gradle
> build
> > in some way, while at the same time preventing the files from being built
> > and turned into classes.
> >
> > Some minor changes to the build.gradle file have been added to a branch
> > here -
> > https://github.com/danwatford/ofbiz-framework/tree/groovyScript-gradle
> >
> > I have tested these build.gradle changes in IntelliJ and can now navigate
> > from groovyScript to ofbiz classes.
> >
> > Please could other IDE users (eclipse, netbeans, etc.) try out the changes
> > in the branch to see if the developer experience is improved when
> importing
> > the ofbiz project structure from the gradle build file.
> >
> > Thanks,
> >
> > Dan.
> >
> > --
> > Daniel Watford
> >
>

