Re: [VOTE] Do not release R17 and directly publish R18 instead.

2020-01-31 Thread Dennis Balkir

-1

Dennis Balkir

On 24.01.20 at 11:27, Jacques Le Roux wrote:

Hi,

R16 is now an old distribution and has almost reached its end of
support. We can soon expect a last release but we need to think about
the next to be released package.


Some would prefer to release R17 before releasing R18, some would 
prefer to bypass R17 release and directly publish R18 instead.


Vote:
[ +1] Do not release R17 and directly publish R18 instead.
[ -1]  Release R17 before releasing R18

We had already 3 months to discuss without reaching a consensus, so 
this vote will be only open for a week.


Note that it's not a formal vote to release R17 or R18, as that is 
another process documented at
https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz 



Thank you for your attention

Jacques



OFBiz Demo not usable

2019-02-04 Thread Dennis Balkir

Hi Devs,

it seems like the Trunk Demo is not usable at the moment.
Every time I open it up, I just get a non-styled version of the page,
with the menu all over it and nothing else. I tried clearing browser
data, but this didn't work either.


The login page looks normal though.

I don't really know what happened, maybe someone can take a look?

Thanks and regards,
Dennis



Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

2019-01-21 Thread Dennis Balkir

+1 for off as default

On 21.01.19 at 10:03, Taher Alkhateeb wrote:

+1 to default off

On Sat, Jan 19, 2019 at 7:25 PM Michael Brohl wrote:

No, we are mainly discussing if we should turn off the JWT functionality
in the default setting and what could be done to make the current
implementation more secure / fail proof.


On 19.01.19 at 16:54, Shi Jinghai wrote:

I've just reviewed the code of JWT implements. Sorry for my bad English, I'm a 
bit lost, are we discussing which one is more secure, the tomcat session or JWT?


-----Original Message-----
From: Michael Brohl [mailto:michael.br...@ecomify.de]
Sent: January 19, 2019 19:58
To: dev@ofbiz.apache.org
Subject: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

Hi all,

during my work in [1] I realized that the OOTB JWT authorization /
single sign on is switched on by default. The logic to retrieve the
secret key uses a default if there is no configuration in SystemProperty
or security.properties.

This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login
using a guessed userLoginId and this token (which can be retrieved from
the code).

I think we should secure this so that this cannot be done in an OOTB
setting with the following additions:

1. make it configurable through a property which is initially turned
off. I think this is better than commenting the preprocessor in/out
because it can be better integrated in (custom) configuration mechanisms.

2. don't use a default secret key if none is provided. The
user/administrator must explicitly set a secret key and should know what
he is doing then.

3. don't proceed if no secret key can be found (do not attempt a login
using the JWT)


I think that we should turn this feature off by default for the
following reasons:

1. it opens up a security hole if the user does not remove the
checkJWTLogin preprocessor (see above)

2. the functionality to have a single sign on between two OFBiz
instances will only be used in rare cases (I think). It is only designed
for this special case and cannot be used for standard single sign on
scenarios with other systems.

3. if it is not used, it will still try to read the authorization
header, key etc. *on every request*


What do you think?

Regards,

Michael


[1] https://issues.apache.org/jira/browse/OFBIZ-10814

[2] https://jwt.io/

[3] http://jwtbuilder.jamiekurtz.com/





--
Dennis Balkir
Consultant

Fon   +49 521 448 157-93
Fax   +49 521 448 157-99
Mobil +49 151 17762475
Xing  https://www.xing.com/profile/Dennis_Balkir/
LinkedIn  https://www.linkedin.com/in/dennis-balkir-165962165

Company and Management Headquarters:
ecomify GmbH, Gustav-Winkler-Str. 22, 33699 Bielefeld, Deutschland
Fon: +49 521 448157-90, Fax: +49 521 448157-99, www.ecomify.de

Court Registration: Amtsgericht Bielefeld HRB 41683
Chief Executive Officer: Martin Becker, Michael Brohl



Re: Successor for elRTE

2019-01-17 Thread Dennis Balkir

Thanks Hans,

but I think that this is not what we are looking for. It seems like
this editor does not support writing in HTML-Code, which is something
that should not be left out.



On 17.01.19 at 09:01, Hans Bakker wrote:

today i saw this one: https://prosemirror.net/

interesting?




Remove Sfa menu-items "Competitors & Partners" and "Documents"

2019-01-16 Thread Dennis Balkir

Hi to all,

I noticed, that two of the AppBar menu-items in the Sfa application are 
not functional and seem not to serve any further purpose.
In this issue https://issues.apache.org/jira/browse/OFBIZ-2364, some
functionality was in development, but it looks like no one touched it
since 2009.


My proposal is to remove the mentioned menu-items, since they are only 
defined with "#" as their destination point. If someone wants to work on 
this feature in the future, these links can be added again.


The suggestion would be to wait for a week, and if there are no 
complaints, to remove the items.




Confluence Comment Section renders gigantic images

2018-08-09 Thread Dennis Balkir
Hi Devs,

 

I just noticed, that on the main page of the ofbiz confluence in the comment 
section are gigantic images rendered over half the page.

Take a look:

https://cwiki.apache.org/confluence/display/OFBIZ/Home

 

Maybe this is a bug?

Thanks

 




Re: Minilang to Groovy: login-required tag questions

2018-01-25 Thread Dennis Balkir
Thanks to both of you, this actually helped me to understand this a bit further.
Since this method has the auth-tag set in the service description I will let
the service do the authentication, just as you suggested.


On 2018/01/24 23:27:34, Nicolas Malin <n...@nereide.fr> wrote:
> As simplify the permission management, I prefer to manage all
> authentication access by the SOA. So only service will manage the
> authentication.
>
> So if you convert a minilang to groovy report the problematic to the
> service definition related. Otherwise normally you haven't this problem
> on groovy. Maybe I missed something, don't hesitate to send a patch with
> the problem not solved for help my mind :)
>
> Nicolas
>
>
> On 22/01/2018 09:17, Jacques Le Roux wrote:
> > Hi Dennis,
> >
> > That's a good question! I just saw that you also put a comment in the
> > current OFBIZ-10031 patch:
> >
> > // login-required tag?
> >
> > If we refer to the available documentation we have
> >
> > "Require a user login to run this method. Defaults to "true".
> > Optional. Attribute type:  constant."
> >
> > and
> >
> > "If auth=false when you hit the request, even if you're not logged in,
> > it will allow you to go through. If auth=true, when you hit the
> > request if you're not logged in it will forward you over to the login
> > page"
> >
> > The latter comes from an old David's E. Jones document: the "Apache
> > OFBiz Advanced Framework - Training Video Transcription"
> >
> > Here we have 2 options
> >
> > 1. We consider it simply as a service and then login-required is not
> > needed. This is for instance what has been done for
> >    getPartyAccountingPreferences in
> > http://svn.apache.org/viewvc?view=revision=1796731 There the
> > default (login-required=true) was used
> > 2. It seems redundant if you look at it from a service POV. But a
> > simple method can also be used in another context and I guess that's
> > why we have
> >    this apparent redundancy. So we can do only 1 if it's only used as
> > a service (I guess for a service implementation much of the time, if not
> >    always) else we need to change the call (in other simple-method/s)
> > to service call/s and then do 1.
> >
> > About
> >
> > >Where does this get checked and when?
> >
> > It's checked in SimpleMethod.exec(MethodContext methodContext) But
> > given my proposition above it should not be needed to port this part.
> >
> > About auth=true when you are not in the context of an UI (jobs):
> > runShoppingListAutoReorder shows that's then userLogin is supposed to
> > be in context.
> > I did not check but I guess, if auth=true, at this stage the service
> > engine would have already rejected the call if the userLogin is not in
> > the context.
> >
> > More thoughts are welcome.
> >
> > Jacques
> >
> > On 05/01/2018 at 14:06, Dennis Balkir wrote:
> >> Hi Devs,
> >>
> >> at the moment I am doing some Minilang to Groovy conversions
> >> (CategoryServices to be precise) and I found a simple method
> >> (getAssociatedProductsList), which set the tag „login-required“ to
> >> false.
> >> I then checked the service-definition of this method (which it had),
> >> and there it also sets the „auth“ tag to false.
> >> I tried to find, where these tags get checked in the Engine-Codes,
> >> specifically the serviceengine.xml, SimpleServiceEngine.java,
> >> ServiceEngine.java and SimpleMethod.java, but I cannot find for sure,
> >> where the authentication gets checked.
> >>
> >> The question for me is now: Is it necessary for the simple method to
> >> have the „login-required“ tag set to false, if the service definition
> >> set "auth" to false already?
> >> Where does this get checked and when?
> >> And of course: When the set of the „login-required“ tag in the
> >> simple-method is necessary, as well as the set „auth“ tag, how do I
> >> implement the „login-required=false“ in Groovy?
> >>
> >> Thanks in advance for your help
> >>
> >> Kind regards


-- 
Dennis Balkir
Trainee

Fon +49 521 448 157-90
Fax +49 521 448 157-99

Company and Management Headquarters:
ecomify GmbH, Gustav-Winkler-Str. 22, 33699 Bielefeld, Deutschland
Fon: +49 521 448157-90, Fax: +49 521 448157-99, www.ecomify.de

Court Registration: Amtsgericht Bielefeld HRB 41683
Chief Executive Officer: Martin Becker, Michael Brohl



Conversion of CategoryServices.xml to Groovy

2018-01-16 Thread Dennis Balkir
Hi Devs,

I just uploaded my conversion-attempt of CatalogServices.xml from Minilang to 
Groovy.
It would be helpful if one (or two) of you takes a look at what I’ve done, and 
give me a short (or longer) feedback of what is good and what isn’t.
I hope this is in good condition as it is now, since all the services seem to 
work.

Here is the issue with the patchfile:
https://issues.apache.org/jira/browse/OFBIZ-10031

Thanks in advance and kind regards



Minilang to Groovy: login-required tag questions

2018-01-05 Thread Dennis Balkir
Hi Devs,

at the moment I am doing some Minilang to Groovy conversions (CategoryServices 
to be precise) and I found a simple method (getAssociatedProductsList), which 
set the tag „login-required“ to false.
I then checked the service-definition of this method (which it had), and there 
it also sets the „auth“ tag to false.
I tried to find, where these tags get checked in the Engine-Codes, specifically 
the serviceengine.xml, SimpleServiceEngine.java, ServiceEngine.java and 
SimpleMethod.java, but I cannot find for sure, where the authentication gets 
checked.

The question for me is now: Is it necessary for the simple method to have the 
„login-required“ tag set to false, if the service definition set "auth" to 
false already?
Where does this get checked and when?
And of course: When the set of the „login-required“ tag in the simple-method is 
necessary, as well as the set „auth“ tag, how do I implement the 
„login-required=false“ in Groovy?

Thanks in advance for your help

Kind regards



Re: Please add me as an Apache OFBiz Contributor

2017-12-08 Thread Dennis Balkir
Hi Devs,

I just recognised that another Email, which I used as a draft for my own mail
I just sent, somehow managed to get copied inside my own mail.
Please ignore the upper half of my other mail and just focus on this part:

I would like to ask you to add me as an official Apache OFBiz Contributor in
order to add and/or edit the Confluence-Wiki-pages.
My Confluence username is:

dennis.balkir


Thanks and sorry for the inconvenience

Dennis

On 2017-12-08 15:58, Dennis Balkir <d...@ecomify.de> wrote:
> Hello everyone, I would like to ask you to add me as Apache OFBiz contributor
> in order to add my eCommerce project to the Confluence relative page. My
> Confluence account username is : giulio.speri Thank you very much! Kind
> regards, Giulio Speri
> Hi Devs,
>
> I would like to ask you to add me as an official Apache OFBiz Contributor in
> order to add and/or edit the Confluence-Wiki-pages.
> My Confluence username is:
>
> dennis.balkir
>
> Thanks and kind regards





Please add me as an Apache OFBiz Contributor

2017-12-08 Thread Dennis Balkir
Hello everyone, I would like to ask you to add me as Apache OFBiz contributor 
in order to add my eCommerce project to the Confluence relative page. My 
Confluence account username is : giulio.speri Thank you very much! Kind 
regards, Giulio Speri
Hi Devs,

I would like to ask you to add me as an official Apache OFBiz Contributor in 
order to add and/or edit the Confluence-Wiki-pages.
My Confluence username is:

dennis.balkir

Thanks and kind regards



Translating simple-method codes to Groovy

2017-11-28 Thread Dennis Balkir
Hello Devs,

while converting some of the Mini-Lang files to Groovy I have encountered a 
problem.

I started converting the file CatalogServices.xml to Groovy, as I noticed, that 
one of its methods made a simple-method-call for the method 
„genericBasePermissionCheck“ from CommonPermissionServices.xml.
Is there an equivalent for simple-method-calls which I can use in Groovy or do 
I have to use a service-call, and if the latter, is there some things I have to 
know when changing from a simple-method-call to a service-call?

Best regards,
Dennis Balkir