Re: Reply: URL Issue

2024-08-31 Thread Jacques Le Roux

That's interesting, because locally I initially did not find any on mine, but finally found one (and only one among 9 logs):

127.0.0.1 - - [28/Aug/2024:20:59:40 +0200] "GET /common/js/jquery/plugins/jsTree/themes/default/d.png HTTP/2.0" 200 7635 "https://localhost:8443/common/js/jquery/plugins/jsTree/themes/default/style.css" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
127.0.0.1 - - [28/Aug/2024:21:00:10 +0200] "GET /example/control/FindExample%3FexternalLoginKey=EL8b0c355f-d7a6-4a59-9b34-bb0fa6bd0d05&sortField=description&noConditionFind=N;jsessionid=7C492ACEDE914E38A49E17F9151F02B2.jvm1 HTTP/2.0" 500 1169 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
127.0.0.1 - - [28/Aug/2024:21:00:11 +0200] "GET /favicon.ico HTTP/2.0" 404 682 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
127.0.0.1 - - [28/Aug/2024:21:00:11 +0200] "GET /favicon.ico HTTP/2.0" 404 682 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"
127.0.0.1 - - [28/Aug/2024:21:00:12 +0200] "GET /favicon.ico HTTP/2.0" 404 682 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0"


Like the others, it's an HTTP 500, rejected for security reasons, actually unrelated to jsessionid. The log stops there, so it could be a side effect. The session should no longer exist after that. It's the end of the day; closing OFBiz, not sure how, maybe just switching the computer off.


Still a mystery, an annoying one; it's not good to see the jsessionid in the log :/

Jacques

On 31/08/2024 at 15:56, Omar Abdullwahhab wrote:

I didn't understand well,
But it's a local development machine.
Not hosted in web or cloud servers.

On Sat, Aug 31, 2024, 4:21 PM Jacques Le Roux wrote:


Thanks Omar,

Is that local or on a server?

Jacques

On 31/08/2024 at 14:17, Omar Abdullwahhab wrote:

Hi Jacques,
Here are a few lines of the logs containing jsessionid

127.0.0.1 - - [26/Aug/2024:20:51:14 +0300] "GET /accounting/control/ListCompanies HTTP/2.0" 200 5147 "https://localhost:8443/accounting/control/globalGLSettings" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:18 +0300] "GET /rainbowstone/RAINBOWSTONE_SAPHIR.less HTTP/2.0" 200 1560 "https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:19 +0300] "GET /ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4 HTTP/2.0" 200 4571 "https://localhost:8443/accounting/control/ListCompanies" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:24 +0300] "GET /facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03 HTTP/2.0" 200 4327 "https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:29 +0300] "POST /facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:36 +0300] "POST /facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET /rainbowstone/RAINBOWSTONE_SAPHIR.less HTTP/2.0" 200 1560 "https://localhost:8443/facility/control/FindFacility" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET /facility/control/FindFacility HTTP/2.0" 200 4274 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"

Regards

On Sat, Aug 31, 2024 at 2:30 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:


Hi Omar,

Since Java 7:


https://docs.oracle.com/javaee/7/api/javax/servlet/annotation/WebListener.html

In OFBiz, ControlEventListener implements HttpSessionListener

Did you check, locally or on a server, whether you find a jsessionid in your
access_logs (trunk)?

Jacques

On 31/08/2024 at 13:07, Omar Abdullwahhab wrote:

Hi Jacques, Johan,

According to my investigation of this class (WebAppServletContextListener.java
<https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletCo
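As an added example (not code from this thread or from OFBiz), here is a small Python checker for the kind of access_log search Jacques and Omar are doing above: it parses Combined Log Format lines, flags requests whose path carries a `;jsessionid=` path parameter or a percent-encoded reserved character such as the `%3F` seen in the rejected lines, and redacts the session id so lines can be shared on a list. The sample lines and session ids are constructed, and the set of encoded characters it checks is an assumption of this example, not the list used by OFBiz's ControlFilter.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Combined Log Format, as used by the access_log lines quoted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Servlet URL rewriting puts the session id in a path parameter:
#   /facility/control/EditFacility;jsessionid=<hex>[.jvmRoute]
SESSION_RE = re.compile(r';jsessionid=([0-9A-F]+)(\.[\w-]+)?', re.IGNORECASE)

# Percent-encoded reserved characters to flag. Assumption for this example:
# ? ; / \ and % (the %3F case is the one visible in the rejected log lines);
# this is NOT the list the OFBiz ControlFilter uses.
ENCODED_RESERVED_RE = re.compile(r'%(3F|3B|2F|5C|25)', re.IGNORECASE)

# Constructed sample, modelled on the lines quoted above (ids are made up).
SAMPLE_LOG = """\
127.0.0.1 - - [28/Aug/2024:20:59:40 +0200] "GET /common/js/jquery/plugins/jsTree/themes/default/d.png HTTP/2.0" 200 7635 "https://localhost:8443/common/js/jquery/plugins/jsTree/themes/default/style.css" "Mozilla/5.0 (X11; Linux x86_64)"
127.0.0.1 - - [28/Aug/2024:21:00:10 +0200] "GET /example/control/FindExample%3FexternalLoginKey=EL00000000-0000-4000-8000-000000000000&sortField=description;jsessionid=0123456789ABCDEF0123456789ABCDEF.jvm1 HTTP/2.0" 500 1169 "-" "Mozilla/5.0 (X11; Linux x86_64)"
127.0.0.1 - - [28/Aug/2024:21:00:29 +0200] "POST /facility/control/EditFacility;jsessionid=0123456789ABCDEF0123456789ABCDEF.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main" "Mozilla/5.0 (X11; Linux x86_64)"
127.0.0.1 - - [28/Aug/2024:21:00:11 +0200] "GET /favicon.ico HTTP/2.0" 404 682 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    status: int
    method: str
    target: str
    issues: Tuple[str, ...]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one Combined Log Format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def inspect_target(target: str) -> List[str]:
    """Return the indicators found in a request target (path plus optional query)."""
    # The ;jsessionid= path parameter sits in the path, before any literal '?'.
    path = target.split('?', 1)[0]
    issues = []
    if SESSION_RE.search(path):
        issues.append('session-id-in-url')
    if ENCODED_RESERVED_RE.search(path):
        issues.append('encoded-reserved-char')
    return issues


def scan(log_text: str) -> List[Finding]:
    """Scan a whole access_log; one Finding per line that carries an indicator."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue  # not an access_log line (e.g. a grep file prefix or junk)
        issues = inspect_target(rec['target'])
        if issues:
            findings.append(Finding(line_no, int(rec['status']), rec['method'],
                                    rec['target'], tuple(issues)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count how often each indicator occurs across the findings."""
    counts: Counter = Counter()
    for f in findings:
        counts.update(f.issues)
    return dict(counts)


def redact(line: str) -> str:
    """Mask the session id so a log line can be quoted without leaking it."""
    return SESSION_RE.sub(lambda m: ';jsessionid=<redacted>' + (m.group(2) or ''), line)


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f'line {f.line_no}: {f.method} status={f.status} {", ".join(f.issues)}')
        print('  ' + redact(f.target))
    print(summarize(scan(SAMPLE_LOG)))
```

On the constructed sample both flagged lines are the HTTP 500 ones, which matches what the thread observes: the session id in the URL and the rejection go together but only the encoded character is present in one of them.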

Re: Reply: URL Issue

2024-08-31 Thread Omar Abdullwahhab
I didn't understand well,
But it's a local development machine.
Not hosted in web or cloud servers.

On Sat, Aug 31, 2024, 4:21 PM Jacques Le Roux wrote:

> Thanks Omar,
>
> Is that local or on a server?
>
> Jacques
>
> On 31/08/2024 at 14:17, Omar Abdullwahhab wrote:
> > Hi Jacques,
> > Here are a few lines of the logs containing jsessionid
> >
> > 127.0.0.1 - - [26/Aug/2024:20:51:14 +0300] "GET /accounting/control/ListCompanies HTTP/2.0" 200 5147 "https://localhost:8443/accounting/control/globalGLSettings" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
> > 127.0.0.1 - - [26/Aug/2024:20:51:18 +0300] "GET /rainbowstone/RAINBOWSTONE_SAPHIR.less HTTP/2.0" 200 1560 "https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
> > 127.0.0.1 - - [26/Aug/2024:20:51:19 +0300] "GET /ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4 HTTP/2.0" 200 4571 "https://localhost:8443/accounting/control/ListCompanies" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
> > 127.0.0.1 - - [26/Aug/2024:20:51:24 +0300] "GET /facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03 HTTP/2.0" 200 4327 "https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
> > 127.0.0.1 - - [26/Aug/2024:20:51:29 +0300] "POST /facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
> > 127.0.0.1 - - [26/Aug/2024:20:51:36 +0300] "POST /facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
> > 127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET /rainbowstone/RAINBOWSTONE_SAPHIR.less HTTP/2.0" 200 1560 "https://localhost:8443/facility/control/FindFacility" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
> > 127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET /facility/control/FindFacility HTTP/2.0" 200 4274 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
> >
> > Regards
> >
> > On Sat, Aug 31, 2024 at 2:30 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
> >
> >> Hi Omar,
> >>
> >> Since Java 7:
> >>
> https://docs.oracle.com/javaee/7/api/javax/servlet/annotation/WebListener.html
> >>
> >> In OFBiz, ControlEventListener implements HttpSessionListener
> >>
> >> Did you check, locally or on a server, whether you find a jsessionid in your
> >> access_logs (trunk)?
> >>
> >> Jacques
> >>
> >> On 31/08/2024 at 13:07, Omar Abdullwahhab wrote:
> >>> Hi Jacques, Johan,
> >>>
> >>> According to my investigation of this class (WebAppServletContextListener.java
> >>> <https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41>)
> >>>
> >>> It seems that this listener is never registered, so that it has no
> >>> effect.
> >>> Note that it's annotated with
> >>> @WebListener
> >>>
> >>> So confirm whether I am correct or wrong.
> >>>
> >>> Regards
> >>>
> >>> On Fri, Aug 30, 2024 at 6:30 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
> >>>
>  Hi,
> 
>  Actually it's not related to embedded Tomcat in OFBiz.
> 
>  Since 2017 in WebAppServletContextListener.java we use this line
> 
>  https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41
> 
>  If you test locally or maybe on another server than the demo one, you will not
>  find in the access_log files any line similar to the one below. At least I did
>  not, and that's logical since we use cookies for that.
> 
>  I'm not sure what the reason is yet. If you could confirm that it's not
>  reproducible except on the demo server, that would help to narrow down the
>  possibilities.
> 
>  TIA
> 
>  Jacques
> 
>  On 29/08/2024 at 10:17, Jacques Le Roux wrote:
> > Hi,
> >
> > Finally it's not that clear.
> >
> > As can be fou

Re: Reply: URL Issue

2024-08-31 Thread Jacques Le Roux

Thanks Omar,

Is that local or on a server?

Jacques

On 31/08/2024 at 14:17, Omar Abdullwahhab wrote:

Hi Jacques,
Here are a few lines of the logs containing jsessionid

127.0.0.1 - - [26/Aug/2024:20:51:14 +0300] "GET /accounting/control/ListCompanies HTTP/2.0" 200 5147 "https://localhost:8443/accounting/control/globalGLSettings" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:18 +0300] "GET /rainbowstone/RAINBOWSTONE_SAPHIR.less HTTP/2.0" 200 1560 "https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:19 +0300] "GET /ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4 HTTP/2.0" 200 4571 "https://localhost:8443/accounting/control/ListCompanies" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:24 +0300] "GET /facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03 HTTP/2.0" 200 4327 "https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:29 +0300] "POST /facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:36 +0300] "POST /facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET /rainbowstone/RAINBOWSTONE_SAPHIR.less HTTP/2.0" 200 1560 "https://localhost:8443/facility/control/FindFacility" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET /facility/control/FindFacility HTTP/2.0" 200 4274 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"

Regards

On Sat, Aug 31, 2024 at 2:30 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:


Hi Omar,

Since Java 7:
https://docs.oracle.com/javaee/7/api/javax/servlet/annotation/WebListener.html

In OFBiz, ControlEventListener implements HttpSessionListener

Did you check, locally or on a server, whether you find a jsessionid in your
access_logs (trunk)?

Jacques

On 31/08/2024 at 13:07, Omar Abdullwahhab wrote:

Hi Jacques, Johan,

According to my investigation of this class (WebAppServletContextListener.java
<https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41>)

It seems that this listener is never registered, so that it has no
effect.
Note that it's annotated with
@WebListener

So confirm whether I am correct or wrong.

Regards

On Fri, Aug 30, 2024 at 6:30 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:


Hi,

Actually it's not related to embedded Tomcat in OFBiz.

Since 2017 in WebAppServletContextListener.java we use this line

https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41

If you test locally or maybe on another server than the demo one, you will not
find in the access_log files any line similar to the one below. At least I did
not, and that's logical since we use cookies for that.

I'm not sure what the reason is yet. If you could confirm that it's not
reproducible except on the demo server, that would help to narrow down the
possibilities.

TIA

Jacques

On 29/08/2024 at 10:17, Jacques Le Roux wrote:

Hi,

Finally it's not that clear.

As can be found in trunk demo access_logs, such URLs exist at least since June 17 2024.

access_log.2024-06-17:28:66.249.75.98 - - [17/Jun/2024:00:11:51 +] "GET /partymgr/control/main%3FexternalLoginKey=ELf5183769-2759-476b-946c-2a70afe3c42d&sortField=partyId;jsessionid=EBB57C6C3C345E70501827509E05744C.jvm1 HTTP/1.1" 500 1165 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.175 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

As you can see, they have been rejected (HTTP 500) since then too. Actually I guess they have existed for a very long time. I have no idea yet why and how these URLs are generated.

The rejection is "new" and

Re: Reply: URL Issue

2024-08-31 Thread Omar Abdullwahhab
Hi Jacques,
Here are a few lines of the logs containing jsessionid

127.0.0.1 - - [26/Aug/2024:20:51:14 +0300] "GET /accounting/control/ListCompanies HTTP/2.0" 200 5147 "https://localhost:8443/accounting/control/globalGLSettings" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:18 +0300] "GET /rainbowstone/RAINBOWSTONE_SAPHIR.less HTTP/2.0" 200 1560 "https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:19 +0300] "GET /ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4 HTTP/2.0" 200 4571 "https://localhost:8443/accounting/control/ListCompanies" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:24 +0300] "GET /facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03 HTTP/2.0" 200 4327 "https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:29 +0300] "POST /facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:36 +0300] "POST /facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET /rainbowstone/RAINBOWSTONE_SAPHIR.less HTTP/2.0" 200 1560 "https://localhost:8443/facility/control/FindFacility" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET /facility/control/FindFacility HTTP/2.0" 200 4274 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"

Regards

On Sat, Aug 31, 2024 at 2:30 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:

> Hi Omar,
>
> Since Java 7:
> https://docs.oracle.com/javaee/7/api/javax/servlet/annotation/WebListener.html
>
> In OFBiz, ControlEventListener implements HttpSessionListener
>
> Did you check, locally or on a server, whether you find a jsessionid in your
> access_logs (trunk)?
>
> Jacques
>
> On 31/08/2024 at 13:07, Omar Abdullwahhab wrote:
> > Hi Jacques, Johan,
> >
> > According to my investigation of this class (WebAppServletContextListener.java
> > <https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41>)
> >
> > It seems that this listener is never registered, so that it has no
> > effect.
> > Note that it's annotated with
> > @WebListener
> >
> > So confirm whether I am correct or wrong.
> >
> > Regards
> >
> > On Fri, Aug 30, 2024 at 6:30 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
> >
> >> Hi,
> >>
> >> Actually it's not related to embedded Tomcat in OFBiz.
> >>
> >> Since 2017 in WebAppServletContextListener.java we use this line
> >>
> >> https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41
> >>
> >> If you test locally or maybe on another server than the demo one, you will not
> >> find in the access_log files any line similar to the one below. At least I did
> >> not, and that's logical since we use cookies for that.
> >>
> >> I'm not sure what the reason is yet. If you could confirm that it's not
> >> reproducible except on the demo server, that would help to narrow down the
> >> possibilities.
> >>
> >> TIA
> >>
> >> Jacques
> >>
> >> On 29/08/2024 at 10:17, Jacques Le Roux wrote:
> >>> Hi,
> >>>
> >>> Finally it's not that clear.
> >>>
> >>> As can be found in trunk demo access_logs, such URLs exist at least
> >>> since June 17 2024.
> >>> access_log.2024-06-17:28:66.249.75.98 - - [17/Jun/2024:00:11:51 +] "GET /partymgr/control/main%3FexternalLoginKey=ELf5183769-2759-476b-946c-2a70afe3c42d&sortField=partyId;jsessionid=EBB57C6C3C345E70501827509E05744C.jvm1 HTTP/1.1" 500 1165 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.175 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
> >>> As you can see they are rejected (H

Re: Reply: URL Issue

2024-08-31 Thread Jacques Le Roux

Hi Omar,

Since Java 7:
https://docs.oracle.com/javaee/7/api/javax/servlet/annotation/WebListener.html

In OFBiz, ControlEventListener implements HttpSessionListener

Did you check, locally or on a server, whether you find a jsessionid in your
access_logs (trunk)?

Jacques

On 31/08/2024 at 13:07, Omar Abdullwahhab wrote:

Hi Jacques, Johan,

According to my investigation of this class (WebAppServletContextListener.java)

It seems that this listener is never registered, so that it has no
effect.
Note that it's annotated with
@WebListener

So confirm whether I am correct or wrong.

Regards

On Fri, Aug 30, 2024 at 6:30 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:


Hi,

Actually it's not related to embedded Tomcat in OFBiz.

Since 2017 in WebAppServletContextListener.java we use this line

https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41

If you test locally or maybe on another server than the demo one, you will not
find in the access_log files any line similar to the one below. At least I did
not, and that's logical since we use cookies for that.

I'm not sure what the reason is yet. If you could confirm that it's not
reproducible except on the demo server, that would help to narrow down the
possibilities.

TIA

Jacques

On 29/08/2024 at 10:17, Jacques Le Roux wrote:

Hi,

Finally it's not that clear.

As can be found in trunk demo access_logs, such URLs exist at least since June 17 2024.

access_log.2024-06-17:28:66.249.75.98 - - [17/Jun/2024:00:11:51 +] "GET /partymgr/control/main%3FexternalLoginKey=ELf5183769-2759-476b-946c-2a70afe3c42d&sortField=partyId;jsessionid=EBB57C6C3C345E70501827509E05744C.jvm1 HTTP/1.1" 500 1165 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.175 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

As you can see, they have been rejected (HTTP 500) since then too. Actually I guess they have existed for a very long time. I have no idea yet why and how these URLs are generated.

The rejection is "new" and due to a security fix done on May 20 2024 with OFBIZ-13092 "Prevent special encoded characters sequences in URLs".

So we need to clearly define steps to manually generate these URLs. Then, if it's OK, we could allow URLs containing ";jsessionid=" to bypass the security filter.

I copy this email to the dev ML because of its importance

Jacques


On 28/08/2024 at 15:27, Jacques Le Roux wrote:

Thanks Guys,

I could not reproduce it yet, but I think we already have enough clues to fix that.
Also I can find a lot of them in the trunk demo log. That will be helpful too.

Jacques

On 27/08/2024 at 16:20, 雷咩咩 wrote:

I can reproduce it by logging in with admin, randomly clicking several places, then when clicking logout I see this error:


HTTP Status 500 – Internal Server Error
Type Exception Report

Message For security reason this URL is not accepted

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

java.lang.RuntimeException: For security reason this URL is not accepted
org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:144)
org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)

Note The full stack trace of the root cause is available in the server logs.

Apache Tomcat/9.0.91




Regards,
Yang


-- Original Message --
From: "user"
which
can also be replicated within the demo.
This issue normally occurs as you navigate to a module after login. It is
not easily replicable; once you refresh it works and does not occur again.
Replicated the issue in multiple modules.
It usually adds ;jsessionid=##.jvm1 to all the URLs and
this causes a navigation issue.
Once you submit a form or try to click the logout link, a 500 Internal Server Error is returned.
As an example:
https://demo-stable.ofbiz.apache.org/partymgr/control/main

I have screenshots available, however I am not able to attach them to this mail.

Please let me know if you need me to upload it somewhere.

Kind Regards,
Johan Cronjé




Re: Reply: URL Issue

2024-08-31 Thread Omar Abdullwahhab
Hi Jacques, Johan,

According to my investigation of this class (WebAppServletContextListener.java)

It seems that this listener is never registered, so that it has no
effect.
Note that it's annotated with
@WebListener

So confirm whether I am correct or wrong.

Regards

On Fri, Aug 30, 2024 at 6:30 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:

> Hi,
>
> Actually it's not related to embedded Tomcat in OFBiz.
>
> Since 2017 in WebAppServletContextListener.java we use this line
>
> https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41
>
> If you test locally or maybe on another server than the demo one, you will not
> find in the access_log files any line similar to the one below. At least I did
> not, and that's logical since we use cookies for that.
>
> I'm not sure what the reason is yet. If you could confirm that it's not
> reproducible except on the demo server, that would help to narrow down the
> possibilities.
>
> TIA
>
> Jacques
>
> On 29/08/2024 at 10:17, Jacques Le Roux wrote:
> > Hi,
> >
> > Finally it's not that clear.
> >
> > As can be found in trunk demo access_logs, such URLs exist at least since June 17 2024.
> >
> > access_log.2024-06-17:28:66.249.75.98 - - [17/Jun/2024:00:11:51 +] "GET /partymgr/control/main%3FexternalLoginKey=ELf5183769-2759-476b-946c-2a70afe3c42d&sortField=partyId;jsessionid=EBB57C6C3C345E70501827509E05744C.jvm1 HTTP/1.1" 500 1165 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.175 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
> >
> > As you can see, they have been rejected (HTTP 500) since then too. Actually I guess they have existed for a very long time. I have no idea yet why and how these URLs are generated.
> >
> > The rejection is "new" and due to a security fix done on May 20 2024 with OFBIZ-13092 "Prevent special encoded characters sequences in URLs".
> >
> > So we need to clearly define steps to manually generate these URLs. Then, if it's OK, we could allow URLs containing ";jsessionid=" to bypass the security filter.
> >
> > I copy this email to the dev ML because of its importance
> >
> > Jacques
> >
> >
> > On 28/08/2024 at 15:27, Jacques Le Roux wrote:
> >> Thanks Guys,
> >>
> >> I could not reproduce it yet, but I think we already have enough clues to fix that.
> >> Also I can find a lot of them in the trunk demo log. That will be helpful too.
> >>
> >> Jacques
> >>
> >> On 27/08/2024 at 16:20, 雷咩咩 wrote:
> >>> I can reproduce it by logging in with admin, randomly clicking several places, then when clicking logout I see this error:
> >>>
> >>>
> >>> HTTP Status 500 – Internal Server Error
> >>> Type Exception Report
> >>>
> >>> Message For security reason this URL is not accepted
> >>>
> >>> Description The server encountered an unexpected condition that prevented it from fulfilling the request.
> >>>
> >>> Exception
> >>>
> >>> java.lang.RuntimeException: For security reason this URL is not accepted
> >>> org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:144)
> >>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
> >>>
> >>> Note The full stack trace of the root cause is available in the server logs.
> >>>
> >>> Apache Tomcat/9.0.91
> >>>
> >>>
> >>>
> >>>
> >>> Regards,
> >>> Yang
> >>>
> >>>
> >>> -- Original Message --
> >>> From: "user"
> >>> Sent: Tuesday, 27 August 2024, 9:12 PM
> >>> To: "user"
> >>> Subject: URL Issue
> >>>
> >>>
> >>>
> >>> Hi,
> >>>
> >>> Not sure if anyone would be able to assist me, I have found an issue which
> >>> can also be replicated within the demo.
> >>> This issue normally occurs as you navigate to a module after login. It is
> >>> not easily replicable; once you refresh it works and does not occur again.
> >>> Replicated the issue in multiple modules.
> >>> It usually adds ;jsessionid=##.jvm1 to all the URLs and
> >>> this causes a navigation issue.
> >>> Once you submit a form or try to click the logout link, a 500 Internal
> >>> Server Error is returned.
> >>> As an example:
> >>> https://demo-stable.ofbiz.apache.org/partymgr/control/main
> >>>
> >>> I have screenshots available, however I am not able to attach them to this mail.
> >>> Please let me know if you need me to upload it somewhere.
> >>>
> >>> Kind Regards,
> >>> Johan Cronjé



-- 
Omar Abu-Arab
Java Engineer


Re: Reply: URL Issue

2024-08-30 Thread Jacques Le Roux

Hi,

Actually it's not related to embedded Tomcat in OFBiz.

Since 2017 in WebAppServletContextListener.java we use this line

https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41

If you test locally or maybe on another server than the demo one, you will not find in the access_log files any line similar to the one below. At least I did not, and that's logical since we use cookies for that.

I'm not sure what the reason is yet. If you could confirm that it's not reproducible except on the demo server, that would help to narrow down the possibilities.

TIA

Jacques

On 29/08/2024 at 10:17, Jacques Le Roux wrote:

Hi,

Finally it's not that clear.

As can be found in trunk demo access_logs, such URLs exist at least since June 17 2024.

access_log.2024-06-17:28:66.249.75.98 - - [17/Jun/2024:00:11:51 +] "GET /partymgr/control/main%3FexternalLoginKey=ELf5183769-2759-476b-946c-2a70afe3c42d&sortField=partyId;jsessionid=EBB57C6C3C345E70501827509E05744C.jvm1 HTTP/1.1" 500 1165 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.175 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

As you can see, they have been rejected (HTTP 500) since then too. Actually I guess they have existed for a very long time. I have no idea yet why and how these URLs are generated.

The rejection is "new" and due to a security fix done on May 20 2024 with OFBIZ-13092 "Prevent special encoded characters sequences in URLs".

So we need to clearly define steps to manually generate these URLs. Then, if it's OK, we could allow URLs containing ";jsessionid=" to bypass the security filter.


I copy this email to the dev ML because of its importance

Jacques


On 28/08/2024 at 15:27, Jacques Le Roux wrote:

Thanks Guys,

I could not reproduce it yet, but I think we already have enough clues to fix that.
Also I can find a lot of them in the trunk demo log. That will be helpful too.

Jacques

On 27/08/2024 at 16:20, 雷咩咩 wrote:

I can reproduce it by logging in with admin, randomly clicking several places, then when clicking logout I see this error:


HTTP Status 500 – Internal Server Error
Type Exception Report

Message For security reason this URL is not accepted

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

java.lang.RuntimeException: For security reason this URL is not accepted
org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:144)
org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)

Note The full stack trace of the root cause is available in the server logs.

Apache Tomcat/9.0.91




Regards,
Yang


-- Original Message --
From: "user" https://demo-stable.ofbiz.apache.org/partymgr/control/main

I have screenshots available, however I am not able to attach them to this mail.
Please let me know if you need me to upload it somewhere.

Kind Regards,
Johan Cronjé

Re: Reply: URL Issue

2024-08-29 Thread Jacques Le Roux

Hi,

Finally it's not that clear.

As can be found in trunk demo access_logs, such URLs exist at least since June 17 2024.

access_log.2024-06-17:28:66.249.75.98 - - [17/Jun/2024:00:11:51 +] "GET /partymgr/control/main%3FexternalLoginKey=ELf5183769-2759-476b-946c-2a70afe3c42d&sortField=partyId;jsessionid=EBB57C6C3C345E70501827509E05744C.jvm1 HTTP/1.1" 500 1165 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.175 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

As you can see, they have been rejected (HTTP 500) since then too. Actually I guess they have existed for a very long time. I have no idea yet why and how these URLs are generated.

The rejection is "new" and due to a security fix done on May 20 2024 with OFBIZ-13092 "Prevent special encoded characters sequences in URLs".

So we need to clearly define steps to manually generate these URLs. Then, if it's OK, we could allow URLs containing ";jsessionid=" to bypass the security filter.


I copy this email to the dev ML because of its importance

Jacques


On 28/08/2024 at 15:27, Jacques Le Roux wrote:

Thanks Guys,

I could not reproduce it yet, but I think we already have enough clues to fix that.
Also I can find a lot of them in the trunk demo log. That will be helpful too.

Jacques

On 27/08/2024 at 16:20, 雷咩咩 wrote:

I can reproduce it by logging in with admin, randomly clicking several places, then when clicking logout I see this error:


HTTP Status 500 – Internal Server Error
Type Exception Report

Message For security reason this URL is not accepted

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

java.lang.RuntimeException: For security reason this URL is not accepted
org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:144)
org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)

Note The full stack trace of the root cause is available in the server logs.

Apache Tomcat/9.0.91




Regards,
Yang


-- Original Message --
From: "user" https://demo-stable.ofbiz.apache.org/partymgr/control/main

I have screenshots available, however I am not able to attach them to this mail.
Please let me know if you need me to upload it somewhere.

Kind Regards,
Johan Cronjé

Re: Reply: URL Issue

2024-08-28 Thread Jacques Le Roux

Thanks Guys,

I could not reproduce it yet, but I think we already have enough clues to fix that.
Also I can find a lot of them in the trunk demo log. That will be helpful too.

Jacques

On 27/08/2024 at 16:20, 雷咩咩 wrote:

I can reproduce it by logging in with admin, randomly clicking several places, then when clicking logout I see this error:


HTTP Status 500 – Internal Server Error
Type Exception Report

Message For security reason this URL is not accepted

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception

java.lang.RuntimeException: For security reason this URL is not accepted
org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:144)
org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)

Note The full stack trace of the root cause is available in the server logs.

Apache Tomcat/9.0.91




Regards,
Yang


-- Original Message --
From: "user" https://demo-stable.ofbiz.apache.org/partymgr/control/main

I have screenshots available, however I am not able to attach them to this mail.
Please let me know if you need me to upload it somewhere.

Kind Regards,
Johan Cronjé