The error message pretty much says it all: the request passed parameters in the URL that are not allowed in the URL because they are insecure, i.e. they should be passed in form fields which are in the message body which are secure.

Quite a bit of discussion has gone on related to this, including notification of the change and such. It is not a bug so much as older code that needs to be updated to be more secure, because of a new security policy we are trying to more strictly enforce.

The most valuable feedback you can offer, and what is unfortunately missing in this message, is each page that has links that are like this. For example, you mention the manufacturing component, but which requests? What does your browser have in the URL box on the page with the bad link in it? Also, what is the URL of the link itself that is bad?

Those things will help us find and fix these quickly. It really only takes a few minutes for each one.

On a more technical note: at this point all such problems should be in links that are manually coded in FTL files. All links in widget XML files should be handled at this point (with possible exceptions, but these should be more rare).

Anyway, what we need is URLs!

-David


On Mar 25, 2009, at 4:38 PM, cjhorton wrote:


Hi All,

I updated to the latest Trunk version yesterday and I am getting the
following error message at various locations in the back office. I get the
same error message on Jacques's server:
https://lamouline.myvnc.com:28443/webtools/control/main.

This one occurred in the Manufacturing Component when I try to perform any action on a Production Run (schedule, quick start, etc.). I get a similar
message to the following depending on what I try to do.


The Following Errors Occurred:

Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [productionRunId] passed to secure (https) request-map with uri
[quickStartAllProductionRunTasks] with an event that calls service
[quickStartAllProductionRunTasks]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead
of the request URL.


This occurred in the Order Component when I go into an order and in the Shipment Information tab I select "New Shipment for Ship Group [00001]".


The Following Errors Occurred:

Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL
parameter [statusId] passed to secure (https) request-map with uri
[createShipment] with an event that calls service [createShipment]; this is not allowed for security reasons! The data should be encrypted by making it
part of the request body instead of the request URL.

Here is the log section of the errors:

2009-03-25 17:28:50,107 (http-0.0.0.0-8443-4) [ ModelForm.java: 1363:INFO ]
preparePager: Found rows = -1
2009-03-25 17:28:50,165 (http-0.0.0.0-8443-4) [ ControlServlet.java: 299:INFO
] [[[ShowProductionRun] Request Done- total:0.842,since
last([ShowProductionRu...):0.842]]
2009-03-25 17:28:58,054 (http-0.0.0.0-8443-4) [ ControlServlet.java: 130:INFO
] [[[quickChangeProductionRunStatus] Request Begun, encoding=[UTF-8]-
total:0.0,since last(Begin):0.0]]
2009-03-25 17:28:58,058 (http-0.0.0.0-8443-4)
[ServiceEventHandler.java:271:ERROR] =============== Found URL parameter
[productionRunId] passed to secure (https) request-map with uri
[quickChangeProductionRunStatus] with an event that calls service
[quickChangeProductionRunStatus]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.; In session [EB208FE8F2D2ECA295F2AB3A3568FA8E.jvm1]
2009-03-25 17:28:58,059 (http-0.0.0.0-8443-4) [
RequestHandler.java:379:ERROR] Request quickChangeProductionRunStatus caused
an error with the following message: Error calling event:
org.ofbiz.webapp.event.EventHandlerException: Found URL parameter
[productionRunId] passed to secure (https) request-map with uri
[quickChangeProductionRunStatus] with an event that calls service
[quickChangeProductionRunStatus]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead
of the request URL.
2009-03-25 17:28:58,060 (http-0.0.0.0-8443-4) [ RequestHandler.java: 649:INFO
] Rendering View [ProductionRunDeclaration],
sessionId=EB208FE8F2D2ECA295F2AB3A3568FA8E.jvm1
2009-03-25 17:28:58,405 (http-0.0.0.0-8443-4) [ ModelForm.java: 1345:INFO ]
preparePager: low - high = 0 - 20
2009-03-25 17:28:58,406 (http-0.0.0.0-8443-4) [ ModelForm.java: 1363:INFO ]
preparePager: Found rows = -1
2009-03-25 17:28:58,407 (http-0.0.0.0-8443-4) [ ModelForm.java: 1345:INFO ]
preparePager: low - high = 0 - 20
2009-03-25 17:28:58,408 (http-0.0.0.0-8443-4) [ ModelForm.java: 1363:INFO ]
preparePager: Found rows = 0
2009-03-25 17:28:58,432 (http-0.0.0.0-8443-4) [ ModelForm.java: 1345:INFO ]
preparePager: low - high = 0 - 20
2009-03-25 17:28:58,434 (http-0.0.0.0-8443-4) [ ModelForm.java: 1363:INFO ]
preparePager: Found rows = 2
2009-03-25 17:28:58,509 (http-0.0.0.0-8443-4) [ ModelForm.java: 1345:INFO ]
preparePager: low - high = 0 - 20
2009-03-25 17:28:58,510 (http-0.0.0.0-8443-4) [ ModelForm.java: 1363:INFO ]
preparePager: Found rows = -1
2009-03-25 17:28:58,538 (http-0.0.0.0-8443-4) [ ControlServlet.java: 299:INFO
] [[[quickChangeProductionRunStatus] Request Done- total:0.484,since
last([quickChangeProdu...):0.484]]
2009-03-25 17:29:04,098 (http-0.0.0.0-8443-4) [ ControlServlet.java: 130:INFO
] [[[quickStartAllProductionRunTasks] Request Begun, encoding=[UTF-8]-
total:0.0,since last(Begin):0.0]]
2009-03-25 17:29:04,119 (http-0.0.0.0-8443-4) [
ConfigXMLReader.java:118:INFO ] controller loaded: 0.0020s, 15 requests, 13
views in
file:/home/cjhorton/development/ofbiz/framework/common/webcommon/WEB-INF/common-controller.xml
2009-03-25 17:29:04,123 (http-0.0.0.0-8443-4) [
ConfigXMLReader.java:118:INFO ] controller loaded: 0.013s, 146 requests, 69
views in jndi:/0.0.0.0/manufacturing/WEB-INF/controller.xml
2009-03-25 17:29:04,136 (http-0.0.0.0-8443-4)
[ServiceEventHandler.java:271:ERROR] =============== Found URL parameter
[productionRunId] passed to secure (https) request-map with uri
[quickStartAllProductionRunTasks] with an event that calls service
[quickStartAllProductionRunTasks]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.; In session [EB208FE8F2D2ECA295F2AB3A3568FA8E.jvm1]
2009-03-25 17:29:04,136 (http-0.0.0.0-8443-4) [
RequestHandler.java:379:ERROR] Request quickStartAllProductionRunTasks
caused an error with the following message: Error calling event:
org.ofbiz.webapp.event.EventHandlerException: Found URL parameter
[productionRunId] passed to secure (https) request-map with uri
[quickStartAllProductionRunTasks] with an event that calls service
[quickStartAllProductionRunTasks]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead
of the request URL.
2009-03-25 17:29:04,137 (http-0.0.0.0-8443-4) [ RequestHandler.java: 649:INFO
] Rendering View [ProductionRunDeclaration],
sessionId=EB208FE8F2D2ECA295F2AB3A3568FA8E.jvm1
2009-03-25 17:29:04,160 (http-0.0.0.0-8443-4) [ ScreenFactory.java: 129:INFO
] Got 13 screens in 0.017s from:
file:/home/cjhorton/development/ofbiz/applications/manufacturing/widget/manufacturing/JobshopScreens.xml
2009-03-25 17:29:04,232 (http-0.0.0.0-8443-4) [ ScreenFactory.java: 129:INFO
] Got 1 screens in 0.01s from:
file:/home/cjhorton/development/ofbiz/applications/manufacturing/widget/manufacturing/CommonScreens.xml
2009-03-25 17:29:04,248 (http-0.0.0.0-8443-4) [ ScreenFactory.java: 129:INFO
] Got 1 screens in 0.01s from:
file:/home/cjhorton/development/ofbiz/applications/commonext/widget/CommonScreens.xml
2009-03-25 17:29:04,292 (http-0.0.0.0-8443-4) [ ScreenFactory.java: 129:INFO
] Got 22 screens in 0.015s from:
file:/home/cjhorton/development/ofbiz/framework/common/widget/CommonScreens.xml
2009-03-25 17:29:04,580 (http-0.0.0.0-8443-4) [ ModelForm.java: 1345:INFO ]
preparePager: low - high = 0 - 20
2009-03-25 17:29:04,581 (http-0.0.0.0-8443-4) [ ModelForm.java: 1363:INFO ]
preparePager: Found rows = -1
2009-03-25 17:29:04,611 (http-0.0.0.0-8443-4) [ ModelForm.java: 1345:INFO ]
preparePager: low - high = 0 - 20
2009-03-25 17:29:04,612 (http-0.0.0.0-8443-4) [ ModelForm.java: 1363:INFO ]
preparePager: Found rows = 0
2009-03-25 17:29:04,614 (http-0.0.0.0-8443-4) [ ModelForm.java: 1345:INFO ]
preparePager: low - high = 0 - 20
2009-03-25 17:29:04,614 (http-0.0.0.0-8443-4) [ ModelForm.java: 1363:INFO ]
preparePager: Found rows = 2
2009-03-25 17:29:04,678 (http-0.0.0.0-8443-4) [ ModelForm.java: 1345:INFO ]
preparePager: low - high = 0 - 20
2009-03-25 17:29:04,679 (http-0.0.0.0-8443-4) [ ModelForm.java: 1363:INFO ]
preparePager: Found rows = -1
2009-03-25 17:29:04,716 (http-0.0.0.0-8443-4) [ ControlServlet.java: 299:INFO
] [[[quickStartAllProductionRunTasks] Request Done- total:0.618,since
last([quickStartAllPro...):0.618]]
2009-03-25 17:32:09,018 (http-0.0.0.0-8443-4) [ ControlServlet.java: 130:INFO
] [[[changeProductionRunTaskStatus] Request Begun, encoding=[UTF-8]-
total:0.0,since last(Begin):0.0]]
2009-03-25 17:32:09,041 (http-0.0.0.0-8443-4) [
ConfigXMLReader.java:118:INFO ] controller loaded: 0.0s, 15 requests, 13
views in
file:/home/cjhorton/development/ofbiz/framework/common/webcommon/WEB-INF/common-controller.xml
2009-03-25 17:32:09,048 (http-0.0.0.0-8443-4) [
ConfigXMLReader.java:118:INFO ] controller loaded: 0.017s, 146 requests, 69
views in jndi:/0.0.0.0/manufacturing/WEB-INF/controller.xml
2009-03-25 17:32:09,053 (http-0.0.0.0-8443-4)
[ServiceEventHandler.java:271:ERROR] =============== Found URL parameter
[productionRunId] passed to secure (https) request-map with uri
[changeProductionRunTaskStatus] with an event that calls service
[changeProductionRunTaskStatus]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.; In session [EB208FE8F2D2ECA295F2AB3A3568FA8E.jvm1]
2009-03-25 17:32:09,054 (http-0.0.0.0-8443-4) [
RequestHandler.java:379:ERROR] Request changeProductionRunTaskStatus caused
an error with the following message: Error calling event:
org.ofbiz.webapp.event.EventHandlerException: Found URL parameter
[productionRunId] passed to secure (https) request-map with uri
[changeProductionRunTaskStatus] with an event that calls service
[changeProductionRunTaskStatus]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead
of the request URL.
2009-03-25 17:32:09,054 (http-0.0.0.0-8443-4) [ RequestHandler.java: 649:INFO
] Rendering View [ProductionRunDeclaration],
sessionId=EB208FE8F2D2ECA295F2AB3A3568FA8E.jvm1
2009-03-25 17:32:09,084 (http-0.0.0.0-8443-4) [ ScreenFactory.java: 129:INFO
] Got 13 screens in 0.023s from:
file:/home/cjhorton/development/ofbiz/applications/manufacturing/widget/manufacturing/JobshopScreens.xml
2009-03-25 17:32:09,256 (http-0.0.0.0-8443-4) [ ScreenFactory.java: 129:INFO
] Got 1 screens in 0.01s from:
file:/home/cjhorton/development/ofbiz/applications/manufacturing/widget/manufacturing/CommonScreens.xml
2009-03-25 17:32:09,281 (http-0.0.0.0-8443-4) [ ScreenFactory.java: 129:INFO
] Got 1 screens in 0.01s from:
file:/home/cjhorton/development/ofbiz/applications/commonext/widget/CommonScreens.xml
2009-03-25 17:32:09,325 (http-0.0.0.0-8443-4) [ ScreenFactory.java: 129:INFO
] Got 22 screens in 0.014s from: fil

I figured I would post it while I start examining what is going on.

Thanks,

CJ
--
View this message in context: 
http://www.nabble.com/Getting-%22The-data-should-be-encrypted-by-making-it-part-of-the-request-body-instead-of-the-request-URL.%22-errors-in-Back-Office-tp22712428p22712428.html
Sent from the OFBiz - User mailing list archive at Nabble.com.
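
An added example, not part of the original thread and not OFBiz code: a small Python script that pulls the rejected request URIs, services and URL parameter names out of a mail-wrapped log like the one quoted above, so each one can be searched for in the hand-coded FTL links. The sample log is constructed from the message format shown in the thread; the function name and report layout are assumptions.

```python
import re

# Constructed sample modelled on the mail-wrapped log lines quoted in this thread.
SAMPLE_LOG = """\
2009-03-25 17:28:58,058 (http-0.0.0.0-8443-4)
[ServiceEventHandler.java:271:ERROR] =============== Found URL parameter
[productionRunId] passed to secure (https) request-map with uri
[quickChangeProductionRunStatus] with an event that calls service
[quickChangeProductionRunStatus]; this is not allowed for security reasons!
2009-03-25 17:28:58,059 (http-0.0.0.0-8443-4) [
RequestHandler.java:379:ERROR] Request quickChangeProductionRunStatus caused
an error with the following message: Error calling event:
org.ofbiz.webapp.event.EventHandlerException: Found URL parameter
[productionRunId] passed to secure (https) request-map with uri
[quickChangeProductionRunStatus] with an event that calls service
[quickChangeProductionRunStatus]; this is not allowed for security reasons!
2009-03-25 17:28:58,405 (http-0.0.0.0-8443-4) [ ModelForm.java: 1345:INFO ]
preparePager: low - high = 0 - 20
2009-03-25 17:29:10,000 (http-0.0.0.0-8443-4)
[ServiceEventHandler.java:271:ERROR] =============== Found URL parameter
[statusId] passed to secure (https) request-map with uri [createShipment]
with an event that calls service [createShipment]; this is not allowed
"""

ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}(?= )", re.M)
REJECTED = re.compile(
    r"Found URL parameter \[(?P<param>[^\]]+)\] passed to secure \(https\) "
    r"request-map with uri \[(?P<uri>[^\]]+)\] with an event that calls "
    r"service \[(?P<service>[^\]]+)\]")

def rejected_requests(log_text):
    """Map each rejected request URI to its service, URL params and first timestamp."""
    report = {}
    marks = list(ENTRY_START.finditer(log_text))
    ends = [m.start() for m in marks[1:]] + [len(log_text)]
    for mark, end in zip(marks, ends):
        # Collapse whitespace so a message wrapped across lines matches as one string.
        entry = " ".join(log_text[mark.start():end].split())
        hit = REJECTED.search(entry)
        if hit is None:
            continue
        row = report.setdefault(hit["uri"], {
            "service": hit["service"], "params": set(), "first_seen": mark.group()})
        row["params"].add(hit["param"])  # RequestHandler's repeat adds nothing new
    return report

if __name__ == "__main__":
    for uri, row in rejected_requests(SAMPLE_LOG).items():
        print(row["first_seen"], uri, sorted(row["params"]))
```

The `first_seen` timestamp helps match each rejection to the page that was open in the browser when the link was clicked.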

