Thanks Omar,
Is that local or on a server?
Jacques
On 31/08/2024 at 14:17, Omar Abdullwahhab wrote:
Hi Jacques,
Here are a few lines of the logs containing jsessionid
127.0.0.1 - - [26/Aug/2024:20:51:14 +0300] "GET /accounting/control/ListCompanies HTTP/2.0" 200 5147 "https://localhost:8443/accounting/control/globalGLSettings" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:18 +0300] "GET /rainbowstone/RAINBOWSTONE_SAPHIR.less HTTP/2.0" 200 1560 "https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:19 +0300] "GET /ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4 HTTP/2.0" 200 4571 "https://localhost:8443/accounting/control/ListCompanies" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:24 +0300] "GET /facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03 HTTP/2.0" 200 4327 "https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:29 +0300] "POST /facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:36 +0300] "POST /facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET /rainbowstone/RAINBOWSTONE_SAPHIR.less HTTP/2.0" 200 1560 "https://localhost:8443/facility/control/FindFacility" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET /facility/control/FindFacility HTTP/2.0" 200 4274 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
Regards
On Sat, Aug 31, 2024 at 2:30 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
Hi Omar,
Since Java 7:
https://docs.oracle.com/javaee/7/api/javax/servlet/annotation/WebListener.html
In OFBiz, ControlEventListener implements HttpSessionListener
Did you check, locally or on a server, whether you find a jsessionid in your access_logs (trunk)?
Jacques
On 31/08/2024 at 13:07, Omar Abdullwahhab wrote:
Hi Jacques, Johan,
According to my investigation of this class (WebAppServletContextListener.java
<https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41>),
it seems that this listener is never registered, so it has no effect.
Note that it's annotated with @WebListener.
So confirm whether I am correct or wrong.
Regards
On Fri, Aug 30, 2024 at 6:30 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
Hi,
Actually it's not related to embedded Tomcat in OFBiz.
Since 2017, in WebAppServletContextListener.java we use this line
<<servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));>>
https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41
If you test locally, or maybe on another server than the demo one, you will not find in the access_logs files any line similar to the one below. At least I did not, and that's logical since we use cookies for that.
I'm not sure what the reason is yet. If you could confirm that it's not reproducible except on the demo server, that would help to narrow down the possibilities.
TIA
Jacques
On 29/08/2024 at 10:17, Jacques Le Roux wrote:
Hi,
Finally it's not that clear.
As can be found in trunk demo access_logs, such URLs exist at least since June 17 2024.
access_log.2024-06-17:28:66.249.75.98 - - [17/Jun/2024:00:11:51 +0000] "GET /partymgr/control/main%3FexternalLoginKey=ELf5183769-2759-476b-946c-2a70afe3c42d&sortField=partyId;jsessionid=EBB57C6C3C345E70501827509E05744C.jvm1 HTTP/1.1" 500 1165 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.175 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
As you can see, they have been rejected (HTTP 500) since then too. Actually I guess they have existed for a very long time. I have yet no idea why and how these URLs are generated.
The rejection is "new" and due to a security fix done on May 20 2024 with (OFBIZ-13092) "Prevent special encoded characters sequences in URLs".
So we need to clearly define steps to manually generate these URLs. Then, if it's OK, we could allow URLs containing ";jsessionid=" to bypass the security filter.
I copy this email to the dev ML because of its importance
Jacques
On 28/08/2024 at 15:27, Jacques Le Roux wrote:
Thanks Guys,
I could not reproduce yet, but I think we already have enough clues to fix that.
Also I can find a lot of them in the trunk demo log. That will be helpful too.
Jacques
On 27/08/2024 at 16:20, 雷咩咩 wrote:
I can reproduce it by logging in with admin, randomly clicking several places, and then, when clicking logout, I see such an error:
HTTP Status 500 – Internal Server Error
Type Exception Report
Message For security reason this URL is not accepted
Description The server encountered an unexpected condition that prevented it from fulfilling the request.
Exception
java.lang.RuntimeException: For security reason this URL is not accepted
org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:144)
org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
Note The full stack trace of the root cause is available in the server logs.
Apache Tomcat/9.0.91
Regards,
Yang
------------------ Original message ------------------
From: "user" <johanhpcro...@gmail.com>;
Sent: Tuesday, August 27, 2024, 9:12 PM
To: "user"<user@ofbiz.apache.org>;
Subject: URL Issue
Hi,
Not sure if anyone would be able to assist me; I have found an issue which can also be replicated within the demo.
This issue normally occurs as you navigate to a module after login. It is not easily replicable; once you refresh it works and does not occur again.
Replicated the issue in multiple modules.
It usually adds ;jsessionid=######################.jvm1 to all the URLs and this causes a navigation issue.
Once you submit a form or try to click the logout link, a 500 Internal Server Error is being returned.
As an example:
https://demo-stable.ofbiz.apache.org/partymgr/control/main
I have screenshots available, however I am not able to attach them to this mail.
Please let me know if you need me to upload them somewhere.
Kind Regards,
Johan Cronjé
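As an added illustration, not code from this thread or from OFBiz, here is a small Python checker that parses access_log lines in the format quoted above and flags requests whose URL or Referer carries ;jsessionid= as a path parameter, keeping the response status so the session-id leakage and the HTTP 500 rejections discussed in the thread can be read side by side. The sample lines are constructed to mirror the thread's excerpt; the session id and externalLoginKey values in them are placeholders.

```python
import re
from collections import Counter
# Combined log format as written by Tomcat's access log (the layout seen in the thread):
# host ident user [time] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Tomcat's URL-rewritten session id is a path parameter: /path;jsessionid=<hex>[.<jvmRoute>]
JSESSIONID_RE = re.compile(r';jsessionid=([0-9A-Fa-f]+)(?:\.[^?/\s]*)?', re.IGNORECASE)

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def url_session_findings(lines):
    """Flag requests whose target URL or Referer carries a session id as a path parameter;
    each finding keeps the response status, so leakage and the thread's HTTP 500 rejections show together."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than guess
        for where in ("target", "referer"):
            m = JSESSIONID_RE.search(rec[where])
            if m:
                findings.append({"time": rec["time"], "where": where, "status": int(rec["status"]),
                                 "path": rec["target"].split(";")[0].split("?")[0],
                                 "session_id": m.group(1).upper()})
    return findings

def rejected_per_session(findings):
    """Count HTTP 500 responses per session id for requests that carried the id in their own URL."""
    return Counter(f["session_id"] for f in findings if f["where"] == "target" and f["status"] == 500)

# Constructed sample lines modelled on the thread's access_log excerpt; the ids are placeholders.
UA = '"Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"'
SID = "0123456789ABCDEF0123456789ABCDEF.jvm1"
SAMPLE_LINES = [
    '127.0.0.1 - - [26/Aug/2024:20:51:14 +0300] "GET /accounting/control/ListCompanies HTTP/2.0" 200 5147 '
    '"https://localhost:8443/accounting/control/globalGLSettings" ' + UA,
    '127.0.0.1 - - [26/Aug/2024:20:51:29 +0300] "POST /facility/control/EditFacility;jsessionid=' + SID
    + ' HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=EL-placeholder" ' + UA,
    '127.0.0.1 - - [26/Aug/2024:20:51:36 +0300] "POST /facility/control/EditFacility;jsessionid=' + SID
    + ' HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=EL-placeholder" ' + UA,
    '127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET /facility/control/FindFacility HTTP/2.0" 200 4274 '
    '"https://localhost:8443/facility/control/EditFacility;jsessionid=' + SID + '" ' + UA,
]
```

Running url_session_findings over a real access_log also surfaces the second risk the thread's lines show: once the id is in the URL it is copied into the Referer of later requests and into the log itself, which is why cookie-only tracking is the intended mode.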