Hi Jacques, Johan,

According to my investigation of this class (WebAppServletContextListener.java
<https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41>),
it seems that this listener is never registered, so that it has no effect. Note that it's annotated with @WebListener.

So please confirm whether I am correct or wrong.

Regards

On Fri, Aug 30, 2024 at 6:30 PM Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:

> Hi,
>
> Actually it's not related to embedded Tomcat in OFBiz.
>
> Since 2017, in WebAppServletContextListener.java we use this line
>
> <<servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));>>
>
> https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41
>
> If you test locally, or maybe in another server than the demo one, you will not find in access_logs files any line similar to the one below. At least I did not, and that's logical since we use cookies for that.
>
> I'm not sure what's the reason yet. If you could confirm that it's not reproducible but in the demo server, that would help to restrain the possibilities.
>
> TIA
>
> Jacques
>
> On 29/08/2024 at 10:17, Jacques Le Roux wrote:
>> Hi,
>>
>> Finally it's not that clear.
>>
>> As can be found in trunk demo access_logs, such URLs exist at least since June 17 2024.
>>
>> access_log.2024-06-17:28:66.249.75.98 - - [17/Jun/2024:00:11:51 +0000] "GET /partymgr/control/main%3FexternalLoginKey=ELf5183769-2759-476b-946c-2a70afe3c42d&sortField=partyId;jsessionid=EBB57C6C3C345E70501827509E05744C.jvm1 HTTP/1.1" 500 1165 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.175 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
>>
>> As you can see they are rejected (HTTP 500) since then too. Actually I guess they have existed for a very long time. I have no idea yet why and how these URLs are generated.
>>
>> The rejection is "new" and due to a security fix done on May 20 2024 with (OFBIZ-13092) "Prevent special encoded characters sequences in URLs".
>>
>> So we need to clearly define steps to manually generate these URLs. Then, if it's OK, we could allow URLs containing ";jsessionid=" to bypass the security filter.
>>
>> I copy this email to the dev ML because of its importance.
>>
>> Jacques
>>
>> On 28/08/2024 at 15:27, Jacques Le Roux wrote:
>>> Thanks Guys,
>>>
>>> I could not reproduce yet, but I think we have already enough clues to fix that.
>>> Also I can find a lot in the trunk demo log. That will be helpful too.
>>>
>>> Jacques
>>>
>>> On 27/08/2024 at 16:20, 雷咩咩 wrote:
>>>> I can reproduce by logging in with admin, randomly clicking several places, then when clicking logout, I see such error:
>>>>
>>>> HTTP Status 500 – Internal Server Error
>>>> Type Exception Report
>>>>
>>>> Message For security reason this URL is not accepted
>>>>
>>>> Description The server encountered an unexpected condition that prevented it from fulfilling the request.
>>>>
>>>> Exception
>>>>
>>>> java.lang.RuntimeException: For security reason this URL is not accepted
>>>> org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:144)
>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>> Note The full stack trace of the root cause is available in the server logs.
>>>>
>>>> Apache Tomcat/9.0.91
>>>>
>>>> Regards,
>>>> Yang
>>>>
>>>> ------------------ Original message ------------------
>>>> From: "user" <johanhpcro...@gmail.com>;
>>>> Sent: Tuesday, August 27, 2024, 9:12 PM
>>>> To: "user" <user@ofbiz.apache.org>;
>>>>
>>>> Subject: URL Issue
>>>>
>>>> Hi,
>>>>
>>>> Not sure if anyone would be able to assist me, I have found an issue which can also be replicated within the demo.
>>>> This issue normally occurs as you navigate to a module after login. It is not easily replicable; once you refresh it works and does not occur again.
>>>> Replicated the issue in multiple modules.
>>>> It usually adds ;jsessionid=######################.jvm1 to all the URLs and this causes a navigation issue.
>>>> Once you submit a form or try to click the logout link, a 500 Internal Server Error is returned.
>>>> As an example: https://demo-stable.ofbiz.apache.org/partymgr/control/main
>>>>
>>>> I have screenshots available, however I am not able to attach to this mail. Please let me know if you need me to upload it somewhere.
>>>>
>>>> Kind Regards,
>>>> Johan Cronjé

-- 
Omar Abu-Arab
Java Engineer
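A concrete way to check the question raised in the top message (is the @WebListener actually registered, and is cookie-only session tracking in effect?), as an added example that is my own code and not OFBiz's WebAppServletContextListener: a minimal listener that restricts tracking to cookies, plus a hypothetical diagnostic servlet, mapped to /session-check, that reports whether the listener ran and whether the current request's session id arrived in the URL or in a cookie. The class names, the marker attribute name and the /session-check mapping are assumptions; the code targets the javax.servlet API (Servlet 3.0+, as shipped with Tomcat 9).

```java
import java.io.IOException;
import java.util.EnumSet;
import java.util.Set;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical listener (not the OFBiz one). Restricting tracking to COOKIE
 * stops the container from rewriting URLs with ";jsessionid=...", which keeps
 * session ids out of access logs, referers and browser history.
 * setSessionTrackingModes() may only be called while the context is being
 * initialized; calling it later throws IllegalStateException.
 */
@WebListener
public class CookieOnlySessionListener implements ServletContextListener {

    /** Context attribute (our own name) that lets the servlet below see the listener ran. */
    static final String MARKER = "cookieOnlySessionListener.ran";

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        ctx.setAttribute(MARKER, Boolean.TRUE);
        // Written to the container log, so registration is visible at startup.
        ctx.log("Session tracking restricted to: " + ctx.getEffectiveSessionTrackingModes());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // Nothing to release.
    }
}

/**
 * Diagnostic endpoint (hypothetical): GET /session-check prints whether the
 * listener ran, the effective tracking modes, and where this request's
 * session id came from.
 */
@WebServlet("/session-check")
class SessionCheckServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        ServletContext ctx = getServletContext();
        boolean listenerRan = Boolean.TRUE.equals(ctx.getAttribute(CookieOnlySessionListener.MARKER));
        Set<SessionTrackingMode> modes = ctx.getEffectiveSessionTrackingModes();

        // Make sure a session exists, so encodeURL() would have something to rewrite.
        req.getSession(true);

        resp.setContentType("text/plain");
        resp.getWriter()
            .append("listener ran: ").append(String.valueOf(listenerRan)).append('\n')
            .append("effective tracking modes: ").append(String.valueOf(modes)).append('\n')
            .append("session id from URL: ").append(String.valueOf(req.isRequestedSessionIdFromURL())).append('\n')
            .append("session id from cookie: ").append(String.valueOf(req.isRequestedSessionIdFromCookie())).append('\n')
            // With COOKIE-only tracking the URL comes back unchanged (no ;jsessionid= appended).
            .append("encodeURL(\"/\"): ").append(resp.encodeURL("/")).append('\n');
    }
}
```

Two caveats when reading the output. First, @WebListener and @WebServlet are only honoured when the container scans the web application for annotations; a web.xml declaring metadata-complete="true" disables that scanning, and the listener then has to be declared explicitly with a <listener> element. Second, "listener ran: true" together with "effective tracking modes: [COOKIE]" shows the listener took effect for this context; if a request still reports "session id from URL: true", the ;jsessionid= path parameter was put into the link by something other than the container's own URL rewriting.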