Hi Jacques, Johan,

According to my investigation of this class (
WebAppServletContextListener.java
<https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41>)

It seems that this listener is never registered, so it has no
effect.
Note that it's annotated with
@WebListener

So confirm whether I am correct or wrong.

Regards

On Fri, Aug 30, 2024 at 6:30 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Hi,
>
> Actually it's not related to embedded Tomcat in OFBiz.
>
> Since 2017, in WebAppServletContextListener.java, we have used this line
>
>
> <<servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));>>
>
>
> https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41
>
> If you test locally, or maybe on another server than the demo one, you will
> not find in the access_logs files any line similar to the one below. At least
> I did not, and that's logical since we use cookies for that.
>
> I'm not sure what the reason is yet. If you could confirm that it's not
> reproducible except on the demo server, that would help to narrow the
> possibilities.
>
> TIA
>
> Jacques
>
> Le 29/08/2024 à 10:17, Jacques Le Roux a écrit :
> > Hi,
> >
> > Finally it's not that clear.
> >
> > As can be found in trunk demo access_logs, such URLs exist at least
> since June 17 2024.
> >
> >    access_log.2024-06-17:28:66.249.75.98 - - [17/Jun/2024:00:11:51
> +0000] "GET
> >
> /partymgr/control/main%3FexternalLoginKey=ELf5183769-2759-476b-946c-2a70afe3c42d&amp;sortField=partyId;jsessionid=EBB57C6C3C345E70501827509E05744C.jvm1
> >    HTTP/1.1" 500 1165 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X
> Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.175
> >    Mobile Safari/537.36 (compatible; Googlebot/2.1; +
> http://www.google.com/bot.html)"
> >
> > As you can see they have been rejected (HTTP 500) since then too. Actually
> I guess they have existed for a very long time. I have no idea yet why and
> > how these URLs are generated.
> >
> > The rejection is "new" and due to a security fix done on May 20 2024
> with OFBIZ-13092 "Prevent special encoded characters sequences in URLs".
> >
> > So we need to clearly define steps to manually generate these URLs.
> Then, if it's OK, we could allow URLs containing ";jsessionid=" to bypass
> the
> > security filter.
> >
> > I copy this email to the dev ML because of its importance.
> >
> > Jacques
> >
> >
> > Le 28/08/2024 à 15:27, Jacques Le Roux a écrit :
> >> Thanks Guys,
> >>
> >> I could not reproduce it yet, but I think we already have enough clues to
> fix that.
> >> Also I can find a lot of them in the trunk demo log. That will be helpful too.
> >>
> >> Jacques
> >>
> >> Le 27/08/2024 à 16:20, 雷咩咩 a écrit :
> >>> I can reproduce it by logging in with admin, randomly clicking several
> places, then when clicking logout, I see such an error:
> >>>
> >>>
> >>> HTTP Status 500 – Internal Server Error
> >>> Type Exception Report
> >>>
> >>>
> >>> Message For security reason this URL is not accepted
> >>>
> >>>
> >>> Description The server encountered an unexpected condition that
> prevented it from fulfilling the request.
> >>>
> >>>
> >>> Exception
> >>>
> >>>
> >>> java.lang.RuntimeException: For security reason this URL is not
> accepted
> >>>
> >>>     org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:144)
> >>>     org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
> >>> Note The full stack trace of the root cause is available in the server
> logs.
> >>>
> >>>
> >>> Apache Tomcat/9.0.91
> >>>
> >>>
> >>>
> >>>
> >>> Regards,
> >>> Yang
> >>>
> >>>
> >>> ------------------ Original Message ------------------
> >>> From: "user" <johanhpcro...@gmail.com>;
> >>> Sent: Tuesday, 27 August 2024, 9:12 PM
> >>> To: "user" <user@ofbiz.apache.org>;
> >>>
> >>> Subject: URL Issue
> >>>
> >>>
> >>>
> >>> Hi,
> >>>
> >>> Not sure if anyone would be able to assist me, I have found an issue
> which
> >>> can also be replicated within the demo.
> >>> This issue normally occurs as you navigate to a module after login. It
> is
> >>> not easily replicable, once you refresh it works and does not occur
> again.
> >>> Replicated the issue in multiple modules.
> >>> It usually adds ;jsessionid=######################.jvm1 to all the
> URLs and
> >>> this causes a navigation issue.
> >>> Once you submit a form or try to click the logout link, an HTTP 500
> >>> Internal Server Error is returned.
> >>> As an example:
> >>> https://demo-stable.ofbiz.apache.org/partymgr/control/main
> >>>
> >>> I have screenshots available, however I am not able to attach to this
> mail.
> >>> Please let me know if you need me to upload it somewhere.
> >>>
> >>> Kind Regards,
> >>> Johan Cronjé



-- 
Omar Abu-Arab
Java Engineer
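As an added example (not code from this thread or from OFBiz), a small Python script that parses access_log lines of the shape quoted above and counts requests carrying ";jsessionid=" in the URL, plus how many of those the server already rejected with a 500. The log lines it contains are constructed, and the "%3F" heuristic is an assumption based on the encoded "?" visible in the quoted line, not the exact rule of OFBIZ-13092.

```python
import re

# Constructed sample access_log lines (Tomcat access log format); values are made up.
# The first line mimics the shape of the rejected request quoted in the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jun/2024:00:11:51 +0000] "GET /partymgr/control/main%3FexternalLoginKey=EL00000000-0000-0000-0000-000000000000&sortField=partyId;jsessionid=0123456789ABCDEF0123456789ABCDEF.jvm1 HTTP/1.1" 500 1165 "-" "Mozilla/5.0"
203.0.113.6 - - [17/Jun/2024:00:12:03 +0000] "GET /partymgr/control/main;jsessionid=ABCDEF0123456789ABCDEF0123456789.jvm1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jun/2024:00:12:10 +0000] "GET /partymgr/control/main?sortField=partyId HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Servlet URL rewriting appends ";jsessionid=<id>[.<route>]" to the path segment.
JSESSIONID_RE = re.compile(r';jsessionid=(?P<sid>[0-9A-Fa-f]+(?:\.[\w-]+)?)')


def analyze_line(line):
    """Parse one access_log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    # URL rewriting puts the session id in the path, i.e. before any real '?'.
    sid = JSESSIONID_RE.search(target.split("?", 1)[0])
    return {
        "status": int(m.group("status")),
        "session_in_url": sid is not None,
        "session_id": sid.group("sid") if sid else None,
        # '%3F' is a percent-encoded '?': the query string was folded into the path
        # (assumed here to be the kind of encoded sequence the filter rejects).
        "encoded_query_marker": "%3f" in target.lower(),
    }


def summarize(log_text):
    """Count session ids leaking into URLs and how many such requests were rejected."""
    counts = {"total": 0, "session_in_url": 0, "session_in_url_rejected": 0,
              "encoded_query_marker": 0}
    for line in log_text.splitlines():
        rec = analyze_line(line)
        if rec is None:
            continue
        counts["total"] += 1
        if rec["session_in_url"]:
            counts["session_in_url"] += 1
            if rec["status"] >= 500:
                counts["session_in_url_rejected"] += 1
        if rec["encoded_query_marker"]:
            counts["encoded_query_marker"] += 1
    return counts
```

A non-zero "session_in_url" count on a server that is supposed to run cookie-only session tracking is the quickest way to tell whether the listener's setSessionTrackingModes call is actually in effect.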