Clone Tools
  • last updated 23 mins ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Improved: Cannot find the declaration of element 'web-app' in version 3.0 files. (OFBIZ-6993)

I missed to backport changes web.xml (was OK in plugins)

  1. … 24 more files in changeset.
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the

cookie can be sent as a result of a 'cross-site' request. The SameSite attribute

is an effective counter measure to cross-site request forgery, cross-site script

inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter

(SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generates a new jsessionId,

ultimately put in cookie, in LoginWorker::login. So we need to add a call to

SameSiteFilter::addSameSiteCookieAttribute in

UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 15 more files in changeset.
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the

cookie can be sent as a result of a 'cross-site' request. The SameSite attribute

is an effective counter measure to cross-site request forgery, cross-site script

inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter

(SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generates a new jsessionId,

ultimately put in cookie, in LoginWorker::login. So we need to add a call to

SameSiteFilter::addSameSiteCookieAttribute in

UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 15 more files in changeset.
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the

cookie can be sent as a result of a 'cross-site' request. The SameSite attribute

is an effective counter measure to cross-site request forgery, cross-site script

inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter

(SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generates a new jsessionId,

ultimately put in cookie, in LoginWorker::login. So we need to add a call to

SameSiteFilter::addSameSiteCookieAttribute in

UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 15 more files in changeset.
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the

cookie can be sent as a result of a 'cross-site' request. The SameSite attribute

is an effective counter measure to cross-site request forgery, cross-site script

inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter

(SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generates a new jsessionId,

ultimately put in cookie, in LoginWorker::login. So we need to add a call to

SameSiteFilter::addSameSiteCookieAttribute in

UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 15 more files in changeset.
Improved: Add Asciidoc template for plugin creation task (OFBIZ-10322)

Create a README.adoc stub and help file stub in the new format under

framework/resources/templates and use in the plugin creation task.

Thanks Ulrich Heidfeld for providing the patch.

  1. … 1 more file in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit 3075027df7c82bcb381810d9d438150ef696254f.

  1. … 24 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit a93b1fcb7859a754ba84b810c4736e7ef6778689.

  1. … 24 more files in changeset.
Revert "Improved: Update “web.xml” files version 3.0 → 4.0 (OFBIZ-6993)"

This reverts commit 226e901981b68941bbcf3e1025d2208061d28db6.

  1. … 24 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit d1c037dca1ea14caf545c85c3741bb9af093f3c9.

  1. … 24 more files in changeset.
Improved: Update “web.xml” files version 3.0 → 4.0 (OFBIZ-6993)

  1. … 24 more files in changeset.
Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)

these declarations avoid SAXParseException traceback when parsing web.xml

the first time in WebappUtil.parseWebXmlFile

  1. … 24 more files in changeset.
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid SAXParseException traceback when parsing web.xml

the first time in WebappUtil.parseWebXmlFile

  1. … 24 more files in changeset.
Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)

these declarations avoid SAXParseException traceback when parsing web.xml

the first time in WebappUtil.parseWebXmlFile

  1. … 24 more files in changeset.
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid SAXParseException traceback when parsing web.xml

the first time in WebappUtil.parseWebXmlFile

  1. … 24 more files in changeset.
Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)

these declarations avoid SAXParseException traceback when parsing web.xml

the first time in WebappUtil.parseWebXmlFile

  1. … 24 more files in changeset.
Improved: Remove redundant "dtd" directory from classpath (OFBIZ-11161)

the "dtd" directories are already present as resources distributed

inside OFBiz jar, so there is no need to augment the classpath to find

the XML schema inside those directories.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1865796 13f79535-47bb-0310-9956-ffa450edef68

  1. … 10 more files in changeset.
Improved: Improve error message page to support Theming (OFBIZ-10753)

When OFBiz raise an error, the framework use a jsp page to display it.

I improved the error page generation to support also ftl template rendering and by this way extend the theme engine to support to overide it

On controler.xml we can now use :

<errorpage>/error/error.jsp</errorpage>

or

<errorpage>component://common/webcommon/error/Error.ftl</errorpage> (default configuration)

On your theme you can add your own error page :

<template>

...

<template-file widget=menu location=component://common-theme/template/macro/HtmlMenuMacroLibrary.ftl/>

+ <template-file widget=error location=component://common-theme/template/ErrorPage.ftl/>

</template>

The component://common/webcommon/error/Error.ftl contains the logic theming connection and to simplify source code, all framework old error page (error.jsp) have been removed to centralize all on this new page.

Thanks to Marine Desmarchelier for the error page design

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1856175 13f79535-47bb-0310-9956-ffa450edef68

# Conflicts:

# framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlServlet.java

# themes/common/template/ErrorPage.ftl

  1. … 22 more files in changeset.
Improved: Improve error message page to support Theming (OFBIZ-10753)

When OFBiz raise an error, the framework use a jsp page to display it.

I improved the error page generation to support also ftl template rendering and by this way extend the theme engine to support to overide it

On controler.xml we can now use :

<errorpage>/error/error.jsp</errorpage>

or

<errorpage>component://common/webcommon/error/Error.ftl</errorpage> (default configuration)

On your theme you can add your own error page :

<template>

...

<template-file widget=menu location=component://common-theme/template/macro/HtmlMenuMacroLibrary.ftl/>

+ <template-file widget=error location=component://common-theme/template/ErrorPage.ftl/>

</template>

The component://common/webcommon/error/Error.ftl contains the logic theming connection and to simplify source code, all framework old error page (error.jsp) have been removed to centralize all on this new page.

Thanks to Marine Desmarchelier for the error page design

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1856175 13f79535-47bb-0310-9956-ffa450edef68

  1. … 23 more files in changeset.
Improved: Improve error message page to support Theming (OFBIZ-10753)

When OFBiz raise an error, the framework use a jsp page to display it.

I improved the error page generation to support also ftl template rendering and by this way extend the theme engine to support to overide it

On controler.xml we can now use :

<errorpage>/error/error.jsp</errorpage>

or

<errorpage>component://common/webcommon/error/Error.ftl</errorpage> (default configuration)

On your theme you can add your own error page :

<template>

...

<template-file widget=menu location=component://common-theme/template/macro/HtmlMenuMacroLibrary.ftl/>

+ <template-file widget=error location=component://common-theme/template/ErrorPage.ftl/>

</template>

The component://common/webcommon/error/Error.ftl contains the logic theming connection and to simplify source code, all framework old error page (error.jsp) have been removed to centralize all on this new page.

Thanks to Marine Desmarchelier for the error page design

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1856175 13f79535-47bb-0310-9956-ffa450edef68

  1. … 23 more files in changeset.
"Applied fix from trunk for revision: 1851068 " ------------------------------------------------------------------------ r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure

(OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML

https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove

the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1851071 13f79535-47bb-0310-9956-ffa450edef68

  1. … 15 more files in changeset.
"Applied fix from trunk for revision: 1851068 " ------------------------------------------------------------------------ r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure

(OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML

https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove

the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1851070 13f79535-47bb-0310-9956-ffa450edef68

  1. … 15 more files in changeset.
Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML

https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove

the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1851068 13f79535-47bb-0310-9956-ffa450edef68

  1. … 15 more files in changeset.
Improved: Manage life span of SecurityGroupPermission entity. Applied patch from jira issue(OFBIZ-9801) Thanks Suraj Khurana for your contribution

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1812383 13f79535-47bb-0310-9956-ffa450edef68

  1. … 42 more files in changeset.
Improved: No functional change, Only added license header

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1812309 13f79535-47bb-0310-9956-ffa450edef68

    • -0
    • +19
    ./AdminNewTenantData-PostgreSQL.xml
  1. … 20 more files in changeset.
Improved: Add session tracking mode and make cookie secure (OFBIZ-6655)

Programmatically replaces the web.xml <session-config> declarations and uses

the @WebListener annotation to start the process. This avoid to duplicates

things everywhere in web.xml files. Since the web.xml files have precedence

on annotations, the setting can be easily overridden when necessary.

Now that we also use HTTPS in ecommerce the ecommerce session cookie is

also secured.

I also noted that we had 8 weird <session-timeout> declarations:

in solr component: <session-timeout>2</session-timeout>

in themes: <session-timeout>1</session-timeout>

Also in Rainbowstone we lacked the <cookie-config> and <tracking-mode>

declarations. I think it's not good.

I resolve these points by simply removing the <session-config> in web.xml files

of themes and Solr.

Thanks: Pradhan Yash Sharma for review

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1811041 13f79535-47bb-0310-9956-ffa450edef68

  1. … 27 more files in changeset.
Fixed: Found some more vlaue=dollor pattern in set element.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1806329 13f79535-47bb-0310-9956-ffa450edef68

  1. … 8 more files in changeset.
Reverted: r1791143 for "The createTenant Gradle task fails" (OFBIZ-9273)

The fix was harmless but not to the point. Taher fixed the root cause at

r1791168

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1791218 13f79535-47bb-0310-9956-ffa450edef68

Fixed: The createTenant Gradle task fails (OFBIZ-9273)

Problem:

When you enter

bq. gradlew createTenant -PtenantId=test

you get

FAILURE: Build failed with an exception.

* Where:

Build file 'C:\projectsASF\ofbiz-framework\build.gradle' line: 764

* What went wrong:

A problem occurred evaluating root project 'ofbiz'.

> Could not get unknown property 'pluginId' for task ':installAllPlugins' of

type org.gradle.api.DefaultTask.

Investigation:

This issue is due creation of build.gradle file in plugin (with empty gradle

task defined in it)

Solution:

Comment out build.gradle template content

Thanks: Deepak for confirmation, Swapnil M Mane for the investigation and patch

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1791143 13f79535-47bb-0310-9956-ffa450edef68

No functional changes, code cleaning

While working on OFBIZ-9230 I noticed those needed changes

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1785861 13f79535-47bb-0310-9956-ffa450edef68

  1. … 1 more file in changeset.