Improved: Prevent recurring errors block due to generateTokenForNonAjax
(OFBIZ-11609)

Fixes checkstyle. I removed a space after a cast. That's how I wrote it so far and that was wrong. BTW I did not invent it, our code is riddled with it :/
https://www.oracle.com/technetwork/java/javase/documentation/codeconventions-141388.html

Improved: Prevent recurring errors block due to generateTokenForNonAjax
(OFBIZ-11609)

Fixes the if(test): toString() is not the same as getCanonicalName()

Also while at it, in case of exception, uses NoCsrfDefenseStrategy as default

Improved: Prevent recurring errors block due to generateTokenForNonAjax
(OFBIZ-11609)

Fixes checkstyle issues

Improved: Prevent recurring errors block due to generateTokenForNonAjax
(OFBIZ-)

After the VM demos crash yesterday, I had a look at the log of trunk demo and found a lot of recurring errors block due to CsrfUtil::generateTokenForNonAjax. It's not a big deal but it's annoying to have such useless errors cluttering the logs

Improved: follow checkstyle conventions in files committed for CSRF token defense

Mostly manually-automated, so some changes are not perfect. I have manually changed back excessive ones

Comments out ArrayTypeStyle checkstyle

Updates checkstyleMain.maxErrors

    • -10/+12 ./ofbiz/security/CsrfDefenseStrategy.java
    • -2/+3 ./ofbiz/security/ICsrfDefenseStrategy.java
  … 12 more files in changeset.
Improved: replaces module with MODULE everywhere

  … 682 more files in changeset.
Improved: fixes a Javadoc issue

Implemented: POC for CSRF Token (OFBIZ-11306)

Simple strategy is to rely on SameSite 'strict' value in SameSiteFilter in all supported branches. No backport needed with the changes here.

Thanks: James for all the good work we did together :)

  … 1 more file in changeset.
Revert "Merge branch 'JacquesLeRoux-POC-for-CSRF-Token-OFBIZ-11306' into trunk"

This reverts commit 27e57522b15d71352c61919befc6eb451ed4e864.

    • -93/+0 ./ofbiz/security/CsrfDefenseStrategy.java
    • -55/+0 ./ofbiz/security/ICsrfDefenseStrategy.java
  … 24 more files in changeset.
Revert "Merge branch 'JacquesLeRoux-POC-for-CSRF-Token-OFBIZ-11306' into trunk"

This reverts commit 0add8bedbca231ffd839eb733f1041ce5487e9d6.

    • -93/+0 ./ofbiz/security/CsrfDefenseStrategy.java
    • -55/+0 ./ofbiz/security/ICsrfDefenseStrategy.java
  … 34 more files in changeset.
Merge branch 'JacquesLeRoux-POC-for-CSRF-Token-OFBIZ-11306' into trunk

Because of GitHub message on PR56: This branch cannot be rebased due to conflicts

Many conflicts, but that should be OK

    • -0/+93 ./ofbiz/security/CsrfDefenseStrategy.java
    • -0/+358 ./ofbiz/security/CsrfUtil.java
    • -0/+55 ./ofbiz/security/ICsrfDefenseStrategy.java
    • -0/+50 ./ofbiz/security/NoCsrfDefenseStrategy.java
  … 24 more files in changeset.
Merge branch 'JacquesLeRoux-POC-for-CSRF-Token-OFBIZ-11306' into trunk

Because of GitHub message on PR56: This branch cannot be rebased due to conflicts

Conflicts handled by hand in RequestHandler.java

    • -0/+93 ./ofbiz/security/CsrfDefenseStrategy.java
    • -0/+358 ./ofbiz/security/CsrfUtil.java
    • -0/+55 ./ofbiz/security/ICsrfDefenseStrategy.java
    • -0/+50 ./ofbiz/security/NoCsrfDefenseStrategy.java
  … 34 more files in changeset.
Improved: Implemented: Documented: Completed: Reverted: Fixed:
(OFBIZ-)

Explanation

Thanks:

Improved: Implemented: Documented: Completed: Reverted: Fixed: Improved: no functional change (OFBIZ-) Explanation Thanks:

    • -0/+93 ./ofbiz/security/CsrfDefenseStrategy.java
    • -0/+358 ./ofbiz/security/CsrfUtil.java
    • -0/+55 ./ofbiz/security/ICsrfDefenseStrategy.java
    • -0/+50 ./ofbiz/security/NoCsrfDefenseStrategy.java
  … 37 more files in changeset.
Creates new POC-for-CSRF-Token-OFBIZ-11306 branch

To share with James and others and later, when OK, to create a PR

    • -0/+93 ./ofbiz/security/CsrfDefenseStrategy.java
    • -0/+358 ./ofbiz/security/CsrfUtil.java
    • -0/+55 ./ofbiz/security/ICsrfDefenseStrategy.java
    • -0/+50 ./ofbiz/security/NoCsrfDefenseStrategy.java
  … 37 more files in changeset.
Improved: Error in user impersonation with sub permission (OFBIZ-11342)

Improved javadoc
Set 'checkMultiLevelAdminPermissionValidity' visibility to default
Add another test verifying that hierarchy in permission is respected

Thanks Mathieu for your review

  … 1 more file in changeset.
Improved: Error in user impersonation with sub permission (OFBIZ-11342)

Improved javadoc
Set 'checkMultiLevelAdminPermissionValidity' visibility to default
Add another test verifying that hierarchy in permission is respected

Thanks Mathieu for your review

  … 1 more file in changeset.
Revert "Fixed: Error in user impersonation with sub permission (OFBIZ-11342)"

This reverts commit 73b7abbd

    • -168/+0 ./ofbiz/security/SecurityUtil.java
  … 1 more file in changeset.
Fixed: Error in user impersonation with sub permission (OFBIZ-11342)

Add unit tests for permission control feature.
Add new method to manage multilevel permission control.
This allows a user with PARTYMGR_ADMIN permission to impersonate another user with PARTYMGR_PCM_CREATE permission.

  … 1 more file in changeset.
Fixed: Error in user impersonation with sub permission (OFBIZ-11342)

Add unit tests for permission control feature.
Add new method to manage multilevel permission control.
This allows a user with PARTYMGR_ADMIN permission to impersonate another user with PARTYMGR_PCM_CREATE permission.

    • -0/+168 ./ofbiz/security/SecurityUtil.java
  … 1 more file in changeset.
Fixed: Error in user impersonation with sub permission (OFBIZ-11342)

Add unit tests for permission control feature.
Add new method to manage multilevel permission control.
This allows a user with PARTYMGR_ADMIN permission to impersonate another user with PARTYMGR_PCM_CREATE permission.

  … 1 more file in changeset.
Fixed: Any ecommerce user has the ability to reset another's password (including admin) via 'Forget Your Password' (OFBIZ-4361) Trunk backport r1866478 and r1866518

Currently, any user (via ecommerce 'Forget Your Password') has the ability to reset another user's password, including 'admin', without permission.

By simply entering 'admin' and clicking 'Email Password', the following is displayed:

The following occurred:
A new password has been created and sent to you. Please check your Email.

This now forces the user of the ERP to change their password.

It is also possible to generate a dictionary attack against ofbiz because there is no captcha code required. This is a serious security risk.

I have modified the patch following comments I made in the Jira, notably:
Removed unused Java variables
Removed a check in LoginEvents::forgotPassword which prevented showing error messages
Changed fr and en SecurityExtPasswordSentToYou + SecurityExtThisEmailIsInResponseToYourRequestToHave labels + template PasswordEmail.ftl + loginservices.token_incorrect labels
Added fr and en SecurityExtIgnoreEmail + SecurityExtLinkOnce labels
Removed changes in general.properties
I did not remove the 2 GetSecurityQuestion.ftl files (webpos one was still in)

There is still room for improvement. I'll discuss them on the Jira and dev ML. But this version is already strong enough to not wait until the patch is inapplicable!

Thanks: mz4wheeler (Mike Z) for the Jira, Nicolas Malin for the patch, I guess with some of Gil's help, and all others for comments and ideas

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1867296 13f79535-47bb-0310-9956-ffa450edef68

  … 22 more files in changeset.
Fixed: Any ecommerce user has the ability to reset another's password (including admin) via "Forget Your Password" (OFBIZ-4361)

Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another user's password, including "admin", without permission.

By simply entering "admin" and clicking "Email Password", the following is displayed:

The following occurred:
A new password has been created and sent to you. Please check your Email.

This now forces the user of the ERP to change their password.

It is also possible to generate a dictionary attack against ofbiz because there is no captcha code required. This is a serious security risk.

I have modified the patch following comments I made in the Jira, notably:
Removed unused Java variables
Removed a check in LoginEvents::forgotPassword which prevented showing error messages
Changed fr and en SecurityExtPasswordSentToYou + SecurityExtThisEmailIsInResponseToYourRequestToHave labels + template PasswordEmail.ftl + loginservices.token_incorrect labels
Added fr and en SecurityExtIgnoreEmail + SecurityExtLinkOnce labels
Removed changes in general.properties
I did not remove the 2 GetSecurityQuestion.ftl files (webpos one was still in)

There is still room for improvement. I'll discuss them on the Jira and dev ML. But this version is already strong enough to not wait until the patch is inapplicable!

Thanks: mz4wheeler (Mike Z) for the Jira, Nicolas Malin for the patch, I guess with some of Gil's help, and all others for comments and ideas

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1866478 13f79535-47bb-0310-9956-ffa450edef68

  … 22 more files in changeset.
Improved: Use the ‘@Override’ annotation (OFBIZ-10939)

The ‘@Override’ annotation helps readers understand that the method at hand is overriding a super class or implementing an interface. Additionally it allows the compiler to check if the methods annotated with ‘@Override’ are actually implementing an abstract method.

Using that annotation makes ‘@see foo.bar.ParentClass#myMethod’ comments useless, so those have been removed for the newly annotated methods.

Thanks Jacques Le Roux and Swapnil M Mane for acknowledging the commit.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1858295 13f79535-47bb-0310-9956-ffa450edef68

  … 168 more files in changeset.
Improved: Fix or Silence various warnings (OFBIZ-10701)

In order to detect potential issues early, the linting compiler option should be used by default and disabled with {{./gradlew -PXlint:none build}}. Additionally it is important to reduce the number of warnings, otherwise new warnings will remain unnoticed.

The warning related to the com.googlecode.concurrentlinkedhashmap dependency should resolve itself once we handle the upgrade to Caffeine as proposed in OFBIZ-6747.

Thanks: Mathieu Lirzin

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1848673 13f79535-47bb-0310-9956-ffa450edef68

  … 128 more files in changeset.
Implemented: Impersonation of userLogin feature (OFBIZ-10515)

Introduce a new feature that allows the impersonation of a login by an authorized user.

Add the documentation with all the details in security-impersonation.adoc.

Big thanks to Leila, Nicolas and Jacques for your contribution to this implementation.
Big thanks to Mathieu, Jacques, Pierre and Taher for your remarks and reviews that improved this contribution's quality.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1842110 13f79535-47bb-0310-9956-ffa450edef68

    • -0/+122 ./ofbiz/security/SecurityUtil.java
  … 30 more files in changeset.
Improved: Always check if debug verbose is on when using Debug.logVerbose() (OFBIZ-10052)

This completes r1818010, there were many more cases.

Also a few tabs automatically replaced by spaces

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1818020 13f79535-47bb-0310-9956-ffa450edef68

  … 43 more files in changeset.
Improved: Always check if debug verbose is on when using Debug.logVerbose() (OFBIZ-10052)

We discussed this point: http://markmail.org/message/mplvusuqn7oshl4v
and we agreed about better doing a check when using Debug.logVerbose().

I checked there are 300+ cases like that. Since it's an easy S/R, this implements it

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1818005 13f79535-47bb-0310-9956-ffa450edef68

  … 95 more files in changeset.
Improved: Manage life span of SecurityGroupPermission entity. Applied patch from jira issue (OFBIZ-9801). Thanks Suraj Khurana for your contribution

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1812383 13f79535-47bb-0310-9956-ffa450edef68

  … 43 more files in changeset.
Improved: Fixing defects reported by FindBugs, package org.apache.ofbiz.security. (OFBIZ-9635)

Thanks Dennis Balkir for reporting and providing the patch.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1811429 13f79535-47bb-0310-9956-ffa450edef68