Improved: Use Error.ftl everywhere it's not yet used (OFBIZ-11890)

Removes all error*.jsp references, no longer used
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.
(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the
cookie can be sent as a result of a 'cross-site' request. The SameSite attribute
is an effective counter measure to cross-site request forgery, cross-site script
inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter
(SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generate a new jsessionId,
ultimately put in a cookie, in LoginWorker::login. So we need to add a call to
SameSiteFilter::addSameSiteCookieAttribute in
UtilHttp::setResponseBrowserDefaultSecurityHeaders.
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid a SAXParseException traceback when parsing web.xml
the first time in WebappUtil.parseWebXmlFile.

A schema conformance issue has been fixed in ecommerce “web.xml”.

(cherry picked from commit 1158664ba37264fa6b8429033bad768175ff10d5)

# Conflicts handled by hand
# msggateway/webapp/msggateway/WEB-INF/web.xml
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid a SAXParseException traceback when parsing web.xml
the first time in WebappUtil.parseWebXmlFile.

A schema conformance issue has been fixed in ecommerce “web.xml”.
"Applied fix from plugins for revision: 1851068"
------------------------------------------------------------------------
r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure
(OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML
https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove
the line

    session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion
------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/branches/release18.12@1851073 13f79535-47bb-0310-9956-ffa450edef68
"Applied fix from plugins for revision: 1851068"
------------------------------------------------------------------------
r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure
(OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML
https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove
the line

    session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion
------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/branches/release17.12@1851072 13f79535-47bb-0310-9956-ffa450edef68
Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML
https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove
the line

    session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1851068 13f79535-47bb-0310-9956-ffa450edef68
Improved: Add session tracking mode and make cookie secure (OFBIZ-6655)

Programmatically replaces the web.xml <session-config> declarations and uses
the @WebListener annotation to start the process. This avoids duplicating
things everywhere in web.xml files. Since the web.xml files have precedence
over annotations, the setting can be easily overridden when necessary.

Now that we also use HTTPS in ecommerce the ecommerce session cookie is
also secured.

I also noted that we had 8 weird <session-timeout> declarations:
in solr component: <session-timeout>2</session-timeout>
in themes: <session-timeout>1</session-timeout>

Also in Rainbowstone we lacked the <cookie-config> and <tracking-mode>
declarations. I think it's not good.

I resolve these points by simply removing the <session-config> in web.xml files
of themes and Solr.

Thanks: Pradhan Yash Sharma for review

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1811041 13f79535-47bb-0310-9956-ffa450edef68
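The two cookie hardenings described in the OFBIZ-6655 and OFBIZ-11470 messages above, as one added example that is not OFBiz's own code: a @WebListener restricts session tracking to a Secure, HttpOnly cookie, and a filter it registers rewrites every Set-Cookie header to carry SameSite=Strict, since javax.servlet 3.x offers no setter for that attribute. The class names are assumptions; the API is javax.servlet 3.x as shipped with Tomcat 8/9.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical listener: session-cookie hardening with no <session-config> in web.xml. */
@WebListener
public class CookieHardeningListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Carry the session id only in a cookie: ids in URLs (;jsessionid=...) leak
        // through access logs and Referer headers.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // not readable by script
        cookie.setSecure(true);   // sent over HTTPS only
        // javax.servlet 3.x has no SameSite setter, so the attribute is added by
        // rewriting the Set-Cookie headers after each request.
        FilterRegistration.Dynamic reg = ctx.addFilter("SameSiteFilter", SameSiteFilter.class);
        reg.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), true, "/*");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    /** Appends SameSite=Strict to every Set-Cookie header the request produced. */
    public static class SameSiteFilter implements Filter {
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            chain.doFilter(req, res);
            // Post-processing only sees cookies that exist at this point and an uncommitted
            // response. Code that issues a cookie later, or right before a redirect commits
            // the response (a fresh session id after login), must call this itself.
            addSameSiteCookieAttribute((HttpServletResponse) res);
        }

        public static void addSameSiteCookieAttribute(HttpServletResponse resp) {
            if (resp.isCommitted()) {
                return; // headers are already on the wire
            }
            List<String> cookies = new ArrayList<>(resp.getHeaders("Set-Cookie"));
            for (int i = 0; i < cookies.size(); i++) {
                String h = cookies.get(i);
                if (!h.toLowerCase(Locale.ROOT).contains("samesite=")) {
                    h += "; SameSite=Strict";
                }
                if (i == 0) {
                    resp.setHeader("Set-Cookie", h); // replaces all existing copies
                } else {
                    resp.addHeader("Set-Cookie", h);
                }
            }
        }
    }
}
```

SameSite=Strict also withholds the cookie on top-level navigations arriving from another site (payment-provider or SSO returns), so an application that receives such redirects needs Lax on the affected cookie.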
Fixed: Consistency and Readability improvements for view-map tag (OFBIZ-9110)

Consistency on the attribute order for view-map element as: name, type, page

Thanks to Ankush Upadhyay and Devanshu Vyas for the issue and the corrective patch

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1805891 13f79535-47bb-0310-9956-ffa450edef68
No functional change, updates Supported Content Types in the example controller to be the same as in the birt controller

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/plugins@1781037 13f79535-47bb-0310-9956-ffa450edef68

Implemented: removed the "controller" related logic, that is now provided by the new ControlFilter, from the ContextFilter; modified existing applications to use the two filters in a chain; removed from the other specialized filters all the logic that was duplicated or extended from ContextFilter.

A web application, in order to leverage the OFBiz framework, requires that a
series of objects are in its contexts (servlet context, session and request)
such as "delegator", "delegatorName", "dispatcher", "security" etc.
This setup is performed by the logic contained in the servlet filter implemented
by the ContextFilter class.
The execution of this logic is required for the application to run properly.
However, before this commit, in the ContextFilter there was other logic, related
to access control and redirection rules (some of them performed in coordination
with the ControlServlet), making it difficult to deploy this filter in all the
web applications, especially the ones that implement special handling of paths.
In fact, this filter was deployed in most but not all the web applications in the
OFBiz codebase: specifically it was not deployed in web applications that
require the execution of other filters (e.g. CatalogUrlFilter, etc.) like the
ones in the "ecommerce" and "solr" components.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1761304 13f79535-47bb-0310-9956-ffa450edef68
[OFBIZ-7311] - Applied the patch from the ticket. Removing the unused references of the maincss.css from source code, the following is done:

1) Removed the 'maincss.css' entry from the 'allowedPaths' param of web.xml. Reason: there is no file like 'maincss.css' under any includes directory.

2) Removed the unused references of maincss.css from FTLs; the code <link rel="stylesheet" href="${StringUtil.wrapString(baseUrl!)}/images/maincss.css" type="text/css"/> has been removed. Reason: this is an interesting thing, these FTLs were using the maincss.css located under the images directory. When I looked at the history of these files, the following were my findings: the 'maincss.css' file under the 'images' directory exists in release4.0 http://svn.apache.org/repos/asf/ofbiz/branches/release4.0/framework/images/webapp/images/ and after this release this file no longer exists there.

3) Also, I have updated one file 'InventoryNoticeEmail.ftl' and used basic HTML code to style it, instead of using the style defined in 'maincss.css' which existed in release-4.0.

4) Updated some references from 'maincss.css' to style.css in comments.

5) Also removed the entry including '/images/maincss.css' and '/images/mainrtl.css' in SimpleDecorator since these files no longer exist after release-4.0.

Thanks Wai for reviewing the work and thanks Swapnil M Mane for the contribution.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1758389 13f79535-47bb-0310-9956-ffa450edef68
(OFBIZ-6274) Renamed OFBiz artefacts from org.ofbiz.* to org.apache.ofbiz.*. Thanks to Taher for working on it.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1752920 13f79535-47bb-0310-9956-ffa450edef68
A patch from Amardeep Singh Jhajj for "Add websocket support in OFBiz" https://issues.apache.org/jira/browse/OFBIZ-7073
It also contains a slightly modified patch from Amardeep Singh Jhajj for "WebSocket Example - Push Notifications" - https://issues.apache.org/jira/browse/OFBIZ-7467 - It's adding a working example (in the example application) of WebSocket support

I tried to use websockets in OFBiz. I simply added tomcat-embed-websocket.jar in catalina lib and created one webapp for websocket and also added a server endpoint class.

It didn't work. After that, I tried the same thing with a plain j2ee application with embedded tomcat. It worked there.

I researched the above issue in OFBiz and got the reason. The WebSocket implementation needs jar scanning enabled and it is currently disabled in OFBiz. Below is the code snippet disabling the jar scan from CatalinaContainer.java:

    JarScanner jarScanner = context.getJarScanner();
    if (jarScanner instanceof StandardJarScanner) {
        StandardJarScanner standardJarScanner = (StandardJarScanner) jarScanner;
        standardJarScanner.setScanClassPath(false);
    }

Enabling jar scanning increases OFBiz server startup time by up to a couple of minutes (in my case, it took approx 8 minutes), so we don't want this much startup time for OFBiz.

I found the following document, which gives the reason why websocket is not working if scanning is disabled:
https://wiki.apache.org/tomcat/HowTo/FasterStartUp

Here tips are given to decrease the startup time. These tips also include disabling jar scanning.

We can say disabling jar scanning is the right approach because if we enable it then the scanner will scan all the jars loaded at OFBiz startup, which we don't want.

But if we want websockets working then we have to enable jar scanning.

For enabling jar scanning, we need the code below:

    standardJarScanner.setScanClassPath(true); // Will increase server startup time.

Solution: We can add a filter on jar scanning. It will allow only some kinds of jars. For example: jars having websocket endpoints. I am attaching a patch for the same here.

I added a filter such that only if the jar name string contains the word "discoverable" will it be considered for the jar scan. We can change the jar name of our jars using build.xml to make them discoverable for jar scanning.

For example: I have added my websocket endpoint class in "specialpurpose/ecommerce/src" and changed the "name" property in build.xml of the ecommerce component from "ofbiz-ecommerce" to "ofbiz-ecommerce-discoverable". Here is the code snippet from build.xml:

    <property name="name" value="ofbiz-ecommerce-discoverable"/>

This change will create the jar with name "ofbiz-ecommerce-discoverable.jar" in "ecommerce/build/lib/".

Now the created jar will be scanned by the jar scanner as its name contains the word "discoverable".

This change will not increase server start up time by more than a couple of seconds (in my case, it was just two seconds). So scanning time totally depends on the list of jars scanned.

Conclusion: We can use websocket support with the help of jar filters.

The very basic working example of sending push notifications to all connected clients using WebSocket added by Amardeep Singh Jhajj works as follows:

1. Adds support to show push notifications over every screen of the example application using WebSocket when any example is created or updated.
2. As it's an example, for now push notifications will only be for example creation and update using SECAs.
3. Push notification will be shown on screen for 5 seconds only; we can close it before 5 seconds using the close button if needed.

The UI of the notification pop-up can be changed. I kept it simple (no fancy work) to just demonstrate the WebSocket usage.

To see it in action, please follow the steps given in OFBIZ-7073 and apply the patch given here.

jleroux: I committed the 2 patches at the same time because the changes in .classpath and the LICENSE files were in the example patch for OFBIZ-7467.

I also slightly modified the example patch in order to provide an example where no sync issues are possible by using a Collections.synchronizedSet for the javax.websocket.Session Set. I also used synchronized loops as is required for synchronizedSet where it's used. I know it's rather symbolic in the example component but it will remind developers of the possible sync issue.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1750557 13f79535-47bb-0310-9956-ffa450edef68
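The jar-scan filter the message above describes, as an added example written against Tomcat's org.apache.tomcat.JarScanFilter API (not the committed OFBiz patch): class-path scanning is turned back on so Tomcat can hand @ServerEndpoint classes to the WebSocket initializer, but only jars whose file name carries the "discoverable" marker are scanned. The class name and the install() helper are assumptions.

```java
import java.util.Locale;
import org.apache.catalina.Context;
import org.apache.tomcat.JarScanFilter;
import org.apache.tomcat.JarScanType;
import org.apache.tomcat.JarScanner;
import org.apache.tomcat.util.scan.StandardJarScanner;

/**
 * Hypothetical filter: lets Tomcat scan for ServletContainerInitializers and
 * annotated classes only in jars that opted in through a name marker.
 */
public final class DiscoverableJarScanFilter implements JarScanFilter {

    /** Jars are renamed to *-discoverable.jar (the build.xml change in the message) to opt in. */
    static final String MARKER = "discoverable";

    @Override
    public boolean check(JarScanType jarScanType, String jarName) {
        // Tomcat passes the bare file name, e.g. "ofbiz-ecommerce-discoverable.jar".
        // The same filter is consulted for WEB-INF/lib jars, so a webapp whose own
        // jars must be scanned either carries the marker or is allowed here by type.
        return jarName != null && jarName.toLowerCase(Locale.ROOT).contains(MARKER);
    }

    /** Replaces the scanner setup quoted in the message (setScanClassPath(false)). */
    public static void install(Context context) {
        JarScanner jarScanner = context.getJarScanner();
        if (jarScanner instanceof StandardJarScanner) {
            StandardJarScanner scanner = (StandardJarScanner) jarScanner;
            // Required: the WebSocket SCI (WsSci) only receives @ServerEndpoint classes
            // that this class-path scan found.
            scanner.setScanClassPath(true);
            // Bounds the cost: every other class-path jar is skipped. Note this replaces
            // the default StandardJarScanFilter, so its jarsToSkip/jarsToScan lists no
            // longer apply to this context.
            scanner.setJarScanFilter(new DiscoverableJarScanFilter());
        }
    }
}
```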

Fixes a "typo" in last commit for "Autocompletion for Compound Widget" - https://issues.apache.org/jira/browse/OFBIZ-7061

We used targetNamespace (should only be used in schema) instead of xsi:schemaLocation

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1749634 13f79535-47bb-0310-9956-ffa450edef68

Completes and finishes "Autocompletion for Compound Widget" - https://issues.apache.org/jira/browse/OFBIZ-7061

This is the 2nd step: puts back the original names, so it will be transparent for remaining references in xml catalogs, Java code, etc.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1749489 13f79535-47bb-0310-9956-ffa450edef68

Completes and finishes "Autocompletion for Compound Widget" - https://issues.apache.org/jira/browse/OFBIZ-7061 by replacing xsd file references in xml files with -ns.xsd files and removing the concerned xsd files

This is a 1st step, in a 2nd I will put back the original names, so it will be transparent for remaining references in xml catalogs, Java code, etc.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1749488 13f79535-47bb-0310-9956-ffa450edef68
(OFBIZ-7238) Relocate .groovy files in the specialpurpose/example component

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1747787 13f79535-47bb-0310-9956-ffa450edef68

add missing content-type on ExampleReportXls to force the mime file type sent to the user. Correct previous commit related to OFBIZ-6931.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1746087 13f79535-47bb-0310-9956-ffa450edef68

Add xls screen renderer to convert a screen definition like an html flow, directly readable by a spreadsheet application. In addition, add an export example button on the FindExample screen and add a complete macro ftl renderer unit test. Issue OFBIZ-6931 proposed by Leila Mekika. Thanks to her, jacques and pierre for their remarks.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1746045 13f79535-47bb-0310-9956-ffa450edef68
(OFBIZ-6831) relocate .ftl files in the specialpurpose/example component.

Thanks Pierre for your contribution.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1740583 13f79535-47bb-0310-9956-ffa450edef68

A combined patch from Adrian's, James Yong's and my work for "Add Support For Compound Screen Widget XML Files" - https://issues.apache.org/jira/browse/OFBIZ-4090 and "Add Example for Compound Screen Widget" - https://issues.apache.org/jira/browse/OFBIZ-6990

Adrian: This adds the ability to include screen widgets, form widgets, menu widgets, and simple methods in a single XML file. This approach could be used in situations where the widgets share a logical grouping - so they can be kept in one place.

James: An example to test out Compound Screen Widget

jleroux: here are the changes and tests globally

# As James mentioned we no longer need *-v2.xsd files, I removed them from Adrian's patch
# I created a compound-widgets.xsd based on Adrian's and James Yong's previous work. From Paul Foxworthy's comment in OFBIZ-4090, I decided to name the root compound-widgets (hence the file name). I arranged its elements in another way, see below with ExampleCompoundWidgets.xml
# I slightly modified James Yong's ExampleCompoundScreenWidget.xml file and renamed it ExampleCompoundWidgets.xml. I added an "s" because there are several OFBiz widgets gathered in one place. For the modifications: I simply changed the names and arranged the elements in another way which I find better suited. I'm used to first creating the query, then the menus, the screens and their forms. We rarely use widget-trees but it's there also. Finally the simple-method at the end, if any. The order is not enforced though, so everybody can use her/his own :)
# I added a French label
# I completed the widget-catalog.xml with this new entry and tested locally in Eclipse by reloading the XML catalog entries.

I hope I did not miss nor mix things, the local instance I used is a bit overcrowded with pending changes...

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1738958 13f79535-47bb-0310-9956-ffa450edef68
Temporary fix for "UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-app_3_0.xsd]" - https://issues.apache.org/jira/browse/OFBIZ-6807

As suggested by Deepak, keeps only <<web-app version="3.0">> in web.xml files instead of the whole xmlns and schemaLocation.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1726388 13f79535-47bb-0310-9956-ffa450edef68
(OFBIZ-6655) Add session tracking mode and make cookie secure for all special purpose components. Also updated the web-app version for web.xml files.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1724940 13f79535-47bb-0310-9956-ffa450edef68
Part of previous commit, just missed it, no functional changes

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1707948 13f79535-47bb-0310-9956-ffa450edef68

[OFBIZ-6171] Applied patch from Pierre Smits for replacing 'Open for Business' references with 'Apache OFBiz'. Thanks Pierre for the contribution.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1706589 13f79535-47bb-0310-9956-ffa450edef68
OFBIZ-4154 Use ZXing to generate QR 2d barcode.

1. Add zxing-core-3.2.0.jar to framework/base/lib and .classpath.

2. Add services_qrcode.xml and QRCodeService.java in framework/common/.

3. Add qrcode request in common-controller.xml and QRCodeEvents.java under framework/common/.

4. Add qrcode.properties and QRCodeUiLabels.xml under framework/common/.

5. Add a barcode example page in specialpurpose/example, entry is on page: /example/control/EditExample?exampleId=EX01, the example can be seen on page: /example/control/ExampleReportPdfBarcode?exampleId=EX01

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1696921 13f79535-47bb-0310-9956-ffa450edef68
