ofbiz-user mailing list archives

From "Jacques Le Roux" <jacques.le.r...@les7arts.com>
Subject Re: how to set security and permissions precedence
Date Mon, 04 Aug 2008 04:16:39 GMT
This works for sure from r682228, please check your local instance...
Except of course if we don't speak about the _SAME behavior_ (see my previous posts in ML)

Jacques

From: "Milind W" <mailinglist@mymunshi.com>
>I got the updated files.
> Did ant clean and then a new build.
> I still see the SAME behavior described in my previous email.
> I am attaching my controller.xml
> 
>> here is the fix
>> http://svn.apache.org/viewvc?rev=682228&view=rev
>>
>> Milind W sent the following on 8/3/2008 4:27 PM:
>>> Just tried "ant clean" it made no difference.
>>> I can proceed to main without being redirected to login with rev#679258.
>>>
>>>
>>> Relevant log for rev#679258
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:584:INFO ] servletName=control, view=main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: apache tomcat/6.0.16
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>>>
>>> and with rev#677863
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:236:INFO ] [Processing Request]: main sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:262:INFO ] reqParams Map: []
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:263:INFO ] queryString:
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:273:INFO ] checkLogin: queryString=
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:578:INFO ] servletName=control, view=login sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>>>
>>> The loginworker seems to be invoked with rev#677863 and not with
>>> rev#679258.
>>> Any Idea?
>>>
>>>> Did you try an "ant clean"? There have been some changes recently that imply this cleanup.
>>>>
>>>> Jacques
>>>>
>>>> From: "Milind W" <mailinglist@mymunshi.com>
>>>>> Looks like I have a problem making this example work with revision#679258
>>>>>
>>>>> It worked fine (i.e. I was redirected to login screen before I could get to main) with rev#677863
>>>>>
>>>>> Looks like the view
>>>>> <view-map name="login" type="screen" page="component://marketing/widget/CommonScreens.xml#login" />
>>>>> is part of the problem. The CommonScreens.xml has moved and no longer seems to have the 'login' screen.
>>>>>
>>>>> I tried finding another screen with the 'login' view. I found another one in the 'common' component and modified my hello controller to point to
>>>>> <view-map name="login" type="screen" page="component://common/widget/CommonScreens.xml#login"/>
>>>>> but it is not acting the same as previously.
>>>>>
>>>>> Please let me know what is missing (or any suggestion how best to illustrate login) so I can complete and contribute my tutorial for security. Would hate to create a tutorial that worked with one specific build.
>>>>>
>>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>>>
>>>>> Thanks
>>>>> -Milind
>>>>>
>>>>>> hi,
>>>>>> I got login to work by adding the changes below to my controller using ofbiz4.0.
>>>>>> I don't think I follow the reason with OFBTOOLS base permission not taking effect in the ofbiz-component as explained in OFBIZ-829.
>>>>>> But I agree with Si Chen on OFBIZ-829
>>>>>> "The right way is to assume no permission until one of the list of permissions is met." Seems more intuitive.
>>>>>> For now I can workaround it so thanks all.
>>>>>> -Milind
>>>>>>
>>>>>>
>>>>>>
>>>>>> <preprocessor>
>>>>>>     <!-- Events to run on every request before security (chains exempt) -->
>>>>>>     <!-- <event type="java" path="org.ofbiz.webapp.event.TestEvent" invoke="test"/> -->
>>>>>>     <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkExternalLoginKey"/>
>>>>>> </preprocessor>
>>>>>>
>>>>>> <!-- Request Mappings -->
>>>>>>
>>>>>> <request-map uri="checkLogin" edit="false">
>>>>>>     <description>Verify a user is logged in.</description>
>>>>>>     <security https="false" auth="false"/>
>>>>>>     <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="checkLogin" />
>>>>>>     <response name="success" type="view" value="main" />
>>>>>>     <response name="error" type="view" value="login" />
>>>>>> </request-map>
>>>>>>
>>>>>> <request-map uri="login">
>>>>>>     <security https="false" auth="false"/>
>>>>>>     <event type="java" path="org.ofbiz.webapp.control.LoginWorker" invoke="login"/>
>>>>>>     <response name="success" type="view" value="main"/>
>>>>>>     <response name="error" type="view" value="login"/>
>>>>>> </request-map>
>>>>>>
>>>>>> <request-map uri="main">
>>>>>>     <security https="false" auth="true" />
>>>>>>     <response name="success" type="view" value="main"/>
>>>>>> </request-map>
>>>>>>
>>>>>> <view-map name="login" type="screen" page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>
>>>>>>
>>>>>>> Not with a direct link to the comment where is the explanation ;p
>>>>>>> Actually it was more a didactic post
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>> From: "BJ Freeman" <bjfree@free-man.net>
>>>>>>>> LOL
>>>>>>>> that was the first link I sent on this thread.
>>>>>>>>
>>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>>>
>>>>>>>>> You would have got
>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jacques
>>>>>>>>>
>>>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>>>> <mailinglist@mymunshi.com>
>>>>>>>>> To: <user@ofbiz.apache.org>
>>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Let me try to break up questions.
>>>>>>>>>> Shouldn't adding
>>>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user id that is associated to the OFBTOOLS security group?
>>>>>>>>>> I can see the application I created and the line seems to have no effect.
>>>>>>>>>> What is the purpose of the line?
>>>>>>>>>> Thanks
>>>>>>>>>> -Milind
>>>>>>>>>>
>>>>>>>>>>> Please note that opentaps is not at the same level of revision that ofbiz is;
>>>>>>>>>>> there have been changes to security.
>>>>>>>>>>> there are examples in the framework/example and framework/exampleext
>>>>>>>>>>> I believe this to be a better tutorial since they work already.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>>
>>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>>
>>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>>> hi,
>>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>>> I want to understand how security works so I made the following modifications to hello1
>>>>>>>>>>>>>> 1) I added base-permission="OFBTOOLS" to the ofbiz-component.xml
>>>>>>>>>>>>>> I could still see the application
>>>>>>>>>>>>>> I was assuming the application would ask me to login or prevent me from seeing the page.
>>>>>>>>>>>>>> 2) I added <security> to the main request
>>>>>>>>>>>>>> <request-map uri="main">
>>>>>>>>>>>>>> <security https="false" auth="true"/>
>>>>>>>>>>>>>> <response name="success" type="view" value="main"/>
>>>>>>>>>>>>>> </request-map>
>>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the browser.
>>>>>>>>>>>>>> How do permissions precedence work starting from the UI to the entity layer.
>>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:159:WARN ] [RequestManager.getEventType] Type of event for request "checkLogin" not found
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:146:WARN ] [RequestManager.getEventPath] Path of event for request "checkLogin" not found
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:172:WARN ] [RequestManager.getEventMethod] Method of event for request "checkLogin" not found
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ ControlServlet.java:205:ERROR]
>>>>>>>>>>>>>> ---- runtime exception report --------------------------------------------------
>>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>>> ---- stack trace ---------------------------------------------------------------
>>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>>>>
>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
>
