From: BJ Freeman
Date: Sun, 03 Aug 2008 21:21:51 -0700
To: user@ofbiz.apache.org
Subject: Re: how to set security and permissions precedence

your controller does not conform to the current svn controllers.
please review them.

Milind W sent the following on 8/3/2008 5:35 PM:
> I got the updated files.
> Did ant clean and then a new build.
> I still see the SAME behavior described in my previous email.
> I am attaching my controller.xml
>
>> here is the fix
>> http://svn.apache.org/viewvc?rev=682228&view=rev
>>
>> Milind W sent the following on 8/3/2008 4:27 PM:
>>> Just tried "ant clean" it made no difference.
>>> I can proceed to main without being redirected to login with rev#679258.
>>>
>>> Relevant log for rev#679258
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:433:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [RequestHandler.java:584:INFO ] servletName=control, view=main sessionId=B2364C2D58837E9163B9B9214E2228FA.jvm1
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: apache tomcat/6.0.16
>>> 2008-08-03 16:15:04,515 (http-0.0.0.0-8080-1) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>>>
>>> and with rev#677863
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:236:INFO ] [Processing Request]: main sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:262:INFO ] reqParams Map: []
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:263:INFO ] queryString:
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:273:INFO ] checkLogin: queryString=
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ LoginWorker.java:274:INFO ] checkLogin: PathInfo=/main
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:425:INFO ] [RequestHandler.doRequest]: Response is a view. sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ RequestHandler.java:578:INFO ] servletName=control, view=login sessionId=72EE22303A9A4DCDB76F64EE41F963DA.jvm1
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:69 :INFO ] serverInfo: Apache Tomcat/5.5.20
>>> 2008-08-03 18:11:55,343 (http-0.0.0.0-8080-Processor4) [ UtilJ2eeCompat.java:78 :INFO ] Apache Tomcat detected, using response.getWriter to write text out instead of response.getOutputStream
>>>
>>> The loginworker seems to be invoked with rev#677863 and not with rev#679258.
>>> Any idea?
>>>
>>>> Did you try an "ant clean"? There have been some changes recently that
>>>> imply this cleanup.
>>>>
>>>> Jacques
>>>>
>>>> From: "Milind W"
>>>>> Looks like I have a problem making this example work with revision#679258
>>>>>
>>>>> It worked fine (i.e. I was redirected to login screen before I could get to
>>>>> main) with rev#677863
>>>>>
>>>>> Looks like the view
>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>> is part of the problem. The CommonScreens.xml has moved and no longer
>>>>> seems to have the 'login' screen.
>>>>>
>>>>> I tried finding another screen with the 'login' view. I found another one
>>>>> in the 'common' component and modified my hello controller to point to
>>>>> page="component://common/widget/CommonScreens.xml#login"/>
>>>>> but it is not acting the same as previously.
>>>>>
>>>>> Please let me know what is missing (or any suggestion how best to
>>>>> illustrate login) so I can complete and contribute my tutorial for
>>>>> security. Would hate to create a tutorial that worked with one specific
>>>>> build.
>>>>>
>>>>> http://ofbiz.markmail.org/search/?q=Milind+W#query:Milind%20W+page:2+mid:kwgcnrsxjigfilp2+state:results
>>>>>
>>>>> Thanks
>>>>> -Milind
>>>>>
>>>>>> hi,
>>>>>> I got login to work by adding the changes below to my controller using
>>>>>> ofbiz4.0.
>>>>>> I don't think I follow the reason with OFBTOOLS base permission not
>>>>>> taking effect in the ofbiz-component as explained in OFBIZ-829.
>>>>>> But I agree with Si Chen on OFBIZ-829
>>>>>> "The right way is to assume no permission until one of the list of
>>>>>> permissions is met." Seems more intuitive.
>>>>>> For now I can work around it so thanks all.
>>>>>> -Milind
>>>>>>
>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>> invoke="checkExternalLoginKey"/>
>>>>>>
>>>>>> Verify a user is logged in.
>>>>>>
>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>> invoke="checkLogin" />
>>>>>>
>>>>>> path="org.ofbiz.webapp.control.LoginWorker"
>>>>>> invoke="login"/>
>>>>>>
>>>>>> page="component://marketing/widget/CommonScreens.xml#login" />
>>>>>>
>>>>>>> Not with a direct link to the comment where is the explanation ;p
>>>>>>> Actually it was more a didactic post
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>> From: "BJ Freeman"
>>>>>>>> LOL
>>>>>>>> that was the first link I sent on this thread.
>>>>>>>>
>>>>>>>> Jacques Le Roux sent the following on 7/30/2008 2:18 PM:
>>>>>>>>> OFBiz Wiki is your friend. Just look for OFBTOOLS.
>>>>>>>>>
>>>>>>>>> You would have got
>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security?focusedCommentId=3615#comment-3615
>>>>>>>>>
>>>>>>>>> Jacques
>>>>>>>>>
>>>>>>>>> ----- Original Message ----- From: "Milind W"
>>>>>>>>> To:
>>>>>>>>> Sent: Wednesday, July 30, 2008 8:31 PM
>>>>>>>>> Subject: Re: how to set security and permissions precedence
>>>>>>>>>
>>>>>>>>>> Let me try to break up questions.
>>>>>>>>>> Shouldn't adding
>>>>>>>>>> base-permission="OFBTOOLS"
>>>>>>>>>> to the ofbiz-entity.xml force the user to login with a user id that is
>>>>>>>>>> associated to the OFBTOOLS security group?
>>>>>>>>>> I can see the application I created and the line seems to have no effect.
>>>>>>>>>> What is the purpose of the line?
>>>>>>>>>> Thanks
>>>>>>>>>> -Milind
>>>>>>>>>>
>>>>>>>>>>> Please note that opentaps is not at the same level of revision that ofbiz is
>>>>>>>>>>> there have been changes to security.
>>>>>>>>>>> there are examples in the
>>>>>>>>>>> framework/example
>>>>>>>>>>> and
>>>>>>>>>>> framework/exampleext
>>>>>>>>>>> I believe this to be a better tutorial
>>>>>>>>>>> since they work already.
>>>>>>>>>>>
>>>>>>>>>>> Balaji Sundar sent the following on 7/29/2008 9:40 PM:
>>>>>>>>>>>> BJ Freeman wrote:
>>>>>>>>>>>>> http://docs.ofbiz.org/display/OFBTECH/OFBiz+security
>>>>>>>>>>>>>
>>>>>>>>>>>>> Milind W sent the following on 7/29/2008 7:58 PM:
>>>>>>>>>>>>>> hi,
>>>>>>>>>>>>>> Security Permissions
>>>>>>>>>>>>>> I am using ofbiz rev.79258
>>>>>>>>>>>>>> I want to understand how security works so I made the following
>>>>>>>>>>>>>> modifications to hello1
>>>>>>>>>>>>>> 1) I added base-permission="OFBTOOLS" to the ofbiz-component.xml
>>>>>>>>>>>>>> I could still see the application. I was assuming the application would
>>>>>>>>>>>>>> ask me to login or prevent me from seeing the page.
>>>>>>>>>>>>>> 2) I added to the main request
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This displays "java.lang.NullPointerException" in the browser.
>>>>>>>>>>>>>> How does permissions precedence work starting from the UI to the entity
>>>>>>>>>>>>>> layer?
>>>>>>>>>>>>>> Help appreciated.
>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>> -Milind
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Here is the log
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestHandler.java:243:INFO ] [Processing Request]: main sessionId=6E6BB45A4B5AB75A10A9B9404FA622A5.jvm1
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:159:WARN ] [RequestManager.getEventType] Type of event for request "checkLogin" not found
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:146:WARN ] [RequestManager.getEventPath] Path of event for request "checkLogin" not found
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ RequestManager.java:172:WARN ] [RequestManager.getEventMethod] Method of event for request "checkLogin" not found
>>>>>>>>>>>>>> 2008-07-29 19:07:17,031 (http-0.0.0.0-8080-1) [ ControlServlet.java:205:ERROR]
>>>>>>>>>>>>>> ---- runtime exception report --------------------------------------------------
>>>>>>>>>>>>>> Error in request handler:
>>>>>>>>>>>>>> Exception: java.lang.NullPointerException
>>>>>>>>>>>>>> Message: null
>>>>>>>>>>>>>> ---- stack trace ---------------------------------------------------------------
>>>>>>>>>>>>>> java.lang.NullPointerException
>>>>>>>>>>>>>> javolution.util.FastMap.getEntry(Unknown Source)
>>>>>>>>>>>>>> javolution.util.FastMap.containsKey(Unknown Source)
>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestManager.getHandlerClass(RequestManager.java:78)
>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.loadEventHandler(EventFactory.java:102)
>>>>>>>>>>>>>> org.ofbiz.webapp.event.EventFactory.getEventHandler(EventFactory.java:86)
>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.runEvent(RequestHandler.java:453)
>>>>>>>>>>>>>> org.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:259)
>>>>>>>>>>>>>> org.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:198)
>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
>>>>>>>>>>>>>> javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>> org.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:255)
>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>>>>>>>>>>>>>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>>>>>>>>>>>>>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>>>>>>>>>>>>>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>>>>>>>>>>>>>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>>>>>>>>>>>>>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>>>>>>>>>>>>>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>>>>>>>>>>>>>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
>>>>>>>>>>>>>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>>>>>>>>>>>>>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>>>>>>>>>>>>>> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>>>>>>>>>>>>>> java.lang.Thread.run(Thread.java:595)
>>>>>>>>>>>>>> --------------------------------------------------------------------------------
>>>>>>>>>>>>>>
>>>>>>>>>>>> http://www.opensourcestrategies.com/ofbiz/security.php
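
The oldest log in this thread shows the request handler looking up the event of a request named "checkLogin" once the main request demands a login, and failing with a NullPointerException because the controller does not define it. The following check is an added example, not code from the thread or from OFBiz: it audits a controller for that gap and for view requests served without `auth="true"`. It assumes the usual controller.xml element names (`request-map`, `security`, `event`, `response`, `view-map`), which are stripped from the archived messages; both sample controllers, their screen paths and the name `audit_controller` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

LOGIN_WORKER = "org.ofbiz.webapp.control.LoginWorker"

# Constructed sample: "main" demands auth, but no login plumbing is defined.
BROKEN = """<site-conf>
  <request-map uri="main">
    <security https="false" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <request-map uri="help">
    <response name="success" type="view" value="help"/>
  </request-map>
  <view-map name="main" type="screen" page="component://hello1/widget/Example.xml#main"/>
</site-conf>"""

# Constructed repair: login request-maps and view added, "help" now needs auth.
FIXED = BROKEN.replace('<request-map uri="help">',
    '<request-map uri="help"><security https="false" auth="true"/>').replace(
    "</site-conf>", """  <request-map uri="checkLogin">
    <event type="java" path="%s" invoke="checkLogin"/>
  </request-map>
  <request-map uri="login">
    <event type="java" path="%s" invoke="login"/>
  </request-map>
  <view-map name="login" type="screen" page="component://common/widget/CommonScreens.xml#login"/>
</site-conf>""" % (LOGIN_WORKER, LOGIN_WORKER))

def audit_controller(xml_text):
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]          # tolerate a namespaced site-conf
    maps = {rm.get("uri"): rm for rm in root.iter("request-map")}
    views = {vm.get("name") for vm in root.iter("view-map")}
    findings, protected = [], False
    for uri, rm in maps.items():
        sec = rm.find("security")
        if sec is not None and sec.get("auth") == "true":
            protected = True
        elif uri not in ("checkLogin", "login") and any(
                r.get("type") == "view" for r in rm.findall("response")):
            findings.append(("view-without-auth", uri))
    if protected:  # auth="true" anywhere relies on these maps and their events
        for uri in ("checkLogin", "login"):
            ev = maps[uri].find("event") if uri in maps else None
            if ev is None or ev.get("path") != LOGIN_WORKER:
                findings.append(("missing-login-event", uri))
        if "login" not in views: findings.append(("missing-login-view", "login"))
    return sorted(findings)
```

Running it over each component's controller after an upgrade catches the case discussed here, where a moved login screen or a missing checkLogin mapping leaves a page reachable without login or failing at request time.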