Thanks Arifa for your return and confirm the case :)
I started a fix based on solution two.
I'll publish it on jira on the days !
Nicolas
Le 03/05/2025 à 05:31, Arifa Hashmi a écrit :
It looks like you've encountered a complex issue with OFBiz's AJAX call
handling, specifically how the `*SetTimeZoneFromBrowser*` request is
failing due to URL pattern mismatches, leading to a *405 error* .
*Issue Breakdown *
- The request `*SetTimeZoneFromBrowser*` is defined in `
*common-controller.xml*`, making it globally available.
- JavaScript attempts to execute it via a *relative URL*, causing
inconsistencies when combined with REST-style URLs.
- The `*ControlServlet*` fails to recognize the request format, leading to
the 405 error .
*Proposed Solution*
- Instead of using relative calls, '*a dedicated webapp*' (`common-js`) is
suggested for handling these requests, ensuring proper routing.
- The webapp would act as a relay, avoiding exposure of `framework/common`
and separating theming from functional requests.
- Example fix:
```js
$.ajax({
url: "/common-js/control/SetTimeZoneFromBrowser",
type: "POST",
async: false,
});
```
--------------------------------------------------------------
Implementing a *switch-case structure* can help manage different AJAX
requests effectively, but it needs additional adjustments to fully resolve
the '405 error issue' you described in Apache OFBiz. Below is a 'full
implementation strategy' that addresses the problem while ensuring security
and proper request routing.
---
Suggest Solution: Using a Dedicated WebApp with Dynamic Routing
Since the issue arises due to 'incorrect request routing in REST-style
URLs', we will:
1. Use a dedicated web app (`commonext`) to handle such AJAX requests.
2. Implement a switch-case structure in JavaScript to dynamically adjust
request URLs.
3. Ensure security by managing authentication separately for the web app.
---
Step-by-Step Implementation
1. Configure the Dedicated WebApp (`commonext`)
Modify `webapp.xml` to set up a new web app that will act as a relay for
common requests.
------------------------ xml
*<web-app name="commonext" location="commonext" app-bar-display="true">
<security security-constraint="true"/></web-app>*
------------------------
2. Define Request Handlers in `commonext-controller.xml`
Create handler mappings in `commonext-controller.xml` to process requests
properly.
*---------------------------xml<request-map uri="SetTimeZoneFromBrowser">
<security https-required="true" auth-required="false"/> <event
type="service" name="setTimeZoneService"
invoke="org.ofbiz.common.SetTimeZone"/> <response name="json"
type="json"/></request-map>----------------------------*
3. Update the JavaScript AJAX Calls
Modify the AJAX call in JavaScript to ensure requests are directed through
`commonext`.
*------------------------ jsfunction getRequestUrl(requestType) { switch
(requestType) { case "timezone": return
"/commonext/control/SetTimeZoneFromBrowser"; case "inventory":
return "/commonext/control/GetStockDetails"; case "order":
return "/commonext/control/FetchOrderStatus"; default:
return "/commonext/control/DefaultHandler"; }}*
*$.ajax({ url: getRequestUrl("timezone"), type: "POST", async:
false, success: function(response) { console.log("Request
successful!", response); }, error: function(error) {
console.log("Error in request!", error); }});*
-----------------------------------
4. Address Authentication Issue
Since separate web apps maintain independent sessions, use token-based
authentication or a cookie-based method.
- Option 1: SSO (Single Sign-On)
- Implement an OAuth-based authentication system .
- Users authenticate once, and tokens are passed across multiple web apps.
- Option 2: Secure Cookie-Based Authentication
- Generate a security token upon login.
- Store the token in a HTTP-only, secure cookie .
- Validate the token before processing requests in `commonext`.
---
### *Expected Results *
AJAX requests will no longer fail due to incorrect REST-style URL
handling.
Requests will be correctly routed via `commonext`, resolving the '405
error'.
Authentication is properly handled without exposing core framework
security.
This approach provides a 'scalable and maintainable solution' for handling
common OFBiz AJAX requests while ensuring security compliance.
with regards
Arifa Hashmi
On Fri, 2 May 2025 at 13:39, Nicolas Malin<nicolas.ma...@nereide.fr> wrote:
Hi all,
I'm in front of a particular issue where the fix isn't really easy and
need to share :) .
I detected a problem with some ajax call did by js script that failed
with error 405 like :
https://demo-next.ofbiz.apache.org/webtools/control/entity/find/SetTimeZoneFromBrowser
To reproduce just display the page
https://demo-next.ofbiz.apache.org/webtools/control/entity/find/Party
and analyze network traffic.
Ok the reason :
SetTimeZoneFromBrowser is a request define in common-controller.xml, so
available on all component. In js the call is realize by :
```js
$.ajax({
url: "SetTimeZoneFromBrowser",
type: "POST",
async: false,...
```
So the navigator use the relative url to execute the call. In general
case we have a page like
https://demo-next.ofbiz.apache.org/$component/control/$request so js
script realized their call with
https://demo-next.ofbiz.apache.org/$component/control/$request-js . Like
each request-js are present on common-controller.xml all component that
include it can response.
With rest url, the uri pattern is more complex and the script js that
generate a relative call like we have upper :
https://demo-next.ofbiz.apache.org/webtools/control/entity/find/SetTimeZoneFromBrowse
.
The ControlServlet behind failed to retrieve the correct request and
generate a http error 405
How to fix :
After different tries, I propose to remove all relative call and create
a dedicate webapp for that.
```js
$.ajax({
url: "/common-js/control/SetTimeZoneFromBrowser",
type: "POST",
async: false,...
```
Open a new webapp on commonext to do that and redirect all relative call
to it.
I propose to implement it on commonext because framework/common need to
keep without exposure. Common-theme is dedicate expose theming
information and not a direct relay to common request. So commonext seems
to be the better solution to be a relay for common request manage by the
common-controller.
The problem with this solution, all webapp are their session separate,
so access to a json request through commonext generate an security issue
if the request have auth enable. We can enable the sso on ofbiz for that
but do we need that for all OFBiz webapp by defaut. We can imagine a
spotted solution to use cookies system like autologin with more
security, only on commonext to be sure to allow the functionality on
many configuration.
Thanks to take this read time and if you have any sharing on it to found
the better solution.
Nicolas
