Hi Jacques,

Here are a few lines of the logs containing jsessionid:

127.0.0.1 - - [26/Aug/2024:20:51:14 +0300] "GET /accounting/control/ListCompanies HTTP/2.0" 200 5147 "https://localhost:8443/accounting/control/globalGLSettings" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:18 +0300] "GET /rainbowstone/RAINBOWSTONE_SAPHIR.less HTTP/2.0" 200 1560 "https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:19 +0300] "GET /ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4 HTTP/2.0" 200 4571 "https://localhost:8443/accounting/control/ListCompanies" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:24 +0300] "GET /facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03 HTTP/2.0" 200 4327 "https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:29 +0300] "POST /facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:36 +0300] "POST /facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET /rainbowstone/RAINBOWSTONE_SAPHIR.less HTTP/2.0" 200 1560 "https://localhost:8443/facility/control/FindFacility" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET /facility/control/FindFacility HTTP/2.0" 200 4274 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"

Regards

On Sat, Aug 31, 2024 at 2:30 PM Jacques Le Roux <[email protected]> wrote:
> Hi Omar,
>
> Since Java 7:
> https://docs.oracle.com/javaee/7/api/javax/servlet/annotation/WebListener.html
>
> In OFBiz, ControlEventListener implements HttpSessionListener
>
> Did you check locally or on a server in your access_logs whether you find a
> jsessionid there (trunk)?
>
> Jacques
>
> On 31/08/2024 at 13:07, Omar Abdullwahhab wrote:
> > Hi Jacques, Johan,
> >
> > According to my investigation of this class (
> > WebAppServletContextListener.java
> > <https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41>)
> >
> > It seems that this listener is never registered, so it has no
> > effect.
> > Note that it's annotated with
> > @WebListener
> >
> > So please confirm whether I am correct or wrong.
> >
> > Regards
> >
> > On Fri, Aug 30, 2024 at 6:30 PM Jacques Le Roux <[email protected]> wrote:
> >
> >> Hi,
> >>
> >> Actually it's not related to embedded Tomcat in OFBiz.
> >>
> >> Since 2017 in WebAppServletContextListener.java we use this line
> >>
> >> <<servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));>>
> >>
> >> https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41
> >>
> >> If you test locally or maybe in another server than the demo one, you will not
> >> find in access_logs files any line similar to the one below. At least I did
> >> not, and that's logical since we use cookies for that.
> >>
> >> I'm not sure what the reason is yet. If you could confirm that it's not
> >> reproducible except in the demo server, that would help to narrow the
> >> possibilities.
> >>
> >> TIA
> >>
> >> Jacques
> >>
> >> On 29/08/2024 at 10:17, Jacques Le Roux wrote:
> >>> Hi,
> >>>
> >>> Finally it's not that clear.
> >>>
> >>> As can be found in trunk demo access_logs, such URLs exist at least
> >>> since June 17 2024.
> >>>
> >>> access_log.2024-06-17:28:66.249.75.98 - - [17/Jun/2024:00:11:51 +0000] "GET /partymgr/control/main%3FexternalLoginKey=ELf5183769-2759-476b-946c-2a70afe3c42d&sortField=partyId;jsessionid=EBB57C6C3C345E70501827509E05744C.jvm1 HTTP/1.1" 500 1165 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.175 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
> >>>
> >>> As you can see they are rejected (HTTP 500) since then too. Actually I
> >>> guess they have existed for a very long time. I have no idea yet why and how these
> >>> URLs are generated.
> >>>
> >>> The rejection is "new" and due to a security fix done on May 20 2024
> >>> with (OFBIZ-13092) "Prevent special encoded characters sequences in URLs".
> >>> So we need to clearly define steps to manually generate these URLs.
> >>> Then, if it's OK, we could allow URLs containing ";jsessionid=" to bypass the
> >>> security filter.
> >>>
> >>> I copy this email to the dev ML because of its importance.
> >>>
> >>> Jacques
> >>>
> >>> On 28/08/2024 at 15:27, Jacques Le Roux wrote:
> >>>> Thanks Guys,
> >>>>
> >>>> I could not reproduce yet, but I think we already have enough clues to
> >>>> fix that.
> >>>> Also I can find a lot of them in the trunk demo log. That will be helpful too.
> >>>>
> >>>> Jacques
> >>>>
> >>>> On 27/08/2024 at 16:20, 雷咩咩 wrote:
> >>>>> I can reproduce by logging in with admin, randomly clicking several places,
> >>>>> then when clicking logout, I see such an error:
> >>>>>
> >>>>> HTTP Status 500 – Internal Server Error
> >>>>> Type Exception Report
> >>>>>
> >>>>> Message For security reason this URL is not accepted
> >>>>>
> >>>>> Description The server encountered an unexpected condition that
> >>>>> prevented it from fulfilling the request.
> >>>>>
> >>>>> Exception
> >>>>>
> >>>>> java.lang.RuntimeException: For security reason this URL is not accepted
> >>>>> org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:144)
> >>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
> >>>>>
> >>>>> Note The full stack trace of the root cause is available in the server logs.
> >>>>>
> >>>>> Apache Tomcat/9.0.91
> >>>>>
> >>>>> Regards,
> >>>>> Yang
> >>>>>
> >>>>> ------------------ Original message ------------------
> >>>>> From: "user" <[email protected]>;
> >>>>> Sent: Tuesday, 27 August 2024, 9:12 PM
> >>>>> To: "user" <[email protected]>;
> >>>>>
> >>>>> Subject: URL Issue
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> Not sure if anyone would be able to assist me; I have found an issue which
> >>>>> can also be replicated within the demo.
> >>>>> This issue normally occurs as you navigate to a module after login. It is
> >>>>> not easily replicable; once you refresh, it works and does not occur again.
> >>>>> Replicated the issue in multiple modules.
> >>>>> It usually adds ;jsessionid=######################.jvm1 to all the URLs and
> >>>>> this causes a navigation issue.
> >>>>> Once you submit a form or try to click the logout link, a 500
> >>>>> Internal Server Error is being returned.
> >>>>> As an example:
> >>>>> https://demo-stable.ofbiz.apache.org/partymgr/control/main
> >>>>>
> >>>>> I have screenshots available, however I am not able to attach them to this mail.
> >>>>> Please let me know if you need me to upload them somewhere.
> >>>>>
> >>>>> Kind Regards,
> >>>>> Johan Cronjé

--
Omar Abu-Arab
Java Engineer
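As an added example (not from the thread or from OFBiz), here is a small Python check a defender could run over access_log files, as Jacques suggests above, to find session ids carried in the request path or in the Referer and percent-encoded reserved characters inside a path, and to see how often those coincide with an HTTP 500 rejection. The log layout is assumed from the lines quoted in the thread; the sample lines and session id values are constructed.

```python
import re
from collections import Counter

# Combined-format access_log line as written by Tomcat's AccessLogValve (layout assumed
# from the lines quoted in the thread): ip - - [time] "METHOD URL PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Servlet path-parameter session id, e.g. ";jsessionid=ABCD...1234.jvm1"
JSESSIONID_RE = re.compile(r';jsessionid=([^;?/&"\s]+)', re.IGNORECASE)
# Percent-encoded reserved characters inside a path segment (%3F="?", %26="&", %3B=";", %2F="/")
ENCODED_RESERVED_RE = re.compile(r'%(3F|26|3B|2F)', re.IGNORECASE)

def redact(url):
    """Mask the session id value so a report never re-exposes a live session."""
    return JSESSIONID_RE.sub(';jsessionid=<REDACTED>', url)

def scan_line(line):
    """Return a finding dict for one log line, or None when nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url, referer = m['url'], m['referer']
    findings = []
    if JSESSIONID_RE.search(url):
        findings.append('session id in request URL')
    if JSESSIONID_RE.search(referer):   # a URL-borne id also leaks to other sites via Referer
        findings.append('session id leaked via Referer')
    if ENCODED_RESERVED_RE.search(url.split('?', 1)[0]):
        findings.append('encoded reserved char in path')
    if not findings:
        return None
    return {'ip': m['ip'], 'status': int(m['status']), 'url': redact(url), 'findings': findings}

def scan(lines):
    """Scan many lines; also count how often each finding coincides with an HTTP 500."""
    hits = [f for f in map(scan_line, lines) if f]
    rejected = Counter(k for f in hits if f['status'] == 500 for k in f['findings'])
    return hits, rejected

# Constructed sample lines modelled on the thread's access_log excerpts (not real traffic)
SAMPLE = [
    '127.0.0.1 - - [26/Aug/2024:20:51:14 +0300] "GET /accounting/control/ListCompanies HTTP/2.0" 200 5147 "https://localhost:8443/accounting/control/main" "Firefox/129.0"',
    '127.0.0.1 - - [26/Aug/2024:20:51:29 +0300] "POST /facility/control/EditFacility;jsessionid=0123456789ABCDEF0123456789ABCDEF.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main" "Firefox/129.0"',
    '127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET /facility/control/FindFacility HTTP/2.0" 200 4274 "https://localhost:8443/facility/control/main;jsessionid=0123456789ABCDEF0123456789ABCDEF.jvm1" "Firefox/129.0"',
    '203.0.113.5 - - [17/Jun/2024:00:11:51 +0000] "GET /partymgr/control/main%3FexternalLoginKey=EL00000000-0000-0000-0000-000000000000&sortField=partyId;jsessionid=FEDCBA9876543210FEDCBA9876543210.jvm1 HTTP/1.1" 500 1165 "-" "Googlebot/2.1"',
]
```

Feed it real access_log lines with `scan(open(path))`; the returned `rejected` counter shows which URL shape the filter is actually turning into HTTP 500s, while the redacted URLs are safe to paste into a bug report.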
