I didn't understand well, but it's a local development machine, not hosted on web or cloud servers.

On Sat, Aug 31, 2024, 4:21 PM Jacques Le Roux <[email protected]> wrote:

> Thanks Omar,
>
> Is that local or on a server?
>
> Jacques
>
> On 31/08/2024 at 14:17, Omar Abdullwahhab wrote:
>> Hi Jacques,
>> Here are a few lines of the logs containing jsessionid
>>
>> 127.0.0.1 - - [26/Aug/2024:20:51:14 +0300] "GET /accounting/control/ListCompanies HTTP/2.0" 200 5147 "https://localhost:8443/accounting/control/globalGLSettings" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
>> 127.0.0.1 - - [26/Aug/2024:20:51:18 +0300] "GET /rainbowstone/RAINBOWSTONE_SAPHIR.less HTTP/2.0" 200 1560 "https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
>> 127.0.0.1 - - [26/Aug/2024:20:51:19 +0300] "GET /ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4 HTTP/2.0" 200 4571 "https://localhost:8443/accounting/control/ListCompanies" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
>> 127.0.0.1 - - [26/Aug/2024:20:51:24 +0300] "GET /facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03 HTTP/2.0" 200 4327 "https://localhost:8443/ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
>> 127.0.0.1 - - [26/Aug/2024:20:51:29 +0300] "POST /facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
>> 127.0.0.1 - - [26/Aug/2024:20:51:36 +0300] "POST /facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
>> 127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET /rainbowstone/RAINBOWSTONE_SAPHIR.less HTTP/2.0" 200 1560 "https://localhost:8443/facility/control/FindFacility" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
>> 127.0.0.1 - - [26/Aug/2024:20:51:42 +0300] "GET /facility/control/FindFacility HTTP/2.0" 200 4274 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0 (X11; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0"
>>
>> Regards
>>
>> On Sat, Aug 31, 2024 at 2:30 PM Jacques Le Roux <[email protected]> wrote:
>>
>>> Hi Omar,
>>>
>>> Since Java 7:
>>> https://docs.oracle.com/javaee/7/api/javax/servlet/annotation/WebListener.html
>>>
>>> In OFBiz, ControlEventListener implements HttpSessionListener
>>>
>>> Did you check, locally or on a server, your access_logs to see if you find a jsessionid there (trunk)?
>>>
>>> Jacques
>>>
>>> On 31/08/2024 at 13:07, Omar Abdullwahhab wrote:
>>>> Hi Jacques, Johan,
>>>>
>>>> According to my investigation of this class (WebAppServletContextListener.java <https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41>)
>>>>
>>>> It seems that this listener is never registered, so it has no effect.
>>>> Note that it's annotated with
>>>> @WebListener
>>>>
>>>> So confirm that I am correct, or wrong.
>>>>
>>>> Regards
>>>>
>>>> On Fri, Aug 30, 2024 at 6:30 PM Jacques Le Roux <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Actually it's not related to embedded Tomcat in OFBiz.
>>>>>
>>>>> Since 2017 in WebAppServletContextListener.java we use this line
>>>>>
>>>>> <<servletContext.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));>>
>>>>>
>>>>> https://github.com/apache/ofbiz-framework/blame/31eb051326bcec29f4c932a6d829e0d7c9979a16/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/WebAppServletContextListener.java#L41
>>>>>
>>>>> If you test locally or maybe on another server than the demo one, you will not find in access_logs files any line similar to the one below. At least I did not, and that's logical since we use cookies for that.
>>>>>
>>>>> I'm not sure what the reason is yet. If you could confirm that it's not reproducible except on the demo server, that would help to restrict the possibilities.
>>>>>
>>>>> TIA
>>>>>
>>>>> Jacques
>>>>>
>>>>> On 29/08/2024 at 10:17, Jacques Le Roux wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Finally it's not that clear.
>>>>>>
>>>>>> As can be found in trunk demo access_logs, such URLs exist at least since June 17 2024.
>>>>>>
>>>>>> access_log.2024-06-17:28:66.249.75.98 - - [17/Jun/2024:00:11:51 +0000] "GET /partymgr/control/main%3FexternalLoginKey=ELf5183769-2759-476b-946c-2a70afe3c42d&sortField=partyId;jsessionid=EBB57C6C3C345E70501827509E05744C.jvm1 HTTP/1.1" 500 1165 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.175 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
>>>>>>
>>>>>> As you can see they are rejected (HTTP 500) since then too. Actually I guess they have existed for a very long time. I have no idea yet why and how these URLs are generated.
>>>>>>
>>>>>> The rejection is "new" and due to a security fix done on May 20 2024 with (OFBIZ-13092) "Prevent special encoded characters sequences in URLs".
>>>>>> So we need to clearly define steps to manually generate these URLs. Then, if it's OK, we could allow URLs containing ";jsessionid=" to bypass the security filter.
>>>>>>
>>>>>> I copy this email to the dev ML because of its importance
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>> On 28/08/2024 at 15:27, Jacques Le Roux wrote:
>>>>>>> Thanks Guys,
>>>>>>>
>>>>>>> I could not reproduce yet, but I think we have already enough clues to fix that.
>>>>>>> Also I can find a lot of them in the trunk demo log. That will be helpful too.
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>> On 27/08/2024 at 16:20, 雷咩咩 wrote:
>>>>>>>> I can reproduce by logging in with admin, randomly clicking several places, then when clicking logout, seeing such an error:
>>>>>>>>
>>>>>>>> HTTP Status 500 – Internal Server Error
>>>>>>>> Type Exception Report
>>>>>>>>
>>>>>>>> Message For security reason this URL is not accepted
>>>>>>>>
>>>>>>>> Description The server encountered an unexpected condition that prevented it from fulfilling the request.
>>>>>>>>
>>>>>>>> Exception
>>>>>>>>
>>>>>>>> java.lang.RuntimeException: For security reason this URL is not accepted
>>>>>>>> org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:144)
>>>>>>>> org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71)
>>>>>>>>
>>>>>>>> Note The full stack trace of the root cause is available in the server logs.
>>>>>>>>
>>>>>>>> Apache Tomcat/9.0.91
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Yang
>>>>>>>>
>>>>>>>> ------------------ Original Message ------------------
>>>>>>>> From: "user" <[email protected]>;
>>>>>>>> Sent: Tuesday, 27 August 2024, 9:12 PM
>>>>>>>> To: "user" <[email protected]>;
>>>>>>>>
>>>>>>>> Subject: URL Issue
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Not sure if anyone would be able to assist me, I have found an issue which can also be replicated within the demo.
>>>>>>>> This issue normally occurs as you navigate to a module after login. It is not easily replicable; once you refresh it works and does not occur again.
>>>>>>>> Replicated the issue in multiple modules.
>>>>>>>> It usually adds ;jsessionid=######################.jvm1 to all the URLs and this causes a navigation issue.
>>>>>>>> Once you submit a form or try to click the logout link, a 500 Internal Server Error is being returned.
>>>>>>>> As an example:
>>>>>>>> https://demo-stable.ofbiz.apache.org/partymgr/control/main
>>>>>>>>
>>>>>>>> I have screenshots available, however I am not able to attach them to this mail.
>>>>>>>> Please let me know if you need me to upload them somewhere.
>>>>>>>>
>>>>>>>> Kind Regards,
>>>>>>>> Johan Cronjé
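As an added example (my own code, not part of the thread or of OFBiz), a small Python audit over the kind of access-log lines quoted above: it parses the combined log format, flags requests that carry the session id in the URL path (`;jsessionid=`, which ends up in logs and Referer headers instead of a cookie), lists percent-encoded sequences in the request target (such as the `%3F` in the Googlebot line, the class of input OFBIZ-13092 rejects), and counts how many of the rejected 500s coincide with URL session tracking. The three sample lines are copied from the thread with mail wrapping and the grep "file:line:" prefix removed; the field names are my own.

```python
import re

# Constructed sample: three access-log lines taken from this thread (mail wrapping and
# the grep "file:line:" prefix removed) so the audit runs offline.
SAMPLE_LOG = """\
127.0.0.1 - - [26/Aug/2024:20:51:19 +0300] "GET /ordermgr/control/main?externalLoginKey=ELd87879e0-9c8b-45e4-8c51-efc0d40748f4 HTTP/2.0" 200 4571 "https://localhost:8443/accounting/control/ListCompanies" "Mozilla/5.0"
127.0.0.1 - - [26/Aug/2024:20:51:29 +0300] "POST /facility/control/EditFacility;jsessionid=132931D4CDCAC10AC958ED9DD3F6511A.jvm1 HTTP/2.0" 500 2038 "https://localhost:8443/facility/control/main?externalLoginKey=ELf5b96d38-f415-4bdf-94d4-7666a2445a03" "Mozilla/5.0"
66.249.75.98 - - [17/Jun/2024:00:11:51 +0000] "GET /partymgr/control/main%3FexternalLoginKey=ELf5183769-2759-476b-946c-2a70afe3c42d&sortField=partyId;jsessionid=EBB57C6C3C345E70501827509E05744C.jvm1 HTTP/1.1" 500 1165 "-" "Googlebot/2.1"
"""
# Tomcat/Apache "combined" access-log format (timestamp, size and user agent are not kept).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')
# Servlet URL-rewriting form of the session id: ";jsessionid=<hex>[.<route>]".
JSESSIONID_RE = re.compile(r';jsessionid=([0-9A-Fa-f]+)(?:\.\w+)?', re.IGNORECASE)
# Percent-encoded sequences in the request target (the class of input OFBIZ-13092 rejects).
ENCODED_RE = re.compile(r'%[0-9A-Fa-f]{2}')

def audit(log_text):
    """Return one finding per parsed line: session id in URL, encoded sequences, status."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unknown format: skip rather than guess
        target = m['target']
        sid = JSESSIONID_RE.search(target)
        findings.append({
            'ip': m['ip'], 'method': m['method'], 'status': int(m['status']),
            # Path up to the first ';' or '?'. An encoded '?' (%3F) keeps the query glued
            # to the path, which is what the Googlebot line shows.
            'path': re.split(r'[;?]', target, maxsplit=1)[0],
            'session_in_url': sid.group(1) if sid else None,
            'encoded': sorted({x.upper() for x in ENCODED_RE.findall(target)}),
            # externalLoginKey in a Referer is another credential-bearing URL worth noticing.
            'login_key_in_referer': 'externalLoginKey=' in m['referer'],
        })
    return findings

def summary(findings):
    """Counts to look at before deciding whether ';jsessionid=' URLs may bypass the filter."""
    return {
        'lines': len(findings),
        'session_in_url': sum(1 for f in findings if f['session_in_url']),
        'encoded_sequences': sum(1 for f in findings if f['encoded']),
        'rejected_500': sum(1 for f in findings if f['status'] == 500),
        'rejected_500_with_session_in_url': sum(1 for f in findings if f['status'] == 500 and f['session_in_url']),
    }
```

Run it against a real access_log by passing the file contents to `audit()` and printing `summary()`; a non-zero `session_in_url` count on a server configured for cookie-only tracking is the signal worth chasing.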
