Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0034331Openbravo ERPA. Platformpublic2016-10-28 10:442016-12-28 11:20
Reportermtaal 
Assigned Tomtaal 
PrioritynormalSeveritymajorReproducibilityhave not tried
StatusclosedResolutionfixed 
PlatformOS5OS Version
Product Version 
Target Version3.0PR17Q1Fixed in Version3.0PR17Q1 
Merge Request Status
Review Assigned ToSandrahuguet
OBNetwork customerNo
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0034331: Support pre-defined allowed domains for cross-domain requests in a multi-server environment
DescriptionSee the related issue. In webpos we need to support multi-server requests. To accomplish this we have to set the Access-Control-Allow-Origin header to the allowed domain.

This has to happen in both the retail as well as in core erp BaseKernelServlet as it is being used by mobile warehouse.
Steps To ReproduceSee related issue
Proposed SolutionThe proposal is to implement a generic AllowedHttpOriginProvider class in core which can be supplied by modules to compute the Access-Control-Allow-Origin header setting.

This class will be used by a utility method to compute the correct the cors headers to be returned to the caller. The generic utility method can then be used by all the relevant classes to set the cors headers.
Additional Information
TagsNo tags attached.
Relationships
related to feature request 00342673.0PR17Q1 closed mtaal Openbravo ERP Let the basekernelservlet handle cors requests 
related to defect 0037627 closed jarmendariz Openbravo ERP AllowedCrossDomainsHandler.getInstance().setCORSHeaders is not executed calling to WebServices 
blocks design defect 0034330RR17Q1 closed mtaal Retail Modules Support multi-server requests in a better more secure way 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2016-10-28 10:44mtaalNew Issue
2016-10-28 10:44mtaalAssigned To => mtaal
2016-10-28 10:44mtaalOBNetwork customer => No
2016-10-28 10:44mtaalModules => Core
2016-10-28 10:44mtaalTriggers an Emergency Pack => No
2016-10-28 10:45mtaalRelationship addedblocks 0034330
2016-10-28 10:45mtaalRelationship addedrelated to 0034267
2016-11-23 20:51mtaalReview Assigned To => alostale
2016-11-23 20:55hgbotCheckin
2016-11-23 20:55hgbotNote Added: 0091769
2016-11-23 20:55hgbotStatusnew => resolved
2016-11-23 20:55hgbotResolutionopen => fixed
2016-11-23 20:55hgbotFixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/a0080aeca8605919ce2a1a17dfe9c686ea79aace [^]
2016-11-24 08:50hgbotCheckin
2016-11-24 08:50hgbotNote Added: 0091770
2016-11-25 10:49alostaleNote Added: 0091821
2016-11-25 10:49alostaleStatusresolved => new
2016-11-25 10:49alostaleResolutionfixed => open
2016-11-27 21:10hgbotCheckin
2016-11-27 21:10hgbotNote Added: 0091870
2016-11-27 21:10hgbotStatusnew => resolved
2016-11-27 21:10hgbotResolutionopen => fixed
2016-11-27 21:10hgbotFixed in SCM revisionhttp://code.openbravo.com/erp/devel/pi/rev/a0080aeca8605919ce2a1a17dfe9c686ea79aace [^] => http://code.openbravo.com/erp/devel/pi/rev/3d24fc9233285a621a20c0da0ae464cffee7c6f0 [^]
2016-12-02 08:12alostaleNote Added: 0091998
2016-12-02 08:12alostaleStatusresolved => closed
2016-12-02 08:12alostaleFixed in Version => 3.0PR17Q1
2016-12-03 12:31mtaalNote Added: 0092065
2016-12-03 12:31mtaalStatusclosed => new
2016-12-03 12:31mtaalResolutionfixed => open
2016-12-03 12:31mtaalFixed in Version3.0PR17Q1 =>
2016-12-03 12:33hgbotCheckin
2016-12-03 12:33hgbotNote Added: 0092066
2016-12-03 12:33hgbotStatusnew => resolved
2016-12-03 12:33hgbotResolutionopen => fixed
2016-12-03 12:33hgbotFixed in SCM revisionhttp://code.openbravo.com/erp/devel/pi/rev/3d24fc9233285a621a20c0da0ae464cffee7c6f0 [^] => http://code.openbravo.com/erp/devel/pi/rev/61868ad9886813a957b6ad11608afc5a5034f2b7 [^]
2016-12-03 12:46hgbotCheckin
2016-12-03 12:46hgbotNote Added: 0092073
2016-12-09 16:46hgbotCheckin
2016-12-09 16:46hgbotNote Added: 0092264
2016-12-13 08:20alostaleNote Added: 0092298
2016-12-13 08:20alostaleStatusresolved => closed
2016-12-13 08:20alostaleFixed in Version => 3.0PR17Q1
2016-12-16 18:38hudsonbotCheckin
2016-12-16 18:38hudsonbotNote Added: 0092653
2016-12-16 18:38hudsonbotCheckin
2016-12-16 18:38hudsonbotNote Added: 0092654
2016-12-16 18:39hudsonbotCheckin
2016-12-16 18:39hudsonbotNote Added: 0092666
2016-12-16 18:39hudsonbotCheckin
2016-12-16 18:39hudsonbotNote Added: 0092689
2016-12-16 18:39hudsonbotCheckin
2016-12-16 18:39hudsonbotNote Added: 0092690
2016-12-16 18:39hudsonbotCheckin
2016-12-16 18:39hudsonbotNote Added: 0092695
2016-12-27 06:59mtaalStatusclosed => new
2016-12-27 06:59mtaalResolutionfixed => open
2016-12-27 06:59mtaalFixed in Version3.0PR17Q1 =>
2016-12-27 06:59mtaalReview Assigned Toalostale => Sandrahuguet
2016-12-27 07:02hgbotCheckin
2016-12-27 07:02hgbotNote Added: 0093002
2016-12-27 07:02hgbotStatusnew => resolved
2016-12-27 07:02hgbotResolutionopen => fixed
2016-12-27 07:02hgbotFixed in SCM revisionhttp://code.openbravo.com/erp/devel/pi/rev/61868ad9886813a957b6ad11608afc5a5034f2b7 [^] => http://code.openbravo.com/erp/devel/pi/rev/3871cdf1a2e9b1e8fb5a5ceece5f117fce1532a5 [^]
2016-12-27 07:57hgbotCheckin
2016-12-27 07:57hgbotNote Added: 0093004
2016-12-27 12:41hudsonbotCheckin
2016-12-27 12:41hudsonbotNote Added: 0093019
2016-12-28 11:20SandrahuguetNote Added: 0093038
2016-12-28 11:20SandrahuguetStatusresolved => closed
2016-12-28 11:20SandrahuguetFixed in Version => 3.0PR17Q1
2018-01-26 14:54caristuRelationship addedrelated to 0037627

Notes
(0091769)
hgbot   
2016-11-23 20:55   
Repository: erp/devel/pi
Changeset: a0080aeca8605919ce2a1a17dfe9c686ea79aace
Author: Martin Taal <martin.taal <at> openbravo.com>
Date: Wed Nov 23 20:55:26 2016 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/a0080aeca8605919ce2a1a17dfe9c686ea79aace [^]

Fixes issue 34331: Support pre-defined allowed domains for cross-domain requests in a multi-server environment
Implement utility class which supports setting cors headers and checking validity of a http origins. Add
cors header setting to main OB servlet.

- AllowedCrossDomainsHandler: new class, main entry point for servlets to set cors headers, provides utility methods to check origin validity, calls AllowedCrossDomainsChecker classes which implement the actual checking logic. The AllowedCrossDomainsChecker can be implemented by a module.
- HttpSecureAppServlet: set cors header and handle the OPTIONS http method

---
M src/org/openbravo/base/secureApp/HttpSecureAppServlet.java
A src/org/openbravo/base/secureApp/AllowedCrossDomainsHandler.java
---
(0091770)
hgbot   
2016-11-24 08:50   
Repository: erp/devel/pi
Changeset: 9f77b61ad54251a56d2e5056c41ade7a8f0cb996
Author: Martin Taal <martin.taal <at> openbravo.com>
Date: Thu Nov 24 08:49:33 2016 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/9f77b61ad54251a56d2e5056c41ade7a8f0cb996 [^]

Related to issue 34331: Support pre-defined allowed domains for cross-domain requests in a multi-server environment
Do not log/do anything if no checkers defined

---
M src/org/openbravo/base/secureApp/AllowedCrossDomainsHandler.java
---
(0091821)
alostale   
2016-11-25 10:49   
Found some small issues in code review:

* AllowedCrossDomainsHandler: Why is it Apache license?
* AllowedCrossDomainsHandler.isAllowedOrigin: can be private
* AllowedCrossDomainsHandler.AllowedCrossDomainsChecker: Add @ApplicationScoped anotation so by default sublcasses inherit it also
(0091870)
hgbot   
2016-11-27 21:10   
Repository: erp/devel/pi
Changeset: 3d24fc9233285a621a20c0da0ae464cffee7c6f0
Author: Martin Taal <martin.taal <at> openbravo.com>
Date: Sun Nov 27 21:10:20 2016 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/3d24fc9233285a621a20c0da0ae464cffee7c6f0 [^]

Fixes issue 34331: Support pre-defined allowed domains for cross-domain requests in a multi-server environment
Solve code review comments: changed license text, update visibility and set application scoped

---
M src/org/openbravo/base/secureApp/AllowedCrossDomainsHandler.java
---
(0091998)
alostale   
2016-12-02 08:12   
code reviewed
(0092065)
mtaal   
2016-12-03 12:31   
adding one more smaller commit to make method public available
(0092066)
hgbot   
2016-12-03 12:33   
Repository: erp/devel/pi
Changeset: 61868ad9886813a957b6ad11608afc5a5034f2b7
Author: Martin Taal <martin.taal <at> openbravo.com>
Date: Sat Dec 03 12:32:30 2016 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/61868ad9886813a957b6ad11608afc5a5034f2b7 [^]

Fixes issue 34331: Support pre-defined allowed domains for cross-domain requests in a multi-server environment
Make method public so that it can be used by others to check if a url is in an allowed domain

---
M src/org/openbravo/base/secureApp/AllowedCrossDomainsHandler.java
---
(0092073)
hgbot   
2016-12-03 12:46   
Repository: erp/devel/pi
Changeset: b84917f47a7f82a4360f47593f4dfd1199cc0505
Author: Martin Taal <martin.taal <at> openbravo.com>
Date: Sat Dec 03 12:46:21 2016 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/b84917f47a7f82a4360f47593f4dfd1199cc0505 [^]

Related to issue 34331: Support pre-defined allowed domains for cross-domain requests
Remove unintended javadoc

---
M src/org/openbravo/base/secureApp/AllowedCrossDomainsHandler.java
---
(0092264)
hgbot   
2016-12-09 16:46   
Repository: erp/devel/pi
Changeset: 75e2d670435ea372cf33a44b661c5af8f22d04c4
Author: Martin Taal <martin.taal <at> openbravo.com>
Date: Fri Dec 09 16:45:43 2016 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/75e2d670435ea372cf33a44b661c5af8f22d04c4 [^]

Related to issue 34331: Support pre-defined allowed domains for cross-domain requests
Handle null origin

---
M src/org/openbravo/base/secureApp/AllowedCrossDomainsHandler.java
---
(0092298)
alostale   
2016-12-13 08:20   
code reviewed
(0092653)
hudsonbot   
2016-12-16 18:38   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/dc8bf00badd0 [^]
Maturity status: Test
(0092654)
hudsonbot   
2016-12-16 18:38   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/dc8bf00badd0 [^]
Maturity status: Test
(0092666)
hudsonbot   
2016-12-16 18:39   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/dc8bf00badd0 [^]
Maturity status: Test
(0092689)
hudsonbot   
2016-12-16 18:39   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/dc8bf00badd0 [^]
Maturity status: Test
(0092690)
hudsonbot   
2016-12-16 18:39   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/dc8bf00badd0 [^]
Maturity status: Test
(0092695)
hudsonbot   
2016-12-16 18:39   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/dc8bf00badd0 [^]
Maturity status: Test
(0093002)
hgbot   
2016-12-27 07:02   
Repository: erp/devel/pi
Changeset: 3871cdf1a2e9b1e8fb5a5ceece5f117fce1532a5
Author: Martin Taal <martin.taal <at> openbravo.com>
Date: Tue Dec 27 07:01:53 2016 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/3871cdf1a2e9b1e8fb5a5ceece5f117fce1532a5 [^]

Fixes issue 34331: Support pre-defined allowed domains for cross-domain requests in a multi-server environment
Added new public method to validate that an invalid origin is set on the header, other method is made private
again to limit public methods.

---
M src/org/openbravo/base/secureApp/AllowedCrossDomainsHandler.java
---
(0093004)
hgbot   
2016-12-27 07:57   
Repository: erp/devel/api-checks
Changeset: a276b0b823195ff56044760a26b90170c1921f77
Author: Martin Taal <martin.taal <at> openbravo.com>
Date: Tue Dec 27 07:56:29 2016 +0100
URL: http://code.openbravo.com/erp/devel/api-checks/rev/a276b0b823195ff56044760a26b90170c1921f77 [^]

Related to issue 34331: Support pre-defined allowed domains for cross-domain
Update java api as the change done by previous commit in the same issue is not
an api change as it makes a method private which was added in this release.

---
M java/reference/java.japi.gz
---
(0093019)
hudsonbot   
2016-12-27 12:41   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/631648405cf0 [^]
Maturity status: Test
(0093038)
Sandrahuguet   
2016-12-28 11:20   
verified