Protecting OFBiz web pages

Any web page may be set to require user authentication through the OFBiz login process by setting the corresponding request-map entry in the controller.xml file. A user need only log in once per session, as OFBiz checks each request for a protected web page against the requesting visitor's login status. If the requester is already logged in, they will not be asked to log in again. If the visitor is not logged in, they will be presented with an HTML login form.

Getting ready

Identify the web application and the web page, OFBiz Service, or OFBiz Event that requires user authentication.

How to do it...

You can protect your web pages by following these steps:

  1. Open the appropriate controller.xml file containing the request-map entry for the web page to protect.
  2. Edit the request-map entry for the URI to be protected by setting the security element's auth attribute to true. For example, the following authview request-map has both the authentication (auth) and encryption (https) attributes set to true:
    <request-map uri="authview">
        <security https="true" auth="true" />
        <response name="success" type="view" value="main" />
    </request-map>
    
  3. That is all you need to do to force a user to log in before accessing your web page. Note: there is no need to restart OFBiz. All controller.xml file changes are immediate.
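To review which request-map entries in a controller.xml are not yet protected, the following added example (not code from the book or from OFBiz) lists every URI whose security element does not set auth or https to true. The function name and the sample XML are constructed for illustration, and a missing security element or attribute is treated as "not enabled", which is an assumption; some entries, such as the login page itself, are intentionally left without auth.

```python
import xml.etree.ElementTree as ET

# Constructed sample controller.xml content (not from a real OFBiz application).
SAMPLE_CONTROLLER = """<site-conf>
    <request-map uri="authview">
        <security https="true" auth="true" />
        <response name="success" type="view" value="main" />
    </request-map>
    <request-map uri="orderlist">
        <security https="true" auth="false" />
        <response name="success" type="view" value="OrderList" />
    </request-map>
    <request-map uri="editprofile">
        <security auth="true" />
        <response name="success" type="view" value="EditProfile" />
    </request-map>
    <request-map uri="main">
        <response name="success" type="view" value="main" />
    </request-map>
</site-conf>
"""


def _local(tag):
    """Strip an XML namespace prefix, if the file declares one."""
    return tag.rsplit("}", 1)[-1]


def audit_request_maps(xml_text):
    """Return {uri: [findings]} for request-maps lacking auth/https = true."""
    root = ET.fromstring(xml_text)
    report = {}
    for elem in root.iter():
        if _local(elem.tag) != "request-map":
            continue
        security = next((c for c in elem if _local(c.tag) == "security"), None)
        # Assumption: an absent element or attribute counts as "not enabled".
        attrs = security.attrib if security is not None else {}
        findings = [f"{name} not set to true" for name in ("auth", "https")
                    if attrs.get(name, "").strip().lower() != "true"]
        if findings:
            report[elem.get("uri", "<no uri>")] = findings
    return report


if __name__ == "__main__":
    for uri, findings in audit_request_maps(SAMPLE_CONTROLLER).items():
        print(f"{uri}: {', '.join(findings)}")
```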

How it works...

Each web application has its own controller.xml file used to map incoming HTTP/HTTPS requests to the appropriate OFBiz web application Event, Service, or web page view. When a request is made for a URL that has been configured to require authentication, OFBiz first checks the user's session, and if the user is already logged in, lets the user proceed to the URL. If the user is not yet logged in, OFBiz presents the configured login web page and form.

When presented with the login form, the user must enter a valid user login name and password. Values entered on this form are compared against known user account values as stored within the database.

Once the user has successfully logged in, the user's identification credentials are made part of the user's session by including them within a userLogin session attribute, available programmatically by accessing the HttpServletRequest object.

There's more...

To override the controller.xml https settings for an entire OFBiz instance, use your favorite text editor to modify the ~framework/webapp/config/url.properties file and change the following global URL conversion setting as shown here:

port.https.enabled=N

Restart OFBiz to make this change effective.

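Setting this property as shown overrides the https setting of every controller.xml file in the instance: all URL requests will be serviced using the HTTP port. Any explicit request for secure port access, for example, https://www.myserver.com, will automatically be routed by OFBiz to the non-secure URL equivalent. Because the login form is then also served over HTTP, user names and passwords entered on it are sent unencrypted unless TLS is provided in front of OFBiz.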

While not necessarily a security setting, session timeouts are configured within the web application deployment descriptor file per OFBiz webapp. The ~webapp/webappName/WEB-INF/web.xml file is used directly by Tomcat to configure parameters specific to an individual web application. To set Tomcat session timeouts, add an entry similar to the following:

    <session-config>
        <session-timeout>60</session-timeout> <!-- in minutes -->
    </session-config>