Any web page may be set to require user authentication by way of the OFBiz login process by setting the corresponding request-map entry in the controller.xml file. A user need only log in one time per session, as OFBiz will check each request for a protected web page against the requesting visitor's login status. If the requestor is already logged in, they will not be asked to log in again. If the visitor is not logged in, they will be presented with an HTML login form.
Identify the web application and the web page, OFBiz Service, or OFBiz Event that requires user authentication.
You can protect your web pages by following these steps:

1. Open the controller.xml file containing the request-map entry for the web page to protect.
2. Edit the request-map entry for the URI to be protected by setting the security element's auth attribute to true. For example, the following request-map has both the authentication (auth) and encryption (https) attributes for the authview request-map set to true:

   <request-map uri="authview">
       <security https="true" auth="true" />
       <response name="success" type="view" value="main" />
   </request-map>

controller.xml file changes are immediate.

Each web application has its own controller.xml file used to map incoming HTTP/HTTPS requests to the appropriate OFBiz web application Event, Service, or web page view. When a request is made for a URL that has been configured to require authentication, OFBiz first checks the user's session. If the user is already logged in, OFBiz lets the user proceed to the URL. If the user is not yet logged in, OFBiz presents the configured login web page and form.
When presented with the login form, the user must enter a valid user login name and password. Values entered on this form are compared against known user account values as stored within the database.
Once the user has successfully logged in, the user's identification credentials are made part of the user's session by including them within a userLogin session attribute, available programmatically by accessing the HttpServletRequest object.
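The audit below is an added example, not code from the original page or from the OFBiz project: it parses a controller.xml and reports which request-map URIs do not set auth="true", and which require login without also setting https="true". The sample XML is constructed, the function names are hypothetical, and it assumes a missing security element or attribute means the protection is off.

```python
import xml.etree.ElementTree as ET
# Constructed sample, not taken from a real OFBiz component.
SAMPLE_CONTROLLER = """\
<site-conf>
  <request-map uri="authview">
    <security https="true" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <request-map uri="editProfile">
    <security https="true" auth="false"/>
    <response name="success" type="view" value="profile"/>
  </request-map>
  <request-map uri="orderHistory">
    <security auth="true"/>
    <response name="success" type="view" value="orders"/>
  </request-map>
  <request-map uri="main">
    <response name="success" type="view" value="main"/>
  </request-map>
</site-conf>
"""

def local(tag):  # drop an XML namespace prefix such as '{ns}request-map'
    return tag.rsplit("}", 1)[-1]

def audit_request_maps(xml_text):
    """Return (uri, auth_on, https_on) for every request-map entry."""
    rows = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "request-map":
            continue
        sec = next((c for c in el if local(c.tag) == "security"), None)
        attrs = sec.attrib if sec is not None else {}
        # Assumption: only an explicit "true" counts as enabled.
        auth_on = attrs.get("auth", "").strip().lower() == "true"
        https_on = attrs.get("https", "").strip().lower() == "true"
        rows.append((el.get("uri"), auth_on, https_on))
    return rows

def unprotected(xml_text):
    """URIs served without a login check; confirm each is meant to be public."""
    return [u for u, auth_on, _ in audit_request_maps(xml_text) if not auth_on]

def auth_without_https(xml_text):
    """URIs that require login but are not forced onto HTTPS."""
    return [u for u, a, h in audit_request_maps(xml_text) if a and not h]

if __name__ == "__main__":
    print(unprotected(SAMPLE_CONTROLLER), auth_without_https(SAMPLE_CONTROLLER))
```

Run against each web application's controller.xml, the first list is the set of URIs to review for intended public access, and the second is the set where credentials or session cookies for a protected page are not forced onto HTTPS.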
To override controller.xml authentication settings for an entire OFBiz instance, use your favorite text editor to modify the ~framework/webapp/config/url.properties file and change the following global URL conversion setting as shown here:

port.https.enabled=N

Restart OFBiz to make this change effective.
Setting this property as shown overrides all controller.xml settings for the entire instance. All URL requests will be serviced using the HTTP port. Any explicit requests for secure port access, for example, https://www.myserver.com, will automatically be routed by OFBiz to the non-secure URL equivalent. Because the login form is then served over HTTP as well, user names and passwords cross the network unencrypted.
While not necessarily a security setting, session timeouts are configured within the web application deployment descriptor file per OFBiz webapp. The ~webapp/webappName/WEB-INF/web.xml file is used directly by Tomcat to configure parameters specific to an individual web application. To set Tomcat session timeouts, add an entry similar to the following:

<session-config>
    <session-timeout>60</session-timeout> <!-- in minutes -->
</session-config>