Posted to commits@ofbiz.apache.org by jl...@apache.org on 2019/09/02 07:05:09 UTC

svn commit: r1866255 - in /ofbiz/ofbiz-framework/trunk/framework: security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

Author: jleroux
Date: Mon Sep  2 07:05:08 2019
New Revision: 1866255

URL: http://svn.apache.org/viewvc?rev=1866255&view=rev
Log:
Improved: Unknown request [images]; this request does not exist or cannot be 
called directly.
(OFBIZ-11152)

Gives advice to reassure users about the seriousness of the issue

This issue can be easily reproduced by going to example/control/FormWidgetExamples
Other backend components are less concerned but it happens sometimes in them too.
It's quite hard to understand what's happening.
This is a sequel of OFBIZ-10895

Added:
    ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc   (with props)
Modified:
    ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

Added: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc?rev=1866255&view=auto
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc (added)
+++ ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc Mon Sep  2 07:05:08 2019
@@ -0,0 +1,76 @@
+////
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+////
+
+= Passwords and JWT (JSON Web Tokens) usage
+== How are set and used passwords and JWT  in Apache OFBiz
+The Apache OFBiz Project
+Release 17.12
+
+:imagesdir: ../../themes/common-theme/webapp/images/img/
+ifdef::backend-pdf[]
+:title-logo-image: image::OFBiz-Logo.svg[Apache OFBiz Logo, pdfwidth=4.25in, align=center]
+:source-highlighter: rouge
+endif::[]
+
+=== Passwords
+
+Demo and seed passwords are stored in files loaded through security ofbiz-component.xml. To know more about that be sure to read:
+
+
+* https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guidehttp://url[The technical production setup guide] notably "Initial Data Loading" and "Security Settings" sections
+* https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deploymenthttp://url[How to secure your deployment]
+
+[CAUTION]
+These configuration steps are not to be neglected for the security of a *production environment*
+
+=== JWT usage
+
+https://en.wikipedia.org/wiki/JSON_Web_Token[As says Wikipedia]:
+____
+JSON Web Token (JWT) is an Internet standard for creating JSON-based access tokens that assert some number of claims.
+____
+
+
+We currently use JWT in 2 places:
+
+. To let users safely recreate passwords (in backend and frontend)
+. To allow SSO (Single Sig-on) jumpings from an OFBiz instance to another OFBiz instance on another domain, by also using https://en.wikipedia.org/wiki/Cross-origin_resource_sharing[CORS] (
+Cross-origin resource sharing) on the target server
+
+
+==== How to secure JWT
+When you use JWT, in order to sign your tokens, you have the choice of using a sole so called secret key or a pair of public/private keys:https://jwt.io/introduction/. 
+
+You might prefer to use pair of public/private keys, but by default OFBiz uses a secret key. Remains the way how to store this secret key.
+
+. The first idea which comes to mind is to use a property in the security.properties file. It's safe as long as your filesystem is not compromised. 
+. You may also pick a SystemProperty entity. It's safe as long as your DB is not compromised. 
+. We recommend to not use an environment variable to pass the uuid as those can be considered weak:
+
+    http://movingfast.io/articles/environment-variables-considered-harmful/
+    https://security.stackexchange.com/questions/49725/is-it-really-secure-to-store-api-keys-in-environment-variables
+
+
+
+===== Properties
+
+The _security.properties_ file introduce two properties that control impersonation feature :
+
+=== Last but not least
+Be sure to read https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping OFBiz secure]
\ No newline at end of file
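Review bot: the two wiki links in the Passwords section, `+* https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guidehttp://url[The technical production setup guide] ...` and `+* https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deploymenthttp://url[How to secure your deployment]`, have a stray `http://url` fused onto the end of each URL, so the rendered links point at a non-existent page; remove that fragment so the bracketed link text attaches to the real URL. The `===== Properties` subsection stops after `+The _security.properties_ file introduce two properties that control impersonation feature :` without naming any property, and impersonation is not what the surrounding JWT section covers, so either list the properties or drop the stub until it is written; in the secret-key storage list, `to pass the uuid` should say the secret key, since that is what the three options are about; `Single Sig-on` should read `Single Sign-on`. Finally, the commit log only describes the `/images/` warning in RequestHandler, so this new file should at least be mentioned there (the reply below confirms it slipped in inadvertently).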

Propchange: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
------------------------------------------------------------------------------
    svn:keywords = Date Rev Author URL Id

Propchange: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java?rev=1866255&r1=1866254&r2=1866255&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java Mon Sep  2 07:05:08 2019
@@ -277,6 +277,9 @@ public class RequestHandler {
                 if (path.contains("/checkLogin/")) {
                     // Nested requests related with checkLogin uselessly clutter the log. There is nothing to worry about, better remove this wrong error message.
                     return;
+                } else if (path.contains("/images/")) {
+                    if (Debug.warningOn()) Debug.logWarning("You should check if this request is really a problem or a false alarm: " + request.getRequestURL(), module);
+                    throw new RequestHandlerException(requestMissingErrorMessage);
                 } else {
                     throw new RequestHandlerException(requestMissingErrorMessage);
                 }
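Review bot: the new `else if (path.contains("/images/"))` branch ends with the same `throw new RequestHandlerException(requestMissingErrorMessage);` as the `else` branch, so the only behavioural change is the extra warning; this reads more clearly as a single unconditional throw preceded by a braced `if (path.contains("/images/") && Debug.warningOn()) { ... }`, and the one-line `if (Debug.warningOn()) Debug.logWarning(...)` without braces departs from the braced style of the surrounding code. Two further points: `request.getRequestURL()` is client-controlled input written verbatim into a WARNING-level log line, so anything that consumes these logs now sees arbitrary URLs chosen by the client; and `path.contains("/images/")` matches that substring anywhere in the path rather than only the missing `images` request the log message is about, so the "check if this request is really a problem or a false alarm" advice will also be emitted for unrelated requests whose path happens to contain that segment.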



Re: svn commit: r1866255 - in /ofbiz/ofbiz-framework/trunk/framework: security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi,

sy-password-and-JWT.adoc slipped in inadvertently. Not a big deal, it's a WIP part of OFBIZ-10751, to be continued...

Jacques

On 02/09/2019 at 09:05, jleroux@apache.org wrote:
> Author: jleroux
> Date: Mon Sep  2 07:05:08 2019
> New Revision: 1866255
>
> URL: http://svn.apache.org/viewvc?rev=1866255&view=rev
> Log:
> Improved: Unknown request [images]; this request does not exist or cannot be
> called directly.
> (OFBIZ-11152)