Posted to commits@ofbiz.apache.org by jl...@apache.org on 2017/11/05 17:33:30 UTC
svn commit: r1814363 - in /ofbiz/ofbiz-framework/trunk/framework:
common/webcommon/WEB-INF/common-controller.xml
security/config/security.properties
webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
Author: jleroux
Date: Sun Nov 5 17:33:30 2017
New Revision: 1814363
URL: http://svn.apache.org/viewvc?rev=1814363&view=rev
Log:
Implemented: Token Based Authentication
(OFBIZ-9833)
I have tested the Token Based Authentication between my local machine and the
trunk demo. It works as expected.
This completes the previous commit by:
adding a new externalServerLoginCheck pre processor
Documenting how to set the ExternalServerJwtMasterSecretKey in production
using sed and uuidgen
Adding documented properties to security.properties, not enabled OOTB
but ready to be set in production
Modified:
ofbiz/ofbiz-framework/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
Modified: ofbiz/ofbiz-framework/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/common/webcommon/WEB-INF/common-controller.xml?rev=1814363&r1=1814362&r2=1814363&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/common/webcommon/WEB-INF/common-controller.xml (original)
+++ ofbiz/ofbiz-framework/trunk/framework/common/webcommon/WEB-INF/common-controller.xml Sun Nov 5 17:33:30 2017
@@ -31,6 +31,7 @@ under the License.
<event name="checkRequestHeaderLogin" type="java" path="org.apache.ofbiz.webapp.control.LoginWorker" invoke="checkRequestHeaderLogin"/>
<event name="checkServletRequestRemoteUserLogin" type="java" path="org.apache.ofbiz.webapp.control.LoginWorker" invoke="checkServletRequestRemoteUserLogin"/>
<event name="checkExternalLoginKey" type="java" path="org.apache.ofbiz.webapp.control.ExternalLoginKeysManager" invoke="checkExternalLoginKey"/>
+ <event name="externalServerLoginCheck" type="java" path="org.apache.ofbiz.webapp.control.ExternalLoginKeysManager" invoke="externalServerLoginCheck"/>
<event name="checkProtectedView" type="java" path="org.apache.ofbiz.webapp.control.ProtectViewWorker" invoke="checkProtectedView"/>
<event name="extensionConnectLogin" type="java" path="org.apache.ofbiz.webapp.control.LoginWorker" invoke="extensionConnectLogin"/>
</preprocessor>
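Review bot: The new `externalServerLoginCheck` pre-processor event on the added line is registered unconditionally, so it runs for every request routed through this common controller, including on deployments that keep `use-external-server=N` in security.properties. Whether `ExternalLoginKeysManager.externalServerLoginCheck` returns early when that property is not enabled is not visible in this hunk; if it does not, an early success return guarded on the property would avoid token parsing on every request. A one-line comment above the event naming the switch that activates it, `<!-- only active when use-external-server=Y in security.properties -->`, would help operators reading the controller.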
Modified: ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties?rev=1814363&r1=1814362&r2=1814363&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties (original)
+++ ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties Sun Nov 5 17:33:30 2017
@@ -128,3 +128,12 @@ default.error.response.view=view:viewBlo
# -- If false, then no externalLoginKey parameters will be added to cross-webapp urls
security.login.externalLoginKey.enabled=true
+
+# -- If true, then it's possible to connect to another webapp on another server w/o signing in
+use-external-server=N
+# -- Name of the external server (DNS)
+external-server-name=localhost:8443
+# -- Query part of the URL to use
+external-server-query=/example/control/
+# -- Time To Live of the token send to the external server
+external-server-token-duration=30
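Review bot: The comment above `use-external-server=N` says "If true", but the value is written as `N`, so the accepted values (presumably `Y`/`N`) should be stated to avoid an operator writing `true` and silently leaving the feature off. The label "Query part of the URL" for `external-server-query=/example/control/` names a path, not a query string, and `external-server-token-duration=30` carries no unit ("send" should also read "sent"); I would write `# -- If Y, then it's possible to connect to another webapp on another server w/o signing in (values: Y/N)` and `# -- Time To Live, in <unit applied by ExternalLoginKeysManager>, of the token sent to the external server`, filling in the unit the Java code uses, which this hunk does not show. Since `use-external-server=Y` lets a JWT stand in for a sign-in, the comment block should also remind the operator to replace the default ExternalServerJwtMasterSecretKey in ExternalLoginKeysManager before enabling it.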
Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java?rev=1814363&r1=1814362&r2=1814363&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java Sun Nov 5 17:33:30 2017
@@ -63,6 +63,7 @@ public class ExternalLoginKeysManager {
// As we sign on on several servers, so have different sessions, we can't use the externalLoginKey way to create the JWT masterSecretKey.
// The best way to create the JWT masterSecretKey is to use a temporary way to load in a static final key when compiling.
// This is simple and most secure. One of the proposed way is to use sed and uuidgen to modify the masterSecretKey value
+ // This: sed -i /ExternalServerJwtMasterSecretKey/s//$(uuidgen)/\2 framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
// The magic words here are TEMPORARY and FINAL!
private static final String ExternalServerJwtMasterSecretKey = "ExternalServerJwtMasterSecretKey";