Posted to commits@ofbiz.apache.org by jl...@apache.org on 2017/11/05 17:33:30 UTC

svn commit: r1814363 - in /ofbiz/ofbiz-framework/trunk/framework: common/webcommon/WEB-INF/common-controller.xml security/config/security.properties webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java

Author: jleroux
Date: Sun Nov  5 17:33:30 2017
New Revision: 1814363

URL: http://svn.apache.org/viewvc?rev=1814363&view=rev
Log:
Implemented: Token Based Authentication
(OFBIZ-9833)

I have tested the Token Based Authentication between my local machine and the 
trunk demo. It works as expected.

This completes the previous commit by:
  adding a new externalServerLoginCheck pre processor
  Documenting how to set the ExternalServerJwtMasterSecretKey in production
    using sed and uuidgen
  Adding documented properties in security.properties, not set to be used OOTB
   but ready to be set in production

Modified:
    ofbiz/ofbiz-framework/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
    ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties
    ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java

Modified: ofbiz/ofbiz-framework/trunk/framework/common/webcommon/WEB-INF/common-controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/common/webcommon/WEB-INF/common-controller.xml?rev=1814363&r1=1814362&r2=1814363&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/common/webcommon/WEB-INF/common-controller.xml (original)
+++ ofbiz/ofbiz-framework/trunk/framework/common/webcommon/WEB-INF/common-controller.xml Sun Nov  5 17:33:30 2017
@@ -31,6 +31,7 @@ under the License.
         <event name="checkRequestHeaderLogin" type="java" path="org.apache.ofbiz.webapp.control.LoginWorker" invoke="checkRequestHeaderLogin"/>
         <event name="checkServletRequestRemoteUserLogin" type="java" path="org.apache.ofbiz.webapp.control.LoginWorker" invoke="checkServletRequestRemoteUserLogin"/>
         <event name="checkExternalLoginKey" type="java" path="org.apache.ofbiz.webapp.control.ExternalLoginKeysManager" invoke="checkExternalLoginKey"/>
+        <event name="externalServerLoginCheck" type="java" path="org.apache.ofbiz.webapp.control.ExternalLoginKeysManager" invoke="externalServerLoginCheck"/>
         <event name="checkProtectedView" type="java" path="org.apache.ofbiz.webapp.control.ProtectViewWorker" invoke="checkProtectedView"/>
         <event name="extensionConnectLogin" type="java" path="org.apache.ofbiz.webapp.control.LoginWorker" invoke="extensionConnectLogin"/>
     </preprocessor>
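Review bot: The added `externalServerLoginCheck` event sits in the shared preprocessor chain with no visible gate, so it presumably runs on every request of every webapp that includes common-controller.xml, even though security.properties ships `use-external-server=N`. The handler body is not part of this hunk, so confirm that it returns immediately when the feature is disabled. It should also refuse to validate tokens while the signing key in ExternalLoginKeysManager.java is still the placeholder literal `"ExternalServerJwtMasterSecretKey"`, because that value is public in the source tree. A short comment above the event would help the next reader, e.g. `<!-- Token-based login from an external server; see use-external-server in security.properties -->`.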

Modified: ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties?rev=1814363&r1=1814362&r2=1814363&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties (original)
+++ ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties Sun Nov  5 17:33:30 2017
@@ -128,3 +128,12 @@ default.error.response.view=view:viewBlo
 
 # -- If false, then no externalLoginKey parameters will be added to cross-webapp urls
 security.login.externalLoginKey.enabled=true
+
+# -- If true, then it's possible to connect to another webapp on another server w/o signing in
+use-external-server=N
+# -- Name of the external server (DNS)  
+external-server-name=localhost:8443
+# -- Query part of the URL to use
+external-server-query=/example/control/
+# -- Time To Live of the token send to the external server
+external-server-token-duration=30
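Review bot: The comment on `use-external-server` says "If true" while the shipped value is `N`, and the neighbouring `security.login.externalLoginKey.enabled` uses `true`/`false`, so an operator cannot tell from this file which spelling turns the feature on. State the accepted values in the comment, e.g. `# -- If Y, then it's possible to connect to another webapp on another server w/o signing in` (assuming the reader compares against Y; the code that reads it is not in this hunk). `external-server-token-duration=30` also needs its unit, since the token lifetime is the replay window for a captured token: `# -- Time To Live of the token sent to the external server, in <unit>`.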

Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java?rev=1814363&r1=1814362&r2=1814363&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java Sun Nov  5 17:33:30 2017
@@ -63,6 +63,7 @@ public class ExternalLoginKeysManager {
     // As we sign on on several servers, so have different sessions, we can't use the externalLoginKey way to create the JWT masterSecretKey.
     // The best way to create the JWT masterSecretKey is to use a temporary way to load in a static final key when compiling. 
     // This is simple and most secure. One of the proposed way is to use sed and uuidgen to modify the masterSecretKey value
+    // This: sed -i /ExternalServerJwtMasterSecretKey/s//$(uuidgen)/\2 framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
     // The magic words here are TEMPORARY and FINAL!
     private static final String ExternalServerJwtMasterSecretKey = "ExternalServerJwtMasterSecretKey";