Posted to commits@ofbiz.apache.org by jl...@apache.org on 2017/11/06 12:41:33 UTC

svn commit: r1814402 - /ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java

Author: jleroux
Date: Mon Nov  6 12:41:33 2017
New Revision: 1814402

URL: http://svn.apache.org/viewvc?rev=1814402&view=rev
Log:
Implemented: Token Based Authentication
(OFBIZ-9833)

Comment about production server

I thought it was obvious that you should not keep this file on a production
server after having changed the default value of 
ExternalServerJwtMasterSecretKey

Moreover we recommend having the value of ExternalServerJwtMasterSecretKey
dynamically generated during each build to increase security.

Modified:
    ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java

Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java?rev=1814402&r1=1814401&r2=1814402&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java Mon Nov  6 12:41:33 2017
@@ -64,7 +64,8 @@ public class ExternalLoginKeysManager {
     // The best way to create the JWT masterSecretKey is to use a temporary way to load in a static final key when compiling. 
     // This is simple and most secure. One of the proposed way is to use sed and uuidgen to modify the masterSecretKey value
     // This: sed -i /ExternalServerJwtMasterSecretKey/s//$(uuidgen)/\2 framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
-    // The magic words here are TEMPORARY and FINAL!
+    // Of course you should not let the ExternalLoginKeysManager.java file on a production server after compilation 
+    // Because it will contain the dynamically generated ExternalServerJwtMasterSecretKey anyway
     private static final String ExternalServerJwtMasterSecretKey = "ExternalServerJwtMasterSecretKey";
 
     /**
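Review bot: the rewritten comment (the two + lines) tells operators what to do after the build, but nothing in the class checks that the sed/uuidgen substitution actually ran; the unchanged line below still initialises the constant to the literal string of its own name, so a build that skips the step signs JWTs with a key that anyone reading the public source knows. Suggest either failing fast at startup when ExternalServerJwtMasterSecretKey still equals that placeholder, or loading the key from a property outside the source tree so the .java file never has to be cleaned off the production server at all. Minor wording: "should not let the ExternalLoginKeysManager.java file on a production server" reads better as "should not leave the ... file on a production server".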



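The commit message recommends generating the value of ExternalServerJwtMasterSecretKey at each build. The script below is an added example, not OFBiz project code: it performs that substitution and then refuses to continue if the placeholder is still the constant's value. It assumes a POSIX sh with sed, grep, od and /dev/urandom; the default file path is the one named in the commit.

```shell
#!/bin/sh
# Added example, not OFBiz project code: a build step that swaps the placeholder
# value of ExternalServerJwtMasterSecretKey for a freshly generated random key
# and then fails the build if the placeholder is still the constant's value.
# Assumes POSIX sh with sed, grep, od and /dev/urandom (no uuidgen needed).
# The default path is the file named in the commit; pass another as $1.

DEFAULT_KEY="ExternalServerJwtMasterSecretKey"   # placeholder shipped in source
SRC="${1:-framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java}"

# 256 bits from the OS CSPRNG, printed as 64 hex characters.
gen_key() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Rewrite only the string literal assigned to the constant; comments that
# merely mention the same name are left untouched. Uses a temp file instead
# of sed -i so it behaves the same on GNU and BSD sed.
inject_key() {
    file="$1"; key="$2"; tmp="$file.tmp"
    sed "s/\(ExternalServerJwtMasterSecretKey *= *\)\"$DEFAULT_KEY\"/\1\"$key\"/" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# Succeeds (exit 0) only when no line still assigns the placeholder as a value.
placeholder_gone() {
    ! grep -q "= *\"$DEFAULT_KEY\"" "$1"
}

# Build-time use: generate, inject, verify. A failed check must stop the build
# so a binary that signs tokens with the publicly known default never ships.
if [ -f "$SRC" ]; then
    inject_key "$SRC" "$(gen_key)"
    placeholder_gone "$SRC" || { echo "placeholder JWT key still present in $SRC" >&2; exit 1; }
fi
```

The generated source still contains the key after compilation, so this step only complements, and does not replace, the commit's advice to keep the file off the production server.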
Re: svn commit: r1814402 - /ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Michael,

I put my last thoughts at https://s.apache.org/cFeK

I'll need to slightly change my comments in ExternalLoginKeysManager, will do later...

Jacques


On 06/11/2017 at 13:57, Michael Brohl wrote:
> Hi Jacques,
>
> this is the same solution pattern as we've discussed in [1]. I think we should discuss this general pattern for both cases.
>
> I will wait for other opinions in [1] and do my follow-up later.
>
> Thanks,
>
> Michael
>
> [1] https://lists.apache.org/thread.html/71a9b1d73246655753ef71abf9cdf530c951ff372d14e335f3e9fd77@%3Cdev.ofbiz.apache.org%3E
>
>


Re: svn commit: r1814402 - /ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java

Posted by Michael Brohl <mi...@ecomify.de>.
Hi Jacques,

this is the same solution pattern as we've discussed in [1]. I think we 
should discuss this general pattern for both cases.

I will wait for other opinions in [1] and do my follow-up later.

Thanks,

Michael

[1] https://lists.apache.org/thread.html/71a9b1d73246655753ef71abf9cdf530c951ff372d14e335f3e9fd77@%3Cdev.ofbiz.apache.org%3E

