Posted to dev@ofbiz.apache.org by Michael Brohl <mi...@ecomify.de> on 2019/01/19 11:57:37 UTC

[DISCUSSION] turn off OOTB JWT authorization/SSO functionality

Hi all,

during my work in [1] I realized that the OOTB JWT authorization / 
single sign on is switched on by default. The logic to retrieve the 
secret key uses a default if there is no configuration in SystemProperty 
or security.properties.

This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login 
using a guessed userLoginId and this token (which can be retrieved from 
the code).

I think we should secure this so that this cannot be done in an OOTB 
setting with the following additions:

1. make it configurable through a property which is initially turned 
off. I think this is better than commenting the preprocessor in/out 
because it can be better integrated in (custom) configuration mechanisms.

2. don't use a default secret key if none is provided. The 
user/administrator must explicitly set a secret key and should know what 
he is doing then.

3. don't proceed if no secret key can be found (do not attempt a login 
using the JWT)


I think that we should turn this feature off by default for the 
following reasons:

1. it opens up a security hole if the user does not remove the 
checkJWTLogin preprocessor (see above)

2. the functionality to have a single sign on between two OFBiz 
instances will only be used in rare cases (I think). It is only designed 
for this special case and cannot be used for standard single sign on 
scenarios with other systems.

3. if it is not used, it will still try to read the authorization 
header, key etc. *on every request*


What do you think?

Regards,

Michael


[1] https://issues.apache.org/jira/browse/OFBIZ-10814

[2] https://jwt.io/

[3] http://jwtbuilder.jamiekurtz.com/





Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

Posted by Deepak Dixit <de...@hotwax.co>.
Thanks Michael,
Looks good to me..!!

Thanks & Regards
--
Deepak Dixit




Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

Posted by Michael Brohl <mi...@ecomify.de>.
This is now committed, see https://issues.apache.org/jira/browse/OFBIZ-10814

Thanks,

Michael


On 23.01.19 at 15:12, Michael Brohl wrote:
>
> [1] https://issues.apache.org/jira/browse/OFBIZ-10814


Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

Posted by Michael Brohl <mi...@ecomify.de>.
Hi Jacopo,

thanks for your response!

I think it would be better to separate the different concerns here and 
have a separate configuration to turn internal SSO on/off and to 
provide a secret for the JWT handling.

For example, if you want to use the JWT handling for another reason than 
internal SSO (e.g. REST interfaces) you would also be forced to use the 
internal SSO feature.

I'll provide my latest patch soon for review.

Best regards,

Michael


On 23.01.19 at 07:34, Jacopo Cappellato wrote:
> +1 to disabling it by default.
> We could consider, rather than adding a new configuration flag, to disable
> the feature if no secret is set in the configuration files (and do not
> provide a secret out of the box).
>
> Jacopo
>


Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

Posted by Jacopo Cappellato <ja...@hotwaxsystems.com>.
+1 to disabling it by default.
We could consider, rather than adding a new configuration flag, to disable
the feature if no secret is set in the configuration files (and do not
provide a secret out of the box).

Jacopo

