You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2018/02/06 12:18:15 UTC
svn commit: r1823316 - in /ofbiz/ofbiz-framework/branches/release17.12: ./
framework/security/config/security.properties
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
Author: jleroux
Date: Tue Feb 6 12:18:15 2018
New Revision: 1823316
URL: http://svn.apache.org/viewvc?rev=1823316&view=rev
Log:
"Applied fix from trunk for revision: 1822882"
------------------------------------------------------------------------
r1822882 | jleroux | 2018-02-01 16:27:17 +0100 (jeu., 01 févr. 2018) | 7 lines
Improved: Token Based Authentication
(OFBIZ-9833)
I just thought that for security it's best to have both the source and
target server using the use-external-server property.
Also default to N when requesting this property
------------------------------------------------------------------------
Modified:
ofbiz/ofbiz-framework/branches/release17.12/ (props changed)
ofbiz/ofbiz-framework/branches/release17.12/framework/security/config/security.properties
ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
Propchange: ofbiz/ofbiz-framework/branches/release17.12/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Feb 6 12:18:15 2018
@@ -10,4 +10,4 @@
/ofbiz/branches/json-integration-refactoring:1634077-1635900
/ofbiz/branches/multitenant20100310:921280-927264
/ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821600,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393
+/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821600,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1822882
Modified: ofbiz/ofbiz-framework/branches/release17.12/framework/security/config/security.properties
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/framework/security/config/security.properties?rev=1823316&r1=1823315&r2=1823316&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/branches/release17.12/framework/security/config/security.properties (original)
+++ ofbiz/ofbiz-framework/branches/release17.12/framework/security/config/security.properties Tue Feb 6 12:18:15 2018
@@ -132,11 +132,14 @@ default.error.response.view=view:viewBlo
# -- If false, then no externalLoginKey parameters will be added to cross-webapp urls
security.login.externalLoginKey.enabled=true
+### To have this working, an example of the change needed on the source server is available in OFBIZ-9833-external-server-test-example.patch
+### With this example, the external-server-query must be /catalog/control/
# -- If true, then it's possible to connect to another webapp on another server w/o signing in
+# -- This needs to be changed on both the source server and the target server
use-external-server=N
# -- Name of the external server (DNS)
-external-server-name=localhost:8443
+external-server-name=demo-trunk.ofbiz.apache.org
# -- Query part of the URL to use
-external-server-query=/example/control/
+external-server-query=/catalog/control/
# -- Time To Live of the token send to the external server in seconds
external-server-token-duration=30
Modified: ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java?rev=1823316&r1=1823315&r2=1823316&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java (original)
+++ ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java Tue Feb 6 12:18:15 2018
@@ -181,6 +181,7 @@ public class ExternalLoginKeysManager {
String externalServerUserLoginId = request.getParameter(EXTERNAL_SERVER_LOGIN_KEY);
if (externalServerUserLoginId == null) return "success"; // Nothing to do here
+ if (!"Y".equals(EntityUtilProperties.getPropertyValue("security", "use-external-server", "N", delegator))) return "success"; // The target server does not allow external login by default
GenericValue currentUserLogin = (GenericValue) session.getAttribute("userLogin");
@@ -313,7 +314,7 @@ public class ExternalLoginKeysManager {
public static String getExternalServerName(HttpServletRequest request) {
String reportingServerName = "";
Delegator delegator = (Delegator) request.getAttribute("delegator");
- if (delegator != null && "Y".equals(EntityUtilProperties.getPropertyValue("security", "use-external-server", "Y", delegator))) {
+ if (delegator != null && "Y".equals(EntityUtilProperties.getPropertyValue("security", "use-external-server", "N", delegator))) {
reportingServerName = EntityUtilProperties.getPropertyValue("security", "external-server-name", "localhost:8443", delegator);
String reportingServerQuery = EntityUtilProperties.getPropertyValue("security", "external-server-query", "/catalog/control/", delegator);
reportingServerName = "https://" + reportingServerName + reportingServerQuery;