Posted to commits@ofbiz.apache.org by jl...@apache.org on 2020/04/15 17:31:54 UTC

[ofbiz-framework] branch trunk updated: Documented: improves security.properties documentation

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 07a472f  Documented: improves security.properties documentation
07a472f is described below

commit 07a472f89c9b30b525bac099ee90e3e4ffd90ea4
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Wed Apr 15 19:31:51 2020 +0200

    Documented: improves security.properties documentation
---
 framework/security/config/security.properties | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 64dce02..52fbf08 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -156,14 +156,17 @@ security.token.key=security.token.key
 # -- no spaces after commas,no wildcard, can be extended of course...
 host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
 
-# -- By default the SameSite value in SameSiteFilter is 'strict'. This property allows to change to 'lax' if needed
-# -- If you use 'lax' we recommend that you set org.apache.ofbiz.security.CsrfDefenseStrategy for csrf.defense.strategy (see below)
+# -- By default the SameSite value in SameSiteFilter is 'strict'.
+# -- This property allows to change to 'lax' if needed.
+# -- If you use 'lax' we recommend that you set 
+# -- org.apache.ofbiz.security.CsrfDefenseStrategy 
+# -- for csrf.defense.strategy (see below)
 SameSiteCookieAttribute=
 
 # -- The cache size for the Tokens Maps that stores the CSRF tokens.
 # -- RemoveEldestEntry is used when it's get above csrf.cache.size
 # -- Default is 5000
-# -- TODO: separate tokenMap from partyTokenMap
+# -- TODO: possibly separate tokenMap size from partyTokenMap size
 csrf.cache.size=
 
 # -- Parameter name for CSRF token. Default is "csrf" if not specified
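Review bot: The rewrapped comment lines `# -- If you use 'lax' we recommend that you set ` and `# -- org.apache.ofbiz.security.CsrfDefenseStrategy ` end with a trailing space, and the same appears on `# -- Use org.apache.ofbiz.security.CsrfDefenseStrategy ` in the next hunk. This is harmless in a properties comment, but it trips whitespace checks and shows up as noise in later diffs, so I would strip it before merging. Otherwise the rewrap changes no wording, so there is nothing else to raise on this hunk.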
@@ -177,6 +180,8 @@ csrf.entity.request.limit=
 
 # -- CSRF defense strategy.
 # -- Because OFBiz OOTB also sets the SameSite attribute to 'strict' for all cookies,
+# -- which is an effective CSRF defense,
 # -- default is org.apache.ofbiz.security.NoCsrfDefenseStrategy if not specified.
-# -- Use org.apache.ofbiz.security.CsrfDefenseStrategy if you want to use a 'lax' for SameSiteCookieAttribute
+# -- Use org.apache.ofbiz.security.CsrfDefenseStrategy 
+# -- if you need to use a 'lax' for SameSiteCookieAttribute
 csrf.defense.strategy=
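Review bot: The added line `# -- which is an effective CSRF defense,` presents SameSite=strict as the whole justification for defaulting to NoCsrfDefenseStrategy, but SameSite is enforced by the user agent, so with that default a request from a client that does not honor the attribute gets no server-side CSRF check at all. I would qualify it, e.g. `# -- which is an effective CSRF defense for clients that honor the SameSite attribute,`, so an operator reading this file sees the trade-off before keeping the default. The new line `# -- if you need to use a 'lax' for SameSiteCookieAttribute` should read `'lax'` without the article. Both hunks describe the same strict/lax relationship, so keeping the two comments worded consistently would help; the first hunk's version says "if needed" where this one says "if you need to".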