This is an automated email from the ASF dual-hosted git repository.
jacopoc pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 185c9a0406 Implemented: Remove demo secret keys from security.property
and add a gradle task to generate and set the keys
185c9a0406 is described below
commit 185c9a04062de874082d2322ad6c3d98d16ed614
Author: Jacopo Cappellato <[email protected]>
AuthorDate: Tue Mar 10 18:59:36 2026 +0100
Implemented: Remove demo secret keys from security.property and add a
gradle task to generate and set the keys
The new task, generateSecretKeys, is automatically triggered when the
loadAll task is executed.
---
build.gradle | 32 ++++++++++++++++++++++++++-
framework/security/config/security.properties | 6 +++--
2 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/build.gradle b/build.gradle
index 84aabfc0b1..3556a0d597 100644
--- a/build.gradle
+++ b/build.gradle
@@ -371,10 +371,13 @@ eclipse.classpath.file.whenMerged { classpath ->
tasks.eclipse.dependsOn(cleanEclipse)
test {
+ dependsOn 'generateSecretKeys'
useJUnit()
jvmArgs "-javaagent:${classpath.find { it.name.contains('jmockit')
}.absolutePath}"
}
+processResources.mustRunAfter 'generateSecretKeys'
+
/* ========================================================
* Tasks
* ======================================================== */
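Review bot: `processResources.mustRunAfter 'generateSecretKeys'` is only an ordering constraint, not a dependency, so a build that does not go through `test` or `loadAll` (a plain `./gradlew build`, for instance) never runs the task and packages the now-empty `login.secret_key_string` and `security.token.key` from security.properties. If that is intended, a one-line comment next to it saying that only `test` and `loadAll` trigger generation would save the next reader the same question; otherwise `processResources.dependsOn 'generateSecretKeys'` is the wiring that actually guarantees a key is present. Separately, `dependsOn 'generateSecretKeys'` inside `test` means every test run rewrites both keys; whether the runtime rejects an empty key, or what it does with a rotated one, cannot be seen from this diff.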
@@ -389,7 +392,7 @@ def sysadminGroup = 'System Administration'
// ========== OFBiz Server tasks ==========
task loadAll(group: ofbizServer) {
- dependsOn 'ofbiz --load-data'
+ dependsOn 'generateSecretKeys', 'ofbiz --load-data'
description 'Load default data; meant for OFBiz development, testing, and
demo purposes'
}
@@ -745,6 +748,33 @@ task gitInfoFooter(group: sysadminGroup, description:
'Update the Git Branch-rev
}
}
+task generateSecretKeys(group: sysadminGroup,
+ description: 'Generate cryptographically secure 512-bit (64-char)
secret keys for JWT token signing and password encryption, and write them to
security.properties') {
+ doLast {
+ def propertiesFile =
file('framework/security/config/security.properties')
+
+ def generateAndWriteKey = { String propertyName ->
+ def keyBytes = new byte[48] // 48 bytes * 4/3 = 64 Base64 chars
(no padding needed)
+ new java.security.SecureRandom().nextBytes(keyBytes)
+ def key = java.util.Base64.getEncoder().encodeToString(keyBytes)
+ def content = propertiesFile.text
+ def escapedName = propertyName.replace('.', '\\.')
+ if (content =~ /(?m)^#?${escapedName}=.*$/) {
+ content = content.replaceAll(/(?m)^#?${escapedName}=.*$/,
"${propertyName}=${key}")
+ } else {
+ content += "\n${propertyName}=${key}\n"
+ }
+ propertiesFile.text = content
+ }
+
+ generateAndWriteKey('login.secret_key_string')
+ generateAndWriteKey('security.token.key')
+
+ println "New secret keys have been generated and written to
framework/security/config/security.properties"
+ println "Keep these keys secret and do not commit them to version
control."
+ }
+}
+
// ========== OFBiz Plugin Management ==========
task createPlugin(group: ofbizPlugin, description: 'create a new plugin
component based on specified templates') {
doLast {
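Review bot: `generateAndWriteKey` overwrites an existing key unconditionally, and because `test` and `loadAll` now depend on this task (first and second hunks), both keys rotate on every test or data-load run: outstanding JWTs stop validating and anything encrypted with the previous `login.secret_key_string` can no longer be decrypted. A guard that leaves a non-empty value alone still fills in the blank keys that security.properties now ships with on the first run, while a deliberate rotation remains possible by blanking the value first. Two smaller points: the task description says "512-bit", but 48 random bytes give 384 bits of entropy (the 64-char Base64 string is 512 bits long only as ASCII), so `'Generate 64-char Base64 secret keys (384 bits of entropy) for JWT signing and password encryption …'` is the accurate wording; and the final println tells the user not to commit the keys while writing them into a file this same commit tracks, so a comment beside the `file(...)` call naming how the repository is expected to keep that file out of commits would close the gap. The generateSecretKeys task is complete within the hunk; createPlugin's body continues outside it.
```groovy
def generateAndWriteKey = { String propertyName ->
    def content = propertiesFile.text
    def escapedName = propertyName.replace('.', '\\.')
    // Leave a key that is already set alone; only blank (or commented-out) entries are filled in,
    // so that running 'test' or 'loadAll' does not rotate keys that are already in use.
    def existing = (content =~ /(?m)^${escapedName}=(.*)$/)
    if (existing.find() && existing.group(1).trim()) {
        println "${propertyName} is already set in security.properties; not regenerating it"
        return
    }
    // … unchanged: generate 48 random bytes, Base64-encode, replace or append the line, write the file …
}
```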
diff --git a/framework/security/config/security.properties
b/framework/security/config/security.properties
index eece746e72..2e0d3ba0ed 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -144,7 +144,8 @@ security.login.externalLoginKey.enabled=true
# -- Security key used to encrypt and decrypt the autogenerated password in
forgot password functionality.
# Read Passwords and JWT (JSON Web Tokens) usage documentation to choose
the way you want to store this key
# The key must be 512 bits (ie 64 chars) as we use HMAC512 to create the
token, cf. OFBIZ-12724
-login.secret_key_string=p2s5u8x/A?D(G+KbPeShVmYq3t6w9z$B&E)H@McQfTjWnZr4u7x!A%D*F-JaNdRg
+# Run './gradlew generateSecretKeys' to generate a cryptographically secure
random key.
+login.secret_key_string=
# -- Time To Live of the token send to the external server in seconds
security.jwt.token.expireTime=1800
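Review bot: The new comment above `login.secret_key_string=` tells the reader to run the task by hand but not that `loadAll` and `test` run it automatically and replace whatever value is present, which matters to anyone who pastes their own key into this file; `# Also run automatically by 'loadAll' and 'test'; a value placed here by hand is overwritten.` on the line after it covers that, and the same applies to the `security.token.key` entry in the next hunk. The older line saying the key must be 64 chars is still satisfied by the generated 64-char Base64 value, so it can stay as is.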
@@ -159,7 +160,8 @@ security.internal.sso.enabled=false
# -- The secret key for the JWT token signature.
# Read Passwords and JWT (JSON Web Tokens) usage documentation to choose
the way you want to store this key
# The key must be 512 bits (ie 64 chars) as we use HMAC512 to create the
token, cf. OFBIZ-12724
-security.token.key=%D*G-JaNdRgUkXp2s5v8y/B?E(H+MbPeShVmYq3t6w9z$C&F)J@NcRfTjWnZr4u7
+# Run './gradlew generateSecretKeys' to generate a cryptographically secure
random key.
+security.token.key=
# -- Specifies the expected issuer (the "iss" claim) of JSON Web Tokens (JWTs).
# If this property is set, the system assumes that tokens are issued and
signed by an external