Hi Jacques,

this is the same solution pattern as we've discussed in [1]. I think we should discuss this general pattern for both cases.
I will wait for other opinions in [1] and do my follow-up later.

Thanks,
Michael

[1] https://lists.apache.org/thread.html/71a9b1d73246655753ef71abf9cdf530c951ff372d14e335f3e9fd77@%3Cdev.ofbiz.apache.org%3E
On 06.11.17 at 13:41, jler...@apache.org wrote:
Author: jleroux
Date: Mon Nov 6 12:41:33 2017
New Revision: 1814402

URL: http://svn.apache.org/viewvc?rev=1814402&view=rev
Log:
Implemented: Token Based Authentication (OFBIZ-9833)
Comment about production server

I thought it was obvious that you should not keep this file on a production server after having changed the default value of ExternalServerJwtMasterSecretKey.
Moreover, we recommend having the value of ExternalServerJwtMasterSecretKey dynamically generated during each build to increase security.

Modified:
    ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java

Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java?rev=1814402&r1=1814401&r2=1814402&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java Mon Nov 6 12:41:33 2017
@@ -64,7 +64,8 @@ public class ExternalLoginKeysManager { // The best way to create the JWT masterSecretKey is to use a temporary way to load in a static final key when compiling. // This is simple and most secure. One of the proposed way is to use sed and uuidgen to modify the masterSecretKey value // This: sed -i /ExternalServerJwtMasterSecretKey/s//$(uuidgen)/\2 framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java - // The magic words here are TEMPORARY and FINAL! + // Of course you should not let the ExternalLoginKeysManager.java file on a production server after compilation + // Because it will contain the dynamically generated ExternalServerJwtMasterSecretKey anyway private static final String ExternalServerJwtMasterSecretKey = "ExternalServerJwtMasterSecretKey";/**
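Review bot: the two added comment lines give a false sense of safety: deleting ExternalLoginKeysManager.java after compilation does not remove the key, because a `private static final String` literal is compiled into the .class file that is deployed with the server, so the generated ExternalServerJwtMasterSecretKey is still present on the production host. Suggest rewording the comment to say the key must be protected wherever it lives, and, rather than documenting a build-time sed/uuidgen substitution as the mechanism, loading the key from configuration kept outside the source tree; a startup check that refuses to run while the value still equals the literal default `"ExternalServerJwtMasterSecretKey"` would also catch deployments where the substitution step was skipped. Minor wording: "should not let the ... file on a production server" should read "should not leave".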