Hi Jacques,

this is the same solution pattern as we've discussed in [1]. I think we should discuss this general pattern for both cases.

I will wait for other opinions in [1] and do my follow-up later.

Thanks,

Michael

[1] https://lists.apache.org/thread.html/71a9b1d73246655753ef71abf9cdf530c951ff372d14e335f3e9fd77@%3Cdev.ofbiz.apache.org%3E


On 06.11.17 at 13:41, jler...@apache.org wrote:
Author: jleroux
Date: Mon Nov  6 12:41:33 2017
New Revision: 1814402

URL: http://svn.apache.org/viewvc?rev=1814402&view=rev
Log:
Implemented: Token Based Authentication
(OFBIZ-9833)

Comment about production server

I thought it was obvious that you should not keep this file on a production
server after having changed the default value of
ExternalServerJwtMasterSecretKey.

Moreover, we recommend having the value of ExternalServerJwtMasterSecretKey
dynamically generated during each build to increase security.

Modified:
    ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java

Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java?rev=1814402&r1=1814401&r2=1814402&view=diff
==============================================================================
--- 
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
 (original)
+++ 
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
 Mon Nov  6 12:41:33 2017
@@ -64,7 +64,8 @@ public class ExternalLoginKeysManager {
      // The best way to create the JWT masterSecretKey is to use a temporary 
way to load in a static final key when compiling.
      // This is simple and most secure. One of the proposed way is to use sed 
and uuidgen to modify the masterSecretKey value
      // This: sed -i /ExternalServerJwtMasterSecretKey/s//$(uuidgen)/\2 
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
-    // The magic words here are TEMPORARY and FINAL!
+    // Of course you should not let the ExternalLoginKeysManager.java file on 
a production server after compilation
+    // Because it will contain the dynamically generated 
ExternalServerJwtMasterSecretKey anyway
      private static final String ExternalServerJwtMasterSecretKey = 
"ExternalServerJwtMasterSecretKey";
/**
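Review bot: the advice in the two added comment lines (do not leave ExternalLoginKeysManager.java on a production server after compilation) does not keep the key off the server, because ExternalServerJwtMasterSecretKey is a `private static final String`: whatever value the sed/uuidgen step writes into the source is compiled into the .class file and shipped in the jar, where anyone who can read the deployment artifact can recover it. Either state plainly that the compiled artifact, not only the source file, carries the secret, or, better, load the key at startup from configuration or a keystore rather than a string constant. A second point on the same lines: the build-time replacement is optional, so if it is skipped the shipped default (the literal "ExternalServerJwtMasterSecretKey") stays in place as a well-known value; consider failing at startup when the constant still equals that default. Minor wording: "let the ... file on a production server" should read "leave the ... file on a production server".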
