Hello,

Gil is currently on vacation but I can answer :)

On 12/08/2018 10:21, Taher Alkhateeb wrote:
Very nice feature, and a lovely addition.

Before we go ahead and commit it, can we ensure that security will be
okay?

I'm hoping! Because it's deployed on a production site.

I noted that you had permission checks around the service
definition and UI for IMPERSONATE_ADMIN. Are we comfortable that we
didn't create any loopholes, especially around the login worker? In
other words, do you feel comfortable that we tightened all screws
around that?

When you impersonate a user, you store your current userLogin in the session as originUserLogin and replace the userLogin with the user spotted. You keep your session and use the usurpation only when alongside security control and functional environment that analyze the current userLogin. When you restore your login, the impersonated user is removed from the session and the originUserLogin is restored to userLogin.

For the loops and security, you can't impersonate yourself, you can't impersonate when impersonation is enabled, and you can't impersonate a user with more security permissions than you.

Maybe I can see two security improvements:
* When impersonating, we can create a hash with the originUserLogin, impersonateUserLogin and the impersonate started date to be sure that the impersonate security context doesn't change
* We can change the impersonated userLogin.currentPassword hash on the fly when loading it in context if we fear a password hash being collected by the user who has the impersonate permission

Nicolas

The reason I ask is because I note that you can
impersonate and then get back to your regular user. Where is the
session stored? Is this a servlet session variable? Is it secured?

On Sun, Aug 12, 2018 at 6:22 AM Shi Jinghai <huaru...@hotmail.com> wrote:
+1.

Now we can hold a cosplay party in OFBiz, right? :)


-----Original Message-----
From: Gil Portenseigne [mailto:gil.portensei...@nereide.fr]
Sent: August 11, 2018 4:00
To: dev OFBiz
Subject: New Impersonate Feature : OFBIZ-10515

Hello!

I would like to introduce to you a new feature I already talked about some
time ago (last year?). We needed it for one of our customers, who has been
using it for some time and is very happy with it (like we are).

Indeed this impersonation feature comes to be very useful when we need
to validate some behaviour or to assist a user in production without
asking for their credentials. It's become so easy to use that even in
preproduction/integration environments we use it daily to impersonate
specific configured userlogins without trying to remember the password...

It's kinda basic, a new permission is created and can be granted to an
authorized user, that will be offered a way to select a userlogin to
impersonate.

It's a common feature that can be found for example in Gitlab.

If you wanna try it out it's available here:
https://issues.apache.org/jira/browse/OFBIZ-10515

Feedback is welcome :), although I'll be partly offline next week.

Looking forward to reading you!

Gil
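
The session swap, the guards and the proposed hash over origin, target and start date described in Nicolas's reply, as an added example that is not part of the original thread and not OFBiz code. It assumes a plain `Map` in place of the servlet session, permissions compared as sets, a constructed demo key, and hypothetical names (`seal`, `depersonate`, `impersonateSeal`, `DEMO_VIEW`):

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
// Added illustration, not OFBiz code: a Map stands in for the servlet session.
public class ImpersonationSketch {
    static final byte[] KEY = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // demo only
    // HMAC over origin, target and start date: the "hash" proposed in the thread.
    static byte[] seal(String origin, String target, Object start) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        String ctx = origin + "\n" + target + "\n" + start; // assumes ids hold no newline
        return mac.doFinal(ctx.getBytes(StandardCharsets.UTF_8));
    }
    static void impersonate(Map<String, Object> s, String target, Map<String, Set<String>> perms) throws Exception {
        String me = (String) s.get("userLogin");
        Set<String> mine = perms.getOrDefault(me, Set.of());
        if (s.containsKey("originUserLogin")) throw new SecurityException("already impersonating");
        if (target.equals(me)) throw new SecurityException("cannot impersonate yourself");
        if (!mine.contains("IMPERSONATE_ADMIN")) throw new SecurityException("permission missing");
        // Assumption: "more permission than you" = the target holds a permission you lack.
        if (!mine.containsAll(perms.getOrDefault(target, Set.of()))) throw new SecurityException("target has more permissions");
        long start = System.currentTimeMillis();
        s.put("originUserLogin", me);
        s.put("userLogin", target);
        s.put("impersonateStart", start);
        s.put("impersonateSeal", seal(me, target, start));
    }
    // Restore the origin login only if the sealed context is unchanged.
    static void depersonate(Map<String, Object> s) throws Exception {
        String origin = (String) s.get("originUserLogin");
        if (origin == null) throw new SecurityException("not impersonating");
        byte[] now = seal(origin, (String) s.get("userLogin"), s.get("impersonateStart"));
        if (!MessageDigest.isEqual(now, (byte[]) s.get("impersonateSeal")))
            throw new SecurityException("impersonation context changed");
        s.put("userLogin", s.remove("originUserLogin"));
        s.remove("impersonateStart");
        s.remove("impersonateSeal");
    }
    public static void main(String[] args) throws Exception {
        Map<String, Set<String>> perms = Map.of( // constructed users and permissions
            "admin", Set.of("IMPERSONATE_ADMIN", "DEMO_VIEW"), "clerk", Set.of("DEMO_VIEW"));
        Map<String, Object> s = new HashMap<>(Map.of("userLogin", "admin"));
        impersonate(s, "clerk", perms);
        depersonate(s);
        System.out.println(s.get("userLogin"));
    }
}
```

When `depersonate` throws because the sealed context no longer matches, the caller should invalidate the whole session rather than retry.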
