+1 to default off
On Sat, Jan 19, 2019 at 7:25 PM Michael Brohl <michael.br...@ecomify.de> wrote:
>
> No, we are mainly discussing if we should turn off the JWT functionality
> in the default setting and what could be done to make the current
> implementation more secure / fail proof.
>
>
> Am 19.01.19 um 16:54 schrieb Shi Jinghai:
> > I've just reviewed the code of the JWT implementation. Sorry for my bad English,
> > I'm a bit lost, are we discussing which one is more secure, the tomcat
> > session or JWT?
> >
> >
> > -----Original Message-----
> > From: Michael Brohl [mailto:michael.br...@ecomify.de]
> > Sent: 19 January 2019 19:58
> > To: dev@ofbiz.apache.org
> > Subject: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
> >
> > Hi all,
> >
> > during my work in [1] I realized that the OOTB JWT authorization /
> > single sign on is switched on by default. The logic to retrieve the
> > secret key uses a default if there is no configuration in SystemProperty
> > or security.properties.
> >
> > This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login
> > using a guessed userLoginId and this token (which can be retrieved from
> > the code).
> >
> > I think we should secure this so that this cannot be done in an OOTB
> > setting with the following additions:
> >
> > 1. make it configurable through a property which is initially turned
> > off. I think this is better than commenting the preprocessor in/out
> > because it can be better integrated in (custom) configuration mechanisms.
> >
> > 2. don't use a default secret key if none is provided. The
> > user/administrator must explicitly set a secret key and should know what
> > he is doing then.
> >
> > 3. don't proceed if no secret key can be found (do not attempt a login
> > using the JWT)
> >
> >
> > I think that we should turn this feature off by default for the
> > following reasons:
> >
> > 1. it opens up a security hole if the user does not remove the
> > checkJWTLogin preprocessor (see above)
> >
> > 2. the functionality to have a single sign on between two OFBiz
> > instances will only be used in rare cases (I think). It is only designed
> > for this special case and cannot be used for standard single sign on
> > scenarios with other systems.
> >
> > 3. if it is not used, it will still try to read the authorization
> > header, key etc. *on every request*
> >
> >
> > What do you think?
> >
> > Regards,
> >
> > Michael
> >
> >
> > [1] https://issues.apache.org/jira/browse/OFBIZ-10814
> >
> > [2] https://jwt.io/
> >
> > [3] http://jwtbuilder.jamiekurtz.com/
> >
> >
> >
> >
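The forgery described in the quoted message, and the three hardening steps proposed there (feature flag off by default, no default secret, fail closed when no secret is configured), as an added example that is not part of the thread and not OFBiz's own code. It assumes an HS256-signed token whose login claim is named `userLoginId`, and it uses hypothetical property names (`security.jwt.enabled`, `security.jwt.secret`) and a constructed placeholder default secret; none of these values come from the OFBiz code base.

```python
"""Added example (not OFBiz code): a hard-coded fallback JWT secret lets anyone
who reads the source mint a token for a guessed userLoginId; a fail-closed
check refuses to attempt the login instead.

Assumptions (not from the thread): HS256 signing, a "userLoginId" claim, and
hypothetical property names. HYPOTHETICAL_DEFAULT_SECRET is a constructed
placeholder, not the real default.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_hs256_jwt(claims: dict, secret: str) -> str:
    """Build a compact HS256 JWT, as jwt.io or a JWT builder site would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256_jwt(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the signature and exp check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # refuse alg confusion ("none", key reuse)
            return None
        expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, wrong segment count
        return None
    if "exp" in claims and claims["exp"] < time.time():
        return None
    return claims


HYPOTHETICAL_DEFAULT_SECRET = "changeme-default-key"  # constructed placeholder


def weak_jwt_login(props: dict, token: str) -> Optional[str]:
    """The pattern the thread objects to: fall back to a default secret when
    none is configured, so an OOTB install accepts attacker-minted tokens."""
    secret = props.get("security.jwt.secret", HYPOTHETICAL_DEFAULT_SECRET)
    claims = verify_hs256_jwt(token, secret)
    return claims.get("userLoginId") if claims else None


def hardened_jwt_login(props: dict, token: str) -> Optional[str]:
    """1. feature flag, off unless explicitly enabled;
    2. no default secret;
    3. do not attempt the login at all if no secret is configured."""
    if props.get("security.jwt.enabled", "false").lower() != "true":
        return None
    secret = props.get("security.jwt.secret")
    if not secret or secret == HYPOTHETICAL_DEFAULT_SECRET:
        return None  # fail closed instead of guessing a key
    claims = verify_hs256_jwt(token, secret)
    return claims.get("userLoginId") if claims else None


def demo() -> dict:
    """Forge a token with the known default and try it against both paths."""
    exp = int(time.time()) + 300
    forged = make_hs256_jwt({"userLoginId": "admin", "exp": exp}, HYPOTHETICAL_DEFAULT_SECRET)
    no_config = {}  # OOTB: nothing set in SystemProperty or security.properties
    configured = {"security.jwt.enabled": "true",
                  "security.jwt.secret": "operator-chosen-long-random-secret"}
    legit = make_hs256_jwt({"userLoginId": "admin", "exp": exp}, configured["security.jwt.secret"])
    return {
        "weak_ootb_accepts_forged": weak_jwt_login(no_config, forged),
        "hardened_ootb_rejects_forged": hardened_jwt_login(no_config, forged),
        "hardened_configured_rejects_forged": hardened_jwt_login(configured, forged),
        "hardened_configured_accepts_legit": hardened_jwt_login(configured, legit),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

`weak_jwt_login` with an empty configuration returns `"admin"` for the forged token, which is the OOTB hole the message describes; `hardened_jwt_login` returns `None` for the same input and only accepts a token signed with the operator-set secret once the feature is explicitly enabled. The `alg` check is a separate caveat worth keeping in any real verifier, since a token built on a JWT builder site can just as easily carry `"alg": "none"`.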