Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

Mon, 21 Jan 2019 22:44:17 -0800 

Thank you all,
if there are no objections I will enhance the patch in [1] to make this configurable and switched off as default. 

Regards,

Michael

[1] https://issues.apache.org/jira/browse/OFBIZ-10814



Am 21.01.19 um 11:41 schrieb Dennis Balkir:

+1 for off as default

Am 21.01.19 um 10:03 schrieb Taher Alkhateeb:

+1 to default off


On Sat, Jan 19, 2019 at 7:25 PM Michael Brohl 
<michael.br...@ecomify.de> wrote:

No, we are mainly discussing if we should turn off the JWT 
functionality

in the default setting and what could be done to make the current
implementation more secure / fail proof.


Am 19.01.19 um 16:54 schrieb Shi Jinghai:

I've just reviewed the code of JWT implements. Sorry for my bad 
English, I'm a bit lost, are we discussing which one is more 
secure, the tomcat session or JWT?



-----邮件原件-----
发件人: Michael Brohl [mailto:michael.br...@ecomify.de]
发送时间: 2019年1月19日 19:58
收件人: dev@ofbiz.apache.org
主题: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

Hi all,

during my work in [1] I realized that the OOTB JWT authorization /
single sign on is switched on by default. The logic to retrieve the

secret key uses a default if there is no configuration in 
SystemProperty

or security.properties.


This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and 
login
using a guessed userLoginId and this token (which can be retrieved 
from

the code).

I think we should secure this so that this cannot be done in an OOTB
setting with the following additions:

1. make it configurable through a property which is initially turned
off. I think thi is better than commenting the preprocessor in/out

because it can be better integrated in (custom) configuration 
mechanisms.


2. don't use a default secret key if none is provided. The

user/administrator must explicitly set a secret key and should know 
what

he is doing then.

3. don't proceed if no secret key can be found (do not attempt a login
using the JWT)


I think that we should turn this feature off by default for the
following reasons:

1. it opens up a security hole if the user does not remove the
checkJWTLogin preprocessor (see above)

2. the functionality to have a single sign on between two OFBiz

instances will only be used in rare cases (I think). It is only 
designed

for this special case and cannot be used for standard single sign on
scenarios with other systems.

3. if it is not used, it will still try to read the authorization
header, key etc. *on every request*


What do think?

Regards,

Michael


[1] https://issues.apache.org/jira/browse/OFBIZ-10814

[2] https://jwt.io/

[3] http://jwtbuilder.jamiekurtz.com/









Attachment:
smime.p7s

Description: S/MIME Cryptographic Signature






















					Reply via email to