Hi,

sy-password-and-JWT.adoc slipped in inadvertently. Not a big deal it's a WIP 
part of OFBIZ-10751, to be continued...

Jacques

Le 02/09/2019 à 09:05, jler...@apache.org a écrit :
Author: jleroux
Date: Mon Sep  2 07:05:08 2019
New Revision: 1866255

URL: http://svn.apache.org/viewvc?rev=1866255&view=rev
Log:
Improved: Unknown request [images]; this request does not exist or cannot be
called directly.
(OFBIZ-11152)

Gives an advice to reassure users about the seriousness of the issue

This issue can be easily reproduced by going to 
example/control/FormWidgetExamples
Other backend components are less concerned but it happens sometimes in them 
too.
It's quite hard to understand what's happening.
This is a sequel of OFBIZ-10895

Added:
     
ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
   (with props)
Modified:
     
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

Added: 
ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
URL: 
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc?rev=1866255&view=auto
==============================================================================
--- 
ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
 (added)
+++ 
ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
 Mon Sep  2 07:05:08 2019
@@ -0,0 +1,76 @@
+////
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+////
+
+= Passwords and JWT (JSON Web Tokens) usage
+== How are set and used passwords and JWT  in Apache OFBiz
+The Apache OFBiz Project
+Release 17.12
+
+:imagesdir: ../../themes/common-theme/webapp/images/img/
+ifdef::backend-pdf[]
+:title-logo-image: image::OFBiz-Logo.svg[Apache OFBiz Logo, pdfwidth=4.25in, 
align=center]
+:source-highlighter: rouge
+endif::[]
+
+=== Passwords
+
+Demo and seed passwords are stored in files loaded through security 
ofbiz-component.xml. To know more about that be sure to read:
+
+
+* 
https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guidehttp://url[The
 technical production setup guide] notably "Initial Data Loading" and "Security 
Settings" sections
+* 
https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deploymenthttp://url[How
 to secure your deployment]
+
+[CAUTION]
+These configuration steps are not to be neglected for the security of a 
*production environment*
+
+=== JWT usage
+
+https://en.wikipedia.org/wiki/JSON_Web_Token[As says Wikipedia]:
+____
+JSON Web Token (JWT) is an Internet standard for creating JSON-based access 
tokens that assert some number of claims.
+____
+
+
+We currently use JWT in 2 places:
+
+. To let users safely recreate passwords (in backend and frontend)
+. To allow SSO (Single Sig-on) jumpings from an OFBiz instance to another 
OFBiz instance on another domain, by also using 
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing[CORS] (
+Cross-origin resource sharing) on the target server
+
+
+==== How to secure JWT
+When you use JWT, in order to sign your tokens, you have the choice of using a 
sole so called secret key or a pair of public/private 
keys:https://jwt.io/introduction/.
+
+You might prefer to use pair of public/private keys, but by default OFBiz uses 
a secret key. Remains the way how to store this secret key.
+
+. The first idea which comes to mind is to use a property in the 
security.properties file. It's safe as long as your filesystem is not 
compromised.
+. You may also pick a SystemProperty entity. It's safe as long as your DB is 
not compromised.
+. We recommend to not use an environment variable to pass the uuid as those 
can be considered weak:
+
+    http://movingfast.io/articles/environment-variables-considered-harmful/
+    
https://security.stackexchange.com/questions/49725/is-it-really-secure-to-store-api-keys-in-environment-variables
+
+
+
+===== Properties
+
+The _security.properties_ file introduce two properties that control 
impersonation feature :
+
+=== Last but not least
+Be sure to read 
https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping 
OFBiz secure]
\ No newline at end of file

Propchange: 
ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
------------------------------------------------------------------------------
     svn:eol-style = native

Propchange: 
ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
------------------------------------------------------------------------------
     svn:keywords = Date Rev Author URL Id

Propchange: 
ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
------------------------------------------------------------------------------
     svn:mime-type = text/plain

Modified: 
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
URL: 
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java?rev=1866255&r1=1866254&r2=1866255&view=diff
==============================================================================
--- 
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
 (original)
+++ 
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
 Mon Sep  2 07:05:08 2019
@@ -277,6 +277,9 @@ public class RequestHandler {
                  if (path.contains("/checkLogin/")) {
                      // Nested requests related with checkLogin uselessly 
clutter the log. There is nothing to worry about, better remove this wrong 
error message.
                      return;
+                } else if (path.contains("/images/")) {
+                    if (Debug.warningOn()) Debug.logWarning("You should check if 
this request is really a problem or a false alarm: " + request.getRequestURL(), 
module);
+                    throw new 
RequestHandlerException(requestMissingErrorMessage);
                  } else {
                      throw new 
RequestHandlerException(requestMissingErrorMessage);
                  }



Reply via email to