[ https://issues.apache.org/jira/browse/OFBIZ-9833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16370127#comment-16370127 ]
Jacopo Cappellato commented on OFBIZ-9833:
------------------------------------------

[~jacques.le.roux] it is really a bad idea to store a secret key as a field of a Java class, even if the source file is removed from the server. In fact, Java byte code is very easy to read (e.g. all IDEs provide this feature). For this reason it is a bad idea to adopt out of the box this pattern as you did with ExternalLoginKeysManager.ExternalServerJwtMasterSecretKey.

I have other concerns about the design of this work but I don't have time to describe them at the moment; however, I am wondering if you could revert your work and provide one complete patch (I know you have committed it in different revisions) that you can attach here or to a brand new ticket, and then we could discuss around them. I think this would be the easiest way since you know exactly all the commits that are relevant.

> Token Based Authentication
> --------------------------
>
>                 Key: OFBIZ-9833
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9833
>             Project: OFBiz
>          Issue Type: New Feature
>          Components: framework
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>            Priority: Major
>         Attachments: JSON Web Tokens.pdf, OFBIZ-9833-external-server-test-example.patch, OFBIZ-9833-external-server-test-example.patch, OFBIZ-9833-external-server.patch, OFBIZ-9833-external-server.patch, OFBIZ-9833-external-server.patch, Token Based Authentication in Apache OfBiz.pdf, Token Based Authentication.pdf, rfc7519.pdf
>
>
> Here is dev list discussion for token based authentication work:
> http://markmail.org/message/vyskeh2wujqpkbwg

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
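The point made in the comment above, that byte code is easy to read, can be checked without an IDE: a String literal compiled into a class is written into the class file's constant pool in the clear, where `javap -v`, `strings`, or a short parser reads it back regardless of whether the `.java` source is on the server. The script below is an added example, not OFBiz code and not part of any patch on this ticket. It walks the constant-pool section of a class file as laid out in the JVM specification (section 4.4) and lists every CONSTANT_String entry. The class name DemoKeysManager, the field JWT_MASTER_SECRET, the secret value and the assembled class-file bytes are all constructed for the demo; passing a real `.class` path on the command line runs the same parser over it.

```python
import struct
import sys

# Fixed payload sizes (bytes after the tag) for constant-pool tags, JVMS 4.4.
# Utf8 (1) is variable length and the single-u2-index tags are handled apart.
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 9: 4, 10: 4, 11: 4, 12: 4, 15: 3, 17: 4, 18: 4}
_INDEX_TAGS = {7, 8, 16, 19, 20}          # Class, String, MethodType, Module, Package
_TWO_SLOT_TAGS = {5, 6}                   # Long and Double occupy two pool slots


def parse_constant_pool(data: bytes) -> dict:
    """Return {index: (tag, payload)} for every constant-pool entry of a class file.

    Utf8 payloads are decoded to str (modified UTF-8 differs from UTF-8 only for
    NUL and supplementary characters, so errors are replaced rather than raised);
    index-type entries hold the u2 index they reference; the rest stay raw bytes.
    """
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, pos, index = {}, 10, 1
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                   # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            pool[index] = (tag, data[pos:pos + length].decode("utf-8", errors="replace"))
            pos += length
        elif tag in _INDEX_TAGS:                       # one u2 index into the pool
            (ref,) = struct.unpack_from(">H", data, pos)
            pos += 2
            pool[index] = (tag, ref)
        elif tag in _FIXED_SIZE:
            size = _FIXED_SIZE[tag]
            pool[index] = (tag, data[pos:pos + size])
            pos += size
        else:
            raise ValueError(f"unknown constant-pool tag {tag} at offset {pos - 1}")
        index += 2 if tag in _TWO_SLOT_TAGS else 1
    return pool


def string_constants(data: bytes) -> list:
    """Every CONSTANT_String in the class, resolved to its text.

    ldc instructions and ConstantValue attributes load from these entries, so any
    hard-coded String literal in the source appears here verbatim.
    """
    pool = parse_constant_pool(data)
    return [pool[ref][1] for _, (tag, ref) in sorted(pool.items())
            if tag == 8 and pool[ref][0] == 1]


def utf8_constants(data: bytes) -> list:
    """All Utf8 entries: class, field and method names, descriptors and literals."""
    return [text for _, (tag, text) in sorted(parse_constant_pool(data).items()) if tag == 1]


# --- constructed sample input: a minimal class file built by hand ---------------
def _utf8(s: str) -> bytes:
    b = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(b)) + b


def _ref(tag: int, index: int) -> bytes:
    return bytes([tag]) + struct.pack(">H", index)


def build_demo_class(secret: str) -> bytes:
    """Assemble bytes equivalent to:
         public class DemoKeysManager { public static final String JWT_MASTER_SECRET = "<secret>"; }
    Constructed for this example only; it is not an OFBiz class.
    """
    pool = [
        _utf8("DemoKeysManager"),                # 1
        _ref(7, 1),                              # 2  this_class
        _utf8("java/lang/Object"),               # 3
        _ref(7, 3),                              # 4  super_class
        _utf8("JWT_MASTER_SECRET"),              # 5  field name
        _utf8("Ljava/lang/String;"),             # 6  field descriptor
        _utf8("ConstantValue"),                  # 7  attribute name
        _utf8(secret),                           # 8  the literal, in the clear
        _ref(8, 8),                              # 9  CONSTANT_String -> #8
        b"\x05" + struct.pack(">q", 1700000000), # 10-11 CONSTANT_Long, two slots
        _utf8("HS256"),                          # 12
        _ref(8, 12),                             # 13 another CONSTANT_String
    ]
    count = 1 + sum(2 if e[0] in _TWO_SLOT_TAGS else 1 for e in pool)
    out = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, count) + b"".join(pool)
    out += struct.pack(">HHHH", 0x0021, 2, 4, 0)         # flags, this, super, interfaces_count
    out += struct.pack(">H", 1)                           # fields_count
    out += struct.pack(">HHHH", 0x0019, 5, 6, 1)         # public static final, name, desc, attrs
    out += struct.pack(">HIH", 7, 2, 9)                   # ConstantValue attribute -> #9
    out += struct.pack(">HH", 0, 0)                       # methods_count, attributes_count
    return out


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_class("hunter2-master-secret")
    for s in string_constants(blob):
        print(repr(s))
```

Run it with no arguments to see the constructed secret recovered from the constant pool alongside "HS256"; run it with a path to a compiled class to list that class's literals. Reading the value from a configuration file or environment variable at startup, rather than from a field initialiser, is what keeps it out of this section of the file.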