[ 
https://issues.apache.org/jira/browse/OFBIZ-9833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16370127#comment-16370127
 ] 

Jacopo Cappellato commented on OFBIZ-9833:
------------------------------------------

[~jacques.le.roux] it is really a bad idea to store a secret key as a field of 
a Java class, even if the source file is removed from the server. In fact, Java 
byte code is very easy to read (e.g. all IDEs provide this feature).

For this reason it is a bad idea to adopt out of the box this pattern as you 
did with ExternalLoginKeysManager.ExternalServerJwtMasterSecretKey.

I have other concerns about the design of this work but I don't have time to 
describe them at the moment; however, I am wondering if you could revert your 
work and provide one complete patch (I know you have committed it in different 
revisions) that you can attach here or to a brand new ticket, and then we could 
discuss around them. I think this would be the easiest way since you know 
exactly all the commits that are relevant.

> Token Based Authentication
> --------------------------
>
>                 Key: OFBIZ-9833
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9833
>             Project: OFBiz
>          Issue Type: New Feature
>          Components: framework
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>            Priority: Major
>         Attachments: JSON Web Tokens.pdf, 
> OFBIZ-9833-external-server-test-example.patch, 
> OFBIZ-9833-external-server-test-example.patch, 
> OFBIZ-9833-external-server.patch, OFBIZ-9833-external-server.patch, 
> OFBIZ-9833-external-server.patch, Token Based Authentication in Apache 
> OfBiz.pdf, Token Based Authentication.pdf, rfc7519.pdf
>
>
> Here is dev list discussion for token based authentication work:
> http://markmail.org/message/vyskeh2wujqpkbwg
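To illustrate the point raised in the comment above, here is an added example (not OFBiz code and not the patch under discussion) contrasting a secret stored as a Java class field with one resolved at runtime from a system property or environment variable. The property name `ofbiz.jwt.secret`, the variable name `OFBIZ_JWT_SECRET` and the class name are assumptions made for this example; the HMAC signing uses only the JDK's `javax.crypto` API.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class JwtSecretLoading {

    // ANTI-PATTERN (what the comment warns against): a secret as a class field.
    // javac emits this literal into the class file's constant pool, so
    // `javap -v JwtSecretLoading.class` or any decompiler shows it verbatim,
    // whether or not the .java source is still on the server.
    // The value is a constructed placeholder for this example only.
    static final String HARDCODED_SECRET = "constructed-example-secret-do-not-use";

    // Hardened form: resolve the key at runtime from outside the code base.
    // Both names are assumptions for this example, not OFBiz configuration keys.
    static final String SYSTEM_PROPERTY = "ofbiz.jwt.secret";
    static final String ENV_VARIABLE = "OFBIZ_JWT_SECRET";
    // RFC 7518 requires an HS256 key of at least 256 bits.
    static final int MIN_KEY_BYTES = 32;

    // Loads the base64-encoded HMAC key, preferring the system property, then the
    // environment. Fails closed: a missing, malformed or short key is an error.
    static byte[] loadHmacKey() {
        String encoded = System.getProperty(SYSTEM_PROPERTY);
        if (encoded == null || encoded.isEmpty()) {
            encoded = System.getenv(ENV_VARIABLE);
        }
        if (encoded == null || encoded.isEmpty()) {
            throw new IllegalStateException("JWT signing key not configured; set -D"
                    + SYSTEM_PROPERTY + " or $" + ENV_VARIABLE);
        }
        byte[] key;
        try {
            key = Base64.getDecoder().decode(encoded);
        } catch (IllegalArgumentException e) {
            throw new IllegalStateException("JWT signing key must be base64", e);
        }
        if (key.length < MIN_KEY_BYTES) {
            throw new IllegalStateException("JWT signing key must be at least "
                    + MIN_KEY_BYTES + " bytes, got " + key.length);
        }
        return key;
    }

    // Computes the HS256 signature part of a JWT over "header.payload".
    static String hmacSha256Base64Url(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] sig = mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sig);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = loadHmacKey();
        Base64.Encoder b64url = Base64.getUrlEncoder().withoutPadding();
        String header = b64url.encodeToString(
                "{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = b64url.encodeToString(
                "{\"sub\":\"example-user\"}".getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        System.out.println(signingInput + "." + hmacSha256Base64Url(key, signingInput));
    }
}
```

Run it with a freshly generated key, for example `java -Dofbiz.jwt.secret=$(openssl rand -base64 32) JwtSecretLoading`. To verify that a build carries no embedded secret, inspect the compiled classes with `javap -v` and check that the constant pool contains no key material; the `HARDCODED_SECRET` field above is exactly what such a check would flag.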



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to