[ https://issues.apache.org/jira/browse/OFBIZ-10206?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux updated OFBIZ-10206:
------------------------------------
    Attachment: (was: OFBIZ-10206-external-server-test-example.patch)

> Security issue in Token Based Authentication
> --------------------------------------------
>
>                 Key: OFBIZ-10206
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10206
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: 17.12.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> The version I committed so far in OFBIZ-9833 has a small security issue.
> I added the JWT (JSON Web Token,
> https://fr.wikipedia.org/wiki/JSON_Web_Token), which guarantees an exchange
> between 2 servers. But the way I used it did not prevent changing the
> parameter externalServerLoginKey in the URL. Note that this is only possible
> from the server the JWT was sent from. This is still a (minor) risk if
> an unauthorized and malicious person managed to gain access to the backend of
> the source server.
>
> The flaw is that I was using a query parameter in the ContextFilter.doFilter()
> wrapper where the JWT is created.
>
> I have just replaced it with an autoLoginCookie read on the source server. I
> would have preferred to use the session, but when creating the JWT, the
> session contains neither userLogin nor userLoginId. I also need the source
> server webapp to read the autoLoginCookie. The webapp must therefore be
> passed as a new parameter in the query. On the target server I use a
> userLoginId read from the JWT and no longer from the request; that was the
> goal I missed!
>
> I have secured all cookies with OFBIZ-6655, so an autoLoginCookie can only be
> created or updated when creating the session on the source server. However,
> autoLoginCookies have a lifetime of one year and are not deleted during a
> logout. So an autoLoginCookie of another webapp (the webapp is passed as a
> parameter, thus modifiable in the URL) could in theory be used to force another
> loginUser contained in the autoLoginCookie of this other webapp.
>
> I think that this lifespan may make sense for frontends (ecommerce, ecomseo,
> webpos), which have their own logout and where I suppose this feature (from
> ecommerce in fact) exists to keep a customer's memory. For the backend I don't
> see the interest, so I propose to delete autoLoginCookies at logout on the
> backend. For that I'll reopen and use OFBIZ-4959, which I had closed as incomplete.
>
> I will commit an improved version in the trunk that I have tested locally
> with 2 different webapps but still have to test on 2 servers. I'm going to do
> it using the trunk demo from my machine.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)