This is now committed, see https://issues.apache.org/jira/browse/OFBIZ-10814
Thanks,
Michael
On 23.01.19 at 15:12, Michael Brohl wrote:
[1] https://issues.apache.org/jira/browse/OFBIZ-10814
Hi Jacopo,
thanks for your response!
I think it would be better to divide the concerns of the different
concerns here and have a separate configuration to turn internal SSO
on/off and to provide a secret for the JWT handling.
For example, if you want to use the JWT handling for another reaso
+1 to disabling it by default.
We could consider, rather than adding a new configuration flag, to disable
the feature if no secret is set in the configuration files (and do not
provide a secret out of the box).
Jacopo
On Sat, Jan 19, 2019 at 12:57 PM Michael Brohl
wrote:
> Hi all,
>
> during m
On 22/01/2019 at 10:11, Michael Brohl wrote:
3. if it is not used, it will still try to read the authorization
header, key etc. *on every request*
Yes, that's not a problem it's only few ms (if even) as long as there is no JWT
passed. Else all the other pre-processors would also be concerned
Hi Jacques,
inline...
On 22.01.19 at 09:51, Jacques Le Roux wrote:
Hi Michael,
It seems there is a consensus for disabling the JWT feature OOTB and
it makes sense after testing with Postman.
Thanks, Jacques.
Rest inline:
On 22/01/2019 at 07:43, Michael Brohl wrote:
2. the functional
Hi Michael,
It seems there is a consensus for disabling the JWT feature OOTB and it makes
sense after testing with Postman.
Rest inline:
On 22/01/2019 at 07:43, Michael Brohl wrote:
2. the functionality to have a single sign on between two OFBiz
instances will only be used in rare cases (I t
Thank you all,
if there are no objections I will enhance the patch in [1] to make this
configurable and switched off as default.
Regards,
Michael
[1] https://issues.apache.org/jira/browse/OFBIZ-10814
On 21.01.19 at 11:41, Dennis Balkir wrote:
+1 for off as default
On 21.01.19 at 10:03
+1 for off as default
On 21.01.19 at 10:03, Taher Alkhateeb wrote:
+1 to default off
On Sat, Jan 19, 2019 at 7:25 PM Michael Brohl wrote:
No, we are mainly discussing if we should turn off the JWT functionality
in the default setting and what could be done to make the current
implementation
+1 to default off
On Sat, Jan 19, 2019 at 7:25 PM Michael Brohl wrote:
>
> No, we are mainly discussing if we should turn off the JWT functionality
> in the default setting and what could be done to make the current
> implementation more secure / fail proof.
>
>
> On 19.01.19 at 16:54, Shi
Thanks Michael,
Looks good to me..!!
Thanks & Regards
--
Deepak Dixit
On Sat, Jan 19, 2019 at 5:27 PM Michael Brohl
wrote:
> Hi all,
>
> during my work in [1] I realized that the OOTB JWT authorization /
> single sign on is switched on by default. The logic to retrieve the
> secret key uses a
No, we are mainly discussing if we should turn off the JWT functionality
in the default setting and what could be done to make the current
implementation more secure / fail proof.
On 19.01.19 at 16:54, Shi Jinghai wrote:
I've just reviewed the code of JWT implements. Sorry for my bad English
I've just reviewed the code of JWT implements. Sorry for my bad English, I'm a
bit lost, are we discussing which one is more secure, the tomcat session or JWT?
-Original Message-
From: Michael Brohl [mailto:michael.br...@ecomify.de]
Sent: January 19, 2019 19:58
To: dev@ofbiz.apache.org
Subject: [DISCUSSION] t