Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
No, we are mainly discussing if we should turn off the JWT functionality in the default setting and what could be done to make the current implementation more secure / fail proof. Am 19.01.19 um 16:54 schrieb Shi Jinghai: I've just reviewed the code of JWT implements. Sorry for my bad English, I'm a bit lost, are we discussing which one is more secure, the tomcat session or JWT? -邮件原件- 发件人: Michael Brohl [mailto:michael.br...@ecomify.de] 发送时间: 2019年1月19日 19:58 收件人: dev@ofbiz.apache.org 主题: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality Hi all, during my work in [1] I realized that the OOTB JWT authorization / single sign on is switched on by default. The logic to retrieve the secret key uses a default if there is no configuration in SystemProperty or security.properties. This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login using a guessed userLoginId and this token (which can be retrieved from the code). I think we should secure this so that this cannot be done in an OOTB setting with the following additions: 1. make it configurable through a property which is initially turned off. I think thi is better than commenting the preprocessor in/out because it can be better integrated in (custom) configuration mechanisms. 2. don't use a default secret key if none is provided. The user/administrator must explicitly set a secret key and should know what he is doing then. 3. don't proceed if no secret key can be found (do not attempt a login using the JWT) I think that we should turn this feature off by default for the following reasons: 1. it opens up a security hole if the user does not remove the checkJWTLogin preprocessor (see above) 2. the functionality to have a single sign on between two OFBiz instances will only be used in rare cases (I think). It is only designed for this special case and cannot be used for standard single sign on scenarios with other systems. 3. if it is not used, it will still try to read the authorization header, key etc. *on every request* What do think? Regards, Michael [1] https://issues.apache.org/jira/browse/OFBIZ-10814 [2] https://jwt.io/ [3] http://jwtbuilder.jamiekurtz.com/ smime.p7s Description: S/MIME Cryptographic Signature
Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
I've just reviewed the code of JWT implements. Sorry for my bad English, I'm a bit lost, are we discussing which one is more secure, the tomcat session or JWT? -邮件原件- 发件人: Michael Brohl [mailto:michael.br...@ecomify.de] 发送时间: 2019年1月19日 19:58 收件人: dev@ofbiz.apache.org 主题: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality Hi all, during my work in [1] I realized that the OOTB JWT authorization / single sign on is switched on by default. The logic to retrieve the secret key uses a default if there is no configuration in SystemProperty or security.properties. This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login using a guessed userLoginId and this token (which can be retrieved from the code). I think we should secure this so that this cannot be done in an OOTB setting with the following additions: 1. make it configurable through a property which is initially turned off. I think thi is better than commenting the preprocessor in/out because it can be better integrated in (custom) configuration mechanisms. 2. don't use a default secret key if none is provided. The user/administrator must explicitly set a secret key and should know what he is doing then. 3. don't proceed if no secret key can be found (do not attempt a login using the JWT) I think that we should turn this feature off by default for the following reasons: 1. it opens up a security hole if the user does not remove the checkJWTLogin preprocessor (see above) 2. the functionality to have a single sign on between two OFBiz instances will only be used in rare cases (I think). It is only designed for this special case and cannot be used for standard single sign on scenarios with other systems. 3. if it is not used, it will still try to read the authorization header, key etc. *on every request* What do think? Regards, Michael [1] https://issues.apache.org/jira/browse/OFBIZ-10814 [2] https://jwt.io/ [3] http://jwtbuilder.jamiekurtz.com/
[DISCUSSION] turn off OOTB JWT authorization/SSO functionality
Hi all, during my work in [1] I realized that the OOTB JWT authorization / single sign on is switched on by default. The logic to retrieve the secret key uses a default if there is no configuration in SystemProperty or security.properties. This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login using a guessed userLoginId and this token (which can be retrieved from the code). I think we should secure this so that this cannot be done in an OOTB setting with the following additions: 1. make it configurable through a property which is initially turned off. I think thi is better than commenting the preprocessor in/out because it can be better integrated in (custom) configuration mechanisms. 2. don't use a default secret key if none is provided. The user/administrator must explicitly set a secret key and should know what he is doing then. 3. don't proceed if no secret key can be found (do not attempt a login using the JWT) I think that we should turn this feature off by default for the following reasons: 1. it opens up a security hole if the user does not remove the checkJWTLogin preprocessor (see above) 2. the functionality to have a single sign on between two OFBiz instances will only be used in rare cases (I think). It is only designed for this special case and cannot be used for standard single sign on scenarios with other systems. 3. if it is not used, it will still try to read the authorization header, key etc. *on every request* What do think? Regards, Michael [1] https://issues.apache.org/jira/browse/OFBIZ-10814 [2] https://jwt.io/ [3] http://jwtbuilder.jamiekurtz.com/ smime.p7s Description: S/MIME Cryptographic Signature
