Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

2019-02-04 Thread Michael Brohl

This is now committed, see https://issues.apache.org/jira/browse/OFBIZ-10814

Thanks,

Michael


Am 23.01.19 um 15:12 schrieb Michael Brohl:


[1] https://issues.apache.org/jira/browse/OFBIZ-10814




smime.p7s
Description: S/MIME Cryptographic Signature


Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

2019-01-23 Thread Michael Brohl

Hi Jacopo,

thanks for your repsonse!

I think it would be better to divide the concerns of the different 
concerns here and have a separate configuration to turn internal SSO 
on/off and to provide a secret for the JWT handling.


For example, if you want to use the JWT handling for another reason than 
internal SSO (e.g. REST interfaces) you would also be forced to use the 
internal SSO feature.


I'll provide my latest patch soon for review.

Best regards,Michael


Am 23.01.19 um 07:34 schrieb Jacopo Cappellato:

+1 to disabling it by default.
We could consider, rather than adding a new configuration flag, to disable
the feature if no secret is set in the configuration files (and do not
provide a secret out of the box).

Jacopo


On Sat, Jan 19, 2019 at 12:57 PM Michael Brohl 
wrote:


Hi all,

during my work in [1] I realized that the OOTB JWT authorization /
single sign on is switched on by default. The logic to retrieve the
secret key uses a default if there is no configuration in SystemProperty
or security.properties.

This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login
using a guessed userLoginId and this token (which can be retrieved from
the code).

I think we should secure this so that this cannot be done in an OOTB
setting with the following additions:

1. make it configurable through a property which is initially turned
off. I think thi is better than commenting the preprocessor in/out
because it can be better integrated in (custom) configuration mechanisms.

2. don't use a default secret key if none is provided. The
user/administrator must explicitly set a secret key and should know what
he is doing then.

3. don't proceed if no secret key can be found (do not attempt a login
using the JWT)


I think that we should turn this feature off by default for the
following reasons:

1. it opens up a security hole if the user does not remove the
checkJWTLogin preprocessor (see above)

2. the functionality to have a single sign on between two OFBiz
instances will only be used in rare cases (I think). It is only designed
for this special case and cannot be used for standard single sign on
scenarios with other systems.

3. if it is not used, it will still try to read the authorization
header, key etc. *on every request*


What do think?

Regards,

Michael


[1] https://issues.apache.org/jira/browse/OFBIZ-10814

[2] https://jwt.io/

[3] http://jwtbuilder.jamiekurtz.com/









smime.p7s
Description: S/MIME Cryptographic Signature


Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

2019-01-22 Thread Jacopo Cappellato
+1 to disabling it by default.
We could consider, rather than adding a new configuration flag, to disable
the feature if no secret is set in the configuration files (and do not
provide a secret out of the box).

Jacopo


On Sat, Jan 19, 2019 at 12:57 PM Michael Brohl 
wrote:

> Hi all,
>
> during my work in [1] I realized that the OOTB JWT authorization /
> single sign on is switched on by default. The logic to retrieve the
> secret key uses a default if there is no configuration in SystemProperty
> or security.properties.
>
> This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login
> using a guessed userLoginId and this token (which can be retrieved from
> the code).
>
> I think we should secure this so that this cannot be done in an OOTB
> setting with the following additions:
>
> 1. make it configurable through a property which is initially turned
> off. I think thi is better than commenting the preprocessor in/out
> because it can be better integrated in (custom) configuration mechanisms.
>
> 2. don't use a default secret key if none is provided. The
> user/administrator must explicitly set a secret key and should know what
> he is doing then.
>
> 3. don't proceed if no secret key can be found (do not attempt a login
> using the JWT)
>
>
> I think that we should turn this feature off by default for the
> following reasons:
>
> 1. it opens up a security hole if the user does not remove the
> checkJWTLogin preprocessor (see above)
>
> 2. the functionality to have a single sign on between two OFBiz
> instances will only be used in rare cases (I think). It is only designed
> for this special case and cannot be used for standard single sign on
> scenarios with other systems.
>
> 3. if it is not used, it will still try to read the authorization
> header, key etc. *on every request*
>
>
> What do think?
>
> Regards,
>
> Michael
>
>
> [1] https://issues.apache.org/jira/browse/OFBIZ-10814
>
> [2] https://jwt.io/
>
> [3] http://jwtbuilder.jamiekurtz.com/
>
>
>
>
>


Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

2019-01-22 Thread Jacques Le Roux

Le 22/01/2019 à 10:11, Michael Brohl a écrit :

3. if it is not used, it will still try to read the authorization
header, key etc. *on every request*


Yes, that's not a problem it's only few ms (if even) as long as there is no JWT 
passed. Else all the other pre-processors would also be concerned...



The problem is: without explicitely switching it off, it will parse a provided JWT token on every request *even if you don't want to use the SSO 
feature*. You might want to use the Authorization: Bearer  header for other scenarios than SSO. Implementing a REST service for example, 
which is the reason I stumbled upon this.


Implicitely turning the feature on when the header is present is not a good idea, we should separate concerns. 


Ha I see your point now, I had still my code in mind. Before I was only doing a

   request.getHeader("Authorization");

And that was also the reason I wanted a simple Authorization header, that's 
fast.

In one the first implementations I remember I used to have a properties to decide if the JWT was on or off for the same reason. I removed it after 
because it was not costly with the code above


I agree it makes sense again now

Thanks

Jacques



Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

2019-01-22 Thread Michael Brohl

Hi Jacques,

inline...

Am 22.01.19 um 09:51 schrieb Jacques Le Roux:

Hi Michael,

It seems there is a consensus for disabling the JWT feature OOTB and 
it makes sense after testing with Postman.


Thanks, Jacques.



Rest inline:

Le 22/01/2019 à 07:43, Michael Brohl a écrit :

2. the functionality to have a single sign on between two OFBiz
instances will only be used in rare cases (I think). It is only designed
for this special case and cannot be used for standard single sign on
scenarios with other systems.


If we make this feature implicitly non-operational, what about showing 
it in example?
I guess showing it should depend of the property which switch on/off 
the JWT feature.


Yes, this would be another improvement.






3. if it is not used, it will still try to read the authorization
header, key etc. *on every request*


Yes, that's not a problem it's only few ms (if even) as long as there 
is no JWT passed. Else all the other pre-processors would also be 
concerned...



The problem is: without explicitely switching it off, it will parse a 
provided JWT token on every request *even if you don't want to use the 
SSO feature*. You might want to use the Authorization: Bearer  
header for other scenarios than SSO. Implementing a REST service for 
example, which is the reason I stumbled upon this.


Implicitely turning the feature on when the header is present is not a 
good idea, we should separate concerns.


I'm going to provide an enhanced patch for all this.

Thanks,

Michael





smime.p7s
Description: S/MIME Cryptographic Signature


Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

2019-01-22 Thread Jacques Le Roux

Hi Michael,

It seems there is a consensus for disabling the JWT feature OOTB and it makes 
sense after testing with Postman.
Rest inline:

Le 22/01/2019 à 07:43, Michael Brohl a écrit :

2. the functionality to have a single sign on between two OFBiz
instances will only be used in rare cases (I think). It is only designed
for this special case and cannot be used for standard single sign on
scenarios with other systems.


If we make this feature implicitly non-operational, what about showing it in 
example?
I guess showing it should depend of the property which switch on/off the JWT 
feature.



3. if it is not used, it will still try to read the authorization
header, key etc. *on every request*


Yes, that's not a problem it's only few ms (if even) as long as there is no JWT 
passed. Else all the other pre-processors would also be concerned...

Jacques


Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

2019-01-21 Thread Michael Brohl

Thank you all,

if there are no objections I will enhance the patch in [1] to make this 
configurable and switched off as default.


Regards,

Michael

[1] https://issues.apache.org/jira/browse/OFBIZ-10814



Am 21.01.19 um 11:41 schrieb Dennis Balkir:

+1 for off as default

Am 21.01.19 um 10:03 schrieb Taher Alkhateeb:

+1 to default off

On Sat, Jan 19, 2019 at 7:25 PM Michael Brohl 
 wrote:
No, we are mainly discussing if we should turn off the JWT 
functionality

in the default setting and what could be done to make the current
implementation more secure / fail proof.


Am 19.01.19 um 16:54 schrieb Shi Jinghai:
I've just reviewed the code of JWT implements. Sorry for my bad 
English, I'm a bit lost, are we discussing which one is more 
secure, the tomcat session or JWT?



-邮件原件-
发件人: Michael Brohl [mailto:michael.br...@ecomify.de]
发送时间: 2019年1月19日 19:58
收件人: dev@ofbiz.apache.org
主题: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

Hi all,

during my work in [1] I realized that the OOTB JWT authorization /
single sign on is switched on by default. The logic to retrieve the
secret key uses a default if there is no configuration in 
SystemProperty

or security.properties.

This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and 
login
using a guessed userLoginId and this token (which can be retrieved 
from

the code).

I think we should secure this so that this cannot be done in an OOTB
setting with the following additions:

1. make it configurable through a property which is initially turned
off. I think thi is better than commenting the preprocessor in/out
because it can be better integrated in (custom) configuration 
mechanisms.


2. don't use a default secret key if none is provided. The
user/administrator must explicitly set a secret key and should know 
what

he is doing then.

3. don't proceed if no secret key can be found (do not attempt a login
using the JWT)


I think that we should turn this feature off by default for the
following reasons:

1. it opens up a security hole if the user does not remove the
checkJWTLogin preprocessor (see above)

2. the functionality to have a single sign on between two OFBiz
instances will only be used in rare cases (I think). It is only 
designed

for this special case and cannot be used for standard single sign on
scenarios with other systems.

3. if it is not used, it will still try to read the authorization
header, key etc. *on every request*


What do think?

Regards,

Michael


[1] https://issues.apache.org/jira/browse/OFBIZ-10814

[2] https://jwt.io/

[3] http://jwtbuilder.jamiekurtz.com/








smime.p7s
Description: S/MIME Cryptographic Signature


Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

2019-01-21 Thread Dennis Balkir

+1 for off as default

Am 21.01.19 um 10:03 schrieb Taher Alkhateeb:

+1 to default off

On Sat, Jan 19, 2019 at 7:25 PM Michael Brohl  wrote:

No, we are mainly discussing if we should turn off the JWT functionality
in the default setting and what could be done to make the current
implementation more secure / fail proof.


Am 19.01.19 um 16:54 schrieb Shi Jinghai:

I've just reviewed the code of JWT implements. Sorry for my bad English, I'm a 
bit lost, are we discussing which one is more secure, the tomcat session or JWT?


-邮件原件-
发件人: Michael Brohl [mailto:michael.br...@ecomify.de]
发送时间: 2019年1月19日 19:58
收件人: dev@ofbiz.apache.org
主题: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

Hi all,

during my work in [1] I realized that the OOTB JWT authorization /
single sign on is switched on by default. The logic to retrieve the
secret key uses a default if there is no configuration in SystemProperty
or security.properties.

This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login
using a guessed userLoginId and this token (which can be retrieved from
the code).

I think we should secure this so that this cannot be done in an OOTB
setting with the following additions:

1. make it configurable through a property which is initially turned
off. I think thi is better than commenting the preprocessor in/out
because it can be better integrated in (custom) configuration mechanisms.

2. don't use a default secret key if none is provided. The
user/administrator must explicitly set a secret key and should know what
he is doing then.

3. don't proceed if no secret key can be found (do not attempt a login
using the JWT)


I think that we should turn this feature off by default for the
following reasons:

1. it opens up a security hole if the user does not remove the
checkJWTLogin preprocessor (see above)

2. the functionality to have a single sign on between two OFBiz
instances will only be used in rare cases (I think). It is only designed
for this special case and cannot be used for standard single sign on
scenarios with other systems.

3. if it is not used, it will still try to read the authorization
header, key etc. *on every request*


What do think?

Regards,

Michael


[1] https://issues.apache.org/jira/browse/OFBIZ-10814

[2] https://jwt.io/

[3] http://jwtbuilder.jamiekurtz.com/





--
Dennis Balkir
Consultant

Fon   +49 521 448 157-93
Fax   +49 521 448 157-99
Mobil +49 151 17762475
Xing  https://www.xing.com/profile/Dennis_Balkir/
LinkedIn  https://www.linkedin.com/in/dennis-balkir-165962165

Company and Management Headquarters:
ecomify GmbH, Gustav-Winkler-Str. 22, 33699 Bielefeld, Deutschland
Fon: +49 521 448157-90, Fax: +49 521 448157-99, www.ecomify.de

Court Registration: Amtsgericht Bielefeld HRB 41683
Chief Executive Officer: Martin Becker, Michael Brohl



Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

2019-01-21 Thread Taher Alkhateeb
+1 to default off

On Sat, Jan 19, 2019 at 7:25 PM Michael Brohl  wrote:
>
> No, we are mainly discussing if we should turn off the JWT functionality
> in the default setting and what could be done to make the current
> implementation more secure / fail proof.
>
>
> Am 19.01.19 um 16:54 schrieb Shi Jinghai:
> > I've just reviewed the code of JWT implements. Sorry for my bad English, 
> > I'm a bit lost, are we discussing which one is more secure, the tomcat 
> > session or JWT?
> >
> >
> > -邮件原件-
> > 发件人: Michael Brohl [mailto:michael.br...@ecomify.de]
> > 发送时间: 2019年1月19日 19:58
> > 收件人: dev@ofbiz.apache.org
> > 主题: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
> >
> > Hi all,
> >
> > during my work in [1] I realized that the OOTB JWT authorization /
> > single sign on is switched on by default. The logic to retrieve the
> > secret key uses a default if there is no configuration in SystemProperty
> > or security.properties.
> >
> > This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login
> > using a guessed userLoginId and this token (which can be retrieved from
> > the code).
> >
> > I think we should secure this so that this cannot be done in an OOTB
> > setting with the following additions:
> >
> > 1. make it configurable through a property which is initially turned
> > off. I think thi is better than commenting the preprocessor in/out
> > because it can be better integrated in (custom) configuration mechanisms.
> >
> > 2. don't use a default secret key if none is provided. The
> > user/administrator must explicitly set a secret key and should know what
> > he is doing then.
> >
> > 3. don't proceed if no secret key can be found (do not attempt a login
> > using the JWT)
> >
> >
> > I think that we should turn this feature off by default for the
> > following reasons:
> >
> > 1. it opens up a security hole if the user does not remove the
> > checkJWTLogin preprocessor (see above)
> >
> > 2. the functionality to have a single sign on between two OFBiz
> > instances will only be used in rare cases (I think). It is only designed
> > for this special case and cannot be used for standard single sign on
> > scenarios with other systems.
> >
> > 3. if it is not used, it will still try to read the authorization
> > header, key etc. *on every request*
> >
> >
> > What do think?
> >
> > Regards,
> >
> > Michael
> >
> >
> > [1] https://issues.apache.org/jira/browse/OFBIZ-10814
> >
> > [2] https://jwt.io/
> >
> > [3] http://jwtbuilder.jamiekurtz.com/
> >
> >
> >
> >
>


Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

2019-01-20 Thread Deepak Dixit
Thanks Michael,
Looks good to me..!!

Thanks & Regards
--
Deepak Dixit



On Sat, Jan 19, 2019 at 5:27 PM Michael Brohl 
wrote:

> Hi all,
>
> during my work in [1] I realized that the OOTB JWT authorization /
> single sign on is switched on by default. The logic to retrieve the
> secret key uses a default if there is no configuration in SystemProperty
> or security.properties.
>
> This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login
> using a guessed userLoginId and this token (which can be retrieved from
> the code).
>
> I think we should secure this so that this cannot be done in an OOTB
> setting with the following additions:
>
> 1. make it configurable through a property which is initially turned
> off. I think thi is better than commenting the preprocessor in/out
> because it can be better integrated in (custom) configuration mechanisms.
>
> 2. don't use a default secret key if none is provided. The
> user/administrator must explicitly set a secret key and should know what
> he is doing then.
>
> 3. don't proceed if no secret key can be found (do not attempt a login
> using the JWT)
>
>
> I think that we should turn this feature off by default for the
> following reasons:
>
> 1. it opens up a security hole if the user does not remove the
> checkJWTLogin preprocessor (see above)
>
> 2. the functionality to have a single sign on between two OFBiz
> instances will only be used in rare cases (I think). It is only designed
> for this special case and cannot be used for standard single sign on
> scenarios with other systems.
>
> 3. if it is not used, it will still try to read the authorization
> header, key etc. *on every request*
>
>
> What do think?
>
> Regards,
>
> Michael
>
>
> [1] https://issues.apache.org/jira/browse/OFBIZ-10814
>
> [2] https://jwt.io/
>
> [3] http://jwtbuilder.jamiekurtz.com/
>
>
>
>
>


Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

2019-01-19 Thread Michael Brohl
No, we are mainly discussing if we should turn off the JWT functionality 
in the default setting and what could be done to make the current 
implementation more secure / fail proof.



Am 19.01.19 um 16:54 schrieb Shi Jinghai:

I've just reviewed the code of JWT implements. Sorry for my bad English, I'm a 
bit lost, are we discussing which one is more secure, the tomcat session or JWT?


-邮件原件-
发件人: Michael Brohl [mailto:michael.br...@ecomify.de]
发送时间: 2019年1月19日 19:58
收件人: dev@ofbiz.apache.org
主题: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

Hi all,

during my work in [1] I realized that the OOTB JWT authorization /
single sign on is switched on by default. The logic to retrieve the
secret key uses a default if there is no configuration in SystemProperty
or security.properties.

This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login
using a guessed userLoginId and this token (which can be retrieved from
the code).

I think we should secure this so that this cannot be done in an OOTB
setting with the following additions:

1. make it configurable through a property which is initially turned
off. I think thi is better than commenting the preprocessor in/out
because it can be better integrated in (custom) configuration mechanisms.

2. don't use a default secret key if none is provided. The
user/administrator must explicitly set a secret key and should know what
he is doing then.

3. don't proceed if no secret key can be found (do not attempt a login
using the JWT)


I think that we should turn this feature off by default for the
following reasons:

1. it opens up a security hole if the user does not remove the
checkJWTLogin preprocessor (see above)

2. the functionality to have a single sign on between two OFBiz
instances will only be used in rare cases (I think). It is only designed
for this special case and cannot be used for standard single sign on
scenarios with other systems.

3. if it is not used, it will still try to read the authorization
header, key etc. *on every request*


What do think?

Regards,

Michael


[1] https://issues.apache.org/jira/browse/OFBIZ-10814

[2] https://jwt.io/

[3] http://jwtbuilder.jamiekurtz.com/








smime.p7s
Description: S/MIME Cryptographic Signature


Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

2019-01-19 Thread Shi Jinghai
I've just reviewed the code of JWT implements. Sorry for my bad English, I'm a 
bit lost, are we discussing which one is more secure, the tomcat session or JWT?


-邮件原件-
发件人: Michael Brohl [mailto:michael.br...@ecomify.de] 
发送时间: 2019年1月19日 19:58
收件人: dev@ofbiz.apache.org
主题: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality

Hi all,

during my work in [1] I realized that the OOTB JWT authorization / 
single sign on is switched on by default. The logic to retrieve the 
secret key uses a default if there is no configuration in SystemProperty 
or security.properties.

This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login 
using a guessed userLoginId and this token (which can be retrieved from 
the code).

I think we should secure this so that this cannot be done in an OOTB 
setting with the following additions:

1. make it configurable through a property which is initially turned 
off. I think thi is better than commenting the preprocessor in/out 
because it can be better integrated in (custom) configuration mechanisms.

2. don't use a default secret key if none is provided. The 
user/administrator must explicitly set a secret key and should know what 
he is doing then.

3. don't proceed if no secret key can be found (do not attempt a login 
using the JWT)


I think that we should turn this feature off by default for the 
following reasons:

1. it opens up a security hole if the user does not remove the 
checkJWTLogin preprocessor (see above)

2. the functionality to have a single sign on between two OFBiz 
instances will only be used in rare cases (I think). It is only designed 
for this special case and cannot be used for standard single sign on 
scenarios with other systems.

3. if it is not used, it will still try to read the authorization 
header, key etc. *on every request*


What do think?

Regards,

Michael


[1] https://issues.apache.org/jira/browse/OFBIZ-10814

[2] https://jwt.io/

[3] http://jwtbuilder.jamiekurtz.com/






[DISCUSSION] turn off OOTB JWT authorization/SSO functionality

2019-01-19 Thread Michael Brohl

Hi all,

during my work in [1] I realized that the OOTB JWT authorization / 
single sign on is switched on by default. The logic to retrieve the 
secret key uses a default if there is no configuration in SystemProperty 
or security.properties.


This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login 
using a guessed userLoginId and this token (which can be retrieved from 
the code).


I think we should secure this so that this cannot be done in an OOTB 
setting with the following additions:


1. make it configurable through a property which is initially turned 
off. I think thi is better than commenting the preprocessor in/out 
because it can be better integrated in (custom) configuration mechanisms.


2. don't use a default secret key if none is provided. The 
user/administrator must explicitly set a secret key and should know what 
he is doing then.


3. don't proceed if no secret key can be found (do not attempt a login 
using the JWT)



I think that we should turn this feature off by default for the 
following reasons:


1. it opens up a security hole if the user does not remove the 
checkJWTLogin preprocessor (see above)


2. the functionality to have a single sign on between two OFBiz 
instances will only be used in rare cases (I think). It is only designed 
for this special case and cannot be used for standard single sign on 
scenarios with other systems.


3. if it is not used, it will still try to read the authorization 
header, key etc. *on every request*



What do think?

Regards,

Michael


[1] https://issues.apache.org/jira/browse/OFBIZ-10814

[2] https://jwt.io/

[3] http://jwtbuilder.jamiekurtz.com/






smime.p7s
Description: S/MIME Cryptographic Signature