[DISCUSSION] turn off OOTB JWT authorization/SSO functionality
Locked
[DISCUSSION] turn off OOTB JWT authorization/SSO functionality
 
|
Hi all,
during my work in [1] I realized that the OOTB JWT authorization / single sign on is switched on by default. The logic to retrieve the secret key uses a default if there is no configuration in SystemProperty or security.properties. This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login using a guessed userLoginId and this token (which can be retrieved from the code). I think we should secure this so that this cannot be done in an OOTB setting with the following additions: 1. make it configurable through a property which is initially turned off. I think thi is better than commenting the preprocessor in/out because it can be better integrated in (custom) configuration mechanisms. 2. don't use a default secret key if none is provided. The user/administrator must explicitly set a secret key and should know what he is doing then. 3. don't proceed if no secret key can be found (do not attempt a login using the JWT) I think that we should turn this feature off by default for the following reasons: 1. it opens up a security hole if the user does not remove the checkJWTLogin preprocessor (see above) 2. the functionality to have a single sign on between two OFBiz instances will only be used in rare cases (I think). It is only designed for this special case and cannot be used for standard single sign on scenarios with other systems. 3. if it is not used, it will still try to read the authorization header, key etc. *on every request* What do think? Regards, Michael [1] https://issues.apache.org/jira/browse/OFBIZ-10814 [2] https://jwt.io/ [3] http://jwtbuilder.jamiekurtz.com/ |
smime.p7s (5K)
Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
|
|
Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
|
|
No, we are mainly discussing if we should turn off the JWT functionality
in the default setting and what could be done to make the current implementation more secure / fail proof. Am 19.01.19 um 16:54 schrieb Shi Jinghai: > I've just reviewed the code of JWT implements. Sorry for my bad English, I'm a bit lost, are we discussing which one is more secure, the tomcat session or JWT? > > > -----邮件原件----- > 发件人: Michael Brohl [mailto:[hidden email]] > 发送时间: 2019年1月19日 19:58 > 收件人: [hidden email] > 主题: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality > > Hi all, > > during my work in [1] I realized that the OOTB JWT authorization / > single sign on is switched on by default. The logic to retrieve the > secret key uses a default if there is no configuration in SystemProperty > or security.properties. > > This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login > using a guessed userLoginId and this token (which can be retrieved from > the code). > > I think we should secure this so that this cannot be done in an OOTB > setting with the following additions: > > 1. make it configurable through a property which is initially turned > off. I think thi is better than commenting the preprocessor in/out > because it can be better integrated in (custom) configuration mechanisms. > > 2. don't use a default secret key if none is provided. The > user/administrator must explicitly set a secret key and should know what > he is doing then. > > 3. don't proceed if no secret key can be found (do not attempt a login > using the JWT) > > > I think that we should turn this feature off by default for the > following reasons: > > 1. it opens up a security hole if the user does not remove the > checkJWTLogin preprocessor (see above) > > 2. the functionality to have a single sign on between two OFBiz > instances will only be used in rare cases (I think). It is only designed > for this special case and cannot be used for standard single sign on > scenarios with other systems. > > 3. if it is not used, it will still try to read the authorization > header, key etc. *on every request* > > > What do think? > > Regards, > > Michael > > > [1] https://issues.apache.org/jira/browse/OFBIZ-10814 > > [2] https://jwt.io/ > > [3] http://jwtbuilder.jamiekurtz.com/ > > > > |
Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
|
|
Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
|
Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
|
|
Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
|
|
Thank you all,
if there are no objections I will enhance the patch in [1] to make this configurable and switched off as default. Regards, Michael [1] https://issues.apache.org/jira/browse/OFBIZ-10814 Am 21.01.19 um 11:41 schrieb Dennis Balkir: > +1 for off as default > > Am 21.01.19 um 10:03 schrieb Taher Alkhateeb: >> +1 to default off >> >> On Sat, Jan 19, 2019 at 7:25 PM Michael Brohl >> <[hidden email]> wrote: >>> No, we are mainly discussing if we should turn off the JWT >>> functionality >>> in the default setting and what could be done to make the current >>> implementation more secure / fail proof. >>> >>> >>> Am 19.01.19 um 16:54 schrieb Shi Jinghai: >>>> I've just reviewed the code of JWT implements. Sorry for my bad >>>> English, I'm a bit lost, are we discussing which one is more >>>> secure, the tomcat session or JWT? >>>> >>>> >>>> -----邮件原件----- >>>> 发件人: Michael Brohl [mailto:[hidden email]] >>>> 发送时间: 2019年1月19日 19:58 >>>> 收件人: [hidden email] >>>> 主题: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality >>>> >>>> Hi all, >>>> >>>> during my work in [1] I realized that the OOTB JWT authorization / >>>> single sign on is switched on by default. The logic to retrieve the >>>> secret key uses a default if there is no configuration in >>>> SystemProperty >>>> or security.properties. >>>> >>>> This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and >>>> login >>>> using a guessed userLoginId and this token (which can be retrieved >>>> from >>>> the code). >>>> >>>> I think we should secure this so that this cannot be done in an OOTB >>>> setting with the following additions: >>>> >>>> 1. make it configurable through a property which is initially turned >>>> off. I think thi is better than commenting the preprocessor in/out >>>> because it can be better integrated in (custom) configuration >>>> mechanisms. >>>> >>>> 2. don't use a default secret key if none is provided. The >>>> user/administrator must explicitly set a secret key and should know >>>> what >>>> he is doing then. >>>> >>>> 3. don't proceed if no secret key can be found (do not attempt a login >>>> using the JWT) >>>> >>>> >>>> I think that we should turn this feature off by default for the >>>> following reasons: >>>> >>>> 1. it opens up a security hole if the user does not remove the >>>> checkJWTLogin preprocessor (see above) >>>> >>>> 2. the functionality to have a single sign on between two OFBiz >>>> instances will only be used in rare cases (I think). It is only >>>> designed >>>> for this special case and cannot be used for standard single sign on >>>> scenarios with other systems. >>>> >>>> 3. if it is not used, it will still try to read the authorization >>>> header, key etc. *on every request* >>>> >>>> >>>> What do think? >>>> >>>> Regards, >>>> >>>> Michael >>>> >>>> >>>> [1] https://issues.apache.org/jira/browse/OFBIZ-10814 >>>> >>>> [2] https://jwt.io/ >>>> >>>> [3] http://jwtbuilder.jamiekurtz.com/ >>>> >>>> >>>> >>>> |
Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
Administrator
|
Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
|
|
Hi Jacques,
inline... Am 22.01.19 um 09:51 schrieb Jacques Le Roux: > Hi Michael, > > It seems there is a consensus for disabling the JWT feature OOTB and > it makes sense after testing with Postman. Thanks, Jacques. > Rest inline: > > Le 22/01/2019 à 07:43, Michael Brohl a écrit : >> 2. the functionality to have a single sign on between two OFBiz >> instances will only be used in rare cases (I think). It is only designed >> for this special case and cannot be used for standard single sign on >> scenarios with other systems. > > If we make this feature implicitly non-operational, what about showing > it in example? > I guess showing it should depend of the property which switch on/off > the JWT feature. > > >> 3. if it is not used, it will still try to read the authorization >> header, key etc. *on every request* > > Yes, that's not a problem it's only few ms (if even) as long as there > is no JWT passed. Else all the other pre-processors would also be > concerned... The problem is: without explicitely switching it off, it will parse a provided JWT token on every request *even if you don't want to use the SSO feature*. You might want to use the Authorization: Bearer <token> header for other scenarios than SSO. Implementing a REST service for example, which is the reason I stumbled upon this. Implicitely turning the feature on when the header is present is not a good idea, we should separate concerns. I'm going to provide an enhanced patch for all this. Thanks, Michael |
Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
|
Administrator
|
Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
|
|
Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
|
|
Hi Jacopo,
thanks for your repsonse! I think it would be better to divide the concerns of the different concerns here and have a separate configuration to turn internal SSO on/off and to provide a secret for the JWT handling. For example, if you want to use the JWT handling for another reason than internal SSO (e.g. REST interfaces) you would also be forced to use the internal SSO feature. I'll provide my latest patch soon for review. Best regards,Michael Am 23.01.19 um 07:34 schrieb Jacopo Cappellato: > +1 to disabling it by default. > We could consider, rather than adding a new configuration flag, to disable > the feature if no secret is set in the configuration files (and do not > provide a secret out of the box). > > Jacopo > > > On Sat, Jan 19, 2019 at 12:57 PM Michael Brohl <[hidden email]> > wrote: > >> Hi all, >> >> during my work in [1] I realized that the OOTB JWT authorization / >> single sign on is switched on by default. The logic to retrieve the >> secret key uses a default if there is no configuration in SystemProperty >> or security.properties. >> >> This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login >> using a guessed userLoginId and this token (which can be retrieved from >> the code). >> >> I think we should secure this so that this cannot be done in an OOTB >> setting with the following additions: >> >> 1. make it configurable through a property which is initially turned >> off. I think thi is better than commenting the preprocessor in/out >> because it can be better integrated in (custom) configuration mechanisms. >> >> 2. don't use a default secret key if none is provided. The >> user/administrator must explicitly set a secret key and should know what >> he is doing then. >> >> 3. don't proceed if no secret key can be found (do not attempt a login >> using the JWT) >> >> >> I think that we should turn this feature off by default for the >> following reasons: >> >> 1. it opens up a security hole if the user does not remove the >> checkJWTLogin preprocessor (see above) >> >> 2. the functionality to have a single sign on between two OFBiz >> instances will only be used in rare cases (I think). It is only designed >> for this special case and cannot be used for standard single sign on >> scenarios with other systems. >> >> 3. if it is not used, it will still try to read the authorization >> header, key etc. *on every request* >> >> >> What do think? >> >> Regards, >> >> Michael >> >> >> [1] https://issues.apache.org/jira/browse/OFBIZ-10814 >> >> [2] https://jwt.io/ >> >> [3] http://jwtbuilder.jamiekurtz.com/ >> >> >> >> >> |
Re: [DISCUSSION] turn off OOTB JWT authorization/SSO functionality
|
|
This is now committed, see https://issues.apache.org/jira/browse/OFBIZ-10814
Thanks, Michael Am 23.01.19 um 15:12 schrieb Michael Brohl: > > [1] https://issues.apache.org/jira/browse/OFBIZ-10814 |
| Free forum by Nabble | Edit this page |