Question about hashed passwords in seed data
Locked
Question about hashed passwords in seed data
 
|
Hi all,
what about adding the {SHA} prefix to the passwords we have in the PasswordSecurityData.xml file in the securityext component? This is the (standard) format used when passowrd are updated using OFBiz ui and services. Also, I would like to move the UserLogin record for the "admin" and "system" UserLogin (including the relevant entries in the PasswordSecurityData.xml file) from the securityext to the security component, i.e. from the applications to the framework. In this way we will be able to log in to the webtools application even if we are running a framework only version of OFBiz. Jacopo |
smime.p7s (3K)
Re: Question about hashed passwords in seed data
|
|
Re: Question about hashed passwords in seed data
|
|
Re: Question about hashed passwords in seed data
|
|
Re: Question about hashed passwords in seed data
|
|
Re: Question about hashed passwords in seed data
|
|
Re: Question about hashed passwords in seed data
Administrator
|
Re: Question about hashed passwords in seed data
|
|
In reply to this post by Adrian Crum-2
I can understand the concerns about security but... since the
passwords are loaded only by the seed-initial target (aka "ant run- install-extseed") I'd say that, if you run that task, it should be pretty clear what you are doing. A framework upgrade (aka "svn up framework" and "ant run-install- seed") will not be affected by this change. Actually, the "admin" user will be created (if not already there) but with empty password... hmmm, is it the concern about the security hole? Yes, this could be an issue, but only for existing db without admin user already defined. However I think we need to find a compromise so that it will be possible to log in into a framework only setup. Any suggestions? (maybe just adding a clear message in the ant output that explains what is happening when you run that task? Jacopo On Jan 25, 2009, at 9:59 PM, Adrian Crum wrote: > I suggested having the admin user login and password in the > framework. A couple of people responded that doing so would open up > a security hole. I asked how a user would log into a new > installation if there was no initial user login and password. The > discussion stopped there. > > -Adrian > > > --- On Sun, 1/25/09, David E Jones <[hidden email]> > wrote: > >> From: David E Jones <[hidden email]> >> Subject: Re: Question about hashed passwords in seed data >> To: "[hidden email]" <[hidden email]> >> Cc: "[hidden email]" <[hidden email]> >> Date: Sunday, January 25, 2009, 12:42 PM >> Maybe you understood incorrectly, if you are referring to >> what I think you are. >> >> >> -David >> >> >> On Jan 25, 2009, at 13:01, Adrian Crum >> <[hidden email]> wrote: >> >>> --- On Sun, 1/25/09, Jacopo Cappellato >> <[hidden email]> wrote: >>>> Also, I would like to move the UserLogin record >> for the >>>> "admin" and "system" UserLogin >>>> (including the relevant entries in the >>>> PasswordSecurityData.xml file) from the >> securityext to the >>>> security component, i.e. from the applications to >> the >>>> framework. >>>> >>>> In this way we will be able to log in to the >> webtools >>>> application even if we are running a framework >> only version >>>> of OFBiz. >>> >>> I suggested that some time ago and the reply was that >> there were to be no user login IDs or passwords supplied >> with the framework. >>> >>> -Adrian >>> >>> >>> >>> > > > |
Re: Question about hashed passwords in seed data
|
|
Re: Question about hashed passwords in seed data
|
|
Re: Question about hashed passwords in seed data
|
|
Re: Question about hashed passwords in seed data
|
|
In reply to this post by Jacopo Cappellato-4
I just spent some more time thinking about this and I would like to
share with you the following idea: 1) add a new ant task that prompts the user to enter a password for the admin user: the password will then be stored in the db 2) the above task will be executed the seed-initial target is run; if the password is not provided, the admin user is not created 3) running run-install (demo data) will automatically set the admin password to "ofbiz" as it is now Does it make sense? Jacopo On Jan 26, 2009, at 12:21 AM, Jacopo Cappellato wrote: > I can understand the concerns about security but... since the > passwords are loaded only by the seed-initial target (aka "ant run- > install-extseed") I'd say that, if you run that task, it should be > pretty clear what you are doing. > A framework upgrade (aka "svn up framework" and "ant run-install- > seed") will not be affected by this change. > Actually, the "admin" user will be created (if not already there) > but with empty password... hmmm, is it the concern about the > security hole? Yes, this could be an issue, but only for existing db > without admin user already defined. > However I think we need to find a compromise so that it will be > possible to log in into a framework only setup. > Any suggestions? (maybe just adding a clear message in the ant > output that explains what is happening when you run that task? > > Jacopo > > > On Jan 25, 2009, at 9:59 PM, Adrian Crum wrote: > >> I suggested having the admin user login and password in the >> framework. A couple of people responded that doing so would open up >> a security hole. I asked how a user would log into a new >> installation if there was no initial user login and password. The >> discussion stopped there. >> >> -Adrian >> >> >> --- On Sun, 1/25/09, David E Jones <[hidden email]> >> wrote: >> >>> From: David E Jones <[hidden email]> >>> Subject: Re: Question about hashed passwords in seed data >>> To: "[hidden email]" <[hidden email]> >>> Cc: "[hidden email]" <[hidden email]> >>> Date: Sunday, January 25, 2009, 12:42 PM >>> Maybe you understood incorrectly, if you are referring to >>> what I think you are. >>> >>> >>> -David >>> >>> >>> On Jan 25, 2009, at 13:01, Adrian Crum >>> <[hidden email]> wrote: >>> >>>> --- On Sun, 1/25/09, Jacopo Cappellato >>> <[hidden email]> wrote: >>>>> Also, I would like to move the UserLogin record >>> for the >>>>> "admin" and "system" UserLogin >>>>> (including the relevant entries in the >>>>> PasswordSecurityData.xml file) from the >>> securityext to the >>>>> security component, i.e. from the applications to >>> the >>>>> framework. >>>>> >>>>> In this way we will be able to log in to the >>> webtools >>>>> application even if we are running a framework >>> only version >>>>> of OFBiz. >>>> >>>> I suggested that some time ago and the reply was that >>> there were to be no user login IDs or passwords supplied >>> with the framework. >>>> >>>> -Adrian >>>> >>>> >>>> >>>> >> >> >> > |
Re: Question about hashed passwords in seed data
|
Administrator
|
Re: Question about hashed passwords in seed data
|
|
Re: Question about hashed passwords in seed data
|
|
David,
this is a great suggestion and I have implemented it in rev. 739563. Here is the commit log: Three new ant targets defined: * run-install-readers to pass the comma separated list of data readers (IMO this task should be named "run-install" and the existing one should be renamed "run-install-demo") * run-install-file to pass a file name to load data from * create-admin-user-login that prompts for a user login, then creates it with admin privileges and a temporary password equal to 'ofbiz' The last task is useful to build and setup a framework only distribution; the steps to get, build and run the OFBiz framework with seed data only are: 1) checkout OFBiz 2) remove the applications and specialpurpose folders 3) ant run-install-extseed 4) ant create-admin-user-login (and enter a user login id when prompted) 5) start ofbiz and login with the user login id created in step 4 (use the password 'ofbiz') 6) change the password when prompted Jacopo On Jan 30, 2009, at 10:34 PM, David E Jones wrote: > > That ant target to setup a user would be cool (and hopefully not too > hard to implement... I don't know as I've never tried). If we're > going to do that for seed-only (or seed, ext) data loading why not > also get a username instead of using admin? Having the admin user in > demo data is great, but for other installations it's nice to not > have any of the OOTB users (except the system user that should be > part of seed data), just new users that are setup that are specific > to the organization. > > So, yeah, sounds like a good plan. > > -David > > > On Jan 30, 2009, at 2:45 AM, Jacopo Cappellato wrote: > >> I just spent some more time thinking about this and I would like to >> share with you the following idea: >> >> 1) add a new ant task that prompts the user to enter a password for >> the admin user: the password will then be stored in the db >> 2) the above task will be executed the seed-initial target is run; >> if the password is not provided, the admin user is not created >> 3) running run-install (demo data) will automatically set the admin >> password to "ofbiz" as it is now >> >> Does it make sense? >> >> Jacopo >> >> >> On Jan 26, 2009, at 12:21 AM, Jacopo Cappellato wrote: >> >>> I can understand the concerns about security but... since the >>> passwords are loaded only by the seed-initial target (aka "ant run- >>> install-extseed") I'd say that, if you run that task, it should be >>> pretty clear what you are doing. >>> A framework upgrade (aka "svn up framework" and "ant run-install- >>> seed") will not be affected by this change. >>> Actually, the "admin" user will be created (if not already there) >>> but with empty password... hmmm, is it the concern about the >>> security hole? Yes, this could be an issue, but only for existing >>> db without admin user already defined. >>> However I think we need to find a compromise so that it will be >>> possible to log in into a framework only setup. >>> Any suggestions? (maybe just adding a clear message in the ant >>> output that explains what is happening when you run that task? >>> >>> Jacopo >>> >>> >>> On Jan 25, 2009, at 9:59 PM, Adrian Crum wrote: >>> >>>> I suggested having the admin user login and password in the >>>> framework. A couple of people responded that doing so would open >>>> up a security hole. I asked how a user would log into a new >>>> installation if there was no initial user login and password. The >>>> discussion stopped there. >>>> >>>> -Adrian >>>> >>>> >>>> --- On Sun, 1/25/09, David E Jones <[hidden email]> >>>> wrote: >>>> >>>>> From: David E Jones <[hidden email]> >>>>> Subject: Re: Question about hashed passwords in seed data >>>>> To: "[hidden email]" <[hidden email]> >>>>> Cc: "[hidden email]" <[hidden email]> >>>>> Date: Sunday, January 25, 2009, 12:42 PM >>>>> Maybe you understood incorrectly, if you are referring to >>>>> what I think you are. >>>>> >>>>> >>>>> -David >>>>> >>>>> >>>>> On Jan 25, 2009, at 13:01, Adrian Crum >>>>> <[hidden email]> wrote: >>>>> >>>>>> --- On Sun, 1/25/09, Jacopo Cappellato >>>>> <[hidden email]> wrote: >>>>>>> Also, I would like to move the UserLogin record >>>>> for the >>>>>>> "admin" and "system" UserLogin >>>>>>> (including the relevant entries in the >>>>>>> PasswordSecurityData.xml file) from the >>>>> securityext to the >>>>>>> security component, i.e. from the applications to >>>>> the >>>>>>> framework. >>>>>>> >>>>>>> In this way we will be able to log in to the >>>>> webtools >>>>>>> application even if we are running a framework >>>>> only version >>>>>>> of OFBiz. >>>>>> >>>>>> I suggested that some time ago and the reply was that >>>>> there were to be no user login IDs or passwords supplied >>>>> with the framework. >>>>>> >>>>>> -Adrian >>>>>> >>>>>> >>>>>> >>>>>> >>>> >>>> >>>> >>> >> > |
Re: Question about hashed passwords in seed data
|
|
In reply to this post by David E Jones-3
On Jan 25, 2009, at 9:51 PM, David E Jones wrote:
> I should also concede that I may not have communicated very well... > > The system account definitely needs to be there, and in seed data. > The admin account we be a good thing to have in demo data, but my > objection is to always having admin there, ie in seed data. Ok, I did some research and I have noticed the following things: 1) the "system" account is loaded with seed data in the framework: this is good 2) the "system" account password (ofbiz) is loaded with seed-initial data in the applications: do we really need to set a password for it? If the password is not required, it would be a good news and we could remove the password entry. 3) the "admin" user is loaded with seed data in the applications (and its password with seed-initial data): should we move it to demo data? I think that, now that we have an ant script to create a user, we could really move this to demo data without issues Jacopo > > > > -David > > > On Jan 25, 2009, at 13:42, David E Jones > <[hidden email]> wrote: > >> Maybe you understood incorrectly, if you are referring to what I >> think you are. >> >> >> -David >> >> >> On Jan 25, 2009, at 13:01, Adrian Crum <[hidden email]> wrote: >> >>> --- On Sun, 1/25/09, Jacopo Cappellato <[hidden email] >>> > wrote: >>>> Also, I would like to move the UserLogin record for the >>>> "admin" and "system" UserLogin >>>> (including the relevant entries in the >>>> PasswordSecurityData.xml file) from the securityext to the >>>> security component, i.e. from the applications to the >>>> framework. >>>> >>>> In this way we will be able to log in to the webtools >>>> application even if we are running a framework only version >>>> of OFBiz. >>> >>> I suggested that some time ago and the reply was that there were >>> to be no user login IDs or passwords supplied with the framework. >>> >>> -Adrian >>> >>> >>> >>> |
Re: Question about hashed passwords in seed data
|
|
Re: Question about hashed passwords in seed data
|
|
On Jan 31, 2009, at 7:55 PM, David E Jones wrote: > > On Jan 31, 2009, at 6:57 AM, Jacopo Cappellato wrote: > >> On Jan 25, 2009, at 9:51 PM, David E Jones wrote: >> >>> I should also concede that I may not have communicated very well... >>> >>> The system account definitely needs to be there, and in seed data. >>> The admin account we be a good thing to have in demo data, but my >>> objection is to always having admin there, ie in seed data. >> >> Ok, >> >> I did some research and I have noticed the following things: >> >> 1) the "system" account is loaded with seed data in the framework: >> this is good >> 2) the "system" account password (ofbiz) is loaded with seed- >> initial data in the applications: do we really need to set a >> password for it? If the password is not required, it would be a >> good news and we could remove the password entry. > > Technically it is system only so you can't authenticate with it > anyway, so it should be fine to not have a password on... > >> 3) the "admin" user is loaded with seed data in the applications >> (and its password with seed-initial data): should we move it to >> demo data? I think that, now that we have an ant script to create a >> user, we could really move this to demo data without issues > > Yeah, IMO we should move it to demo data (and all related data, and > similar accounts like flexadmin, demoadmin, etc that aren't already > in demo data). > > -David > I am working on this right now... I just have a doubt about the data in this file: http://svn.apache.org/repos/asf/ofbiz/trunk/applications/securityext/data/SecurityExtData.xml It is currently loaded as seed data; do you think it will be an issue to move it to demo data? To summarize, all the following entries: <entity-resource type="data" reader-name="seed" loader="main" location="data/SecurityExtData.xml"/> <entity-resource type="data" reader-name="demo" loader="main" location="data/UserDemoData.xml"/> <entity-resource type="data" reader-name="seed-initial" loader="main" location="data/PasswordSecurityData.xml"/> will be changed to: <entity-resource type="data" reader-name="demo" loader="main" location="data/SecurityExtData.xml"/> <entity-resource type="data" reader-name="demo" loader="main" location="data/UserDemoData.xml"/> <entity-resource type="data" reader-name="demo" loader="main" location="data/PasswordSecurityData.xml"/> and in the last one I will remove the password for the "system" user. Actually, we could even merge SecurityExtData.xml and UserDemoData.xml Jacopo |
Re: Question about hashed passwords in seed data
|
|
Re: Question about hashed passwords in seed data
|
|
Done in rev. 739743
Jacopo On Jan 31, 2009, at 9:39 PM, David E Jones wrote: > > On Jan 31, 2009, at 11:18 AM, Jacopo Cappellato wrote: > >> >> On Jan 31, 2009, at 7:55 PM, David E Jones wrote: >> >>> >>> On Jan 31, 2009, at 6:57 AM, Jacopo Cappellato wrote: >>> >>>> On Jan 25, 2009, at 9:51 PM, David E Jones wrote: >>>> >>>>> I should also concede that I may not have communicated very >>>>> well... >>>>> >>>>> The system account definitely needs to be there, and in seed >>>>> data. The admin account we be a good thing to have in demo data, >>>>> but my objection is to always having admin there, ie in seed data. >>>> >>>> Ok, >>>> >>>> I did some research and I have noticed the following things: >>>> >>>> 1) the "system" account is loaded with seed data in the >>>> framework: this is good >>>> 2) the "system" account password (ofbiz) is loaded with seed- >>>> initial data in the applications: do we really need to set a >>>> password for it? If the password is not required, it would be a >>>> good news and we could remove the password entry. >>> >>> Technically it is system only so you can't authenticate with it >>> anyway, so it should be fine to not have a password on... >>> >>>> 3) the "admin" user is loaded with seed data in the applications >>>> (and its password with seed-initial data): should we move it to >>>> demo data? I think that, now that we have an ant script to create >>>> a user, we could really move this to demo data without issues >>> >>> Yeah, IMO we should move it to demo data (and all related data, >>> and similar accounts like flexadmin, demoadmin, etc that aren't >>> already in demo data). >>> >>> -David >>> >> >> Sounds like a plan. >> I am working on this right now... I just have a doubt about the >> data in this file: >> >> http://svn.apache.org/repos/asf/ofbiz/trunk/applications/securityext/data/SecurityExtData.xml >> >> It is currently loaded as seed data; do you think it will be an >> issue to move it to demo data? >> >> To summarize, all the following entries: >> >> <entity-resource type="data" reader-name="seed" loader="main" >> location="data/SecurityExtData.xml"/> >> <entity-resource type="data" reader-name="demo" loader="main" >> location="data/UserDemoData.xml"/> >> <entity-resource type="data" reader-name="seed-initial" >> loader="main" location="data/PasswordSecurityData.xml"/> >> >> will be changed to: >> >> <entity-resource type="data" reader-name="demo" loader="main" >> location="data/SecurityExtData.xml"/> >> <entity-resource type="data" reader-name="demo" loader="main" >> location="data/UserDemoData.xml"/> >> <entity-resource type="data" reader-name="demo" loader="main" >> location="data/PasswordSecurityData.xml"/> >> >> and in the last one I will remove the password for the "system" >> user. Actually, we could even merge SecurityExtData.xml and >> UserDemoData.xml > > Yes, that sounds about right. I just checked out those files and I > also like the idea of merging SecurityExtData.xml into > UserDemoData.xml too. > > -David > > |
| Free forum by Nabble | Edit this page |