Re: svn commit: r1866255 - in /ofbiz/ofbiz-framework/trunk/framework: security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Re: svn commit: r1866255 - in /ofbiz/ofbiz-framework/trunk/framework: security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

Jacques Le Roux
Administrator
Hi,

sy-password-and-JWT.adoc slipped in inadvertently. Not a big deal it's a WIP part of OFBIZ-10751, to be continued...

Jacques

Le 02/09/2019 à 09:05, [hidden email] a écrit :

> Author: jleroux
> Date: Mon Sep  2 07:05:08 2019
> New Revision: 1866255
>
> URL: http://svn.apache.org/viewvc?rev=1866255&view=rev
> Log:
> Improved: Unknown request [images]; this request does not exist or cannot be
> called directly.
> (OFBIZ-11152)
>
> Gives an advice to reassure users about the seriousness of the issue
>
> This issue can be easily reproduced by going to example/control/FormWidgetExamples
> Other backend components are less concerned but it happens sometimes in them too.
> It's quite hard to understand what's happening.
> This is a sequel of OFBIZ-10895
>
> Added:
>      ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc   (with props)
> Modified:
>      ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
>
> Added: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
> URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc?rev=1866255&view=auto
> ==============================================================================
> --- ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc (added)
> +++ ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc Mon Sep  2 07:05:08 2019
> @@ -0,0 +1,76 @@
> +////
> +Licensed to the Apache Software Foundation (ASF) under one
> +or more contributor license agreements.  See the NOTICE file
> +distributed with this work for additional information
> +regarding copyright ownership.  The ASF licenses this file
> +to you under the Apache License, Version 2.0 (the
> +"License"); you may not use this file except in compliance
> +with the License.  You may obtain a copy of the License at
> +
> +http://www.apache.org/licenses/LICENSE-2.0
> +
> +Unless required by applicable law or agreed to in writing,
> +software distributed under the License is distributed on an
> +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> +KIND, either express or implied.  See the License for the
> +specific language governing permissions and limitations
> +under the License.
> +////
> +
> += Passwords and JWT (JSON Web Tokens) usage
> +== How are set and used passwords and JWT  in Apache OFBiz
> +The Apache OFBiz Project
> +Release 17.12
> +
> +:imagesdir: ../../themes/common-theme/webapp/images/img/
> +ifdef::backend-pdf[]
> +:title-logo-image: image::OFBiz-Logo.svg[Apache OFBiz Logo, pdfwidth=4.25in, align=center]
> +:source-highlighter: rouge
> +endif::[]
> +
> +=== Passwords
> +
> +Demo and seed passwords are stored in files loaded through security ofbiz-component.xml. To know more about that be sure to read:
> +
> +
> +* https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guidehttp://url[The technical production setup guide] notably "Initial Data Loading" and "Security Settings" sections
> +* https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deploymenthttp://url[How to secure your deployment]
> +
> +[CAUTION]
> +These configuration steps are not to be neglected for the security of a *production environment*
> +
> +=== JWT usage
> +
> +https://en.wikipedia.org/wiki/JSON_Web_Token[As says Wikipedia]:
> +____
> +JSON Web Token (JWT) is an Internet standard for creating JSON-based access tokens that assert some number of claims.
> +____
> +
> +
> +We currently use JWT in 2 places:
> +
> +. To let users safely recreate passwords (in backend and frontend)
> +. To allow SSO (Single Sig-on) jumpings from an OFBiz instance to another OFBiz instance on another domain, by also using https://en.wikipedia.org/wiki/Cross-origin_resource_sharing[CORS] (
> +Cross-origin resource sharing) on the target server
> +
> +
> +==== How to secure JWT
> +When you use JWT, in order to sign your tokens, you have the choice of using a sole so called secret key or a pair of public/private keys:https://jwt.io/introduction/.
> +
> +You might prefer to use pair of public/private keys, but by default OFBiz uses a secret key. Remains the way how to store this secret key.
> +
> +. The first idea which comes to mind is to use a property in the security.properties file. It's safe as long as your filesystem is not compromised.
> +. You may also pick a SystemProperty entity. It's safe as long as your DB is not compromised.
> +. We recommend to not use an environment variable to pass the uuid as those can be considered weak:
> +
> +    http://movingfast.io/articles/environment-variables-considered-harmful/
> +    https://security.stackexchange.com/questions/49725/is-it-really-secure-to-store-api-keys-in-environment-variables
> +
> +
> +
> +===== Properties
> +
> +The _security.properties_ file introduce two properties that control impersonation feature :
> +
> +=== Last but not least
> +Be sure to read https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping OFBiz secure]
> \ No newline at end of file
>
> Propchange: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
> ------------------------------------------------------------------------------
>      svn:eol-style = native
>
> Propchange: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
> ------------------------------------------------------------------------------
>      svn:keywords = Date Rev Author URL Id
>
> Propchange: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
> ------------------------------------------------------------------------------
>      svn:mime-type = text/plain
>
> Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
> URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java?rev=1866255&r1=1866254&r2=1866255&view=diff
> ==============================================================================
> --- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java (original)
> +++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java Mon Sep  2 07:05:08 2019
> @@ -277,6 +277,9 @@ public class RequestHandler {
>                   if (path.contains("/checkLogin/")) {
>                       // Nested requests related with checkLogin uselessly clutter the log. There is nothing to worry about, better remove this wrong error message.
>                       return;
> +                } else if (path.contains("/images/")) {
> +                    if (Debug.warningOn()) Debug.logWarning("You should check if this request is really a problem or a false alarm: " + request.getRequestURL(), module);
> +                    throw new RequestHandlerException(requestMissingErrorMessage);
>                   } else {
>                       throw new RequestHandlerException(requestMissingErrorMessage);
>                   }
>
>
>