Hi,
sy-password-and-JWT.adoc slipped in inadvertently. Not a big deal, it's a WIP part of OFBIZ-10751, to be continued...

Jacques

On 02/09/2019 at 09:05, [hidden email] wrote:
> Author: jleroux
> Date: Mon Sep 2 07:05:08 2019
> New Revision: 1866255
>
> URL: http://svn.apache.org/viewvc?rev=1866255&view=rev
> Log:
> Improved: Unknown request [images]; this request does not exist or cannot be
> called directly.
> (OFBIZ-11152)
>
> Gives advice to reassure users about the seriousness of the issue
>
> This issue can be easily reproduced by going to example/control/FormWidgetExamples
> Other backend components are less concerned but it happens sometimes in them too.
> It's quite hard to understand what's happening.
> This is a sequel of OFBIZ-10895
>
> Added:
> ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc (with props)
> Modified:
> ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
>
> Added: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
> URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc?rev=1866255&view=auto
> ==============================================================================
> --- ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc (added)
> +++ ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc Mon Sep 2 07:05:08 2019
> @@ -0,0 +1,76 @@ > +//// > +Licensed to the Apache Software Foundation (ASF) under one > +or more contributor license agreements. See the NOTICE file > +distributed with this work for additional information > +regarding copyright ownership. The ASF licenses this file > +to you under the Apache License, Version 2.0 (the > +"License"); you may not use this file except in compliance > +with the License. You may obtain a copy of the License at > + > +http://www.apache.org/licenses/LICENSE-2.0 > + > +Unless required by applicable law or agreed to in writing, > +software distributed under the License is distributed on an > +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY > +KIND, either express or implied. See the License for the > +specific language governing permissions and limitations > +under the License. > +//// > + > += Passwords and JWT (JSON Web Tokens) usage > +== How are set and used passwords and JWT in Apache OFBiz > +The Apache OFBiz Project > +Release 17.12 > + > +:imagesdir: ../../themes/common-theme/webapp/images/img/ > +ifdef::backend-pdf[] > +:title-logo-image: image::OFBiz-Logo.svg[Apache OFBiz Logo, pdfwidth=4.25in, align=center] > +:source-highlighter: rouge > +endif::[] > + > +=== Passwords > + > +Demo and seed passwords are stored in files loaded through security ofbiz-component.xml. 
To know more about that be sure to read: > + > + > +* https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guidehttp://url[The technical production setup guide] notably "Initial Data Loading" and "Security Settings" sections > +* https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deploymenthttp://url[How to secure your deployment] > + > +[CAUTION] > +These configuration steps are not to be neglected for the security of a *production environment* > + > +=== JWT usage > + > +https://en.wikipedia.org/wiki/JSON_Web_Token[As says Wikipedia]: > +____ > +JSON Web Token (JWT) is an Internet standard for creating JSON-based access tokens that assert some number of claims. > +____ > + > + > +We currently use JWT in 2 places: > + > +. To let users safely recreate passwords (in backend and frontend) > +. To allow SSO (Single Sig-on) jumpings from an OFBiz instance to another OFBiz instance on another domain, by also using https://en.wikipedia.org/wiki/Cross-origin_resource_sharing[CORS] ( > +Cross-origin resource sharing) on the target server > + > + > +==== How to secure JWT > +When you use JWT, in order to sign your tokens, you have the choice of using a sole so called secret key or a pair of public/private keys:https://jwt.io/introduction/. > + > +You might prefer to use pair of public/private keys, but by default OFBiz uses a secret key. Remains the way how to store this secret key. > + > +. The first idea which comes to mind is to use a property in the security.properties file. It's safe as long as your filesystem is not compromised. > +. You may also pick a SystemProperty entity. It's safe as long as your DB is not compromised. > +. 
We recommend to not use an environment variable to pass the uuid as those can be considered weak: > + > + http://movingfast.io/articles/environment-variables-considered-harmful/ > + https://security.stackexchange.com/questions/49725/is-it-really-secure-to-store-api-keys-in-environment-variables > + > + > + > +===== Properties > + > +The _security.properties_ file introduce two properties that control impersonation feature : > + > +=== Last but not least > +Be sure to read https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping OFBiz secure] > \ No newline at end of file > > Propchange: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc > ------------------------------------------------------------------------------ > svn:eol-style = native > > Propchange: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc > ------------------------------------------------------------------------------ > svn:keywords = Date Rev Author URL Id > > Propchange: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc > ------------------------------------------------------------------------------ > svn:mime-type = text/plain > > Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java > URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java?rev=1866255&r1=1866254&r2=1866255&view=diff > ============================================================================== > --- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java (original) > +++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java Mon Sep 2 07:05:08 2019 
> @@ -277,6 +277,9 @@ public class RequestHandler { > if (path.contains("/checkLogin/")) { > // Nested requests related with checkLogin uselessly clutter the log. There is nothing to worry about, better remove this wrong error message. > return; > + } else if (path.contains("/images/")) { > + if (Debug.warningOn()) Debug.logWarning("You should check if this request is really a problem or a false alarm: " + request.getRequestURL(), module); > + throw new RequestHandlerException(requestMissingErrorMessage); > } else { > throw new RequestHandlerException(requestMissingErrorMessage); > } > > > |
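Review bot: In the added sy-password-and-JWT.adoc, both links in the Passwords section are broken because a `http://url` template fragment is fused onto each target: `https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guidehttp://url[The technical production setup guide]` and `https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deploymenthttp://url[How to secure your deployment]`; dropping the `http://url` restores the `link[text]` form, otherwise readers following the production-setup guidance land on dead links. In the same file, the third item of the key-storage list is empty (a bare `. ` followed by `We recommend to not use an environment variable to pass the uuid`), and that sentence says `uuid` where the two preceding items discuss the secret key, so the item and the term should be reconciled; `Single Sig-on` should read `Single Sign-on`; and the `===== Properties` heading announces two `security.properties` properties that control impersonation but lists none. Since the file is acknowledged as an unfinished part of OFBIZ-10751, reverting it or marking it WIP until those gaps are filled would avoid shipping half-written security guidance.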
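Review bot: The new `else if (path.contains("/images/"))` branch in RequestHandler ends with the same `throw new RequestHandlerException(requestMissingErrorMessage)` as the `else` branch, so the throw is duplicated; a single `if (path.contains("/images/")) { ... logWarning ... }` placed before one unconditional throw says the same thing with less code to keep in sync. Two further points on the added lines: `path.contains("/images/")` is a substring match, so any request path with `/images/` anywhere in it gets the "maybe a false alarm" treatment, not only the `images` request named in the commit log, and the warning writes `request.getRequestURL()` to the log verbatim, so logging the already-computed `path` or a sanitized value would avoid copying raw client input into the log. The warning text ("You should check if this request is really a problem or a false alarm") would also help more if it named what to check, for instance the FormWidgetExamples case described in the log message.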