[ https://issues.apache.org/jira/browse/OFBIZ-9833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16370265#comment-16370265 ]
Jacques Le Roux commented on OFBIZ-9833:
----------------------------------------
Hi Jacopo,
bq. it is really a bad idea to store a secret key as a field of a Java class, even if the source file is removed from the server. In fact, Java byte code is very easy to read (e.g. all IDEs provide this feature). For this reason it is a bad idea to adopt out of the box this pattern as you did with ExternalLoginKeysManager.ExternalServerJwtMasterSecretKey
You are right, I did not think about that.
Now, as we need the same key on different servers, we can't dynamically create an ExternalServerJwtMasterSecretKey, it's only a one shot on one server. Also as explained at
https://security.stackexchange.com/questions/12332/where-to-store-a-server-side-encryption-key storing the key in a properties file, the DB, or anywhere accessible on the disk is not a solution (as bad as using an IDE to grab a Java class). Also of course using a proprietary solution is not possible OOTB for us.
I just had a look and maybe
https://github.com/auth0/java-jwt#using-a-keyprovider is a good solution. Else what would you suggest?
bq. I have other concerns about the design of this work but I don't have time to describe them at the moment, however I am wondering if you could revert your work and provide one complete patch (I know you have committed it in different revisions) that you can attach here or to a brand new ticket and then we could discuss around them; I think this would be the easiest way since you know exactly all the commits that are relevant.
That's possible but not this week. Nor the next, I'll be away. So I can't have a look before the beginning of the 10th week (around 5 March).
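The comment above asks whether the java-jwt KeyProvider pattern is a workable alternative to a key stored as a Java class field. The following is an added illustration, not code from OFBiz or from this ticket, of what that pattern looks like: a class implementing java-jwt's RSAKeyProvider that loads its key material at startup from a PKCS12 keystore whose path, password and alias are read from environment variables (the variable names OFBIZ_JWT_KEYSTORE, OFBIZ_JWT_KEYSTORE_PASSWORD and OFBIZ_JWT_KEY_ALIAS are assumptions for the example). It goes one step beyond the comment by using asymmetric keys: each server signs with its own private key and verifies tokens from peers with the public certificates it holds, keyed by the "kid" header, so no shared secret has to be compiled into bytecode or copied between servers.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;

import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical key provider for java-jwt: no key material lives in a class constant. */
public final class KeystoreJwtKeyProvider implements RSAKeyProvider {

    private final RSAPrivateKey privateKey;
    private final String privateKeyId;
    private final Map<String, RSAPublicKey> publicKeys;

    private KeystoreJwtKeyProvider(RSAPrivateKey privateKey, String privateKeyId,
                                   Map<String, RSAPublicKey> publicKeys) {
        this.privateKey = privateKey;
        this.privateKeyId = privateKeyId;
        this.publicKeys = publicKeys;
    }

    private static String require(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("environment variable " + name + " is not set");
        }
        return value;
    }

    /** Loads the signing key and all trusted public certificates from a PKCS12 keystore. */
    public static KeystoreJwtKeyProvider fromEnvironment() throws Exception {
        String path = require("OFBIZ_JWT_KEYSTORE");                      // assumed variable name
        char[] password = require("OFBIZ_JWT_KEYSTORE_PASSWORD").toCharArray(); // assumed variable name
        String alias = require("OFBIZ_JWT_KEY_ALIAS");                    // assumed variable name
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, password);
        }
        RSAPrivateKey priv = (RSAPrivateKey) ks.getKey(alias, password);
        Arrays.fill(password, '\0'); // password is no longer needed; scrub it from memory
        if (priv == null) {
            throw new IllegalStateException("no private key under alias " + alias);
        }
        // Every certificate in the store becomes a verification key, keyed by its alias,
        // so this server can verify tokens issued by peers whose public certs it holds.
        Map<String, RSAPublicKey> pubs = new HashMap<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String a = aliases.nextElement();
            Certificate cert = ks.getCertificate(a);
            if (cert != null && cert.getPublicKey() instanceof RSAPublicKey) {
                pubs.put(a, (RSAPublicKey) cert.getPublicKey());
            }
        }
        return new KeystoreJwtKeyProvider(priv, alias, pubs);
    }

    @Override
    public RSAPublicKey getPublicKeyById(String keyId) {
        // "kid" is null when the token header omits it: return null so java-jwt rejects
        // the token instead of falling back to a default key.
        return keyId == null ? null : publicKeys.get(keyId);
    }

    @Override
    public RSAPrivateKey getPrivateKey() { return privateKey; }

    @Override
    public String getPrivateKeyId() { return privateKeyId; }

    /** Issues a short-lived token; java-jwt sets the "kid" header from getPrivateKeyId(). */
    public String issue(String userLoginId, String issuer, long ttlSeconds) {
        Date now = new Date();
        return JWT.create()
                .withIssuer(issuer)
                .withSubject(userLoginId)
                .withIssuedAt(now)
                .withExpiresAt(new Date(now.getTime() + ttlSeconds * 1000L))
                .sign(Algorithm.RSA256(this));
    }

    /** Verifies signature, issuer and expiry; throws JWTVerificationException on any failure. */
    public DecodedJWT verify(String token, String issuer) {
        JWTVerifier verifier = JWT.require(Algorithm.RSA256(this)).withIssuer(issuer).build();
        return verifier.verify(token);
    }

    public static void main(String[] args) throws Exception {
        KeystoreJwtKeyProvider provider = fromEnvironment();
        String token = provider.issue("admin", "ofbiz-server-a", 300);
        DecodedJWT decoded = provider.verify(token, "ofbiz-server-a");
        System.out.println("verified subject: " + decoded.getSubject() + ", kid: " + decoded.getKeyId());
    }
}
```

The keystore itself still sits on disk, which the comment flags as a concern; what changes is that the password is never stored beside it and nothing secret is compiled into a class, so reading the bytecode with an IDE yields no key. Rotating a server's key then means replacing one keystore entry and redistributing only its public certificate, which the "kid" lookup resolves on the verifying side.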
> Token Based Authentication
> --------------------------
>
> Key: OFBIZ-9833
> URL: https://issues.apache.org/jira/browse/OFBIZ-9833
> Project: OFBiz
> Issue Type: New Feature
> Components: framework
> Reporter: Deepak Dixit
> Assignee: Deepak Dixit
> Priority: Major
> Attachments: JSON Web Tokens.pdf, OFBIZ-9833-external-server-test-example.patch, OFBIZ-9833-external-server-test-example.patch, OFBIZ-9833-external-server.patch, OFBIZ-9833-external-server.patch, OFBIZ-9833-external-server.patch, Token Based Authentication in Apache OfBiz.pdf, Token Based Authentication.pdf, rfc7519.pdf
>
>
> Here is dev list discussion for token based authentication work:
>
> http://markmail.org/message/vyskeh2wujqpkbwg
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)