[ https://issues.apache.org/jira/browse/OFBIZ-9833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16594702#comment-16594702 ]
Nicolas Malin commented on OFBIZ-9833:
--------------------------------------
Hello,
I reviewed the patch and this solution takes a good way :)
I found just the token generation a little weak; maybe we can improve this part with a multiple key generation:
* generate a key on the fly, stored in the database and enabled during the token lifetime
* use the key on security properties or resolve it from the Java keystore
* use the key stored on the delegator definition in entityengine.xml
* concat and hash them and use the result as the encryption key to generate the token
With this, to succeed in an attack you need to access the server files and the database continuously; otherwise, if a secret key is corrupted, all logins will be corrupted
A last point: the controller entries to use it are missing
Thanks for this work!
> Token Based Authentication
> --------------------------
>
> Key: OFBIZ-9833
> URL: https://issues.apache.org/jira/browse/OFBIZ-9833
> Project: OFBiz
> Issue Type: New Feature
> Components: framework
> Reporter: Deepak Dixit
> Assignee: Deepak Dixit
> Priority: Major
> Attachments: JSON Web Tokens.pdf, OFBIZ-9833-JWTManager.patch, Token Based Authentication in Apache OfBiz.pdf, Token Based Authentication.pdf, rfc7519.pdf
>
>
> Here is dev list discussion for token based authentication work:
>
> http://markmail.org/message/vyskeh2wujqpkbwg
--
This message was sent by Atlassian JIRA (v7.6.3#76005)
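The following is an added illustration of the multi-source key idea from the comment above; it is not code from the OFBIZ-9833 patch or from OFBiz, and it is written in Python rather than Java purely to keep the sketch short and self-contained. The three key sources (a database key with a lifetime, a key from security properties or a keystore, and the delegator key from entityengine.xml) are stand-ins with constructed values; `DbKeyStore`, `derive_signing_key`, `issue_token` and `verify_token` are hypothetical names, and the token layout is a minimal HS256 JWT, not the JWTManager from the patch.

```python
"""
Composite signing key: concatenate three independently stored secrets, hash
the result, and use the digest as the HMAC key for the token. Losing any one
secret (or the database key expiring) leaves an attacker unable to rebuild the
signing key. All values below are constructed for this example.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class DbKeyStore:
    """Stand-in for the key 'generated on the fly and stored in the database'.
    The key is only usable while its lifetime has not elapsed."""

    def __init__(self, lifetime_seconds: int):
        self.key = secrets.token_bytes(32)
        self.created = time.time()
        self.lifetime = lifetime_seconds

    def current(self, now: Optional[float] = None) -> Optional[bytes]:
        now = time.time() if now is None else now
        if now - self.created > self.lifetime:
            return None  # expired: no valid composite key can be derived from it
        return self.key


# Constructed stand-ins for the two file-based secrets named in the comment.
PROPERTIES_KEY = b"constructed-security-properties-key"   # security properties / keystore
DELEGATOR_KEY = b"constructed-entityengine-delegator-key"  # delegator in entityengine.xml


def derive_signing_key(db_key: bytes, properties_key: bytes, delegator_key: bytes) -> bytes:
    # Length-prefix each part before concatenating so that ("ab","c") and
    # ("a","bc") do not hash to the same key; then hash the whole thing.
    material = b"".join(
        len(k).to_bytes(2, "big") + k for k in (db_key, properties_key, delegator_key)
    )
    return hashlib.sha256(material).digest()


def issue_token(claims: dict, signing_key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(signing_key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str, signing_key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None  # reject 'none' and any algorithm the server did not choose
    expected = hmac.new(signing_key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    claims = json.loads(b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def demo(now: float = 1_000_000.0):
    """Issue a token, then show what happens with a partial key and an expired DB key."""
    db = DbKeyStore(lifetime_seconds=3600)
    db.created = now
    key = derive_signing_key(db.current(now), PROPERTIES_KEY, DELEGATOR_KEY)
    token = issue_token({"sub": "admin", "exp": now + 600}, key)
    valid = verify_token(token, key, now) is not None
    # Holding only the two file-based secrets is not enough to rebuild the key.
    partial_key = derive_signing_key(b"", PROPERTIES_KEY, DELEGATOR_KEY)
    accepted_with_partial_key = verify_token(token, partial_key, now) is not None
    # After the database key's lifetime, no composite key can be derived at all.
    db_key_expired = db.current(now + 7200) is None
    return valid, accepted_with_partial_key, db_key_expired


if __name__ == "__main__":
    print(demo())
```

The length-prefixed concatenation is the one detail worth carrying over if this is done in Java: a plain `key1 + key2 + key3` before hashing lets two different splits of the same bytes produce the same signing key, which weakens the "all three secrets are needed" property the comment is after.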