This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new 3566bd3 Fixed: fixes wrong wiki URLs 3566bd3 is described below commit 3566bd3ff8732d4a30a29a0cec25c1a4caf8b7f5 Author: Jacques Le Roux <[hidden email]> AuthorDate: Mon Feb 22 11:26:21 2021 +0100 Fixed: fixes wrong wiki URLs --- .../src/docs/asciidoc/_include/sy-password-and-JWT.adoc | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc b/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc index e991241..85c07f8 100644 --- a/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc +++ b/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc @@ -33,8 +33,8 @@ endif::[] Demo and seed passwords are stored in files loaded through security ofbiz-component.xml. To know more about that be sure to read: -* https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guidehttp://url[The technical production setup guide] notably "Initial Data Loading" and "Security Settings" sections -* https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deploymenthttp://url[How to secure your deployment] +* https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guide[The technical production setup guide] notably "Initial Data Loading" and "Security Settings" sections +* https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deployment[How to secure your deployment] [CAUTION] These configuration steps are not to be neglected for the security of a *production environment* @@ -55,20 +55,20 @@ Cross-origin resource sharing) on the target server ==== How to secure JWT -When you use JWT, in order to sign your tokens, you have the choice of using a sole so called secret key or a pair of public/private keys: https://jwt.io/introduction/. +When you use JWT, in order to sign your tokens, you have the choice of using a sole so called secret key or a pair of public/private keys: https://jwt.io/introduction/. You might prefer to use pair of public/private keys, for now by default OFBiz uses a simple secret key. Remains the way how to store this secret key. https://security.stackexchange.com/questions/87130/json-web-tokens-how-to-securely-store-the-key[This is an interesting introduction about this question]. -. The first idea which comes to mind is to use a property in the security.properties file. It's safe as long as your file system is not compromised. -. You may also pick a SystemProperty entity (overrides the file property). It's safe as long as your DB is not compromised. +. The first idea which comes to mind is to use a property in the security.properties file. It's safe as long as your file system is not compromised. +. You may also pick a SystemProperty entity (overrides the file property). It's safe as long as your DB is not compromised. . We recommend to not use an environment variable as those can be considered weak: * http://movingfast.io/articles/environment-variables-considered-harmful * https://security.stackexchange.com/questions/49725/is-it-really-secure-to-store-api-keys-in-environment-variables . You may want to tie the encryption key to the logged in user. This is used by the password recreation feature. The JWT secret key is salted with a combination of the current logged in user and her/his password. This is a simple and effective safe way. -. Use a https://tools.ietf.org/html/rfc7519#section-4.1.7[JTI] (JWT ID). A JTI prevents a JWT from being replayed. This https://auth0.com/blog/blacklist-json-web-token-api-keys/http://url[auth0 blog article get deeper in that]. The same is kinda achieved with the password recreation feature. When the user log in after the new password creation, the password has already been changed. So the link (in the sent email) containing the JWT for the creation of the new password can't be reused. +. Use a https://tools.ietf.org/html/rfc7519#section-4.1.7[JTI] (JWT ID). A JTI prevents a JWT from being replayed. This https://auth0.com/blog/blacklist-json-web-token-api-keys[auth0 blog article get deeper in that]. The same is kinda achieved with the password recreation feature. When the user log in after the new password creation, the password has already been changed. So the link (in the sent email) containing the JWT for the creation of the new password can't be reused. . Tie the encryption key to the hardware. You can refer to this https://en.wikipedia.org/wiki/Hardware_security_module[Wikipedia page] for more information. -. If you want to get deeper in this get to this https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Key_Management_Cheat_Sheet.md#user-content-storage[OWASP documentation] +. If you want to get deeper in this get to this https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Key_Management_Cheat_Sheet.md#user-content-storage[OWASP documentation] Note: if you want to use a pair of public/private keys you might want to consider leveraging the Java Key Store that is also used by the "catalina" component to store certificates. Then don't miss to read: @@ -99,4 +99,4 @@ The _security.properties_ file contains five related properties: === Last but not least -Be sure to read https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping OFBiz secure] \ No newline at end of file +Be sure to read https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping OFBiz secure] |
Free forum by Nabble | Edit this page |