This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new fdb995f Documented: adds CSRF defense and updates password and JWT fdb995f is described below commit fdb995fd501876dd2293de1d85ce45e5f287ae70 Author: Jacques Le Roux <[hidden email]> AuthorDate: Wed Apr 15 19:30:53 2020 +0200 Documented: adds CSRF defense and updates password and JWT --- .../docs/asciidoc/_include/sy-CSRF-defense.adoc | 68 ++++++++++++++-------- .../asciidoc/_include/sy-password-and-JWT.adoc | 31 +++++++++- 2 files changed, 73 insertions(+), 26 deletions(-) diff --git a/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc b/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc index 2af0f48..867150e 100644 --- a/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc +++ b/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc 
@@ -28,32 +28,52 @@ ifdef::backend-pdf[] :source-highlighter: rouge endif::[] -=== Same-Site attribute is set to 'strict' for all cookies +=== The same-Site attribute -By default the SameSite value in SameSiteFilter is 'strict'. This property allows to change to 'lax' if needed -# -- If you use 'lax' we recommend that you set org.apache.ofbiz.security.CsrfDefenseStrategy for csrf.defense.strategy (see below) +[quote,According to OWASP ZAP] +____ +The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks. +____ +By default OOTB the SameSiteFilter property sets the same-site attribute value to 'strict. SameSiteFilter allows to change to 'lax' if needed. If you use 'lax' we recommend that you set the csrf.defense.strategy property to org.apache.ofbiz.security.CsrfDefenseStrategy in order to provide an effective defense against CSRF attacks. -===== Properties - -The _security.properties_ file contains five related properties: - - # -- If false, then no externalLoginKey parameters will be added to cross-webapp urls - security.login.externalLoginKey.enabled=true - - # -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality. - login.secret_key_string=login.secret_key_string - - # -- Time To Live of the token send to the external server in seconds, 10 seconds seems plenty enough OOTB. Custom projects might want set a lower value. - security.jwt.token.expireTime=1800 - - # -- Enables the internal Single Sign On feature which allows a token based login between OFBiz instances - # -- To make this work you also have to configure a secret key with security.token.key - security.internal.sso.enabled=false - - # -- The secret key for the JWT token signature. Configuration in the SystemProperty entity is recommended for security reasons. 
- security.token.key=security.token.key +===== Properties -=== Last but not least -Be sure to read https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping OFBiz secure] \ No newline at end of file +The _security.properties_ file contains related properties: + + # -- By default the SameSite value in SameSiteFilter is 'strict'. + # -- This property allows to change to 'lax' if needed. + # -- If you use 'lax' we recommend that you set + # -- org.apache.ofbiz.security.CsrfDefenseStrategy + # -- for csrf.defense.strategy (see below) + SameSiteCookieAttribute= + + # -- The cache size for the Tokens Maps that stores the CSRF tokens. + # -- RemoveEldestEntry is used when it's get above csrf.cache.size + # -- Default is 5000 + # -- TODO: possibly separate tokenMap size from partyTokenMap size + csrf.cache.size= + + # -- Parameter name for CSRF token. Default is "csrf" if not specified + csrf.tokenName.nonAjax= + + # -- The csrf.entity.request.limit is used to show how to avoid cluttering the Tokens Maps cache with URIs starting with "entity/" + # -- It can be useful with large Database contents, ie with a large numbers of tuples, like "entity/edit/Agreement/10000, etc. + # -- The same principle can be extended to other cases similar to "entity/" URIs (harcoded or using similar properties). + # -- Default is 3 + csrf.entity.request.limit= + + # -- CSRF defense strategy. + # -- Because OFBiz OOTB also sets the SameSite attribute to 'strict' for all cookies, + # -- which is an effective CSRF defense, + # -- default is org.apache.ofbiz.security.NoCsrfDefenseStrategy if not specified. + # -- Use org.apache.ofbiz.security.CsrfDefenseStrategy + # -- if you need to use a 'lax' for SameSiteCookieAttribute + csrf.defense.strategy= + +There is also a SystemProperty in __SSOJWTDemoData.xml__: +[source,xml] +---- +<SystemProperty systemResourceId="security" systemPropertyId="SameSiteCookieAttribute" systemPropertyValue="strict"/> +---- 
diff --git a/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc b/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc index e1ebcf2..c1bdee4 100644 --- a/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc +++ b/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc 
@@ -85,18 +85,45 @@ The _security.properties_ file contains five related properties: security.login.externalLoginKey.enabled=true # -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality. + # Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key login.secret_key_string=login.secret_key_string - # -- Time To Live of the token send to the external server in seconds, 10 seconds seems plenty enough OOTB. Custom projects might want set a lower value. + # -- Time To Live of the token send to the external server in seconds security.jwt.token.expireTime=1800 # -- Enables the internal Single Sign On feature which allows a token based login between OFBiz instances # -- To make this work you also have to configure a secret key with security.token.key security.internal.sso.enabled=false - # -- The secret key for the JWT token signature. Configuration in the SystemProperty entity is recommended for security reasons. + # -- The secret key for the JWT token signature. Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key security.token.key=security.token.key +There are also SSO related SystemProperties in __SSOJWTDemoData.xml__: +[source,xml] +---- + <SystemProperty systemResourceId="security" systemPropertyId="security.internal.sso.enabled" systemPropertyValue="false"/> + <SystemProperty systemResourceId="security" systemPropertyId="security.token.key" systemPropertyValue="security.token.key"/> + <SystemProperty systemResourceId="security" systemPropertyId="SameSiteCookieAttribute" systemPropertyValue="strict"/> +---- + +==== Internal SSO +The introduction of the same-site attribute set to 'strict' for all cookies prevents the internal Single Sign On feature. Why is clearly explained https://web.dev/samesite-cookies-explained[here]. 
+ +So same-site attribute set to 'none' is necessary for the internal SSO to work, https://github.com/whatwg/fetch/issues/769['lax' is not enough]. So if someone wants to use the internal SSO feature s/he also needs to use the CSRF token defense. If s/he wants to be safe from CSRF attacks. Unfortunately, due backporting difficulties, this option is currently (2020-04-15) only available in trunk. + +====== Fecth API +An alternative would be to use the Fetch Javascript API with the + +[source] +---- +credentials: "include" +---- +option https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API#Differences_from_jQuery[to enable CORS]. https://javascript.info/fetch-crossorigin#credentials[Here is an example] + +For those interested, there are more information in https://issues.apache.org/jira/browse/OFBIZ-11594 + + + === Last but not least Be sure to read https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping OFBiz secure] \ No newline at end of file |
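Review bot: in the sy-CSRF-defense.adoc hunk, the `csrf.defense.strategy` comment documents a default of org.apache.ofbiz.security.NoCsrfDefenseStrategy that is only acceptable because `SameSiteCookieAttribute` defaults to 'strict', yet the two properties are listed as separate empty entries (`SameSiteCookieAttribute=`, `csrf.defense.strategy=`), so an operator who relaxes the first to 'lax' can miss that the second has to change with it. Suggest printing the effective defaults the comments already state in the listing itself (`SameSiteCookieAttribute=strict`, `csrf.defense.strategy=org.apache.ofbiz.security.NoCsrfDefenseStrategy`, `csrf.cache.size=5000`, `csrf.entity.request.limit=3`, `csrf.tokenName.nonAjax=csrf`) and adding one sentence under "Properties" that the two settings are coupled. Smaller fixes in the same hunk: the closing quote is missing in "value to 'strict.", "harcoded" should be "hardcoded", "it's get above" should be "it gets above", the heading "The same-Site attribute" should spell the attribute "SameSite" as the rest of the text does, and the outline jumps from `===` to `=====`, skipping a level.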
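Review bot: in the sy-password-and-JWT.adoc hunk, the added SystemProperty sample ships `security.token.key` with the literal value "security.token.key" (and the context line above keeps `login.secret_key_string=login.secret_key_string`), while the new comments only say to read the documentation on where to store the key; neither says that these placeholder values must be replaced with real secrets before `security.internal.sso.enabled` is switched on, so a reader copying the XML as-is would sign JWTs with a published key. Suggest saying so in both comments, e.g. "# -- Placeholder value: replace with a secret before enabling internal SSO". Two points in the "Internal SSO" text also need a sentence: it says SameSite 'none' is required for internal SSO while the sample SystemProperty on the same page sets 'strict', so state which value the demo data expects and note that current browsers reject SameSite=None cookies that lack the Secure attribute; and the "Fetch API" paragraph presents `credentials: "include"` as an alternative, but that option only controls whether the browser attaches credentials to a cross-origin request and does not override SameSite, so it is not a substitute for changing the attribute. Wording fixes: "Fecth API" should be "Fetch API" and its `======` heading skips a level after `====`, "the token send to" should be "sent", "due backporting difficulties" should be "due to backporting difficulties", "there are more information" should be "there is more information", "If s/he wants to be safe from CSRF attacks." is a fragment belonging to the previous sentence, and the new "# Read Passwords and JWT" comment line should use the "# --" prefix the surrounding comment lines use.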