This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository
https://gitbox.apache.org/repos/asf/ofbiz-framework.gitThe following commit(s) were added to refs/heads/trunk by this push:
new 07a472f Documented: improves security.properties documentation
07a472f is described below
commit 07a472f89c9b30b525bac099ee90e3e4ffd90ea4
Author: Jacques Le Roux <
[hidden email]>
AuthorDate: Wed Apr 15 19:31:51 2020 +0200
Documented: improves security.properties documentation
---
framework/security/config/security.properties | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 64dce02..52fbf08 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -156,14 +156,17 @@ security.token.key=security.token.key
# -- no spaces after commas,no wildcard, can be extended of course...
host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
-# -- By default the SameSite value in SameSiteFilter is 'strict'. This property allows to change to 'lax' if needed
-# -- If you use 'lax' we recommend that you set org.apache.ofbiz.security.CsrfDefenseStrategy for csrf.defense.strategy (see below)
+# -- By default the SameSite value in SameSiteFilter is 'strict'.
+# -- This property allows to change to 'lax' if needed.
+# -- If you use 'lax' we recommend that you set
+# -- org.apache.ofbiz.security.CsrfDefenseStrategy
+# -- for csrf.defense.strategy (see below)
SameSiteCookieAttribute=
# -- The cache size for the Tokens Maps that stores the CSRF tokens.
# -- RemoveEldestEntry is used when it's get above csrf.cache.size
# -- Default is 5000
-# -- TODO: separate tokenMap from partyTokenMap
+# -- TODO: possibly separate tokenMap size from partyTokenMap size
csrf.cache.size=
# -- Parameter name for CSRF token. Default is "csrf" if not specified
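Review bot: The rewritten comment above `SameSiteCookieAttribute=` still does not say which values the property accepts or what leaving it empty resolves to, so an operator cannot tell from this file whether a blank value means 'strict' or no SameSite attribute at all. I would add a line such as `# -- Accepted values: 'strict' (assumed when left empty) or 'lax'` — confirm the exact set that SameSiteFilter parses before committing to that wording. It is also worth stating that the SameSite attribute is only enforced by browsers that implement it, so older clients get no CSRF protection from 'strict' alone; that caveat is what justifies the recommendation to configure `org.apache.ofbiz.security.CsrfDefenseStrategy` rather than relying on the cookie attribute. The reworded TODO on `csrf.cache.size=` still leaves the current behavior implicit; a short note that the single value presently bounds both tokenMap and partyTokenMap would make the limit clear to whoever tunes it.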
@@ -177,6 +180,8 @@ csrf.entity.request.limit=
# -- CSRF defense strategy.
# -- Because OFBiz OOTB also sets the SameSite attribute to 'strict' for all cookies,
+# -- which is an effective CSRF defense,
# -- default is org.apache.ofbiz.security.NoCsrfDefenseStrategy if not specified.
-# -- Use org.apache.ofbiz.security.CsrfDefenseStrategy if you want to use a 'lax' for SameSiteCookieAttribute
+# -- Use org.apache.ofbiz.security.CsrfDefenseStrategy
+# -- if you need to use a 'lax' for SameSiteCookieAttribute
csrf.defense.strategy=