This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new d8025d4 Improved: Add security.internal.sso.enabled and security.token.key SystemProperties d8025d4 is described below commit d8025d41dc176b17800d74a6af004748c0a77a2f Author: Jacques Le Roux <[hidden email]> AuthorDate: Wed Apr 15 15:15:13 2020 +0200 Improved: Add security.internal.sso.enabled and security.token.key SystemProperties (OFBIZ-11594)(OFBIZ-11470) After adding more latitude to set same site by using EntityUtilProperties::getPropertyValueFromDelegatorName for retrieving the value possibly from the DB as a SystemProperty, adds the value as strict in SSOJWTDemoData.xml --- framework/security/data/SSOJWTDemoData.xml | 1 + .../docs/asciidoc/_include/sy-CSRF-defense.adoc | 59 ++++++++++++++++++++++ framework/security/src/docs/asciidoc/security.adoc | 1 + 3 files changed, 61 insertions(+) diff --git a/framework/security/data/SSOJWTDemoData.xml b/framework/security/data/SSOJWTDemoData.xml index e073747..5e0e882 100644 --- a/framework/security/data/SSOJWTDemoData.xml +++ b/framework/security/data/SSOJWTDemoData.xml @@ -21,4 +21,5 @@ under the License. <entity-engine-xml> <SystemProperty systemResourceId="security" systemPropertyId="security.internal.sso.enabled" systemPropertyValue="false"/> <SystemProperty systemResourceId="security" systemPropertyId="security.token.key" systemPropertyValue="security.token.key"/> + <SystemProperty systemResourceId="security" systemPropertyId="SameSiteCookieAttribute" systemPropertyValue="strict"/> </entity-engine-xml> diff --git a/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc b/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc new file mode 100644 index 0000000..2af0f48 --- /dev/null +++ b/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc 
@@ -0,0 +1,59 @@ +//// +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +//// + += CSRF defense +== How is done the CSRF defense in Apache OFBiz and how to adapt it if needed +The Apache OFBiz Project +Release 17.12 + +:imagesdir: ../../themes/common-theme/webapp/images/img/ +ifdef::backend-pdf[] +:title-logo-image: image::OFBiz-Logo.svg[Apache OFBiz Logo, pdfwidth=4.25in, align=center] +:source-highlighter: rouge +endif::[] + +=== Same-Site attribute is set to 'strict' for all cookies + +By default the SameSite value in SameSiteFilter is 'strict'. This property allows to change to 'lax' if needed +# -- If you use 'lax' we recommend that you set org.apache.ofbiz.security.CsrfDefenseStrategy for csrf.defense.strategy (see below) + + +===== Properties + +The _security.properties_ file contains five related properties: + + # -- If false, then no externalLoginKey parameters will be added to cross-webapp urls + security.login.externalLoginKey.enabled=true + + # -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality. + login.secret_key_string=login.secret_key_string + + # -- Time To Live of the token send to the external server in seconds, 10 seconds seems plenty enough OOTB. Custom projects might want set a lower value. 
+ security.jwt.token.expireTime=1800 + + # -- Enables the internal Single Sign On feature which allows a token based login between OFBiz instances + # -- To make this work you also have to configure a secret key with security.token.key + security.internal.sso.enabled=false + + # -- The secret key for the JWT token signature. Configuration in the SystemProperty entity is recommended for security reasons. + security.token.key=security.token.key + + +=== Last but not least +Be sure to read https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping OFBiz secure] \ No newline at end of file diff --git a/framework/security/src/docs/asciidoc/security.adoc b/framework/security/src/docs/asciidoc/security.adoc index b107242..a4b77c3 100644 --- a/framework/security/src/docs/asciidoc/security.adoc +++ b/framework/security/src/docs/asciidoc/security.adoc @@ -21,3 +21,4 @@ under the License. include::_include/sy-password-and-JWT.adoc[leveloffset=+1] include::_include/sy-impersonation.adoc[leveloffset=+1] +include::_include/sy-CSRF-defense.adoc[leveloffset=+1] |
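Review bot: in the SSOJWTDemoData.xml hunk the only added line is the SameSiteCookieAttribute SystemProperty; security.internal.sso.enabled and security.token.key are unchanged context lines, so the commit title ("Add security.internal.sso.enabled and security.token.key SystemProperties") describes the earlier change rather than this one, and a title naming SameSiteCookieAttribute would make the history easier to follow. Two further points on the same hunk: the new property has nothing to do with SSO or JWT, so a one-line XML comment saying why a cookie attribute is seeded from this file (or placing it beside the other SameSiteFilter configuration) would help the next reader; and the demo value for security.token.key is the literal string "security.token.key", the same placeholder as in security.properties, so an instance that loads this demo data signs its JWTs with a publicly known key. Since the new documentation recommends the SystemProperty entity as the place to configure that key, a comment here marking the value as demo-only and requiring replacement would close that gap.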
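Review bot: in the sy-CSRF-defense.adoc hunk the sentence "If you use 'lax' we recommend that you set org.apache.ofbiz.security.CsrfDefenseStrategy for csrf.defense.strategy (see below)" points at nothing, because no later part of the file describes csrf.defense.strategy, and the Same-Site section never names the property it is about (SameSiteCookieAttribute, per the demo data hunk) or which resource it is read from; both should be added so a reader can actually change the value. The "Properties" block that follows lists five login and JWT settings and not a single CSRF setting, which reads as copied from the password/JWT page; listing csrf.defense.strategy and the SameSite property instead would match the page title. Also in that block, the comment on security.jwt.token.expireTime says "10 seconds seems plenty enough OOTB" while the value shown is 1800, so one of the two should change. Smaller points: the stray "# -- If you use 'lax' ..." line is outside the indented literal block and will render as a paragraph beginning with "#"; the headings jump from "===" to "=====" with no level-4 heading in between; "How is done the CSRF defense in Apache OFBiz" should read "How CSRF defense is done in Apache OFBiz"; the file is committed to trunk but says "Release 17.12"; and the file lacks a trailing newline.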