[ofbiz-framework] branch trunk updated: Improved: moves "10 seconds" comments from security.properties to CommonEvents.java


[ofbiz-framework] branch trunk updated: Improved: moves "10 seconds" comments from security.properties to CommonEvents.java

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new e1988a2  Improved: moves "10 seconds" comments from security.properties to CommonEvents.java
e1988a2 is described below

commit e1988a29c8503251bfa68756efafc0c4d44be53d
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Apr 13 11:40:58 2020 +0200

    Improved: moves "10 seconds" comments from security.properties to CommonEvents.java
   
    Also removes trailing blanks in security.properties
---
 .../java/org/apache/ofbiz/common/CommonEvents.java   |  1 +
 framework/security/config/security.properties        | 20 ++++++++++----------
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/framework/common/src/main/java/org/apache/ofbiz/common/CommonEvents.java b/framework/common/src/main/java/org/apache/ofbiz/common/CommonEvents.java
index f03a87d..9a48d62 100644
--- a/framework/common/src/main/java/org/apache/ofbiz/common/CommonEvents.java
+++ b/framework/common/src/main/java/org/apache/ofbiz/common/CommonEvents.java
@@ -402,6 +402,7 @@ public class CommonEvents {
         String securedUserLoginId = LoginWorker.getSecuredUserLoginId(request);
         if (securedUserLoginId != null) {
             types.put("userLoginId", securedUserLoginId);
+            // 10 seconds seems plenty enough OOTB. Custom projects might want set a lower value.
             int ttlSeconds = (int) Long.parseLong(EntityUtilProperties.getPropertyValue("security",
                     "security.jwt.token.expireTime", "10", delegator));
             String token = JWTManager.createJwt(delegator, types, ttlSeconds);
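Review bot: The added comment says 10 seconds is plenty out of the box, but the `"10"` on the following line is only the fallback used when `security.jwt.token.expireTime` is absent; the security.properties hunk in this same commit keeps `security.jwt.token.expireTime=1800`, so the effective OOTB lifetime of the token handed to the external server is 30 minutes, not 10 seconds. As written the comment misstates the token lifetime at the point where it matters most, and the remaining property-file comment no longer says where the value is read or what the fallback is. Suggest replacing the added line with `// Fallback TTL in seconds when security.jwt.token.expireTime is unset; security.properties ships 1800. Custom projects may want a lower value.` and, in the properties hunk, `# -- Time To Live in seconds of the token sent to the external server (CommonEvents falls back to 10 if unset)`. The enclosing method starts and ends outside the hunk.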
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 5e195a3..64dce02 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -30,24 +30,24 @@ security.login.password.pattern=^.*(?=.{5,}).*$
 security.login.password.pattern.description=loginservices.password_must_be_least_characters_long
 # -- For More restrictive pattern you can use the following, no localisation-
 #security.login.password.pattern=^.*(?=.{5,})(?=.*[a-zA-Z])(?=.*[!@#$%^&*]).*$
-#security.login.password.pattern.description=Your password must be 5 characters long, Only contains alphanumeric(number optional) and at least one from following special characters: !@#$%^&*.  
+#security.login.password.pattern.description=Your password must be 5 characters long, Only contains alphanumeric(number optional) and at least one from following special characters: !@#$%^&*.
 #    Only contains alphanumeric and the following special characters: !@#$%^&*
 #    Contains at least 1 of the special characters in the list above
 #    The required special character can appear anywhere in the string (for example: !abc, a!bc, abc!)
 #    minimum length 5 digit.
 # HELP
 # Start of group
-# (
+# (
 #   (?=.*\d)         #   must contains one digit from 0-9
 #   (?=.*[a-z])      #   must contains one lowercase characters
 #   (?=.*[A-Z])      #   must contains one uppercase characters
 #   (?=.*[!@#$%^&*]) #   must contains one special symbols in the list "!@#$%^&*"
 #   .                #   match anything with previous condition checking
 #   {5,20}           #   length at least 5 characters and maximum of 20
-#   {5,}             #   minimum length 5 chars and no linitation to max length.
+#   {5,}             #   minimum length 5 chars and no linitation to max length.
 # )
 # End of group
-# For further password patterns look at
+# For further password patterns look at
 # http://docs.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html#sum
 
 # -- disable the account after this many logins --
@@ -142,7 +142,7 @@ security.login.externalLoginKey.enabled=true
 #    Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
 login.secret_key_string=login.secret_key_string
 
-# -- Time To Live of the token send to the external server in seconds, 10 seconds seems plenty enough OOTB. Custom projects might want set a lower value.
+# -- Time To Live of the token send to the external server in seconds
 security.jwt.token.expireTime=1800
 
 # -- Enables the internal Single Sign On feature which allows a token based login between OFBiz instances
@@ -152,7 +152,7 @@ security.internal.sso.enabled=false
 # -- The secret key for the JWT token signature. Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
 security.token.key=security.token.key
 
-# -- List of domains or IP addresses to be checked to prevent Host Header Injection,
+# -- List of domains or IP addresses to be checked to prevent Host Header Injection,
 # -- no spaces after commas,no wildcard, can be extended of course...
 host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
 
@@ -160,7 +160,7 @@ host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable
 # -- If you use 'lax' we recommend that you set org.apache.ofbiz.security.CsrfDefenseStrategy for csrf.defense.strategy (see below)
 SameSiteCookieAttribute=
 
-# -- The cache size for the Tokens Maps that stores the CSRF tokens.
+# -- The cache size for the Tokens Maps that stores the CSRF tokens.
 # -- RemoveEldestEntry is used when it's get above csrf.cache.size
 # -- Default is 5000
 # -- TODO: separate tokenMap from partyTokenMap
@@ -169,14 +169,14 @@ csrf.cache.size=
 # -- Parameter name for CSRF token. Default is "csrf" if not specified
 csrf.tokenName.nonAjax=
 
-# -- The csrf.entity.request.limit is used to show how to avoid cluttering the Tokens Maps cache with URIs starting with "entity/"
+# -- The csrf.entity.request.limit is used to show how to avoid cluttering the Tokens Maps cache with URIs starting with "entity/"
 # -- It can be useful with large Database contents, ie with a large numbers of tuples, like "entity/edit/Agreement/10000, etc.
 # -- The same principle can be extended to other cases similar to "entity/" URIs (harcoded or using similar properties).
 # -- Default is 3
 csrf.entity.request.limit=
 
-# -- CSRF defense strategy.
+# -- CSRF defense strategy.
 # -- Because OFBiz OOTB also sets the SameSite attribute to 'strict' for all cookies,
 # -- default is org.apache.ofbiz.security.NoCsrfDefenseStrategy if not specified.
 # -- Use org.apache.ofbiz.security.CsrfDefenseStrategy if you want to use a 'lax' for SameSiteCookieAttribute
-csrf.defense.strategy=
\ No newline at end of file
+csrf.defense.strategy=