This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a change to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.

    from d0144d9  Improved: Increase the size of http.upload.max.sizethreshold
     new a721ba7  Documented: fixes wrong indentations
     new bef4843  Improved: Update build.gradle to the latest dependencies

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 build.gradle                                       | 62 +++++++++++-----------
 .../docs/asciidoc/_include/sy-CSRF-defense.adoc    |  8 +--
 .../asciidoc/_include/sy-password-and-JWT.adoc     | 12 ++---
 3 files changed, 41 insertions(+), 41 deletions(-)
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit a721ba7557a6b474a66efa6de2600d8894330a15 Author: Jacques Le Roux <[hidden email]> AuthorDate: Mon Apr 20 18:57:58 2020 +0200 Documented: fixes wrong indentations --- .../security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc | 8 ++++---- .../src/docs/asciidoc/_include/sy-password-and-JWT.adoc | 12 ++++++------ 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc b/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc index 867150e..889c960 100644 --- a/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc +++ b/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc @@ -38,14 +38,14 @@ ____ By default OOTB the SameSiteFilter property sets the same-site attribute value to 'strict. SameSiteFilter allows to change to 'lax' if needed. If you use 'lax' we recommend that you set the csrf.defense.strategy property to org.apache.ofbiz.security.CsrfDefenseStrategy in order to provide an effective defense against CSRF attacks. -===== Properties +==== Properties The _security.properties_ file contains related properties: # -- By default the SameSite value in SameSiteFilter is 'strict'. # -- This property allows to change to 'lax' if needed. - # -- If you use 'lax' we recommend that you set - # -- org.apache.ofbiz.security.CsrfDefenseStrategy + # -- If you use 'lax' we recommend that you set + # -- org.apache.ofbiz.security.CsrfDefenseStrategy # -- for csrf.defense.strategy (see below) SameSiteCookieAttribute= 
@@ -68,7 +68,7 @@ The _security.properties_ file contains related properties: # -- Because OFBiz OOTB also sets the SameSite attribute to 'strict' for all cookies, # -- which is an effective CSRF defense, # -- default is org.apache.ofbiz.security.NoCsrfDefenseStrategy if not specified. - # -- Use org.apache.ofbiz.security.CsrfDefenseStrategy + # -- Use org.apache.ofbiz.security.CsrfDefenseStrategy # -- if you need to use a 'lax' for SameSiteCookieAttribute csrf.defense.strategy= diff --git a/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc b/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc index c1bdee4..684a3f9 100644 --- a/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc +++ b/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc 
@@ -55,12 +55,12 @@ Cross-origin resource sharing) on the target server ==== How to secure JWT -When you use JWT, in order to sign your tokens, you have the choice of using a sole so called secret key or a pair of public/private keys: https://jwt.io/introduction/. +When you use JWT, in order to sign your tokens, you have the choice of using a sole so called secret key or a pair of public/private keys: https://jwt.io/introduction/. You might prefer to use pair of public/private keys, for now by default OFBiz uses a simple secret key. Remains the way how to store this secret key. https://security.stackexchange.com/questions/87130/json-web-tokens-how-to-securely-store-the-key[This is an interesting introduction about this question]. -. The first idea which comes to mind is to use a property in the security.properties file. It's safe as long as your file system is not compromised. -. You may also pick a SystemProperty entity (overrides the file property). It's safe as long as your DB is not compromised. +. The first idea which comes to mind is to use a property in the security.properties file. It's safe as long as your file system is not compromised. +. You may also pick a SystemProperty entity (overrides the file property). It's safe as long as your DB is not compromised. . We recommend to not use an environment variable as those can be considered weak: * http://movingfast.io/articles/environment-variables-considered-harmful * https://security.stackexchange.com/questions/49725/is-it-really-secure-to-store-api-keys-in-environment-variables 
@@ -68,7 +68,7 @@ You might prefer to use pair of public/private keys, for now by default OFBiz us . You may want to tie the encryption key to the logged in user. This is used by the password recreation feature. The JWT secret key is salted with a combination of the current logged in user and her/his password. This is a simple and effective safe way. . Use a https://tools.ietf.org/html/rfc7519#section-4.1.7[JTI] (JWT ID). A JTI prevents a JWT from being replayed. This https://auth0.com/blog/blacklist-json-web-token-api-keys/http://url[auth0 blog article get deeper in that]. The same is kinda achieved with the password recreation feature. When the user log in after the new password creation, the password has already been changed. So the link (in the sent email) containing the JWT for the creation of the new password can't be reused. . Tie the encryption key to the hardware. You can refer to this https://en.wikipedia.org/wiki/Hardware_security_module[Wikipedia page] for more information. -. If you want to get deeper in this get to this https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Key_Management_Cheat_Sheet.md#user-content-storage[OWASP documentation] +. If you want to get deeper in this get to this https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Key_Management_Cheat_Sheet.md#user-content-storage[OWASP documentation] Note: if you want to use a pair of public/private keys you might want to consider leveraging the Java Key Store that is also used by the "catalina" component to store certificates. Then don't miss to read: 
@@ -112,7 +112,7 @@ The introduction of the same-site attribute set to 'strict' for all cookies prev So same-site attribute set to 'none' is necessary for the internal SSO to work, https://github.com/whatwg/fetch/issues/769['lax' is not enough]. So if someone wants to use the internal SSO feature s/he also needs to use the CSRF token defense. If s/he wants to be safe from CSRF attacks. Unfortunately, due backporting difficulties, this option is currently (2020-04-15) only available in trunk. -====== Fecth API +===== Fecth API An alternative would be to use the Fetch Javascript API with the [source] @@ -126,4 +126,4 @@ For those interested, there are more information in https://issues.apache.org/ji === Last but not least -Be sure to read https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping OFBiz secure] \ No newline at end of file +Be sure to read https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping OFBiz secure] |
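Review bot: the commit message says "fixes wrong indentations", but the @@ -38,14 +38,14 @@ hunk in sy-CSRF-defense.adoc also lowers the heading `===== Properties` to `==== Properties`, which changes the document outline rather than indentation and should be mentioned in the message. While this block is being edited, the unchanged context line `sets the same-site attribute value to 'strict.` is missing its closing quote and should read `'strict'.`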
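Review bot: the @@ -68,7 +68,7 @@ hunk of sy-password-and-JWT.adoc leaves a broken link target in its context lines: `https://auth0.com/blog/blacklist-json-web-token-api-keys/http://url[auth0 blog article get deeper in that]` has a stray `http://url` fused onto the URL, so the rendered link will not resolve; since this list is being reindented anyway, drop the stray fragment and make the link text read "this auth0 blog article goes deeper into that".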
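Review bot: the heading rewritten in the @@ -112,7 +112,7 @@ hunk of sy-password-and-JWT.adoc keeps the typo `Fecth API`; as the line is changed anyway, make it `===== Fetch API`. The unchanged context in the same hunk reads "due backporting difficulties", which should be "due to backporting difficulties".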
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit bef48434bbc24f8763ba0e01de3e0034df4cedbd Author: Jacques Le Roux <[hidden email]> AuthorDate: Tue Apr 21 12:00:25 2020 +0200 Improved: Update build.gradle to the latest dependencies (OFBIZ-11603) I tried to update to Groovy 3 but got a compile issue with commons-cli. I did not dig further. --- build.gradle | 62 ++++++++++++++++++++++++++++++------------------------------ 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/build.gradle b/build.gradle index 7d74769..8112d34 100644 --- a/build.gradle +++ b/build.gradle @@ -29,11 +29,11 @@ plugins { id 'eclipse' id 'checkstyle' id 'maven-publish' - id 'at.bxm.svntools' version '2.2.1' - id 'org.asciidoctor.convert' version '2.0.0' - id 'org.owasp.dependencycheck' version '5.3.2' apply false - id 'se.patrikerdes.use-latest-versions' version '0.2.12' apply false - id 'com.github.ben-manes.versions' version '0.27.0' apply false + id 'at.bxm.svntools' version '2.2.1' // Don't update as long as we don't use Java 11, it's needed by version 3 + id 'org.asciidoctor.convert' version '2.4.0' + id 'org.owasp.dependencycheck' version '5.3.2.1' apply false + id 'se.patrikerdes.use-latest-versions' version '0.2.13' apply false + id 'com.github.ben-manes.versions' version '0.28.0' apply false id "com.github.ManifestClasspath" version "0.1.0-RELEASE" } 
@@ -157,9 +157,9 @@ dependencies { implementation 'com.google.zxing:core:3.4.0' implementation 'com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru:1.4.2' implementation 'com.googlecode.ez-vcard:ez-vcard:0.9.10' - implementation 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20180219.1' - implementation 'com.googlecode.libphonenumber:libphonenumber:8.10.20' - implementation 'com.ibm.icu:icu4j:65.1' + implementation 'com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:1.1' + implementation 'com.googlecode.libphonenumber:libphonenumber:8.12.1' + implementation 'com.ibm.icu:icu4j:66.1' implementation 'com.lowagie:itext:2.1.7' // Don't update due to license change in newer versions, see OFBIZ-10455 implementation 'com.sun.mail:javax.mail:1.6.2' implementation 'com.sun.syndication:com.springsource.com.sun.syndication:0.9.0' 
@@ -175,42 +175,42 @@ dependencies { implementation 'org.apache.commons:commons-text:1.8' implementation 'org.apache.geronimo.components:geronimo-transaction:3.1.4' implementation 'org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1' - implementation 'org.apache.httpcomponents:httpclient-cache:4.5.10' - implementation 'org.apache.logging.log4j:log4j-api:2.12.1' // the API of log4j 2 - implementation 'org.apache.poi:poi:4.1.0' - implementation 'org.apache.shiro:shiro-core:1.4.1' - implementation 'org.apache.sshd:sshd-core:1.7.0' - implementation 'org.apache.tika:tika-parsers:1.22' - implementation 'org.apache.tomcat:tomcat-catalina-ha:9.0.31' // Remember to change the version number in javadoc block - implementation 'org.apache.tomcat:tomcat-jasper:9.0.31' + implementation 'org.apache.httpcomponents:httpclient-cache:4.5.12' + implementation 'org.apache.logging.log4j:log4j-api:2.13.1' // the API of log4j 2 + implementation 'org.apache.poi:poi:4.1.2' + implementation 'org.apache.shiro:shiro-core:1.5.2' + implementation 'org.apache.sshd:sshd-core:1.7.0' // So far we did not update from 1.7.0 because of a compile issue. You may try w/ a newer version than 2.4.0 + implementation 'org.apache.tika:tika-parsers:1.24' + implementation 'org.apache.tomcat:tomcat-catalina-ha:9.0.34' // Remember to change the version number in javadoc block + implementation 'org.apache.tomcat:tomcat-jasper:9.0.34' implementation 'org.apache.axis2:axis2-kernel:1.7.9' - implementation 'org.apache.xmlgraphics:fop:2.3' + implementation 'org.apache.xmlgraphics:fop:2.3' // NOTE: in 2.4 dependencies are messed up. See https://github.com/moqui/moqui-fop/blob/master/build.gradle implementation 'org.apache.xmlrpc:xmlrpc-client:3.1.3' implementation 'org.apache.xmlrpc:xmlrpc-server:3.1.3' - implementation 'org.codehaus.groovy:groovy-all:2.5.8' // Remember to change the version number in javadoc block + implementation 'org.codehaus.groovy:groovy-all:2.5.8' // Compile issue with commons-cli and Groovy 3. 
Remember to change the version number in javadoc block. implementation 'org.freemarker:freemarker:2.3.30' // Remember to change the version number in FreeMarkerWorker class when upgrading. See OFBIZ-10019 if >= 2.4 implementation 'org.owasp.esapi:esapi:2.2.0.0' - implementation 'org.springframework:spring-test:5.2.0.RELEASE' + implementation 'org.springframework:spring-test:5.2.5.RELEASE' implementation 'org.zapodot:jackson-databind-java-optional:2.6.1' implementation 'oro:oro:2.0.8' implementation 'wsdl4j:wsdl4j:1.6.3' - implementation 'com.auth0:java-jwt:3.8.3' + implementation 'com.auth0:java-jwt:3.10.2' testImplementation 'org.hamcrest:hamcrest-library:2.2' // Enable junit4 to not depend on hamcrest-1.3 - testImplementation 'org.mockito:mockito-core:3.2.0' + testImplementation 'org.mockito:mockito-core:3.3.3' testImplementation 'org.jmockit:jmockit:1.49' - testImplementation 'com.pholser:junit-quickcheck-generators:0.9' + testImplementation 'com.pholser:junit-quickcheck-generators:0.9.1' runtimeOnly 'javax.xml.soap:javax.xml.soap-api:1.4.0' runtimeOnly 'de.odysseus.juel:juel-spi:2.2.7' runtimeOnly 'net.sf.barcode4j:barcode4j-fop-ext:2.1' runtimeOnly 'net.sf.barcode4j:barcode4j:2.1' runtimeOnly 'org.apache.axis2:axis2-transport-http:1.7.9' runtimeOnly 'org.apache.axis2:axis2-transport-local:1.7.9' - runtimeOnly 'org.apache.derby:derby:10.14.2.0' + runtimeOnly 'org.apache.derby:derby:10.14.2.0' // So far we did not update from 10.14.2.0 because of a compile issue. 
You may try w/ a newer version than 10.15.1.3 runtimeOnly 'org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:1.1' - runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.12.1' // for external jars using the old log4j1.2: routes logging to log4j 2 - runtimeOnly 'org.apache.logging.log4j:log4j-core:2.12.1' // the implementation of the log4j 2 API - runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.12.1' // for external jars using the java.util.logging: routes logging to log4j 2 - runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.12.1' // for external jars using slf4j: routes logging to log4j 2 + runtimeOnly 'org.apache.logging.log4j:log4j-1.2-api:2.13.1' // for external jars using the old log4j1.2: routes logging to log4j 2 + runtimeOnly 'org.apache.logging.log4j:log4j-core:2.13.1' // the implementation of the log4j 2 API + runtimeOnly 'org.apache.logging.log4j:log4j-jul:2.13.1' // for external jars using the java.util.logging: routes logging to log4j 2 + runtimeOnly 'org.apache.logging.log4j:log4j-slf4j-impl:2.13.1' // for external jars using slf4j: routes logging to log4j 2 runtimeOnly 'org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380' // Dependencies defined by the plugins @@ -220,10 +220,10 @@ dependencies { compileOnly project(path: subProject.path, configuration: 'pluginLibsCompileOnly') } - junitReport 'junit:junit:4.12' + junitReport 'junit:junit:4.13' junitReport 'org.apache.ant:ant-junit:1.10.7' - asciidoctor 'org.asciidoctor:asciidoctorj-pdf:1.5.0-alpha.16' - asciidoctor 'org.jruby:jruby-complete:9.2.8.0' // bug workaround - see OFBIZ-9873 + asciidoctor 'org.asciidoctor:asciidoctorj-pdf:1.5.3' + asciidoctor 'org.jruby:jruby-complete:9.2.11.1' // bug workaround - see OFBIZ-9873 // Libraries downloaded manually implementation fileTree(dir: file("${rootDir}/lib"), include: '**/*.jar') 
@@ -286,7 +286,7 @@ checkstyle { // the sum of errors found last time it was changed after using the // ‘checkstyle’ tool present in the framework and in the official // plugins. - tasks.checkstyleMain.maxErrors = 36910 + tasks.checkstyleMain.maxErrors = 36902 // Currently there are a lot of errors so we need to temporarily // hide them to avoid polluting the terminal output. showViolations = false |
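Review bot: in the @@ -157,9 +157,9 @@ hunk, `owasp-java-html-sanitizer` moves from the date-based version `20180219.1` to `1.1`, which Gradle's version ordering treats as lower, not newer; please confirm that `1.1` is really a later release of this artifact and not an older or unrelated coordinate picked up by an automated "latest version" check, since this is a security-relevant sanitization library and a silent downgrade would be easy to miss.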
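Review bot: the @@ -175,42 +175,42 @@ hunk bumps tomcat-catalina-ha and tomcat-jasper to 9.0.34 and keeps the comment "Remember to change the version number in javadoc block", yet no hunk in this diff touches such a block and the diffstat lists build.gradle alone; either update that block in the same commit or state that it was deliberately left. The new sshd-core comment is also ambiguous: "did not update from 1.7.0 because of a compile issue. You may try w/ a newer version than 2.4.0" reads as if 2.4.0 is the version that failed, which is clearer stated directly (e.g. "versions up to 2.4.0 fail to compile"); the derby comment in the same hunk has the same problem with 10.15.1.3.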
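Review bot: the @@ -286,7 +286,7 @@ hunk lowers `tasks.checkstyleMain.maxErrors` from 36910 to 36902, which is unrelated to the dependency update the commit message announces and is not explained by any other hunk here; say in the message what reduced the error count so the threshold change stays traceable, or split it into its own commit.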