svn commit: r1814352 - in /ofbiz/branches/release16.11: ./ applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java framework/security/config/security.properties

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

svn commit: r1814352 - in /ofbiz/branches/release16.11: ./ applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java framework/security/config/security.properties

jleroux@apache.org
Author: jleroux
Date: Sun Nov  5 12:32:40 2017
New Revision: 1814352

URL: http://svn.apache.org/viewvc?rev=1814352&view=rev
Log:
"Applied fix from trunk framework for revision: 1814349  "
------------------------------------------------------------------------
r1814349 | jleroux | 2017-11-05 12:28:42 +0100 (dim., 05 nov. 2017) | 12 lines

Fixed: Secure the login.secret_key_string
(OFBIZ-9966)

When OFBIZ-4983 was implemented I missed that we put the login.secret_key_string
 as a property in security properties. This should not have been because it
eases attackers work.

The recommended way is to have it as a private static final String that can be
changed just when compiling using sed and uuidgen. So then the key is temporay
and final and it gets quite harder for a possible attacker to use this mean.


------------------------------------------------------------------------


Modified:
    ofbiz/branches/release16.11/   (props changed)
    ofbiz/branches/release16.11/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
    ofbiz/branches/release16.11/framework/security/config/security.properties

Propchange: ofbiz/branches/release16.11/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sun Nov  5 12:32:40 2017
@@ -10,5 +10,5 @@
 /ofbiz/branches/json-integration-refactoring:1634077-1635900
 /ofbiz/branches/multitenant20100310:921280-927264
 /ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801318-1801319,1801336,1801340,1801346,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319
+/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801318-1801319,1801336,1801340,1801346,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349
 /ofbiz/trunk:1770481,1770490,1770540,1771440,1771448,1771516,1771935,1772346,1772880,1774772,1775441,1779724,1780659,1781109,1781125,1781979,1782498,1782520

Modified: ofbiz/branches/release16.11/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java?rev=1814352&r1=1814351&r2=1814352&view=diff
==============================================================================
--- ofbiz/branches/release16.11/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java (original)
+++ ofbiz/branches/release16.11/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java Sun Nov  5 12:32:40 2017
@@ -65,7 +65,12 @@ public class LoginEvents {
     public static final String module = LoginEvents.class.getName();
     public static final String resource = "SecurityextUiLabels";
     public static final String usernameCookieName = "OFBiz.Username";
-    private static final String keyValue = UtilProperties.getPropertyValue(LoginWorker.securityProperties, "login.secret_key_string");
+    // OOTB the loginSecretKeyString is not properly initialised and can not be OOTB.
+    // The best way to create the loginSecretKeyString is to use a temporary way to load in a static final key when compiling.
+    // This is simple and most secure. One of the proposed way is to use sed and uuidgen to modify the loginSecretKeyString value
+    // The magic words here are TEMPORARY and FINAL!
+    private static final String loginSecretKeyString = "loginSecretKeyString";
+    
     /**
      * Save USERNAME and PASSWORD for use by auth pages even if we start in non-auth pages.
      *
@@ -249,7 +254,7 @@ public class LoginEvents {
                 autoPassword = RandomStringUtils.randomAlphanumeric(EntityUtilProperties.getPropertyAsInteger("security", "password.length.min", 5).intValue());
                 EntityCrypto entityCrypto = new EntityCrypto(delegator,null);
                 try {
-                    passwordToSend = entityCrypto.encrypt(keyValue, EncryptMethod.TRUE, (Object) autoPassword);
+                    passwordToSend = entityCrypto.encrypt(loginSecretKeyString, EncryptMethod.TRUE, autoPassword);
                 } catch (GeneralException e) {
                     Debug.logWarning(e, "Problem in encryption", module);
                 }

Modified: ofbiz/branches/release16.11/framework/security/config/security.properties
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/framework/security/config/security.properties?rev=1814352&r1=1814351&r2=1814352&view=diff
==============================================================================
--- ofbiz/branches/release16.11/framework/security/config/security.properties (original)
+++ ofbiz/branches/release16.11/framework/security/config/security.properties Sun Nov  5 12:32:40 2017
@@ -122,7 +122,5 @@ protect-view.preprocessor=java.org.apach
 #default.error.response.view=none:
 default.error.response.view=view:viewBlocked
 
-# If false, then no externalLoginKey parameters will be added to cross-webapp urls
+# -- If false, then no externalLoginKey parameters will be added to cross-webapp urls
 security.login.externalLoginKey.enabled=true
-#Security key used to encrypt and decrypt the autogenerated password in forgot password functionality.
-login.secret_key_string=Secret Key
\ No newline at end of file