Author: jleroux
Date: Mon Nov 6 10:51:57 2017
New Revision: 1814392
URL:
http://svn.apache.org/viewvc?rev=1814392&view=revLog:
Reverted: Secure the login.secret_key_string
(OFBIZ-9966)
Before having a discussion about the security of this, reverts on
Michael's request on dev ML
Modified:
ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
Modified: ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
URL:
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java?rev=1814392&r1=1814391&r2=1814392&view=diff==============================================================================
--- ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java (original)
+++ ofbiz/ofbiz-framework/trunk/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java Mon Nov 6 10:51:57 2017
@@ -69,13 +69,7 @@ public class LoginEvents {
public static final String module = LoginEvents.class.getName();
public static final String resource = "SecurityextUiLabels";
public static final String usernameCookieName = "OFBiz.Username";
- // OOTB the loginSecretKeyString is not properly initialised and can not be OOTB.
- // The best way to create the loginSecretKeyString is to use a temporary way to load in a static final key when compiling.
- // This is simple and most secure. One of the proposed way is to use sed and uuidgen to modify the loginSecretKeyString value
- // This: sed -i /loginSecretKeyString/s//$(uuidgen)/\2 applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
- // The magic words here are TEMPORARY and FINAL!
- private static final String loginSecretKeyString = "loginSecretKeyString";
-
+ private static final String keyValue = UtilProperties.getPropertyValue(LoginWorker.securityProperties, "login.secret_key_string");
/**
* Save USERNAME and PASSWORD for use by auth pages even if we start in non-auth pages.
*
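Review bot: `keyValue` on the added line is resolved once, at class initialisation, and nothing checks that `login.secret_key_string` is actually present in `LoginWorker.securityProperties`; if `UtilProperties.getPropertyValue` falls back to an empty string for a missing key (as I read it), that empty string silently becomes the key name handed to `entityCrypto.encrypt` in the second hunk. A static initialiser that warns when the value is blank would make a misconfigured deployment visible in the log instead of in the encrypted output. The removed comment block also carried the only explanation of what this value is for; the new field has none, and `keyValue` says less than the old `loginSecretKeyString` did. I would put `// Key name passed to EntityCrypto.encrypt() for auto-generated passwords; must be set per deployment in security.properties (login.secret_key_string) — a missing property is not detected here.` above the field. The class body continues outside both hunks.
```java
private static final String keyValue = UtilProperties.getPropertyValue(LoginWorker.securityProperties, "login.secret_key_string");

static {
    // Surface a missing/blank key name at startup rather than encrypting under "" — TODO confirm getPropertyValue's fallback for an absent key
    if (UtilValidate.isEmpty(keyValue)) {
        Debug.logWarning("login.secret_key_string is not set in " + LoginWorker.securityProperties, module);
    }
}
```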
@@ -259,7 +253,7 @@ public class LoginEvents {
autoPassword = RandomStringUtils.randomAlphanumeric(EntityUtilProperties.getPropertyAsInteger("security", "password.length.min", 5).intValue());
EntityCrypto entityCrypto = new EntityCrypto(delegator,null);
try {
- passwordToSend = entityCrypto.encrypt(loginSecretKeyString, EncryptMethod.TRUE, autoPassword);
+ passwordToSend = entityCrypto.encrypt(keyValue, EncryptMethod.TRUE, autoPassword);
} catch (GeneralException e) {
Debug.logWarning(e, "Problem in encryption", module);
}
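Review bot: The auto-generated password on the first context line of this hunk comes from `RandomStringUtils.randomAlphanumeric`, which in commons-lang draws from a shared `java.util.Random` rather than a cryptographic source; the line is untouched by this commit, but it produces the value the renamed `keyValue` now encrypts, so it is worth raising here. The `Random`-accepting overload keeps the call's shape while switching the source: `autoPassword = RandomStringUtils.random(len, 0, 0, true, true, null, new SecureRandom());` with `len` being the existing `EntityUtilProperties.getPropertyAsInteger(...)` expression (and `java.security.SecureRandom` imported). Separately, when `encrypt` throws, the catch only logs and `passwordToSend` keeps whatever value it held before the `try`, so the code after the hunk should not assume it was set; the enclosing method starts and ends outside the hunk.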