Author: jleroux
Date: Mon Nov 6 12:41:33 2017
New Revision: 1814402
URL: http://svn.apache.org/viewvc?rev=1814402&view=rev
Log:
Implemented: Token Based Authentication
(OFBIZ-9833)
Comment about production server
I thought it was obvious that you should not keep this file on a production
server after having changed the default value of
ExternalServerJwtMasterSecretKey
Moreover we recommend to have the value of ExternalServerJwtMasterSecretKey
dynamically generated during each build to increase security
Modified:
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java?rev=1814402&r1=1814401&r2=1814402&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java Mon Nov 6 12:41:33 2017
@@ -64,7 +64,8 @@ public class ExternalLoginKeysManager {
// The best way to create the JWT masterSecretKey is to use a temporary way to load in a static final key when compiling.
// This is simple and most secure. One of the proposed way is to use sed and uuidgen to modify the masterSecretKey value
// This: sed -i /ExternalServerJwtMasterSecretKey/s//$(uuidgen)/\2 framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
- // The magic words here are TEMPORARY and FINAL!
+ // Of course you should not let the ExternalLoginKeysManager.java file on a production server after compilation
+ // Because it will contain the dynamically generated ExternalServerJwtMasterSecretKey anyway
private static final String ExternalServerJwtMasterSecretKey = "ExternalServerJwtMasterSecretKey";
/**
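Review bot: The two added comment lines tell operators to remove ExternalLoginKeysManager.java from a production server, but the key is declared as `private static final String ExternalServerJwtMasterSecretKey = "..."`, a compile-time constant that is stored as a literal in the compiled class as well. Deleting the source file therefore does not take the secret off the host. The comment should say that the deployed class file and any build artifact carry the key and must be protected like the key itself. The unchanged declaration also still ships the placeholder value "ExternalServerJwtMasterSecretKey", so a build that skips the sed step signs tokens with a publicly known key; consider refusing to start, or at least logging an error, when the value still equals that default. Wording nit on the first added line: "should not let the ... file on a production server" reads better as "should not leave the ... file on a production server".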