Author: jleroux
Date: Tue Nov 7 08:58:16 2017
New Revision: 1814467
URL: http://svn.apache.org/viewvc?rev=1814467&view=rev
Log:
Implemented: Token Based Authentication
(OFBIZ-9833)
Update the comments about ExternalServerJwtMasterSecretKey
Modified:
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java?rev=1814467&r1=1814466&r2=1814467&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java Tue Nov 7 08:58:16 2017
@@ -57,15 +57,15 @@ public class ExternalLoginKeysManager {
public static final String EXTERNAL_SERVER_LOGIN_KEY = "externalServerLoginKey";
// This works the same way than externalLoginKey but between 2 servers, not 2 webapps on the same server.
// The Single Sign On (SSO) is ensured by a JWT token, then all is handled as normal by a session on the reached server.
- // The servers may or may not share a database but the 2 loginUserId must be the same.
+ // The servers may or may not share a database but the 2 loginUserIds must be the same.
// OOTB the JWT masterSecretKey is not properly initialised and can not be OOTB.
// As we sign on on several servers, so have different sessions, we can't use the externalLoginKey way to create the JWT masterSecretKey.
- // The best way to create the JWT masterSecretKey is to use a temporary way to load in a static final key when compiling.
- // This is simple and most secure. One of the proposed way is to use sed and uuidgen to modify the masterSecretKey value
- // This: sed -i /ExternalServerJwtMasterSecretKey/s//$(uuidgen)/\2 framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
- // Of course you should not let the ExternalLoginKeysManager.java file on a production server after compilation
- // Because it will contain the dynamically generated ExternalServerJwtMasterSecretKey anyway
+ // IMO the best way to create the JWT masterSecretKey is to use a temporary way to load in a static final key when compiling.
+ // This is simple and most secure. See OFBIZ-9833 for more, notably
https://s.apache.org/cFeK+
+ // Because it will contain the ExternalServerJwtMasterSecretKey value;
+ // you should not let the ExternalLoginKeysManager.java file on a production server after its compilation
private static final String ExternalServerJwtMasterSecretKey = "ExternalServerJwtMasterSecretKey";
/**
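Review bot: the rewritten comment on the `+` lines still leaves `ExternalServerJwtMasterSecretKey` initialised to the literal "ExternalServerJwtMasterSecretKey", a well-known default that matches the field name, and the only guard against signing tokens with it is this comment plus an external short link (https://s.apache.org/cFeK+); consider pairing the comment with a startup check that refuses to issue or verify JWTs while the key equals that default, e.g. `if ("ExternalServerJwtMasterSecretKey".equals(ExternalServerJwtMasterSecretKey)) throw new IllegalStateException("JWT master secret key not initialised");`, so a missed build step fails loudly instead of silently producing tokens anyone can forge. Two wording points in the same comment block: "you should not let the ... file on a production server" reads as "leave", and the unchanged line above, "can not be OOTB", is missing its verb; since this source file is the only place the operational requirement is recorded, it is worth fixing both while the comment is being edited.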