svn commit: r1822882 - in /ofbiz/ofbiz-framework/trunk/framework: security/config/security.properties webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java

Author: jleroux
Date: Thu Feb  1 15:27:17 2018
New Revision: 1822882

URL: http://svn.apache.org/viewvc?rev=1822882&view=rev
Log:
Improved: Token Based Authentication
(OFBIZ-9833)

I just thought that for security it's best to have both the source and
target server using the use-external-server property.

Also default to N when requesting this property

Modified:
    ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties
    ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java

Modified: ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties?rev=1822882&r1=1822881&r2=1822882&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties (original)
+++ ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties Thu Feb  1 15:27:17 2018
@@ -132,14 +132,14 @@ default.error.response.view=view:viewBlo
 # -- If false, then no externalLoginKey parameters will be added to cross-webapp urls
 security.login.externalLoginKey.enabled=true
 
-### This only needs to be changed on the source server, not the target server
-# -- An example of the change needed on the source server is available in OFBIZ-9833-external-server-test-example.patch
-# -- Then external-server-query must be changed to /catalog/control/
+### To have this working, an example of the change needed on the source server is available in OFBIZ-9833-external-server-test-example.patch
+### With this example, the external-server-query must be /catalog/control/
 # -- If true, then it's possible to connect to another webapp on another server w/o signing in
+# -- This needs to be changed on both the source server and the target server
 use-external-server=N
 # -- Name of the external server (DNS) ex: demo-trunk.ofbiz.apache.org where the port is not needed
-external-server-name=localhost:8443
+external-server-name=demo-trunk.ofbiz.apache.org
 # -- Query part of the URL to use
-external-server-query=/example/control/
+external-server-query=/catalog/control/
 # -- Time To Live of the token send to the external server in seconds
 external-server-token-duration=30

Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java?rev=1822882&r1=1822881&r2=1822882&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java Thu Feb  1 15:27:17 2018
@@ -181,6 +181,7 @@ public class ExternalLoginKeysManager {
 
         String externalServerUserLoginId = request.getParameter(EXTERNAL_SERVER_LOGIN_KEY);
         if (externalServerUserLoginId == null) return "success"; // Nothing to do here
+        if (!"Y".equals(EntityUtilProperties.getPropertyValue("security", "use-external-server", "N", delegator))) return "success"; // The target server does not allow external login by default
 
         GenericValue currentUserLogin = (GenericValue) session.getAttribute("userLogin");
 
@@ -313,7 +314,7 @@ public class ExternalLoginKeysManager {
     public static String getExternalServerName(HttpServletRequest request) {
         String reportingServerName = "";
         Delegator delegator = (Delegator) request.getAttribute("delegator");
-        if (delegator != null && "Y".equals(EntityUtilProperties.getPropertyValue("security", "use-external-server", "Y", delegator))) {
+        if (delegator != null && "Y".equals(EntityUtilProperties.getPropertyValue("security", "use-external-server", "N", delegator))) {
             reportingServerName = EntityUtilProperties.getPropertyValue("security", "external-server-name", "localhost:8443", delegator);
             String reportingServerQuery = EntityUtilProperties.getPropertyValue("security", "external-server-query", "/catalog/control/", delegator);
             reportingServerName = "https://" + reportingServerName + reportingServerQuery;