Author: jleroux
Date: Tue Feb 6 12:18:15 2018 New Revision: 1823316 URL: http://svn.apache.org/viewvc?rev=1823316&view=rev Log: "Applied fix from trunk for revision: 1822882" ------------------------------------------------------------------------ r1822882 | jleroux | 2018-02-01 16:27:17 +0100 (jeu., 01 févr. 2018) | 7 lines Improved: Token Based Authentication (OFBIZ-9833) I just thought that for security it's best to have both the source and target server using the use-external-server property. Also default to N when requesting this property ------------------------------------------------------------------------ Modified: ofbiz/ofbiz-framework/branches/release17.12/ (props changed) ofbiz/ofbiz-framework/branches/release17.12/framework/security/config/security.properties ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java Propchange: ofbiz/ofbiz-framework/branches/release17.12/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Tue Feb 6 12:18:15 2018 
@@ -10,4 +10,4 @@
 /ofbiz/branches/json-integration-refactoring:1634077-1635900
 /ofbiz/branches/multitenant20100310:921280-927264
 /ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821600,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393
+/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821600,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1822882
Modified: ofbiz/ofbiz-framework/branches/release17.12/framework/security/config/security.properties
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/framework/security/config/security.properties?rev=1823316&r1=1823315&r2=1823316&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/branches/release17.12/framework/security/config/security.properties (original)
+++ ofbiz/ofbiz-framework/branches/release17.12/framework/security/config/security.properties Tue Feb 6 12:18:15 2018
@@ -132,11 +132,14 @@ default.error.response.view=view:viewBlo
 # -- If false, then no externalLoginKey parameters will be added to cross-webapp urls
 security.login.externalLoginKey.enabled=true
+### To have this working, an example of the change needed on the source server is available in OFBIZ-9833-external-server-test-example.patch
+### With this example, the external-server-query must be /catalog/control/
 # -- If true, then it's possible to connect to another webapp on another server w/o signing in
+# -- This needs to be changed on both the source server and the target server
 use-external-server=N
 # -- Name of the external server (DNS)
-external-server-name=localhost:8443
+external-server-name=demo-trunk.ofbiz.apache.org
 # -- Query part of the URL to use
-external-server-query=/example/control/
+external-server-query=/catalog/control/
 # -- Time To Live of the token send to the external server in seconds
 external-server-token-duration=30
Modified: ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java?rev=1823316&r1=1823315&r2=1823316&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java (original)
+++ ofbiz/ofbiz-framework/branches/release17.12/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java Tue Feb 6 12:18:15 2018
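Review bot: The new shipped value `external-server-name=demo-trunk.ofbiz.apache.org` means an operator who only flips `use-external-server` to Y will have cross-server login URLs, and by this file's own description the short-lived token, directed at a public demo host they do not control. The previous `localhost:8443` kept that mistake on the local machine, and it is still the fallback passed in ExternalLoginKeysManager.getExternalServerName, so the file and the code now disagree about the default. I would keep `external-server-name=localhost:8443` as the shipped value and carry the demo host only in a comment, e.g. `# -- Example used with OFBIZ-9833-external-server-test-example.patch: demo-trunk.ofbiz.apache.org`.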
@@ -181,6 +181,7 @@ public class ExternalLoginKeysManager {
 String externalServerUserLoginId = request.getParameter(EXTERNAL_SERVER_LOGIN_KEY);
 if (externalServerUserLoginId == null) return "success"; // Nothing to do here
+ if (!"Y".equals(EntityUtilProperties.getPropertyValue("security", "use-external-server", "N", delegator))) return "success"; // The target server does not allow external login by default
 GenericValue currentUserLogin = (GenericValue) session.getAttribute("userLogin");
@@ -313,7 +314,7 @@ public class ExternalLoginKeysManager {
 public static String getExternalServerName(HttpServletRequest request) {
 String reportingServerName = "";
 Delegator delegator = (Delegator) request.getAttribute("delegator");
- if (delegator != null && "Y".equals(EntityUtilProperties.getPropertyValue("security", "use-external-server", "Y", delegator))) {
+ if (delegator != null && "Y".equals(EntityUtilProperties.getPropertyValue("security", "use-external-server", "N", delegator))) {
 reportingServerName = EntityUtilProperties.getPropertyValue("security", "external-server-name", "localhost:8443", delegator);
 String reportingServerQuery = EntityUtilProperties.getPropertyValue("security", "external-server-query", "/catalog/control/", delegator);
 reportingServerName = "https://" + reportingServerName + reportingServerQuery;
|
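Review bot: The guard added in the first hunk returns "success" silently when a request carries the external-server login parameter while `use-external-server` is not Y, so a token arriving at a server that has the feature switched off leaves no trace for operators. A warning without the parameter value would give them something to alert on, e.g. `Debug.logWarning("External server login key received but use-external-server is not Y, ignoring it", module);` inside a braced `if`, assuming the class has the usual `module` constant. The guard also passes `delegator` without the null check that getExternalServerName applies; its declaration is outside the hunk, so confirm it cannot be null on this path. The enclosing method starts and ends outside the hunk.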
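Review bot: The `use-external-server` lookup and its fallback are now written out twice, in this condition and in the guard of the first hunk, and this hunk exists precisely because one copy's fallback ("Y") enabled the feature when the property was missing. A single private helper keeps the default in one place: `private static boolean isExternalServerEnabled(Delegator delegator) { return delegator != null && "Y".equals(EntityUtilProperties.getPropertyValue("security", "use-external-server", "N", delegator)); }`, with a one-line comment that the fallback must stay N so an absent property leaves external login disabled. getExternalServerName continues past the end of the hunk.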