OFBiz OFBiz - Commits

svn commit: r1824857 - in /ofbiz/branches/release16.11: ./ applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java framework/security/config/security.properties

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
jleroux@apache.org
Reply | Threaded
Open this post in threaded view
|

svn commit: r1824857 - in /ofbiz/branches/release16.11: ./ applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java framework/security/config/security.properties

jleroux@apache.org
Author: jleroux
Date: Tue Feb 20 12:02:42 2018
New Revision: 1824857

URL: http://svn.apache.org/viewvc?rev=1824857&view=rev
Log:
"Applied fix from trunk framework for revision: 1814392 "
------------------------------------------------------------------------
r1814392 | jleroux | 2017-11-06 11:51:57 +0100 (lun., 06 nov. 2017) | 5 lines

Reverted: Secure the login.secret_key_string
(OFBIZ-9966)

Before having a discussion about the security of this, reverts on
Michael's request on dev ML
------------------------------------------------------------------------


Modified:
    ofbiz/branches/release16.11/   (props changed)
    ofbiz/branches/release16.11/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
    ofbiz/branches/release16.11/framework/security/config/security.properties

Propchange: ofbiz/branches/release16.11/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Feb 20 12:02:42 2018
@@ -10,5 +10,5 @@
 /ofbiz/branches/json-integration-refactoring:1634077-1635900
 /ofbiz/branches/multitenant20100310:921280-927264
 /ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801318-1801319,1801336,1801340,1801346,1801349-1801350,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814501,1814591,1814642,1814644,1814709,1814873,1814928,1814934,1815059,1816264,1816273,1816289,1816291,1816297,
 1816369,1816373,1816461,1816635,1816795,1818101,1818269,1818273,1818402,1819122,1819136,1819144,1819811,1820823,1820949,1820966,1821012,1821036,1821613,1821965,1822310,1822377,1822383,1823876,1824314,1824316,1824732,1824803,1824847
+/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801318-1801319,1801336,1801340,1801346,1801349-1801350,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814392,1814501,1814591,1814642,1814644,1814709,1814873,1814928,1814934,1815059,1816264,1816273,1816289,1816291,
 1816297,1816369,1816373,1816461,1816635,1816795,1818101,1818269,1818273,1818402,1819122,1819136,1819144,1819811,1820823,1820949,1820966,1821012,1821036,1821613,1821965,1822310,1822377,1822383,1823876,1824314,1824316,1824732,1824803,1824847,1824855
 /ofbiz/trunk:1770481,1770490,1770540,1771440,1771448,1771516,1771935,1772346,1772880,1774772,1775441,1779724,1780659,1781109,1781125,1781979,1782498,1782520

Modified: ofbiz/branches/release16.11/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java?rev=1824857&r1=1824856&r2=1824857&view=diff
==============================================================================
--- ofbiz/branches/release16.11/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java (original)
+++ ofbiz/branches/release16.11/applications/securityext/src/main/java/org/apache/ofbiz/securityext/login/LoginEvents.java Tue Feb 20 12:02:42 2018
@@ -65,12 +65,7 @@ public class LoginEvents {
     public static final String module = LoginEvents.class.getName();
     public static final String resource = "SecurityextUiLabels";
     public static final String usernameCookieName = "OFBiz.Username";
-    // OOTB the loginSecretKeyString is not properly initialised and can not be OOTB.
-    // The best way to create the loginSecretKeyString is to use a temporary way to load in a static final key when compiling.
-    // This is simple and most secure. One of the proposed way is to use sed and uuidgen to modify the loginSecretKeyString value
-    // The magic words here are TEMPORARY and FINAL!
-    private static final String loginSecretKeyString = "loginSecretKeyString";
-    
+    private static final String keyValue = UtilProperties.getPropertyValue(LoginWorker.securityProperties, "login.secret_key_string");
     /**
      * Save USERNAME and PASSWORD for use by auth pages even if we start in non-auth pages.
      *
@@ -254,7 +249,7 @@ public class LoginEvents {
                 autoPassword = RandomStringUtils.randomAlphanumeric(EntityUtilProperties.getPropertyAsInteger("security", "password.length.min", 5).intValue());
                 EntityCrypto entityCrypto = new EntityCrypto(delegator,null);
                 try {
-                    passwordToSend = entityCrypto.encrypt(loginSecretKeyString, EncryptMethod.TRUE, autoPassword);
+                    passwordToSend = entityCrypto.encrypt(keyValue, EncryptMethod.TRUE, autoPassword);
                 } catch (GeneralException e) {
                     Debug.logWarning(e, "Problem in encryption", module);
                 }

Modified: ofbiz/branches/release16.11/framework/security/config/security.properties
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/framework/security/config/security.properties?rev=1824857&r1=1824856&r2=1824857&view=diff
==============================================================================
--- ofbiz/branches/release16.11/framework/security/config/security.properties (original)
+++ ofbiz/branches/release16.11/framework/security/config/security.properties Tue Feb 20 12:02:42 2018
@@ -124,3 +124,7 @@ default.error.response.view=view:viewBlo
 
 # -- If false, then no externalLoginKey parameters will be added to cross-webapp urls
 security.login.externalLoginKey.enabled=true
+
+# -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality.
+login.secret_key_string=Secret Key
+


Free forum by Nabble Edit this page