svn commit: r1866255 - in /ofbiz/ofbiz-framework/trunk/framework: security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

Author: jleroux
Date: Mon Sep  2 07:05:08 2019
New Revision: 1866255

URL: http://svn.apache.org/viewvc?rev=1866255&view=rev
Log:
Improved: Unknown request [images]; this request does not exist or cannot be
called directly.
(OFBIZ-11152)

Gives an advice to reassure users about the seriousness of the issue

This issue can be easily reproduced by going to example/control/FormWidgetExamples
Other backend components are less concerned but it happens sometimes in them too.
It's quite hard to understand what's happening.
This is a sequel of OFBIZ-10895

Added:
    ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc   (with props)
Modified:
    ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java

Added: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc?rev=1866255&view=auto
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc (added)
+++ ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc Mon Sep  2 07:05:08 2019
@@ -0,0 +1,76 @@
+////
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+////
+
+= Passwords and JWT (JSON Web Tokens) usage
+== How are set and used passwords and JWT  in Apache OFBiz
+The Apache OFBiz Project
+Release 17.12
+
+:imagesdir: ../../themes/common-theme/webapp/images/img/
+ifdef::backend-pdf[]
+:title-logo-image: image::OFBiz-Logo.svg[Apache OFBiz Logo, pdfwidth=4.25in, align=center]
+:source-highlighter: rouge
+endif::[]
+
+=== Passwords
+
+Demo and seed passwords are stored in files loaded through security ofbiz-component.xml. To know more about that be sure to read:
+
+
+* https://cwiki.apache.org/confluence/display/OFBIZ/Apache+OFBiz+Technical+Production+Setup+Guidehttp://url[The technical production setup guide] notably "Initial Data Loading" and "Security Settings" sections
+* https://cwiki.apache.org/confluence/display/OFBIZ/How+to+secure+your+deploymenthttp://url[How to secure your deployment]
+
+[CAUTION]
+These configuration steps are not to be neglected for the security of a *production environment*
+
+=== JWT usage
+
+https://en.wikipedia.org/wiki/JSON_Web_Token[As says Wikipedia]:
+____
+JSON Web Token (JWT) is an Internet standard for creating JSON-based access tokens that assert some number of claims.
+____
+
+
+We currently use JWT in 2 places:
+
+. To let users safely recreate passwords (in backend and frontend)
+. To allow SSO (Single Sig-on) jumpings from an OFBiz instance to another OFBiz instance on another domain, by also using https://en.wikipedia.org/wiki/Cross-origin_resource_sharing[CORS] (
+Cross-origin resource sharing) on the target server
+
+
+==== How to secure JWT
+When you use JWT, in order to sign your tokens, you have the choice of using a sole so called secret key or a pair of public/private keys:https://jwt.io/introduction/.
+
+You might prefer to use pair of public/private keys, but by default OFBiz uses a secret key. Remains the way how to store this secret key.
+
+. The first idea which comes to mind is to use a property in the security.properties file. It's safe as long as your filesystem is not compromised.
+. You may also pick a SystemProperty entity. It's safe as long as your DB is not compromised.
+. We recommend to not use an environment variable to pass the uuid as those can be considered weak:
+
+    http://movingfast.io/articles/environment-variables-considered-harmful/
+    https://security.stackexchange.com/questions/49725/is-it-really-secure-to-store-api-keys-in-environment-variables
+
+
+
+===== Properties
+
+The _security.properties_ file introduce two properties that control impersonation feature :
+
+=== Last but not least
+Be sure to read https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping OFBiz secure]
\ No newline at end of file

Propchange: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
------------------------------------------------------------------------------
    svn:keywords = Date Rev Author URL Id

Propchange: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java?rev=1866255&r1=1866254&r2=1866255&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java Mon Sep  2 07:05:08 2019
@@ -277,6 +277,9 @@ public class RequestHandler {
                 if (path.contains("/checkLogin/")) {
                     // Nested requests related with checkLogin uselessly clutter the log. There is nothing to worry about, better remove this wrong error message.
                     return;
+                } else if (path.contains("/images/")) {
+                    if (Debug.warningOn()) Debug.logWarning("You should check if this request is really a problem or a false alarm: " + request.getRequestURL(), module);
+                    throw new RequestHandlerException(requestMissingErrorMessage);
                 } else {
                     throw new RequestHandlerException(requestMissingErrorMessage);
                 }