Author: jleroux
Date: Fri Sep 6 15:34:09 2019
New Revision: 1866518
URL:
http://svn.apache.org/viewvc?rev=1866518&view=rev
Log:
Fixed: Any ecommerce user has the ability to reset another's password
(including admin) via "Forget Your Password"
(OFBIZ-4361)
Adds the security.token.key value and change the login.secret_key_string value
The security.token.key value is not mandatory for the "Forget Your Password"
feature but then only the username and password are used to create the JWT key.
Adds a reference for both properties to the
"Passwords and JWT (JSON Web Tokens) usage"
documentation to suggest that users choose how to store these keys
Modified:
ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties
Modified: ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties
URL:
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties?rev=1866518&r1=1866517&r2=1866518&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties (original)
+++ ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties Fri Sep 6 15:34:09 2019
@@ -139,7 +139,8 @@ default.error.response.view=view:viewBlo
security.login.externalLoginKey.enabled=true
# -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality.
-login.secret_key_string=Secret Key
+# Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
+login.secret_key_string=login.secret_key_string
# -- Time To Live of the token send to the external server in seconds, 10 seconds seems plenty enough OOTB. Custom projects might want set a lower value.
security.jwt.token.expireTime=1800
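Review bot: The replacement value `login.secret_key_string=login.secret_key_string` is still a fixed literal checked into the default properties file, so an installation whose operator does not follow the referenced documentation runs the forgot-password flow with a key that is public knowledge, which is the same weakness the removed `login.secret_key_string=Secret Key` line had. Consider shipping the property empty and having the forgot-password code refuse to encrypt or decrypt (logging a clear error) when the value is empty or equals this placeholder, or point the comment at a concrete override location (the SystemProperty entity the second hunk's old comment mentioned) rather than only at the documentation title.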
@@ -148,5 +149,5 @@ security.jwt.token.expireTime=1800
# -- To make this work you also have to configure a secret key with security.token.key
security.internal.sso.enabled=false
-# -- The secret key for the JWT token signature. Configuration in the SystemProperty entity is recommended for security reasons.
-#security.token.key=
+# -- The secret key for the JWT token signature. Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
+security.token.key=security.token.key
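Review bot: Changing `#security.token.key=` (commented out, so no key configured) to `security.token.key=security.token.key` turns a fail-closed default into a live, publicly known JWT signing key; the context line above states that internal SSO only works once this key is configured, so an operator who enables `security.internal.sso.enabled=true` without also replacing the placeholder would be verifying tokens against a key anyone can read from the source tree. The rewritten comment also drops the previous sentence recommending storage in the SystemProperty entity for security reasons; please keep that recommendation, and consider having the token code treat an empty value or the literal placeholder `security.token.key` as "not configured" so the feature stays disabled until a real key is set.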