svn commit: r1866936 - /ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc


jleroux@apache.org
Author: jleroux
Date: Sat Sep 14 10:52:54 2019
New Revision: 1866936

URL: http://svn.apache.org/viewvc?rev=1866936&view=rev
Log:
Improved: Document how to store the JWT secret key
(OFBIZ-10751)

Adds a link to OWASP documentation

Modified:
    ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc

Modified: ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc?rev=1866936&r1=1866935&r2=1866936&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc (original)
+++ ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc Sat Sep 14 10:52:54 2019
@@ -68,6 +68,7 @@ You might prefer to use pair of public/p
 . You may want to tie the encryption key to the logged in user. This is used by the password recreation feature. The JWT secret key is salted with a combination of the current logged in user and her/his password. This is a simple and effective safe way.
 . Use a https://tools.ietf.org/html/rfc7519#section-4.1.7[JTI] (JWT ID). A JTI prevents a JWT from being replayed. This https://auth0.com/blog/blacklist-json-web-token-api-keys/http://url[auth0 blog article get deeper in that].  The same is kinda achieved with the password recreation feature. When the user log in after the new password creation, the password has already been  changed. So the link (in the sent email) containing the JWT for the creation of the new password can't be reused.
 . Tie the encryption key to the hardware. You can refer to this https://en.wikipedia.org/wiki/Hardware_security_module[Wikipedia page] for more information.
+. If you want to get deeper in this get to this https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Key_Management_Cheat_Sheet.md#user-content-storage[OWASP documentation]
 
 Note: if you want to use a pair of public/private keys you might want to consider  leveraging the Java Key Store that is also used by the "catalina" component to store certificates. Then don't miss to read:
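Review bot: The added list item (the `+` line after the hardware security module item) links to the `master` branch of OWASP/CheatSheetSeries with a GitHub-generated `#user-content-storage` fragment, so the link will go stale without notice if the file is moved or its storage heading is renamed. A link pinned to a specific commit or to a stable published location would be more durable. The item also reads as a further-reading pointer rather than a key-storage option like its siblings, so it may fit better as a sentence after the list. It is missing the closing period the other items have, and "get deeper in this get to this" could be tightened, for example "For more on key storage, see the OWASP Key Management Cheat Sheet." Separately, the unchanged JTI item in the context above carries a malformed link target (`.../blacklist-json-web-token-api-keys/http://url[`) that could be fixed in the same pass.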