Author: jleroux
Date: Fri Sep  6 15:34:09 2019
New Revision: 1866518

URL: http://svn.apache.org/viewvc?rev=1866518&view=rev
Log:
Fixed: Any ecommerce user has the ability to reset another's password
(including admin) via "Forget Your Password"
(OFBIZ-4361)

Adds the security.token.key value and changes the login.secret_key_string value

The security.token.key value is not mandatory for the "Forget Your Password"
feature but then only the username and password are used to create the JWT key.

Adds a reference for both properties to the
"Passwords and JWT (JSON Web Tokens) usage"
documentation to suggest that users choose the way to store these keys

Modified:
    ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties

Modified: 
ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties
URL: 
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties?rev=1866518&r1=1866517&r2=1866518&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties 
(original)
+++ ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties 
Fri Sep  6 15:34:09 2019
@@ -139,7 +139,8 @@ default.error.response.view=view:viewBlo
 security.login.externalLoginKey.enabled=true
 
 # -- Security key used to encrypt and decrypt the autogenerated password in 
forgot password functionality.
-login.secret_key_string=Secret Key
+#    Read Passwords and JWT (JSON Web Tokens) usage documentation to choose 
the way you want to store this key
+login.secret_key_string=login.secret_key_string
 
 # -- Time To Live of the token send to the external server in seconds, 10 
seconds seems plenty enough OOTB. Custom projects might want set a lower value.
 security.jwt.token.expireTime=1800
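Review bot: the new default `login.secret_key_string=login.secret_key_string` is still a fixed, guessable value (it is simply the property's own name), so a deployment that never edits this file keeps a predictable key for the forgot-password secret, which is the class of weakness OFBIZ-4361 is fixing. Consider shipping the property commented out, or having the code refuse to start (or refuse the forgot-password flow) when the configured value equals the placeholder, so the "read the documentation" comment cannot be silently ignored. Unrelated but visible in the context lines: the comment says "10 seconds seems plenty enough OOTB" while `security.jwt.token.expireTime=1800` is 30 minutes; the comment or the value should be brought in line.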
@@ -148,5 +149,5 @@ security.jwt.token.expireTime=1800
 # -- To make this work you also have to configure a secret key with 
security.token.key
 security.internal.sso.enabled=false
 
-# -- The secret key for the JWT token signature. Configuration in the 
SystemProperty entity is recommended for security reasons.
-#security.token.key=
+# -- The secret key for the JWT token signature. Read Passwords and JWT (JSON 
Web Tokens) usage documentation to choose the way you want to store this key 
+security.token.key=security.token.key
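Review bot: replacing the commented-out `#security.token.key=` with an active `security.token.key=security.token.key` turns a "must be configured explicitly" key into a known default, so any installation that leaves it untouched signs and verifies JWTs with a string that is public in this very commit. As with the hunk above, prefer leaving the property unset (commented out) and failing closed when `security.internal.sso.enabled=true` finds no key, or reject the placeholder value at startup. The rewritten comment also drops the previous sentence "Configuration in the SystemProperty entity is recommended for security reasons"; keeping that recommendation next to the documentation pointer would preserve the guidance about not storing the key in a checked-in properties file. Minor: the new comment line ends with trailing whitespace after "this key".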

