Author: jleroux
Date: Sat Sep  7 06:26:52 2019
New Revision: 1866544

URL: http://svn.apache.org/viewvc?rev=1866544&view=rev
Log:
Improved: Document how to store the JWT secret key
(OFBIZ-10751)

Fixes a typo

Modified:
    
ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc

Modified: 
ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
URL: 
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc?rev=1866544&r1=1866543&r2=1866544&view=diff
==============================================================================
--- 
ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
 (original)
+++ 
ofbiz/ofbiz-framework/trunk/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
 Sat Sep  7 06:26:52 2019
@@ -65,7 +65,7 @@ You might prefer to use pair of public/p
 * http://movingfast.io/articles/environment-variables-considered-harmful
 * 
https://security.stackexchange.com/questions/49725/is-it-really-secure-to-store-api-keys-in-environment-variables
     
-. You may want to tie the encryption key to the logged in user. This is with 
the password recreation feature. The JWT secret key is salted with a 
combination of the current logged in user and her/his password. This is a 
simple and effective safe way.
+. You may want to tie the encryption key to the logged in user. This is used 
by the password recreation feature. The JWT secret key is salted with a 
combination of the current logged in user and her/his password. This is a 
simple and effective safe way.
 . Use a https://tools.ietf.org/html/rfc7519#section-4.1.7[JTI] (JWT ID). A JTI 
prevents a JWT from being replayed. This 
https://auth0.com/blog/blacklist-json-web-token-api-keys/http://url[auth0 blog 
article get deeper in that].  The same is kinda achieved with the password 
recreation feature. When the user log in after the new password creation, the 
password has already been  changed. So the link (in the sent email) containing 
the JWT for the creation of the new password can't be reused.
 . Tie the encryption key to the hardware. You can refer to this 
https://en.wikipedia.org/wiki/Hardware_security_module[Wikipedia page] for more 
information.
 
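Review bot: the changed line now reads correctly, but the JTI item that follows it in this hunk still carries a malformed link: `https://auth0.com/blog/blacklist-json-web-token-api-keys/http://url[auth0 blog article get deeper in that]` has `http://url` glued onto the URL, so the rendered target is wrong; suggested replacement is `https://auth0.com/blog/blacklist-json-web-token-api-keys/[this auth0 blog article goes deeper into that]`. In the same item, "A JTI prevents a JWT from being replayed" overstates what the claim does on its own: a JTI only gives the token a unique identifier, and replay is stopped only when the server records consumed JTIs and rejects a repeat, which matches the comparison made two sentences later, where it is the already-changed password (not the token id) that makes the emailed link single-use; consider saying "A JTI, together with a server-side list of used IDs, prevents a JWT from being replayed". Minor wording while you are here: "simple and effective safe way" in the changed line reads better as "simple and effective way", "kinda" as "partly", and "When the user log in" should be "When the user logs in".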

