This is an automated email from the ASF dual-hosted git repository. jacopoc pushed a commit to branch release24.09 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 6ba1356af67dbda4848f4c852b9ad8d3afb545c1 Author: Jacopo Cappellato <[email protected]> AuthorDate: Tue Mar 10 18:59:36 2026 +0100 Implemented: Remove demo secret keys from security.property and add a gradle task to generate and set the keys Backported from trunk 185c9a0406 with minor modifications. The new task, generateSecretKeys, is automatically triggered when the loadAll is executed.
---
build.gradle | 33 ++++++++++++++++++++++++++- framework/security/config/security.properties | 6 +++-- 2 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/build.gradle b/build.gradle
index b4815d5de5..617a891fbd 100644
--- a/build.gradle
+++ b/build.gradle
@@ -309,9 +309,13 @@ eclipse.classpath.file.whenMerged { classpath ->
 tasks.eclipse.dependsOn(cleanEclipse)
 test {
+ dependsOn 'generateSecretKeys'
+
 useJUnit()
 jvmArgs "-javaagent:${classpath.find { it.name.contains('jmockit') }.absolutePath}"
 }
+processResources.mustRunAfter 'generateSecretKeys'
+
 /* ========================================================
 * Tasks
 * ======================================================== */
@@ -326,7 +330,7 @@ def sysadminGroup = 'System Administration'
 // ========== OFBiz Server tasks ==========
 task loadAll(group: ofbizServer) {
- dependsOn 'ofbiz --load-data'
+ dependsOn 'generateSecretKeys', 'ofbiz --load-data'
 description 'Load default data; meant for OFBiz development, testing, and demo purposes'
 }
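Review bot: Making `test` and `loadAll` depend on `generateSecretKeys` means every `./gradlew test` or `loadAll` run rewrites both keys, because the task in the following hunk replaces any existing `login.secret_key_string=` / `security.token.key=` line unconditionally; each run therefore invalidates outstanding JWTs signed with the previous `security.token.key`, breaks decryption of anything still protected by the previous `login.secret_key_string`, and leaves a tracked file modified in every CI checkout. The task should be idempotent: generate only when the current value is blank, e.g. inside generateAndWriteKey right after reading `content`, `def current = content =~ /(?m)^${escapedName}=(.*)$/` followed by `if (current.find() && current.group(1).trim()) { return }`, with an explicit project property for a deliberate rotation. The `processResources.mustRunAfter 'generateSecretKeys'` ordering is correct as written and needs no change.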
@@ -677,6 +681,33 @@ task gitInfoFooter(group: sysadminGroup, description: 'Update the Git Branch-rev
 }
 }
+task generateSecretKeys(group: sysadminGroup,
+ description: 'Generate cryptographically secure 512-bit (64-char) secret keys for JWT token signing and password encryption, and write them to security.properties') {
+ doLast {
+ def propertiesFile = file('framework/security/config/security.properties')
+
+ def generateAndWriteKey = { String propertyName ->
+ def keyBytes = new byte[48] // 48 bytes * 4/3 = 64 Base64 chars (no padding needed)
+ new java.security.SecureRandom().nextBytes(keyBytes)
+ def key = java.util.Base64.getEncoder().encodeToString(keyBytes)
+ def content = propertiesFile.text
+ def escapedName = propertyName.replace('.', '\\.')
+ if (content =~ /(?m)^#?${escapedName}=.*$/) {
+ content = content.replaceAll(/(?m)^#?${escapedName}=.*$/, "${propertyName}=${key}")
+ } else {
+ content += "\n${propertyName}=${key}\n"
+ }
+ propertiesFile.text = content
+ }
+
+ generateAndWriteKey('login.secret_key_string')
+ generateAndWriteKey('security.token.key')
+
+ println "New secret keys have been generated and written to framework/security/config/security.properties"
+ println "Keep these keys secret and do not commit them to version control."
+ }
+}
+
 // ========== OFBiz Plugin Management ==========
 task createPlugin(group: ofbizPlugin, description: 'create a new plugin component based on specified templates') {
 doLast {
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 4a4e7bfdcb..569ceae370 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
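Review bot: The task description advertises a "512-bit" key, following the existing 64-chars-equals-512-bits wording in security.properties, but `new byte[48]` draws 48 random bytes, i.e. 384 bits of entropy that Base64 expands to the required 64 characters; that is ample for an HMAC-SHA512 key, yet the description and the inline comment should state it as `384 bits of entropy encoded as 64 Base64 characters` so nobody later "corrects" the byte count to 64 and breaks the 64-char requirement. The closing println asks the user not to commit the keys while the task writes them straight into the tracked `framework/security/config/security.properties`, so a routine `git add -A` after `loadAll` stages live keys; the description should at least say that the file will show as modified, and a guard that skips generation when a non-empty value is already present would limit how often that happens. `propertiesFile.text` also reads and writes with the platform default charset; the Base64 value itself is ASCII, but the rest of the file is round-tripped through that charset, which `propertiesFile.getText('ISO-8859-1')` and `propertiesFile.setText(content, 'ISO-8859-1')` would make deterministic.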
@@ -144,7 +144,8 @@ security.login.externalLoginKey.enabled=true
 # -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality.
 # Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
 # The key must be 512 bits (ie 64 chars) as we use HMAC512 to create the token, cf. OFBIZ-12724
-login.secret_key_string=p2s5u8x/A?D(G+KbPeShVmYq3t6w9z$B&E)H@McQfTjWnZr4u7x!A%D*F-JaNdRg
+# Run './gradlew generateSecretKeys' to generate a cryptographically secure random key.
+login.secret_key_string=
 # -- Time To Live of the token send to the external server in seconds
 security.jwt.token.expireTime=1800
@@ -156,7 +157,8 @@ security.internal.sso.enabled=false
 # -- The secret key for the JWT token signature.
 # Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
 # The key must be 512 bits (ie 64 chars) as we use HMAC512 to create the token, cf. OFBIZ-12724
-security.token.key=%D*G-JaNdRgUkXp2s5v8y/B?E(H+MbPeShVmYq3t6w9z$C&F)J@NcRfTjWnZr4u7
+# Run './gradlew generateSecretKeys' to generate a cryptographically secure random key.
+security.token.key=
 # -- List of domains or IP addresses to be checked to prevent Host Header Injection,
 # -- no spaces after commas,no wildcard, can be extended of course...
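Review bot: Both `login.secret_key_string` and `security.token.key` now ship empty while the comment above each still says the key must be 512 bits, and a reader of this file cannot tell whether a blank value is rejected at startup or silently accepted, which for the JWT signing key would mean tokens signed with an empty secret. Extend the new comment in both hunks to `# Required: run './gradlew generateSecretKeys' (also run automatically by 'loadAll' and 'test') to fill in a 64-char random key before starting OFBiz; an empty value is not a usable key.` and, outside this file, confirm that the code reading these two properties fails fast on a blank value rather than proceeding.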

