Hi Michael,
I put my last thoughts at https://s.apache.org/cFeK
I'll need to slightly change my comments in ExternalLoginKeysManager, will do
later...
Jacques
On 06/11/2017 at 13:57, Michael Brohl wrote:
Hi Jacques,
this is the same solution pattern as we've discussed in [1]. I think we should
discuss this general pattern for both cases.
I will wait for other opinions in [1] and do my follow-up later.
Thanks,
Michael
[1] https://lists.apache.org/thread.html/71a9b1d73246655753ef71abf9cdf530c951ff372d14e335f3e9fd77@%3Cdev.ofbiz.apache.org%3E
On 06.11.17 at 13:41, [email protected] wrote:
Author: jleroux
Date: Mon Nov 6 12:41:33 2017
New Revision: 1814402
URL: http://svn.apache.org/viewvc?rev=1814402&view=rev
Log:
Implemented: Token Based Authentication
(OFBIZ-9833)
Comment about production server
I thought it was obvious that you should not keep this file on a production server after having changed the default value of ExternalServerJwtMasterSecretKey.
Moreover, we recommend having the value of ExternalServerJwtMasterSecretKey dynamically generated during each build to increase security.
Modified:
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
Modified:
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
URL:
http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java?rev=1814402&r1=1814401&r2=1814402&view=diff
==============================================================================
---
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
(original)
+++
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
Mon Nov 6 12:41:33 2017
@@ -64,7 +64,8 @@ public class ExternalLoginKeysManager {
// The best way to create the JWT masterSecretKey is to use a temporary
way to load in a static final key when compiling.
// This is simple and most secure. One of the proposed way is to use sed
and uuidgen to modify the masterSecretKey value
// This: sed -i /ExternalServerJwtMasterSecretKey/s//$(uuidgen)/\2
framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java
- // The magic words here are TEMPORARY and FINAL!
+ // Of course you should not let the ExternalLoginKeysManager.java file on
a production server after compilation
+ // Because it will contain the dynamically generated
ExternalServerJwtMasterSecretKey anyway
private static final String ExternalServerJwtMasterSecretKey =
"ExternalServerJwtMasterSecretKey";
/**
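Review bot: the replacement comment in this hunk ("you should not let the ExternalLoginKeysManager.java file on a production server after compilation") documents a mitigation that does not actually remove the secret from the deployment, because the unchanged line `private static final String ExternalServerJwtMasterSecretKey = "ExternalServerJwtMasterSecretKey";` makes the key a compile-time constant: after the sed/uuidgen substitution described two lines above, the generated value is embedded in the compiled class and in the jar exactly as it was in the source, so deleting the .java file on the server changes nothing. Rather than documenting the workaround, suggest fixing the design: read the key at startup from a source outside the code base (a properties file or environment variable) and have the manager refuse to start, or at least log an error, when the value still equals the default, since the default is the key's own name and a build that skips the sed step would ship a known signing secret. That also removes the dependence on the `sed -i ... s//$(uuidgen)/...` one-liner in the comment, whose correctness depends on the exact layout of that source line; and if the value does keep being generated at build time, a random key of at least 256 bits from a CSPRNG is preferable to uuidgen output for an HMAC signing secret.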