Hi Scott,

Thanks for your review, much appreciated.

You are right, my mechanism was flawed.
It did not occur to me that by using JavaScript I opened up the client side.
For instance, by using what follows, I can log in as a limited admin.

// Proof of concept: any client can request a token for an arbitrary userLoginId,
// here the limited admin "ltdadmin", because getJwtToken trusts the POST parameter.
function getJwtToken1(webAppName) {
    var JwtToken = "";
    var userLoginId = "ltdadmin"; // chosen by the caller, not by the server

    if (userLoginId != null && userLoginId != "") {
        jQuery.ajax({
            url: "getJwtToken",
            type: "POST",
            async: false, // synchronous so the token is available on return
            dataType: "text",
            data: {"userLoginId" : userLoginId},
            success: function(data) {
                JwtToken = data;
            },
            // jQuery passes (jqXHR, textStatus, errorThrown) to the error callback
            error: function(jqXHR, textStatus, errorThrown) {
                alert('Failure, errorThrown: ' + errorThrown);
            }
        });
    }
    return JwtToken;
}

// Present the token to the target OFBiz instance, then navigate there as that user.
function sendJwtToken1(webAppName, targetUrl) {
    var redirectUrl = targetUrl;
    var jwtToken = getJwtToken1(webAppName);
    if (jwtToken != null && jwtToken != "") {
        jQuery.ajax({
            url: targetUrl,
            async: false,
            type: 'POST',
            xhrFields: {withCredentials: true}, // keep the session cookie the target sets
            headers: {"Authorization" : jwtToken},
            success: function(){
                window.location.assign(redirectUrl);
            }
        });
    }
}

sendJwtToken1('catalog', 'https://jleroux.nereide.fr/content/control/main');

I was plain stupid, I don't need to go through the client side with the
getAutoUserLoginId() JS function.
I can get the login on the server side inside CommonEvents::getJwtToken. I
initially created LoginWorker::getAutoUserLoginId just for that!
The Java code was ready and I lost myself during all these wanderings (as Jacopo
said, like in James Joyce's Ulysses).
I must say the code seems "simple" now, but there was a lot of work to get
there.

I have attached a new patch, please double check.

Thanks again for your help.

Jacques

On 16/08/2018 at 22:08, Scott Gray wrote:
Hi Jacques,

Assuming I was looking at the correct patch, it looks like I could use this
feature to log in as anyone.  All I need to do is send any userLoginId to
getJwtToken and then I can log in as that user with the token that comes
back.  Am I missing something?

Regards
Scott

On 15 August 2018 at 07:08, Jacques Le Roux <jacques.le.r...@les7arts.com>
wrote:

Hi,

Some time ago I created https://issues.apache.org/jira/browse/OFBIZ-10307.

I asked for reviews but only Taher answered, and he asked about the goal
of this new feature.

It was actually developed for a client who needed to get from one OFBiz
instance on a server (on a domain) to another OFBiz instance on another
server (on another domain) without having to sign in between the two while
keeping things secure.

There could be many reasons why you want to split OFBiz application on
servers. In their case it was for performance issues.

The technology used is as secure as possible. Like OAuth 2.0 it uses a
token, but it does not need a middle authorization server (think of
two-factor authentication) because it's only for OFBiz instances of the
same version.

To commit this work we first need to agree on and commit the work done by Deepak
at OFBIZ-9833 "Token Based Authentication", which I use in my last patch.

For me there is only one question outstanding: how to store the token
secret. But this should not prevent us from committing Deepak's work.

It's now a long time (9 months) since I started this work, and my last
patch has been ready for a month.

I ran into several issues, which are now all resolved. So please review and
reply in this thread.

Without well-argued negative comments I'll commit both OFBIZ-9833 and
OFBIZ-10307 in a week. You can always test and review later, we use RTC.

Also a veto on a commit is always possible... Of course, as ever, a good
consensus is preferred.

Let me know if you need more information about the goal. For the technical
details, I think I already provided them in OFBIZ-10307.

Jacques


