Thanks Michael,
Looks good to me!

Thanks & Regards
--
Deepak Dixit



On Sat, Jan 19, 2019 at 5:27 PM Michael Brohl <michael.br...@ecomify.de>
wrote:

> Hi all,
>
> during my work in [1] I realized that the OOTB JWT authorization /
> single sign on is switched on by default. The logic to retrieve the
> secret key uses a default if there is no configuration in SystemProperty
> or security.properties.
>
> This makes it easy to prepare a JWT (e.g. by using [2] or [3]) and login
> using a guessed userLoginId and this token (which can be retrieved from
> the code).
>
> I think we should secure this so that this cannot be done in an OOTB
> setting with the following additions:
>
> 1. make it configurable through a property which is initially turned
> off. I think this is better than commenting the preprocessor in/out
> because it can be better integrated in (custom) configuration mechanisms.
>
> 2. don't use a default secret key if none is provided. The
> user/administrator must explicitly set a secret key and should know what
> he is doing then.
>
> 3. don't proceed if no secret key can be found (do not attempt a login
> using the JWT)
>
>
> I think that we should turn this feature off by default for the
> following reasons:
>
> 1. it opens up a security hole if the user does not remove the
> checkJWTLogin preprocessor (see above)
>
> 2. the functionality to have a single sign on between two OFBiz
> instances will only be used in rare cases (I think). It is only designed
> for this special case and cannot be used for standard single sign on
> scenarios with other systems.
>
> 3. if it is not used, it will still try to read the authorization
> header, key etc. *on every request*
>
>
> What do you think?
>
> Regards,
>
> Michael
>
>
> [1] https://issues.apache.org/jira/browse/OFBIZ-10814
>
> [2] https://jwt.io/
>
> [3] http://jwtbuilder.jamiekurtz.com/

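The pattern Michael describes (a JWT login preprocessor that is always on and silently falls back to a secret baked into the code), placed beside a version that applies his three additions, as an added example. This is not OFBiz code and does not use the OFBiz API: the property names `security.internal.sso.enabled` and `security.token.key`, the `Bearer` header convention and the `WEAK_DEFAULT_SECRET` value are assumptions made for the illustration, and the HS256 sign/verify helpers are written with the standard library so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical: models a secret hard-coded as a fallback in the source.
# Anyone with the code can read it, so anyone can mint valid tokens.
WEAK_DEFAULT_SECRET = "default-secret-from-source"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: str) -> str:
    """Minimal HS256 JWT signer (what jwt.io or a builder site would produce)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_jwt(token: str, secret: str) -> Optional[dict]:
    """Verify HS256 signature first, then alg and expiry; None on any failure."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None
    claims = json.loads(b64url_decode(body))
    if "exp" in claims and claims["exp"] < time.time():
        return None
    return claims


def _bearer(auth_header: Optional[str]) -> Optional[str]:
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    return auth_header[len("Bearer "):]


def weak_check_jwt_login(props: dict, auth_header: Optional[str]) -> Optional[str]:
    """The pattern described in the mail: always on, default key if none configured."""
    secret = props.get("security.token.key", WEAK_DEFAULT_SECRET)   # the hole
    token = _bearer(auth_header)
    claims = verify_jwt(token, secret) if token else None
    return claims.get("userLoginId") if claims else None


def hardened_check_jwt_login(props: dict, auth_header: Optional[str]) -> Optional[str]:
    """The three proposed additions: off by default, no default key, stop if no key."""
    # 1. feature must be explicitly enabled; unconfigured means off
    if props.get("security.internal.sso.enabled", "false").lower() != "true":
        return None
    # 2./3. no fallback secret; do not attempt a login when none is configured
    secret = props.get("security.token.key")
    if not secret:
        return None
    token = _bearer(auth_header)
    claims = verify_jwt(token, secret) if token else None
    return claims.get("userLoginId") if claims else None


def demo() -> dict:
    """Forged token for a guessed userLoginId against several configurations."""
    forged = "Bearer " + sign_jwt({"userLoginId": "admin"}, WEAK_DEFAULT_SECRET)
    enabled = {"security.internal.sso.enabled": "true"}
    configured = dict(enabled, **{"security.token.key": "operator-chosen-secret"})
    legit = "Bearer " + sign_jwt({"userLoginId": "admin"}, "operator-chosen-secret")
    return {
        "weak_unconfigured": weak_check_jwt_login({}, forged),          # "admin": forged token accepted
        "hardened_unconfigured": hardened_check_jwt_login({}, forged),  # None: feature off
        "hardened_enabled_no_key": hardened_check_jwt_login(enabled, forged),  # None: no key, no login
        "hardened_forged": hardened_check_jwt_login(configured, forged),       # None: wrong key
        "hardened_legit": hardened_check_jwt_login(configured, legit),         # "admin"
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The signature is checked before the header is trusted, so a token with `alg` set to `none` and an empty signature fails the HMAC comparison instead of bypassing it. The cost point in reason 3 of the mail is also visible: the hardened preprocessor returns before touching the header or the key store whenever the feature is off.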