Hi Jacques,


Am 22.01.19 um 09:51 schrieb Jacques Le Roux:
Hi Michael,

It seems there is a consensus for disabling the JWT feature OOTB and it makes sense after testing with Postman.

Thanks, Jacques.

Rest inline:

Le 22/01/2019 à 07:43, Michael Brohl a écrit :
2. the functionality to have a single sign on between two OFBiz
instances will only be used in rare cases (I think). It is only designed
for this special case and cannot be used for standard single sign on
scenarios with other systems.

If we make this feature implicitly non-operational, what about showing it in example? I guess showing it should depend of the property which switch on/off the JWT feature.

Yes, this would be another improvement.

3. if it is not used, it will still try to read the authorization
header, key etc. *on every request*

Yes, that's not a problem it's only few ms (if even) as long as there is no JWT passed. Else all the other pre-processors would also be concerned...

The problem is: without explicitely switching it off, it will parse a provided JWT token on every request *even if you don't want to use the SSO feature*. You might want to use the Authorization: Bearer <token> header for other scenarios than SSO. Implementing a REST service for example, which is the reason I stumbled upon this.

Implicitely turning the feature on when the header is present is not a good idea, we should separate concerns.

I'm going to provide an enhanced patch for all this.



Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to