Hi Jacques,

As I referred to earlier I suggest the following:

- remove ofbizSecure and ofbizBackgroundSecure
- make all other server tasks secure by default (i.e. loading notsoserial and all other jvm args which are currently used in ofbizSecure). This means ofbiz, ofbizBackground and ofbizDebug
- update the documentation so that users need not worry about calling any secure tasks. So they only need to do custom work such as the whitelist, etc ...

I am not sure but I think there is no performance penalty, right? That is why I suggest lumping them together.

Taher Alkhateeb

On Aug 6, 2016 11:40 AM, "Jacques Le Roux" <[email protected]> wrote:

> On 06/08/2016 at 11:43, Taher Alkhateeb wrote:
>
>> Hi Jacques,
>>
>> I think that filling the white list, etc ... might be something to keep in the page on securing OFBiz (documentation).
>
> I prefer to have a direct link to the notsoserial documentation to be sure it's up to date. That's what I did on the related wiki page.
>
>> I understand your point about making it more "explicit" which makes sense; it has, however, the downside of making the users aware that there are different tasks to run, and also the rc scripts need to be modified for production and might be confusing (ofbiz, ofbizBackground, ofbizBackgroundSecure, ofbizSecure) might be too many options to choose from in a production environment.
>>
>> No strong opinion, but I am suggesting to make it a little easier for people with a less-is-more kind of approach.
>
> What would you suggest? It seems to me that removing these options would degrade the information about rare but possible vulnerabilities.
>
> Jacques
>
>> Taher Alkhateeb
>>
>> On Sat, Aug 6, 2016 at 11:44 AM, Jacques Le Roux <[email protected]> wrote:
>>
>>> The idea is that by default the task does not do much. You have to follow the advice they give to make it really effective (filling a white list is the better way).
>>>
>>> That's why I separated it from the rest to make it more obvious for users.
>>>
>>> Currently "gradlew tasks" gives you this information:
>>>
>>> Pattern: ofbizSecure <Commands>: Execute OFBiz startup commands pre-loading the notsoserial Java agent
>>> Pattern: ofbizBackgroundSecure <Commands>: Execute OFBiz startup commands in background (secure mode) and output to console.log
>>>
>>> Jacques
>>>
>>> On 06/08/2016 at 03:33, Scott Gray wrote:
>>>
>>>> Why isn't whatever functionality 'ofbizSecure' provides just included as part of the regular 'ofbiz' task?
>>>>
>>>> On 5 August 2016 at 21:35, Jacques Le Roux <[email protected]> wrote:
>>>>
>>>>> On 05/08/2016 at 11:21, Taher Alkhateeb wrote:
>>>>>
>>>>> +1 makes sense
>>>>>
>>>>>> Should we also remove the tasks ofbizSecure and ofbizBackgroundSecure and replace them with some scripts in /tools if people are not using them? (I assume we only use them with demos?)
>>>>>>
>>>>>> On Aug 5, 2016 10:07 AM, "Jacques Le Roux" <[email protected]> wrote:
>>>>>>
>>>>>> Nope, those are intended to be used in production if ever you need it.
>>>>>
>>>>> See the warning there https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure for details
>>>>>
>>>>> Jacques
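The following Gradle fragment is an added illustration of the "secure by default" layout proposed at the top of this thread (one shared list of JVM arguments loading the notsoserial agent, applied to ofbiz, ofbizBackground and ofbizDebug, with the whitelist as the only per-deployment customisation). It is not the OFBiz build.gradle and not code from anyone in the thread. The task names and the agent come from the thread; the jar path, main class, classpath, log path and the `-P` property names are placeholders, and the `notsoserial.whitelist` / `notsoserial.dryrun` system properties are taken from the notsoserial README as I recall it, so check them against the agent's documentation before relying on them.

```groovy
// Added example: "secure by default" server tasks for OFBiz (not the project's own build.gradle).
// Task names and the notsoserial agent come from the mailing-list thread; everything
// marked placeholder/assumed must be replaced with the real project values.

ext {
    notsoserialJar   = file('lib/notsoserial.jar')                 // placeholder path
    ofbizMainClass   = 'org.apache.ofbiz.base.start.Start'          // assumed main class
    // Optional per-deployment settings, passed as Gradle project properties:
    //   ./gradlew ofbiz -PnotsoserialWhitelist=config/notsoserial-whitelist.txt
    //   ./gradlew ofbiz -PnotsoserialDryRun=runtime/logs/deserialized-classes.txt
    notsoserialWhitelist = project.findProperty('notsoserialWhitelist')
    notsoserialDryRun    = project.findProperty('notsoserialDryRun')
}

// One list of JVM arguments shared by every server task. Because every task goes
// through this function, there is no separate "secure" task for an operator to
// forget, and the rc scripts only ever need the plain task name.
def secureJvmArgs() {
    def jvm = ["-javaagent:${notsoserialJar.absolutePath}"]
    if (notsoserialWhitelist) {
        // With a whitelist the agent refuses to deserialize any class not listed.
        // Without one it only applies its built-in blacklist, which is what the
        // thread means by "by default the task does not do much".
        jvm << "-Dnotsoserial.whitelist=${file(notsoserialWhitelist).absolutePath}"
    }
    if (notsoserialDryRun) {
        // Dry-run mode records every class that gets deserialized instead of
        // blocking, which is how a whitelist is collected on a staging system
        // before it is enforced in production.
        jvm << "-Dnotsoserial.dryrun=${file(notsoserialDryRun).absolutePath}"
    }
    return jvm.collect { it.toString() }
}

// Creates one server task; all three tasks below differ only in description and
// extra JVM flags, so the agent can never be left out of one of them by mistake.
def serverTask(String name, String desc, List<String> extraJvmArgs = []) {
    return tasks.create(name, JavaExec) {
        group = 'OFBiz server'
        description = desc
        main = ofbizMainClass                                  // 'mainClass' on Gradle 6.4+
        classpath = files('build/libs/ofbiz.jar')              // placeholder classpath
        jvmArgs = secureJvmArgs() + extraJvmArgs
        // The <Commands> shown by "gradlew tasks" are passed through a property,
        // e.g. ./gradlew ofbiz -PofbizCommands="--load-data --start"
        if (project.hasProperty('ofbizCommands')) {
            args = project.ofbizCommands.split(/\s+/) as List
        }
    }
}

serverTask('ofbiz',      'Execute OFBiz startup commands (notsoserial agent pre-loaded)')
serverTask('ofbizDebug', 'Same as ofbiz, with a JDWP debugger port open',
           ['-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005'])

def background = serverTask('ofbizBackground', 'Same as ofbiz, with output sent to console.log')
background.doFirst {
    // Placeholder log location; the real task may spawn a detached process instead.
    def log = new FileOutputStream(file('runtime/logs/console.log'), true)
    standardOutput = log
    errorOutput    = log
}
```

With this layout `gradlew tasks` lists only ofbiz, ofbizBackground and ofbizDebug, and the only security-specific step left for a deployment is supplying a whitelist file (collected first with the dry-run property on a staging system), which is the "less-is-more" outcome the proposal aims for.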
