Hi Scott, Yeah agreed. I think logging for failed serialization might be a bit heavy because you might need to use reflections or custom class loaders to dig around and provide useful messages. If a runtime exception bubbles up to main then it will show up in the console and I think this could be enough for developers to investigate.
On Sunday, 7 August 2016, Scott Gray <[email protected]> wrote:

> I would suggest enabling the whitelist by default, adding whatever classes OFBiz needs OOTB and then having a clear failure message in the logs when a custom class fails serialization. Would that work?
>
> Regards
> Scott
>
> On 6/08/2016 23:13, "Jacques Le Roux" <[email protected]> wrote:
>
>> I'd not be against but we need to be clear while documenting that it's not enough for security (when needed, users need to refer to the wiki page), a white list is necessary (again only when needed, not OOTB)
>>
>> I guess (at least I hope for them) most sysadmins, devops are aware of the possible issue, but simpler users need to be warned...
>>
>> Jacques
>>
>> On 06/08/2016 at 12:49, Taher Alkhateeb wrote:
>>
>>> Hi Jacques,
>>>
>>> As I referred to earlier I suggest the following:
>>>
>>> - remove ofbizSecure and ofbizBackgroundSecure
>>> - make all other server tasks secure by default (i.e. loading notsoserial and all other jvm args which are currently used in ofbizSecure). This means ofbiz, ofbizBackground and ofbizDebug
>>> - update the documentation so that users need not worry about calling any secure tasks. So they only need to do custom work such as the whitelist, etc ...
>>>
>>> I am not sure but I think there is no performance penalty right? That is why I suggest lumping them together.
>>>
>>> Taher Alkhateeb
>>>
>>> On Aug 6, 2016 11:40 AM, "Jacques Le Roux" <[email protected]> wrote:
>>>
>>>> On 06/08/2016 at 11:43, Taher Alkhateeb wrote:
>>>>
>>>>> Hi Jacques,
>>>>>
>>>>> I think that filling the white list, etc ... might be something to keep in the page on securing OFBiz (documentation).
>>>>
>>>> I prefer to have a direct link to notsoserial documentation to be sure it's up to date. That's what I did on the related wiki page
>>>>
>>>>> I understand your point about making it more "explicit" which makes sense, it has, however, the downside of making the users aware that there are different tasks to run, and also the rc scripts need to be modified to production and might be confusing (ofbiz, ofbizBackground, ofbizBackgroundSecure, ofbizSecure) might be too many options to choose from in a production environment.
>>>>>
>>>>> No strong opinion, but I am suggesting to make it a little easier for people with a less-is-more kind of approach.
>>>>>
>>>>> What would you suggest?
>>>>
>>>> It seems to me that removing these options would degrade the information about rare but possible vulnerabilities
>>>>
>>>> Jacques
>>>>
>>>>> Taher Alkhateeb
>>>>>
>>>>> On Sat, Aug 6, 2016 at 11:44 AM, Jacques Le Roux <[email protected]> wrote:
>>>>>
>>>>>> The idea is that by default the task does not do much. You have to follow the advice they give to make it really effective (filling a white list is the better way)
>>>>>>
>>>>>> That's why I separated it from the rest to make it more obvious for users.
>>>>>>
>>>>>> Currently "gradlew tasks" gives you this information
>>>>>>
>>>>>> Pattern: ofbizSecure <Commands>: Execute OFBiz startup commands pre-loading the notsoserial Java agent
>>>>>> Pattern: ofbizBackgroundSecure <Commands>: Execute OFBiz startup commands in background (secure mode) and output to console.log
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>> On 06/08/2016 at 03:33, Scott Gray wrote:
>>>>>>
>>>>>>> Why isn't whatever functionality 'ofbizSecure' provides, just included as part of the regular 'ofbiz' task?
>>>>>>>
>>>>>>> On 5 August 2016 at 21:35, Jacques Le Roux <[email protected]> wrote:
>>>>>>>
>>>>>>>> On 05/08/2016 at 11:21, Taher Alkhateeb wrote:
>>>>>>>>
>>>>>>>>> +1 makes sense
>>>>>>>>>
>>>>>>>>>> Nope, those are intended to be used in production if ever you need it.
>>>>>>>>>>
>>>>>>>>>> See the warning there https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure for details
>>>>>>>>>>
>>>>>>>>>> Jacques
>>>>>>>>>>
>>>>>>>>>>> Should we also remove the tasks ofbizSecure and ofbizBackgroundSecure and replace them with some scripts in /tools if people are not using them? (I assume we only use them with demos?)
>>>>>>>>>>>
>>>>>>>>>>> On Aug 5, 2016 10:07 AM, "Jacques Le Roux" <jacques.le.roux@les7arts.com> wrote:
