Jacques Le Roux closed OFBIZ-10206.
    Resolution: Fixed

Now that OFBIZ-4959 is fixed this can be closed

> Security issue in Token Based Authentication
> --------------------------------------------
>                 Key: OFBIZ-10206
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10206
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: 17.12.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>         Attachments: OFBIZ-10206-external-server-test-example.patch
> The version I commited so far in OFBIZ-9833 has a small security issue.
> I added the JWT (JSON Web Token 
> [https://fr.wikipedia.org/wiki/JSON_Web_Token]), which guarantees an exchange 
> between 2 servers. But the way I used it did not prevent from changing the 
> parameter externalServerLoginKey in the URL. Note that this is only possible 
> from the server where the JWT was sent from. This is still a risk (minor) if 
> an unauthorized and malicious person managed to gain access to the backend of 
> the source server.
> The flaw is that I was using a query parameter in the ContextFilter. doFilter 
> () wrapper where the JWT is created.
> I just replaced it with an autoLoginCookie reading on the source server. I 
> would have preferred to use the session, but when creating the JWT, the 
> session contains neither userLogin nor userLoginId. I also need the source 
> server webapp to read the autoLoginCookie. The webapp must therefore be 
> passed as a new parameter in the query. On the target server I use a 
> userLoginId reading from the JWT and no longer from the request, that was the 
> goal I missed!
> I have secured all cookies with OFBIZ-6655, so an autoLoginCookie can only be 
> created or updated when creating the session on the source server. However, 
> autoLoginCookies have a lifetime of one year and are not deleted during a 
> logout. So an autoLoginCookie of another webapp (webapp passed in parameter 
> thus modifiable in the URL) could in theory be used to force another 
> loginUser contained in the autoLoginCookie of this other webapp.
> I think that this lifespan may make sense for frontends (ecommerce, ecomseo, 
> webpos), which have their own logout and where I suppose this feature (from 
> ecommerce in fact) comes to keep a customer's memory. For the backend I don't 
> see the interest also I propose to delete autoLoginCookies to the logout on 
> backend. For that I'll reopen and use OFBIZ-4959 that I closed as incomplete.
> I will commit an improved version in the trunk that I have tested locally 
> with 2 different webapps but still have to test on 2 servers. I'm going to do 
> it using the trunk demo from my machine.

This message was sent by Atlassian JIRA

Reply via email to