[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16734372#comment-16734372 ]
Gil Portenseigne commented on OFBIZ-4361:
-----------------------------------------

h2. *Idea using JWT:*

To keep the password update simple without adding much code to the codebase, we would like to propose a new idea as a first simple step.

Improve the {{service engine}} to allow the use of a {{JWT token}} to *execute a given service as an authenticated user*. The JWT token is generated by OFBiz with its secret and contains in the data payload the allowed {{serviceName}} and the {{userLoginId}}.

h2. Given the following use case:

A user asks for a new password, giving his userLoginId. A mail is sent with a link containing the JWT token, with the {{serviceName}} *updatePassword* and the {{userLoginId}} in the data payload, and a target to an OFBiz _no auth required_ web page described below.

The user accesses, through the link, the web page, which presents a form containing:
* the JWT in its hidden parameters
* a field asking for the new password
* a submit button.

The validation of this form will call the *updatePassword* service. Since the user is _not authenticated_, the {{service engine}} will look into the parameters to see if a token exists and will validate it. Else, authentication is required...

If a serviceName exists in the data and equals the called one, the other data from the JWT payload are added to the IN attributes of the service call.

That will simply allow a basic updatePassword process in trunk, which can be extended easily by customizing the URL target and the serviceName to add verification and so on.

This idea is a first attempt, and should be discussed in regard to the other suggestions.
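The token flow proposed in the comment above, written out as an added example that is not part of the comment and not OFBiz code: an HS256 JWT carrying {{serviceName}} and {{userLoginId}} is issued with the server secret, and a {{resolve_service_call}} step mirrors the proposed service-engine check (no authenticated user, token present in the parameters, token's serviceName equal to the called service, remaining payload merged into the IN attributes). Function names, the {{token}} parameter name, the {{exp}} expiry claim and the sample secret are assumptions of this example, not anything the proposal or OFBiz defines.

```python
"""Added example: service-bound JWT for 'run this service as this user'.
Illustrates the proposal in OFBIZ-4361; not OFBiz code. Names are assumed."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """JWT base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Reverse of b64url_encode; raises ValueError (binascii.Error) on bad input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def issue_service_token(secret: bytes, service_name: str, user_login_id: str,
                        ttl_seconds: int = 900, extra: dict = None, now: int = None) -> str:
    """Issue an HS256 JWT that authorises exactly one service for one user.
    'exp' is an assumption of this example: a reset link should not live forever."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"serviceName": service_name, "userLoginId": user_login_id,
               "iat": now, "exp": now + ttl_seconds}
    if extra:
        payload.update(extra)
    signing_input = b64url_encode(_json_bytes(header)) + "." + b64url_encode(_json_bytes(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_service_token(secret: bytes, token: str, now: int = None) -> dict:
    """Return the payload of a valid token; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: never trust the header to pick it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(parts[1]))
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired")
    return payload


def resolve_service_call(secret: bytes, called_service: str, params: dict,
                         authenticated_user: str = None, now: int = None) -> dict:
    """Mirror of the proposed service-engine step.
    Returns {'userLoginId': who the service runs as, 'inParams': IN attributes}."""
    if authenticated_user is not None:
        return {"userLoginId": authenticated_user, "inParams": dict(params)}
    token = params.get("token")  # parameter name is an assumption of this example
    if token is None:
        raise PermissionError("authentication required")
    claims = verify_service_token(secret, token, now=now)
    if claims.get("serviceName") != called_service:
        raise PermissionError("token was not issued for this service")
    in_params = {k: v for k, v in params.items() if k != "token"}
    # Token claims must override caller-supplied values: otherwise a form field
    # named userLoginId would let the holder of an 'alice' token reset 'admin'.
    for key, value in claims.items():
        if key not in ("serviceName", "iat", "exp"):
            in_params[key] = value
    return {"userLoginId": claims["userLoginId"], "inParams": in_params}


if __name__ == "__main__":
    secret = b"constructed-demo-secret-not-for-production"
    tok = issue_service_token(secret, "updatePassword", "alice", now=1000)
    print(resolve_service_call(secret, "updatePassword",
                               {"token": tok, "newPassword": "s3cret", "userLoginId": "admin"},
                               now=1500))
```

The two checks worth keeping when this is ported into the real service engine are the ones that make the token useless outside its purpose: the {{serviceName}} comparison, which stops a password-reset token from being replayed against any other unauthenticated service, and letting the payload overwrite caller-supplied IN attributes, which stops the form from naming a different {{userLoginId}} than the one the token was issued for.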
> Any ecommerce user has the ability to reset another's password (including admin) via "Forget Your Password"
> ----------------------------------------------------------------------------------------------------------
>
> Key: OFBIZ-4361
> URL: https://issues.apache.org/jira/browse/OFBIZ-4361
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Release Branch 11.04, Release Branch 13.07, Release Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release Branch 17.12
> Environment: Ubuntu and others
> Reporter: mz4wheeler
> Assignee: Jacques Le Roux
> Priority: Major
> Labels: security
> Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another user's password, including "admin", without permission. By simply entering "admin" and clicking "Email Password", the following is displayed.
>
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
>
> This now forces the user of the ERP to change their password. It is also possible to generate a dictionary attack against ofbiz because there is no captcha code required. This is a serious security risk.
>
> This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a captcha code to prevent dictionary attacks.
>
> For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)