[ https://issues.apache.org/jira/browse/OFBIZ-12724?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17647947#comment-17647947 ]

ASF subversion and git services commented on OFBIZ-12724:
---------------------------------------------------------

Commit 2ec3d24299eb110a6d696046ef51a1ebea37ef74 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=2ec3d24299 ]

Fixed: JWT Authentication Error (OFBIZ-12724)

Ensures the length of the secret is at least 512 bit long
https://www.rfc-editor.org/rfc/rfc7518#page-7
https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html#HMAC512
We should follow the rule and give a 512 bit key by default and provide
validation based on the same rule.

jleroux:
based on recommendation by Les Hazlewood (JJWT founder, Apache Shiro founder):
https://github.com/jhipster/generator-jhipster/issues/8165#issuecomment-416246549
I used a 512-bit key I created using https://www.allkeysgenerator.com
(Encryption key mode).
But I got this error:
EntitySaxReader               |E| Fatal Error reading XML on line 23, column 155
org.xml.sax.SAXParseException: The reference to entity "F" must end with the ';'
delimiter. It was due to SSOJWTDemoData content. So I removed security.token.key
from this file and used only the property in security.properties.

Thanks: Ayan Farooqui for report and suggestion


> JWT Authentication Error
> ------------------------
>
>                 Key: OFBIZ-12724
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12724
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework/security, framework/webapp
>    Affects Versions: 17.12.09
>         Environment: OS - Ubuntu 16.04
> DB - MySql
>            Reporter: Ayan Farooqui
>            Assignee: Jacques Le Roux
>            Priority: Trivial
>             Fix For: Upcoming Branch
>
>
> I have secured my Solr setup using solr.JWTAuthPlugin. I need to provide the 
> algorithm name (HS512) and the secret key to verify the payload in solr. The 
> rest api for my Solr setup will be triggered from OFBiz for which I am 
> generating a JWT token and validating it.
> Using the given key & following methods -
> secret key - KeS5mHZGWAD6-5V9qwCE (This is a 120-bit key)
> public static String createJwt(Delegator delegator, Map<String, String> 
> claims, String keySalt, int expireTime)
> public static Map<String, Object> validateToken(String jwtToken, String key)
> https://github.com/apache/ofbiz-framework/blob/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/JWTManager.java
>  
> When I use the above generated token and key in Solr I get the 
> InvalidKeyException which says The secret is only 120 bits, 512 bits is 
> required by HS512. 
> I suppose we should get such an exception in OFBiz also, when generating a token 
> using shorter than recommended key size.
> As mentioned in java-jwt docs
> "Ensure the length of the secret is at least 512 bit long" under HMAC512 
> header ( 
> https://javadoc.io/doc/com.auth0/java-jwt/latest/com/auth0/jwt/algorithms/Algorithm.html
>  )
> But I am using only 120 bit key (KeS5mHZGWAD6-5V9qwCE) in the 
> validateToken(String jwtToken, String key) method and it is not throwing any 
> exception for key size.
> We should follow the rule and give a 512 bit key by default and provide 
> validation based on the same rule.  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)