This is now committed, see https://issues.apache.org/jira/browse/OFBIZ-10814
Thanks,
Michael
On 23.01.19 at 15:12, Michael Brohl wrote:
[1] https://issues.apache.org/jira/browse/OFBIZ-10814
Hi Jacopo,
thanks for your response!
I think it would be better to divide the concerns of the different
concerns here and have a separate configuration to turn internal SSO
on/off and to provide a secret for the JWT handling.
For example, if you want to use the JWT handling for another
+1 to disabling it by default.
We could consider, rather than adding a new configuration flag, to disable
the feature if no secret is set in the configuration files (and do not
provide a secret out of the box).
Jacopo
On Sat, Jan 19, 2019 at 12:57 PM Michael Brohl
wrote:
> Hi all,
>
> during
On 22/01/2019 at 10:11, Michael Brohl wrote:
3. if it is not used, it will still try to read the authorization
header, key etc. *on every request*
Yes, that's not a problem it's only few ms (if even) as long as there is no JWT
passed. Else all the other pre-processors would also be
Hi Jacques,
inline...
On 22.01.19 at 09:51, Jacques Le Roux wrote:
Hi Michael,
It seems there is a consensus for disabling the JWT feature OOTB and
it makes sense after testing with Postman.
Thanks, Jacques.
Rest inline:
On 22/01/2019 at 07:43, Michael Brohl wrote:
2. the
Hi Michael,
It seems there is a consensus for disabling the JWT feature OOTB and it makes
sense after testing with Postman.
Rest inline:
On 22/01/2019 at 07:43, Michael Brohl wrote:
2. the functionality to have a single sign on between two OFBiz
instances will only be used in rare cases (I
Thank you all,
if there are no objections I will enhance the patch in [1] to make this
configurable and switched off as default.
Regards,
Michael
[1] https://issues.apache.org/jira/browse/OFBIZ-10814
On 21.01.19 at 11:41, Dennis Balkir wrote:
+1 for off as default
On 21.01.19 at 10:03
+1 for off as default
On 21.01.19 at 10:03, Taher Alkhateeb wrote:
+1 to default off
On Sat, Jan 19, 2019 at 7:25 PM Michael Brohl wrote:
No, we are mainly discussing if we should turn off the JWT functionality
in the default setting and what could be done to make the current
implementation
+1 to default off
On Sat, Jan 19, 2019 at 7:25 PM Michael Brohl wrote:
>
> No, we are mainly discussing if we should turn off the JWT functionality
> in the default setting and what could be done to make the current
> implementation more secure / fail proof.
>
>
> Am 19.01.19 um 16:54 schrieb
Thanks Michael,
Looks good to me..!!
Thanks & Regards
--
Deepak Dixit
On Sat, Jan 19, 2019 at 5:27 PM Michael Brohl
wrote:
> Hi all,
>
> during my work in [1] I realized that the OOTB JWT authorization /
> single sign on is switched on by default. The logic to retrieve the
> secret key uses
No, we are mainly discussing if we should turn off the JWT functionality
in the default setting and what could be done to make the current
implementation more secure / fail proof.
On 19.01.19 at 16:54, Shi Jinghai wrote:
I've just reviewed the code of JWT implements. Sorry for my bad English, I'm a
bit lost, are we discussing which one is more secure, the tomcat session or JWT?
-Original Message-
From: Michael Brohl [mailto:michael.br...@ecomify.de]
Sent: January 19, 2019 19:58
To: dev@ofbiz.apache.org
Subject: [DISCUSSION]