Revision 1823324

Author: jleroux
Date: Tue Feb 6 13:17:57 2018 UTC
Changed paths: 5
Log Message:
Fixed: Security issue in Token Based Authentication
(OFBIZ-10206)

The version I committed so far in OFBIZ-9833 has a small security issue.
See the Jira description for all details

To test, I have attached an OFBIZ-10206-external-server-test-example.patch to
the Jira.

This removes the external-server-query property, now useless.

In ContextFilter the getHeader (wrapper) now uses an autoLoginCookie to get
the userLoginId passed in the JWT instead of the externalServerUserLogin parameter.
A sourceServerWebappName parameter must be passed from the client request to
allow reading the autoLoginCookie.

This userLoginId is then retrieved on the target server from the JWT in
externalServerLoginCheck, which is simplified.

In LoginWorker
  getAutoLoginCookieName() now has 2 versions to allow passing a webapp name.

  A new autoLogoutFromAllBackendSessions() method has been added but is for now
  commented out. Uncommenting it will be submitted as a patch in OFBIZ-4959.

Thanks: Leila Mekika for reporting the security issue directly to me
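The commit message describes the principle of the fix: the user identity sent to the target server is taken from the auto-login cookie of the source webapp and carried inside the signed JWT, and the target server reads it back from the verified JWT rather than from a request parameter such as externalServerUserLogin. The following is an added illustration of that principle in Python, not OFBiz code from this commit: the cookie name pattern (webapp + ".autoUserLoginId"), the Authorization header carrying the token, the HS256 token format, the secret and all request values are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment would load a shared secret from configuration.
SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_login_id: str, secret: bytes, ttl: int = 300, now=None) -> str:
    """Build a minimal HS256 JWT whose subject is the user identity."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_login_id, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, now=None):
    """Return the claims if the signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":  # the token must not pick its own algorithm
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided_sig):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if "sub" not in claims or claims.get("exp", 0) <= now:
        return None
    return claims


def build_external_server_header(cookies: dict, params: dict, secret: bytes, now=None):
    """Source-server side: identity comes from the auto-login cookie selected by
    sourceServerWebappName, never from a caller-supplied user parameter."""
    webapp = params.get("sourceServerWebappName")
    if not webapp:
        return None
    user_login_id = cookies.get(f"{webapp}.autoUserLoginId")  # cookie name is an assumption
    if not user_login_id:
        return None
    return "Bearer " + issue_token(user_login_id, secret, now=now)


def external_server_login_check(headers: dict, params: dict, secret: bytes, now=None):
    """Target-server side: the only source of identity is the verified JWT; any
    externalServerUserLogin parameter in the request is ignored entirely."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    claims = verify_token(auth[len("Bearer "):], secret, now=now)
    return claims["sub"] if claims else None


if __name__ == "__main__":
    # Constructed request: the cookie says "admin", a stray parameter claims "someoneelse".
    cookies = {"webtools.autoUserLoginId": "admin"}
    params = {"sourceServerWebappName": "webtools", "externalServerUserLogin": "someoneelse"}
    hdr = build_external_server_header(cookies, params, SECRET)
    print(external_server_login_check({"Authorization": hdr}, params, SECRET))  # admin
```

The two halves mirror the two sides named in the commit message: the source webapp turns its own auto-login cookie into a signed token, and the target's login check trusts nothing but that signature. Changing the subject in the payload without the key, presenting an expired token, or omitting the cookie all resolve to no user.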

Changed paths

  ofbiz/ofbiz-framework/trunk/framework/common/groovyScripts/ExternalServerName.groovy  (deleted)
  ofbiz/ofbiz-framework/trunk/framework/security/config/security.properties  (modified, text changed)
  ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ContextFilter.java  (modified, text changed)
  ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ExternalLoginKeysManager.java  (modified, text changed)
  ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/LoginWorker.java  (modified, text changed)
