This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new fdb995f  Documented: adds CSRF defense and updates password and JWT
fdb995f is described below

commit fdb995fd501876dd2293de1d85ce45e5f287ae70
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed Apr 15 19:30:53 2020 +0200

    Documented: adds CSRF defense and updates password and JWT
---
 .../docs/asciidoc/_include/sy-CSRF-defense.adoc    | 68 ++++++++++++++--------
 .../asciidoc/_include/sy-password-and-JWT.adoc     | 31 +++++++++-
 2 files changed, 73 insertions(+), 26 deletions(-)

diff --git a/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc 
b/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc
index 2af0f48..867150e 100644
--- a/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc
+++ b/framework/security/src/docs/asciidoc/_include/sy-CSRF-defense.adoc
@@ -28,32 +28,52 @@ ifdef::backend-pdf[]
 :source-highlighter: rouge
 endif::[]
 
-=== Same-Site attribute is set to 'strict' for all cookies
+=== The same-Site attribute
 
-By default the SameSite value in SameSiteFilter is 'strict'. This property 
allows to change to 'lax' if needed
-# -- If you use 'lax' we recommend that you set 
org.apache.ofbiz.security.CsrfDefenseStrategy for csrf.defense.strategy (see 
below)
+[quote,According to OWASP ZAP]
+____
+The SameSite attribute is an effective counter measure to cross-site request 
forgery, cross-site script inclusion, and timing attacks.
+____
 
+By default OOTB the SameSiteFilter property sets the same-site attribute value 
to 'strict. SameSiteFilter allows to change to 'lax' if needed. If you use 
'lax' we recommend that you set the csrf.defense.strategy property to 
org.apache.ofbiz.security.CsrfDefenseStrategy in order to provide an effective 
defense against CSRF attacks.
 
-===== Properties
-
-The _security.properties_ file contains five related properties:
-
-    # -- If false, then no externalLoginKey parameters will be added to 
cross-webapp urls
-    security.login.externalLoginKey.enabled=true
-
-    # -- Security key used to encrypt and decrypt the autogenerated password 
in forgot password functionality.
-    login.secret_key_string=login.secret_key_string
-
-    # -- Time To Live of the token send to the external server in seconds, 10 
seconds seems plenty enough OOTB. Custom projects might want set a lower value.
-    security.jwt.token.expireTime=1800
-
-    # -- Enables the internal Single Sign On feature which allows a token 
based login between OFBiz instances
-    # -- To make this work you also have to configure a secret key with 
security.token.key
-    security.internal.sso.enabled=false
-
-    # -- The secret key for the JWT token signature. Configuration in the 
SystemProperty entity is recommended for security reasons.
-    security.token.key=security.token.key
 
+===== Properties
 
-=== Last but not least
-Be sure to read 
https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping 
OFBiz secure]
\ No newline at end of file
+The _security.properties_ file contains related properties:
+
+    # -- By default the SameSite value in SameSiteFilter is 'strict'.
+    # -- This property allows to change to 'lax' if needed.
+    # -- If you use 'lax' we recommend that you set 
+    # -- org.apache.ofbiz.security.CsrfDefenseStrategy 
+    # -- for csrf.defense.strategy (see below)
+    SameSiteCookieAttribute=
+
+    # -- The cache size for the Tokens Maps that stores the CSRF tokens.
+    # -- RemoveEldestEntry is used when it's get above csrf.cache.size
+    # -- Default is 5000
+    # -- TODO: possibly separate tokenMap size from partyTokenMap size
+    csrf.cache.size=
+
+    # -- Parameter name for CSRF token. Default is "csrf" if not specified
+    csrf.tokenName.nonAjax=
+
+    # -- The csrf.entity.request.limit is used to show how to avoid cluttering 
the Tokens Maps cache with URIs starting with "entity/"
+    # -- It can be useful with large Database contents, ie with a large 
numbers of tuples, like "entity/edit/Agreement/10000, etc.
+    # -- The same principle can be extended to other cases similar to 
"entity/" URIs (harcoded or using similar properties).
+    # -- Default is 3
+    csrf.entity.request.limit=
+
+    # -- CSRF defense strategy.
+    # -- Because OFBiz OOTB also sets the SameSite attribute to 'strict' for 
all cookies,
+    # -- which is an effective CSRF defense,
+    # -- default is org.apache.ofbiz.security.NoCsrfDefenseStrategy if not 
specified.
+    # -- Use org.apache.ofbiz.security.CsrfDefenseStrategy 
+    # -- if you need to use a 'lax' for SameSiteCookieAttribute
+    csrf.defense.strategy=
+
+There is also a SystemProperty in __SSOJWTDemoData.xml__:
+[source,xml]
+----
+<SystemProperty systemResourceId="security" 
systemPropertyId="SameSiteCookieAttribute" systemPropertyValue="strict"/>
+----
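Review bot: The new prose block at "By default OOTB the SameSiteFilter property sets ..." has an unbalanced quote ('strict. should be 'strict') and the phrasing "allows to change to 'lax'" should read "allows changing the value to 'lax'". Two further points in the properties listing: the csrf.entity.request.limit comment says "Default is 3" but never states what the number limits (a reader cannot tell whether 3 is a count of path segments, of cached URIs, or something else), and "harcoded" is a typo for "hardcoded". Finally, the csrf.defense.strategy comment only mentions switching to CsrfDefenseStrategy for a 'lax' SameSiteCookieAttribute, while the second file in this same commit says internal SSO requires 'none'; the comment should cover 'none' as well so the two documents agree, e.g. "if you need to use 'lax' or 'none' for SameSiteCookieAttribute".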
diff --git 
a/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc 
b/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
index e1ebcf2..c1bdee4 100644
--- a/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
+++ b/framework/security/src/docs/asciidoc/_include/sy-password-and-JWT.adoc
@@ -85,18 +85,45 @@ The _security.properties_ file contains five related 
properties:
     security.login.externalLoginKey.enabled=true
 
     # -- Security key used to encrypt and decrypt the autogenerated password 
in forgot password functionality.
+    #    Read Passwords and JWT (JSON Web Tokens) usage documentation to 
choose the way you want to store this key
     login.secret_key_string=login.secret_key_string
 
-    # -- Time To Live of the token send to the external server in seconds, 10 
seconds seems plenty enough OOTB. Custom projects might want set a lower value.
+    # -- Time To Live of the token send to the external server in seconds
     security.jwt.token.expireTime=1800
 
     # -- Enables the internal Single Sign On feature which allows a token 
based login between OFBiz instances
     # -- To make this work you also have to configure a secret key with 
security.token.key
     security.internal.sso.enabled=false
 
-    # -- The secret key for the JWT token signature. Configuration in the 
SystemProperty entity is recommended for security reasons.
+    # -- The secret key for the JWT token signature. Read Passwords and JWT 
(JSON Web Tokens) usage documentation to choose the way you want to store this 
key
     security.token.key=security.token.key
 
 
+There are also SSO related SystemProperties in __SSOJWTDemoData.xml__:
+[source,xml]
+----
+    <SystemProperty systemResourceId="security" 
systemPropertyId="security.internal.sso.enabled" systemPropertyValue="false"/>
+    <SystemProperty systemResourceId="security" 
systemPropertyId="security.token.key" systemPropertyValue="security.token.key"/>
+    <SystemProperty systemResourceId="security" 
systemPropertyId="SameSiteCookieAttribute" systemPropertyValue="strict"/>
+----
+
+==== Internal SSO
+The introduction of the same-site attribute set to 'strict' for all cookies 
prevents the internal Single Sign On feature. Why is clearly explained 
https://web.dev/samesite-cookies-explained[here].
+
+So same-site attribute set to 'none' is necessary for the internal SSO to 
work, https://github.com/whatwg/fetch/issues/769['lax' is not enough]. So if 
someone wants to use the internal SSO feature s/he also needs to use  the CSRF 
token defense. If s/he wants to be safe from CSRF attacks. Unfortunately, due 
backporting difficulties, this option is currently (2020-04-15) only available 
in trunk.
+
+====== Fecth API
+An alternative would be to use the Fetch Javascript API with the
+
+[source]
+----
+credentials: "include"
+----
+option 
https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API#Differences_from_jQuery[to
 enable CORS]. https://javascript.info/fetch-crossorigin#credentials[Here is an 
example]
+
+For those interested, there are more information in 
https://issues.apache.org/jira/browse/OFBIZ-11594
+
+
+
 === Last but not least
 Be sure to read 
https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping 
OFBiz secure]
\ No newline at end of file
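Review bot: The "Internal SSO" paragraph has a sentence fragment ("If s/he wants to be safe from CSRF attacks.") that should be joined to the previous sentence, "due backporting difficulties" is missing "to", and "there are more information" should be "there is more information"; the heading "====== Fecth API" is a typo for "Fetch API" and skips a heading level (the enclosing section is "==== Internal SSO"). In the Fetch paragraph, "to enable CORS" is imprecise: credentials: "include" makes the browser send cookies on cross-origin requests, it does not enable CORS, which is governed by the server's response headers; suggest "to send the session cookie on cross-origin requests". Also, the demo data block sets SameSiteCookieAttribute to "strict" right above a section stating 'none' is required for internal SSO; a one-line remark that the demo value must be changed to 'none' when security.internal.sso.enabled is set to true would save readers a wrong first attempt.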