ofbiz-notifications mailing list archives

From "Jacopo Cappellato (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-9833) Token Based Authentication
Date Tue, 20 Feb 2018 15:10:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-9833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16370127#comment-16370127 ]

Jacopo Cappellato commented on OFBIZ-9833:
------------------------------------------

[~jacques.le.roux] it is really a bad idea to store a secret key as a field of a Java class,
even if the source file is removed from the server. In fact, Java byte code is very easy
to read (e.g. all IDEs provide this feature).

For this reason it is a bad idea to adopt out of the box this pattern as you did with
ExternalLoginKeysManager.ExternalServerJwtMasterSecretKey.

I have other concerns about the design of this work but I don't have time to describe them
at the moment, however I am wondering if you could revert your work and provide one complete
patch (I know you have committed it in different revisions) that you can attach here or to
a brand new ticket and then we could discuss around them; I think this would be the easiest
way since you know exactly all the commits that are relevant.

> Token Based Authentication
> --------------------------
>
>                 Key: OFBIZ-9833
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9833
>             Project: OFBiz
>          Issue Type: New Feature
>          Components: framework
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>            Priority: Major
>         Attachments: JSON Web Tokens.pdf, OFBIZ-9833-external-server-test-example.patch,
> OFBIZ-9833-external-server-test-example.patch, OFBIZ-9833-external-server.patch, OFBIZ-9833-external-server.patch,
> OFBIZ-9833-external-server.patch, Token Based Authentication in Apache OfBiz.pdf, Token Based
> Authentication.pdf, rfc7519.pdf
>
>
> Here is dev list discussion for token based authentication work:
> http://markmail.org/message/vyskeh2wujqpkbwg



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
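
An added example, not part of the original message and not OFBiz code: an audit check that reads a compiled class's constant pool and reports whether a string field's value is stored there, which is the point the comment makes about keys kept as Java class fields. The class name, field name and key value are constructed placeholders.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;

public class ConstantPoolAudit {
    // Constructed placeholder standing in for a secret kept as a class field.
    static final String HARDCODED_KEY = "constructed-example-secret";

    // Consume n bytes exactly (skipBytes may skip fewer than requested).
    static void skip(DataInputStream d, int n) throws IOException {
        d.readFully(new byte[n]);
    }

    // Walk the constant pool (JVM spec 4.4) and collect every CONSTANT_Utf8 entry.
    static List<String> utf8Constants(InputStream in) throws IOException {
        DataInputStream d = new DataInputStream(in);
        if (d.readInt() != 0xCAFEBABE) throw new IOException("not a class file");
        skip(d, 4);                                   // minor_version, major_version
        int count = d.readUnsignedShort();            // constant_pool_count
        List<String> found = new ArrayList<>();
        for (int i = 1; i < count; i++) {
            int tag = d.readUnsignedByte();
            switch (tag) {
                case 1: found.add(d.readUTF()); break;          // Utf8: u2 length + bytes
                case 5: case 6: skip(d, 8); i++; break;         // Long/Double use two slots
                case 15: skip(d, 3); break;                     // MethodHandle
                case 7: case 8: case 16: case 19: case 20:
                    skip(d, 2); break;                          // single u2 index
                case 3: case 4: case 9: case 10: case 11: case 12: case 17: case 18:
                    skip(d, 4); break;                          // four bytes of payload
                default: throw new IOException("unknown constant tag " + tag);
            }
        }
        return found;
    }

    public static void main(String[] args) throws IOException {
        // Audit this class's own compiled form; the source file plays no part.
        try (InputStream in =
                 ConstantPoolAudit.class.getResourceAsStream("ConstantPoolAudit.class")) {
            if (in == null) throw new IOException("compiled class file not found");
            boolean present = utf8Constants(in).contains(HARDCODED_KEY);
            System.out.println("key value stored in .class file: " + present);
        }
    }
}
```

Compile with `javac ConstantPoolAudit.java` and run `java ConstantPoolAudit` from the same directory so the compiled class file is on the classpath.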
