Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-10206

Security issue in Token Based Authentication


    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 17.12.01
    • Fix Version/s: None
    • Component/s: framework
    • Labels:


      The version I commited so far in OFBIZ-9833 has a small security issue.

      I added the JWT (JSON Web Token https://fr.wikipedia.org/wiki/JSON_Web_Token), which guarantees an exchange between 2 servers. But the way I used it did not prevent from changing the parameter externalServerLoginKey in the URL. Note that this is only possible from the server where the JWT was sent from. This is still a risk (minor) if an unauthorized and malicious person managed to gain access to the backend of the source server.

      The flaw is that I was using a query parameter in the ContextFilter. doFilter () wrapper where the JWT is created.

      I just replaced it with an autoLoginCookie reading on the source server. I would have preferred to use the session, but when creating the JWT, the session contains neither userLogin nor userLoginId. I also need the source server webapp to read the autoLoginCookie. The webapp must therefore be passed as a new parameter in the query. On the target server I use a userLoginId reading from the JWT and no longer from the request, that was the goal I missed!

      I have secured all cookies with OFBIZ-6655, so an autoLoginCookie can only be created or updated when creating the session on the source server. However, autoLoginCookies have a lifetime of one year and are not deleted during a logout. So an autoLoginCookie of another webapp (webapp passed in parameter thus modifiable in the URL) could in theory be used to force another loginUser contained in the autoLoginCookie of this other webapp.

      I think that this lifespan may make sense for frontends (ecommerce, ecomseo, webpos), which have their own logout and where I suppose this feature (from ecommerce in fact) comes to keep a customer's memory. For the backend I don't see the interest also I propose to delete autoLoginCookies to the logout on backend. For that I'll reopen and use OFBIZ-4959 that I closed as incomplete.

      I will commit an improved version in the trunk that I have tested locally with 2 different webapps but still have to test on 2 servers. I'm going to do it using the trunk demo from my machine.


          Issue Links



              • Assignee:
                jacques.le.roux Jacques Le Roux
                jacques.le.roux Jacques Le Roux
              • Votes:
                0 Vote for this issue
                2 Start watching this issue


                • Created: