Project:
| View Issue Details[ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
| ID | ||||||||
| 0032284 | ||||||||
| Type | Category | Severity | Reproducibility | Date Submitted | Last Update | |||
| defect | [Retail Modules] Web POS | minor | have not tried | 2016-02-19 10:04 | 2016-03-01 16:57 | |||
| Reporter | mtaal | View Status | public | |||||
| Assigned To | mtaal | |||||||
| Priority | normal | Resolution | fixed | Fixed in Version | ||||
| Status | closed | Fix in branch | Fixed in SCM revision | 77ea9517d878 | ||||
| Projection | none | ETA | none | Target Version | RR16Q2 | |||
| OS | Any | Database | Any | Java version | ||||
| OS Version | Database version | Ant version | ||||||
| Product Version | SCM revision | |||||||
| Review Assigned To | migueldejuana | |||||||
| Regression level | ||||||||
| Regression date | ||||||||
| Regression introduced in release | ||||||||
| Regression introduced by commit | ||||||||
| Triggers an Emergency Pack | No | |||||||
| Summary | 0032284: Mobile authentication key exported in sample data | |||||||
| Description | It was noticed that a security key was included in the retail sample data for white valley ([1]) and delivery in Q4 retail sample data module. The security key is used to encrypt authentication tokens when doing multi-server logins. It is used in combination with a custom multi-server authentication manager ([2]). The security token is stored for each client in the database in the ad_client table. It is auto-generated (random) if not present in the database. However, in this case ([1]) we already set it for white-valley as it is part of the sample data. If you have the security key, and the server uses the custom multi-server auth manager ([2]) and know how to build a security token (with client id, org id, role id, user id and timestamp), then you can create a valid authentication token and login remotely on OB server in the client for associated with the key (in this case white valley). The key we published is for white valley so helps to login into that client. It does not allow logging into other clients (which have other keys). The authentication key is only relevant when using the customer authentication manager. It does not apply to our standard/other authentication managers. [1] https://code.openbravo.com/erp/pmods/org.openbravo.retail.sampledata/diff/d1bc8d1509f3/referencedata/sampledata/The_White_Valley_Group/AD_CLIENT.xml#l1.18 [^] [2] https://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/file/tip/src/org/openbravo/mobile/core/authenticate/MobileKeyAuthenticationManager.java [^] … | |||||||
| Steps To Reproduce | check sample data AD_CLIENT.xml after export sample data | |||||||
| Proposed Solution | - remove the key from the sample data - exclude the column from being exported in sample data - hardcode in the custom authentication manager that the key we published can not be used | |||||||
| Tags | No tags attached. | |||||||
| Attached Files | ||||||||
 Relationships [ Relation Graph ]
[ Dependency Graph ]
|
|
 Relationships |
|
Notes |
|
|
(0084447) hgbot (developer) 2016-02-23 20:32 |
Repository: erp/pmods/org.openbravo.retail.sampledata Changeset: eea2e10021e6ef1a940e141e01ec3b7d45b217a8 Author: Martin Taal <martin.taal <at> openbravo.com> Date: Mon Feb 22 22:35:26 2016 +0100 URL: http://code.openbravo.com/erp/pmods/org.openbravo.retail.sampledata/rev/eea2e10021e6ef1a940e141e01ec3b7d45b217a8 [^] Related to issue 32284: Mobile authentication key exported in sample data Remove unintended exported key --- M referencedata/sampledata/The_White_Valley_Group/AD_CLIENT.xml --- |
|
(0084448) hgbot (developer) 2016-02-23 20:34 |
Repository: erp/pmods/org.openbravo.mobile.core Changeset: 77ea9517d8784fd7627af204c4e6b3fe7855160d Author: Martin Taal <martin.taal <at> openbravo.com> Date: Mon Feb 22 22:36:21 2016 +0100 URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/77ea9517d8784fd7627af204c4e6b3fe7855160d [^] Fixes issue 32284: Mobile authentication key exported in sample data Prevent export of client key in sample data, prevent using accidentally exported key --- M src/org/openbravo/mobile/core/authenticate/MobileAuthenticationKeyUtils.java A src-db/database/sourcedata/AD_DATASET_COLUMN.xml --- |
|
(0084482) hgbot (developer) 2016-02-25 08:35 |
Repository: erp/pmods/org.openbravo.mobile.core Changeset: b891665f8137e90f9370160b8f92fc5508a39acc Author: Martin Taal <martin.taal <at> openbravo.com> Date: Thu Feb 25 08:35:05 2016 +0100 URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/b891665f8137e90f9370160b8f92fc5508a39acc [^] Related to issue 32284: Mobile authentication key exported in sample data Updating copyright year --- M src/org/openbravo/mobile/core/authenticate/MobileAuthenticationKeyUtils.java --- |
|
(0084634) migueldejuana (developer) 2016-03-01 16:57 |
Reviewed |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2016-02-19 10:04 | mtaal | New Issue | |
| 2016-02-19 10:04 | mtaal | Assigned To | => mtaal |
| 2016-02-19 10:04 | mtaal | Triggers an Emergency Pack | => No |
| 2016-02-23 20:32 | hgbot | Checkin | |
| 2016-02-23 20:32 | hgbot | Note Added: 0084447 | |
| 2016-02-23 20:34 | hgbot | Checkin | |
| 2016-02-23 20:34 | hgbot | Note Added: 0084448 | |
| 2016-02-23 20:34 | hgbot | Status | new => resolved |
| 2016-02-23 20:34 | hgbot | Resolution | open => fixed |
| 2016-02-23 20:34 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/77ea9517d8784fd7627af204c4e6b3fe7855160d [^] |
| 2016-02-23 23:17 | mtaal | Review Assigned To | => migueldejuana |
| 2016-02-25 08:35 | hgbot | Checkin | |
| 2016-02-25 08:35 | hgbot | Note Added: 0084482 | |
| 2016-03-01 16:57 | migueldejuana | Note Added: 0084634 | |
| 2016-03-01 16:57 | migueldejuana | Status | resolved => closed |
|
Issue History |
| Copyright © 2000 - 2009 MantisBT Group |
 |