
This comes from this archive; I copied and updated it here to be sure to always have it on hand.

This is an outline of a few steps that should be taken to ensure that live deployed OFBiz systems do not leave open access for others to abuse.

It is not the intention to provide security advice on specific application servers as they are best researched elsewhere.

  • If you loaded the default data, ensure that you have changed the passwords or disabled the user logins for the following:
    • admin
    • flexadmin
    • demoadmin
    • ltdadmin
    • supplier

To do this, use the Party Manager (http://<host:port>/partymgr). Log in as an administrator if necessary. Click Find All to list all parties, click the desired party, scroll down to User Names and click Edit on the desired ID. ALWAYS change the password; optionally disable the account there as well. If you disable an account, leave the disabled date blank: if a disabled date is present, the account is automatically re-enabled 30 minutes after that date. (This interval is the value of login.disable.minutes in components/security/config/security.properties.)
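The same check, scripted, for deployments that load the default data from entity-engine XML files rather than editing each login in the Party Manager. This is an added example, not OFBiz project code: it assumes the data-file layout OFBiz uses (an <entity-engine-xml> root wrapping <UserLogin> elements with userLoginId, currentPassword, enabled and disabledDateTime attributes), treats a login without an explicit enabled="N" as usable, and the sample data file, password hashes and security.properties excerpt are constructed for the example.

```python
"""Audit the default OFBiz user logins in an entity-engine XML data file and
rewrite the file so they stay disabled.

Added example, not OFBiz project code.  Assumed data layout: <entity-engine-xml>
wrapping <UserLogin userLoginId=... currentPassword=... enabled=...
disabledDateTime=.../>.  A login without enabled="N" is treated as usable
(conservative assumption for an audit).
"""
import xml.etree.ElementTree as ET

# The logins the page says ship with the default data.
DEFAULT_LOGINS = {"admin", "flexadmin", "demoadmin", "ltdadmin", "supplier"}

# Constructed sample load file; the hashes are placeholders, not real values.
SAMPLE_DATA = """<entity-engine-xml>
    <UserLogin userLoginId="admin" currentPassword="{SHA}placeholder1" enabled="Y"/>
    <UserLogin userLoginId="flexadmin" currentPassword="{SHA}placeholder2" enabled="Y"/>
    <UserLogin userLoginId="demoadmin" currentPassword="{SHA}placeholder3" enabled="N"
               disabledDateTime="2009-01-01 00:00:00.000"/>
    <UserLogin userLoginId="ltdadmin" currentPassword="{SHA}placeholder4"/>
    <UserLogin userLoginId="supplier" currentPassword="{SHA}placeholder5" enabled="Y"/>
    <UserLogin userLoginId="alice.ops" currentPassword="{SHA}placeholder6" enabled="Y"/>
</entity-engine-xml>
"""

# Constructed excerpt of components/security/config/security.properties.
SAMPLE_SECURITY_PROPERTIES = """# login lockout / auto re-enable interval
login.disable.minutes=30
"""


def audit_logins(xml_text, defaults=DEFAULT_LOGINS):
    """Return {userLoginId: finding} for each default login that is still usable.

    'enabled'       -> the login is not explicitly disabled.
    'auto-reenable' -> disabled, but disabledDateTime is set, so OFBiz
                       re-enables it login.disable.minutes after that time.
    """
    findings = {}
    for ul in ET.fromstring(xml_text).iter("UserLogin"):
        uid = ul.get("userLoginId")
        if uid not in defaults:
            continue
        if ul.get("enabled", "Y") != "N":
            findings[uid] = "enabled"
        elif ul.get("disabledDateTime"):
            findings[uid] = "auto-reenable"
    return findings


def disable_logins(xml_text, defaults=DEFAULT_LOGINS):
    """Rewrite the data file: default logins get enabled="N" and no
    disabledDateTime (a blank date means the account stays disabled).
    Every other attribute and every non-default login is left untouched."""
    root = ET.fromstring(xml_text)
    for ul in root.iter("UserLogin"):
        if ul.get("userLoginId") in defaults:
            ul.set("enabled", "N")
            ul.attrib.pop("disabledDateTime", None)
    return ET.tostring(root, encoding="unicode")


def login_disable_minutes(props_text):
    """Read login.disable.minutes from a security.properties text; None if absent."""
    for line in props_text.splitlines():
        line = line.strip()
        if line.startswith("login.disable.minutes"):
            return int(line.split("=", 1)[1].strip())
    return None


if __name__ == "__main__":
    print("before:", audit_logins(SAMPLE_DATA))
    hardened = disable_logins(SAMPLE_DATA)
    print("after: ", audit_logins(hardened))
    print("login.disable.minutes =", login_disable_minutes(SAMPLE_SECURITY_PROPERTIES))
```

Disabling alone does not remove the weak default password hash; if a login is later re-enabled for any reason it is usable again, which is why the page says to ALWAYS change the password as well.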

  • Shut down unused webapps.
    OFBiz comes with a number of webapps that you may not need. Shut them down to save resources and to remove possible avenues of attack.
    To do this you may,
    • edit base/config/component-load.xml and comment out the lines for the components you do not need.
    • If you need resources from those components but do not want to make the webapps available to users, put app-bar-display="false" in the webapp section of the corresponding ofbiz-component.xml files. Note that this only hides the link in the application bar; the webapp is still deployed and reachable at its mount-point, so its access controls (base-permission and the login requirements of the webapp itself) are what actually keep users out.
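The two edits above, as a script that first inventories which webapps a given component-load.xml would actually expose and then produces the edited files. This is an added example, not OFBiz project code; it assumes the file layouts the page refers to (<load-component component-location="..."/> entries in component-load.xml, and <webapp name="..." mount-point="..." app-bar-display="..."/> entries in ofbiz-component.xml) and the sample files are constructed, trimmed down to what the example needs.

```python
"""Inventory the webapps an OFBiz install would expose and emit the two edits
the page describes: commenting a component out of component-load.xml, and
setting app-bar-display="false" on a webapp in ofbiz-component.xml.

Added example, not OFBiz project code.  Assumed layouts: <component-loader>
with <load-component component-location=.../> children, and <ofbiz-component
name=...> with <webapp name=... mount-point=... app-bar-display=.../> children.
"""
import xml.etree.ElementTree as ET

# Constructed, trimmed base/config/component-load.xml.
COMPONENT_LOAD = """<component-loader>
    <load-component component-location="../party"/>
    <load-component component-location="../ecommerce"/>
    <load-component component-location="../bi"/>
</component-loader>
"""

# Constructed ofbiz-component.xml for each component, keyed by its location.
COMPONENT_FILES = {
    "../party": """<ofbiz-component name="party">
    <webapp name="partymgr" title="Party" server="default-server"
            location="webapp/partymgr" mount-point="/partymgr"
            base-permission="OFBTOOLS,PARTYMGR"/>
</ofbiz-component>""",
    "../ecommerce": """<ofbiz-component name="ecommerce">
    <webapp name="ecommerce" title="eCommerce" server="default-server"
            location="webapp/ecommerce" mount-point="/ecommerce"
            app-bar-display="false"/>
</ofbiz-component>""",
    "../bi": """<ofbiz-component name="bi">
    <webapp name="bi" title="Business Intelligence" server="default-server"
            location="webapp/bi" mount-point="/bi"/>
</ofbiz-component>""",
}


def exposed_webapps(load_xml, component_files):
    """Return (component, webapp, mount_point, shown_in_app_bar) for every webapp
    of every loaded component.  Components that are commented out in
    component-load.xml are not parsed, so they contribute nothing; a webapp
    hidden from the app bar is still listed because it is still mounted."""
    result = []
    for lc in ET.fromstring(load_xml).iter("load-component"):
        comp = ET.fromstring(component_files[lc.get("component-location")])
        for wa in comp.iter("webapp"):
            result.append((comp.get("name"), wa.get("name"), wa.get("mount-point"),
                           wa.get("app-bar-display", "true") != "false"))
    return result


def unload_components(load_xml, unwanted):
    """Comment out the load-component lines whose location is in `unwanted`."""
    root = ET.fromstring(load_xml)
    for idx, lc in enumerate(list(root)):   # snapshot: we mutate root below
        if lc.tag == "load-component" and lc.get("component-location") in unwanted:
            tail = lc.tail
            root.remove(lc)
            comment = ET.Comment(" " + ET.tostring(lc, encoding="unicode").strip() + " ")
            comment.tail = tail
            root.insert(idx, comment)    # same position, so the file order is kept
    return ET.tostring(root, encoding="unicode")


def hide_from_app_bar(component_xml, webapps):
    """Set app-bar-display="false" on the named webapps.  They stay reachable
    at their mount-point; this only removes the link from the app bar."""
    root = ET.fromstring(component_xml)
    for wa in root.iter("webapp"):
        if wa.get("name") in webapps:
            wa.set("app-bar-display", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for row in exposed_webapps(COMPONENT_LOAD, COMPONENT_FILES):
        print(row)
    trimmed = unload_components(COMPONENT_LOAD, {"../bi"})
    print(trimmed)
    print(hide_from_app_bar(COMPONENT_FILES["../party"], {"partymgr"}))
```

Run the inventory before and after editing: a webapp that disappears from the list is gone, while one that merely flips to shown_in_app_bar=False is still mounted and must be protected by its own permissions.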

There are a few more things you should probably do:

  • Change the port from 8080 to 80.
  • Possibly add or move a webapp to respond to "/".
  • The startup log now also warns: "Started BeanShell telnet service on 9989, 9990, BeanShell service ports are not secure. Please protect the ports". Anyone who can connect to those ports gets an interactive interpreter inside the running system, so they require attention before deployment: block them at the firewall, bind them to localhost only, or do not start the service at all.
  • This page may not be up to date with the latest version of OFBiz at all times, so always be careful and check your system for other possible holes.

To think about:

  • Should the default data be changed to disable all the user logins except "admin"?
  • Maybe generate a "production" script to modify and/or remove these logins for a production site.
  • Add a brief description (or a link to one) of each webapp to assist the user in determining which ones they need and which ones they don't.