OFBiz: securing your deployment

Source: Internet | Published under: java junit unit testing | Editor: 程序博客网 (Programmer Blog Network) | Time: 2024/04/29 03:23


This is an outline of a few steps that should be taken to ensure that live deployed OFBiz systems do not leave open access for others to abuse.

This page does not give security advice for specific application servers; that topic is best researched elsewhere.

  • If you loaded the default data ensure that you have changed the passwords or disabled the user logins for the following:
    • admin
    • flexadmin
    • demoadmin
    • ltdadmin
    • supplier

To do this, use the Party Manager (http://<host:port>/partymgr). Log in as an administrator if necessary. Click Find All to list all parties, then click on the desired party. Scroll down to the user names and click Edit on the desired ID. You should ALWAYS change the password, and you may optionally disable the account from there. If you choose to disable an account, be sure to leave the disabled date blank. If a disabled date is present, the account will automatically be re-enabled 30 minutes later. (This behavior is determined by the value of login.disable.minutes, which is located in components/security/config/security.properties.)

  • Shut down unused webapps.
    OFBiz comes with a number of webapps that you may not need. You may wish to shut them down to save resources and to remove possible avenues of attack.
    To do this you may either:
    • edit base/config/component-load.xml and comment out the unneeded lines, or
    • if you need resources in those components but don't want to make them available to users, simply put app-bar-display="false" in the webapp section of the corresponding ofbiz-component.xml files.
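The two options above, shown as an added, illustrative configuration excerpt rather than files copied from OFBiz (the component names, paths and permission values are placeholders chosen for the example):

```xml
<!-- base/config/component-load.xml (illustrative excerpt)
     Option 1: a component that is commented out here is never deployed,
     so none of its webapps, services or entities are reachable at all. -->
<component-loader>
  <load-component component-location="party"/>
  <load-component component-location="accounting"/>
  <!-- not needed on this production instance: left unloaded
  <load-component component-location="example"/>
  -->
</component-loader>

<!-- <component>/ofbiz-component.xml (illustrative excerpt)
     Option 2: the component stays loaded because other components depend on
     its resources, but its webapp is hidden from the application bar.
     Note: app-bar-display="false" only removes the link; the webapp is still
     mounted at mount-point, so base-permission is what actually gates access. -->
<webapp name="example"
        title="Example"
        server="default-server"
        location="webapp/example"
        base-permission="OFBTOOLS,EXAMPLE"
        mount-point="/example"
        app-bar-display="false"/>
```

After either change, restart OFBiz and request the hidden mount point directly as an unprivileged user to confirm that it is actually unavailable, not merely unlisted.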

There are a few more things you should probably do:

  • Change the port from 8080 to 80
  • Possibly add or move a webapp to respond to "/".
  • If you uncommented the BeanShell telnet service on ports 9989 and 9990: the BeanShell service ports are not secure, so protect them; this requires attention at deployment time!
  • If you loaded the demo data, be sure to disable all user logins except "admin" and maybe "flexadmin". Be sure to change their passwords if you expose your server to the Internet.
  • This page may not be up to date with the latest version of OFBiz at all times, so you should always be careful and check your system for other possible holes.

Original source: https://cwiki.apache.org/confluence/display/OFBTECH/How+to+secure+your+deployment
