This is an outline of a few steps that should be taken to ensure that live deployed OFBiz systems do not leave open access for others to abuse.
Best security practice advice
This page does not attempt to give security advice for specific application servers; that is best researched elsewhere.
In production, never use the credentials contained in the demo data: not only the admin credentials, but all of them.
- If you ever loaded the default data, ensure that you have changed the passwords or disabled the user logins for the following:
- admin
- flexadmin
- demoadmin
- ltdadmin
- supplier
To do this, use the Party Manager (http://<host:port>/partymgr). Log in as an administrator if necessary. Click Find All to list all parties, click on the desired party, scroll down to the user names and click Edit on the desired user login ID. You should ALWAYS change the password, and you may optionally disable the account from there. If you choose to disable an account, be sure to leave the disabled date blank: if a disabled date is present, the account will automatically be re-enabled 30 minutes later. (This behavior is determined by the value of login.disable.minutes in components/security/config/security.properties.)
- Shut down unused webapps.
OFBiz comes with a number of webapps that you may not need. You may wish to shut them down to save resources and to deny possible methods of attack. To do this you may:
- Edit the component-load.xml files and comment out the unneeded lines.
- If you need resources in those components but don't want to make them available to users, simply put app-bar-display="false" in the webapp section of the corresponding ofbiz-component.xml files.
- If you intend to upload images for products, because of possible embedded webshells despite the robust OFBiz protection, you should either:
- Restrict the subdirectories of themes/common-theme/webapp/images/products to trusted users.
- Prevent security issues by making these subdirectories non-executable.
- As recommended by OWASP, a solid solution is to move the product image upload to another domain.
- More information at https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html
There are a few more things you should probably do:
- Change the ports from 8080 to 80 and 8443 to 443
- Possibly add or move a webapp to respond to "/".
- If you loaded the demo data, be sure to disable all user logins except "admin" and maybe "flexadmin". Be sure to change their passwords if you expose your server to the Internet.
- This page may not be up to date with the latest version of OFBiz at all times, therefore you should always be careful and check your system for other possible holes.
- If it exists (it is new), set afterlogin.lastvisit.show in security.properties to true.
We also recommend not using Windows Server in production, because we do not support Windows-specific security issues.
If you want to use AJP on a non-localhost OFBiz instance, you need to set the value of allowedRequestAttributesPattern in framework/catalina/ofbiz-component.xml.
Currently, in the latest release branch (i.e. 24.09), OFBiz uses SHA-1 for passwords and other security points.
With OFBIZ-10843 we have unofficially planned to move the trunk from SHA-1 to SHA-512 before 2030. Then the passwords and the rest will be much more secure.
Until then, we recommend looking at the top of the security.properties file.
We notably recommend setting the password.length.min property to at least 8,
and setting security.login.password.pattern to require at least upper and lower case letters together with special characters (e.g. !@#$%^&*, but not restricted to those, of course).
Even with SHA-512 this can't hurt.
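As an added illustration of the recommendations above (this is not code from the OFBiz project), the following Python script parses a constructed security.properties fragment and reports the settings that fall short of them; the hardened regex and the probe strings it uses are assumptions, not OFBiz defaults.

```python
import re

# Constructed sample fragment of an OFBiz security.properties file (not the
# project's shipped file); the keys are the ones discussed on this page.
SAMPLE_PROPERTIES = """\
login.disable.minutes=30
password.length.min=5
security.login.password.pattern=^.*(?=.{5,}).*$
afterlogin.lastvisit.show=false
"""

# Illustrative hardened pattern (an assumption, not OFBiz's default): at least
# 8 characters with a lower-case, an upper-case and a non-alphanumeric character.
RECOMMENDED_PATTERN = r"^(?=.*[a-z])(?=.*[A-Z])(?=.*[^A-Za-z0-9]).{8,}$"

# Probes that each lack exactly one required character class; a pattern that
# accepts a probe does not enforce that class.
PROBES = {"upper": "abcdefgh!1", "lower": "ABCDEFGH!1", "special": "Abcdefgh12"}


def parse_properties(text):
    """Minimal key=value parser for Java .properties (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return findings against the settings recommended on this page."""
    findings = []
    if int(props.get("password.length.min", "0")) < 8:
        findings.append("password.length.min is below 8")
    pattern = props.get("security.login.password.pattern", "")
    for cls, probe in PROBES.items():
        if not pattern or re.fullmatch(pattern, probe):
            findings.append(f"security.login.password.pattern does not require a {cls} character")
    if props.get("afterlogin.lastvisit.show", "false").lower() != "true":
        findings.append("afterlogin.lastvisit.show is not true")
    return findings


def accepted(pattern, password):
    """True when the password satisfies the configured pattern."""
    return re.fullmatch(pattern, password) is not None
```

Running audit(parse_properties(SAMPLE_PROPERTIES)) on the constructed fragment yields five findings; the same audit against a file using RECOMMENDED_PATTERN with password.length.min=12 and afterlogin.lastvisit.show=true yields none.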
Note that we have two different strategies for CSRF defense. See the SameSiteCookieAttribute property comments and the line below them in security.properties.