This is an outline of a few steps that should be taken to ensure that live deployed OFBiz systems do not leave open access for others to abuse.
It is not the intention to provide security advice on specific application servers as they are best researched elsewhere.
- If you loaded the default data ensure that you have changed the passwords or disabled the user logins for the following:
- admin
- flexadmin
- demoadmin
- ltdadmin
- supplier
To do this, use the Party Manager (http://<host:port>/partymgr). Log in as an administrator if necessary. Click Find All to find all parties. Click on desired party. Scroll down to user names and click edit on desired ID. You should ALWAYS change the password and optionally disable the account from there. If you choose to disable an account, be sure and leave the disabled date blank. If a disabled date is present, the account will automatically be re-enabled 30 minutes later. (This behavior is determined by the value for login.disable.minutes which is located in components/security/config/security.properties)
- Shut down unused webapps.
OFBiz comes with a number of webapps that you may not need. You may wish to shut them down to save resources and to deny possible methods of attack.
To do this you may,- edit base/config/component-load.xml and comment out the unneeded lines.
- If you need ressources in those components but don't want to make them available to user simply put app-bar-display="false" in the webapp section of corresponding ofbiz-component.xml files.
There are a few more things you should probably do:
- Change the ports from 8080 to 80 and 8443 to 443
- Possibly add or move a webapp to respond to "/".
- If you loaded the demo data be sure to disable all user logins except "admin" and maybe "flexadmin" Be sure to change their passwords if you expose your server to Internet
- This page may not be uptodate to the latest version of OFBiz at all times therefore you should always be careful and check your system for other possible holes.
- If it exists (new), set afterlogin.lastvisit.show in security.properties to true
To think about:
- Maybe generate a "production" script to modify and/or remove these logins for a production site Add a brief description (or a link to one) of each webapp to assist the user to determine which ones they need and which ones they don't.