In this chapter, you will find useful information on:
- Securing communications ports
- Disabling demonstration user accounts
- Protecting OFBiz web pages
- Creating user accounts
- Protecting applications using security groups
- Protecting views ("Tarpitting")
- Retrieving forgotten passwords
- Changing a password
- Adding or changing SSL certificates
- OFBiz web application single sign-on (the external login key)
Note
Note: if you are wondering why the screenshots in this chapter do not exactly match the out-of-the-box OFBiz web page views, then be advised that the visual theme has been changed from the default to one that makes it easier to view navigation links on backend OFBiz web applications. Managing OFBiz visual themes is discussed in Chapter 10.
In this chapter, we discuss strategies for securing your OFBiz installation and web applications ("webapps"). Such strategies take many forms allowing you, the OFBiz owner, maximum flexibility in designing and deploying the security policies that make the most sense for your business needs.
To begin with, OFBiz is distributed with a minimum of security features turned on. This is intentional to facilitate ease of initial software evaluation, customization, and testing. When your deployment requirements are known, security controls may be applied as required. While there are not many out-of-the-box security configuration settings that should be attended to before going into production, it is highly recommended that, at a minimum, you consider changing the default HyperText Transfer Protocol (HTTP) and HyperText Transfer Protocol Secure (HTTPS) communications ports and disabling demonstration login accounts.
Beyond these basic administrative security tasks, we shall also introduce in this chapter topics ranging from web page authentication settings to the use of an "external login key" to enable OFBiz web Application single sign-on.