Implements a proper way to reset the password of an OFBiz user (OFBIZ-4361)
Today there are two proposals in the OFBiz Jira: https://issues.apache.org/jira/browse/OFBIZ-4361. This task is to help review and complete these improvements.
Idea using JWT:
To keep the password update simple without adding much code to the codebase, we would like to propose a new idea as a first step.
Improve the service engine to allow the use of a JWT token to execute a given service as an authenticated user. The JWT token is generated by OFBiz with its secret and contains, in its data payload, the allowed serviceName and the userLoginId.
Given the following use case:
A user asks for a new password, giving his userLoginId.
A mail is sent with a link containing the JWT token, with the serviceName updatePassword and the userLoginId in the data payload, and a target to an OFBiz web page that requires no authentication, described below.
The user accesses the web page through the link; it presents a form containing:
- the JWT in its hidden parameters
- a field asking for the new password
- a submit button.
Submitting this form calls the updatePassword service.
Since the user is not authenticated, the service engine looks into the parameters for a token and validates it; otherwise authentication is required.
If a serviceName exists in the payload and equals the called service, the other data from the JWT payload are added to the IN attributes.
That simply allows a basic updatePassword process in trunk, which can easily be extended by customizing the URL target and the serviceName to add verification and so on.
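As an added example (not OFBiz code and not part of the proposal), the token minting and the service-engine check described above, written in Python with a hand-rolled HS256 JWT; the claim names serviceName and userLoginId follow the proposal, while the exp claim, the 15-minute lifetime and the demo secret are assumptions.

```python
# Added example, not OFBiz code: HS256 JWT for the password-reset flow.
# Claim names follow the proposal; "exp", the TTL and SECRET are assumptions.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-not-for-production"  # OFBiz would use its own secret


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_reset_token(user_login_id, service_name="updatePassword", ttl=900, now=None):
    """Token placed in the mail link: binds the user to exactly one allowed service."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"serviceName": service_name, "userLoginId": user_login_id, "exp": int(now + ttl)}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def token_to_in_attributes(token, called_service, now=None):
    """Service-engine side: extra IN attributes from the payload, or None to require auth."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        signature = _unb64url(sig_b64)
        claims = json.loads(_unb64url(payload_b64))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # the alg claim never selects a weaker check
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time signature check
        return None
    if claims.get("exp", 0) <= now:  # reset links must expire
        return None
    if claims.get("serviceName") != called_service:  # token only valid for its own service
        return None
    return {k: v for k, v in claims.items() if k not in ("serviceName", "exp")}
```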