Implemented: Remove demo secret keys from security.property and add a gradle task to generate and set the keys

build.gradle

@@ -371,10 +371,13 @@ eclipse.classpath.file.whenMerged { classpath ->
 tasks.eclipse.dependsOn(cleanEclipse)
 
 test {
+    dependsOn 'generateSecretKeys'
     useJUnit()
     jvmArgs "-javaagent:${classpath.find { it.name.contains('jmockit') }.absolutePath}"
 }
 
+processResources.mustRunAfter 'generateSecretKeys'
+
 /* ========================================================
  * Tasks
  * ======================================================== */
@@ -389,7 +392,7 @@ def sysadminGroup = 'System Administration'
 // ========== OFBiz Server tasks ==========
 
 task loadAll(group: ofbizServer) {
-    dependsOn 'ofbiz --load-data'
+    dependsOn 'generateSecretKeys', 'ofbiz --load-data'
     description 'Load default data; meant for OFBiz development, testing, and demo purposes'
 }
 
@@ -745,6 +748,33 @@ task gitInfoFooter(group: sysadminGroup, description: 'Update the Git Branch-rev
     }
 }
 
+task generateSecretKeys(group: sysadminGroup,
+        description: 'Generate cryptographically secure 512-bit (64-char) secret keys for JWT token signing and password encryption, and write them to security.properties') {
+    doLast {
+        def propertiesFile = file('framework/security/config/security.properties')
+
+        def generateAndWriteKey = { String propertyName ->
+            def keyBytes = new byte[48] // 48 bytes * 4/3 = 64 Base64 chars (no padding needed)
+            new java.security.SecureRandom().nextBytes(keyBytes)
+            def key = java.util.Base64.getEncoder().encodeToString(keyBytes)
+            def content = propertiesFile.text
+            def escapedName = propertyName.replace('.', '\\.')
+            if (content =~ /(?m)^#?${escapedName}=.*$/) {
+                content = content.replaceAll(/(?m)^#?${escapedName}=.*$/, "${propertyName}=${key}")
+            } else {
+                content += "\n${propertyName}=${key}\n"
+            }
+            propertiesFile.text = content
+        }
+
+        generateAndWriteKey('login.secret_key_string')
+        generateAndWriteKey('security.token.key')
+
+        println "New secret keys have been generated and written to framework/security/config/security.properties"
+        println "Keep these keys secret and do not commit them to version control."
+    }
+}
+
 // ========== OFBiz Plugin Management ==========
 task createPlugin(group: ofbizPlugin, description: 'create a new plugin component based on specified templates') {
     doLast {

framework/security/config/security.properties

@@ -144,7 +144,8 @@ security.login.externalLoginKey.enabled=true
 # -- Security key used to encrypt and decrypt the autogenerated password in forgot password functionality.
 #    Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
 #    The key must be 512 bits (ie 64 chars) as we use HMAC512 to create the token, cf. OFBIZ-12724
-login.secret_key_string=p2s5u8x/A?D(G+KbPeShVmYq3t6w9z$B&E)H@McQfTjWnZr4u7x!A%D*F-JaNdRg
+#    Run './gradlew generateSecretKeys' to generate a cryptographically secure random key.
+login.secret_key_string=
 
 # -- Time To Live of the token send to the external server in seconds
 security.jwt.token.expireTime=1800
@@ -159,7 +160,8 @@ security.internal.sso.enabled=false
 # -- The secret key for the JWT token signature.
 #    Read Passwords and JWT (JSON Web Tokens) usage documentation to choose the way you want to store this key
 #    The key must be 512 bits (ie 64 chars) as we use HMAC512 to create the token, cf. OFBIZ-12724
-security.token.key=%D*G-JaNdRgUkXp2s5v8y/B?E(H+MbPeShVmYq3t6w9z$C&F)J@NcRfTjWnZr4u7
+#    Run './gradlew generateSecretKeys' to generate a cryptographically secure random key.
+security.token.key=
 
 # -- Specifies the expected issuer (the "iss" claim) of JSON Web Tokens (JWTs).
 #    If this property is set, the system assumes that tokens are issued and signed by an external