cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Evgeni Kisel (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-4425) OAuth 1.0 timestamp and nonces are not validated and the validation can not be customized
Date Mon, 23 Jul 2012 14:03:34 GMT

    [ https://issues.apache.org/jira/browse/CXF-4425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420663#comment-13420663
] 

Evgeni Kisel commented on CXF-4425:
-----------------------------------

I'm sorry. I've made a quick look, seem it's fixed. Waiting for new release. 
                
> OAuth 1.0 timestamp and nonces are not validated and the validation can not be customized
> -----------------------------------------------------------------------------------------
>
>                 Key: CXF-4425
>                 URL: https://issues.apache.org/jira/browse/CXF-4425
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>    Affects Versions: 2.6.1
>            Reporter: Evgeni Kisel
>            Assignee: Sergey Beryozkin
>             Fix For: 2.6.2, 2.7.0
>
>
> It's possible to send multiple request with the same header. Actually it's a security
violation.
> Specifically, the default OAuthValidator is created per-request - this is OK for validating
that a given OAuth message contains the expected parameters and that the signature is correct,
but the default nonces cache is lost after the validation is done. Additionally, it is not
possible to customize the validation process

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message