From: "Evgeni Kisel (JIRA)"
To: issues@cxf.apache.org
Reply-To: dev@cxf.apache.org
Date: Tue, 17 Jul 2012 05:08:34 +0000 (UTC)
Message-ID: <27111865.62230.1342501714693.JavaMail.jiratomcat@issues-vm>
In-Reply-To: <1886450214.57648.1342445254490.JavaMail.jiratomcat@issues-vm>
Subject: [jira] [Commented] (CXF-4425) OAuth 1.0 timestamp and nonces are not validated and the validation can not be customized

[ https://issues.apache.org/jira/browse/CXF-4425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13415898#comment-13415898 ]

Evgeni Kisel commented on CXF-4425:
-----------------------------------

I apologize for my impudence, but could you send me a built jar for experiments, please? Also, could you clarify which release the fix will be included in, please?
> OAuth 1.0 timestamp and nonces are not validated and the validation can not be customized
> -----------------------------------------------------------------------------------------
>
>                 Key: CXF-4425
>                 URL: https://issues.apache.org/jira/browse/CXF-4425
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>    Affects Versions: 2.6.1
>            Reporter: Evgeni Kisel
>            Assignee: Sergey Beryozkin
>             Fix For: 2.6.2, 2.7.0
>
>
> It's possible to send multiple requests with the same header. Actually, it's a security violation.
> Specifically, the default OAuthValidator is created per-request. This is OK for validating that a given OAuth message contains the expected parameters and that the signature is correct, but the default nonce cache is lost after the validation is done. Additionally, it is not possible to customize the validation process.
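The quoted report describes a replay hole: a nonce cache that lives only as long as one request cannot remember anything between requests, so the same Authorization header is accepted twice. The following is an added illustration, written for this page and not taken from CXF or the ticket; it does not use CXF's OAuthValidator API. It parses a constructed OAuth 1.0 Authorization header, applies the RFC 5849 section 3.3 timestamp window and nonce-uniqueness rule against a store shared across requests, and contrasts that with the per-request store the ticket describes. `NonceStore`, `replay_check`, `parse_authorization`, the 300-second window and the sample header are all assumptions of this example.

```python
"""OAuth 1.0 timestamp/nonce replay guard (RFC 5849 section 3.3).

Added example, not CXF code. A nonce is only meaningful when the store
that remembers it outlives the request; the per-request variant below
reproduces the ticket's failure mode.
"""
import re
import time
import urllib.parse
from collections import deque

# oauth_* parameters in an "Authorization: OAuth ..." header value
_PARAM = re.compile(r'(oauth_[a-z_]+)="([^"]*)"')


def parse_authorization(header):
    """Return the oauth_* parameters of an OAuth 1.0 Authorization header."""
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    return {k: urllib.parse.unquote(v) for k, v in _PARAM.findall(rest)}


class NonceStore:
    """Nonce store meant to be shared by every request the server handles.

    A (consumer key, token, timestamp, nonce) tuple is remembered until the
    timestamp itself falls outside the acceptance window, after which a
    replay is rejected by the timestamp check and the entry can be dropped.
    The clock is injectable so the behaviour is deterministic in tests.
    """

    def __init__(self, window_seconds=300, clock=time.time):
        self.window = window_seconds
        self.clock = clock
        self._seen = set()
        self._expiry = deque()  # (expires_at, key) in insertion order

    def _evict(self, now):
        while self._expiry and self._expiry[0][0] <= now:
            _, key = self._expiry.popleft()
            self._seen.discard(key)

    def check_and_record(self, consumer_key, token, timestamp, nonce):
        now = self.clock()
        self._evict(now)
        if abs(now - timestamp) > self.window:
            return False, "timestamp outside window"
        key = (consumer_key, token, timestamp, nonce)
        if key in self._seen:
            return False, "nonce already used"
        self._seen.add(key)
        self._expiry.append((timestamp + self.window, key))
        return True, "ok"


def replay_check(store, header):
    """Validate only the timestamp/nonce part of a request; signature
    verification is a separate step and is not performed here."""
    params = parse_authorization(header)
    try:
        timestamp = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False, "missing or non-integer oauth_timestamp"
    nonce = params.get("oauth_nonce")
    if not nonce:
        return False, "missing oauth_nonce"
    return store.check_and_record(
        params.get("oauth_consumer_key", ""),
        params.get("oauth_token", ""),
        timestamp,
        nonce,
    )


# Constructed sample header; the signature value is a placeholder.
SAMPLE_HEADER = (
    'OAuth oauth_consumer_key="consumer-key-1", oauth_token="access-token-1", '
    'oauth_signature_method="HMAC-SHA1", oauth_timestamp="1342501714", '
    'oauth_nonce="nonce-001", oauth_signature="placeholder%3D", oauth_version="1.0"'
)
NOW = 1342501720  # a few seconds after the header's timestamp


def demo(now=NOW):
    """Same header sent twice against a shared store versus per-request stores."""
    shared = NonceStore(clock=lambda: now)
    shared_results = [replay_check(shared, SAMPLE_HEADER)[0] for _ in range(2)]
    # The ticket's pattern: a fresh validator, hence an empty cache, per request.
    per_request_results = [
        replay_check(NonceStore(clock=lambda: now), SAMPLE_HEADER)[0] for _ in range(2)
    ]
    return shared_results, per_request_results


if __name__ == "__main__":
    print(demo())  # ([True, False], [True, True])
```

The shared store rejects the second presentation of the header; the per-request stores accept both, which is exactly the "multiple requests with the same header" behaviour reported. Any real deployment also needs the store to be shared across server instances (a database or distributed cache) or replay only has to be aimed at a different node.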