cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CXF-5561) AccessTokenValidatorService is not secure
Date Thu, 13 Feb 2014 13:28:19 GMT

     [ https://issues.apache.org/jira/browse/CXF-5561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Sergey Beryozkin resolved CXF-5561.
-----------------------------------

    Resolution: Fixed
      Assignee: Sergey Beryozkin

> AccessTokenValidatorService is not secure
> -----------------------------------------
>
>                 Key: CXF-5561
>                 URL: https://issues.apache.org/jira/browse/CXF-5561
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>            Reporter: Sergey Beryozkin
>            Assignee: Sergey Beryozkin
>             Fix For: 3.0.0-milestone2, 2.7.11
>
>
> AccessTokenValidatorService is a simple JAX-RS service which accepts validation requests
remotely and delegates the actual validation to the super-class it extends, after validating
the token it returns an internal token representation to the remote OAuthRequestFilter which
does some more validation.
> The fundamental problem with AccessTokenValidatorService is that it expects the 3rd party
client authorization credentials passed in as Authorization header so if the bad client which
stole the access token and somehow invokes directly on AccessTokenValidatorService then it
will get the internal token state back.
> I'm not marking it as Critical because this service can easily be replaced.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Mime
View raw message