[
https://issues.apache.org/jira/browse/JUDDI-559?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alex O'Ree updated JUDDI-559:
-----------------------------
Attachment: ExpiringAuthTokens.patch
This patch covers the functionality, but without any unit tests
> Authentication Tokens do not expire
> -----------------------------------
>
> Key: JUDDI-559
> URL: https://issues.apache.org/jira/browse/JUDDI-559
> Project: jUDDI
> Issue Type: Bug
> Affects Versions: 3.1.4
> Reporter: Alex O'Ree
> Assignee: Kurt T Stam
> Labels: authentication, security
> Attachments: ExpiringAuthTokens.patch
>
>
> This is a potential security vulnerability. Tokens issued by the Security API
> do not expire. This increases the chances if a token could be obtained
> through a man in the middle attack or through session hijacking that the
> stolen token could be used to impersonate the user.
> Suggestion, assign expiration timestamps to tokens that is administrator
> configurable. Default setting should be about 15 minutes.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
