[
https://issues.apache.org/jira/browse/JUDDI-559?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kurt T Stam updated JUDDI-559:
------------------------------
Fix Version/s: 3.1.5
Issue Type: Improvement (was: Bug)
> Authentication Tokens do not expire
> -----------------------------------
>
> Key: JUDDI-559
> URL: https://issues.apache.org/jira/browse/JUDDI-559
> Project: jUDDI
> Issue Type: Improvement
> Affects Versions: 3.1.4
> Reporter: Alex O'Ree
> Assignee: Kurt T Stam
> Labels: authentication, security
> Fix For: 3.1.5
>
> Attachments: ExpiringAuthTokens.patch
>
>
> This is a potential security vulnerability. Tokens issued by the Security API
> do not expire. This increases the chances if a token could be obtained
> through a man in the middle attack or through session hijacking that the
> stolen token could be used to impersonate the user.
> Suggestion, assign expiration timestamps to tokens that is administrator
> configurable. Default setting should be about 15 minutes.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
