[
https://issues.apache.org/jira/browse/JUDDI-559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13591812#comment-13591812
]
Kurt T Stam commented on JUDDI-559:
-----------------------------------
Hi Alex,
Thanks for the patch! I have two questions for you:
1. Why did you change the create and update fields on AuthToken from util.Date
to GregorianCalendar?
2. Rather than adding the expiration column in AuthToken, I think checking if
the token is older than whatever the node-wide policy is would not be less
performant. And this would not require any changes to the database (which is
always preferable for existing installs).
3. http://uddi.org/pubs/uddi_v3.htm#_Toc85908115 states that token expiration
is an optional feature, and I think default behavior should probably not expire
tokens. Which actually aligns with the patch where you add the 15 min to each
juddiv3.properties files.
There is no need to revise your patch, I can do that, I just want to understand
your reasoning.
Thanks,
--Kurt
> Authentication Tokens do not expire
> -----------------------------------
>
> Key: JUDDI-559
> URL: https://issues.apache.org/jira/browse/JUDDI-559
> Project: jUDDI
> Issue Type: Bug
> Affects Versions: 3.1.4
> Reporter: Alex O'Ree
> Assignee: Kurt T Stam
> Labels: authentication, security
> Attachments: ExpiringAuthTokens.patch
>
>
> This is a potential security vulnerability. Tokens issued by the Security API
> do not expire. This increases the chances that a token obtained
> through a man-in-the-middle attack or through session hijacking could be used
> to impersonate the user.
> Suggestion: assign expiration timestamps to tokens that are administrator
> configurable. The default setting should be about 15 minutes.