[ https://issues.apache.org/jira/browse/JUDDI-559?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kurt T Stam resolved JUDDI-559.
-------------------------------
Resolution: Fixed
Thanks Alex,
I have applied the patch. I changed the patch slightly by adding expiration of
old age (as well as expiration by timeout). Expiration is turned off by
default, but expiration by timeout is set to 15 minutes in the
juddiv3.properties files we ship.
--Kurt
> Authentication Tokens do not expire
> -----------------------------------
>
> Key: JUDDI-559
> URL: https://issues.apache.org/jira/browse/JUDDI-559
> Project: jUDDI
> Issue Type: Improvement
> Affects Versions: 3.1.4
> Reporter: Alex O'Ree
> Assignee: Kurt T Stam
> Labels: authentication, security
> Fix For: 3.1.5
>
> Attachments: ExpiringAuthTokens.patch, revised Expiration patch.patch
>
>
> This is a potential security vulnerability. Tokens issued by the Security API
> do not expire. This increases the chances that, if a token could be obtained
> through a man-in-the-middle attack or through session hijacking, the
> stolen token could be used to impersonate the user.
> Suggestion: assign expiration timestamps to tokens that are administrator
> configurable. The default setting should be about 15 minutes.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira