Colm O hEigeartaigh created WSS-584:
---------------------------------------
Summary: Don't create ReplayCache instances internally
Key: WSS-584
URL: https://issues.apache.org/jira/browse/WSS-584
Project: WSS4J
Issue Type: Improvement
Affects Versions: 2.1.6, 2.0.8
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 2.2.0, 2.0.9, 2.1.7
We support creating ReplayCache instances to detect replay attacks for signed
Timestamps, SAML (one-time-use) + UsernameToken nonces. The ReplayCache
instances should be created externally and set on the RequestData Object for
verification.
However, if the caches are enabled (by boolean methods on RequestData), and no
caches are actually specified, we end up creating new instances internally.
However, as these are not stored for the next request, we end up with a load of
open cache instances (on each request).
The fix is not to create the ReplayCache instances internally. It's up to the
calling code to manage them.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
