[ https://issues.apache.org/jira/browse/CXF-4425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13415132#comment-13415132 ]

Sergey Beryozkin commented on CXF-4425:
---------------------------------------

> 1. I send the request to the Service Provider and also sniff it (get all
> authorization data from the header element)

You mean you can sniff it over HTTP? This is not something CXF can prevent,
so please use HTTPS, for example.
The only thing that OAuth 1.0 can do is to provide the signature, which is
indeed provided and validated on the server.
Or do you mean something else?
 
> 2. Send another request with the same data (nonce, timestamp and so on).

AFAIK, the client code will create a new nonce and timestamp for every request.
I guess the timestamp might be the same across a couple of requests going
immediately one after another, but the nonce should be per-request specific.
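To make the nonce/timestamp point concrete from the server's side, here is a replay check of the kind a Service Provider needs on top of signature validation. This is an added illustration, not CXF's code and not its API: the names ReplayGuard, parse_oauth_header and verify_request, the 300-second window and the consumer key, nonce and signature values in the sample header are all assumptions for this example. Signature verification alone confirms who built the header; only remembering (consumer key, nonce, timestamp) triples turns a re-sent header into a rejected request.

```python
import re
from urllib.parse import unquote
from typing import Dict, Tuple

# Constructed sample Authorization header; the key, nonce and signature
# values are made up for this example and are not from the CXF issue.
SAMPLE_HEADER = (
    'OAuth oauth_consumer_key="example-key", oauth_nonce="kllo9940pd9333jh", '
    'oauth_signature_method="HMAC-SHA1", oauth_timestamp="1000000000", '
    'oauth_signature="sig%2Fplaceholder%3D", oauth_version="1.0"'
)

_PARAM_RE = re.compile(r'([A-Za-z0-9_]+)="([^"]*)"')


def parse_oauth_header(header: str) -> Dict[str, str]:
    """Parse an OAuth 1.0 Authorization header into a dict of decoded parameters."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0 Authorization header")
    return {k: unquote(v) for k, v in _PARAM_RE.findall(header[len("OAuth "):])}


class ReplayGuard:
    """Remembers (consumer_key, nonce, timestamp) triples inside a time window.

    A valid signature proves that the holder of the consumer secret built the
    header, but says nothing about whether the same header was sent before;
    the nonce store is what makes a replayed header fail.
    """

    def __init__(self, window_seconds: int = 300) -> None:
        self.window_seconds = window_seconds
        self._seen: Dict[Tuple[str, str, int], int] = {}

    def check(self, consumer_key: str, nonce: str, timestamp: int, now: int) -> Tuple[bool, str]:
        # Stale or far-future timestamps are rejected outright; this bounds how
        # long nonces have to be remembered.
        if abs(now - timestamp) > self.window_seconds:
            return False, "timestamp outside acceptable window"
        triple = (consumer_key, nonce, timestamp)
        if triple in self._seen:
            return False, "nonce already used (replay)"
        self._seen[triple] = timestamp
        self._prune(now)
        return True, "ok"

    def _prune(self, now: int) -> None:
        # Drop entries older than the window; anything that old fails the
        # timestamp check anyway, so it no longer needs to be remembered.
        cutoff = now - self.window_seconds
        for triple in [t for t, ts in self._seen.items() if ts < cutoff]:
            del self._seen[triple]


def verify_request(guard: ReplayGuard, header: str, now: int) -> Tuple[bool, str]:
    """Run the replay check on one incoming request's Authorization header."""
    params = parse_oauth_header(header)
    try:
        timestamp = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed oauth_timestamp"
    consumer_key = params.get("oauth_consumer_key", "")
    nonce = params.get("oauth_nonce", "")
    if not consumer_key or not nonce:
        return False, "missing oauth_consumer_key or oauth_nonce"
    # Signature verification is assumed to have already passed before this
    # point; it is deliberately out of scope for this example.
    return guard.check(consumer_key, nonce, timestamp, now)


if __name__ == "__main__":
    guard = ReplayGuard(window_seconds=300)
    now = 1000000010
    print(verify_request(guard, SAMPLE_HEADER, now))   # first delivery: accepted
    print(verify_request(guard, SAMPLE_HEADER, now))   # same header again: rejected
    fresh = SAMPLE_HEADER.replace('oauth_nonce="kllo9940pd9333jh"', 'oauth_nonce="8a1f3c"')
    print(verify_request(guard, fresh, now))           # same timestamp, new nonce: accepted
```

The third call shows the case the reply describes: two requests close together may legitimately share a timestamp, so the store has to key on the nonce as well, not on the timestamp alone. In a clustered deployment the in-memory dict would be replaced by a shared store with the same window-based expiry.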
> [OAuth] enable to send multiple requests with the same header
> -------------------------------------------------------------
>
>                 Key: CXF-4425
>                 URL: https://issues.apache.org/jira/browse/CXF-4425
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 2.6.1
>            Reporter: Evgeni Kisel
>
> It's possible to send multiple requests with the same header. Actually it's a
> security violation.
