[ https://issues.apache.org/jira/browse/CXF-4425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin updated CXF-4425:
----------------------------------

      Component/s: JAX-RS
      Description: 
It's possible to send multiple requests with the same header. Actually it's a 
security violation.

Specifically, the default OAuthValidator is created per-request - this is OK 
for validating that a given OAuth message contains the expected parameters and 
that the signature is correct, but the default nonces cache is lost after the 
validation is done. Additionally, it is not possible to customize the 
validation process.

  was:It's possible to send multiple requests with the same header. Actually 
it's a security violation.

    Fix Version/s: 2.7.0
                   2.6.2
         Assignee: Sergey Beryozkin
          Summary: OAuth 1.0 timestamp and nonces are not validated and the 
validation can not be customized (was: [OAuth] enable to send multiple 
requests with the same header)
    
> OAuth 1.0 timestamp and nonces are not validated and the validation can not 
> be customized
> -----------------------------------------------------------------------------------------
>
>                 Key: CXF-4425
>                 URL: https://issues.apache.org/jira/browse/CXF-4425
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>    Affects Versions: 2.6.1
>            Reporter: Evgeni Kisel
>            Assignee: Sergey Beryozkin
>             Fix For: 2.6.2, 2.7.0
>
>
> It's possible to send multiple requests with the same header. Actually it's a 
> security violation.
> Specifically, the default OAuthValidator is created per-request - this is OK 
> for validating that a given OAuth message contains the expected parameters 
> and that the signature is correct, but the default nonces cache is lost after 
> the validation is done. Additionally, it is not possible to customize the 
> validation process.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
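The replay check the issue asks for, as an added Python example that is not CXF's own code: a nonce cache that outlives the individual request, combined with a timestamp window so that old nonces can be evicted. It assumes a single-process in-memory store (a clustered deployment would need a shared one) and a 300-second clock-skew window.

```python
import threading
import time

# Replay protection for OAuth 1.0 (RFC 5849, section 3.3): the server must
# remember recently seen nonces so the same (consumer key, token, nonce) is
# never accepted twice. The cache has to outlive a single request; a cache
# created per request, as in the issue, forgets every nonce it saw.
MAX_CLOCK_SKEW = 300  # seconds a client timestamp may deviate from server time


class NonceStore:
    """Thread-safe, process-wide nonce cache with time-based eviction."""

    def __init__(self, window=MAX_CLOCK_SKEW):
        self.window = window
        self._seen = {}  # (consumer_key, token, nonce) -> timestamp
        self._lock = threading.Lock()

    def __len__(self):
        return len(self._seen)

    def _evict(self, now):
        # Timestamps older than the window are rejected before the cache is
        # consulted, so their nonces no longer need to be remembered.
        for key in [k for k, ts in self._seen.items() if now - ts > self.window]:
            del self._seen[key]

    def check_and_record(self, consumer_key, token, nonce, timestamp, now=None):
        """Return None if the request is fresh, otherwise a rejection reason.

        A fresh nonce is recorded, so a second identical call is a replay.
        """
        now = time.time() if now is None else now
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return "oauth_timestamp is not an integer"
        if ts <= 0 or abs(now - ts) > self.window:
            return "oauth_timestamp outside the allowed window"
        if not nonce:
            return "oauth_nonce is missing"
        key = (consumer_key, token or "", nonce)  # token is absent for request-token calls
        with self._lock:
            self._evict(now)
            if key in self._seen:
                return "oauth_nonce already used (replay)"
            self._seen[key] = ts
        return None
```

Creating a fresh `NonceStore()` for every request reproduces the bug: each instance accepts the same header again, since nothing remembers the nonce between validations.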
