[ https://issues.apache.org/jira/browse/CXF-4425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13415361#comment-13415361 ]

Sergey Beryozkin commented on CXF-4425:
---------------------------------------

Evgeni, indeed, there was a bug to do with the per-request instantiation of the 
default validators, thanks for catching it.

I believe that it has been fixed now, see 
http://svn.apache.org/viewvc?rev=1362114&view=rev (trunk)
http://svn.apache.org/viewvc?rev=1362118&view=rev (2.6.x)

Note that the way nonces are kept/managed can be customized by extending CXF 
DefaultOAuthValidator (or net.oauth.SimpleOAuthValidator) and overriding its 
"validateNonce(OAuthMessage message, long timestamp, long currentTimeMsec)" 
method. RequestTokenService, AccessTokenService and OAuthRequestFilter all have 
a 'setValidator' method now that can be used to inject a custom validator.

Can you experiment with the updated source (snapshots should be ready shortly - 
check the timestamps just in case, or build from the source)?

> OAuth 1.0 timestamp and nonces are not validated and the validation can not 
> be customized
> -----------------------------------------------------------------------------------------
>
>                 Key: CXF-4425
>                 URL: https://issues.apache.org/jira/browse/CXF-4425
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>    Affects Versions: 2.6.1
>            Reporter: Evgeni Kisel
>            Assignee: Sergey Beryozkin
>             Fix For: 2.6.2, 2.7.0
>
>
> It's possible to send multiple requests with the same header. Actually it's a 
> security violation.
> Specifically, the default OAuthValidator is created per-request - this is OK 
> for validating that a given OAuth message contains the expected parameters 
> and that the signature is correct, but the default nonces cache is lost after 
> the validation is done. Additionally, it is not possible to customize the 
> validation process.

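The customization Sergey describes above (extending net.oauth.SimpleOAuthValidator and overriding validateNonce, then injecting the result through setValidator) as an added illustration; this is not code from CXF or from the issue. It assumes the net.oauth API (SimpleOAuthValidator, OAuthMessage.getParameter, OAuth.Problems.NONCE_USED) and the class name ReplayGuardingValidator is invented here.

```java
import java.io.IOException;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import net.oauth.OAuth;
import net.oauth.OAuthMessage;
import net.oauth.OAuthProblemException;
import net.oauth.SimpleOAuthValidator;

/**
 * Nonce validator whose used-nonce store is a single static map, so a replayed
 * nonce is rejected even if the container creates more than one validator
 * instance (the per-request instantiation problem reported in CXF-4425).
 */
public class ReplayGuardingValidator extends SimpleOAuthValidator {

    // Remember a nonce only while its timestamp is inside this window; older
    // entries are purged so the map cannot grow without bound.
    private static final long MAX_NONCE_AGE_MSEC = 5 * 60 * 1000L;

    // key -> OAuth timestamp (seconds) at which the nonce was first accepted
    private static final Map<String, Long> USED = new ConcurrentHashMap<String, Long>();

    @Override
    protected void validateNonce(OAuthMessage message, long timestamp, long currentTimeMsec)
            throws IOException, OAuthProblemException {
        purgeExpired(currentTimeMsec);
        // Scope the nonce to consumer key and token, as SimpleOAuthValidator does,
        // so two different clients may legitimately pick the same random value.
        String key = message.getParameter(OAuth.OAUTH_CONSUMER_KEY) + '\u0000'
                + message.getParameter(OAuth.OAUTH_TOKEN) + '\u0000'
                + message.getParameter(OAuth.OAUTH_NONCE);
        // putIfAbsent is atomic: two concurrent replays cannot both pass.
        if (USED.putIfAbsent(key, timestamp) != null) {
            throw new OAuthProblemException(OAuth.Problems.NONCE_USED);
        }
    }

    // Drop nonces whose timestamp is older than the window; validateTimestamp
    // already rejects such stale requests before validateNonce is reached.
    private static void purgeExpired(long currentTimeMsec) {
        long oldest = (currentTimeMsec - MAX_NONCE_AGE_MSEC) / 1000L;
        for (Iterator<Map.Entry<String, Long>> it = USED.entrySet().iterator(); it.hasNext();) {
            if (it.next().getValue() < oldest) {
                it.remove();
            }
        }
    }
}
```

Wire it in with the setValidator method mentioned above, e.g. on the OAuthRequestFilter instance; a static map only covers one JVM, so a clustered deployment would back the same override with a shared store instead.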
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
