[
https://issues.apache.org/jira/browse/CXF-4425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13416040#comment-13416040
]
Sergey Beryozkin commented on CXF-4425:
---------------------------------------
Fix will be available in CXF 2.6.2 and 2.7.0
Keep an eye on the following build, the last one hanged:
https://builds.apache.org/job/CXF-2.6-deploy/
You can also build by checking out the source, and doing 'mvn -Pfastinstall' in
the trunk and then building the trunk/distribution, there's a profile for
building it all in one go too. It will take 15 mins for the whole process to
complete.
> OAuth 1.0 timestamp and nonces are not validated and the validation can not
> be customized
> -----------------------------------------------------------------------------------------
>
> Key: CXF-4425
> URL: https://issues.apache.org/jira/browse/CXF-4425
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS, JAX-RS Security
> Affects Versions: 2.6.1
> Reporter: Evgeni Kisel
> Assignee: Sergey Beryozkin
> Fix For: 2.6.2, 2.7.0
>
>
> It's possible to send multiple request with the same header. Actually it's a
> security violation.
> Specifically, the default OAuthValidator is created per-request - this is OK
> for validating that a given OAuth message contains the expected parameters
> and that the signature is correct, but the default nonces cache is lost after
> the validation is done. Additionally, it is not possible to customize the
> validation process
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
