[
https://issues.apache.org/jira/browse/CXF-4425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420663#comment-13420663
]
Evgeni Kisel edited comment on CXF-4425 at 7/23/12 2:03 PM:
------------------------------------------------------------
I've had a quick look; it seems to be fixed. Waiting for the new release.
was (Author: evgeni_kisel):
I'm sorry. I've had a quick look; it seems to be fixed. Waiting for the new
release.
> OAuth 1.0 timestamp and nonces are not validated and the validation cannot
> be customized
> -----------------------------------------------------------------------------------------
>
> Key: CXF-4425
> URL: https://issues.apache.org/jira/browse/CXF-4425
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS, JAX-RS Security
> Affects Versions: 2.6.1
> Reporter: Evgeni Kisel
> Assignee: Sergey Beryozkin
> Fix For: 2.6.2, 2.7.0
>
>
> It's possible to send multiple requests with the same header. Actually, it's a
> security violation.
> Specifically, the default OAuthValidator is created per request. This is OK
> for validating that a given OAuth message contains the expected parameters
> and that the signature is correct, but the default nonces cache is lost after
> the validation is done. Additionally, it is not possible to customize the
> validation process.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira