You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cxf.apache.org by "Sergey Beryozkin (JIRA)" <ji...@apache.org> on 2014/02/13 14:28:19 UTC

[jira] [Resolved] (CXF-5561) AccessTokenValidatorService is not secure

     [ https://issues.apache.org/jira/browse/CXF-5561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin resolved CXF-5561.
-----------------------------------

    Resolution: Fixed
      Assignee: Sergey Beryozkin

> AccessTokenValidatorService is not secure
> -----------------------------------------
>
>                 Key: CXF-5561
>                 URL: https://issues.apache.org/jira/browse/CXF-5561
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>            Reporter: Sergey Beryozkin
>            Assignee: Sergey Beryozkin
>             Fix For: 3.0.0-milestone2, 2.7.11
>
>
> AccessTokenValidatorService is a simple JAX-RS service which accepts validation requests remotely and delegates the actual validation to the super-class it extends, after validating the token it returns an internal token representation to the remote OAuthRequestFilter which does some more validation.
> The fundamental problem with AccessTokenValidatorService is that it expects the 3rd party client authorization credentials passed in as Authorization header so if the bad client which stole the access token and somehow invokes directly on AccessTokenValidatorService then it will get the internal token state back.
> I'm not marking it as Critical because this service can easily be replaced.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)