You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@juddi.apache.org by "Alex O'Ree (JIRA)" <ju...@ws.apache.org> on 2013/03/02 05:03:13 UTC

[jira] [Updated] (JUDDI-559) Authentication Tokens do not expire

     [ https://issues.apache.org/jira/browse/JUDDI-559?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex O'Ree updated JUDDI-559:
-----------------------------

    Attachment: ExpiringAuthTokens.patch

This patch covers the functionality, but without any unit tests
                
> Authentication Tokens do not expire
> -----------------------------------
>
>                 Key: JUDDI-559
>                 URL: https://issues.apache.org/jira/browse/JUDDI-559
>             Project: jUDDI
>          Issue Type: Bug
>    Affects Versions: 3.1.4
>            Reporter: Alex O'Ree
>            Assignee: Kurt T Stam
>              Labels: authentication, security
>         Attachments: ExpiringAuthTokens.patch
>
>
> This is a potential security vulnerability. Tokens issued by the Security API do not expire. This increases the chances if a token could be obtained through a man in the middle attack or through session hijacking that the stolen token could be used to impersonate the user.
> Suggestion, assign expiration timestamps to tokens that is administrator configurable. Default setting should be about 15 minutes.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira