You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@juddi.apache.org by "Alex O'Ree (JIRA)" <ju...@ws.apache.org> on 2013/03/02 05:03:13 UTC
[jira] [Updated] (JUDDI-559) Authentication Tokens do not expire
[ https://issues.apache.org/jira/browse/JUDDI-559?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex O'Ree updated JUDDI-559:
-----------------------------
Attachment: ExpiringAuthTokens.patch
This patch covers the functionality, but without any unit tests
> Authentication Tokens do not expire
> -----------------------------------
>
> Key: JUDDI-559
> URL: https://issues.apache.org/jira/browse/JUDDI-559
> Project: jUDDI
> Issue Type: Bug
> Affects Versions: 3.1.4
> Reporter: Alex O'Ree
> Assignee: Kurt T Stam
> Labels: authentication, security
> Attachments: ExpiringAuthTokens.patch
>
>
> This is a potential security vulnerability. Tokens issued by the Security API do not expire. This increases the chances if a token could be obtained through a man in the middle attack or through session hijacking that the stolen token could be used to impersonate the user.
> Suggestion, assign expiration timestamps to tokens that is administrator configurable. Default setting should be about 15 minutes.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira