Posted to issues@cxf.apache.org by "Sergey Beryozkin (JIRA)" <ji...@apache.org> on 2012/07/16 18:35:34 UTC

[jira] [Commented] (CXF-4425) OAuth 1.0 timestamp and nonces are not validated and the validation can not be customized

    [ https://issues.apache.org/jira/browse/CXF-4425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13415361#comment-13415361 ] 

Sergey Beryozkin commented on CXF-4425:
---------------------------------------

Evgeni, indeed, there was a bug to do with the per-request instantiation of the default validators, thanks for catching it.

I believe that it has been fixed now, see 
http://svn.apache.org/viewvc?rev=1362114&view=rev (trunk)
http://svn.apache.org/viewvc?rev=1362118&view=rev (2.6.x)

Note that the way nonces are kept/managed can be customized by extending CXF DefaultOAuthValidator (or net.oauth.SimpleOAuthValidator) and overriding its "validateNonce(OAuthMessage message, long timestamp, long currentTimeMsec)" method. RequestTokenService, AccessTokenService and OAuthRequestFilter all have a 'setValidator' method now that can be used to inject a custom validator.

Can you experiment with the updated source (snapshots should be ready shortly - check the timestamps just in case, or build from the source)?

> OAuth 1.0 timestamp and nonces are not validated and the validation can not be customized
> -----------------------------------------------------------------------------------------
>
>                 Key: CXF-4425
>                 URL: https://issues.apache.org/jira/browse/CXF-4425
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>    Affects Versions: 2.6.1
>            Reporter: Evgeni Kisel
>            Assignee: Sergey Beryozkin
>             Fix For: 2.6.2, 2.7.0
>
>
> It's possible to send multiple requests with the same header. Actually it's a security violation.
> Specifically, the default OAuthValidator is created per-request - this is OK for validating that a given OAuth message contains the expected parameters and that the signature is correct, but the default nonces cache is lost after the validation is done. Additionally, it is not possible to customize the validation process.
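The customization described in the comment above (extend net.oauth.SimpleOAuthValidator, override validateNonce, inject the instance with setValidator), as an added example that is not code from the CXF project or from this issue. It assumes the net.oauth classes named on the page plus OAuthMessage.getParameter/getConsumerKey/getToken, the OAuth.OAUTH_NONCE constant and the OAuth.Problems error codes; the class name SharedNonceOAuthValidator and the five-minute window constant are the example's own. The point it demonstrates is the one the bug is about: the nonce cache has to live in a single validator instance that outlives the request, and the cache must retain a nonce for at least as long as the timestamp window accepts it.

```java
// Added example, not CXF or net.oauth code. Rejects replayed OAuth 1.0 requests by
// remembering (consumer key, token, timestamp, nonce) tuples across requests.
import java.io.IOException;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import net.oauth.OAuth;
import net.oauth.OAuthMessage;
import net.oauth.OAuthProblemException;
import net.oauth.SimpleOAuthValidator;

public class SharedNonceOAuthValidator extends SimpleOAuthValidator {

    // Assumption: mirrors the default 5-minute timestamp window. Keep this at least
    // as large as the superclass's timestamp window, otherwise a nonce could be
    // evicted while the request that carried it would still be accepted.
    private static final long MAX_TIMESTAMP_AGE_MSEC = 5 * 60 * 1000L;

    // Process-wide cache: key -> oauth_timestamp (seconds). It only protects against
    // replays if ONE instance of this validator is shared by all requests, which is
    // what setValidator(...) on the CXF services/filter gives you.
    private final Map<String, Long> seen = new ConcurrentHashMap<String, Long>();

    @Override
    protected void validateNonce(OAuthMessage message, long timestamp, long currentTimeMsec)
            throws IOException, OAuthProblemException {
        String nonce = message.getParameter(OAuth.OAUTH_NONCE);
        if (nonce == null || nonce.length() == 0) {
            throw new OAuthProblemException(OAuth.Problems.PARAMETER_ABSENT);
        }
        // The spec requires the nonce to be unique per consumer/token/timestamp,
        // so the cache key includes all of them; '\n' cannot occur in the values.
        String key = message.getConsumerKey() + '\n' + message.getToken() + '\n'
                + timestamp + '\n' + nonce;

        // putIfAbsent is atomic, so two concurrent copies of the same request
        // cannot both pass: exactly one of them sees "previous == null".
        Long previous = seen.putIfAbsent(key, Long.valueOf(timestamp));
        if (previous != null) {
            throw new OAuthProblemException(OAuth.Problems.NONCE_USED);
        }
        evictExpired(currentTimeMsec);
    }

    // Drop entries whose timestamp is already too old to pass the superclass's
    // timestamp check; a replay of those is rejected by that check, not by us.
    private void evictExpired(long currentTimeMsec) {
        // oauth_timestamp is in seconds; subtract one more second to stay on the
        // safe side of any rounding in the superclass's window computation.
        long cutoffSec = (currentTimeMsec - MAX_TIMESTAMP_AGE_MSEC) / 1000L - 1;
        Iterator<Map.Entry<String, Long>> it = seen.entrySet().iterator();
        while (it.hasNext()) {
            if (it.next().getValue().longValue() < cutoffSec) {
                it.remove();
            }
        }
    }

    // Exposed for monitoring/tests: how many live nonces are currently tracked.
    public int trackedNonceCount() {
        return seen.size();
    }
}
```

Wire one instance into each entry point, e.g. `filter.setValidator(new SharedNonceOAuthValidator())` for OAuthRequestFilter and likewise for RequestTokenService and AccessTokenService; creating a new validator per request would reintroduce exactly the bug this issue reports. The eviction scan is linear in the number of tracked nonces, which is fine for a five-minute window at moderate request rates; for a multi-node deployment the map would have to be replaced by a store shared between nodes, since an in-memory cache only detects replays that hit the same JVM.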
