Posted to dev@juddi.apache.org by "Kurt T Stam (JIRA)" <ju...@ws.apache.org> on 2013/03/03 19:03:15 UTC

[jira] [Commented] (JUDDI-559) Authentication Tokens do not expire

    [ https://issues.apache.org/jira/browse/JUDDI-559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13591812#comment-13591812 ] 

Kurt T Stam commented on JUDDI-559:
-----------------------------------

Hi Alex,

Thanks for the patch! I have two questions for you:

1. Why did you change the create and update fields on AuthToken from util.Date to GregorianCalendar?

2. Rather than adding the expiration column in AuthToken, I think checking if the token is older than whatever the node-wide policy is, is not less performant. And this would not require any changes to the database (which is always preferable for existing installs).

3. http://uddi.org/pubs/uddi_v3.htm#_Toc85908115 states that token expiration is an optional feature, and I think default behavior should probably not expire tokens. Which actually aligns with the patch where you add the 15 min to each juddiv3.properties file.

There is no need to revise your patch, I can do that, I just want to understand your reasoning.

Thanks,

--Kurt
                
> Authentication Tokens do not expire
> -----------------------------------
>
>                 Key: JUDDI-559
>                 URL: https://issues.apache.org/jira/browse/JUDDI-559
>             Project: jUDDI
>          Issue Type: Bug
>    Affects Versions: 3.1.4
>            Reporter: Alex O'Ree
>            Assignee: Kurt T Stam
>              Labels: authentication, security
>         Attachments: ExpiringAuthTokens.patch
>
>
> This is a potential security vulnerability. Tokens issued by the Security API do not expire. This increases the chances that, if a token could be obtained through a man-in-the-middle attack or through session hijacking, the stolen token could be used to impersonate the user.
> Suggestion: assign expiration timestamps to tokens that are administrator configurable. Default setting should be about 15 minutes.
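The approach Kurt describes above (comparing a token's existing update timestamp against a node-wide policy instead of adding an expiration column, with expiry switched off by default as the UDDI v3 spec allows) as an added example; this is not jUDDI's code, and `TokenRecord`, `TokenExpiryPolicy` and `validateAndTouch` are hypothetical names. The example assumes the token's `lastUsed` field is refreshed on every successful use, so the policy acts as an idle timeout.

```java
import java.util.Date;
import java.util.concurrent.TimeUnit;

// Hypothetical token record with the create/update fields Kurt mentions; not jUDDI's AuthToken.
final class TokenRecord {
    final String authInfo;
    final Date created;
    Date lastUsed;

    TokenRecord(String authInfo, Date created) {
        this.authInfo = authInfo;
        this.created = created;
        this.lastUsed = created;
    }
}

final class TokenExpiryPolicy {
    // Node-wide policy in minutes; 0 means tokens never expire (the "expiration is optional" default).
    private final long expiryMinutes;

    TokenExpiryPolicy(long expiryMinutes) {
        if (expiryMinutes < 0) throw new IllegalArgumentException("expiry must be >= 0");
        this.expiryMinutes = expiryMinutes;
    }

    // Returns true when the token is still valid at 'now' and refreshes its update timestamp.
    // No schema change is needed: only the existing timestamp and the policy are consulted.
    boolean validateAndTouch(TokenRecord token, Date now) {
        if (expiryMinutes == 0) {          // expiry disabled: token stays valid
            token.lastUsed = now;
            return true;
        }
        long idleMillis = now.getTime() - token.lastUsed.getTime();
        if (idleMillis > TimeUnit.MINUTES.toMillis(expiryMinutes)) {
            return false;                  // stale: caller rejects the token and discards it
        }
        token.lastUsed = now;              // each use extends the token by the policy window
        return true;
    }
}

public class ExpiryDemo {
    public static void main(String[] args) {
        TokenRecord t = new TokenRecord("authtoken:demo", new Date(0L)); // constructed sample
        TokenExpiryPolicy fifteenMin = new TokenExpiryPolicy(15);
        System.out.println(fifteenMin.validateAndTouch(t, new Date(TimeUnit.MINUTES.toMillis(10))));
        System.out.println(fifteenMin.validateAndTouch(t, new Date(TimeUnit.MINUTES.toMillis(30))));
        TokenExpiryPolicy never = new TokenExpiryPolicy(0);
        System.out.println(never.validateAndTouch(t, new Date(TimeUnit.HOURS.toMillis(48))));
    }
}
```

The second call fails because 20 minutes of idle time exceed the 15-minute policy, while the zero-minute policy accepts the token regardless of age.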
