juddi-dev mailing list archives

From "Alex O'Ree (JIRA)" <juddi-...@ws.apache.org>
Subject [jira] [Updated] (JUDDI-559) Authentication Tokens do not expire
Date Sun, 03 Mar 2013 19:31:12 GMT

     [ https://issues.apache.org/jira/browse/JUDDI-559?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex O'Ree updated JUDDI-559:

    Attachment: revised Expiration patch.patch

revised patch 
> Authentication Tokens do not expire
> -----------------------------------
>                 Key: JUDDI-559
>                 URL: https://issues.apache.org/jira/browse/JUDDI-559
>             Project: jUDDI
>          Issue Type: Improvement
>    Affects Versions: 3.1.4
>            Reporter: Alex O'Ree
>            Assignee: Kurt T Stam
>              Labels: authentication, security
>             Fix For: 3.1.5
>         Attachments: ExpiringAuthTokens.patch, revised Expiration patch.patch
> This is a potential security vulnerability. Tokens issued by the Security API do not
> expire. This increases the chances if a token could be obtained through a man in the middle
> attack or through session hijacking that the stolen token could be used to impersonate the
> Suggestion, assign expiration timestamps to tokens that is administrator configurable.
> Default setting should be about 15 minutes.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
