juddi-dev mailing list archives

From "Alex O'Ree (JIRA)" <juddi-...@ws.apache.org>
Subject [jira] [Commented] (JUDDI-559) Authentication Tokens do not expire
Date Sun, 03 Mar 2013 19:33:12 GMT

    [ https://issues.apache.org/jira/browse/JUDDI-559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13591844#comment-13591844

Alex O'Ree commented on JUDDI-559:

I changed it simply because it's an easier-to-use data structure; however, Date can be used
solely with some API calls.

> Authentication Tokens do not expire
> -----------------------------------
>                 Key: JUDDI-559
>                 URL: https://issues.apache.org/jira/browse/JUDDI-559
>             Project: jUDDI
>          Issue Type: Improvement
>    Affects Versions: 3.1.4
>            Reporter: Alex O'Ree
>            Assignee: Kurt T Stam
>              Labels: authentication, security
>             Fix For: 3.1.5
>         Attachments: ExpiringAuthTokens.patch, revised Expiration patch.patch
> This is a potential security vulnerability. Tokens issued by the Security API do not
> expire. This increases the chances if a token could be obtained through a man-in-the-middle
> attack or through session hijacking that the stolen token could be used to impersonate the
> Suggestion: assign expiration timestamps to tokens that are administrator configurable.
> Default setting should be about 15 minutes.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
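
The expiration suggested in the issue, sketched as an added example that is not part of the original message and is not jUDDI's code or either attached patch: every token gets an expiry instant when it is issued, and every lookup checks it. The class name `ExpiringTokenStore`, its methods and the in-memory map are assumptions made for illustration; the 15-minute lifetime is the default the issue proposes.

```java
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical token store; names are illustrative and not jUDDI's API.
public class ExpiringTokenStore {
    private final ConcurrentHashMap<String, Instant> expiryByToken = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration lifetime; // administrator-configurable setting
    private final Clock clock;       // injectable so expiry can be unit-tested

    public ExpiringTokenStore(Duration lifetime, Clock clock) {
        if (lifetime.isZero() || lifetime.isNegative())
            throw new IllegalArgumentException("token lifetime must be positive");
        this.lifetime = lifetime;
        this.clock = clock;
    }

    // Issue an unguessable token and record the instant it stops being valid.
    public String issue() {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        expiryByToken.put(token, clock.instant().plus(lifetime));
        return token;
    }

    // Run on every authenticated call: unknown and expired tokens are both rejected.
    public boolean isValid(String token) {
        Instant expiry = (token == null) ? null : expiryByToken.get(token);
        if (expiry == null) return false;
        if (clock.instant().isBefore(expiry)) return true;
        expiryByToken.remove(token, expiry); // drop the expired entry
        return false;
    }

    // Periodic cleanup of expired tokens that are never presented again.
    public void purgeExpired() {
        expiryByToken.values().removeIf(expiry -> !clock.instant().isBefore(expiry));
    }

    public static void main(String[] args) {
        ExpiringTokenStore store = new ExpiringTokenStore(Duration.ofMinutes(15), Clock.systemUTC());
        System.out.println("fresh token valid: " + store.isValid(store.issue()));
    }
}
```

Passing `Clock.offset(Clock.systemUTC(), Duration.ofMinutes(16))` instead of the system clock for validation in a test shows the same token being rejected once the lifetime has passed.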
