juddi-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alex O'Ree (JIRA)" <juddi-...@ws.apache.org>
Subject [jira] [Commented] (JUDDI-559) Authentication Tokens do not expire
Date Sun, 03 Mar 2013 19:33:12 GMT

    [ https://issues.apache.org/jira/browse/JUDDI-559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13591844#comment-13591844
] 

Alex O'Ree commented on JUDDI-559:
----------------------------------

I changed it simple because it's an easier to use data structure, however Date can be used
solely with some api calls. 

                
> Authentication Tokens do not expire
> -----------------------------------
>
>                 Key: JUDDI-559
>                 URL: https://issues.apache.org/jira/browse/JUDDI-559
>             Project: jUDDI
>          Issue Type: Improvement
>    Affects Versions: 3.1.4
>            Reporter: Alex O'Ree
>            Assignee: Kurt T Stam
>              Labels: authentication, security
>             Fix For: 3.1.5
>
>         Attachments: ExpiringAuthTokens.patch, revised Expiration patch.patch
>
>
> This is a potential security vulnerability. Tokens issued by the Security API do not
expire. This increases the chances if a token could be obtained through a man in the middle
attack or through session hijacking that the stolen token could be used to impersonate the
user.
> Suggestion, assign expiration timestamps to tokens that is administrator configurable.
Default setting should be about 15 minutes.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message