[CXF-4425] OAuth 1.0 timestamp and nonces are not validated and the validation can not be customized - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.6.1
Fix Version/s: 2.5.5, 2.6.2, 2.7
Component/s: JAX-RS, JAX-RS Security
Labels:
None

Estimated Complexity:
Unknown

Description

It's possible to send multiple request with the same header. Actually it's a security violation.

Specifically, the default OAuthValidator is created per-request - this is OK for validating that a given OAuth message contains the expected parameters and that the signature is correct, but the default nonces cache is lost after the validation is done. Additionally, it is not possible to customize the validation process

Attachments

Activity

People

Assignee:: Sergey Beryozkin

Reporter:: Evgeni Kisel

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 16/Jul/12 13:27

Updated:: 28/Aug/12 17:44

Resolved:: 25/Jul/12 12:22