jUDDI / JUDDI-559

Authentication Tokens do not expire

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.4
    • Fix Version/s: 3.1.5
    • Component/s: None

      Description

      This is a potential security vulnerability. Tokens issued by the Security API do not expire. This increases the chance that, if a token were obtained through a man-in-the-middle attack or through session hijacking, the stolen token could be used to impersonate the user.

      Suggestion: assign administrator-configurable expiration timestamps to tokens. The default setting should be about 15 minutes.

      1. ExpiringAuthTokens.patch
        16 kB
        Alex O'Ree
      2. revised Expiration patch.patch
        8 kB
        Alex O'Ree

        Activity

        spyhunter99 Alex O'Ree added a comment -

        This patch covers the functionality, but without any unit tests

        kurtstam Kurt T Stam added a comment -

        Hi Alex,

        Thanks for the patch! I have two questions for you:

        1. Why did you change the create and update fields on AuthToken from util.Date to GregorianCalendar?

        2. Rather than adding the expiration column in AuthToken, I think checking if the token is older than whatever the node-wide policy is, is not less performant. And this would not require any changes to the database (which is always preferable for existing installs).

        3. http://uddi.org/pubs/uddi_v3.htm#_Toc85908115 states that token expiration is an optional feature, and I think default behavior should probably not expire tokens. Which actually aligns with the patch where you add the 15 min to each juddiv3.properties files.

        There is no need to revise your patch, I can do that, I just want to understand your reasoning.

        Thanks,

        --Kurt

        spyhunter99 Alex O'Ree added a comment -

        revised patch

        spyhunter99 Alex O'Ree added a comment -

        I changed it simply because it's an easier-to-use data structure; however, Date can be used solely with some API calls.

        kurtstam Kurt T Stam added a comment -

        Thanks Alex,

        I have applied the patch. I changed the patch slightly by adding expiration of old age (as well as expiration by timeout). Expiration is turned off by default, but expiration by timeout is set to 15 minutes in the juddiv3.properties files we ship.

        --Kurt

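The following is an added example, not jUDDI's code and not the attached patches. It shows the token-validation design the description asks for and the final shape Kurt describes: expiration by timeout (idle time since last use) and expiration by old age (time since issue), each driven by a properties file and independently switchable off, with the age check done against timestamps already held server side rather than a new expiration column. The property keys, class names and the sample timeline are assumptions made for the example.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

// Illustrative token store, not jUDDI code. It applies the two policies from the
// discussion: expiration by timeout (idle time since last use) and expiration by
// old age (time since issue). Each policy is independently switched off by a 0 value.
public final class ExpiringTokenStore {

    // Property keys are assumptions for this example, not jUDDI's real configuration keys.
    static final String TIMEOUT_PROP = "example.auth.token.Timeout";       // minutes idle
    static final String EXPIRATION_PROP = "example.auth.token.Expiration"; // minutes since issue

    private static final class Token {
        final String user;
        final Instant created;
        volatile Instant lastUsed;
        Token(String user, Instant now) { this.user = user; this.created = now; this.lastUsed = now; }
    }

    private final Map<String, Token> tokens = new ConcurrentHashMap<>();
    private final Duration idleTimeout; // null: policy disabled
    private final Duration maxAge;      // null: policy disabled
    private final Supplier<Instant> clock;
    private final SecureRandom rng = new SecureRandom();

    public ExpiringTokenStore(Properties props, Supplier<Instant> clock) {
        this.idleTimeout = minutesOrNull(props, TIMEOUT_PROP);
        this.maxAge = minutesOrNull(props, EXPIRATION_PROP);
        this.clock = clock;
    }

    // A missing or non-positive value disables that policy (the "off by default" case).
    private static Duration minutesOrNull(Properties p, String key) {
        String v = p.getProperty(key);
        if (v == null) return null;
        long minutes = Long.parseLong(v.trim());
        return minutes > 0 ? Duration.ofMinutes(minutes) : null;
    }

    // Issues an unguessable token id. Creation and last-use times live in the server-side
    // record, so the check needs no expiration column stored with the token.
    public String issue(String user) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(id, new Token(user, clock.get()));
        return id;
    }

    // Returns the user the token authenticates, or null if unknown or expired.
    // Expired tokens are removed so a stolen copy cannot be replayed later.
    public String validate(String id) {
        Token t = tokens.get(id);
        if (t == null) return null;
        Instant now = clock.get();
        boolean tooOld = maxAge != null && Duration.between(t.created, now).compareTo(maxAge) > 0;
        boolean idle = idleTimeout != null && Duration.between(t.lastUsed, now).compareTo(idleTimeout) > 0;
        if (tooOld || idle) {
            tokens.remove(id);
            return null;
        }
        t.lastUsed = now; // activity extends the idle deadline but never the absolute one
        return t.user;
    }

    public static void main(String[] args) {
        // Settable clock so the run is deterministic; the start time is constructed for the example.
        Instant[] now = { Instant.parse("2013-01-01T00:00:00Z") };
        Supplier<Instant> clock = () -> now[0];

        // Mirrors the shipped settings described in the thread: 15 minute timeout, old-age expiration off.
        Properties shipped = new Properties();
        shipped.setProperty(TIMEOUT_PROP, "15");
        shipped.setProperty(EXPIRATION_PROP, "0");
        ExpiringTokenStore store = new ExpiringTokenStore(shipped, clock);
        String tok = store.issue("alice");
        for (int gap : new int[] { 10, 14, 16 }) {
            now[0] = now[0].plus(Duration.ofMinutes(gap));
            System.out.println("after " + gap + " idle minutes: " + store.validate(tok));
        }

        // Same traffic pattern with a 30 minute absolute lifetime: activity no longer keeps it alive.
        Properties strict = new Properties();
        strict.setProperty(TIMEOUT_PROP, "15");
        strict.setProperty(EXPIRATION_PROP, "30");
        ExpiringTokenStore strictStore = new ExpiringTokenStore(strict, clock);
        String tok2 = strictStore.issue("bob");
        for (int minute = 10; minute <= 40; minute += 10) {
            now[0] = now[0].plus(Duration.ofMinutes(10));
            System.out.println("minute " + minute + ": " + strictStore.validate(tok2));
        }
    }
}
```

Under the shipped-style settings the first token survives the 10 and 14 minute gaps, because each successful use refreshes its idle deadline, and is rejected after the 16 minute gap. The second store shows why the old-age policy matters even though it is off by default: a stolen token that the attacker keeps replaying within the idle window would otherwise never expire, whereas with a 30 minute absolute lifetime the token is rejected on the fourth call despite being used every 10 minutes.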

          People

          • Assignee:
            kstam Kurt T Stam
            Reporter:
            spyhunter99 Alex O'Ree