[
https://issues.apache.org/jira/browse/CXF-4425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sergey Beryozkin resolved CXF-4425.
-----------------------------------
Resolution: Fixed
Fix Version/s: 2.5.5
OK, thanks
> OAuth 1.0 timestamp and nonces are not validated and the validation can not
> be customized
> -----------------------------------------------------------------------------------------
>
> Key: CXF-4425
> URL: https://issues.apache.org/jira/browse/CXF-4425
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS, JAX-RS Security
> Affects Versions: 2.6.1
> Reporter: Evgeni Kisel
> Assignee: Sergey Beryozkin
> Fix For: 2.5.5, 2.6.2, 2.7.0
>
>
> It's possible to send multiple request with the same header. Actually it's a
> security violation.
> Specifically, the default OAuthValidator is created per-request - this is OK
> for validating that a given OAuth message contains the expected parameters
> and that the signature is correct, but the default nonces cache is lost after
> the validation is done. Additionally, it is not possible to customize the
> validation process
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
