After fixing AMDATUAUTH-158 the unit test I wrote for this issue failed once again. The reason is that besides the timestamp issue there is one more issue.
The problem is that upon the first validation the nonce is stored. When the validation is triggered again, for the same request, the validator will check if that nonce is already used by verifying if it is available in the store, which is the case. So effectively, in the current mechanism nonce validation can be triggered only once. This is problematic, especially if the OAuth request needs to be verified in 2 separate services or servlets.
To correct this design flaw, more refactoring is needed, probably requiring an API change in the nonce storage SPI. Therefore the actual fix is postponed to a later version (> 0.3). Until then, nonce validation is disabled.
Note that disabling nonce validation does not protect us from replay attacks. But that doesn't change the current situation: nonce validation has never worked due to AMDATUAUTH-158.

Change By: Ivo Ladage - van Doorn (23/May/12 2:45 PM)
Attachment: AMDATUAUTH-157-2.patch
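As an added illustration (not code from the attached patch or from Amdatu's nonce storage SPI), the check-then-store pattern described in the comment is shown beside one way to let several services validate the same request: each stored nonce is bound to a server-minted request id, a design assumed here rather than taken from the issue.

```python
import uuid

class NonceStore:
    """In-memory nonce store, constructed for this example (not Amdatu's SPI).

    Keys follow OAuth 1.0 nonce semantics: a nonce must be unique per consumer
    key and timestamp. Each entry also remembers the server-side request id
    that first consumed it, so re-validating the same request does not look
    like a reuse of the nonce.
    """

    def __init__(self, window_seconds=300):
        self.window_seconds = window_seconds
        self.seen = {}  # (consumer_key, timestamp, nonce) -> (first_seen, request_id)

    def purge(self, now):
        # Entries older than the freshness window cannot be replayed anyway
        # (the timestamp check rejects them first), so they can be dropped.
        expired = [k for k, (seen_at, _) in self.seen.items()
                   if now - seen_at > self.window_seconds]
        for k in expired:
            del self.seen[k]

def naive_validate(store, consumer_key, timestamp, nonce, now):
    """Check-then-store in one step: the pattern the issue describes.
    The first call stores the nonce; a second validation of the same request
    (e.g. in another servlet) finds it in the store and is rejected."""
    key = (consumer_key, timestamp, nonce)
    if abs(now - timestamp) > store.window_seconds:
        return False
    if key in store.seen:
        return False
    store.seen[key] = (now, None)
    return True

def validate_once_per_request(store, consumer_key, timestamp, nonce, request_id, now):
    """Same check, but bound to a server-generated request id (assumed design).
    A second validation inside the same request presents the same id and passes;
    a replay arrives as a new request, gets a fresh id, and is rejected."""
    store.purge(now)
    key = (consumer_key, timestamp, nonce)
    if abs(now - timestamp) > store.window_seconds:
        return False
    entry = store.seen.get(key)
    if entry is None:
        store.seen[key] = (now, request_id)
        return True
    return entry[1] == request_id

def new_request_id():
    # Minted by the server when the request enters the chain, never taken from the client.
    return uuid.uuid4().hex
```

The request id must travel with the request only inside the server (a request attribute), otherwise a client could supply one and defeat the replay check.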
Amdatu-developers mailing list
http://lists.amdatu.org/mailman/listinfo/amdatu-developers