Ok, so the problem is that we should somehow store the nonce and associate it with the current request instance. If a subsequent request on the same node or another request handled by another node is using the same nonce, OAuth validation should fail. Adding an HTTP filter that intercepts the nonce (if sent along) and verifies whether it has been used before would do the trick, but this would have a massive impact on performance. The nonce parameter can be added as a request parameter but could also be encapsulated in the body. So we would need to verify this for every HTTP request (no exceptions).

Proposed solution: the PluggableOAuthValidator could store the nonce in the persistent storage like it does right now. Additionally, it should put the nonce on a ThreadLocal and remember it for the lifetime of the request. If a subsequent validation is executed, it would detect that the nonce is on the ThreadLocal and nonce validation would succeed.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
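The two-level check proposed above, sketched as an added example (hypothetical code, not Amdatu's PluggableOAuthValidator): the shared store rejects a nonce that any node has already accepted, while a ThreadLocal lets the same request re-validate without tripping over its own nonce. The example assumes an in-memory set as a stand-in for the persistent store, scopes the nonce by consumer key (RFC 5849 requires uniqueness per consumer, token and timestamp), and clears the ThreadLocal when the request ends so a pooled thread cannot carry the nonce into a later request.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical nonce validator illustrating the ThreadLocal idea. */
public final class NonceValidator {
    // Stand-in for the persistent, cluster-shared store (constructed here as
    // an in-memory set; a real deployment must share it across nodes and
    // expire entries older than the accepted timestamp window).
    private final Set<String> usedNonces = ConcurrentHashMap.newKeySet();
    // Nonce already accepted for the request handled by the current thread.
    private final ThreadLocal<String> currentRequestNonce = new ThreadLocal<>();

    /** Returns true if this request may use the nonce, false on replay. */
    public boolean validate(String consumerKey, String nonce) {
        String key = consumerKey + ":" + nonce;
        if (key.equals(currentRequestNonce.get())) {
            return true; // same request validating again on the same thread
        }
        if (usedNonces.add(key)) { // atomic: the first claimant wins
            currentRequestNonce.set(key);
            return true;
        }
        return false; // already used by this or another node
    }

    /** Must run when the request ends, e.g. in the filter's finally block. */
    public void endRequest() {
        currentRequestNonce.remove();
    }

    public static void main(String[] args) throws InterruptedException {
        NonceValidator v = new NonceValidator();
        // First use of the nonce within a request: accepted.
        System.out.println(v.validate("consumerA", "nonce-1"));
        // Second validation by the same request on the same thread: accepted.
        System.out.println(v.validate("consumerA", "nonce-1"));
        // Another request (other thread or node) presenting the same nonce: rejected.
        Thread other = new Thread(() ->
            System.out.println(v.validate("consumerA", "nonce-1")));
        other.start();
        other.join();
        v.endRequest();
        // Same thread reused for a later request with the old nonce: rejected.
        System.out.println(v.validate("consumerA", "nonce-1"));
    }
}
```

Without the endRequest() cleanup, a reused worker thread would still hold the nonce in its ThreadLocal and a replayed request landing on that thread would be accepted.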
Amdatu-developers mailing list
http://lists.amdatu.org/mailman/listinfo/amdatu-developers