[
https://issues.apache.org/jira/browse/JUDDI-559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13591844#comment-13591844
]
Alex O'Ree commented on JUDDI-559:
----------------------------------
I changed it simple because it's an easier to use data structure, however Date
can be used solely with some api calls.
> Authentication Tokens do not expire
> -----------------------------------
>
> Key: JUDDI-559
> URL: https://issues.apache.org/jira/browse/JUDDI-559
> Project: jUDDI
> Issue Type: Improvement
> Affects Versions: 3.1.4
> Reporter: Alex O'Ree
> Assignee: Kurt T Stam
> Labels: authentication, security
> Fix For: 3.1.5
>
> Attachments: ExpiringAuthTokens.patch, revised Expiration patch.patch
>
>
> This is a potential security vulnerability. Tokens issued by the Security API
> do not expire. This increases the chances if a token could be obtained
> through a man in the middle attack or through session hijacking that the
> stolen token could be used to impersonate the user.
> Suggestion, assign expiration timestamps to tokens that is administrator
> configurable. Default setting should be about 15 minutes.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
