[ https://issues.apache.org/jira/browse/CXF-5561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin updated CXF-5561:
----------------------------------

    Description: 
AccessTokenValidatorService is a simple JAX-RS service which accepts validation 
requests remotely and delegates the actual validation to the super-class it 
extends. After validating the token, it returns an internal token representation 
to the remote OAuthRequestFilter, which does some more validation.

The fundamental problem with AccessTokenValidatorService is that it expects the 
3rd party client authorization credentials to be passed in as an Authorization 
header, so if a bad client which stole the access token somehow invokes 
AccessTokenValidatorService directly, it will get the internal token state back.

I'm not marking it as Critical because this service can easily be replaced.

  was:
AccessTokenValidatorService is a simple JAX-RS service which accepts validation 
requests remotely and delegates the actual validation to the super-class it 
extends, after validating the token it return an internal token representation 
to the remote OAuthRequestFilter which does some more validation.

The fundamental problem with AccessTokenValidatorService is that it expects the 
3rd party client authorization credentials passed in as Authorization header so 
if the bad client which stole the access token and somehow invokes directly on 
AccessTokenValidatorService then it will get the internal token state back.

I'm not marking it as Critical because this service can easily be replaced.


> AccessTokenValidatorService is not secure
> -----------------------------------------
>
>                 Key: CXF-5561
>                 URL: https://issues.apache.org/jira/browse/CXF-5561
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>            Reporter: Sergey Beryozkin
>             Fix For: 3.0.0-milestone2, 2.7.11
>
>
> AccessTokenValidatorService is a simple JAX-RS service which accepts 
> validation requests remotely and delegates the actual validation to the 
> super-class it extends. After validating the token, it returns an internal 
> token representation to the remote OAuthRequestFilter, which does some more 
> validation.
> The fundamental problem with AccessTokenValidatorService is that it expects 
> the 3rd party client authorization credentials to be passed in as an 
> Authorization header, so if a bad client which stole the access token somehow 
> invokes AccessTokenValidatorService directly, it will get the internal token 
> state back.
> I'm not marking it as Critical because this service can easily be replaced.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
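As an added illustration of the mitigation the report implies (a defender's example written for this page, not CXF's own code and not the fix that shipped in the listed versions): a JAX-RS 2.0 ContainerRequestFilter that refuses requests to the token-validation resource unless the calling resource server authenticates with its own credential, carried in a header separate from the Authorization header that holds the access token under validation. Possessing a stolen access token is then not enough to retrieve the internal token state. The header name `X-Validator-Caller`, the path prefix `validate`, the caller registry and the sample secret are constructed assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * Example guard (not CXF's own code) for a remote token-validation endpoint.
 * The resource server that forwards access tokens for validation must prove
 * its own identity with a credential in a separate header, so that holding an
 * access token alone never unlocks the token's internal representation.
 */
@Provider
public class ValidatorCallerAuthFilter implements ContainerRequestFilter {

    /** Hypothetical header carrying "Basic base64(callerId:callerSecret)". */
    static final String CALLER_HEADER = "X-Validator-Caller";

    /** Assumed path prefix of the validation resource; adjust to the deployment. */
    static final String VALIDATOR_PATH_PREFIX = "validate";

    /** Constructed registry: caller id -> SHA-256 of its secret (never the secret itself). */
    private static final Map<String, byte[]> TRUSTED_CALLERS = new HashMap<>();
    static {
        TRUSTED_CALLERS.put("resource-server-1", sha256("example-secret-not-for-production"));
    }

    @Override
    public void filter(ContainerRequestContext ctx) {
        String path = ctx.getUriInfo().getPath();
        if (!path.startsWith(VALIDATOR_PATH_PREFIX)) {
            return; // only the validator endpoint is guarded by this filter
        }
        if (!isTrustedCaller(ctx.getHeaderString(CALLER_HEADER))) {
            // Abort without detail: the bearer token in Authorization is never consulted here
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        }
    }

    /** True only if the header names a registered caller and carries that caller's secret. */
    static boolean isTrustedCaller(String headerValue) {
        if (headerValue == null || !headerValue.startsWith("Basic ")) {
            return false;
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(headerValue.substring(6).trim()),
                                 StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return false; // malformed base64
        }
        int sep = decoded.indexOf(':');
        if (sep <= 0) {
            return false;
        }
        byte[] expected = TRUSTED_CALLERS.get(decoded.substring(0, sep));
        if (expected == null) {
            return false; // unknown caller gets the same answer as a wrong secret
        }
        // Constant-time digest comparison avoids leaking how many bytes matched
        return MessageDigest.isEqual(expected, sha256(decoded.substring(sep + 1)));
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is available in every JRE
        }
    }
}
```

Register the filter as a provider on the JAX-RS application that hosts the validation resource, and have the resource server's outgoing validation request set the caller header alongside the forwarded Authorization header. The filter only establishes who is asking; the validation resource still decides what it returns, and returning as little internal token state as the remote OAuthRequestFilter actually needs limits what any caller, trusted or not, can learn.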
