Sergey Beryozkin created CXF-5561:
-------------------------------------
Summary: AccessTokenValidatorService is not secure
Key: CXF-5561
URL: https://issues.apache.org/jira/browse/CXF-5561
Project: CXF
Issue Type: Bug
Components: JAX-RS, JAX-RS Security
Reporter: Sergey Beryozkin
Fix For: 3.0.0-milestone2, 2.7.11
AccessTokenValidatorService is a simple JAX-RS service which accepts validation
requests remotely and delegates the actual validation to the super-class it
extends. After validating the token, it returns an internal token representation
to the remote OAuthRequestFilter, which does some more validation.
The fundamental problem with AccessTokenValidatorService is that it expects the
3rd party client authorization credentials to be passed in as an Authorization header, so
if a bad client which stole the access token somehow invokes
AccessTokenValidatorService directly, it will get the internal token state back.
I'm not marking it as Critical because this service can easily be replaced.
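The weakness described above is that the validation endpoint accepts the same credentials an ordinary OAuth client holds. One defensive pattern is to put a JAX-RS request filter in front of the endpoint that only admits callers registered as resource servers (the legitimate OAuthRequestFilter deployments). The code below is an added illustration, not CXF's own fix or API; the class name, the sample registry and its entries are hypothetical and constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * Hypothetical guard for a remote token-validation endpoint: only callers
 * whose Basic credentials match a registered resource server get through.
 * A third-party OAuth client presenting its own (or a stolen) credential
 * is rejected, so the internal token state is never returned to it.
 */
@Provider
public class ResourceServerOnlyFilter implements ContainerRequestFilter {

    // Constructed sample registry (resource-server id -> shared secret).
    // In a real deployment this comes from configuration, not source code.
    private final Map<String, String> resourceServers = Map.of(
            "rs-orders", "constructed-secret-1",
            "rs-billing", "constructed-secret-2");

    @Override
    public void filter(ContainerRequestContext ctx) {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.startsWith("Basic ")) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException badBase64) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        int colon = decoded.indexOf(':');
        String id = colon < 0 ? decoded : decoded.substring(0, colon);
        String secret = colon < 0 ? "" : decoded.substring(colon + 1);
        String expected = resourceServers.get(id);
        // Constant-time comparison; unknown ids and wrong secrets are both refused.
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                secret.getBytes(StandardCharsets.UTF_8))) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}
```

Register the filter only on the validation resource so ordinary token endpoints keep their existing client authentication.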
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)