[ https://issues.apache.org/jira/browse/CXF-5561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sergey Beryozkin resolved CXF-5561.
-----------------------------------
Resolution: Fixed
Assignee: Sergey Beryozkin
> AccessTokenValidatorService is not secure
> -----------------------------------------
>
> Key: CXF-5561
> URL: https://issues.apache.org/jira/browse/CXF-5561
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS, JAX-RS Security
> Reporter: Sergey Beryozkin
> Assignee: Sergey Beryozkin
> Fix For: 3.0.0-milestone2, 2.7.11
>
>
> AccessTokenValidatorService is a simple JAX-RS service which accepts
> validation requests remotely and delegates the actual validation to the
> super-class it extends. After validating the token it returns an internal
> token representation to the remote OAuthRequestFilter, which does some more
> validation.
> The fundamental problem with AccessTokenValidatorService is that it expects
> the 3rd-party client authorization credentials to be passed in as the
> Authorization header, so if a bad client which stole the access token somehow
> invokes AccessTokenValidatorService directly, it will get the internal token
> state back.
> I'm not marking it as Critical because this service can easily be replaced.
--
This message was sent by Atlassian JIRA (v6.1.5#6160)
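The design weakness the report describes, shown as an added Python example that is not CXF code and does not use the CXF OAuth2 API: validate_weak authenticates the caller with the very token it is asked about, so anyone holding the token receives the internal state, while validate_hardened requires the resource server's own credentials and carries the token to validate separately. All names and sample values (InternalToken, ISSUED_TOKENS, RESOURCE_SERVER_SECRETS) are constructed for illustration.

```python
import base64
import hmac
from dataclasses import dataclass

# Constructed example, not CXF code; all names and sample values are made up.

@dataclass(frozen=True)
class InternalToken:
    """Internal token state a validator hands back to a trusted resource server."""
    token_key: str
    client_id: str
    subject: str
    scopes: tuple

# Sample data: issued tokens, and resource servers registered to ask about them.
ISSUED_TOKENS = {
    "tok-abc123": InternalToken("tok-abc123", "client-mobile", "alice", ("read",)),
}
RESOURCE_SERVER_SECRETS = {"rs-photos": "rs-photos-secret"}

def parse_authorization(header):
    """Split 'Scheme value' into (lower-cased scheme, value)."""
    scheme, _, value = header.strip().partition(" ")
    return scheme.lower(), value.strip()

def validate_weak(headers):
    """Flawed design from the report: the only credential checked is the access
    token itself, so whoever holds it (including a thief) receives the state."""
    scheme, value = parse_authorization(headers.get("Authorization", ""))
    return ISSUED_TOKENS.get(value) if scheme == "bearer" else None

def validate_hardened(headers, token_key):
    """Hardened design: the resource server authenticates with its own credentials
    (HTTP Basic here) and the token travels separately, so holding a token alone
    never unlocks its internal state."""
    scheme, value = parse_authorization(headers.get("Authorization", ""))
    if scheme != "basic":
        return None
    try:
        rs_id, _, rs_secret = base64.b64decode(value, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = RESOURCE_SERVER_SECRETS.get(rs_id, "")
    if not expected or not hmac.compare_digest(expected.encode(), rs_secret.encode()):
        return None
    return ISSUED_TOKENS.get(token_key)

def basic_header(rs_id, rs_secret):
    """Authorization header a registered resource server would send."""
    return "Basic " + base64.b64encode(f"{rs_id}:{rs_secret}".encode()).decode()
```

With the weak variant a stolen bearer token is enough to read back the internal state; with the hardened variant the same request returns nothing unless a registered resource server presents its own credentials.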