TOPIC: Re:participantToken lifetime
#5726
metabyte (User)
Platinum Boarder
participantToken lifetime 1 Year, 5 Months ago Karma: 16  
Once we authenticate against the TokenService, we get a participantToken. I was wondering what is the default lifetime of this token and if we can extend or reduce this lifetime by configuration...
 
#5730
psq (Admin)
Admin
Re:participantToken lifetime 1 Year, 5 Months ago Karma: 28  
The token in itself does not expire. It only contains a timestamp (of when it was issued) that each application can read and then decide whether it's time to re-challenge the user with an authentication dialog, or whatever may be appropriate.

So you have to take a look on a case by case basis.

Thanks,
Pascal.
 
#5732
metabyte (User)
Platinum Boarder
Re:participantToken lifetime 1 Year, 5 Months ago Karma: 16  
Pascal, thanks for the reply. This sounds like a potential security threat if the token cannot expire (implicitly I consider the token as an authentic session). Someone (malicious) could exploit this to perform actions on the TMS for example...
 
#5758
psq (Admin)
Admin
Re:participantToken lifetime 1 Year, 5 Months ago Karma: 28  
If handled incorrectly by the service or application, yes, definitely.

In fact, a quick review of the TMS code seems to indicate that it does not check for expiration... (Patches welcome!)

Thanks,
Pascal.
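
The check discussed above, as an added example that is not part of the thread or of Intalio's code: each service compares the token's issue timestamp with its own maximum age and fails closed on unusable values. The service names, limits and the epoch-seconds timestamp are assumptions; the token's real format is not shown in this thread.

```python
import math
import time
from dataclasses import dataclass
from typing import Optional

ACCEPT, REAUTHENTICATE, REJECT = "accept", "reauthenticate", "reject"

@dataclass(frozen=True)
class FreshnessPolicy:
    max_age_s: int           # how long this service honours a token after issue
    clock_skew_s: int = 60   # tolerated clock drift between issuer and service

# Constructed per-service limits: each application picks its own.
POLICIES = {
    "task-management": FreshnessPolicy(max_age_s=15 * 60),
    "reporting": FreshnessPolicy(max_age_s=8 * 3600),
}

def check_token_age(issued_at, policy: FreshnessPolicy,
                    now: Optional[float] = None) -> str:
    """Return ACCEPT, REAUTHENTICATE or REJECT for a token's issue time.

    Assumption: issued_at is epoch seconds taken from a token whose
    integrity the caller has already verified.
    """
    now = time.time() if now is None else now
    # Fail closed on a missing, non-numeric, NaN or non-positive timestamp;
    # NaN would otherwise slip past both comparisons below.
    if isinstance(issued_at, bool) or not isinstance(issued_at, (int, float)):
        return REJECT
    if not math.isfinite(issued_at) or issued_at <= 0:
        return REJECT
    age = now - issued_at
    if age < -policy.clock_skew_s:   # issued in the future beyond drift
        return REJECT
    if age > policy.max_age_s:       # too old for this service
        return REAUTHENTICATE
    return ACCEPT

def decide(service: str, issued_at, now: Optional[float] = None) -> str:
    """Apply the calling service's own policy; unknown services get no access."""
    policy = POLICIES.get(service)
    if policy is None:
        return REJECT
    return check_token_age(issued_at, policy, now)
```
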
 
#5761
Hubert (User)
Senior Boarder
Re:participantToken lifetime 1 Year, 5 Months ago Karma: 3  
Where is the WSDL for the token service?
 
#5764
metabyte (User)
Platinum Boarder
Re:participantToken lifetime 1 Year, 5 Months ago Karma: 16  
Hello Hubert,

You can find that WSDL at http://yourserverip:8080/axis2/services/TokenService?wsdl

Cheers

Hicham
 