Posted to commits@cxf.apache.org by co...@apache.org on 2018/04/10 12:13:59 UTC
[cxf] 01/02: CXF-7693 - If JwtConstants.EXPECTED_CLAIM_AUDIENCE is
set then it must be present in the token
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 0145fc549ce39688416341307be678d56e604c10
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Apr 10 11:09:55 2018 +0100
CXF-7693 - If JwtConstants.EXPECTED_CLAIM_AUDIENCE is set then it must be present in the token
(cherry picked from commit c35556412b1af7db867df0b2044dca7516cbfad1)
---
.../apache/cxf/rs/security/jose/jwt/JwtUtils.java | 18 +++++++---
.../cxf/rs/security/jose/jwt/JwtUtilsTest.java | 38 ++++++++++++++++++++++
2 files changed, 51 insertions(+), 5 deletions(-)
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index 0910913..1161159 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -115,18 +115,26 @@ public final class JwtUtils {
}
public static void validateJwtAudienceRestriction(JwtClaims claims, Message message) {
- if (claims.getAudiences().isEmpty()) {
- return;
+ // If the expected audience is configured, a matching "aud" must be present
+ String expectedAudience = (String)message.getContextualProperty(JwtConstants.EXPECTED_CLAIM_AUDIENCE);
+ if (expectedAudience != null) {
+ if (claims.getAudiences().contains(expectedAudience)) {
+ return;
+ }
+ throw new JwtException("Invalid audience restriction");
}
- String expectedAudience = (String)message.getContextualProperty(JwtConstants.EXPECTED_CLAIM_AUDIENCE);
- if (expectedAudience == null) {
- expectedAudience = (String)message.getContextualProperty(Message.REQUEST_URL);
+ // Otherwise if we have no aud claims then the token is valid
+ if (claims.getAudiences().isEmpty()) {
+ return;
}
+ // Otherwise one of the aud claims must match the request URL
+ expectedAudience = (String)message.getContextualProperty(Message.REQUEST_URL);
if (expectedAudience != null && claims.getAudiences().contains(expectedAudience)) {
return;
}
+
throw new JwtException("Invalid audience restriction");
}
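Review bot: The fallback branch at the end of the hunk still compares the token's `aud` against `Message.REQUEST_URL`, a value taken from the incoming request rather than from deployment configuration; if that URL is built from request headers such as Host (not visible in this hunk), the party presenting the token can influence what the audience is matched against, so the configured `EXPECTED_CLAIM_AUDIENCE` should be documented as the secure setting and the URL comparison as a best-effort fallback. The method has no Javadoc for the three-way policy the new code implements; I would add `/** Validates the "aud" claim: when EXPECTED_CLAIM_AUDIENCE is configured it must be one of the token's audiences; otherwise a token with no audiences is accepted and one with audiences must contain the request URL. @throws JwtException if the audience restriction is not satisfied. */`. The `(String)` cast on the contextual property escapes as a ClassCastException rather than the JwtException callers expect if the property is set to a non-String value; `Object expected = message.getContextualProperty(...)` followed by an `instanceof String` check, or `String.valueOf(...)`, keeps the failure inside the documented exception type.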
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java
index 9a2050e..c9e3715 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java
@@ -21,6 +21,9 @@ package org.apache.cxf.rs.security.jose.jwt;
import java.util.Calendar;
import java.util.Date;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+
import org.junit.Assert;
/**
@@ -140,5 +143,40 @@ public class JwtUtilsTest extends Assert {
// expected
}
}
+
+ @org.junit.Test
+ public void testExpectedAudience() throws Exception {
+ // Create the JWT Token
+ JwtClaims claims = new JwtClaims();
+ claims.setSubject("alice");
+ claims.setIssuer("DoubleItSTSIssuer");
+
+ // No aud claim should validate OK
+ Message message = new MessageImpl();
+ JwtUtils.validateJwtAudienceRestriction(claims, message);
+
+ // It should fail when we have an unknown aud claim
+ claims.setAudience("Receiver");
+ try {
+ JwtUtils.validateJwtAudienceRestriction(claims, message);
+ fail("Failure expected on an invalid audience");
+ } catch (JwtException ex) {
+ // expected
+ }
+
+ // Here the aud claim matches what is expected
+ message.put(JwtConstants.EXPECTED_CLAIM_AUDIENCE, "Receiver");
+ JwtUtils.validateJwtAudienceRestriction(claims, message);
+
+ // It should fail when the expected aud claim is not present
+ claims.removeProperty(JwtConstants.CLAIM_AUDIENCE);
+ try {
+ JwtUtils.validateJwtAudienceRestriction(claims, message);
+ fail("Failure expected on an invalid audience");
+ } catch (JwtException ex) {
+ // expected
+ }
+ }
+
}
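Review bot: The new test omits the negative case the fix is really about: an `aud` that is present but differs from the configured EXPECTED_CLAIM_AUDIENCE; after the "Here the aud claim matches" step I would add `claims.setAudience("Other");` wrapped in the same try/catch expecting `JwtException`. The `Message.REQUEST_URL` fallback branch of `validateJwtAudienceRestriction` is also never exercised; a final step that removes EXPECTED_CLAIM_AUDIENCE from the message, sets `message.put(Message.REQUEST_URL, "https://localhost/receiver");` and checks both a matching and a non-matching audience would cover it. A token carrying several audiences where only one matches is untested as well, though whether JwtClaims exposes a list setter is not visible here.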