You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2021/01/06 10:38:47 UTC

[cxf] branch master updated: Make sure both a request + request_uri can't be specified

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new aa789c5  Make sure both a request + request_uri can't be specified
aa789c5 is described below

commit aa789c5c4686597a7bdef2443909ab491fc2bc04
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Wed Jan 6 10:38:21 2021 +0000

    Make sure both a request + request_uri can't be specified
---
 .../rs/security/oauth2/grants/code/JwtRequestCodeFilter.java | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
index 29ac000..15fe40b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
@@ -21,9 +21,11 @@ package org.apache.cxf.rs.security.oauth2.grants.code;
 import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Map;
+import java.util.logging.Logger;
 
 import javax.ws.rs.core.MultivaluedMap;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.jaxrs.client.WebClient;
 import org.apache.cxf.jaxrs.impl.MetadataMap;
@@ -42,23 +44,31 @@ import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
 
 public class JwtRequestCodeFilter extends OAuthJoseJwtConsumer implements AuthorizationRequestFilter {
+    protected static final Logger LOG = LogUtils.getL7dLogger(JwtRequestCodeFilter.class);
     private static final String REQUEST_URI_CONTENT_TYPE = "application/oauth-authz-req+jwt";
     private static final String REQUEST_PARAM = "request";
     private static final String REQUEST_URI_PARAM = "request_uri";
+
     private boolean verifyWithClientCertificates;
     private String issuer;
     private JsonMapObjectReaderWriter jsonHandler = new JsonMapObjectReaderWriter();
+
     @Override
     public MultivaluedMap<String, String> process(MultivaluedMap<String, String> params,
                                                   UserSubject endUser,
                                                   Client client) {
         String requestToken = params.getFirst(REQUEST_PARAM);
+        String requestUri = params.getFirst(REQUEST_URI_PARAM);
+
         if (requestToken == null) {
-            String requestUri = params.getFirst(REQUEST_URI_PARAM);
             if (isRequestUriValid(client, requestUri)) {
                 requestToken = WebClient.create(requestUri).accept(REQUEST_URI_CONTENT_TYPE).get(String.class);
             }
+        } else if (requestUri != null) {
+            LOG.warning("It is not valid to specify both a request and request_uri value");
+            throw new SecurityException();
         }
+
         if (requestToken != null) {
             JweDecryptionProvider theDecryptor = super.getInitializedDecryptionProvider(client.getClientSecret());
             JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(client);