Posted to commits@cxf.apache.org by co...@apache.org on 2018/04/04 09:10:21 UTC
[cxf] 01/02: CXF-7693 - Allow JWT aud claim to be empty
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 29f50f9b1bf4ce6198ce72cbdc7eec989bba2284
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Apr 3 17:20:38 2018 +0100
CXF-7693 - Allow JWT aud claim to be empty
(cherry picked from commit 9a90413fff82236806ae42c045ac7f3256f8f224)
# Conflicts:
# rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
# rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
---
.../org/apache/cxf/rs/security/jose/jwt/JwtClaims.java | 3 +--
.../org/apache/cxf/rs/security/jose/jwt/JwtUtils.java | 16 ++++++++--------
.../jaxrs/security/jose/jwt/JWTPropertiesTest.java | 2 +-
3 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
index d6a940d..b698a8a 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
@@ -98,8 +98,7 @@ public class JwtClaims extends JsonMapObject {
} else if (audiences instanceof String) {
return Collections.singletonList((String)audiences);
}
-
- return null;
+ return Collections.emptyList();
}
public void setExpiryTime(Long expiresIn) {
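Review bot: `getAudiences()` now guarantees a non-null result, and `JwtUtils.validateJwtAudienceRestriction` in this same commit relies on that by calling `isEmpty()` without a null check, but nothing in the hunk records the contract. The method's signature sits above the hunk; a Javadoc there such as `/** Returns the "aud" claim as a list; an absent claim yields an empty list, never null. */` would stop a future maintainer from reintroducing the `null` return. Any existing caller that still compares the result with null can now drop that branch.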
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index 14604c9..0910913 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -96,7 +96,7 @@ public final class JwtUtils {
if (clockOffset > 0) {
validCreation.setTime(currentTime + (long)clockOffset * 1000L);
}
-
+
// Check to see if the IssuedAt time is in the future
if (createdDate.after(validCreation)) {
throw new JwtException("Invalid issuedAt");
@@ -115,17 +115,17 @@ public final class JwtUtils {
}
public static void validateJwtAudienceRestriction(JwtClaims claims, Message message) {
+ if (claims.getAudiences().isEmpty()) {
+ return;
+ }
+
String expectedAudience = (String)message.getContextualProperty(JwtConstants.EXPECTED_CLAIM_AUDIENCE);
if (expectedAudience == null) {
expectedAudience = (String)message.getContextualProperty(Message.REQUEST_URL);
}
-
- if (expectedAudience != null) {
- for (String audience : claims.getAudiences()) {
- if (expectedAudience.equals(audience)) {
- return;
- }
- }
+
+ if (expectedAudience != null && claims.getAudiences().contains(expectedAudience)) {
+ return;
}
throw new JwtException("Invalid audience restriction");
}
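Review bot: The early return added at the top of `validateJwtAudienceRestriction` skips audience validation for any token without an `aud` claim even when the deployment has explicitly configured `JwtConstants.EXPECTED_CLAIM_AUDIENCE`, because the new check runs before that property is read; a token minted with no audience would then be accepted by every service trusting the same issuer. RFC 7519 leaves an absent `aud` to application policy, but an operator who set an expected audience has stated that policy and should get a rejection. Consider tolerating an absent claim only when no expected audience is configured, so the relaxation applies to the implicit request-URL fallback alone, and document that choice on the method. The restructured opening of the method is below; the final `contains` check and the `"Invalid audience restriction"` throw are unchanged.
```java
    public static void validateJwtAudienceRestriction(JwtClaims claims, Message message) {
        String expectedAudience = (String)message.getContextualProperty(JwtConstants.EXPECTED_CLAIM_AUDIENCE);
        if (expectedAudience == null) {
            // No audience was configured explicitly: a token naming none is tolerated,
            // otherwise fall back to matching against the request URL.
            if (claims.getAudiences().isEmpty()) {
                return;
            }
            expectedAudience = (String)message.getContextualProperty(Message.REQUEST_URL);
        }
        // … unchanged: contains check and "Invalid audience restriction" throw …
```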
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTPropertiesTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTPropertiesTest.java
index 16b890d..48ac7e9 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTPropertiesTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTPropertiesTest.java
@@ -374,7 +374,7 @@ public class JWTPropertiesTest extends AbstractBusClientServerTestBase {
WebClient.getConfig(client).getRequestContext().putAll(properties);
Response response = client.post(new Book("book", 123L));
- assertNotEquals(response.getStatus(), 200);
+ assertEquals(response.getStatus(), 200);
}
@org.junit.Test
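Review bot: `assertEquals(response.getStatus(), 200)` on the new line has the arguments in actual/expected order, so a regression would report something like `expected:<403> but was:<200>`; JUnit's convention is `assertEquals(200, response.getStatus());`. Flipping this assertion also appears to leave the suite with no negative case for the scenario it covers (presumably a token lacking an `aud` claim); a companion test that sets `JwtConstants.EXPECTED_CLAIM_AUDIENCE` explicitly and asserts a non-200 status would pin the boundary of the relaxation. The test method's start is outside the hunk.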