Posted to issues@cxf.apache.org by "Sergey Beryozkin (JIRA)" <ji...@apache.org> on 2016/11/08 11:35:58 UTC

[jira] [Resolved] (CXF-7110) Inflexible jwt audience restriction validation

     [ https://issues.apache.org/jira/browse/CXF-7110?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sergey Beryozkin resolved CXF-7110.
-----------------------------------
       Resolution: Fixed
         Assignee: Sergey Beryozkin
    Fix Version/s: 3.1.9
                   3.2.0

Let me close it, but please re-open if you have more ideas on how to improve, thanks.

> Inflexible jwt audience restriction validation
> ----------------------------------------------
>
>                 Key: CXF-7110
>                 URL: https://issues.apache.org/jira/browse/CXF-7110
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 3.1.7
>         Environment: JVM 1.7, Ubuntu 14
>            Reporter: Shaleen Mishra
>            Assignee: Sergey Beryozkin
>             Fix For: 3.2.0, 3.1.9
>
>
> JwtUtils.validateJwtAudienceRestriction checks that the audience URL matches the current request URL (from the context). This works only during development but is most likely to fail because the actual URL of the resource server may be behind a proxy or load balancer, etc. E.g., the actual request is sent to mycompany.com/oauth and the requester sends this string in the audience parameter, but the server actually serving the request may have a URL like localhost:8080/oauth. So the match fails. And thanks to the static util function, it cannot be customized easily.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
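Added example (not code from CXF, the reporter or the resolver): the plain Java below contrasts the fragile rule the ticket describes, in which the "aud" claim has to equal the URL the resource server itself sees on the request, with a check against a configured set of expected audience values, which is what survives a proxy or load balancer. The class name, the Map-based claims representation and the sample hostnames are assumptions for illustration; nothing here calls CXF's own API.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative audience ("aud") validation for a JWT received by a resource server.
 * Claims are modelled as a plain Map (a hypothetical stand-in for a parsed JWT
 * payload), so this runs without CXF or any JOSE library.
 */
public final class JwtAudienceCheck {

    private JwtAudienceCheck() {}

    /**
     * RFC 7519 section 4.1.3: "aud" is either a single case-sensitive string or an
     * array of such strings. Returns an empty list when the claim is absent.
     */
    public static List<String> audiences(Map<String, Object> claims) {
        Object aud = claims.get("aud");
        List<String> result = new ArrayList<>();
        if (aud instanceof String) {
            result.add((String) aud);
        } else if (aud instanceof Collection<?>) {
            for (Object o : (Collection<?>) aud) {
                if (o instanceof String) {
                    result.add((String) o);
                }
            }
        }
        return result;
    }

    /**
     * The fragile rule from the ticket: the audience must equal the URL the resource
     * server sees on the current request. Behind a proxy or load balancer that is the
     * internal URL, so a correctly issued token addressed to the public name fails.
     */
    public static boolean matchesRequestUrl(Map<String, Object> claims, String requestUrl) {
        return audiences(claims).contains(requestUrl);
    }

    /**
     * Deployment-independent rule: compare against the audience values the resource
     * server is configured to accept (its externally published identifiers).
     * Comparison is exact and case-sensitive, as RFC 7519 requires for StringOrURI
     * values; no URL normalisation is applied. A token whose "aud" names none of the
     * expected values is rejected. A token with no "aud" at all is rejected when
     * requireAudience is true, the safer default for a resource server.
     */
    public static boolean matchesConfiguredAudiences(Map<String, Object> claims,
                                                     Set<String> expectedAudiences,
                                                     boolean requireAudience) {
        List<String> auds = audiences(claims);
        if (auds.isEmpty()) {
            return !requireAudience;
        }
        for (String aud : auds) {
            if (expectedAudiences.contains(aud)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: the client was told to use the public hostname as audience.
        Map<String, Object> claims = new LinkedHashMap<>();
        claims.put("iss", "https://mycompany.com/oauth");
        claims.put("sub", "alice");
        claims.put("aud", "https://mycompany.com/oauth");

        // Constructed value: what the server sees for the same request behind a proxy.
        String internalRequestUrl = "http://localhost:8080/oauth";
        Set<String> expected = new HashSet<>(Collections.singletonList("https://mycompany.com/oauth"));

        System.out.println("request-URL check:   " + matchesRequestUrl(claims, internalRequestUrl));
        System.out.println("configured check:    " + matchesConfiguredAudiences(claims, expected, true));

        // Multi-valued "aud": accepted as long as one entry is an expected audience.
        claims.put("aud", Arrays.asList("https://other.example/api", "https://mycompany.com/oauth"));
        System.out.println("array aud:           " + matchesConfiguredAudiences(claims, expected, true));

        // A token minted for a different service must be rejected even if otherwise valid.
        claims.put("aud", "https://other.example/api");
        System.out.println("wrong aud:           " + matchesConfiguredAudiences(claims, expected, true));

        // No "aud" claim at all: rejected in strict mode, accepted only if explicitly allowed.
        claims.remove("aud");
        System.out.println("missing aud, strict: " + matchesConfiguredAudiences(claims, expected, true));
        System.out.println("missing aud, lax:    " + matchesConfiguredAudiences(claims, expected, false));
    }
}
```

Run with `javac JwtAudienceCheck.java && java JwtAudienceCheck`. The first line shows the request-URL check rejecting a token that the client addressed exactly as instructed, because the internal URL differs from the public one; the configured-audience check accepts the same token. The remaining lines cover the array form of "aud", a token addressed to some other service (rejected, which is the whole point of audience restriction), and a token with no "aud", where the strict setting is the one a resource server should normally run with. Keep the expected set to the exact strings clients are told to put in "aud"; comparing normalised or partial URLs, or accepting any host-only prefix, weakens the restriction.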