Posted to commits@cxf.apache.org by co...@apache.org on 2018/04/10 12:13:58 UTC

[cxf] branch 3.1.x-fixes updated (b517ca7 -> b81f9c0)

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a change to branch 3.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git.


    from b517ca7  Recording .gitmergeinfo Changes
     new 0145fc5  CXF-7693 - If JwtConstants.EXPECTED_CLAIM_AUDIENCE is set then it must be present in the token
     new b81f9c0  Recording .gitmergeinfo Changes

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .gitmergeinfo                                      |  2 ++
 .../apache/cxf/rs/security/jose/jwt/JwtUtils.java  | 18 +++++++---
 .../cxf/rs/security/jose/jwt/JwtUtilsTest.java     | 38 ++++++++++++++++++++++
 3 files changed, 53 insertions(+), 5 deletions(-)


[cxf] 02/02: Recording .gitmergeinfo Changes

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit b81f9c038b26782e351b8518ae8a808fdec57bb2
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Apr 10 11:11:46 2018 +0100

    Recording .gitmergeinfo Changes
---
 .gitmergeinfo | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitmergeinfo b/.gitmergeinfo
index 5b19026..10cbe67 100644
--- a/.gitmergeinfo
+++ b/.gitmergeinfo
@@ -345,6 +345,7 @@ B 699f4c03de1acb1cf9eb95ad2db792dba5a56ead
 B 69c7b4c1ce4a9d131802c9a198706581eb4a3e91
 B 6a1bc29634a5328fb3d5f5927cdebbde9af63715
 B 6a3f97e9f0d02eef72bf10c266d444ec3af78bf5
+B 6b87582164f2d6e950bc896176d72ff28cebfad0
 B 6be7575f81a791f8323519bf671841044041d949
 B 6c28faf7890b1043a1fd71a74acb5eb482eda006
 B 6c324421a358919b4ecb3cfdd8a2e0e16ff81724
@@ -1143,6 +1144,7 @@ M c02442840de4e8820c4df14a8cead58d5b86d5ec
 M c212240f696e3387df19bbcf22d1851aff320078
 M c255034b2d6eb99bb2753b3d6932af06fd6cbe16
 M c2b13b7473781c3c1a4225a01c319cf8aa92cd0f
+M c35556412b1af7db867df0b2044dca7516cbfad1
 M c48c368f4622d88673dcc77c5726f5563f792b07
 M c4fb6912abf68f83ace5e28a0e3b457e2125f447
 M c55034d9621bc904634017b552057474afb93ac2


[cxf] 01/02: CXF-7693 - If JwtConstants.EXPECTED_CLAIM_AUDIENCE is set then it must be present in the token

Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 0145fc549ce39688416341307be678d56e604c10
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Apr 10 11:09:55 2018 +0100

    CXF-7693 - If JwtConstants.EXPECTED_CLAIM_AUDIENCE is set then it must be present in the token
    
    (cherry picked from commit c35556412b1af7db867df0b2044dca7516cbfad1)
---
 .../apache/cxf/rs/security/jose/jwt/JwtUtils.java  | 18 +++++++---
 .../cxf/rs/security/jose/jwt/JwtUtilsTest.java     | 38 ++++++++++++++++++++++
 2 files changed, 51 insertions(+), 5 deletions(-)

diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index 0910913..1161159 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -115,18 +115,26 @@ public final class JwtUtils {
     }
     
     public static void validateJwtAudienceRestriction(JwtClaims claims, Message message) {
-        if (claims.getAudiences().isEmpty()) {
-            return;
+        // If the expected audience is configured, a matching "aud" must be present
+        String expectedAudience = (String)message.getContextualProperty(JwtConstants.EXPECTED_CLAIM_AUDIENCE);
+        if (expectedAudience != null) {
+            if (claims.getAudiences().contains(expectedAudience)) {
+                return;
+            }
+            throw new JwtException("Invalid audience restriction");
         }
 
-        String expectedAudience = (String)message.getContextualProperty(JwtConstants.EXPECTED_CLAIM_AUDIENCE);
-        if (expectedAudience == null) {
-            expectedAudience = (String)message.getContextualProperty(Message.REQUEST_URL);
+        // Otherwise if we have no aud claims then the token is valid
+        if (claims.getAudiences().isEmpty()) {
+            return;
         }
 
+        // Otherwise one of the aud claims must match the request URL
+        expectedAudience = (String)message.getContextualProperty(Message.REQUEST_URL);
         if (expectedAudience != null && claims.getAudiences().contains(expectedAudience)) {
             return;
         }
+
         throw new JwtException("Invalid audience restriction");
     }
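Review bot: The local `expectedAudience` is reassigned at the `Message.REQUEST_URL` lookup to hold a value that is no longer the configured expected audience, which makes the third branch harder to read than it needs to be; a separate local would be clearer: `String requestUrl = (String)message.getContextualProperty(Message.REQUEST_URL);` followed by `if (requestUrl != null && claims.getAudiences().contains(requestUrl)) {`. The method also lacks Javadoc describing the precedence it now enforces, which matters for deployers: a Javadoc stating that a configured JwtConstants.EXPECTED_CLAIM_AUDIENCE must appear in "aud" (a token with no "aud" is rejected in that case), that a token with no "aud" is otherwise accepted, and that any remaining "aud" must match the request URL, would document the contract the test relies on. Both failure paths throw the same "Invalid audience restriction" message, so an operator cannot tell a missing "aud" from a mismatched one; consider a debug-level log that distinguishes the two without echoing claim values. The code assumes claims.getAudiences() never returns null, as the pre-change code did; worth confirming against JwtClaims.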
     
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java
index 9a2050e..c9e3715 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java
@@ -21,6 +21,9 @@ package org.apache.cxf.rs.security.jose.jwt;
 import java.util.Calendar;
 import java.util.Date;
 
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+
 import org.junit.Assert;
 
 /**
@@ -140,5 +143,40 @@ public class JwtUtilsTest extends Assert {
             // expected
         }
     }
+
+    @org.junit.Test
+    public void testExpectedAudience() throws Exception {
+        // Create the JWT Token
+        JwtClaims claims = new JwtClaims();
+        claims.setSubject("alice");
+        claims.setIssuer("DoubleItSTSIssuer");
+
+        // No aud claim should validate OK
+        Message message = new MessageImpl();
+        JwtUtils.validateJwtAudienceRestriction(claims, message);
+
+        // It should fail when we have an unknown aud claim
+        claims.setAudience("Receiver");
+        try {
+            JwtUtils.validateJwtAudienceRestriction(claims, message);
+            fail("Failure expected on an invalid audience");
+        } catch (JwtException ex) {
+            // expected
+        }
+
+        // Here the aud claim matches what is expected
+        message.put(JwtConstants.EXPECTED_CLAIM_AUDIENCE, "Receiver");
+        JwtUtils.validateJwtAudienceRestriction(claims, message);
+
+        // It should fail when the expected aud claim is not present
+        claims.removeProperty(JwtConstants.CLAIM_AUDIENCE);
+        try {
+            JwtUtils.validateJwtAudienceRestriction(claims, message);
+            fail("Failure expected on an invalid audience");
+        } catch (JwtException ex) {
+            // expected
+        }
+    }
+
 }
 
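Review bot: The new test never exercises the request-URL fallback that remains in validateJwtAudienceRestriction, so a regression in the `Message.REQUEST_URL` branch would pass this suite; a case such as `message.put(Message.REQUEST_URL, "https://localhost/service");` with `claims.setAudience("https://localhost/service");` and no EXPECTED_CLAIM_AUDIENCE set, plus a mismatching counterpart expected to throw JwtException, would cover it. The final case also relies on `EXPECTED_CLAIM_AUDIENCE` still being present on the message from the earlier `message.put`, which is what makes the missing-"aud" token fail; a short comment noting that the property is intentionally left in place would make the test's intent explicit.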
