Posted to commits@cxf.apache.org by co...@apache.org on 2015/12/03 15:24:22 UTC
[2/3] cxf git commit: Adding support for validating audiences for JWT
tokens as well as supporting multiple audiences
Adding support for validating audiences for JWT tokens as well as supporting multiple audiences
# Conflicts:
# rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
# rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d8443006
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d8443006
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d8443006
Branch: refs/heads/3.0.x-fixes
Commit: d8443006008dd859fcc1fdfe1bf700315c073704
Parents: 86bbf7c
Author: Colm O hEigeartaigh <co...@apache.org>
Authored: Thu Dec 3 12:30:10 2015 +0000
Committer: Colm O hEigeartaigh <co...@apache.org>
Committed: Thu Dec 3 14:20:54 2015 +0000
----------------------------------------------------------------------
.../jose/jaxrs/JwtAuthenticationFilter.java | 2 +-
.../cxf/rs/security/jose/jwt/JwtClaims.java | 20 +++++++++--
.../cxf/rs/security/jose/jwt/JwtUtils.java | 34 +++++++++++++++++++
.../oauth2/grants/jwt/AbstractJwtHandler.java | 5 +--
.../oauth2/tokens/jwt/JwtAccessTokenUtils.java | 35 +++++++++-----------
.../oidc/rp/AbstractTokenValidator.java | 6 ++--
.../cxf/rs/security/oidc/rp/IdTokenReader.java | 9 +++++
.../cxf/rs/security/oidc/rp/UserInfoClient.java | 14 ++++----
.../security/jose/jwt/JWTAlgorithmTest.java | 14 ++++++++
.../security/jose/jwt/JWTAuthnAuthzTest.java | 5 +++
10 files changed, 108 insertions(+), 36 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
index be781b9..b1a1966 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
@@ -96,7 +96,7 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements
@Override
protected void validateToken(JwtToken jwt) {
- JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset);
+ JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset, true);
}
public int getClockOffset() {
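Review bot: The new `true` argument hard-codes audience checking into the filter, so whenever a request URL is available every token whose `aud` is not the literal request URL is now rejected, including tokens that carry no `aud` at all (`validateJwtAudienceRestriction` throws when nothing matches), with no way for a deployment to opt out or relax it. On a fixes branch that is a behaviour change for existing users of the filter. A `private boolean validateAudience = true;` field with a setter, passed as `JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset, validateAudience);`, keeps the secure default while leaving the switch in the deployer's hands. The same hard-coded `true` appears in `AbstractJwtHandler.validateClaims` in this commit.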
http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
index 6fcc85d..fe5b08a 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
@@ -19,6 +19,8 @@
package org.apache.cxf.rs.security.jose.jwt;
+import java.util.Collections;
+import java.util.List;
import java.util.Map;
import org.apache.cxf.jaxrs.json.basic.JsonMapObject;
@@ -52,11 +54,23 @@ public class JwtClaims extends JsonMapObject {
}
public void setAudience(String audience) {
- setClaim(JwtConstants.CLAIM_AUDIENCE, audience);
+ setAudiences(Collections.singletonList(audience));
}
- public String getAudience() {
- return (String)getClaim(JwtConstants.CLAIM_AUDIENCE);
+ public void setAudiences(List<String> audiences) {
+ setClaim(JwtConstants.CLAIM_AUDIENCE, audiences);
+ }
+
+ @SuppressWarnings("unchecked")
+ public List<String> getAudiences() {
+ Object audiences = getClaim(JwtConstants.CLAIM_AUDIENCE);
+ if (audiences instanceof List<?>) {
+ return (List<String>)audiences;
+ } else if (audiences instanceof String) {
+ return Collections.singletonList((String)audiences);
+ }
+
+ return Collections.emptyList();
}
public void setExpiryTime(Long expiresIn) {
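Review bot: `getAudiences()` hands back the claim's backing `List` through an unchecked cast, so a parsed `aud` array whose elements are not strings is heap-polluted and only fails later with a `ClassCastException` in the `for (String audience : ...)` loops of the callers, and any caller that mutates the returned list mutates the token's claims. Copying the elements with an explicit type check turns a malformed claim into a clean `JwtException` at the point it is read and keeps the claims immutable from the outside; the `@SuppressWarnings("unchecked")` then goes away, and `java.util.ArrayList` needs importing. Note also that `setAudience(String)` now always stores a one-element list, so tokens issued by this class serialize `aud` as a JSON array even for a single audience; RFC 7519 permits both forms, but a consumer expecting the string form will see the change.
```java
public List<String> getAudiences() {
    Object audiences = getClaim(JwtConstants.CLAIM_AUDIENCE);
    if (audiences instanceof List<?>) {
        // Defensive copy with an element type check: a malformed "aud" array
        // fails here instead of with a ClassCastException in a caller.
        List<String> copy = new ArrayList<String>();
        for (Object audience : (List<?>)audiences) {
            if (!(audience instanceof String)) {
                throw new JwtException("Invalid audience claim");
            }
            copy.add((String)audience);
        }
        return Collections.unmodifiableList(copy);
    }
    // … unchanged: String and empty-list fallbacks …
```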
http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index e739347..68bcef9 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -20,6 +20,9 @@ package org.apache.cxf.rs.security.jose.jwt;
import java.util.Date;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.PhaseInterceptorChain;
+
public final class JwtUtils {
private JwtUtils() {
@@ -109,6 +112,7 @@ public final class JwtUtils {
}
}
}
+<<<<<<< HEAD
public static void validateJwtTimeClaims(JwtClaims claims, int clockOffset,
int issuedAtRange, boolean claimsRequired) {
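Review bot: The added `<<<<<<< HEAD` line is a merge-conflict marker committed into JwtUtils.java, so the file does not compile as pushed; the matching `=======` and `>>>>>>> 21bbc38...` lines are in the next hunk of this file, and IdTokenReader.java in this same commit carries the same markers. The `# Conflicts:` lines in the commit message confirm the merge was pushed unresolved. When resolving, the three-argument `validateTokenClaims` from the HEAD side can be kept as a source-compatible overload that delegates, `public static void validateTokenClaims(JwtClaims claims, int timeToLive, int clockOffset) { validateTokenClaims(claims, timeToLive, clockOffset, false); }`, so existing callers keep their current behaviour. The `validateJwtTimeClaims` signature at the end of this hunk continues outside it.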
@@ -134,6 +138,32 @@ public final class JwtUtils {
}
public static void validateTokenClaims(JwtClaims claims, int timeToLive, int clockOffset) {
+=======
+
+ public static void validateJwtAudienceRestriction(JwtClaims claims, Message message) {
+ // Get the endpoint URL
+ String requestURL = null;
+ if (message.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) {
+ requestURL = (String)message.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL);
+ }
+
+ if (requestURL != null) {
+ boolean match = false;
+ for (String audience : claims.getAudiences()) {
+ if (requestURL.equals(audience)) {
+ match = true;
+ break;
+ }
+ }
+ if (!match) {
+ throw new JwtException("Invalid audience restriction");
+ }
+ }
+ }
+
+ public static void validateTokenClaims(JwtClaims claims, int timeToLive, int clockOffset,
+ boolean validateAudienceRestriction) {
+>>>>>>> 21bbc38... Adding support for validating audiences for JWT tokens as well as supporting multiple audiences
// If we have no issued time then we need to have an expiry
boolean expiredRequired = claims.getIssuedAt() == null;
validateJwtExpiry(claims, clockOffset, expiredRequired);
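Review bot: `validateJwtAudienceRestriction` fails open when the message carries no `REQUEST_URL` (the whole check is skipped for `requestURL == null`), and it dereferences `message` without a null check although the caller in the following hunk passes `PhaseInterceptorChain.getCurrentMessage()`, which is null when no interceptor chain is running on the thread. A caller that asked for audience validation then gets either a `NullPointerException` or no check at all, neither of which it can distinguish from success. Failing closed is the safer default: `if (message == null) { throw new JwtException("Invalid audience restriction"); }` before reading the property, plus a comment stating that a message without a request URL skips the check, so the exemption is deliberate rather than accidental. The comparison is exact string equality, so a trailing slash or a proxy-rewritten scheme in the request URL will not match the token's `aud`; that is probably intended but deserves a comment. `validateTokenClaims`, declared at the end of this hunk inside the conflict region, continues in the next hunk.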
@@ -143,6 +173,10 @@ public final class JwtUtils {
// If we have no expiry then we must have an issued at
boolean issuedAtRequired = claims.getExpiryTime() == null;
validateJwtIssuedAt(claims, timeToLive, clockOffset, issuedAtRequired);
+
+ if (validateAudienceRestriction) {
+ validateJwtAudienceRestriction(claims, PhaseInterceptorChain.getCurrentMessage());
+ }
}
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
index 0177323..5855165 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
@@ -54,11 +54,10 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler {
}
protected void validateClaims(Client client, JwtClaims claims) {
- JwtUtils.validateTokenClaims(claims, ttl, clockOffset);
+ JwtUtils.validateTokenClaims(claims, ttl, clockOffset, true);
validateIssuer(claims.getIssuer());
validateSubject(client, claims.getSubject());
- validateAudience(client, claims.getAudience());
// We must have an Expiry
if (claims.getClaim(JwtConstants.CLAIM_EXPIRY) == null) {
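Review bot: Deleting the `validateAudience(Client, String)` hook and its call (this hunk and the one at `@@ -78,8 +77,6 @@`) silently disables any audience check a subclass of `AbstractJwtHandler` had overridden into it, and the replacement request-URL check in `JwtUtils` never consults the client's registered audiences the way `JwtAccessTokenUtils.validateJwtSubjectAndAudience` in this same commit does. Since this is a fixes branch, keeping the hook with the new list type preserves both: `validateAudience(client, claims.getAudiences());` after the subject check, and `protected void validateAudience(Client client, List<String> audiences) { }` as the default (`java.util.List` needs importing if it is not already). If this `Client` is the same type that exposes `getRegisteredAudiences()` in `JwtAccessTokenUtils`, the default implementation would be the natural place to match against it.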
@@ -78,8 +77,6 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler {
throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
}
}
- protected void validateAudience(Client client, String audience) {
- }
public void setSupportedIssuers(Set<String> supportedIssuers) {
this.supportedIssuers = supportedIssuers;
}
http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java
index c413d00..76d371f 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oauth2.tokens.jwt;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
+import java.util.List;
import javax.crypto.SecretKey;
@@ -38,7 +39,6 @@ import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;
@@ -110,32 +110,29 @@ public final class JwtAccessTokenUtils {
throw new SecurityException();
}
}
- public static void validateJwtClaims(JwtClaims claims, int ttl, int clockOffset, Client c) {
- validateJwtSubjectAndAudience(claims, c);
-
- // If we have no issued time then we need to have an expiry
- boolean expiredRequired = claims.getIssuedAt() == null;
- JwtUtils.validateJwtExpiry(claims, clockOffset, expiredRequired);
-
- JwtUtils.validateJwtNotBefore(claims, clockOffset, false);
-
- // If we have no expiry then we must have an issued at
- boolean issuedAtRequired = claims.getExpiryTime() == null;
- if (issuedAtRequired) {
- JwtUtils.validateJwtIssuedAt(claims, ttl, clockOffset, issuedAtRequired);
- }
- }
private static void validateJwtSubjectAndAudience(JwtClaims claims, Client c) {
if (claims.getSubject() == null || !claims.getSubject().equals(c.getClientId())) {
throw new SecurityException("Invalid subject");
}
// validate audience
- String aud = claims.getAudience();
- if (aud == null
- || !c.getRegisteredAudiences().isEmpty() && !c.getRegisteredAudiences().contains(aud)) {
+ List<String> audiences = claims.getAudiences();
+ if (audiences.isEmpty()) {
throw new SecurityException("Invalid audience");
}
+
+ if (!c.getRegisteredAudiences().isEmpty()) {
+ boolean match = false;
+ for (String audience : audiences) {
+ if (c.getRegisteredAudiences().contains(audience)) {
+ match = true;
+ break;
+ }
+ }
+ if (!match) {
+ throw new SecurityException("Invalid audience");
+ }
+ }
// TODO: the issuer is indirectly validated by validating the signature
// but an extra check can be done
}
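Review bot: Removing the public `validateJwtClaims(JwtClaims, int, int, Client)` together with the `JwtUtils` import drops the expiry, not-before and issued-at checks from this class, and any caller of that method outside this diff now fails to compile; nothing in the commit shows where those time checks moved to for JWT access tokens, so that should be confirmed, or the method kept as a delegate to `JwtUtils.validateTokenClaims`. The new match loop in `validateJwtSubjectAndAudience` reads more directly as `if (Collections.disjoint(c.getRegisteredAudiences(), audiences)) { throw new SecurityException("Invalid audience"); }` (import `java.util.Collections`), which states the intent, at least one registered audience present, without the `match` flag.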
http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index 6011577..8fc0022 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -18,6 +18,7 @@
*/
package org.apache.cxf.rs.security.oidc.rp;
+import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.cxf.jaxrs.client.WebClient;
@@ -66,8 +67,9 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume
throw new SecurityException("Invalid subject");
}
// validate audience
- String aud = claims.getAudience();
- if (aud == null && validateClaimsAlways || aud != null && !clientId.equals(aud)) {
+ List<String> audiences = claims.getAudiences();
+ if (audiences.isEmpty() && validateClaimsAlways
+ || !audiences.isEmpty() && !audiences.contains(clientId)) {
throw new SecurityException("Invalid audience");
}
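Review bot: The rewritten condition mixes `&&` and `||` without parentheses; Java precedence makes it correct, but `if ((audiences.isEmpty() && validateClaimsAlways) || (!audiences.isEmpty() && !audiences.contains(clientId)))` shows the two cases, no audience when one is required and an audience that does not name this client, at a glance, and a one-line comment above it saying exactly that would help the next reader. The enclosing method starts outside this hunk.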
http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
index b5bbbf1..c46505f 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
@@ -40,9 +40,18 @@ public class IdTokenReader extends AbstractTokenValidator {
OidcUtils.validateAccessTokenHash(at, jwt, requireAtHash);
return jwt;
}
+<<<<<<< HEAD
public JwtToken getIdJwtToken(String idJwtToken, OAuthClientUtils.Consumer client) {
JwtToken jwt = getJwtToken(idJwtToken, client.getSecret());
validateJwtClaims(jwt.getClaims(), client.getKey(), true);
+=======
+ public JwtToken getIdJwtToken(String idJwtToken, Consumer client) {
+ JwtToken jwt = getJwtToken(idJwtToken, client.getClientSecret());
+ if (jwt.getClaims().getAudiences().size() > 1) {
+ throw new SecurityException("Invalid audience");
+ }
+ validateJwtClaims(jwt.getClaims(), client.getClientId(), true);
+>>>>>>> 21bbc38... Adding support for validating audiences for JWT tokens as well as supporting multiple audiences
return jwt;
}
private IdToken getIdTokenFromJwt(JwtToken jwt) {
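Review bot: This hunk commits both sides of an unresolved merge conflict, so `IdTokenReader.java` does not compile; the `Consumer`, `getClientSecret()` and `getClientId()` names on the lower side come from the other branch, while the HEAD side (and the unchanged methods in `UserInfoClient` in this same commit) use `OAuthClientUtils.Consumer` with `getSecret()` and `getKey()`, and no import of a bare `Consumer` is visible. The resolution that fits this branch keeps the HEAD signature and adds only the new multi-audience rejection; that rejection is stricter than OpenID Connect Core, which allows several audiences when `azp` identifies the client, so it is worth a comment stating that this reader deliberately does not support that case.
```java
public JwtToken getIdJwtToken(String idJwtToken, OAuthClientUtils.Consumer client) {
    JwtToken jwt = getJwtToken(idJwtToken, client.getSecret());
    // An ID token addressed to several audiences is rejected outright here;
    // the multi-audience/azp case is deliberately not supported.
    if (jwt.getClaims().getAudiences().size() > 1) {
        throw new SecurityException("Invalid audience");
    }
    validateJwtClaims(jwt.getClaims(), client.getKey(), true);
    return jwt;
}
```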
http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
index 78f18e5..c329ad9 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
@@ -39,7 +39,7 @@ public class UserInfoClient extends AbstractTokenValidator {
return getUserInfoFromJwt(jwt, idToken, client);
} else {
UserInfo profile = profileClient.get(UserInfo.class);
- validateUserInfo(profile, idToken);
+ validateUserInfo(profile, idToken, client);
return profile;
}
} else {
@@ -49,7 +49,7 @@ public class UserInfoClient extends AbstractTokenValidator {
return getUserInfoFromJwt(jwt, idToken, client);
} else {
UserInfo profile = profileClient.form(form).readEntity(UserInfo.class);
- validateUserInfo(profile, idToken);
+ validateUserInfo(profile, idToken, client);
return profile;
}
}
@@ -58,18 +58,18 @@ public class UserInfoClient extends AbstractTokenValidator {
IdToken idToken,
OAuthClientUtils.Consumer client) {
JwtToken jwt = getUserInfoJwt(profileJwtToken, client);
- return getUserInfoFromJwt(jwt, idToken);
+ return getUserInfoFromJwt(jwt, idToken, client);
}
- public UserInfo getUserInfoFromJwt(JwtToken jwt, IdToken idToken) {
+ public UserInfo getUserInfoFromJwt(JwtToken jwt, IdToken idToken, Consumer client) {
UserInfo profile = new UserInfo(jwt.getClaims().asMap());
- validateUserInfo(profile, idToken);
+ validateUserInfo(profile, idToken, client);
return profile;
}
public JwtToken getUserInfoJwt(String profileJwtToken, OAuthClientUtils.Consumer client) {
return getJwtToken(profileJwtToken);
}
- public void validateUserInfo(UserInfo profile, IdToken idToken) {
- validateJwtClaims(profile, idToken.getAudience(), false);
+ public void validateUserInfo(UserInfo profile, IdToken idToken, Consumer client) {
+ validateJwtClaims(profile, client.getClientId(), false);
// validate subject
if (!idToken.getSubject().equals(profile.getSubject())) {
throw new SecurityException("Invalid subject");
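Review bot: The new signatures `getUserInfoFromJwt(JwtToken, IdToken, Consumer)` and `validateUserInfo(UserInfo, IdToken, Consumer)` use a bare `Consumer` type and `client.getClientId()`, while the unchanged methods in this same hunk take `OAuthClientUtils.Consumer`; no `Consumer` import is visible in the diff and the HEAD side of IdTokenReader in this commit uses `getKey()`/`getSecret()` on `OAuthClientUtils.Consumer`, so this looks like the master-branch API carried over with the conflict and is unlikely to compile on 3.0.x-fixes. Both new parameters should read `OAuthClientUtils.Consumer client` and the identifier `client.getKey()`, unless a `Consumer` import exists outside the hunk. Replacing the two public two-argument methods instead of overloading them is also a source-compatibility break on a fixes branch; the old `getUserInfoFromJwt(JwtToken jwt, IdToken idToken)` can no longer derive a client id from `idToken.getAudience()` in its String form, so if the old entry points are kept they need a documented way to obtain it. The earlier two hunks in this file only update call sites and need nothing beyond this.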
http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAlgorithmTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAlgorithmTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAlgorithmTest.java
index f745e3d..e9857ee 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAlgorithmTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAlgorithmTest.java
@@ -102,6 +102,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
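Review bot: Every hunk in this file, and every one in JWTAuthnAuthzTest, only adds `claims.setAudience(address)` so the existing positive-path tests keep passing under the new check; nothing in the commit sends a token with a wrong or missing `aud` and asserts that the request is rejected, which is the case `validateJwtAudienceRestriction` exists for. One negative test per endpoint style, e.g. `claims.setAudience("https://other.example/service")` (a constructed value) or no `setAudience` call at all, followed by an assertion that the response is not successful, would pin the fail-closed behaviour and catch a regression if the default is later changed.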
@@ -145,6 +146,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
@@ -191,6 +193,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
@@ -232,6 +235,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
@@ -274,6 +278,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
@@ -313,6 +318,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
@@ -349,6 +355,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
@@ -388,6 +395,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
@@ -423,6 +431,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
@@ -460,6 +469,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
@@ -500,6 +510,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
@@ -537,6 +548,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
@@ -572,6 +584,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
@@ -610,6 +623,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAuthnAuthzTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAuthnAuthzTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAuthnAuthzTest.java
index 7f62b83..45d109d 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAuthnAuthzTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAuthnAuthzTest.java
@@ -84,6 +84,7 @@ public class JWTAuthnAuthzTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
@@ -123,6 +124,7 @@ public class JWTAuthnAuthzTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
@@ -160,6 +162,7 @@ public class JWTAuthnAuthzTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
// The endpoint requires a role of "boss"
claims.setProperty("role", "boss");
@@ -201,6 +204,7 @@ public class JWTAuthnAuthzTest extends AbstractBusClientServerTestBase {
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);
@@ -237,6 +241,7 @@ public class JWTAuthnAuthzTest extends AbstractBusClientServerTestBase {
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
claims.setProperty("role", "manager");
+ claims.setAudience(address);
JwtToken token = new JwtToken(claims);