Posted to commits@cxf.apache.org by co...@apache.org on 2018/04/03 16:21:24 UTC
[cxf] 02/02: CXF-7693 - Allow JWT aud claim to be empty
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 9a90413fff82236806ae42c045ac7f3256f8f224
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Apr 3 17:20:38 2018 +0100
CXF-7693 - Allow JWT aud claim to be empty
---
.../org/apache/cxf/rs/security/jose/jwt/JwtClaims.java | 2 +-
.../org/apache/cxf/rs/security/jose/jwt/JwtUtils.java | 16 ++++++++--------
.../jaxrs/security/jose/jwt/JWTPropertiesTest.java | 2 +-
3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
index 7488f74..92d0374 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
@@ -98,7 +98,7 @@ public class JwtClaims extends JsonMapObject {
return Collections.singletonList((String)audiences);
}
- return null;
+ return Collections.emptyList();
}
public void setExpiryTime(Long expiresIn) {
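Review bot: getAudiences() now returns Collections.emptyList() instead of null when no aud claim is present, but the method carries no Javadoc stating that contract, and any caller that distinguished null (claim absent) from an empty list loses that distinction silently. A Javadoc along the lines of `Returns the audiences from the "aud" claim; never null — an empty, unmodifiable list when the claim is absent.` would pin the new behaviour for callers. The singletonList branch and the new fallback both return immutable lists, though the branch handling a list-valued claim lies outside the hunk, so whether every return is unmodifiable cannot be confirmed here. The method's signature starts outside the hunk.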
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index 9ea3904..9342cba 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -90,12 +90,12 @@ public final class JwtUtils {
}
Instant createdDate = Instant.ofEpochMilli(issuedAtInSecs * 1000L);
-
+
Instant validCreation = Instant.now();
if (clockOffset != 0) {
validCreation = validCreation.plusSeconds(clockOffset);
}
-
+
// Check to see if the IssuedAt time is in the future
if (createdDate.isAfter(validCreation)) {
throw new JwtException("Invalid issuedAt");
@@ -113,17 +113,17 @@ public final class JwtUtils {
}
public static void validateJwtAudienceRestriction(JwtClaims claims, Message message) {
+ if (claims.getAudiences().isEmpty()) {
+ return;
+ }
+
String expectedAudience = (String)message.getContextualProperty(JwtConstants.EXPECTED_CLAIM_AUDIENCE);
if (expectedAudience == null) {
expectedAudience = (String)message.getContextualProperty(Message.REQUEST_URL);
}
- if (expectedAudience != null) {
- for (String audience : claims.getAudiences()) {
- if (expectedAudience.equals(audience)) {
- return;
- }
- }
+ if (expectedAudience != null && claims.getAudiences().contains(expectedAudience)) {
+ return;
}
throw new JwtException("Invalid audience restriction");
}
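Review bot: The early return added at the top of validateJwtAudienceRestriction skips the audience check for any token whose aud claim is empty, even when JwtConstants.EXPECTED_CLAIM_AUDIENCE has been explicitly configured on the message, so a token issued with no audience now satisfies the restriction for every expected audience. RFC 7519 makes aud optional, but where a deployment has explicitly declared which audience it accepts, an absent claim is better treated as a mismatch; if the intent is only to tolerate an empty aud when no audience was configured, resolve the explicit property first and return early in that branch only, as below. The isEmpty() call also relies on JwtClaims.getAudiences() never returning null, which the companion change in JwtClaims.java provides, so the two changes must ship together. getAudiences() is called twice in the new code; hoisting it into a local would make that clearer.
```java
public static void validateJwtAudienceRestriction(JwtClaims claims, Message message) {
    String expectedAudience = (String)message.getContextualProperty(JwtConstants.EXPECTED_CLAIM_AUDIENCE);
    if (expectedAudience == null) {
        // No audience explicitly configured for this endpoint: tolerate a token without "aud"
        if (claims.getAudiences().isEmpty()) {
            return;
        }
        expectedAudience = (String)message.getContextualProperty(Message.REQUEST_URL);
    }
    // … unchanged: contains() check and "Invalid audience restriction" exception …
```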
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTPropertiesTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTPropertiesTest.java
index 81e892c..7466333 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTPropertiesTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTPropertiesTest.java
@@ -357,7 +357,7 @@ public class JWTPropertiesTest extends AbstractBusClientServerTestBase {
WebClient.getConfig(client).getRequestContext().putAll(properties);
Response response = client.post(new Book("book", 123L));
- assertNotEquals(response.getStatus(), 200);
+ assertEquals(response.getStatus(), 200);
}
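Review bot: The assertEquals arguments on the new line are in (actual, expected) order; JUnit's signature is assertEquals(expected, actual), so a failure would report the expected and actual status the wrong way round. Prefer `assertEquals(200, response.getStatus());`. The enclosing test method starts outside the hunk, so its name and the token it sends are not visible here.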
@org.junit.Test