Adding support for validating audiences for JWT tokens as well as supporting multiple audiences
# Conflicts: # rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java # rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d8443006 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d8443006 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d8443006 Branch: refs/heads/3.0.x-fixes Commit: d8443006008dd859fcc1fdfe1bf700315c073704 Parents: 86bbf7c Author: Colm O hEigeartaigh <[email protected]> Authored: Thu Dec 3 12:30:10 2015 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Thu Dec 3 14:20:54 2015 +0000 ---------------------------------------------------------------------- .../jose/jaxrs/JwtAuthenticationFilter.java | 2 +- .../cxf/rs/security/jose/jwt/JwtClaims.java | 20 +++++++++-- .../cxf/rs/security/jose/jwt/JwtUtils.java | 34 +++++++++++++++++++ .../oauth2/grants/jwt/AbstractJwtHandler.java | 5 +-- .../oauth2/tokens/jwt/JwtAccessTokenUtils.java | 35 +++++++++----------- .../oidc/rp/AbstractTokenValidator.java | 6 ++-- .../cxf/rs/security/oidc/rp/IdTokenReader.java | 9 +++++ .../cxf/rs/security/oidc/rp/UserInfoClient.java | 14 ++++---- .../security/jose/jwt/JWTAlgorithmTest.java | 14 ++++++++ .../security/jose/jwt/JWTAuthnAuthzTest.java | 5 +++ 10 files changed, 108 insertions(+), 36 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java index be781b9..b1a1966 100644 --- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java +++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java @@ -96,7 +96,7 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements @Override protected void validateToken(JwtToken jwt) { - JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset); + JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset, true); } public int getClockOffset() { http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java index 6fcc85d..fe5b08a 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java @@ -19,6 +19,8 @@ package org.apache.cxf.rs.security.jose.jwt; +import java.util.Collections; +import java.util.List; import java.util.Map; import org.apache.cxf.jaxrs.json.basic.JsonMapObject; 
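Review bot: The literal `true` passed to `validateTokenClaims` in `validateToken` turns audience enforcement on for every user of this filter, with no comment saying what the token's `aud` is compared against. Judging by the JwtUtils.java hunk in this commit, it is the exact request URL, so tokens whose `aud` is missing or names the service by some other identifier will start being rejected after an upgrade on this fixes branch. A comment above the call such as `// aud must contain the request URL; see JwtUtils.validateJwtAudienceRestriction` would make the new requirement discoverable. The class body continues outside the hunk.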
@@ -52,11 +54,23 @@ public class JwtClaims extends JsonMapObject { } public void setAudience(String audience) { - setClaim(JwtConstants.CLAIM_AUDIENCE, audience); + setAudiences(Collections.singletonList(audience)); } - public String getAudience() { - return (String)getClaim(JwtConstants.CLAIM_AUDIENCE); + public void setAudiences(List<String> audiences) { + setClaim(JwtConstants.CLAIM_AUDIENCE, audiences); + } + + @SuppressWarnings("unchecked") + public List<String> getAudiences() { + Object audiences = getClaim(JwtConstants.CLAIM_AUDIENCE); + if (audiences instanceof List<?>) { + return (List<String>)audiences; + } else if (audiences instanceof String) { + return Collections.singletonList((String)audiences); + } + + return Collections.emptyList(); } public void setExpiryTime(Long expiresIn) { http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java index e739347..68bcef9 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java @@ -20,6 +20,9 @@ package org.apache.cxf.rs.security.jose.jwt; import java.util.Date; +import org.apache.cxf.message.Message; +import org.apache.cxf.phase.PhaseInterceptorChain; + public final class JwtUtils { private JwtUtils() { @@ -109,6 +112,7 @@ public final class JwtUtils { } } } +<<<<<<< HEAD public static void validateJwtTimeClaims(JwtClaims claims, int clockOffset, int issuedAtRange, boolean claimsRequired) { 
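Review bot: In `getAudiences()` the unchecked cast `(List<String>)audiences` assumes every element of a token-supplied `aud` array is a string. A claim such as `"aud": [1]` (constructed example) passes here and only fails later with a ClassCastException in the callers' `for (String audience : ...)` loops, instead of a clean validation error. Checking the elements while copying, as sketched below, keeps the failure inside claim handling; skipping non-string entries instead of throwing would also work. Separately, `setAudience(null)` now stores a one-element list holding null rather than clearing the claim, and `getAudience()` disappears without a deprecated replacement, which breaks existing callers.

```java
public List<String> getAudiences() {
    Object audiences = getClaim(JwtConstants.CLAIM_AUDIENCE);
    if (audiences instanceof String) {
        return Collections.singletonList((String)audiences);
    }
    if (audiences instanceof List<?>) {
        // Copy element by element so a non-string entry is rejected here, not in a caller's loop
        List<String> result = new ArrayList<String>();
        for (Object item : (List<?>)audiences) {
            if (!(item instanceof String)) {
                throw new JwtException("Invalid audience");
            }
            result.add((String)item);
        }
        return result;
    }
    return Collections.emptyList();
}
```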
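Review bot: The added line `<<<<<<< HEAD` before `validateJwtTimeClaims` is an unresolved merge-conflict marker, and the next hunk of JwtUtils.java adds the matching `=======` and `>>>>>>> 21bbc38...` lines; the `@@ -40,9 +40,18 @@` hunk of IdTokenReader.java does the same. As committed, both files keep both sides of the conflict and cannot compile, and JwtUtils.java ends up with two `validateTokenClaims` signature lines in a row. Each conflict has to be resolved to a single side and the three marker lines deleted; the `# Conflicts:` list in the commit message names exactly these two files. The class body continues outside the hunk.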
@@ -134,6 +138,32 @@ public final class JwtUtils { } public static void validateTokenClaims(JwtClaims claims, int timeToLive, int clockOffset) { +======= + + public static void validateJwtAudienceRestriction(JwtClaims claims, Message message) { + // Get the endpoint URL + String requestURL = null; + if (message.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) != null) { + requestURL = (String)message.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL); + } + + if (requestURL != null) { + boolean match = false; + for (String audience : claims.getAudiences()) { + if (requestURL.equals(audience)) { + match = true; + break; + } + } + if (!match) { + throw new JwtException("Invalid audience restriction"); + } + } + } + + public static void validateTokenClaims(JwtClaims claims, int timeToLive, int clockOffset, + boolean validateAudienceRestriction) { +>>>>>>> 21bbc38... Adding support for validating audiences for JWT tokens as well as supporting multiple audiences // If we have no issued time then we need to have an expiry boolean expiredRequired = claims.getIssuedAt() == null; validateJwtExpiry(claims, clockOffset, expiredRequired); @@ -143,6 +173,10 @@ public final class JwtUtils { // If we have no expiry then we must have an issued at boolean issuedAtRequired = claims.getExpiryTime() == null; validateJwtIssuedAt(claims, timeToLive, clockOffset, issuedAtRequired); + + if (validateAudienceRestriction) { + validateJwtAudienceRestriction(claims, PhaseInterceptorChain.getCurrentMessage()); + } } } http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java ---------------------------------------------------------------------- 
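Review bot: `validateJwtAudienceRestriction` silently skips the check when `Message.REQUEST_URL` is absent, and it dereferences `message` without a null check even though the `@@ -143,6 +173,10 @@` hunk passes `PhaseInterceptorChain.getCurrentMessage()`, which returns null when no interceptor chain is active. A caller that asked for audience validation therefore gets either no validation or a NullPointerException rather than a `JwtException`. The comparison is also an exact string match against the full request URL, so `aud` has to name each resource URL rather than the service; if that is intended, it deserves a Javadoc sentence. A fail-closed version is sketched below; if skipping is deliberate for transports without a request URL, a comment should say so instead.

```java
public static void validateJwtAudienceRestriction(JwtClaims claims, Message message) {
    // Fail closed: without a request URL there is nothing to compare the audience against
    Object requestURL = message == null ? null : message.getContextualProperty(Message.REQUEST_URL);
    // contains(Object) needs no per-element cast of the token-supplied list
    if (!(requestURL instanceof String) || !claims.getAudiences().contains(requestURL)) {
        throw new JwtException("Invalid audience restriction");
    }
}
```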
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java index 0177323..5855165 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java @@ -54,11 +54,10 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler { } protected void validateClaims(Client client, JwtClaims claims) { - JwtUtils.validateTokenClaims(claims, ttl, clockOffset); + JwtUtils.validateTokenClaims(claims, ttl, clockOffset, true); validateIssuer(claims.getIssuer()); validateSubject(client, claims.getSubject()); - validateAudience(client, claims.getAudience()); // We must have an Expiry if (claims.getClaim(JwtConstants.CLAIM_EXPIRY) == null) { @@ -78,8 +77,6 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler { throw new OAuthServiceException(OAuthConstants.INVALID_GRANT); } } - protected void validateAudience(Client client, String audience) { - } public void setSupportedIssuers(Set<String> supportedIssuers) { this.supportedIssuers = supportedIssuers; } http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java index c413d00..76d371f 100644 
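Review bot: Removing the `validateAudience(client, claims.getAudience())` call from `validateClaims`, together with the deletion of the protected `validateAudience(Client, String)` hook in the `@@ -78,8 +77,6 @@` hunk, means a subclass that overrode the hook without `@Override` still compiles but its audience check is never invoked. On a fixes branch that is a silent behaviour change, and the only audience check left is the request-URL comparison reached through `JwtUtils.validateTokenClaims(claims, ttl, clockOffset, true)`. Keeping the hook as `@Deprecated` and still calling it, or documenting its removal in the release notes, would avoid custom checks being dropped unnoticed. `validateClaims` continues past the end of the hunk.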
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java @@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oauth2.tokens.jwt; import java.security.interfaces.RSAPrivateKey; import java.security.interfaces.RSAPublicKey; +import java.util.List; import javax.crypto.SecretKey; @@ -38,7 +39,6 @@ import org.apache.cxf.rs.security.jose.jws.JwsUtils; import org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider; import org.apache.cxf.rs.security.jose.jwt.JwtClaims; import org.apache.cxf.rs.security.jose.jwt.JwtToken; -import org.apache.cxf.rs.security.jose.jwt.JwtUtils; import org.apache.cxf.rs.security.oauth2.common.Client; import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken; import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken; 
@@ -110,32 +110,29 @@ public final class JwtAccessTokenUtils { throw new SecurityException(); } } - public static void validateJwtClaims(JwtClaims claims, int ttl, int clockOffset, Client c) { - validateJwtSubjectAndAudience(claims, c); - - // If we have no issued time then we need to have an expiry - boolean expiredRequired = claims.getIssuedAt() == null; - JwtUtils.validateJwtExpiry(claims, clockOffset, expiredRequired); - - JwtUtils.validateJwtNotBefore(claims, clockOffset, false); - - // If we have no expiry then we must have an issued at - boolean issuedAtRequired = claims.getExpiryTime() == null; - if (issuedAtRequired) { - JwtUtils.validateJwtIssuedAt(claims, ttl, clockOffset, issuedAtRequired); - } - } private static void validateJwtSubjectAndAudience(JwtClaims claims, Client c) { if (claims.getSubject() == null || !claims.getSubject().equals(c.getClientId())) { throw new SecurityException("Invalid subject"); } // validate audience - String aud = claims.getAudience(); - if (aud == null - || !c.getRegisteredAudiences().isEmpty() && !c.getRegisteredAudiences().contains(aud)) { + List<String> audiences = claims.getAudiences(); + if (audiences.isEmpty()) { throw new SecurityException("Invalid audience"); } + + if (!c.getRegisteredAudiences().isEmpty()) { + boolean match = false; + for (String audience : audiences) { + if (c.getRegisteredAudiences().contains(audience)) { + match = true; + break; + } + } + if (!match) { + throw new SecurityException("Invalid audience"); + } + } // TODO: the issuer is indirectly validated by validating the signature // but an extra check can be done } http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java ---------------------------------------------------------------------- 
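Review bot: With the public `validateJwtClaims(JwtClaims, int, int, Client)` removed, nothing in this hunk calls the private `validateJwtSubjectAndAudience` any more. Unless another caller exists outside the hunk, the subject and registered-audience checks it performs are now dead code, even though the hunk goes to the trouble of updating them for multiple audiences. Either keep a public entry point that invokes it or delete the method, so that readers do not assume the check runs on the access-token path. The match loop could also be written as `if (Collections.disjoint(c.getRegisteredAudiences(), audiences)) { throw new SecurityException("Invalid audience"); }`.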
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java index 6011577..8fc0022 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java @@ -18,6 +18,7 @@ */ package org.apache.cxf.rs.security.oidc.rp; +import java.util.List; import java.util.concurrent.ConcurrentHashMap; import org.apache.cxf.jaxrs.client.WebClient; @@ -66,8 +67,9 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume throw new SecurityException("Invalid subject"); } // validate audience - String aud = claims.getAudience(); - if (aud == null && validateClaimsAlways || aud != null && !clientId.equals(aud)) { + List<String> audiences = claims.getAudiences(); + if (audiences.isEmpty() && validateClaimsAlways + || !audiences.isEmpty() && !audiences.contains(clientId)) { throw new SecurityException("Invalid audience"); } http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java index b5bbbf1..c46505f 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java 
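Review bot: The new audience condition accepts any `aud` list that contains `clientId`, however many other audiences it names, and when the list is empty and `validateClaimsAlways` is false no audience check happens at all. OpenID Connect Core asks a relying party that receives several audiences to also verify the `azp` claim; in this commit only `getIdJwtToken` in IdTokenReader rejects multi-audience tokens, so other callers of this method get the looser rule. A comment stating which rule applies here would help, and the mixed `&&`/`||` expression is easier to audit as `boolean invalid = audiences.isEmpty() ? validateClaimsAlways : !audiences.contains(clientId);`. The enclosing method starts and ends outside the hunk.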
@@ -40,9 +40,18 @@ public class IdTokenReader extends AbstractTokenValidator { OidcUtils.validateAccessTokenHash(at, jwt, requireAtHash); return jwt; } +<<<<<<< HEAD public JwtToken getIdJwtToken(String idJwtToken, OAuthClientUtils.Consumer client) { JwtToken jwt = getJwtToken(idJwtToken, client.getSecret()); validateJwtClaims(jwt.getClaims(), client.getKey(), true); +======= + public JwtToken getIdJwtToken(String idJwtToken, Consumer client) { + JwtToken jwt = getJwtToken(idJwtToken, client.getClientSecret()); + if (jwt.getClaims().getAudiences().size() > 1) { + throw new SecurityException("Invalid audience"); + } + validateJwtClaims(jwt.getClaims(), client.getClientId(), true); +>>>>>>> 21bbc38... Adding support for validating audiences for JWT tokens as well as supporting multiple audiences return jwt; } private IdToken getIdTokenFromJwt(JwtToken jwt) { http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java index 78f18e5..c329ad9 100644 --- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java +++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java @@ -39,7 +39,7 @@ public class UserInfoClient extends AbstractTokenValidator { return getUserInfoFromJwt(jwt, idToken, client); } else { UserInfo profile = profileClient.get(UserInfo.class); - validateUserInfo(profile, idToken); + validateUserInfo(profile, idToken, client); return profile; } } else { 
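Review bot: Resolving the conflict in `getIdJwtToken` takes more than deleting the marker lines, because the two sides use different client APIs. The HEAD side takes `OAuthClientUtils.Consumer` and calls `client.getSecret()` and `client.getKey()`, while the incoming side takes an unqualified `Consumer` and calls `getClientSecret()` and `getClientId()`. No import for `Consumer` is added in this file's hunk, and the UserInfoClient.java hunks use the same unqualified `Consumer` and `client.getClientId()`, so it is worth confirming that those names exist on this branch. The intended result is presumably the HEAD signature with the new guard `if (jwt.getClaims().getAudiences().size() > 1) { throw new SecurityException("Invalid audience"); }` placed before the `validateJwtClaims(...)` call.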
@@ -49,7 +49,7 @@ public class UserInfoClient extends AbstractTokenValidator { return getUserInfoFromJwt(jwt, idToken, client); } else { UserInfo profile = profileClient.form(form).readEntity(UserInfo.class); - validateUserInfo(profile, idToken); + validateUserInfo(profile, idToken, client); return profile; } } @@ -58,18 +58,18 @@ public class UserInfoClient extends AbstractTokenValidator { IdToken idToken, OAuthClientUtils.Consumer client) { JwtToken jwt = getUserInfoJwt(profileJwtToken, client); - return getUserInfoFromJwt(jwt, idToken); + return getUserInfoFromJwt(jwt, idToken, client); } - public UserInfo getUserInfoFromJwt(JwtToken jwt, IdToken idToken) { + public UserInfo getUserInfoFromJwt(JwtToken jwt, IdToken idToken, Consumer client) { UserInfo profile = new UserInfo(jwt.getClaims().asMap()); - validateUserInfo(profile, idToken); + validateUserInfo(profile, idToken, client); return profile; } public JwtToken getUserInfoJwt(String profileJwtToken, OAuthClientUtils.Consumer client) { return getJwtToken(profileJwtToken); } - public void validateUserInfo(UserInfo profile, IdToken idToken) { - validateJwtClaims(profile, idToken.getAudience(), false); + public void validateUserInfo(UserInfo profile, IdToken idToken, Consumer client) { + validateJwtClaims(profile, client.getClientId(), false); // validate subject if (!idToken.getSubject().equals(profile.getSubject())) { throw new SecurityException("Invalid subject"); http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAlgorithmTest.java ---------------------------------------------------------------------- diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAlgorithmTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAlgorithmTest.java index f745e3d..e9857ee 100644 
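Review bot: `getUserInfoFromJwt` and `validateUserInfo` are public and both change signature in the `@@ -58,18 +58,18 @@` hunk with no overload left behind. External callers stop compiling, and a subclass that overrode `validateUserInfo(UserInfo, IdToken)` without `@Override` keeps compiling while its checks are no longer called. The new `client` parameter is dereferenced unconditionally in `validateJwtClaims(profile, client.getClientId(), false)`, so a Javadoc line on `validateUserInfo` should state that `client` must be non-null and that its client id is the expected audience. `validateUserInfo` continues past the end of the hunk.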
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAlgorithmTest.java +++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAlgorithmTest.java @@ -102,6 +102,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); @@ -145,6 +146,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); @@ -191,6 +193,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); @@ -232,6 +235,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); @@ -274,6 +278,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); @@ -313,6 +318,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); 
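Review bot: The hunks in JWTAlgorithmTest and JWTAuthnAuthzTest only add `claims.setAudience(address)` so that the existing positive cases keep passing; nothing visible in them exercises the new rejection path. A test that sets a different audience, e.g. `claims.setAudience(address + "/other")` (a constructed value), and one that omits the claim, each asserting that the call is refused, would pin the behaviour this commit introduces. A multi-valued case built with `claims.setAudiences(...)` would cover the list handling added to JwtClaims. The test methods start and end outside the hunks.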
@@ -349,6 +355,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); @@ -388,6 +395,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); @@ -423,6 +431,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); @@ -460,6 +469,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); @@ -500,6 +510,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); @@ -537,6 +548,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); @@ -572,6 +584,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); 
@@ -610,6 +623,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAuthnAuthzTest.java ---------------------------------------------------------------------- diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAuthnAuthzTest.java b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAuthnAuthzTest.java index 7f62b83..45d109d 100644 --- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAuthnAuthzTest.java +++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAuthnAuthzTest.java @@ -84,6 +84,7 @@ public class JWTAuthnAuthzTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); @@ -123,6 +124,7 @@ public class JWTAuthnAuthzTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); @@ -160,6 +162,7 @@ public class JWTAuthnAuthzTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); // The endpoint requires a role of "boss" claims.setProperty("role", "boss"); 
@@ -201,6 +204,7 @@ public class JWTAuthnAuthzTest extends AbstractBusClientServerTestBase { claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); + claims.setAudience(address); JwtToken token = new JwtToken(claims); @@ -237,6 +241,7 @@ public class JWTAuthnAuthzTest extends AbstractBusClientServerTestBase { claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); claims.setProperty("role", "manager"); + claims.setAudience(address); JwtToken token = new JwtToken(claims);
