This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 29f50f9b1bf4ce6198ce72cbdc7eec989bba2284
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Tue Apr 3 17:20:38 2018 +0100

    CXF-7693 - Allow JWT aud claim to be empty
    
    (cherry picked from commit 9a90413fff82236806ae42c045ac7f3256f8f224)
    
    # Conflicts:
    #   
rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
    #   
rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
---
 .../org/apache/cxf/rs/security/jose/jwt/JwtClaims.java   |  3 +--
 .../org/apache/cxf/rs/security/jose/jwt/JwtUtils.java    | 16 ++++++++--------
 .../jaxrs/security/jose/jwt/JWTPropertiesTest.java       |  2 +-
 3 files changed, 10 insertions(+), 11 deletions(-)

diff --git 
a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
 
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
index d6a940d..b698a8a 100644
--- 
a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
+++ 
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
@@ -98,8 +98,7 @@ public class JwtClaims extends JsonMapObject {
         } else if (audiences instanceof String) {
             return Collections.singletonList((String)audiences);
         }
-        
-        return null;
+        return Collections.emptyList();
     }
     
     public void setExpiryTime(Long expiresIn) {
diff --git 
a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
 
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index 14604c9..0910913 100644
--- 
a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ 
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -96,7 +96,7 @@ public final class JwtUtils {
         if (clockOffset > 0) {
             validCreation.setTime(currentTime + (long)clockOffset * 1000L);
         }
-        
+
         // Check to see if the IssuedAt time is in the future
         if (createdDate.after(validCreation)) {
             throw new JwtException("Invalid issuedAt");
@@ -115,17 +115,17 @@ public final class JwtUtils {
     }
     
     public static void validateJwtAudienceRestriction(JwtClaims claims, 
Message message) {
+        if (claims.getAudiences().isEmpty()) {
+            return;
+        }
+
         String expectedAudience = 
(String)message.getContextualProperty(JwtConstants.EXPECTED_CLAIM_AUDIENCE);
         if (expectedAudience == null) {
             expectedAudience = 
(String)message.getContextualProperty(Message.REQUEST_URL);
         }
-        
-        if (expectedAudience != null) {
-            for (String audience : claims.getAudiences()) {
-                if (expectedAudience.equals(audience)) {
-                    return;
-                }
-            }
+
+        if (expectedAudience != null && 
claims.getAudiences().contains(expectedAudience)) {
+            return;
         }
         throw new JwtException("Invalid audience restriction");
     }
diff --git 
a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTPropertiesTest.java
 
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTPropertiesTest.java
index 16b890d..48ac7e9 100644
--- 
a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTPropertiesTest.java
+++ 
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTPropertiesTest.java
@@ -374,7 +374,7 @@ public class JWTPropertiesTest extends 
AbstractBusClientServerTestBase {
         WebClient.getConfig(client).getRequestContext().putAll(properties);
 
         Response response = client.post(new Book("book", 123L));
-        assertNotEquals(response.getStatus(), 200);
+        assertEquals(response.getStatus(), 200);
     }
     
     @org.junit.Test

-- 
To stop receiving notification emails like this one, please contact
cohei...@apache.org.

Reply via email to