Shaleen Mishra created CXF-7110:
-----------------------------------
Summary: Inflexible jwt audience restriction validation
Key: CXF-7110
URL: https://issues.apache.org/jira/browse/CXF-7110
Project: CXF
Issue Type: Improvement
Components: JAX-RS Security
Affects Versions: 3.1.7
Environment: JVM 1.7, Ubuntu 14
Reporter: Shaleen Mishra
JwtUtils.validateJwtAudienceRestriction checks that the audience URL matches the
current request URL (from the context). This works only during development but
is most likely to fail because the actual URL of the resource server may be
behind a proxy or load balancer, etc. E.g., the actual request is sent to
mycompany.com/oauth and the requester sends this string in the audience
parameter, but the server actually serving the request may have a URL like
localhost:8080/oauth. So the match fails. And thanks to the static util
function, it cannot be customized easily.
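The mitigation the report points toward, as an added example that is not CXF code and does not use the CXF API: the set of acceptable audience values is taken from deployment configuration (the public names clients are told to use) instead of from the URL the server happens to see behind a proxy or load balancer. The class name, its constructor and the sample values are assumptions for illustration; `matchesRequestUrl` reproduces the request-URL comparison the report describes so the two behaviours can be compared on the same constructed input.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical audience validator (not CXF code): the accepted audience values
 * come from configuration rather than from the URL the server itself sees, so a
 * token minted for the public name still validates when the server sits behind
 * a proxy or load balancer.
 */
public final class ConfiguredAudienceValidator {

    private final Set<String> acceptedAudiences = new HashSet<>();

    public ConfiguredAudienceValidator(List<String> configuredAudiences) {
        for (String aud : configuredAudiences) {
            acceptedAudiences.add(normalize(aud));
        }
    }

    /**
     * Canonical form for comparison: lower-case scheme and host, explicit port
     * only if one was given, no trailing slash. Values that are not absolute
     * URIs are compared verbatim after trimming.
     */
    static String normalize(String value) {
        String trimmed = value.trim();
        try {
            URI uri = new URI(trimmed);
            if (uri.getScheme() == null || uri.getHost() == null) {
                return trimmed;
            }
            String path = uri.getRawPath() == null ? "" : uri.getRawPath();
            if (path.endsWith("/")) {
                path = path.substring(0, path.length() - 1);
            }
            String port = uri.getPort() == -1 ? "" : ":" + uri.getPort();
            return uri.getScheme().toLowerCase() + "://" + uri.getHost().toLowerCase() + port + path;
        } catch (URISyntaxException e) {
            return trimmed;
        }
    }

    /**
     * The JWT "aud" claim is a string or an array of strings (RFC 7519, 4.1.3),
     * passed here as a list. The token is accepted when at least one listed
     * audience is configured for this server. A token with no audience at all is
     * rejected: it carries no statement about which service it was issued for.
     */
    public boolean isAudienceAccepted(List<String> tokenAudiences) {
        if (tokenAudiences == null || tokenAudiences.isEmpty()) {
            return false;
        }
        for (String aud : tokenAudiences) {
            if (acceptedAudiences.contains(normalize(aud))) {
                return true;
            }
        }
        return false;
    }

    /** The check the report describes: the audience must equal the current request URL. */
    static boolean matchesRequestUrl(List<String> tokenAudiences, String requestUrl) {
        return tokenAudiences != null && tokenAudiences.contains(requestUrl);
    }

    public static void main(String[] args) {
        // Constructed sample: the token was minted for the public name, while the
        // server behind the proxy sees only its internal address.
        List<String> tokenAud = Collections.singletonList("https://mycompany.com/oauth");
        String urlSeenByServer = "http://localhost:8080/oauth";

        System.out.println("request-url match: " + matchesRequestUrl(tokenAud, urlSeenByServer));

        // Configured value differs only in host case and a trailing slash; normalize() absorbs both.
        ConfiguredAudienceValidator validator =
            new ConfiguredAudienceValidator(Collections.singletonList("https://MyCompany.com/oauth/"));
        System.out.println("configured match:  " + validator.isAudienceAccepted(tokenAud));
        System.out.println("missing aud:       " + validator.isAudienceAccepted(Collections.<String>emptyList()));
    }
}
```

Keeping the accepted audiences in configuration also makes the check a plain instance method, so a deployment can subclass or wrap it instead of working around a static utility.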
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)