This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch 3.1.x-fixes in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 0145fc549ce39688416341307be678d56e604c10
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Tue Apr 10 11:09:55 2018 +0100
CXF-7693 - If JwtConstants.EXPECTED_CLAIM_AUDIENCE is set then it must be present in the token
(cherry picked from commit c35556412b1af7db867df0b2044dca7516cbfad1)
---
 .../apache/cxf/rs/security/jose/jwt/JwtUtils.java | 18 +++++++---
 .../cxf/rs/security/jose/jwt/JwtUtilsTest.java | 38 ++++++++++++++++++++++
 2 files changed, 51 insertions(+), 5 deletions(-)
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index 0910913..1161159 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -115,18 +115,26 @@ public final class JwtUtils {
     }
     public static void validateJwtAudienceRestriction(JwtClaims claims, Message message) {
-        if (claims.getAudiences().isEmpty()) {
-            return;
+        // If the expected audience is configured, a matching "aud" must be present
+        String expectedAudience = (String)message.getContextualProperty(JwtConstants.EXPECTED_CLAIM_AUDIENCE);
+        if (expectedAudience != null) {
+            if (claims.getAudiences().contains(expectedAudience)) {
+                return;
+            }
+            throw new JwtException("Invalid audience restriction");
         }
-        String expectedAudience = (String)message.getContextualProperty(JwtConstants.EXPECTED_CLAIM_AUDIENCE);
-        if (expectedAudience == null) {
-            expectedAudience = (String)message.getContextualProperty(Message.REQUEST_URL);
+        // Otherwise if we have no aud claims then the token is valid
+        if (claims.getAudiences().isEmpty()) {
+            return;
         }
+        // Otherwise one of the aud claims must match the request URL
+        expectedAudience = (String)message.getContextualProperty(Message.REQUEST_URL);
         if (expectedAudience != null && claims.getAudiences().contains(expectedAudience)) {
             return;
         }
+
         throw new JwtException("Invalid audience restriction");
     }
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java
index 9a2050e..c9e3715 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java
@@ -21,6 +21,9 @@ package org.apache.cxf.rs.security.jose.jwt;
 import java.util.Calendar;
 import java.util.Date;
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+
 import org.junit.Assert;
 /**
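Review bot: validateJwtAudienceRestriction now has three distinct outcomes but no Javadoc stating them, so the inline comments are the only record of the precedence between JwtConstants.EXPECTED_CLAIM_AUDIENCE and Message.REQUEST_URL. Add a method Javadoc saying that a configured expected audience must appear in the token's "aud" claims; that without one, a token carrying no "aud" claims is accepted; and that otherwise one "aud" value must equal the request URL, with `@throws JwtException if the audience restriction is not satisfied`. Spelling out the no-expected-audience/no-"aud" case matters because it is the permissive path, and it tells deployers that setting EXPECTED_CLAIM_AUDIENCE is what makes the check strict. As a point of style, the duplicated `throw new JwtException("Invalid audience restriction")` could be reduced to a single throw after a `boolean matched` computed by the three checks.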
@@ -140,5 +143,40 @@ public class JwtUtilsTest extends Assert {
             // expected
         }
     }
+
+    @org.junit.Test
+    public void testExpectedAudience() throws Exception {
+        // Create the JWT Token
+        JwtClaims claims = new JwtClaims();
+        claims.setSubject("alice");
+        claims.setIssuer("DoubleItSTSIssuer");
+
+        // No aud claim should validate OK
+        Message message = new MessageImpl();
+        JwtUtils.validateJwtAudienceRestriction(claims, message);
+
+        // It should fail when we have an unknown aud claim
+        claims.setAudience("Receiver");
+        try {
+            JwtUtils.validateJwtAudienceRestriction(claims, message);
+            fail("Failure expected on an invalid audience");
+        } catch (JwtException ex) {
+            // expected
+        }
+
+        // Here the aud claim matches what is expected
+        message.put(JwtConstants.EXPECTED_CLAIM_AUDIENCE, "Receiver");
+        JwtUtils.validateJwtAudienceRestriction(claims, message);
+
+        // It should fail when the expected aud claim is not present
+        claims.removeProperty(JwtConstants.CLAIM_AUDIENCE);
+        try {
+            JwtUtils.validateJwtAudienceRestriction(claims, message);
+            fail("Failure expected on an invalid audience");
+        } catch (JwtException ex) {
+            // expected
+        }
+    }
+
 }
-- To stop receiving notification emails like this one, please contact cohei...@apache.org.
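Review bot: testExpectedAudience never exercises the Message.REQUEST_URL fallback in JwtUtils.validateJwtAudienceRestriction: the "unknown aud claim" step presumably fails only because the fresh MessageImpl carries no request URL, so neither the branch where an "aud" value equals the request URL nor the one where it differs is covered. Before the `claims.removeProperty(JwtConstants.CLAIM_AUDIENCE)` step, while "Receiver" is still the audience, add a message without the expected-audience property: `Message urlMessage = new MessageImpl();`, `urlMessage.put(Message.REQUEST_URL, "Receiver");`, `JwtUtils.validateJwtAudienceRestriction(claims, urlMessage);`. A second call with a different request URL, wrapped in the same try/fail/catch pattern the test already uses, would pin the negative side of that branch. The test method is complete within the hunk.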