This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 0145fc549ce39688416341307be678d56e604c10
Author: Colm O hEigeartaigh <cohei...@apache.org>
AuthorDate: Tue Apr 10 11:09:55 2018 +0100

    CXF-7693 - If JwtConstants.EXPECTED_CLAIM_AUDIENCE is set then it must be 
present in the token
    
    (cherry picked from commit c35556412b1af7db867df0b2044dca7516cbfad1)
---
 .../apache/cxf/rs/security/jose/jwt/JwtUtils.java  | 18 +++++++---
 .../cxf/rs/security/jose/jwt/JwtUtilsTest.java     | 38 ++++++++++++++++++++++
 2 files changed, 51 insertions(+), 5 deletions(-)

diff --git 
a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
 
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index 0910913..1161159 100644
--- 
a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ 
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -115,18 +115,26 @@ public final class JwtUtils {
     }
     
     public static void validateJwtAudienceRestriction(JwtClaims claims, 
Message message) {
-        if (claims.getAudiences().isEmpty()) {
-            return;
+        // If the expected audience is configured, a matching "aud" must be 
present
+        String expectedAudience = 
(String)message.getContextualProperty(JwtConstants.EXPECTED_CLAIM_AUDIENCE);
+        if (expectedAudience != null) {
+            if (claims.getAudiences().contains(expectedAudience)) {
+                return;
+            }
+            throw new JwtException("Invalid audience restriction");
         }
 
-        String expectedAudience = 
(String)message.getContextualProperty(JwtConstants.EXPECTED_CLAIM_AUDIENCE);
-        if (expectedAudience == null) {
-            expectedAudience = 
(String)message.getContextualProperty(Message.REQUEST_URL);
+        // Otherwise if we have no aud claims then the token is valid
+        if (claims.getAudiences().isEmpty()) {
+            return;
         }
 
+        // Otherwise one of the aud claims must match the request URL
+        expectedAudience = 
(String)message.getContextualProperty(Message.REQUEST_URL);
         if (expectedAudience != null && 
claims.getAudiences().contains(expectedAudience)) {
             return;
         }
+
         throw new JwtException("Invalid audience restriction");
     }
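Review bot: The audience policy in `validateJwtAudienceRestriction` is now three-tiered but the method carries no Javadoc; it should state that when `JwtConstants.EXPECTED_CLAIM_AUDIENCE` is configured the token's `aud` must contain that value, that otherwise a token with no `aud` claim is accepted, and that otherwise one `aud` value must equal `Message.REQUEST_URL`. Reusing the `expectedAudience` local for the request URL on the line `expectedAudience = (String)message.getContextualProperty(Message.REQUEST_URL);` blurs the two cases; a separate `String requestUrl = ...` local reads more clearly, and the two identical `throw new JwtException("Invalid audience restriction")` statements could then collapse into a single exit. The request-URL branch is an exact string comparison via `contains`, so a trailing slash or query string in the request URL would reject an otherwise-valid token, which is worth stating in the Javadoc if intended. The `(String)` casts surface a non-String property value as a `ClassCastException` rather than a `JwtException`, which is probably acceptable but worth confirming.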
     
diff --git 
a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java
 
b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java
index 9a2050e..c9e3715 100644
--- 
a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java
+++ 
b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwt/JwtUtilsTest.java
@@ -21,6 +21,9 @@ package org.apache.cxf.rs.security.jose.jwt;
 import java.util.Calendar;
 import java.util.Date;
 
+import org.apache.cxf.message.Message;
+import org.apache.cxf.message.MessageImpl;
+
 import org.junit.Assert;
 
 /**
@@ -140,5 +143,40 @@ public class JwtUtilsTest extends Assert {
             // expected
         }
     }
+
+    @org.junit.Test
+    public void testExpectedAudience() throws Exception {
+        // Create the JWT Token
+        JwtClaims claims = new JwtClaims();
+        claims.setSubject("alice");
+        claims.setIssuer("DoubleItSTSIssuer");
+
+        // No aud claim should validate OK
+        Message message = new MessageImpl();
+        JwtUtils.validateJwtAudienceRestriction(claims, message);
+
+        // It should fail when we have an unknown aud claim
+        claims.setAudience("Receiver");
+        try {
+            JwtUtils.validateJwtAudienceRestriction(claims, message);
+            fail("Failure expected on an invalid audience");
+        } catch (JwtException ex) {
+            // expected
+        }
+
+        // Here the aud claim matches what is expected
+        message.put(JwtConstants.EXPECTED_CLAIM_AUDIENCE, "Receiver");
+        JwtUtils.validateJwtAudienceRestriction(claims, message);
+
+        // It should fail when the expected aud claim is not present
+        claims.removeProperty(JwtConstants.CLAIM_AUDIENCE);
+        try {
+            JwtUtils.validateJwtAudienceRestriction(claims, message);
+            fail("Failure expected on an invalid audience");
+        } catch (JwtException ex) {
+            // expected
+        }
+    }
+
 }
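Review bot: `testExpectedAudience` never exercises the positive request-URL branch of `validateJwtAudienceRestriction`: no case sets `Message.REQUEST_URL`, so the fallback this commit keeps is covered only by its failure path. A final case that clears `JwtConstants.EXPECTED_CLAIM_AUDIENCE`, sets `Message.REQUEST_URL` to the token's `aud` value and expects validation to pass would pin that behaviour, and a mismatching URL case would pin the rejection. The sketch below assumes `MessageImpl` supports `remove` through its map interface; confirm against the project's `Message` API.
```java
        // … unchanged: existing expected-audience cases …

        // With no expected audience configured, an aud matching the request URL validates OK
        message.remove(JwtConstants.EXPECTED_CLAIM_AUDIENCE);
        message.put(Message.REQUEST_URL, "Receiver");
        claims.setAudience("Receiver");
        JwtUtils.validateJwtAudienceRestriction(claims, message);

        // ...and is rejected when the request URL differs from every aud value
        message.put(Message.REQUEST_URL, "OtherReceiver");
        try {
            JwtUtils.validateJwtAudienceRestriction(claims, message);
            fail("Failure expected on an invalid audience");
        } catch (JwtException ex) {
            // expected
        }
```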
 
