[CXF-7110] Inflexible jwt audience restriction validation - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.1.7
Fix Version/s: 3.1.9, 3.2.0
Component/s: JAX-RS Security
Labels:
None
Environment:

JVM 1.7, Ubuntu 14

Estimated Complexity:
Unknown
Flags:

Important

Description

JwtUtils.validateJwtAudienceRestriction checks the audience url matches the current request url (from the context). This works only during development but is most likely to fail because the actual url of the resource server may be behind the proxy or load balancer etc. e.g. The actual request is sent to mycomany.com/oauth and the requester sends this string in the audience parameter but the server actually serving the request may have a url like localhost:8080/oauth. So the match fails. And thanks to the static util function, it can not be customized easily.

Attachments

Activity

People

Assignee:: Sergey Beryozkin

Reporter:: Shaleen Mishra

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 25/Oct/16 18:26

Updated:: 22/Mar/17 17:24

Resolved:: 08/Nov/16 11:35