cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [2/3] cxf git commit: Adding support for validating audiences for JWT tokens as well as supporting multiple audiences
Date Thu, 03 Dec 2015 14:24:22 GMT
Adding support for validating audiences for JWT tokens as well as supporting multiple audiences

# Conflicts:
#	rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
#	rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d8443006
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d8443006
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d8443006

Branch: refs/heads/3.0.x-fixes
Commit: d8443006008dd859fcc1fdfe1bf700315c073704
Parents: 86bbf7c
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Dec 3 12:30:10 2015 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Dec 3 14:20:54 2015 +0000

----------------------------------------------------------------------
 .../jose/jaxrs/JwtAuthenticationFilter.java     |  2 +-
 .../cxf/rs/security/jose/jwt/JwtClaims.java     | 20 +++++++++--
 .../cxf/rs/security/jose/jwt/JwtUtils.java      | 34 +++++++++++++++++++
 .../oauth2/grants/jwt/AbstractJwtHandler.java   |  5 +--
 .../oauth2/tokens/jwt/JwtAccessTokenUtils.java  | 35 +++++++++-----------
 .../oidc/rp/AbstractTokenValidator.java         |  6 ++--
 .../cxf/rs/security/oidc/rp/IdTokenReader.java  |  9 +++++
 .../cxf/rs/security/oidc/rp/UserInfoClient.java | 14 ++++----
 .../security/jose/jwt/JWTAlgorithmTest.java     | 14 ++++++++
 .../security/jose/jwt/JWTAuthnAuthzTest.java    |  5 +++
 10 files changed, 108 insertions(+), 36 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
index be781b9..b1a1966 100644
--- a/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
+++ b/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtAuthenticationFilter.java
@@ -96,7 +96,7 @@ public class JwtAuthenticationFilter extends AbstractJoseJwtConsumer implements
     
     @Override
     protected void validateToken(JwtToken jwt) {
-        JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset);
+        JwtUtils.validateTokenClaims(jwt.getClaims(), ttl, clockOffset, true);
     }
 
     public int getClockOffset() {

http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
index 6fcc85d..fe5b08a 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtClaims.java
@@ -19,6 +19,8 @@
 
 package org.apache.cxf.rs.security.jose.jwt;
 
+import java.util.Collections;
+import java.util.List;
 import java.util.Map;
 
 import org.apache.cxf.jaxrs.json.basic.JsonMapObject;
@@ -52,11 +54,23 @@ public class JwtClaims extends JsonMapObject {
     }
     
     public void setAudience(String audience) {
-        setClaim(JwtConstants.CLAIM_AUDIENCE, audience);
+        setAudiences(Collections.singletonList(audience));
     }
     
-    public String getAudience() {
-        return (String)getClaim(JwtConstants.CLAIM_AUDIENCE);
+    public void setAudiences(List<String> audiences) {
+        setClaim(JwtConstants.CLAIM_AUDIENCE, audiences);
+    }
+    
+    @SuppressWarnings("unchecked")
+    public List<String> getAudiences() {
+        Object audiences = getClaim(JwtConstants.CLAIM_AUDIENCE);
+        if (audiences instanceof List<?>) {
+            return (List<String>)audiences;
+        } else if (audiences instanceof String) {
+            return Collections.singletonList((String)audiences);
+        }
+        
+        return Collections.emptyList();
     }
     
     public void setExpiryTime(Long expiresIn) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
index e739347..68bcef9 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwt/JwtUtils.java
@@ -20,6 +20,9 @@ package org.apache.cxf.rs.security.jose.jwt;
 
 import java.util.Date;
 
+import org.apache.cxf.message.Message;
+import org.apache.cxf.phase.PhaseInterceptorChain;
+
 public final class JwtUtils {
     private JwtUtils() {
         
@@ -109,6 +112,7 @@ public final class JwtUtils {
             }
         }
     }
+<<<<<<< HEAD
 
     public static void validateJwtTimeClaims(JwtClaims claims, int clockOffset,
                                              int issuedAtRange, boolean claimsRequired) {
@@ -134,6 +138,32 @@ public final class JwtUtils {
     }
 
     public static void validateTokenClaims(JwtClaims claims, int timeToLive, int clockOffset)
{
+=======
+    
+    public static void validateJwtAudienceRestriction(JwtClaims claims, Message message)
{
+        // Get the endpoint URL
+        String requestURL = null;
+        if (message.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL) !=
null) {
+            requestURL = (String)message.getContextualProperty(org.apache.cxf.message.Message.REQUEST_URL);
+        }
+        
+        if (requestURL != null) {
+            boolean match = false;
+            for (String audience : claims.getAudiences()) {
+                if (requestURL.equals(audience)) {
+                    match = true;
+                    break;
+                }
+            }
+            if (!match) {
+                throw new JwtException("Invalid audience restriction");
+            }
+        }
+    }
+    
+    public static void validateTokenClaims(JwtClaims claims, int timeToLive, int clockOffset,
+                                           boolean validateAudienceRestriction) {
+>>>>>>> 21bbc38... Adding support for validating audiences for JWT tokens
as well as supporting multiple audiences
         // If we have no issued time then we need to have an expiry
         boolean expiredRequired = claims.getIssuedAt() == null;
         validateJwtExpiry(claims, clockOffset, expiredRequired);
@@ -143,6 +173,10 @@ public final class JwtUtils {
         // If we have no expiry then we must have an issued at
         boolean issuedAtRequired = claims.getExpiryTime() == null;
         validateJwtIssuedAt(claims, timeToLive, clockOffset, issuedAtRequired);
+        
+        if (validateAudienceRestriction) {
+            validateJwtAudienceRestriction(claims, PhaseInterceptorChain.getCurrentMessage());
+        }
     }
     
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
index 0177323..5855165 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/jwt/AbstractJwtHandler.java
@@ -54,11 +54,10 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler
{
     }
     
     protected void validateClaims(Client client, JwtClaims claims) {
-        JwtUtils.validateTokenClaims(claims, ttl, clockOffset);
+        JwtUtils.validateTokenClaims(claims, ttl, clockOffset, true);
         
         validateIssuer(claims.getIssuer());
         validateSubject(client, claims.getSubject());
-        validateAudience(client, claims.getAudience());
         
         // We must have an Expiry
         if (claims.getClaim(JwtConstants.CLAIM_EXPIRY) == null) {
@@ -78,8 +77,6 @@ public abstract class AbstractJwtHandler extends AbstractGrantHandler {
             throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
         }
     }
-    protected void validateAudience(Client client, String audience) {
-    }
     public void setSupportedIssuers(Set<String> supportedIssuers) {
         this.supportedIssuers = supportedIssuers;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java
index c413d00..76d371f 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.java
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.oauth2.tokens.jwt;
 
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
+import java.util.List;
 
 import javax.crypto.SecretKey;
 
@@ -38,7 +39,6 @@ import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider;
 import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
 import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;
@@ -110,32 +110,29 @@ public final class JwtAccessTokenUtils {
             throw new SecurityException();
         }
     }
-    public static void validateJwtClaims(JwtClaims claims, int ttl, int clockOffset, Client
c) {
-        validateJwtSubjectAndAudience(claims, c);
-        
-        // If we have no issued time then we need to have an expiry
-        boolean expiredRequired = claims.getIssuedAt() == null;
-        JwtUtils.validateJwtExpiry(claims, clockOffset, expiredRequired);
-        
-        JwtUtils.validateJwtNotBefore(claims, clockOffset, false);
-        
-        // If we have no expiry then we must have an issued at
-        boolean issuedAtRequired = claims.getExpiryTime() == null;
-        if (issuedAtRequired) {
-            JwtUtils.validateJwtIssuedAt(claims, ttl, clockOffset, issuedAtRequired);
-        }
-    }
     
     private static void validateJwtSubjectAndAudience(JwtClaims claims, Client c) {
         if (claims.getSubject() == null || !claims.getSubject().equals(c.getClientId()))
{
             throw new SecurityException("Invalid subject");
         }
         // validate audience
-        String aud = claims.getAudience();
-        if (aud == null 
-            || !c.getRegisteredAudiences().isEmpty() && !c.getRegisteredAudiences().contains(aud))
{
+        List<String> audiences = claims.getAudiences();
+        if (audiences.isEmpty()) {
             throw new SecurityException("Invalid audience");
         }
+        
+        if (!c.getRegisteredAudiences().isEmpty()) {
+            boolean match = false;
+            for (String audience : audiences) {
+                if (c.getRegisteredAudiences().contains(audience)) {
+                    match = true;
+                    break;
+                }
+            }
+            if (!match) {
+                throw new SecurityException("Invalid audience");
+            }
+        }
         // TODO: the issuer is indirectly validated by validating the signature
         // but an extra check can be done
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
index 6011577..8fc0022 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.java
@@ -18,6 +18,7 @@
  */
 package org.apache.cxf.rs.security.oidc.rp;
 
+import java.util.List;
 import java.util.concurrent.ConcurrentHashMap;
 
 import org.apache.cxf.jaxrs.client.WebClient;
@@ -66,8 +67,9 @@ public abstract class AbstractTokenValidator extends AbstractOAuthJoseJwtConsume
                 throw new SecurityException("Invalid subject");
             }
             // validate audience
-            String aud = claims.getAudience();
-            if (aud == null && validateClaimsAlways || aud != null && !clientId.equals(aud))
{
+            List<String> audiences = claims.getAudiences();
+            if (audiences.isEmpty() && validateClaimsAlways 
+                || !audiences.isEmpty() && !audiences.contains(clientId)) {
                 throw new SecurityException("Invalid audience");
             }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
index b5bbbf1..c46505f 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/IdTokenReader.java
@@ -40,9 +40,18 @@ public class IdTokenReader extends AbstractTokenValidator {
         OidcUtils.validateAccessTokenHash(at, jwt, requireAtHash);
         return jwt;
     }
+<<<<<<< HEAD
     public JwtToken getIdJwtToken(String idJwtToken, OAuthClientUtils.Consumer client) {
         JwtToken jwt = getJwtToken(idJwtToken, client.getSecret());
         validateJwtClaims(jwt.getClaims(), client.getKey(), true);
+=======
+    public JwtToken getIdJwtToken(String idJwtToken, Consumer client) {
+        JwtToken jwt = getJwtToken(idJwtToken, client.getClientSecret());
+        if (jwt.getClaims().getAudiences().size() > 1) {
+            throw new SecurityException("Invalid audience");
+        }
+        validateJwtClaims(jwt.getClaims(), client.getClientId(), true);
+>>>>>>> 21bbc38... Adding support for validating audiences for JWT tokens
as well as supporting multiple audiences
         return jwt;
     }
     private IdToken getIdTokenFromJwt(JwtToken jwt) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
index 78f18e5..c329ad9 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/UserInfoClient.java
@@ -39,7 +39,7 @@ public class UserInfoClient extends AbstractTokenValidator {
                 return getUserInfoFromJwt(jwt, idToken, client);
             } else {
                 UserInfo profile = profileClient.get(UserInfo.class);
-                validateUserInfo(profile, idToken);
+                validateUserInfo(profile, idToken, client);
                 return profile;
             }
         } else {
@@ -49,7 +49,7 @@ public class UserInfoClient extends AbstractTokenValidator {
                 return getUserInfoFromJwt(jwt, idToken, client);
             } else {
                 UserInfo profile = profileClient.form(form).readEntity(UserInfo.class);
-                validateUserInfo(profile, idToken);
+                validateUserInfo(profile, idToken, client);
                 return profile;
             }
         }
@@ -58,18 +58,18 @@ public class UserInfoClient extends AbstractTokenValidator {
                                        IdToken idToken,
                                        OAuthClientUtils.Consumer client) {
         JwtToken jwt = getUserInfoJwt(profileJwtToken, client);
-        return getUserInfoFromJwt(jwt, idToken);
+        return getUserInfoFromJwt(jwt, idToken, client);
     }
-    public UserInfo getUserInfoFromJwt(JwtToken jwt, IdToken idToken) {
+    public UserInfo getUserInfoFromJwt(JwtToken jwt, IdToken idToken, Consumer client) {
         UserInfo profile = new UserInfo(jwt.getClaims().asMap());
-        validateUserInfo(profile, idToken);
+        validateUserInfo(profile, idToken, client);
         return profile;
     }
     public JwtToken getUserInfoJwt(String profileJwtToken, OAuthClientUtils.Consumer client)
{
         return getJwtToken(profileJwtToken);
     }
-    public void validateUserInfo(UserInfo profile, IdToken idToken) {
-        validateJwtClaims(profile, idToken.getAudience(), false);
+    public void validateUserInfo(UserInfo profile, IdToken idToken, Consumer client) {
+        validateJwtClaims(profile, client.getClientId(), false);
         // validate subject
         if (!idToken.getSubject().equals(profile.getSubject())) {
             throw new SecurityException("Invalid subject");

http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAlgorithmTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAlgorithmTest.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAlgorithmTest.java
index f745e3d..e9857ee 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAlgorithmTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAlgorithmTest.java
@@ -102,6 +102,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
 
@@ -145,6 +146,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
 
@@ -191,6 +193,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
 
@@ -232,6 +235,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
 
@@ -274,6 +278,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
 
@@ -313,6 +318,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
 
@@ -349,6 +355,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
 
@@ -388,6 +395,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
 
@@ -423,6 +431,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
 
@@ -460,6 +469,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
 
@@ -500,6 +510,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
 
         JwtToken token = new JwtToken(claims);
 
@@ -537,6 +548,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
         
@@ -572,6 +584,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
         
@@ -610,6 +623,7 @@ public class JWTAlgorithmTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/d8443006/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAuthnAuthzTest.java
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAuthnAuthzTest.java
b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAuthnAuthzTest.java
index 7f62b83..45d109d 100644
--- a/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAuthnAuthzTest.java
+++ b/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/jose/jwt/JWTAuthnAuthzTest.java
@@ -84,6 +84,7 @@ public class JWTAuthnAuthzTest extends AbstractBusClientServerTestBase {
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
 
@@ -123,6 +124,7 @@ public class JWTAuthnAuthzTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
 
@@ -160,6 +162,7 @@ public class JWTAuthnAuthzTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         // The endpoint requires a role of "boss"
         claims.setProperty("role", "boss");
         
@@ -201,6 +204,7 @@ public class JWTAuthnAuthzTest extends AbstractBusClientServerTestBase
{
         claims.setSubject("alice");
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
 
@@ -237,6 +241,7 @@ public class JWTAuthnAuthzTest extends AbstractBusClientServerTestBase
{
         claims.setIssuer("DoubleItSTSIssuer");
         claims.setIssuedAt(new Date().getTime() / 1000L);
         claims.setProperty("role", "manager");
+        claims.setAudience(address);
         
         JwtToken token = new JwtToken(claims);
 


Mime
View raw message