From cohei...@apache.org
Subject [1/2] cxf git commit: Make sure that the JwtRequestCodeFilter checks that the response_type/client_id in the request (if present) match the OAuth parameters. Also fixed a bug in checking the response type.
Date Wed, 17 Feb 2016 16:37:34 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes afaf1debd -> 58f1631ff


Make sure that the JwtRequestCodeFilter checks that the response_type/client_id in the request
(if present) match the OAuth parameters. Also fixed a bug in checking the response type.


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/43fafd04
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/43fafd04
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/43fafd04

Branch: refs/heads/3.1.x-fixes
Commit: 43fafd0440a8d5ffd6eaf4ace917b62fb3f3181b
Parents: afaf1de
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Wed Feb 17 16:17:27 2016 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Wed Feb 17 16:32:42 2016 +0000

----------------------------------------------------------------------
 .../grants/code/JwtRequestCodeFilter.java       | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/43fafd04/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
index 0017850..e05404d 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
@@ -63,12 +63,26 @@ public class JwtRequestCodeFilter extends OAuthJoseJwtConsumer implements
             JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(client);
             JwtToken jwt = getJwtToken(requestToken, theDecryptor, theSigVerifier);
             JwtClaims claims = jwt.getClaims();
+            
+            // Check issuer
             String iss = issuer != null ? issuer : client.getClientId();  
-            if (!iss.equals(claims.getIssuer())
-                || claims.getClaim(OAuthConstants.CLIENT_ID) != null 
-                && claims.getStringProperty(OAuthConstants.CLIENT_ID).equals(client.getClientId()))
{
+            if (!iss.equals(claims.getIssuer())) {
                 throw new SecurityException();
             }
+            
+            // Check client_id - if present it must match the client_id specified in the
request
+            if (claims.getClaim(OAuthConstants.CLIENT_ID) != null 
+                && !claims.getStringProperty(OAuthConstants.CLIENT_ID).equals(client.getClientId()))
{
+                throw new SecurityException();
+            }
+            
+            // Check response_type - if present it must match the response_type specified
in the request
+            String tokenResponseType = (String)claims.getClaim(OAuthConstants.RESPONSE_TYPE);
+            if (tokenResponseType != null 
+                && !tokenResponseType.equals(params.getFirst(OAuthConstants.RESPONSE_TYPE)))
{
+                throw new SecurityException();
+            }
+            
             MultivaluedMap<String, String> newParams = new MetadataMap<String, String>();
             Map<String, Object> claimsMap = claims.asMap();
             for (Map.Entry<String, Object> entry : claimsMap.entrySet()) {
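Review bot: The new response_type check reads the claim with a raw cast, `(String)claims.getClaim(OAuthConstants.RESPONSE_TYPE)`, so a claim that is present but not a JSON string (an array or number) fails with a ClassCastException instead of the SecurityException every other rejected claim in this hunk produces, which turns a policy rejection into a server-side error with a different status and log trail. The client_id check two lines above already goes through `claims.getStringProperty(...)`; using the same accessor here keeps the two checks consistent, assuming getStringProperty tolerates non-string values the way the client_id branch relies on (confirm against JsonMapObject): `String tokenResponseType = claims.getStringProperty(OAuthConstants.RESPONSE_TYPE);`. Note that `!tokenResponseType.equals(params.getFirst(...))` rejects a token that carries response_type when the request carries none, which is the fail-closed behaviour one wants, so that comparison can stay as written. The enclosing method starts and ends outside the hunk, and the `newParams` copy loop that follows is cut off, so whether later lines apply further validation to the copied claims cannot be judged from here.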

