cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shaleen Mishra (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-7110) Inflexible jwt audience restriction validation
Date Tue, 25 Oct 2016 18:27:58 GMT
Shaleen Mishra created CXF-7110:
-----------------------------------

             Summary: Inflexible jwt audience restriction validation
                 Key: CXF-7110
                 URL: https://issues.apache.org/jira/browse/CXF-7110
             Project: CXF
          Issue Type: Improvement
          Components: JAX-RS Security
    Affects Versions: 3.1.7
         Environment: JVM 1.7, Ubuntu 14
            Reporter: Shaleen Mishra


JwtUtils.validateJwtAudienceRestriction checks the audience url matches the current request
url (from the context). This works only during development but is most likely to fail because
the actual url of the resource server may be behind the proxy or load balancer etc. e.g. The
actual request is sent to mycomany.com/oauth and the requester sends this string in the audience
parameter but the server actually serving the request may have a url like localhost:8080/oauth.
So the match fails. And thanks to the static util function, it can not be customized easily.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message