From: "Shaleen Mishra (JIRA)"
To: issues@cxf.apache.org
Reply-To: dev@cxf.apache.org
Date: Tue, 25 Oct 2016 18:27:58 +0000 (UTC)
Subject: [jira] [Created] (CXF-7110) Inflexible jwt audience restriction validation

Shaleen Mishra created CXF-7110:
-----------------------------------

Summary: Inflexible jwt audience restriction validation
Key: CXF-7110
URL: https://issues.apache.org/jira/browse/CXF-7110
Project: CXF
Issue Type: Improvement
Components: JAX-RS Security
Affects Versions: 3.1.7
Environment: JVM 1.7, Ubuntu 14
Reporter: Shaleen Mishra
JwtUtils.validateJwtAudienceRestriction checks that the audience URL matches the current request URL (from the context). This works only during development but is most likely to fail in practice, because the actual URL of the resource server may be behind a proxy or load balancer etc.

e.g. the actual request is sent to mycompany.com/oauth and the requester sends this string in the audience parameter, but the server actually serving the request may have a URL like localhost:8080/oauth. So the match fails. And thanks to the static util function, it cannot be customized easily.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
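The failure mode the report describes, and the usual alternative, as an added example that is not CXF code and not part of the original issue. The class and method names (AudienceCheck, naiveCheck, configuredCheck, audiences) are hypothetical, and the public/backend URLs are constructed from the scenario in the report. The naive variant mirrors the behaviour complained about (the aud claim must equal the URL the server itself observes), while the configured variant compares the aud claim against an explicit allow-list of expected audiences, handles aud as either a string or an array as RFC 7519 permits, and rejects a token that carries no aud at all when an allow-list is configured.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Illustrative JWT audience check (example code, not CXF's implementation).
 * Compiles on Java 7, matching the environment in the report.
 */
public final class AudienceCheck {

    private AudienceCheck() {}

    /**
     * Naive check: aud must equal the request URL as seen by the server.
     * Behind a proxy or load balancer the observed URL is the backend's own
     * address, not the public name the client put in the token, so this fails.
     */
    public static boolean naiveCheck(Object audClaim, String observedRequestUrl) {
        return audiences(audClaim).contains(observedRequestUrl);
    }

    /**
     * Configured check: accept the token if at least one presented audience
     * value is in the deployment's allow-list. A token without an aud claim is
     * rejected, since an unrestricted token could otherwise be replayed against
     * every service that shares the issuer.
     */
    public static boolean configuredCheck(Object audClaim, Set<String> expectedAudiences) {
        if (expectedAudiences == null || expectedAudiences.isEmpty()) {
            throw new IllegalStateException("no expected audiences configured");
        }
        Set<String> presented = audiences(audClaim);
        if (presented.isEmpty()) {
            return false;
        }
        for (String aud : presented) {
            // exact string match only; no prefix or substring matching
            if (expectedAudiences.contains(aud)) {
                return true;
            }
        }
        return false;
    }

    /** RFC 7519 allows "aud" to be a single string or an array of strings. */
    @SuppressWarnings("unchecked")
    static Set<String> audiences(Object audClaim) {
        if (audClaim == null) {
            return Collections.emptySet();
        }
        if (audClaim instanceof String) {
            return Collections.singleton((String) audClaim);
        }
        if (audClaim instanceof List) {
            Set<String> out = new HashSet<String>();
            for (Object o : (List<Object>) audClaim) {
                if (o instanceof String) {
                    out.add((String) o);
                }
            }
            return out;
        }
        return Collections.emptySet();
    }

    public static void main(String[] args) {
        // Constructed scenario: the client addresses the public name, but the
        // backend behind the proxy sees its own local address.
        String publicAudience = "https://mycompany.com/oauth";
        String backendUrl = "http://localhost:8080/oauth";
        Set<String> allowList = new HashSet<String>(Arrays.asList(publicAudience));

        System.out.println("naive, aud=public url:      "
            + naiveCheck(publicAudience, backendUrl));
        System.out.println("configured, aud=public url: "
            + configuredCheck(publicAudience, allowList));
        System.out.println("configured, aud=array:      "
            + configuredCheck(Arrays.asList("https://other.example", publicAudience), allowList));
        System.out.println("configured, aud missing:    "
            + configuredCheck(null, allowList));
        System.out.println("configured, aud mismatch:   "
            + configuredCheck("https://mycompany.com/oauth/other", allowList));
    }
}
```

The allow-list is deployment configuration rather than something derived from the incoming request, which is what makes it stable across proxies, load balancers and local testing. Keeping the match exact matters: matching on prefix or host alone would let a token minted for one endpoint be accepted by another under the same name.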