Repository: cxf Updated Branches: refs/heads/master 2726b68fa -> 52bdff074
Make sure that the JwtRequestCodeFilter checks that the response_type/client_id in the request (if present) match the OAuth parameters. Also fixed a bug in checking the response type. Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/e265a32d Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/e265a32d Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/e265a32d Branch: refs/heads/master Commit: e265a32de75478ae4f39b9031baa7e878f31a72c Parents: 2726b68 Author: Colm O hEigeartaigh <[email protected]> Authored: Wed Feb 17 16:17:27 2016 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Wed Feb 17 16:17:27 2016 +0000 ---------------------------------------------------------------------- .../grants/code/JwtRequestCodeFilter.java | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/e265a32d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
index 0017850..e05404d 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.java
@@ -63,12 +63,26 @@ public class JwtRequestCodeFilter extends OAuthJoseJwtConsumer implements Author
 JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier(client);
 JwtToken jwt = getJwtToken(requestToken, theDecryptor, theSigVerifier);
 JwtClaims claims = jwt.getClaims();
+
+ // Check issuer
 String iss = issuer != null ? issuer : client.getClientId();
- if (!iss.equals(claims.getIssuer())
- || claims.getClaim(OAuthConstants.CLIENT_ID) != null
- && claims.getStringProperty(OAuthConstants.CLIENT_ID).equals(client.getClientId())) {
+ if (!iss.equals(claims.getIssuer())) {
 throw new SecurityException();
 }
+
+ // Check client_id - if present it must match the client_id specified in the request
+ if (claims.getClaim(OAuthConstants.CLIENT_ID) != null
+ && !claims.getStringProperty(OAuthConstants.CLIENT_ID).equals(client.getClientId())) {
+ throw new SecurityException();
+ }
+
+ // Check response_type - if present it must match the response_type specified in the request
+ String tokenResponseType = (String)claims.getClaim(OAuthConstants.RESPONSE_TYPE);
+ if (tokenResponseType != null
+ && !tokenResponseType.equals(params.getFirst(OAuthConstants.RESPONSE_TYPE))) {
+ throw new SecurityException();
+ }
+
 MultivaluedMap<String, String> newParams = new MetadataMap<String, String>();
 Map<String, Object> claimsMap = claims.asMap();
 for (Map.Entry<String, Object> entry : claimsMap.entrySet()) {
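Review bot: The new response_type check reads the claim through an unchecked `(String)claims.getClaim(OAuthConstants.RESPONSE_TYPE)` cast, so a request object whose response_type claim is not a JSON string fails with a ClassCastException instead of the SecurityException the issuer and client_id checks throw; the client_id check just above uses `claims.getStringProperty(...)` for the same purpose, so `String tokenResponseType = claims.getStringProperty(OAuthConstants.RESPONSE_TYPE);` would keep the three checks consistent (assuming that accessor handles a non-string value more gracefully than a cast — worth confirming). All three branches throw a bare `SecurityException()`, which leaves no way to tell from server logs whether the issuer, client_id or response_type comparison rejected the request; a short message per branch, e.g. `throw new SecurityException("response_type claim does not match request");`, would make rejections diagnosable, provided the message is logged rather than echoed to the caller. The removed condition that lacked a `!` is the client_id comparison, so the description's "bug in checking the response type" appears to refer to the client_id check. The enclosing method starts and ends outside the hunk.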
