Guanping Zhang created CXF-9223:
-----------------------------------

             Summary: completeAudienceMatch=false defaults to prefix matching for audience validation, widening resource access
                 Key: CXF-9223
                 URL: https://issues.apache.org/jira/browse/CXF-9223
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS
    Affects Versions: 4.2.2
            Reporter: Guanping Zhang


In {{OAuthRequestFilter.validateAudiences()}}, when {{completeAudienceMatch}} is {{false}} (which is the default) and {{audienceIsEndpointAddress}} is {{true}}, the filter matches the incoming request path against the configured audience list using {{requestPath.startsWith(s)}}.

This means an audience entry configured as {{/api/read}} will inadvertently authorize access to {{/api/readwrite}} or {{/api/readAdmin}}. This widens the resource-server access boundary beyond the intended audience configuration.
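The following is an added illustration, not CXF code: it models the {{startsWith}} comparison described above next to a stricter segment-boundary comparison (the stricter variant is an assumption about one possible hardening, not the project's fix), so the widening on {{/api/readwrite}} and {{/api/readAdmin}} can be reproduced on a list of sample paths.

```java
import java.util.List;

// Added example (not CXF code): compares the prefix-based audience check
// described in CXF-9223 with a segment-boundary check.
public class AudienceMatchDemo {

    // Behaviour described in the report for completeAudienceMatch=false with
    // audienceIsEndpointAddress=true: a bare prefix match on the request path.
    static boolean prefixMatch(String requestPath, List<String> audiences) {
        for (String s : audiences) {
            if (requestPath.startsWith(s)) {
                return true;
            }
        }
        return false;
    }

    // Assumed hardened variant: accept the exact audience path or a sub-path that
    // starts at a '/' boundary, so "/api/read" covers "/api/read/items" but not
    // "/api/readwrite". Blank entries are skipped so they cannot match everything.
    static boolean segmentMatch(String requestPath, List<String> audiences) {
        for (String s : audiences) {
            String base = s.endsWith("/") ? s.substring(0, s.length() - 1) : s;
            if (base.isEmpty()) {
                continue;
            }
            if (requestPath.equals(base) || requestPath.startsWith(base + "/")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample configuration and request paths.
        List<String> audiences = List.of("/api/read");
        List<String> paths = List.of("/api/read", "/api/read/items",
                                     "/api/readwrite", "/api/readAdmin");
        for (String path : paths) {
            System.out.printf("%-18s prefixMatch=%-5s segmentMatch=%s%n",
                    path, prefixMatch(path, audiences), segmentMatch(path, audiences));
        }
    }
}
```

With the sample list, {{prefixMatch}} returns true for all four paths while {{segmentMatch}} returns true only for {{/api/read}} and {{/api/read/items}}; setting {{completeAudienceMatch}} to {{true}}, as the report implies, is the configuration-side way to avoid the prefix behaviour.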



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
