Guanping Zhang created CXF-9223:
-----------------------------------
Summary: completeAudienceMatch=false defaults to prefix matching for audience validation, widening resource access
Key: CXF-9223
URL: https://issues.apache.org/jira/browse/CXF-9223
Project: CXF
Issue Type: Bug
Components: JAX-RS
Affects Versions: 4.2.2
Reporter: Guanping Zhang
In {{OAuthRequestFilter.validateAudiences()}}, when {{completeAudienceMatch}} is {{false}} (which is the default) and {{audienceIsEndpointAddress}} is {{true}}, the filter matches the incoming request path against the configured audience list using {{requestPath.startsWith(s)}}.

This means an audience entry configured as {{/api/read}} will inadvertently authorize access to {{/api/readwrite}} or {{/api/readAdmin}}. This widens the resource-server access boundary beyond the intended audience configuration.
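The following is an added, self-contained illustration written for this report; it is not CXF's code and does not reproduce OAuthRequestFilter itself. It places the plain startsWith comparison described above next to a stricter comparison that only accepts an exact path or a sub-path at a '/' boundary, so the difference on the report's own sample paths can be seen directly. The class and method names are constructed for the example.

```java
import java.util.List;

/**
 * Constructed comparison of two ways to match a request path against an
 * audience list. Not CXF code; written to illustrate CXF-9223.
 */
public class AudiencePathMatch {

    // Matching as described in the report: any configured audience that is a
    // string prefix of the request path is accepted, so an audience of
    // "/api/read" also accepts "/api/readwrite" and "/api/readAdmin".
    static boolean prefixMatch(String requestPath, List<String> audiences) {
        for (String s : audiences) {
            if (requestPath.startsWith(s)) {
                return true;
            }
        }
        return false;
    }

    // Stricter alternative: accept the exact audience path, or a longer path
    // only when the audience is followed by a '/' segment boundary. This keeps
    // "/api/read/items" under "/api/read" but rejects "/api/readwrite".
    static boolean segmentMatch(String requestPath, List<String> audiences) {
        for (String s : audiences) {
            String boundaryPrefix = s.endsWith("/") ? s : s + "/";
            if (requestPath.equals(s) || requestPath.startsWith(boundaryPrefix)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample configuration and request paths from the report.
        List<String> audiences = List.of("/api/read");
        String[] paths = {"/api/read", "/api/read/items", "/api/readwrite", "/api/readAdmin"};
        for (String p : paths) {
            System.out.printf("%-18s prefixMatch=%-5s segmentMatch=%s%n",
                    p, prefixMatch(p, audiences), segmentMatch(p, audiences));
        }
    }
}
```

Running main prints one line per sample path; prefixMatch accepts all four, while segmentMatch accepts only the exact path and the '/'-delimited sub-path. The report implies that setting completeAudienceMatch to true requires a complete match instead, which is the configuration-level way to avoid the widening until the default is changed.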
--
This message was sent by Atlassian Jira
(v8.20.10#820010)