Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-11-10 19:48:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/6.5.x'

Browse Source
This commit is contained in:
Josh Cummings 2025-10-28 12:08:53 -06:00
commit 4daf089e46
2 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtTypeValidator.java
View File

@ -72,8 +72,10 @@ public final class JwtTypeValidator implements OAuth2TokenValidator<Jwt> {
if (this.allowEmpty && !StringUtils.hasText(typ)) {
return OAuth2TokenValidatorResult.success();
}
if (this.validTypes.contains(typ)) {
return OAuth2TokenValidatorResult.success();
for (String validType : this.validTypes) {
if (validType.equalsIgnoreCase(typ)) {
return OAuth2TokenValidatorResult.success();
}
}
return OAuth2TokenValidatorResult.failure(new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN,
"the given typ value needs to be one of " + this.validTypes,

8
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtTypeValidatorTests.java
View File

@ -44,4 +44,12 @@ class JwtTypeValidatorTests {
assertThat(validator.validate(jwt.build()).hasErrors()).isFalse();
}
@Test
void validateWhenTypHeaderHasDifferentCaseThenSuccess() {
Jwt.Builder jwt = TestJwts.jwt();
JwtTypeValidator validator = new JwtTypeValidator("at+jwt");
jwt.header(JoseHeaderNames.TYP, "AT+JWT");
assertThat(validator.validate(jwt.build()).hasErrors()).isFalse();
}
}