Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

JwtIssuerValidator handles issuer (iss) claim values as Strings and URLs 

- NimbusJwtDecoder uses claim set converters: issuer claim is converted to an URL object
- JwtIssuerValidator (created by JwtValidators.createDefaultWithIssuer(String)) wraps a JwtClaimValidator<String>
- because of different data types, equal() is always false

This change allows both Strings and URLs as values of the issuer

Closes gh-9136
This commit is contained in:
Christian Mouttet 2020-10-17 15:54:10 +02:00 committed by Josh Cummings
parent a362ab53bc
commit 6486857462
2 changed files with 25 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtIssuerValidator.java
View File

@ -16,6 +16,8 @@
package org.springframework.security.oauth2.jwt;
import java.util.function.Predicate;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.util.Assert;
@ -28,7 +30,7 @@ import org.springframework.util.Assert;
*/
public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
private final JwtClaimValidator<String> validator;
private final JwtClaimValidator<Object> validator;
/**
* Constructs a {@link JwtIssuerValidator} using the provided parameters
@ -36,7 +38,9 @@ public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
*/
public JwtIssuerValidator(String issuer) {
Assert.notNull(issuer, "issuer cannot be null");
this.validator = new JwtClaimValidator(JwtClaimNames.ISS, issuer::equals);
Predicate<Object> testClaimValue = (claimValue) -> (claimValue != null) && issuer.equals(claimValue.toString());
this.validator = new JwtClaimValidator<>(JwtClaimNames.ISS, testClaimValue);
}
@Override

19
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtIssuerValidatorTests.java
View File

@ -16,6 +16,9 @@
package org.springframework.security.oauth2.jwt;
import java.net.MalformedURLException;
import java.net.URL;
import org.junit.Test;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
@ -42,6 +45,13 @@ public class JwtIssuerValidatorTests {
// @formatter:on
}
@Test
public void validateWhenIssuerUrlMatchesThenReturnsSuccess() throws MalformedURLException {
Jwt jwt = TestJwts.jwt().claim("iss", new URL(ISSUER)).build();
assertThat(this.validator.validate(jwt)).isEqualTo(OAuth2TokenValidatorResult.success());
}
@Test
public void validateWhenIssuerMismatchesThenReturnsError() {
Jwt jwt = TestJwts.jwt().claim(JwtClaimNames.ISS, "https://other").build();
@ -49,6 +59,15 @@ public class JwtIssuerValidatorTests {
assertThat(result.getErrors()).isNotEmpty();
}
@Test
public void validateWhenIssuerUrlMismatchesThenReturnsError() throws MalformedURLException {
Jwt jwt = TestJwts.jwt().claim(JwtClaimNames.ISS, new URL("https://other")).build();
OAuth2TokenValidatorResult result = this.validator.validate(jwt);
assertThat(result.getErrors()).isNotEmpty();
}
@Test
public void validateWhenJwtHasNoIssuerThenReturnsError() {
Jwt jwt = TestJwts.jwt().claim(JwtClaimNames.AUD, "https://aud").build();