Favor URL.toExternalForm

jzheaux · jzheaux · commit c70b65c5df0e · 2018-11-13T08:20:18.000-07:00
Converts URLs to Strings before comparing them. Uses toString(), which delegates to toExternalForm(). Fixes: gh-6073
diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtIssuerValidator.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtIssuerValidator.java
@@ -37,7 +37,7 @@ public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
 					"This iss claim is not equal to the configured issuer",
 					"https://tools.ietf.org/html/rfc6750#section-3.1");
 
-	private final URL issuer;
+	private final String issuer;
 
 	/**
 	 * Constructs a {@link JwtIssuerValidator} using the provided parameters
@@ -48,7 +48,7 @@ public JwtIssuerValidator(String issuer) {
 		Assert.notNull(issuer, "issuer cannot be null");
 
 		try {
-			this.issuer = new URL(issuer);
+			this.issuer = new URL(issuer).toString();
 		} catch (MalformedURLException ex) {
 			throw new IllegalArgumentException(
 					"Invalid Issuer URL " + issuer + " : " + ex.getMessage(),
@@ -63,7 +63,8 @@ public JwtIssuerValidator(String issuer) {
 	public OAuth2TokenValidatorResult validate(Jwt token) {
 		Assert.notNull(token, "token cannot be null");
 
-		if (this.issuer.equals(token.getIssuer())) {
+		String tokenIssuer = token.getClaimAsString(JwtClaimNames.ISS);
+		if (this.issuer.equals(tokenIssuer)) {
 			return OAuth2TokenValidatorResult.success();
 		} else {
 			return OAuth2TokenValidatorResult.failure(INVALID_ISSUER);
diff --git a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtIssuerValidatorTests.java b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtIssuerValidatorTests.java
@@ -23,9 +23,6 @@
 
 import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
 import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
-import org.springframework.security.oauth2.jwt.Jwt;
-import org.springframework.security.oauth2.jwt.JwtClaimNames;
-import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatCode;
@@ -72,6 +69,19 @@ public void validateWhenIssuerMismatchesThenReturnsError() {
 		assertThat(result.getErrors()).isNotEmpty();
 	}
 
+	@Test
+	public void validateWhenJwtHasNoIssuerThenReturnsError() {
+		Jwt jwt = new Jwt(
+				MOCK_TOKEN,
+				MOCK_ISSUED_AT,
+				MOCK_EXPIRES_AT,
+				MOCK_HEADERS,
+				Collections.singletonMap(JwtClaimNames.AUD, "https://aud"));
+
+		OAuth2TokenValidatorResult result = this.validator.validate(jwt);
+		assertThat(result.getErrors()).isNotEmpty();
+	}
+
 	@Test
 	public void validateWhenJwtIsNullThenThrowsIllegalArgumentException() {
 		assertThatCode(() -> this.validator.validate(null))
