From c70b65c5df0e170a2d34d812b83db0b7bc71ea25 Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Mon, 12 Nov 2018 22:00:02 -0700
Subject: [PATCH] Favor URL.toExternalForm
Converts URLs to Strings before comparing them. Uses toString(), which delegates to toExternalForm().
Fixes: gh-6073
---
 .../security/oauth2/jwt/JwtIssuerValidator.java | 7 ++++---
 .../oauth2/jwt/JwtIssuerValidatorTests.java | 16 +++++++++++++---
 2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtIssuerValidator.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtIssuerValidator.java
index 6abd9a49459..5558c272ac2 100644
--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtIssuerValidator.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtIssuerValidator.java
@@ -37,7 +37,7 @@ public final class JwtIssuerValidator implements OAuth2TokenValidator {
  "This iss claim is not equal to the configured issuer",
  "https://tools.ietf.org/html/rfc6750#section-3.1");
- private final URL issuer;
+ private final String issuer;
  /**
  * Constructs a {@link JwtIssuerValidator} using the provided parameters
@@ -48,7 +48,7 @@ public JwtIssuerValidator(String issuer) {
  Assert.notNull(issuer, "issuer cannot be null");
  try {
- this.issuer = new URL(issuer);
+ this.issuer = new URL(issuer).toString();
  } catch (MalformedURLException ex) {
  throw new IllegalArgumentException(
  "Invalid Issuer URL " + issuer + " : " + ex.getMessage(),
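Review bot: The constructor now stores `new URL(issuer).toString()` while `validate` compares that string with `String.equals` against the raw `iss` claim, so the match is exact and literal — a configured `https://issuer.example.com/` will not match a token whose `iss` is `https://issuer.example.com`, and since `URL.toString()` need not return the input verbatim (I believe the scheme, for instance, is lowercased), the stored value can also differ from what was configured. Neither the constructor Javadoc visible in the previous hunk nor the error description says so; I would extend the constructor Javadoc with `Note that the issuer is compared with the token's {@code iss} claim as an exact, case-sensitive string (after being passed through {@link URL#toString()}), so a trailing slash or a difference in scheme or host case is a mismatch.` If the reason for moving away from `URL.equals` is that it resolves host names, as its own Javadoc states, recording that in the same Javadoc would keep a future change from reintroducing URL comparison. The constructor's body continues beyond the hunk. The test hunk in `JwtIssuerValidatorTests` covers only the missing-`iss` case; a test where the claim differs from the configured issuer only by a trailing slash would pin the new string semantics.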
@@ -63,7 +63,8 @@ public JwtIssuerValidator(String issuer) {
  public OAuth2TokenValidatorResult validate(Jwt token) {
  Assert.notNull(token, "token cannot be null");
- if (this.issuer.equals(token.getIssuer())) {
+ String tokenIssuer = token.getClaimAsString(JwtClaimNames.ISS);
+ if (this.issuer.equals(tokenIssuer)) {
  return OAuth2TokenValidatorResult.success();
  } else {
  return OAuth2TokenValidatorResult.failure(INVALID_ISSUER);
diff --git a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtIssuerValidatorTests.java b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtIssuerValidatorTests.java
index 7a01da149e2..5839f74d3b3 100644
--- a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtIssuerValidatorTests.java
+++ b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtIssuerValidatorTests.java
@@ -23,9 +23,6 @@
  import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
  import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
- import org.springframework.security.oauth2.jwt.Jwt;
- import org.springframework.security.oauth2.jwt.JwtClaimNames;
- import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
  import static org.assertj.core.api.Assertions.assertThat;
  import static org.assertj.core.api.Assertions.assertThatCode;
@@ -72,6 +69,19 @@ public void validateWhenIssuerMismatchesThenReturnsError() {
  assertThat(result.getErrors()).isNotEmpty();
  }
+ @Test
+ public void validateWhenJwtHasNoIssuerThenReturnsError() {
+ Jwt jwt = new Jwt(
+ MOCK_TOKEN,
+ MOCK_ISSUED_AT,
+ MOCK_EXPIRES_AT,
+ MOCK_HEADERS,
+ Collections.singletonMap(JwtClaimNames.AUD, "https://aud"));
+ OAuth2TokenValidatorResult result = this.validator.validate(jwt);
+ assertThat(result.getErrors()).isNotEmpty();
+ }
+ @Test + public void validateWhenJwtIsNullThenThrowsIllegalArgumentException() { assertThatCode(() -> this.validator.validate(null))
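Review bot: The rejection of a token with no `iss` claim in `validate` is implicit: `getClaimAsString` presumably returns null for an absent claim and `this.issuer.equals(null)` is false, which is what the new `validateWhenJwtHasNoIssuerThenReturnsError` test relies on. Nothing in the code says that this operand order is load-bearing, so a later tidy-up that flips it to `tokenIssuer.equals(this.issuer)` would turn a missing claim into a NullPointerException instead of a validation failure. I would add above the `if`: `// a missing iss claim yields null here; keep the configured issuer on the left so the comparison fails closed rather than throwing`. The method's closing brace lies outside the hunk.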