
Favor URL.toExternalForm

Converts URLs to Strings before comparing them. Uses toString(),
which delegates to toExternalForm().

Fixes: gh-6073
Josh Cummings hace 6 años
padre
commit
c70b65c5df

+ 4 - 3
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtIssuerValidator.java

@@ -37,7 +37,7 @@ public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
 					"This iss claim is not equal to the configured issuer",
 					"https://tools.ietf.org/html/rfc6750#section-3.1");
 
-	private final URL issuer;
+	private final String issuer;
 
 	/**
 	 * Constructs a {@link JwtIssuerValidator} using the provided parameters
@@ -48,7 +48,7 @@ public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
 		Assert.notNull(issuer, "issuer cannot be null");
 
 		try {
-			this.issuer = new URL(issuer);
+			this.issuer = new URL(issuer).toString();
 		} catch (MalformedURLException ex) {
 			throw new IllegalArgumentException(
 					"Invalid Issuer URL " + issuer + " : " + ex.getMessage(),
@@ -63,7 +63,8 @@ public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
 	public OAuth2TokenValidatorResult validate(Jwt token) {
 		Assert.notNull(token, "token cannot be null");
 
-		if (this.issuer.equals(token.getIssuer())) {
+		String tokenIssuer = token.getClaimAsString(JwtClaimNames.ISS);
+		if (this.issuer.equals(tokenIssuer)) {
 			return OAuth2TokenValidatorResult.success();
 		} else {
 			return OAuth2TokenValidatorResult.failure(INVALID_ISSUER);
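Review bot: The comparison in the third hunk is asymmetric: the configured issuer is round-tripped through `new URL(issuer).toString()` in the second hunk (which, for instance, lowercases the scheme), while the token's `iss` is compared verbatim, so a claim that is byte-identical to the configured string can still fail whenever that string is not already in URL's external form. RFC 7519 defines `iss` as a StringOrURI compared as a case-sensitive string, so it seems safer to keep the configured value as given and use the URL constructor only as a syntax check: `new URL(issuer); this.issuer = issuer;`. Whichever form is kept, the field in the first hunk deserves a why-comment, e.g. `// Held as a String: iss is compared as a case-sensitive string (RFC 7519 §2), and URL.equals() resolves host names`. The missing-claim case is handled, since `this.issuer.equals(null)` is false and the new test covers it. Both the constructor and `validate` continue outside their hunks.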

+ 13 - 3
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtIssuerValidatorTests.java

@@ -23,9 +23,6 @@ import org.junit.Test;
 
 import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
 import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
-import org.springframework.security.oauth2.jwt.Jwt;
-import org.springframework.security.oauth2.jwt.JwtClaimNames;
-import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatCode;
@@ -72,6 +69,19 @@ public class JwtIssuerValidatorTests {
 		assertThat(result.getErrors()).isNotEmpty();
 	}
 
+	@Test
+	public void validateWhenJwtHasNoIssuerThenReturnsError() {
+		Jwt jwt = new Jwt(
+				MOCK_TOKEN,
+				MOCK_ISSUED_AT,
+				MOCK_EXPIRES_AT,
+				MOCK_HEADERS,
+				Collections.singletonMap(JwtClaimNames.AUD, "https://aud"));
+
+		OAuth2TokenValidatorResult result = this.validator.validate(jwt);
+		assertThat(result.getErrors()).isNotEmpty();
+	}
+
 	@Test
 	public void validateWhenJwtIsNullThenThrowsIllegalArgumentException() {
 		assertThatCode(() -> this.validator.validate(null))