root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Favor URL.toExternalForm 

Converts URLs to Strings before comparing them. Uses toString(),
which delegates to toExternalForm().

Fixes: gh-6073
This commit is contained in:
Josh Cummings 2018-11-12 22:00:02 -07:00
parent a32d19ec7d
commit c70b65c5df
No known key found for this signature in database
GPG Key ID: 49EF60DD7FF83443
2 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtIssuerValidator.java
View File

@ -37,7 +37,7 @@ public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
"This iss claim is not equal to the configured issuer",
"https://tools.ietf.org/html/rfc6750#section-3.1");
private final URL issuer;
private final String issuer;
/**
* Constructs a {@link JwtIssuerValidator} using the provided parameters
@ -48,7 +48,7 @@ public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
Assert.notNull(issuer, "issuer cannot be null");
try {
this.issuer = new URL(issuer);
this.issuer = new URL(issuer).toString();
} catch (MalformedURLException ex) {
throw new IllegalArgumentException(
"Invalid Issuer URL " + issuer + " : " + ex.getMessage(),
@ -63,7 +63,8 @@ public final class JwtIssuerValidator implements OAuth2TokenValidator<Jwt> {
public OAuth2TokenValidatorResult validate(Jwt token) {
Assert.notNull(token, "token cannot be null");
if (this.issuer.equals(token.getIssuer())) {
String tokenIssuer = token.getClaimAsString(JwtClaimNames.ISS);
if (this.issuer.equals(tokenIssuer)) {
return OAuth2TokenValidatorResult.success();
} else {
return OAuth2TokenValidatorResult.failure(INVALID_ISSUER);

16
oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtIssuerValidatorTests.java
View File

@ -23,9 +23,6 @@ import org.junit.Test;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatCode;
@ -72,6 +69,19 @@ public class JwtIssuerValidatorTests {
assertThat(result.getErrors()).isNotEmpty();
}
@Test
public void validateWhenJwtHasNoIssuerThenReturnsError() {
Jwt jwt = new Jwt(
MOCK_TOKEN,
MOCK_ISSUED_AT,
MOCK_EXPIRES_AT,
MOCK_HEADERS,
Collections.singletonMap(JwtClaimNames.AUD, "https://aud"));
OAuth2TokenValidatorResult result = this.validator.validate(jwt);
assertThat(result.getErrors()).isNotEmpty();
}
@Test
public void validateWhenJwtIsNullThenThrowsIllegalArgumentException() {
assertThatCode(() -> this.validator.validate(null))