[ https://issues.apache.org/jira/browse/CXF-8686?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Oliver Wulff updated CXF-8686:
------------------------------
    Description:
The JwtTokenSecurityContext class expects a tokenized string for the role claim. If the JWT contains an array of strings to represent the roles, the role claim is incorrectly parsed.
The following line shows that it always first tokenizes the array:
[https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java#L48]
Here is a snippet of the sample JWT:

{
  "sub": "myid",
  "jti": "f42150ef-2743-4ca0-ae06-a23b307edaca",
  "iss": "STS INT",
  "roles": [
    "READ",
    "UPDATE"
  ],
  "iat": 1649079679,
  "nbf": 1649079679,
  "exp": 1649086879,
  "aud": [
    "urn:mycompany:application:foo"
  ]
}

I propose to improve this logic so that both roles in a tokenized string as well as a proper array list are properly parsed.

Here is a snippet of the debugger. The above example ends up with two roles "[READ" and " UPDATE]".

!image-2022-04-05-14-08-09-726.png!

  was:
The JwtTokenSecurityContext class expects a tokenized string for the role claim. If the JWT contains an array of strings to represent the roles, the role claim is incorrectly parsed.
The following line shows that it always first tokenizes the array:
[https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java#L48]
Here is a snippet of the sample JWT:

{
  "sub": "myid",
  "jti": "f42150ef-2743-4ca0-ae06-a23b307edaca",
  "iss": "STS INT",
  "roles": [
    "READ",
    "UPDATE"
  ],
  "iat": 1649079679,
  "nbf": 1649079679,
  "exp": 1649086879,
  "aud": [
    "urn:mycompany:application:foo"
  ]
}

I propose to improve this logic so that both roles in a tokenized string as well as a proper array list are properly parsed.
> JWT role claim incorrectly parsed if not tokenized as string
> ------------------------------------------------------------
>
>                 Key: CXF-8686
>                 URL: https://issues.apache.org/jira/browse/CXF-8686
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.4.6, 3.5.1
>            Reporter: Oliver Wulff
>            Priority: Major
>             Fix For: 3.5.2, 4.0.0
>
>         Attachments: image-2022-04-05-14-08-09-726.png
>
>
> The JwtTokenSecurityContext class expects a tokenized string for the role
> claim. If the JWT contains an array of strings to represent the roles, the
> role claim is incorrectly parsed.
> The following line shows that it always first tokenizes the array:
> [https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java#L48]
> Here is a snippet of the sample JWT:
>
> {
>   "sub": "myid",
>   "jti": "f42150ef-2743-4ca0-ae06-a23b307edaca",
>   "iss": "STS INT",
>   "roles": [
>     "READ",
>     "UPDATE"
>   ],
>   "iat": 1649079679,
>   "nbf": 1649079679,
>   "exp": 1649086879,
>   "aud": [
>     "urn:mycompany:application:foo"
>   ]
> }
>
> I propose to improve this logic so that both roles in a tokenized string as well
> as a proper array list are properly parsed.
>
> Here is a snippet of the debugger. The above example ends up with two roles
> "[READ" and " UPDATE]".
>
> !image-2022-04-05-14-08-09-726.png!

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
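The mechanism behind the "[READ" / " UPDATE]" roles reported above, reproduced as an added, stand-alone illustration (not CXF code and not the reporter's): a claim decoded from JSON as a List is stringified and split on ',', so the '[' and ']' of List.toString() and the separating space end up inside the role names and a role check for "READ" no longer matches. The helper names parseRolesNaively and parseRolesTypeAware are hypothetical; the second one shows the type-aware handling the ticket asks for, accepting either a JSON array or a comma-separated string.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added illustration, not CXF code: emulates the reported tokenization of a
// "roles" claim that the JSON parser has already decoded as a List.
public class RolesClaimParsing {

    // Mirrors the reported behaviour: the claim value is stringified and split on ','.
    // For a List this splits "[READ, UPDATE]" into "[READ" and " UPDATE]".
    static List<String> parseRolesNaively(Object rolesClaim) {
        List<String> roles = new ArrayList<>();
        if (rolesClaim != null) {
            for (String r : rolesClaim.toString().split(",")) {
                roles.add(r); // no trim, and no awareness of the List brackets
            }
        }
        return roles;
    }

    // Type-aware handling: a JSON array (List) or a comma-separated String.
    static List<String> parseRolesTypeAware(Object rolesClaim) {
        List<String> roles = new ArrayList<>();
        if (rolesClaim instanceof List) {
            for (Object o : (List<?>) rolesClaim) {
                String t = String.valueOf(o).trim();
                if (!t.isEmpty()) roles.add(t);
            }
        } else if (rolesClaim instanceof String) {
            for (String r : ((String) rolesClaim).split(",")) {
                String t = r.trim();
                if (!t.isEmpty()) roles.add(t);
            }
        }
        return Collections.unmodifiableList(roles);
    }

    public static void main(String[] args) {
        // Constructed claim values, as a JSON parser would decode the ticket's sample token
        // and as a tokenized-string variant of the same claim.
        Object rolesAsArray = Arrays.asList("READ", "UPDATE");
        Object rolesAsString = "READ,UPDATE";

        List<String> naive = parseRolesNaively(rolesAsArray);
        System.out.println("naive roles: " + naive + ", has READ: " + naive.contains("READ"));

        List<String> fromArray = parseRolesTypeAware(rolesAsArray);
        List<String> fromString = parseRolesTypeAware(rolesAsString);
        System.out.println("array: " + fromArray + ", has READ: " + fromArray.contains("READ"));
        System.out.println("string: " + fromString + ", has UPDATE: " + fromString.contains("UPDATE"));
    }
}
```

Run with `javac RolesClaimParsing.java && java RolesClaimParsing`; the naive variant is the one whose role membership check fails for a token that carries the roles as a JSON array, which is the authorization failure the ticket describes.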