
Colm O hEigeartaigh commented on CXF-8686:

LGTM. If you can create a PR soon we will get it into 3.5.2, otherwise it will 
be deferred to a later release.

> JWT role claim incorrectly parsed if not tokenized as string
> ------------------------------------------------------------
>                 Key: CXF-8686
>                 URL: https://issues.apache.org/jira/browse/CXF-8686
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.4.6, 3.5.1
>            Reporter: Oliver Wulff
>            Priority: Major
>             Fix For: 3.5.2, 4.0.0
>         Attachments: image-2022-04-05-14-08-09-726.png
> The JwtTokenSecurityContext class expects a tokenized string for the role 
> claim. If the JWT contains an array of strings to represent the roles the 
> role claim is incorrectly parsed.
> The following line shows that it always first tokenizes the array:
> [https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose-jaxrs/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwtTokenSecurityContext.java#L48]
> Here is a snippet of the sample JWT:
> {
>   "sub": "myid",
>   "jti": "f42150ef-2743-4ca0-ae06-a23b307edaca",
>   "iss": "STS INT",
>   "roles": [
>     "READ",
>     "UPDATE"
>   ],
>   "iat": 1649079679,
>   "nbf": 1649079679,
>   "exp": 1649086879,
>   "aud": [
>     "urn:mycompany:application:foo"
>   ]
> }
> I propose to improve this logic so that both roles in a tokenized string as 
> well as a proper array list are properly parsed.
> Here is a snippet of the debugger. The above example ends up with two roles 
> "[READ" and " UPDATE]".
> !image-2022-04-05-14-08-09-726.png!
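Added illustration of the bug described above, written for this page and not taken from CXF: a standalone Java class that puts the tokenize-only behaviour the issue reports beside the proposed logic that accepts both a delimited string and a JSON array. The `StringTokenizer`-on-comma split and the method names are assumptions, not CXF's actual implementation.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.StringTokenizer;

public final class RoleClaimParsing {
    // Behaviour the issue reports: the claim value is always tokenized as a
    // string, so a JSON array arrives as List.toString(), i.e. "[READ, UPDATE]",
    // and splits into "[READ" and " UPDATE]" (assumed comma tokenizing).
    static List<String> parseRolesTokenizeOnly(Object roleClaim) {
        List<String> roles = new ArrayList<>();
        if (roleClaim != null) {
            StringTokenizer st = new StringTokenizer(roleClaim.toString(), ",");
            while (st.hasMoreTokens()) {
                roles.add(st.nextToken());
            }
        }
        return roles;
    }

    // Logic the issue proposes: accept a JSON array (List) as well as a
    // delimited string; trim so "READ, UPDATE" and ["READ","UPDATE"] agree.
    static List<String> parseRoles(Object roleClaim) {
        List<String> roles = new ArrayList<>();
        if (roleClaim instanceof List) {
            for (Object role : (List<?>) roleClaim) {
                if (role != null) {
                    roles.add(role.toString().trim());
                }
            }
        } else if (roleClaim != null) {
            for (String token : roleClaim.toString().split(",")) {
                if (!token.trim().isEmpty()) {
                    roles.add(token.trim());
                }
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed claim values mirroring the "roles" claim in the issue.
        for (Object claim : new Object[] {Arrays.asList("READ", "UPDATE"), "READ,UPDATE"}) {
            System.out.println("tokenize-only: " + parseRolesTokenizeOnly(claim)
                    + "  contains READ? " + parseRolesTokenizeOnly(claim).contains("READ"));
            System.out.println("both forms   : " + parseRoles(claim)
                    + "  contains READ? " + parseRoles(claim).contains("READ"));
        }
    }
}
```

With the array-valued claim the tokenize-only version never yields a role equal to "READ", so a role check against that token denies access that the JWT actually granted; the two-form version returns the same roles for both claim encodings.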

This message was sent by Atlassian Jira
