…bypass

- Validate the 'tid' (tenant ID) claim in JWT tokens against the configured tenant
- Only accept tokens from the configured tenant if tenant ID is specified
- Maintains backward compatibility by skipping validation when tenant is not configured
- Fixes the authentication bypass vulnerability in UserPrincipalManager

Changes:
1. UserPrincipalManager.java:
   - Added tenant ID claim validation in getValidator() method
   - Extract configured tenant ID from AadAuthenticationProperties
   - Reject tokens where tid doesn't match configured tenant
   - Added debug logging for successful tenant validation
   - Added org.springframework.util.StringUtils import

2. UserPrincipalManagerTests.java:
   - Added 4 new unit tests for tenant ID validation:
     * tenantIdValidationSucceedsWhenMatchingConfiguredTenant()
     * tenantIdValidationFailsWhenMismatchedTenant()
     * tenantIdValidationSkippedWhenNoTenantConfigured()
     * tenantIdValidationSkippedWhenTenantPropertyIsEmpty()
   - Added reflection helper methods for testing private methods
   - All 9 tests pass successfully (5 original + 4 new)

Add entry for the cross-tenant authentication bypass fix in AAD authentication filters to the 7.4.0-beta.1 release notes.

- Skip tenant ID validation for multi-tenant values (common, organizations, consumers)
- Normalize tenant IDs to lowercase for case-insensitive comparison
- Fix test helper method to properly accept and use JWSAlgorithm parameter
- Update tests to reflect actual Spring behavior (default 'common' for unconfigured tenant)
- Use 'organizations' instead of empty string for multi-tenant test scenario

These changes ensure:
1. Multi-tenant applications (using common/organizations/consumers endpoints) still work
2. Tenant ID comparison is case-insensitive and normalized
3. Tests accurately reflect real-world Spring configuration defaults
4. Code is cleaner and follows best practices

- Use Locale.ROOT for security-sensitive tenant ID normalization (prevents locale-dependent behavior)
- Change direct String cast to Object cast with toString() to safely handle non-String tid claims
- Rename test method from tenantIdValidationSkippedWhenTenantPropertyIsEmpty() to tenantIdValidationSkippedWhenOrganizationsConfigured() for clarity
- Maintains consistency with AadResourceServerConfiguration#getTrimmedTenantId patterns
- Improves robustness against malicious tokens with unexpected claim types

…h rule

- Reformatted normalizedTokenTid initialization to split the ternary operator across multiple lines
- Ensures line 236 stays under 120 characters as enforced by Checkstyle
- All 9 tests pass, BUILD SUCCESS

…n of final fields

- Added UserPrincipalManager(JWKSource, AadAuthenticationProperties) package-private constructor
- Updated tenant ID validation tests to use the new constructor instead of reflection
- Removed setAadAuthenticationProperties() helper method that modified private final fields
- Tests now avoid brittle reflection and are cleaner
- All 9 tests pass, BUILD SUCCESS

- Make AadJwtClaimsVerifier package-private and final (internal implementation detail)
- Extract issuer validation logic into AadIssuerValidator utility class to prevent duplication
- Update UserPrincipalManager to use AadIssuerValidator instead of local isAadIssuer method
- Add unit test tenantIdValidationSkippedWhenConsumersConfigured to cover 'consumers' multi-tenant value
- Remove duplicate issuer prefix constants from UserPrincipalManager

These changes improve code reusability, reduce duplication in security validation logic, and ensure consistent issuer validation across the package.

- Handle null/empty audience list gracefully with BadJWTException instead of NPE
- Remove trailing whitespace from blank lines in test file

…y test comments

… reflection in tests

Tests now directly instantiate AadJwtClaimsVerifier (same package), eliminating
the need for the package-private UserPrincipalManager constructor and the
reflection-based getValidator() helper.