Jan Bernhardt created CXF-9033:
----------------------------------
Summary: getSignatureAlgorithm ignores alg value set within JWS header
Key: CXF-9033
URL: https://issues.apache.org/jira/browse/CXF-9033
Project: CXF
Issue Type: Bug
Components: JAX-RS Security
Affects Versions: 4.0.4, 3.6.3, 3.5.8
Reporter: Jan Bernhardt
Assignee: Colm O hEigeartaigh
The `getSignatureAlgorithm` method from the
[JwsUtils|https://github.com/apache/cxf/blob/cxf-3.6.3/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java]
ignores any value set within the "alg" JWS header; instead, the code looks for a
static JAX-RS property (rs.security.signature.algorithm) or tries to detect the
algorithm based on the selected alias in a keystore file. This makes it more
complicated to configure a CXF provider and limits the token validation to a
single specified algorithm. Using the header value instead would avoid such
additional configuration properties and make the solution more dynamic.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
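The trade-off the issue touches on is worth seeing in code: a verifier that pins one algorithm (the current rs.security.signature.algorithm style) versus one that reads "alg" from the JWS header. Reading the header is only safe when the value is checked against an allowlist and against the key type before any signature is computed, otherwise an attacker who edits the header can select "none" or swap algorithm families. The following is an added, self-contained example written for this page, not CXF code and not the reporter's proposal; it uses only the Python standard library and restricts itself to the HMAC family so it runs offline. Every name in it (HMAC_ALGS, DEMO_KEY, sign_compact, verify_compact, rewrite_header_alg, outcome) is hypothetical, and DEMO_KEY is a constructed secret rather than a keystore entry.

```python
import base64
import hashlib
import hmac
import json

# Algorithms this verifier is able to run, mapped to the digest RFC 7518 section 3.2
# assigns them. Which of these a deployment *accepts* is a separate allowlist.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# Constructed demo key; a real deployment would load this from its keystore.
DEMO_KEY = b"constructed-demo-secret-at-least-32-bytes!"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_compact(payload: dict, key: bytes, alg: str) -> str:
    """Build a compact JWS (header.payload.signature) with the given HMAC alg."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    tag = hmac.new(key, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return f"{signing_input}.{_b64url_encode(tag)}"


def verify_compact(token: str, key: bytes, allowed_algs: set) -> dict:
    """Verify a compact JWS, taking the algorithm from its own header.

    The header value is honoured only when it is in the caller's allowlist and
    is an HMAC algorithm usable with the symmetric key; "none" and anything else
    is refused before the signature is computed, so rewriting the header cannot
    downgrade the check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, body_b64, tag_b64 = parts
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} not in allowlist {sorted(allowed_algs)}")
    if alg not in HMAC_ALGS:
        raise ValueError(f"alg {alg!r} cannot be verified with a symmetric key")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(tag_b64)):
        raise ValueError("signature verification failed")
    return json.loads(_b64url_decode(body_b64))


def rewrite_header_alg(token: str, new_alg: str) -> str:
    """Attacker step: change the header's alg and keep the rest of the token
    (for "none", also drop the signature, as a naive verifier would expect)."""
    header_b64, body_b64, tag_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    header["alg"] = new_alg
    header_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return f"{header_b64}.{body_b64}.{'' if new_alg == 'none' else tag_b64}"


def outcome(token: str, key: bytes, allowed_algs: set) -> str:
    """Return 'accepted' or 'rejected: <reason>' so two policies can be compared."""
    try:
        verify_compact(token, key, allowed_algs)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    hs256 = sign_compact({"sub": "alice"}, DEMO_KEY, "HS256")
    hs512 = sign_compact({"sub": "alice"}, DEMO_KEY, "HS512")
    pinned, dynamic = {"HS256"}, {"HS256", "HS512"}
    print("HS256 token, pinned policy:    ", outcome(hs256, DEMO_KEY, pinned))
    print("HS512 token, pinned policy:    ", outcome(hs512, DEMO_KEY, pinned))
    print("HS512 token, allowlist policy: ", outcome(hs512, DEMO_KEY, dynamic))
    print("header rewritten to none:      ", outcome(rewrite_header_alg(hs256, "none"), DEMO_KEY, dynamic | {"none"}))
    print("header rewritten to HS512:     ", outcome(rewrite_header_alg(hs256, "HS512"), DEMO_KEY, dynamic))
```

The pinned policy rejects a valid HS512 token purely because of configuration, which is the inconvenience the issue describes; the allowlist policy accepts it while still refusing a header rewritten to "none" (even when "none" is mistakenly listed, because it is not a key-backed algorithm) and a header rewritten to another HMAC variant (the signature no longer matches). Extending this to RSA or EC keys would add a second check that the header's family matches the loaded key's type, which is the alg-confusion case a dynamic CXF implementation would also need to cover.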