[ https://issues.apache.org/jira/browse/CXF-9033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Bernhardt updated CXF-9033:
-------------------------------
    Issue Type: Improvement  (was: Bug)

> getSignatureAlgorithm ignores alg value set within JWS header
> -------------------------------------------------------------
>
>                 Key: CXF-9033
>                 URL: https://issues.apache.org/jira/browse/CXF-9033
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 3.5.8, 3.6.3, 4.0.4
>            Reporter: Jan Bernhardt
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> The `getSignatureAlgorithm` method from the
> [JwsUtils|https://github.com/apache/cxf/blob/cxf-3.6.3/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java]
> ignores any value set within the "alg" JWS header; instead, the code looks for
> a static JAX-RS property (rs.security.signature.algorithm) or tries to detect
> the algorithm based on the selected alias in a keystore file. This makes it
> more complicated to configure a CXF provider and limits the token validation
> to a single specified algorithm. Using the header value instead would avoid
> such additional configuration properties and make the solution more dynamic.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
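A worked illustration, added here and not code from the CXF project: a minimal compact-JWS verifier that takes the algorithm from the token's "alg" header as the issue proposes, while still constraining it to a configured allow-list (the role the static rs.security.signature.algorithm property plays today). The HMAC algorithm table, the key and the tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example (not CXF code): the verifier reads "alg" from the JWS
# header but only honours values the deployment has explicitly allowed, so a
# token cannot choose its own algorithm (e.g. "none" or an unconfigured one).
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hmac(payload: bytes, key: bytes, alg: str) -> str:
    """Build a compact JWS (header.payload.signature) with an HMAC algorithm."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(payload)
    mac = hmac.new(key, f"{header}.{body}".encode("ascii"), HMAC_ALGS[alg]).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"


def verify_jws(token: str, key: bytes, allowed_algs):
    """Return the decoded payload, or None when the token must be rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
    except ValueError:  # bad base64url, bad JSON or bad UTF-8
        return None
    if not isinstance(header, dict):
        return None
    alg = header.get("alg")
    # The header selects the algorithm, but only from the configured allow-list.
    if alg not in allowed_algs or alg not in HMAC_ALGS:
        return None
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(key, signing_input, HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(b64url_decode(parts[1]))
```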