[ 
https://issues.apache.org/jira/browse/CXF-9033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17871039#comment-17871039
 ] 

Jan Bernhardt edited comment on CXF-9033 at 8/5/24 12:01 PM:
-------------------------------------------------------------

Hi [~coheigea], of course allowing the {{NONE}} algorithm needs to be disabled by 
default, but it could be enabled if needed (for whatever reason). There should be 
a blacklisting option to also reject SHA1-signed tokens, etc.

But in general the signer of a message decides which algorithm to use, not the 
receiver. Making this hard-coded on the CXF service provider does not give much 
flexibility to the token provider. If the token provider decides to sign tokens 
with a better hash algorithm, all token consumers need to be updated at the same 
moment. Also, in the case of a federation where the service trusts tokens from 
multiple token providers, this could not be supported in the current setup, as 
both providers could use different signing algorithms.

Also, when I look at the SOAP / SAML use case, the signature algorithm used is 
defined within the message/token, not on the CXF provider.


was (Author: jan4talend):
Hi [~coheigea], of course allowing the {{NONE}} algorithm needs to be disabled by 
default, but it could be enabled if needed (for whatever reason). There should be 
a blacklisting option to also reject SHA1-signed tokens, etc.

But in general the signer of a message decides which algorithm to use, not the 
receiver. Making this hard-coded on the CXF service provider does not give much 
flexibility to the token provider. If the token provider decides to sign tokens 
with a better hash algorithm, all token consumers need to be updated at the same 
moment. 

Also, when I look at the SOAP / SAML use case, the signature algorithm used is 
defined within the message/token, not on the CXF provider.

> getSignatureAlgorithm ignores alg value set within JWS header
> -------------------------------------------------------------
>
>                 Key: CXF-9033
>                 URL: https://issues.apache.org/jira/browse/CXF-9033
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 3.5.8, 3.6.3, 4.0.4
>            Reporter: Jan Bernhardt
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>
> The `getSignatureAlgorithm` method from the 
> [JwsUtils|https://github.com/apache/cxf/blob/cxf-3.6.3/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java]
>  ignores any value set within the "alg" JWS header; instead the code looks for 
> a static JAX-RS property (rs.security.signature.algorithm) or tries to detect 
> the algorithm based on the selected alias in a keystore file. This makes it 
> more complicated to configure a CXF provider and limits the token validation 
> to a single specified algorithm. Using the header value instead would avoid 
> such additional configuration properties and make the solution more dynamic.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
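The position argued in this thread, as an added example that is not code from Apache CXF or from the commenters: a JWS verifier in Python that reads `alg` from the token header, as the issue requests, but subjects it to a receiver-side policy, as the comment requires. `none` is refused unless explicitly enabled, a blacklist can reject individual algorithms, and each trusted token provider (identified by `kid`) has its own key and its own permitted algorithm set, so two providers signing with different algorithms are both accepted by one consumer while a header naming an algorithm the policy does not permit for that provider is rejected. Only the HMAC algorithms are implemented so the block runs on the standard library; the keys, `kid` values, claims and tokens are constructed for the example and are assumptions, not anything from the issue.

```python
"""JWS verification that reads "alg" from the token header but checks it against a
receiver-side policy.  Added example for this thread, not Apache CXF code; HMAC
algorithms only so it runs on the standard library.  Keys, kids and tokens are constructed."""
import base64
import hashlib
import hmac
import json

# RFC 7518 HMAC algorithm names mapped to their digest functions.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # restore stripped padding

def sign(header: dict, payload: dict, key: bytes) -> str:
    """Signer side: the signer chooses "alg" and records it in the protected header."""
    signing_input = ".".join(b64url_encode(json.dumps(x).encode()) for x in (header, payload))
    if header["alg"] == "none":
        sig = b""  # unsecured JWS (RFC 7518 section 3.6): empty signature
    else:
        sig = hmac.new(key, signing_input.encode(), HMAC_ALGS[header["alg"]]).digest()
    return signing_input + "." + b64url_encode(sig)

class JwsRejected(Exception):
    """Token failed the receiver's policy or its signature check."""

class JwsVerifier:
    """Receiver side: per-kid keys and permitted algorithms; the header's alg must be on that list."""

    def __init__(self, trusted: dict, allow_none: bool = False, denied_algs=()):
        self.trusted = trusted               # kid -> {"key": bytes, "algs": set of alg names}
        self.allow_none = allow_none         # "none" is refused unless explicitly enabled
        self.denied_algs = set(denied_algs)  # global blacklist, checked before anything else

    def verify(self, token: str) -> dict:
        try:
            h_b64, p_b64, s_b64 = token.split(".")
            header, sig = json.loads(b64url_decode(h_b64)), b64url_decode(s_b64)
        except (ValueError, UnicodeDecodeError) as exc:
            raise JwsRejected(f"malformed token: {exc}")
        alg = header.get("alg") if isinstance(header, dict) else None
        if not isinstance(alg, str):
            raise JwsRejected("missing alg header")
        if alg in self.denied_algs:
            raise JwsRejected(f"alg {alg} is blacklisted")
        if alg == "none":
            if not self.allow_none:
                raise JwsRejected("unsecured JWS (alg none) is disabled")
            if sig != b"":
                raise JwsRejected("alg none with a non-empty signature")
            return json.loads(b64url_decode(p_b64))
        entry = self.trusted.get(header.get("kid"))
        if entry is None:
            raise JwsRejected("unknown kid")
        if alg not in entry["algs"]:
            raise JwsRejected(f"alg {alg} not permitted for kid {header['kid']}")
        if alg not in HMAC_ALGS:
            raise JwsRejected(f"unsupported alg {alg}")
        expected = hmac.new(entry["key"], f"{h_b64}.{p_b64}".encode(), HMAC_ALGS[alg]).digest()
        if not hmac.compare_digest(expected, sig):
            raise JwsRejected("signature mismatch")
        return json.loads(b64url_decode(p_b64))

# Constructed federation: two token providers, each trusted with its own key and algorithm set.
KEY_A, KEY_B = b"provider-A-shared-secret", b"provider-B-shared-secret"
TRUSTED = {"idp-a": {"key": KEY_A, "algs": {"HS256", "HS384", "HS512"}},
           "idp-b": {"key": KEY_B, "algs": {"HS512"}}}

def demo() -> dict:
    """Run the policy over constructed tokens; returns case name -> outcome."""
    v = JwsVerifier(TRUSTED)
    claims_a, claims_b = {"sub": "alice", "iss": "idp-a"}, {"sub": "bob", "iss": "idp-b"}
    tok_a = sign({"alg": "HS256", "kid": "idp-a"}, claims_a, KEY_A)
    tok_b = sign({"alg": "HS512", "kid": "idp-b"}, claims_b, KEY_B)
    h, _, s = tok_a.split(".")
    forged = h + "." + b64url_encode(json.dumps({"sub": "mallory", "iss": "idp-a"}).encode()) + "." + s
    none_tok = sign({"alg": "none", "kid": "idp-a"}, claims_a, b"")
    cases = {
        "idp_a_hs256": (v, tok_a),                  # provider A's algorithm choice
        "idp_b_hs512": (v, tok_b),                  # provider B's different choice, same consumer
        "none": (v, none_tok),                      # default policy refuses alg none
        "none_when_enabled": (JwsVerifier(TRUSTED, allow_none=True), none_tok),
        "downgrade_b": (v, sign({"alg": "HS256", "kid": "idp-b"}, claims_b, KEY_B)),
        "tampered": (v, forged),                    # payload swapped, signature kept
        "unknown_kid": (v, sign({"alg": "HS256", "kid": "evil"}, claims_a, KEY_A)),
        "hs256_blacklisted": (JwsVerifier(TRUSTED, denied_algs={"HS256"}), tok_a),
    }
    results = {}
    for name, (verifier, tok) in cases.items():
        try:
            results[name] = "accepted sub=" + verifier.verify(tok)["sub"]
        except JwsRejected as exc:
            results[name] = f"rejected: {exc}"
    return results
```

Calling `demo()` shows both providers' tokens accepted under one consumer configuration while the `none`, downgraded, forged, unknown-kid and blacklisted cases are refused. The design point is the order of checks: the header is consulted only to select among algorithms the receiver has already agreed to for that key, so the token can never talk the verifier into a weaker or disabled mode. With asymmetric algorithms the same per-key allow-list is what prevents an RSA public key from being reused as an HMAC secret.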