This is an automated email from the ASF dual-hosted git repository.
dblevins pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomee.git
The following commit(s) were added to refs/heads/main by this push:
new e2dec101e7 TOMEE-3948 Reject signed JWTs when decryption key is
configured
e2dec101e7 is described below
commit e2dec101e7a38629e9bfb8d70b9568ca6d18d8aa
Author: David Blevins <[email protected]>
AuthorDate: Fri Sep 9 20:17:25 2022 -0700
TOMEE-3948 Reject signed JWTs when decryption key is configured
---
.../src/main/java/org/apache/tomee/microprofile/jwt/MPJWTFilter.java | 3 +++
1 file changed, 3 insertions(+)
diff --git
a/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/MPJWTFilter.java
b/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/MPJWTFilter.java
index 23b086f3e0..da951b974c 100644
--- a/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/MPJWTFilter.java
+++ b/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/MPJWTFilter.java
@@ -415,11 +415,14 @@ public class MPJWTFilter implements Filter {
if (authContextInfo.getDecryptKeys().size() == 1) {
final Key decryptionKey =
authContextInfo.getDecryptKeys().values().iterator().next();
builder.setDecryptionKey(decryptionKey);
+ builder.setEnableRequireEncryption();
} else if (authContextInfo.getDecryptKeys().size() > 1) {
builder.setDecryptionKeyResolver(new
JwksDecryptionKeyResolver(asJwks(authContextInfo.getDecryptKeys())));
+ builder.setEnableRequireEncryption();
}
+
final JwtConsumer jwtConsumer = builder.build();
final JwtContext jwtContext = jwtConsumer.process(token);
final String type =
jwtContext.getJoseObjects().get(0).getHeader("typ");
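Review bot: The new `setEnableRequireEncryption()` calls make the consumer reject plain JWS tokens, but nothing in this hunk constrains which JWE key-management algorithms are accepted, so unless `setJweAlgorithmConstraints` is applied elsewhere in this method (it starts and ends outside the hunk) the decryption path takes whatever jose4j permits by default, which in releases contemporary with this commit appears to include `RSA1_5`, whose PKCS#1 v1.5 padding is a known decryption-oracle risk. Consider adding `builder.setJweAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, "RSA-OAEP", "RSA-OAEP-256"));` next to the new calls, narrowing to the algorithms the deployment actually issues. The two added `builder.setEnableRequireEncryption();` lines are identical in both branches and could be hoisted into a single `if (!authContextInfo.getDecryptKeys().isEmpty()) { builder.setEnableRequireEncryption(); }` ahead of the key-selection `if`/`else`, which also keeps the requirement in force if another resolver branch is added later. The diffstat shows only `MPJWTFilter.java` changed, so a regression test that submits a signed-but-unencrypted token with a decryption key configured and asserts rejection would pin this behavior.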