[
https://issues.apache.org/jira/browse/CXF-9033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17865568#comment-17865568
]
Markus Haugsdal commented on CXF-9033:
--------------------------------------
[~jan4talend] we have had a similar case where we wanted to disable some
algorithms (sha1). I believe using the alg header would be trivial but the
current solution might be by design.
> getSignatureAlgorithm ignores alg value set within JWS header
> -------------------------------------------------------------
>
> Key: CXF-9033
> URL: https://issues.apache.org/jira/browse/CXF-9033
> Project: CXF
> Issue Type: Improvement
> Components: JAX-RS Security
> Affects Versions: 3.5.8, 3.6.3, 4.0.4
> Reporter: Jan Bernhardt
> Assignee: Colm O hEigeartaigh
> Priority: Major
>
> The `getSignatureAlgorithm` method from the
> [JwsUtils|https://github.com/apache/cxf/blob/cxf-3.6.3/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java]
> ignores any value set within the "alg" JWS header; instead the code looks for
> a static JAX-RS property (rs.security.signature.algorithm) or tries to detect
> the algorithm based on the selected alias in a keystore file. This makes it
> more complicated to configure a CXF provider and limits the token validation
> to a single specified algorithm. Using the header value instead would avoid
> such additional configuration properties and make the solution more dynamic.
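The following is an added example, not CXF's code and not part of the Jira thread: a minimal compact-JWS (RFC 7515) HMAC verifier showing the pattern the comment above hints at as "by design". The untrusted "alg" header is read, but it is only allowed to select among algorithms the verifier was configured for (the role CXF's rs.security.signature.algorithm property plays), it can never introduce one, and "none" is refused regardless of configuration. The HMAC-only scope, the key, the claims and the `JwsRejected` exception are assumptions chosen so the block runs on the standard library; an RSA or EC verifier would place the same allowlist check before touching any key material.

```python
import base64
import hashlib
import hmac
import json

# Added example, not CXF code: a compact-JWS HMAC verifier whose "alg" header is
# honoured only after an allowlist check. HMAC-only so it runs offline.
HMAC_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hmac(payload: dict, key: bytes, alg: str) -> str:
    """Produce a compact JWS (header.payload.signature) with an HMAC algorithm."""
    signing_input = _encode_part({"alg": alg, "typ": "JWT"}) + "." + _encode_part(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), HMAC_DIGESTS[alg]).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_unsigned(payload: dict) -> str:
    """Attacker-style token: alg 'none' and an empty signature (RFC 7518 section 3.6)."""
    return _encode_part({"alg": "none", "typ": "JWT"}) + "." + _encode_part(payload) + "."


class JwsRejected(Exception):
    pass


def verify_jws(token: str, key: bytes, allowed_algs: frozenset) -> dict:
    """Verify a compact JWS; the header 'alg' is used only if it is in allowed_algs.

    allowed_algs is the verifier's configuration (like rs.security.signature.algorithm,
    except that several algorithms may be listed). "none" is never accepted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise JwsRejected("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise JwsRejected("unparseable header") from exc
    alg = header.get("alg")
    # The decisive check: the untrusted header may select among configured
    # algorithms but can never introduce one, and "none" is refused outright.
    if alg == "none" or alg not in allowed_algs:
        raise JwsRejected(f"algorithm {alg!r} not permitted by verifier configuration")
    if alg not in HMAC_DIGESTS:
        raise JwsRejected(f"algorithm {alg!r} is allowed but not implemented here")
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, HMAC_DIGESTS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise JwsRejected("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def demo() -> dict:
    """Exercise the verifier with a good token and two malicious ones."""
    key = b"constructed-demo-key-do-not-reuse"  # constructed sample secret
    claims = {"sub": "alice", "role": "user"}  # constructed sample claims
    results = {"good": verify_jws(sign_hmac(claims, key, "HS256"), key, frozenset({"HS256"}))}

    # 1. 'alg: none' with an empty signature fails even if the configuration
    #    (mistakenly) lists "none" as allowed.
    try:
        verify_jws(forge_unsigned({"sub": "alice", "role": "admin"}), key, frozenset({"HS256", "none"}))
        results["none"] = "accepted"
    except JwsRejected:
        results["none"] = "rejected"

    # 2. A correctly signed HS512 token is rejected by a verifier pinned to HS256.
    #    A verifier that simply trusted the header would have accepted it.
    try:
        verify_jws(sign_hmac(claims, key, "HS512"), key, frozenset({"HS256"}))
        results["wrong_alg"] = "accepted"
    except JwsRejected:
        results["wrong_alg"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the allowlist is that reading "alg" from the header is harmless only when the set of acceptable values is fixed by the verifier rather than by the token; reading it without such a set is what the classic "alg: none" and key-confusion attacks exploit.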