[ https://issues.apache.org/jira/browse/CXF-9033?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Bernhardt closed CXF-9033.
------------------------------
Resolution: Won't Fix
> getSignatureAlgorithm ignores alg value set within JWS header
> -------------------------------------------------------------
>
> Key: CXF-9033
> URL: https://issues.apache.org/jira/browse/CXF-9033
> Project: CXF
> Issue Type: Improvement
> Components: JAX-RS Security
> Affects Versions: 3.5.8, 3.6.3, 4.0.4
> Reporter: Jan Bernhardt
> Assignee: Colm O hEigeartaigh
> Priority: Major
>
> The `getSignatureAlgorithm` method from the
> [JwsUtils|https://github.com/apache/cxf/blob/cxf-3.6.3/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java]
> ignores any value set within the "alg" JWS header; instead the code looks for
> a static JAX-RS property (rs.security.signature.algorithm) or tries to detect
> the algorithm based on the selected alias in a keystore file. This makes it
> more complicated to configure a CXF provider and limits the token validation
> to a single specified algorithm. Using the header value instead would avoid
> such additional configuration properties and make the solution more dynamic.
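The behaviour the reporter describes, a verifier that pins the signature algorithm through server-side configuration and only compares the JWS header's `alg` against it, is also the reason a maintainer would decline to switch to header-driven selection: the header is part of the untrusted token, so letting it choose the algorithm lets the token's author choose how it is verified. The following is an added example, written in Python rather than Java and not code from the CXF issue, from `JwsUtils` or from the CXF project; it implements HMAC-based JWS (RFC 7515 compact serialization) with Python's standard library. `EXPECTED_ALG` stands in for the role of the `rs.security.signature.algorithm` property named in the issue, `SHARED_KEY` is a constructed sample value, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical server-side configuration. EXPECTED_ALG plays the role that the
# rs.security.signature.algorithm property plays in the CXF issue: the verifier
# decides which algorithm is acceptable; the token header does not.
EXPECTED_ALG = "HS256"
SHARED_KEY = b"constructed-demo-key-not-for-real-use"  # constructed sample key

_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_compact(payload: dict, alg: str, key: bytes) -> str:
    """Produce a JWS compact serialization (header.payload.signature) with an HMAC alg."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode("ascii"), _DIGESTS[alg]).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_compact(token: str, expected_alg: str, key: bytes) -> dict:
    """Verify a compact JWS against a pinned algorithm and return the payload.

    Raises ValueError on any structural, algorithm or signature problem.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact serialization")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The header is attacker-controlled input. It is compared against the
    # configured algorithm and never used to *select* the algorithm, so a
    # header that says "none", a different HMAC size, or any other value
    # is rejected before a single byte of signature is examined.
    if header.get("alg") != expected_alg:
        raise ValueError(
            f"alg mismatch: header says {header.get('alg')!r}, expected {expected_alg!r}"
        )
    digest = _DIGESTS[expected_alg]
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), digest).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(payload_b64))


def is_valid(token: str, expected_alg: str, key: bytes) -> bool:
    """Boolean convenience wrapper around verify_compact."""
    try:
        verify_compact(token, expected_alg, key)
        return True
    except (ValueError, KeyError, json.JSONDecodeError):
        return False


def replace_header_alg(token: str, alg: str, keep_signature: bool = True) -> str:
    """Negative test vector: rewrite only the header's alg, keep or drop the signature.

    Used here solely to exercise the verifier's rejection path.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    header["alg"] = alg
    new_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return f"{new_header}.{payload_b64}.{sig_b64 if keep_signature else ''}"


if __name__ == "__main__":
    token = sign_compact({"sub": "alice"}, EXPECTED_ALG, SHARED_KEY)
    print("valid token:", is_valid(token, EXPECTED_ALG, SHARED_KEY))
    print("header alg rewritten to none:",
          is_valid(replace_header_alg(token, "none", keep_signature=False), EXPECTED_ALG, SHARED_KEY))
    print("signed with HS384 by the same key:",
          is_valid(sign_compact({"sub": "alice"}, "HS384", SHARED_KEY), EXPECTED_ALG, SHARED_KEY))
```

The HS384 case is the one the reporter calls a limitation: a token legitimately signed with a different algorithm is rejected because the verifier accepts exactly one. That rigidity is the property that keeps the "none" and mismatched-algorithm cases out; if more than one algorithm must be accepted, the safe generalization is a configured allow-list the header is checked against, not a header that is trusted.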
--
This message was sent by Atlassian Jira (v8.20.10#820010)