[ https://issues.apache.org/jira/browse/JAMES-3423?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

René Cordier closed JAMES-3423.
-------------------------------
    Resolution: Done

> WebAdmin should have its own JWT public key
> --------------------------------------------
>
>                 Key: JAMES-3423
>                 URL: https://issues.apache.org/jira/browse/JAMES-3423
>             Project: James Server
>          Issue Type: Improvement
>          Components: webadmin
>            Reporter: Benoit Tellier
>            Priority: Major
>              Labels: security
>             Fix For: 3.6.0
>
>
> Today, webadmin relies on JWT configuration for the JMAP protocol.
> This brings concerns, as the tenants are distinct (users vs admins), and the 
> token issuers are likely distinct.
> The compromise of a webmail service would today easily grant access to the 
> webadmin APIs.
> As such it is desirable to be able to specify distinct keys for both 
> protocols.
> In order to avoid breaking changes, if the webadmin JWT public key is 
> unspecified, we should fall back to the JMAP one.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
