[ https://issues.apache.org/jira/browse/JAMES-3423?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
René Cordier closed JAMES-3423.
-------------------------------
Resolution: Done
> WebAdmin should have its own JWT public key
> -------------------------------------------
>
> Key: JAMES-3423
> URL: https://issues.apache.org/jira/browse/JAMES-3423
> Project: James Server
> Issue Type: Improvement
> Components: webadmin
> Reporter: Benoit Tellier
> Priority: Major
> Labels: security
> Fix For: 3.6.0
>
>
> Today, webadmin relies on JWT configuration for the JMAP protocol.
> This brings concerns, as the tenants are distinct (users vs admins), and the
> token issuers are likely distinct.
> The compromise of a webmail service would today easily grant access to the
> webadmin APIs.
> As such it is desirable to be able to specify distinct keys for both
> protocols.
> In order to avoid breaking changes, if the webadmin JWT public key is
> unspecified, we should fall back to the JMAP one.