[ https://issues.apache.org/jira/browse/CXF-9033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17871564#comment-17871564 ]
Jan Bernhardt commented on CXF-9033:
------------------------------------

Hi [~coheigea], your linked article is convincing. Setting the expected algorithm on the receiver side seems to be the most secure way. It is less convenient, but convenience and security usually don't match in most cases anyway.

The JWS spec expects us to handle the alg header as it "MUST be understood and processed by implementations." [https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.1]

But the spec also warns us about the risks with a freely definable alg header: [https://datatracker.ietf.org/doc/html/rfc7515#section-10.7]

So in the end, the solution (as it is now) seems like a good choice. Even though a whitelist of allowed algorithms should also be a safe option, providing more flexibility.

> getSignatureAlgorithm ignores alg value set within JWS header
> -------------------------------------------------------------
>
> Key: CXF-9033
> URL: https://issues.apache.org/jira/browse/CXF-9033
> Project: CXF
> Issue Type: Improvement
> Components: JAX-RS Security
> Affects Versions: 3.5.8, 3.6.3, 4.0.4
> Reporter: Jan Bernhardt
> Assignee: Colm O hEigeartaigh
> Priority: Major
>
> The `getSignatureAlgorithm` method from the
> [JwsUtils|https://github.com/apache/cxf/blob/cxf-3.6.3/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java]
> ignores any value set within the "alg" JWS header; instead the code looks for
> a static JAX-RS property (rs.security.signature.algorithm) or tries to detect
> the algorithm based on the selected alias in a keystore file. This makes it
> more complicated to configure a CXF provider and limits the token validation
> to a single specified algorithm. Using the header value instead would avoid
> such additional configuration properties and make the solution more dynamic.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
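A receiver-side check along the lines the comment describes, added here as an illustration (it is not CXF code and does not use JwsUtils): the verifier still reads the alg header, but only honours it when it is in the set configured for the key, so a one-element set pins the algorithm and a larger set is the whitelist variant. Only HMAC algorithms and the Python standard library are used, and every key and token value is constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Algorithms this receiver implements at all (HMAC family only, to stay
# self-contained with the standard library). Constructed for the example.
SUPPORTED_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def sign_hs(payload: bytes, key: bytes, alg: str) -> str:
    """Build a compact JWS with an HMAC alg; only used to produce test input."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(payload)
    mac = hmac.new(key, f"{header}.{body}".encode("ascii"), SUPPORTED_ALGS[alg]).digest()
    return f"{header}.{body}.{_b64url_encode(mac)}"


def verify_jws(token: str, key: bytes, allowed_algs: frozenset) -> bytes:
    """Verify a compact JWS against a receiver-side algorithm policy.

    'alg' is read from the protected header (it MUST be understood, RFC 7515
    s4.1.1) but is only honoured if it is in allowed_algs, the set configured
    for this key. A one-element set pins the algorithm, as the comment above
    recommends; a larger set is the whitelist alternative. A token whose alg
    is outside the policy is rejected before any MAC is computed, so the header
    alone can never select the verification algorithm (RFC 7515 s10.7).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    alg = json.loads(_b64url_decode(parts[0])).get("alg")
    if alg not in allowed_algs or alg not in SUPPORTED_ALGS:
        raise ValueError(f"alg {alg!r} not permitted for this key")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(key, signing_input, SUPPORTED_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("signature verification failed")
    return _b64url_decode(parts[1])
```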