This is an automated email from the ASF dual-hosted git repository. dblevins pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomee.git
The following commit(s) were added to refs/heads/main by this push: new e2dec101e7 TOMEE-3948 Reject signed JWTs when decryption key is configured e2dec101e7 is described below commit e2dec101e7a38629e9bfb8d70b9568ca6d18d8aa Author: David Blevins <dblev...@tomitribe.com> AuthorDate: Fri Sep 9 20:17:25 2022 -0700 TOMEE-3948 Reject signed JWTs when decryption key is configured --- .../src/main/java/org/apache/tomee/microprofile/jwt/MPJWTFilter.java | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/MPJWTFilter.java b/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/MPJWTFilter.java
index 23b086f3e0..da951b974c 100644
--- a/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/MPJWTFilter.java
+++ b/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/MPJWTFilter.java
@@ -415,11 +415,14 @@ public class MPJWTFilter implements Filter {
 if (authContextInfo.getDecryptKeys().size() == 1) {
 final Key decryptionKey = authContextInfo.getDecryptKeys().values().iterator().next();
 builder.setDecryptionKey(decryptionKey);
+ builder.setEnableRequireEncryption();
 } else if (authContextInfo.getDecryptKeys().size() > 1) {
 builder.setDecryptionKeyResolver(new JwksDecryptionKeyResolver(asJwks(authContextInfo.getDecryptKeys())));
+ builder.setEnableRequireEncryption();
 }
+
 final JwtConsumer jwtConsumer = builder.build();
 final JwtContext jwtContext = jwtConsumer.process(token);
 final String type = jwtContext.getJoseObjects().get(0).getHeader("typ");