Posted to commits@tomee.apache.org by db...@apache.org on 2022/09/10 03:18:02 UTC
[tomee] branch main updated: TOMEE-3948 Reject signed JWTs when decryption key is configured
This is an automated email from the ASF dual-hosted git repository.
dblevins pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomee.git
The following commit(s) were added to refs/heads/main by this push:
new e2dec101e7 TOMEE-3948 Reject signed JWTs when decryption key is configured
e2dec101e7 is described below
commit e2dec101e7a38629e9bfb8d70b9568ca6d18d8aa
Author: David Blevins <db...@tomitribe.com>
AuthorDate: Fri Sep 9 20:17:25 2022 -0700
TOMEE-3948 Reject signed JWTs when decryption key is configured
---
.../src/main/java/org/apache/tomee/microprofile/jwt/MPJWTFilter.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/MPJWTFilter.java b/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/MPJWTFilter.java
index 23b086f3e0..da951b974c 100644
--- a/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/MPJWTFilter.java
+++ b/mp-jwt/src/main/java/org/apache/tomee/microprofile/jwt/MPJWTFilter.java
@@ -415,11 +415,14 @@ public class MPJWTFilter implements Filter {
if (authContextInfo.getDecryptKeys().size() == 1) {
final Key decryptionKey = authContextInfo.getDecryptKeys().values().iterator().next();
builder.setDecryptionKey(decryptionKey);
+ builder.setEnableRequireEncryption();
} else if (authContextInfo.getDecryptKeys().size() > 1) {
builder.setDecryptionKeyResolver(new JwksDecryptionKeyResolver(asJwks(authContextInfo.getDecryptKeys())));
+ builder.setEnableRequireEncryption();
}
+
final JwtConsumer jwtConsumer = builder.build();
final JwtContext jwtContext = jwtConsumer.process(token);
final String type = jwtContext.getJoseObjects().get(0).getHeader("typ");
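Review bot: The require-encryption flag is set separately in the `size() == 1` and `size() > 1` branches, so a later branch that supplies decryption keys another way could omit it and signed-only tokens would be accepted again; a single `if (!authContextInfo.getDecryptKeys().isEmpty()) builder.setEnableRequireEncryption();` after the chain would tie the policy to "any decryption key configured" rather than to each branch. The diffstat lists only MPJWTFilter.java, so nothing in this commit pins the new behaviour; a test that presents a signed-only JWS while a decryption key is configured and expects rejection would guard against regression. A short comment such as `// decryption key configured: token must be a JWE, a signed-only JWS is rejected` would record why the flag is there. The enclosing method starts and ends outside this hunk, and deployments that configured a key but still accepted signed-only tokens will presumably see those tokens rejected after this change, which is worth a release note.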