Java Agents 2024.11

Enable internal checking of JWT signature

This property controls whether the agent checks the JWT signature before it calls AM to validate the entire JWT. It isn’t necessary for the agent to check the signature, as AM will validate it.

When this property is set to false (default), the agent checks for the presence of a signature, a valid public key ID and algorithm before AM is invoked to perform the signature checking.

Setting this property to true can help mitigate DoS attacks where an attacker overwhelms a site with requests using valid JWTs containing invalid public key IDs. An attack like this would increase network traffic as the agent would pass each JWT to AM for validation. With internal signature checking enabled, such requests would immediately be rejected (before reaching AM).

Expect a drop in performance when internal signature checking is enabled. The cost is limited, however, because JWTs are parsed only when first seen, not on every request that presents the same JWT.
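The two-stage check described above, as an added illustration that is not the agent's own code: a pre-check that mirrors the default behaviour (signature present, known key ID, allowed algorithm, then hand off to AM) and the stricter path that verifies the signature locally so forged tokens are dropped before AM is contacted. It is a simplified model: it uses HS256 with a constructed local key map (`KNOWN_KEYS`) in place of the agent's public-key lookup, and `make_jwt`, `precheck`, `parse_count` and the `_decision_cache` are names invented here. The cache shows the "parsed only when first seen" behaviour.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed demo values. The real agent resolves the JWT's public key ID
# against key material obtained from AM; here a local HS256 key map stands in.
ALLOWED_ALGS = {"HS256"}
KNOWN_KEYS: Dict[str, bytes] = {"demo-kid-1": b"constructed-demo-secret"}

# Decisions are cached per (token, mode) so a JWT is parsed (and, if enabled,
# its signature verified) only when first seen, not on every request carrying it.
_decision_cache: Dict[Tuple[str, bool], Tuple[bool, str]] = {}
_stats = {"parsed": 0}


def parse_count() -> int:
    """Number of tokens actually parsed so far (cache misses)."""
    return _stats["parsed"]


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_jwt(header: dict, payload: dict, key: bytes) -> str:
    """Build an HS256 JWT; constructed helper used only to produce sample tokens."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def precheck(token: str, internal_check_enabled: bool) -> Tuple[bool, str]:
    """Decide whether a JWT is worth forwarding to AM.

    Returns (forward_to_am, reason). With internal_check_enabled=False the
    token is forwarded as long as it carries a signature, a known key ID and an
    allowed algorithm; AM performs the cryptographic check. With it enabled,
    the signature is verified locally first, so forged tokens never reach AM.
    """
    cache_key = (token, internal_check_enabled)
    if cache_key in _decision_cache:
        return _decision_cache[cache_key]
    _stats["parsed"] += 1
    decision = _evaluate(token, internal_check_enabled)
    _decision_cache[cache_key] = decision
    return decision


def _evaluate(token: str, internal_check_enabled: bool) -> Tuple[bool, str]:
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return False, "missing signature"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return False, "malformed header"
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        return False, "unsupported alg"
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in KNOWN_KEYS:
        return False, "unknown kid"
    if internal_check_enabled:
        signing_input = f"{parts[0]}.{parts[1]}".encode()
        expected = hmac.new(KNOWN_KEYS[kid], signing_input, hashlib.sha256).digest()
        try:
            presented = _b64url_decode(parts[2])
        except ValueError:
            return False, "bad signature"
        if not hmac.compare_digest(expected, presented):
            return False, "bad signature"
    return True, "forward to AM"
```

The interesting case is a token with a known key ID but a forged signature: under the default mode it is forwarded and costs an AM round trip, while with the internal check enabled it is rejected at the agent, which is exactly the traffic the property is meant to cut off.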

Property name

org.forgerock.agents.internal.check.jwt.signature.enabled

Aliases

org.forgerock.agents.internal.check.jwt.signature.enabled (introduced in Java Agent 2024.11)

Function

Authentication service

Type

Boolean: true returns true; all other strings return false.

Default

false

Bootstrap property

Yes

Required property

No

Restart required

Yes - Restart the container after changing the property

Local configuration file

AgentBootstrap.properties