Enable internal checking of JWT signature
This property controls whether the agent checks the JWT signature itself before it calls AM to validate the entire JWT. The agent does not need to check the signature, because AM validates it in any case.
When this property is set to false (the default), the agent only checks that a signature is present, that the public key ID (kid) is valid and that the algorithm is supported, before invoking AM to perform the signature check.
Setting this property to true can help mitigate DoS attacks in which an attacker overwhelms a site with requests carrying well-formed JWTs that reference valid public key IDs but have invalid signatures. Without internal checking, each such JWT is passed to AM for validation, increasing network traffic. With internal signature checking enabled, such requests are rejected by the agent immediately, before they reach AM.
Expect a drop in performance when internal signature checking is enabled. The cost is limited, however, because JWTs are parsed only when first seen, not on every request that presents the same JWT.
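The following example, added here and not part of the agent's own code, models the two behaviours described above: the default pre-check (signature present, known kid, supported alg) followed by a round trip to AM, versus the internal signature check that rejects a forged signature locally. It also shows the first-seen cache. The key set, the HS256 signing (a stand-in for the RS256 public keys the real agent resolves through AM), the `Agent` class and the `am_calls` counter are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed key set: kid -> HMAC secret. The real agent resolves kids against
# AM's public keys; HS256 is used here only so the example runs with the
# standard library. This is an assumption, not the agent's own code.
KEYS = {"kid-1": b"constructed-secret-1"}
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def make_jwt(claims: dict, kid: str, secret: bytes) -> str:
    """Build a constructed HS256 JWT carrying the given kid (test data only)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = _sign(f"{h}.{p}".encode("ascii"), secret)
    return f"{h}.{p}.{_b64url_encode(sig)}"


def signature_valid(token: str) -> bool:
    """Verify the signature against the key selected by the header's kid."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    expected = _sign(f"{h}.{p}".encode("ascii"), KEYS[header["kid"]])
    try:
        return hmac.compare_digest(expected, _b64url_decode(s))
    except ValueError:          # signature segment is not valid base64url
        return False


def precheck(token: str, internal_signature_check: bool):
    """Agent-side checks. Returns None if the JWT may go to AM, else a reason."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return "missing signature"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:          # covers binascii.Error and JSONDecodeError
        return "unparseable header"
    if not isinstance(header, dict):
        return "unparseable header"
    if header.get("alg") not in ALLOWED_ALGS:
        return "unsupported alg"
    if header.get("kid") not in KEYS:
        return "unknown kid"
    if internal_signature_check and not signature_valid(token):
        return "bad signature"
    return None


class Agent:
    """Toy model of the agent's JWT handling (constructed for this example)."""

    def __init__(self, internal_signature_check: bool):
        self.internal_signature_check = internal_signature_check
        self.am_calls = 0        # round trips to AM: the cost a DoS would inflate
        self.cache = {}          # JWTs are parsed/validated only when first seen

    def _am_validate(self, token: str) -> bool:
        self.am_calls += 1
        return signature_valid(token)      # AM always checks the signature

    def handle(self, token: str) -> str:
        if token in self.cache:
            return self.cache[token]
        reason = precheck(token, self.internal_signature_check)
        if reason is not None:
            result = f"rejected locally: {reason}"
        elif self._am_validate(token):
            result = "accepted"
        else:
            result = "rejected by AM: bad signature"
        self.cache[token] = result
        return result


if __name__ == "__main__":
    good = make_jwt({"sub": "alice"}, "kid-1", KEYS["kid-1"])
    forged = good.rsplit(".", 1)[0] + ".AAAA"   # valid kid, garbage signature
    for flag in (False, True):
        agent = Agent(internal_signature_check=flag)
        print(flag, agent.handle(forged), "AM calls:", agent.am_calls)
```

Note that the cache only helps with repeated JWTs; an attacker sending a fresh forged token on every request defeats it, which is why the local signature check is what removes the extra AM round trip.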
| Property name | |
| --- | --- |
| Aliases | |
| Function | Authentication service |
| Type | Boolean |
| Default | false |
| Bootstrap property | Yes |
| Required property | No |
| Restart required | Yes - Restart the container after changing the property |
| Local configuration file | |