Defaulting JWT settings to false

app/common/src/main/java/stirling/software/common/model/ApplicationProperties.java

@@ -379,7 +379,7 @@ public static class TempFileManagement {
         public String getBaseTmpDir() {
             return baseTmpDir != null && !baseTmpDir.isEmpty()
                     ? baseTmpDir
-                    : java.lang.System.getProperty("java.io.tmpdir") + "/stirling-pdf";
+                    : java.lang.System.getProperty("java.io.tmpdir") + "stirling-pdf";
         }
 
         @JsonIgnore

app/core/src/main/java/stirling/software/SPDF/controller/api/misc/ShowJavascript.java

@@ -1,9 +1,8 @@
 package stirling.software.SPDF.controller.api.misc;
 
-import io.github.pixee.security.Filenames;
-import io.swagger.v3.oas.annotations.Operation;
-import io.swagger.v3.oas.annotations.tags.Tag;
-import lombok.RequiredArgsConstructor;
+import java.nio.charset.StandardCharsets;
+import java.util.Map;
+
 import org.apache.pdfbox.pdmodel.PDDocument;
 import org.apache.pdfbox.pdmodel.common.PDNameTreeNode;
 import org.apache.pdfbox.pdmodel.interactive.action.PDActionJavaScript;
@@ -14,13 +13,17 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import org.springframework.web.multipart.MultipartFile;
+
+import io.github.pixee.security.Filenames;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
+
+import lombok.RequiredArgsConstructor;
+
 import stirling.software.common.model.api.PDFFile;
 import stirling.software.common.service.CustomPDFDocumentFactory;
 import stirling.software.common.util.WebResponseUtils;
 
-import java.nio.charset.StandardCharsets;
-import java.util.Map;
-
 @RestController
 @RequestMapping("/api/v1/misc")
 @Tag(name = "Misc", description = "Miscellaneous APIs")
@@ -55,22 +58,25 @@ public ResponseEntity<byte[]> extractHeader(@ModelAttribute PDFFile file) throws
 
                         if (jsCodeStr != null && !jsCodeStr.trim().isEmpty()) {
                             script.append("// File: ")
-                                .append(Filenames.toSimpleFileName(inputFile.getOriginalFilename()))
-                                .append(", Script: ")
-                                .append(name)
-                                .append("\n")
-                                .append(jsCodeStr)
-                                .append("\n");
+                                    .append(
+                                            Filenames.toSimpleFileName(
+                                                    inputFile.getOriginalFilename()))
+                                    .append(", Script: ")
+                                    .append(name)
+                                    .append("\n")
+                                    .append(jsCodeStr)
+                                    .append("\n");
                             foundScript = true;
                         }
                     }
                 }
             }
 
             if (!foundScript) {
-                script = new StringBuilder("PDF '")
-                    .append(Filenames.toSimpleFileName(inputFile.getOriginalFilename()))
-                    .append("' does not contain Javascript");
+                script =
+                        new StringBuilder("PDF '")
+                                .append(Filenames.toSimpleFileName(inputFile.getOriginalFilename()))
+                                .append("' does not contain Javascript");
             }
 
             return WebResponseUtils.bytesToWebResponse(

app/core/src/main/resources/settings.yml.template

@@ -60,9 +60,9 @@ security:
     privateKey: classpath:saml-private-key.key # Your private key. Generated from your keypair
     spCert: classpath:saml-public-cert.crt # Your signing certificate. Generated from your keypair
   jwt: # This feature is currently under development and not yet fully supported. Do not use in production.
-    persistence: true # Set to 'true' to enable JWT key store
-    enableKeyRotation: true # Set to 'true' to enable key pair rotation
-    enableKeyCleanup: true # Set to 'true' to enable key pair cleanup
+    persistence: false # Set to 'true' to enable JWT key store
+    enableKeyRotation: false # Set to 'true' to enable key pair rotation
+    enableKeyCleanup: false # Set to 'true' to enable key pair cleanup
     keyRetentionDays: 7 # Number of days to retain old keys. The default is 7 days.
     secureCookie: false # Set to 'true' to use secure cookies for JWTs
 

app/proprietary/src/main/java/stirling/software/proprietary/security/InitialSecuritySetup.java

@@ -5,6 +5,7 @@
 import java.util.Optional;
 import java.util.UUID;
 
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
 import jakarta.annotation.PostConstruct;
@@ -26,6 +27,9 @@
 @RequiredArgsConstructor
 public class InitialSecuritySetup {
 
+    @Value("${v2:false}")
+    private boolean v2Enabled = false;
+
     private final UserService userService;
     private final TeamService teamService;
     private final ApplicationProperties applicationProperties;
@@ -43,6 +47,7 @@ public void init() {
                 }
             }
 
+            configureJWTSettings();
             assignUsersToDefaultTeamIfMissing();
             initializeInternalApiUser();
         } catch (IllegalArgumentException | SQLException | UnsupportedProviderException e) {
@@ -51,6 +56,19 @@ public void init() {
         }
     }
 
+    private void configureJWTSettings() {
+        ApplicationProperties.Security.Jwt jwtProperties =
+                applicationProperties.getSecurity().getJwt();
+
+        if (!v2Enabled) {
+            log.debug("v2 is disabled - disabling all JWT features");
+            jwtProperties.setEnableKeystore(false);
+            jwtProperties.setEnableKeyRotation(false);
+            jwtProperties.setEnableKeyCleanup(false);
+            jwtProperties.setSecureCookie(false);
+        }
+    }
+
     private void assignUsersToDefaultTeamIfMissing() {
         Team defaultTeam = teamService.getOrCreateDefaultTeam();
         Team internalTeam = teamService.getOrCreateInternalTeam();

app/proprietary/src/main/java/stirling/software/proprietary/security/filter/JwtAuthenticationFilter.java

@@ -62,7 +62,7 @@ public JwtAuthenticationFilter(
     protected void doFilterInternal(
             HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
             throws ServletException, IOException {
-        if (!jwtService.isJwtEnabled()) {
+        if (!validateAndNormalizeJwtSettings() && !jwtService.isJwtEnabled()) {
             filterChain.doFilter(request, response);
             return;
         }
@@ -112,6 +112,36 @@ protected void doFilterInternal(
         filterChain.doFilter(request, response);
     }
 
+    private boolean validateAndNormalizeJwtSettings() {
+        ApplicationProperties.Security.Jwt jwtProperties = securityProperties.getJwt();
+
+        boolean enableKeystore = jwtProperties.isEnableKeystore();
+        boolean enableKeyRotation = jwtProperties.isEnableKeyRotation();
+        boolean enableKeyCleanup = jwtProperties.isEnableKeyCleanup();
+        boolean secureCookie = jwtProperties.isSecureCookie();
+
+        // If any JWT property is disabled, disable all JWT properties for consistency
+        if (!enableKeystore || !enableKeyRotation || !enableKeyCleanup || !secureCookie) {
+            log.debug(
+                    "One or more JWT properties are disabled - normalizing all JWT settings to false");
+            log.debug(
+                    "Current settings: keystore={}, rotation={}, cleanup={}, secureCookie={}",
+                    enableKeystore,
+                    enableKeyRotation,
+                    enableKeyCleanup,
+                    secureCookie);
+
+            jwtProperties.setEnableKeystore(false);
+            jwtProperties.setEnableKeyRotation(false);
+            jwtProperties.setEnableKeyCleanup(false);
+            jwtProperties.setSecureCookie(false);
+
+            return false;
+        }
+
+        return true;
+    }
+
     private boolean apiKeyExists(HttpServletRequest request, HttpServletResponse response)
             throws IOException, ServletException {
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

app/proprietary/src/main/java/stirling/software/proprietary/security/service/CustomUserDetailsService.java

@@ -75,8 +75,11 @@ public UserDetails loadUserByUsername(String username) throws UsernameNotFoundEx
      */
     private AuthenticationType determinePreferredSSOType() {
         // Check what SSO types are enabled and prefer in order: OAUTH2 > SAML2 > fallback to OAUTH2
-        boolean oauth2Enabled = securityProperties.getOauth2() != null && securityProperties.getOauth2().getEnabled();
-        boolean saml2Enabled = securityProperties.getSaml2() != null && securityProperties.getSaml2().getEnabled();
+        boolean oauth2Enabled =
+                securityProperties.getOauth2() != null
+                        && securityProperties.getOauth2().getEnabled();
+        boolean saml2Enabled =
+                securityProperties.getSaml2() != null && securityProperties.getSaml2().getEnabled();
 
         if (oauth2Enabled) {
             return AuthenticationType.OAUTH2;