certificate verification issues when get the public keys used to verify JWT.

[KANIXB]

Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector on Java language(Our main concern is the secure implementation and use of Json Web Token). We found your great public repository (i.e., practical-microservices-architectural-patternsfrom Github, and a security issue detected by our detector are shown in the following. The specific security issues we found are as follows:
(1) Location: Package: com.acme.ecom.order.history.security; Class:** JwtConfiguration.class**
Security issue: not verify the public key certificate used to validate JWT signature.

We detected that the** JwtAccessTokenConverter** method get public key from the certificate without any verification. An attacker may use the private key corresponding to a revoked or expired or self-signed public key certificate to forge a JWT. We recommend to verify the validity of certificates and certificate chains to improve system security.

We wish the above security issues cloud truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forwart to your reply. Thanks.

[jspetrak]

@KANIXB You know that this is a book example that tends to be simplified in order to capture the explained topic, not cover every corner case?