Generated with Java JJWT signature fails at jwt.io debugger

淺唱寂寞╮ submitted on 2019-12-18 07:00:01

Question


I am using the jjwt Java library for server-side generation of JWTs in servlets. The code snippet below, straight from the jjwt GitHub page https://github.com/jwtk/jjwt, generates and prints out this token.

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJKb2UifQ.XIKER3owR8BS3Krhsksg9INh9VBSejdn_qN-ONtPans

    String compactJws = Jwts.builder()
        .setSubject("Joe")
        .signWith(SignatureAlgorithm.HS256, "secret")
        .compact();
    PrintWriter out = response.getWriter();
    out.println(compactJws);

However, when I try to verify this token on jwt.io's debugger, it fails the signature check. Both checking and unchecking "secret base64 encoded" didn't work.

Am I using the library wrongly?


Answer 1:


Try with secr and check the base64 option :)

It is due to .signWith(SignatureAlgorithm.HS256, "secret"). It is implemented by the DefaultJwtBuilder class:

public JwtBuilder signWith(SignatureAlgorithm alg, String base64EncodedSecretKey) 

This method assumes that you are providing a key in base64, and secret is not base64. When the method decodes from base64 to byte[], the Java converter used by jjwt provides a representation of the string secr, which is different to the JavaScript decoder used at jwt.io.

You can test yourself with

System.out.println(
                javax.xml.bind.DatatypeConverter.printBase64Binary(
                        javax.xml.bind.DatatypeConverter.parseBase64Binary("secret")));
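
The key-handling mismatch described in this answer can be checked offline. The script below is an added example, not code from the original post or from jjwt: it derives the byte strings that the string "secret" can become as an HMAC key and reports which of them verify a given HS256 token. The labels and function names are made up for illustration; `base64-truncated` models the behaviour the answer attributes to the Java converter, and `base64-padded` is an assumed alternative decoder that keeps the trailing `et`.

```python
import base64
import binascii
import hashlib
import hmac

# Token and secret string exactly as printed in the question above.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJKb2UifQ."
              "XIKER3owR8BS3Krhsksg9INh9VBSejdn_qN-ONtPans")
SECRET = "secret"


def candidate_keys(secret):
    """Byte strings one secret string can become as an HMAC key (labels are illustrative)."""
    keys = {"raw-utf8": secret.encode("utf-8")}
    # Decoder that drops an incomplete trailing 4-character group ("secret" -> "secr").
    keys["base64-truncated"] = base64.b64decode(secret[: len(secret) // 4 * 4])
    try:
        # Assumed alternative: decoder that pads and keeps the partial group.
        keys["base64-padded"] = base64.b64decode(secret + "=" * (-len(secret) % 4))
    except binascii.Error:
        pass  # a single leftover character cannot be decoded at all
    return keys


def sign_hs256(signing_input, key):
    """base64url(HMAC-SHA256(key, header.payload)) without padding, as in a compact JWS."""
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def matching_keys(token, secret):
    """Labels of the key interpretations under which the token's signature verifies."""
    signing_input, _, signature = token.rpartition(".")
    return [label for label, key in candidate_keys(secret).items()
            if hmac.compare_digest(sign_hs256(signing_input, key), signature)]


if __name__ == "__main__":
    for label, key in candidate_keys(SECRET).items():
        print(f"{label:17} {len(key)} bytes  {key.hex()}")
    print("token from the question verifies with:", matching_keys(PAGE_TOKEN, SECRET))
```

Under the truncating interpretation the effective HS256 key is only three bytes long, so the mismatch is a key-strength problem as well as an interoperability one.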


Source: https://stackoverflow.com/questions/38263680/generated-with-java-jjwt-signature-fails-at-jwt-io-debugger
