
I am facing an issue: whenever I sign a token and then parse it, it is not throwing any signature exception.

You can see that the keys are different, but it is still giving me the proper response.

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SignatureException;

public class JwtUtil {

    public String parseToken(String token) {
        try {
            // Verifies with "Test@12", not the "Test@123" used in generateToken()
            Jws<Claims> jwt = Jwts.parser()
                    .setSigningKey("Test@12")
                    .parseClaimsJws(token);

            System.out.println(jwt.getBody().getSubject());
            return "Valid";

        } catch (SignatureException jwtException) {
            jwtException.printStackTrace();
            return null;
        }
    }

    public String generateToken() {
        Claims claim = Jwts.claims();
        claim.put("GivenName", "Johnny");
        claim.put("Surname", "Rocket");
        claim.put("Email", "jrocket@example.com");

        // Signs with "Test@123"; parseToken() uses a different string
        return Jwts.builder().setHeaderParam("typ", "JWT").setClaims(claim)
                .setIssuer("Online JWT Builder")
                .setAudience("www.example.com").setSubject("jrocket@example.com")
                .signWith(SignatureAlgorithm.HS256, "Test@123").compact();
    }

    public static void main(String[] args) {
        JwtUtil jwtUtil = new JwtUtil();
        String token = jwtUtil.generateToken();
        System.out.println(token);

        JwtUtil jwtUtil1 = new JwtUtil();
        jwtUtil1.parseToken(token);
    }
}
  • Can you post the console output? Also try removing `setHeaderParam("typ", "JWT")` and see if it makes any difference. – qwertz Aug 07 '16 at 12:22
  • Output : eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJHaXZlbk5hbWUiOiJKb2hubnkiLCJTdXJuYW1lIjoiUm9ja2V0IiwiRW1haWwiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiaXNzIjoiT25saW5lIEpXVCBCdWlsZGVyIiwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSJ9.6rMHAdhvNyfe0Mqc6dgZ96QqEKzp4iEU3dle7eSIHMo I have also tried removing the header but was getting the same result – ashishl Aug 08 '16 at 01:48

1 Answer

Really, Test@12 and Test@123 are the same key.

It is due to JwtBuilder.signWith(SignatureAlgorithm alg, String base64EncodedSecretKey), which assumes that you are providing a key in base64, and your keys are not base64. When the method decodes from base64 to byte[], the Java converter used by jjwt provides a representation of the string. Test@12 and Test@123 are encoded with the byte array.

See https://stackoverflow.com/a/38269014/6371459

You can test it yourself with:

// Both lines print the same value: the two strings decode to identical bytes
System.out.println(
        javax.xml.bind.DatatypeConverter.printBase64Binary(
                javax.xml.bind.DatatypeConverter.parseBase64Binary("Test@12")));
System.out.println(
        javax.xml.bind.DatatypeConverter.printBase64Binary(
                javax.xml.bind.DatatypeConverter.parseBase64Binary("Test@123")));

Try a (more) different key and the SignatureException will be thrown.
  • Thanks, I got the solution: I can generate the key from my static key like that: `SecureRandom random1 = new SecureRandom("uwiueweuwiieuiuwiuiuewiiewiieuiew".getBytes()); SecretKey key1 = MacProvider.generateKey(SignatureAlgorithm.HS512, random1);` – ashishl Aug 08 '16 at 17:15
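The effect the answer describes, worked through as an added example (not code from the question, the answer, or JJWT): a Python model of the lenient javax.xml.bind.DatatypeConverter decoding that JJWT applied to String keys, used to show that "Test@12" and "Test@123" collapse to the same three key bytes, that the token posted in the comments verifies under either string, and that a key string that is real base64 (what signWith(alg, String) expects) keeps the two secrets distinct. The skip-invalid-characters / drop-incomplete-group behaviour is assumed from the JDK and reimplemented here; `lenient_b64decode`, `verify_hs256_token` and `proper_key` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import string

# Model of javax.xml.bind.DatatypeConverter.parseBase64Binary, the decoder JJWT
# applied to String keys (assumed JDK behaviour, reimplemented here): characters
# outside the Base64 alphabet are skipped and an incomplete final group is dropped.
_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
_DECODE = {c: i for i, c in enumerate(_ALPHABET)}

def lenient_b64decode(text: str) -> bytes:
    out, quad = bytearray(), []
    for ch in text:
        if ch == "=":
            quad.append(None)              # padding marker
        elif ch in _DECODE:
            quad.append(_DECODE[ch])       # anything else ('@', ...) is ignored
        if len(quad) == 4:
            a, b, c, d = quad
            out.append(((a << 2) | (b >> 4)) & 0xFF)
            if c is not None:
                out.append(((b << 4) | (c >> 2)) & 0xFF)
                if d is not None:
                    out.append(((c << 6) | d) & 0xFF)
            quad = []
    return bytes(out)                      # fewer than 4 leftover chars are lost

def hs256(key: bytes, signing_input: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()

def verify_hs256_token(token: str, key_text: str) -> bool:
    """Check a compact JWS the way the thread's parser did: the String key is
    run through the lenient base64 decoder before it is used as the HMAC key."""
    header, payload, sig = token.split(".")
    expected = hs256(lenient_b64decode(key_text), f"{header}.{payload}".encode("ascii"))
    actual = base64.urlsafe_b64decode(sig + "=" * (-len(sig) % 4))
    return hmac.compare_digest(expected, actual)

def proper_key(secret: bytes) -> str:
    """What signWith(alg, String) really expects: the key bytes, base64-encoded."""
    return base64.b64encode(secret).decode("ascii")

# Token the asker posted in the comments (signed with the String key "Test@123").
TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
         "eyJHaXZlbk5hbWUiOiJKb2hubnkiLCJTdXJuYW1lIjoiUm9ja2V0IiwiRW1haWwiOiJqcm9ja2V0QGV4YW1wbGUuY29tIiwiaXNzIjoiT25saW5lIEpXVCBCdWlsZGVyIiwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSJ9."
         "6rMHAdhvNyfe0Mqc6dgZ96QqEKzp4iEU3dle7eSIHMo")

if __name__ == "__main__":
    for k in ("Test@12", "Test@123", "Test@1234", proper_key(b"Test@12")):
        print(f"{k:>14} -> key bytes {lenient_b64decode(k).hex()} verifies={verify_hs256_token(TOKEN, k)}")
```

"Test@1234" contributes a second full Base64 group, so it yields a different key and verification fails, which is the "(more) different key" case from the answer.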