
I am trying to parse claims in a JJWT token that I retrieve from the X-AUTH-TOKEN header of a client request. The problem is that parsing throws a SignatureException, though the token is correctly signed.

Here is my Jersey filter:

import java.io.IOException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.ext.Provider;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;

@Provider
public class ClientClaimsFilter implements ContainerRequestFilter {

    // Base64-encoded HS256 secret; must be the exact key material the issuer signed with
    private String key;

    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        String token = requestContext.getHeaderString("X-AUTH-TOKEN");
        if ((token != null) && (!token.isEmpty())) {
            // JJWT's parser factory is Jwts.parser(); parseClaimsJws() verifies the HMAC before returning the body
            Claims claims = Jwts.parser().setSigningKey(key).parseClaimsJws(token).getBody();
        }
    }
}

Where key was generated like this:

    String key = TextCodec.BASE64.encode(MacProvider.generateKey(SignatureAlgorithm.HS256).getEncoded());

I verified that the key stays the same while generating the token and while parsing it. But there is still a SignatureException with the parsing.

Doudou G.
  • How are you storing the key after generating it? Are you using a static variable or temporary storage that might have been reinitialized? Are you sure 'token' contains the same JWT that you sent? – pedrofb Mar 06 '17 at 15:23
  • I was setting it as an attribute of a singleton class that I @Inject everywhere I need the key. The problem was that the application was injecting two different instances depending on whether I inject the singleton in an EJB or in a Jersey component class. Consequently, the Jersey filter could not validate the token produced by an EJB and always threw SignatureException. – Doudou G. Mar 06 '17 at 16:30
  • The solution I found was to inject the singleton class with the secret key attribute into an EJB and then inject that EJB into my Jersey filter. – Doudou G. Mar 06 '17 at 16:32
  • I suggest loading the key from a file. If not, issued JWTs will no longer be valid after a server restart. – pedrofb Mar 06 '17 at 17:15
  • Yes, you are right. But I think that in production, my server won't restart frequently, so I thought it was preferable to change the key at every restart and not keep it in a file (i.e. keep it safer). – Doudou G. Mar 07 '17 at 10:53
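The root cause in the comments above is that the issuer (EJB) and the verifier (Jersey filter) ended up holding two different HS256 keys, so the HMAC over the token could not match. The following is an added example, not code from the original post: it reproduces the failure with two independently generated keys, shows the same token verifying when both sides share one key, and shows one way to keep that key stable across restarts (pedrofb's suggestion) by persisting it to a file. It assumes the JJWT 0.7.x API (Jwts, MacProvider, TextCodec, SignatureException) that the question uses; the file name jwt-hs256.key and the subjects "alice" and "bob" are hypothetical.

```java
// Added example (not from the original post). Assumes JJWT 0.7.x on the classpath.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.impl.TextCodec;
import io.jsonwebtoken.impl.crypto.MacProvider;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Date;

public class KeyMismatchDemo {

    // Generate a fresh random HS256 key and return it Base64-encoded,
    // exactly as the question does.
    static String newBase64Key() {
        return TextCodec.BASE64.encode(
                MacProvider.generateKey(SignatureAlgorithm.HS256).getEncoded());
    }

    // Issue a signed token; this is the call the EJB side would make.
    static String issue(String base64Key, String subject) {
        return Jwts.builder()
                .setSubject(subject)
                .setIssuedAt(new Date())
                .setExpiration(new Date(System.currentTimeMillis() + 60_000L))
                .signWith(SignatureAlgorithm.HS256, base64Key)
                .compact();
    }

    // Verify the token; this is the call the Jersey filter makes.
    // parseClaimsJws() recomputes the HMAC with base64Key and throws
    // SignatureException if it does not match the token's signature.
    static Claims verify(String base64Key, String token) {
        return Jwts.parser()
                .setSigningKey(base64Key)
                .parseClaimsJws(token)
                .getBody();
    }

    // Load the key from a file, creating it on first use. A key that exists
    // only in memory is regenerated at every restart, which silently
    // invalidates every token issued before the restart.
    // (Hypothetical path; restrict the file's permissions to the server user.)
    static String loadOrCreateKey(Path keyFile) throws IOException {
        if (Files.exists(keyFile)) {
            return new String(Files.readAllBytes(keyFile), StandardCharsets.US_ASCII).trim();
        }
        String key = newBase64Key();
        Files.write(keyFile, key.getBytes(StandardCharsets.US_ASCII));
        return key;
    }

    public static void main(String[] args) throws IOException {
        // Two independently generated keys model the two singleton instances
        // the container handed out (one to the EJB, one to the Jersey filter).
        String ejbKey = newBase64Key();
        String filterKey = newBase64Key();

        String token = issue(ejbKey, "alice");

        // Same key on both sides: verification succeeds.
        System.out.println("subject = " + verify(ejbKey, token).getSubject());

        // Different key: the recomputed HMAC differs, so JJWT rejects the token.
        try {
            verify(filterKey, token);
        } catch (SignatureException e) {
            System.out.println("mismatched key rejected: " + e.getMessage());
        }

        // Shared, persisted key: issuer and verifier both read the same bytes,
        // and the key survives a restart of the server.
        Path keyFile = Paths.get("jwt-hs256.key");
        String token2 = issue(loadOrCreateKey(keyFile), "bob");
        System.out.println("subject = " + verify(loadOrCreateKey(keyFile), token2).getSubject());
    }
}
```

In the filter itself, catch SignatureException (and the other JwtException subclasses such as ExpiredJwtException) and abort the request with a 401 rather than letting the exception propagate as a 500; a verification failure is an authentication result, not a server error. Whether to persist the key or regenerate it per restart is a trade-off: a persisted key needs file permissions (or a secrets store) protecting it, while a per-restart key logs out every client whenever the process restarts.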

0 Answers