0

signWith(SignatureAlgorithm alg, Key key) has deprecated. We should use signWith(Key, SignatureAlgorithm) instead. But we how to do it. just swap the position?

How should I change the original code as follows to use a correct method?

public class JwtUtil {
    public static final long JWT_TTL = 60 * 60 * 1000L * 24 * 14;  
    public static final String JWT_KEY = "JSDFSDFSDFASJDHASDASDdfa32dJHASFDA67765asda123dsdsw";

    public static String getUUID() {
        return UUID.randomUUID().toString().replaceAll("-", "");
    }

    public static String createJWT(String subject) {
        JwtBuilder builder = getJwtBuilder(subject, null, getUUID());
        return builder.compact();
    }

    private static JwtBuilder getJwtBuilder(String subject, Long ttlMillis, String uuid) {
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
        SecretKey secretKey = generalKey();
        long nowMillis = System.currentTimeMillis();
        Date now = new Date(nowMillis);
        if (ttlMillis == null) {
            ttlMillis = JwtUtil.JWT_TTL;
        }

        long expMillis = nowMillis + ttlMillis;
        Date expDate = new Date(expMillis);
        return Jwts.builder()
                .setId(uuid)
                .setSubject(subject)
                .setIssuer("sg")
                .setIssuedAt(now)
                .signWith(signatureAlgorithm, secretKey)
                .setExpiration(expDate);
    }

    public static SecretKey generalKey() {
        byte[] encodeKey = Base64.getDecoder().decode(JwtUtil.JWT_KEY);
        return new SecretKeySpec(encodeKey, 0, encodeKey.length, "HmacSHA256");
    }

    public static Claims parseJWT(String jwt) throws Exception {
        SecretKey secretKey = generalKey();
        return Jwts.parserBuilder()
                .setSigningKey(secretKey)
                .build()
                .parseClaimsJws(jwt)
                .getBody();
    }
}

I notice that its doc for key is different. The deprecated is key – the algorithm-specific signing key to use to digitally sign the JWT. The other is key – the signing key to use to digitally sign the JWT.

So I think the key is different. But I don't know how to adjust my code.

awxiaoxian2020
  • 35
  • 5

1 Answers1

0

Since signWith(SignatureAlgorithm, SecretKey) is deprecated, you can use signWith(SecretKey) or signWith(SecretKey, SignatureAlgorithm).

When using HMAC-SHA, ensure that the secret key provided is at least as many bits as the algorithm's signature.

  • HMAC-SHA-256: 256 bits.

  • HMAC-SHA-384: 384 bits.

  • HMAC-SHA-512: 512 bits.

      private static JwtBuilder getJwtBuilder(String subject, Long ttlMillis, String uuid) {
  .
  .
  .
  SecretKey secretKey = generalKey();
  return Jwts.builder()
          .setId(uuid)
          .setSubject(subject)
          .setIssuer("sg")
          .setIssuedAt(now)
          .signWith(secretKey) //The signature algorithm is selected according to the size of secret key
          .setExpiration(expDate);
  }

  public static SecretKey generalKey(){
      byte[] encodeKey = Base64.getDecoder().decode(JwtUtil.JWT_KEY);
      return Keys.hmacShaKeyFor(encodeKey);
  }

Also, add the following dependencies:

For Maven:

<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-api</artifactId>
    <version>0.11.5</version>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-impl</artifactId>
    <version>0.11.5</version>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-jackson</artifactId>
    <version>0.11.5</version>
    <scope>runtime</scope>
</dependency>

For Gradle:

dependencies {
    implementation 'io.jsonwebtoken:jjwt-api:0.11.5'
    runtime 'io.jsonwebtoken:jjwt-impl:0.11.5'
    implementation 'io.jsonwebtoken:jjwt-jackson:0.11.5'
}
TC4Y
  • 18
  • 2