Caught in an error. JWT validity cannot be asserted and should not be trusted
php editor Banana pointed out that when using JWT (JSON Web Tokens), you must note that its validity cannot be asserted and should not be trusted. JWT is a token used for authentication and authorization, but due to its self-contained nature, once the token is tampered with, its validity cannot be guaranteed. Therefore, when using JWT, we should take strict verification measures, including verifying signatures, expiration time, etc., and do not store sensitive information in JWT to avoid security risks.
Question content
My jwtutil.java code:
@service @requiredargsconstructor public class jwtutil { private secretkey getsigningkey() { return jwts.sig.hs512.key().build(); } public string generatetoken(securitymember securitymember) { map<string, object> claims = new hashmap<>(); return createtoken(claims, securitymember.getusername()); } public string createtoken(map<string, object> claims, string subject) { return jwts.builder().claims(claims).subject(subject).issuedat(new date(system.currenttimemillis())) .expiration(new date(system.currenttimemillis() + 1000 * 60 * 60 * 10)) .signwith(getsigningkey()) .compact(); } public boolean validatetoken(string token, securitymember securitymember) { final string username = extractusername(token); return (username.equals(securitymember.getusername()) && !istokenexpired(token)); } private boolean istokenexpired(string token) { return extractexpiration(token).before(new date(system.currenttimemillis())); } public date extractexpiration(string token) { return extractclaims(token,claims::getexpiration); } public string extractusername(string token) { return extractclaims(token,claims::getsubject); } private <t> t extractclaims(string token, function<claims, t> claimsresolver) { final jwe<claims> claims = extractallclaims(token); return claimsresolver.apply(claims.getpayload()); } private jwe<claims> extractallclaims(string token) { try { return jwts.parser() .requireissuer("http://localhost:8080") .verifywith(getsigningkey()) .build() .parse(token).accept(jwe.claims); } catch (jwtexception ex) { throw new jwtexception("wrong jwt"+ex.getmessage(),ex); } } }
The issue is:
Caused by: io.jsonwebtoken.security.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
Solution
Your functiongetsigningkey()
uses jwts.sig.hs512.key().build();
, each A new key is created each time it is called.
But when you sign the token and verify the token you call getsigningkey()
so you have different keys in both cases.
Instead create a key and store it and use the stored key. For example:
signingKey = getSigningKey(); // use it for signing Jwts.builder().signWith(signingKey)... // and verification Jwts.parser().verifyWith(signingKey)...
But the creation of the key should not happen every time a token is created, but should be separated from it. You should also consider retaining the key so that you still have the same key after restarting the program. Otherwise, all issued tokens will become invalid after restarting.
Verification means that you verify the token signature against the same key used to sign it.
The above is the detailed content of Caught in an error. JWT validity cannot be asserted and should not be trusted. For more information, please follow other related articles on the PHP Chinese website!

Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Hot Tools

SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.

Zend Studio 13.0.1
Powerful PHP integrated development environment

Atom editor mac version download
The most popular open source editor

ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment

mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
