/**
 * BAD example: parses {@code token} with the generic {@code parse(String)} call.
 *
 * <p>Even though a signing key is configured, {@code parse} accepts a token that
 * carries no signature at all (an unsecured JWT), so an attacker who strips the
 * signature still gets a successfully parsed token. Use {@code parseClaimsJws}
 * (or a handler that only implements a {@code Jws} callback) to require a
 * verified signature. Behaviour described here is that of jjwt's parser — confirm
 * against the jjwt version in use.
 *
 * @param token compact-serialized JWT received from an untrusted caller
 */
public void badJwt(String token) {
    // "someBase64EncodedKey" is an illustrative placeholder; a real key must come
    // from configuration or a secret store, never a source-code literal.
    Jwts.parserBuilder()
        .setSigningKey("someBase64EncodedKey")
        .build()
        .parse(token); // BAD: unsigned tokens are accepted, so the signature is not guaranteed to be verified
}
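/**
 * BAD example: parses {@code token} with a {@code JwtHandlerAdapter} that
 * overrides {@code onPlaintextJwt}.
 *
 * <p>The {@code onPlaintextJwt} callback is the one invoked for a token with no
 * signature, so implementing it means unsigned tokens are accepted and handed to
 * application code as if they were trusted. A safe handler implements only the
 * {@code Jws} callbacks ({@code onPlaintextJws} / {@code onClaimsJws}) and leaves
 * the adapter's default (rejecting) behaviour for everything else. Behaviour
 * described here is that of jjwt's parser — confirm against the jjwt version in use.
 *
 * <p>Fix relative to the original listing: the call parsed an undefined
 * {@code plaintextJwt} variable instead of the {@code token} parameter.
 *
 * @param token compact-serialized JWT received from an untrusted caller
 */
public void badJwtHandler(String token) {
    // "someBase64EncodedKey" is an illustrative placeholder; a real key must come
    // from configuration or a secret store, never a source-code literal.
    Jwts.parserBuilder()
        .setSigningKey("someBase64EncodedKey")
        .build()
        .parse(token, new JwtHandlerAdapter<Jwt<Header, String>>() {
            @Override
            public Jwt<Header, String> onPlaintextJwt(Jwt<Header, String> jwt) {
                return jwt;
            }
        }); // BAD: the handler is invoked for an unsigned, unverified JWT
}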
/**
 * GOOD example: parses {@code token} with {@code parseClaimsJws}, which only
 * succeeds for a signed token whose signature verifies against the configured
 * key; unsigned tokens and bad signatures are rejected with an exception
 * (in jjwt, {@code UnsupportedJwtException} / a signature exception — confirm
 * against the jjwt version in use).
 *
 * <p>The parsed claims are not used here; this method only demonstrates the
 * call shape.
 *
 * @param token compact-serialized JWT received from an untrusted caller
 */
public void goodJwt(String token) {
    // "someBase64EncodedKey" is an illustrative placeholder; a real key must come
    // from configuration or a secret store, never a source-code literal.
    Jwts.parserBuilder()
        .setSigningKey("someBase64EncodedKey")
        .build()
        .parseClaimsJws(token) // GOOD: requires a signed token and verifies it
        .getBody();
}
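/**
 * GOOD example: parses {@code token} with a {@code JwtHandlerAdapter} that
 * overrides only {@code onPlaintextJws}.
 *
 * <p>Because only a {@code Jws} callback is implemented, the adapter's default
 * behaviour rejects any token that is not a signed JWS, so the handler is only
 * reached after the signature has been verified. Behaviour described here is that
 * of jjwt's parser — confirm against the jjwt version in use.
 *
 * <p>Fix relative to the original listing: the call parsed an undefined
 * {@code plaintextJwt} variable instead of the {@code token} parameter.
 *
 * @param token compact-serialized JWT received from an untrusted caller
 */
public void goodJwtHandler(String token) {
    // "someBase64EncodedKey" is an illustrative placeholder; a real key must come
    // from configuration or a secret store, never a source-code literal.
    Jwts.parserBuilder()
        .setSigningKey("someBase64EncodedKey")
        .build()
        .parse(token, new JwtHandlerAdapter<Jws<String>>() {
            @Override
            public Jws<String> onPlaintextJws(Jws<String> jws) {
                return jws;
            }
        }); // GOOD: the handler is invoked only for a verified JWS
}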