I am facing a strange issue. If I tweak the signature key with the next couple of chars, validation is still successful. Shouldn't the validation fail if the signature is altered?
PS: I have tested with multiple secret keys and multiple tokens and the above behaviour exists.
Token Creation

```java
import java.security.Key;
import java.util.Date;

import javax.crypto.spec.SecretKeySpec;

import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

public class ValidateJWTClaims {
    public String createToken(String secretKey) {
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
        // Raw secret bytes wrapped as an HMAC-SHA256 key (platform default charset)
        Key key = new SecretKeySpec(secretKey.getBytes(), signatureAlgorithm.getJcaName());
        JwtBuilder builder = Jwts.builder()
            .setId("testId")
            .setAudience("all")
            .setIssuedAt(new Date(System.currentTimeMillis()))
            .setSubject("testSubject")
            .setIssuer("testOrg")
            .signWith(key, signatureAlgorithm);
        // Serialise to the compact header.payload.signature form
        return builder.compact();
    }
}
```
Signature Validation

```java
import org.junit.Test;

import com.google.gson.Gson;
import io.jsonwebtoken.Claims;

private String secretKey;
private final ValidateJWTClaims validateJWTClaims = new ValidateJWTClaims();
private final Gson gson = new Gson();

@Test
public void createTokenAndVerify() throws Exception {
    secretKey = "jhakjdhflashdfjasdhfjkashdfjhsfuhjjkadfhl";
    String jwt = validateJWTClaims.createToken(secretKey);
    System.out.println(jwt);
    // Same header and payload; only the last character of the signature differs.
    // Q, R, S and T all validate; O, P and U do not.
    String works = "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJ0ZXN0SWQiLCJhdWQiOiJhbGwiLCJpYXQiOjE1NDM5Mzc1MjIsInN1YiI6InRlc3RTdWJqZWN0IiwiaXNzIjoidGVzdE9yZyJ9.k0QyR_aHXREikUc25yQ1hLDox_NAdFxPgNQ42-eXEGQ";
    // String works = "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJ0ZXN0SWQiLCJhdWQiOiJhbGwiLCJpYXQiOjE1NDM5Mzc1MjIsInN1YiI6InRlc3RTdWJqZWN0IiwiaXNzIjoidGVzdE9yZyJ9.k0QyR_aHXREikUc25yQ1hLDox_NAdFxPgNQ42-eXEGR";
    // String works = "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJ0ZXN0SWQiLCJhdWQiOiJhbGwiLCJpYXQiOjE1NDM5Mzc1MjIsInN1YiI6InRlc3RTdWJqZWN0IiwiaXNzIjoidGVzdE9yZyJ9.k0QyR_aHXREikUc25yQ1hLDox_NAdFxPgNQ42-eXEGS";
    // String works = "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJ0ZXN0SWQiLCJhdWQiOiJhbGwiLCJpYXQiOjE1NDM5Mzc1MjIsInN1YiI6InRlc3RTdWJqZWN0IiwiaXNzIjoidGVzdE9yZyJ9.k0QyR_aHXREikUc25yQ1hLDox_NAdFxPgNQ42-eXEGT";
    // String fails = "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJ0ZXN0SWQiLCJhdWQiOiJhbGwiLCJpYXQiOjE1NDM5Mzc1MjIsInN1YiI6InRlc3RTdWJqZWN0IiwiaXNzIjoidGVzdE9yZyJ9.k0QyR_aHXREikUc25yQ1hLDox_NAdFxPgNQ42-eXEGO";
    // String fails = "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJ0ZXN0SWQiLCJhdWQiOiJhbGwiLCJpYXQiOjE1NDM5Mzc1MjIsInN1YiI6InRlc3RTdWJqZWN0IiwiaXNzIjoidGVzdE9yZyJ9.k0QyR_aHXREikUc25yQ1hLDox_NAdFxPgNQ42-eXEGP";
    // String fails = "eyJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJ0ZXN0SWQiLCJhdWQiOiJhbGwiLCJpYXQiOjE1NDM5Mzc1MjIsInN1YiI6InRlc3RTdWJqZWN0IiwiaXNzIjoidGVzdE9yZyJ9.k0QyR_aHXREikUc25yQ1hLDox_NAdFxPgNQ42-eXEGU";
    Claims claims = validateJWTClaims.getClaims(works, secretKey);
    System.out.println(gson.toJson(claims));
}
```
Please note that if I manually change the signature part's end char to something else, for some instances validation is still successful.
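Added example, not from the issue or from the jjwt project: the tokens that "work" above differ only in the last base64url character of the signature. A 32-byte HMAC-SHA256 tag is 256 bits, but 43 base64url characters carry 258 bits, so the final character's two low bits are never used; a lenient decoder ignores them, and Q (16), R (17), S (18) and T (19) all decode to the same byte while O, P and U do not. The script uses a constructed secret and signing input and shows a canonical-encoding check that rejects the non-canonical variants before the HMAC comparison.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not the secret or token from the issue
SECRET = b"example-secret-not-from-the-issue"
SIGNING_INPUT = b"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0"
B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode_lenient(text: str) -> bytes:
    # Python's decoder, like many others, silently drops non-zero unused bits
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def verify_lenient(sig: str) -> bool:
    # Decode-then-compare: accepts every encoding that yields the right bytes
    return hmac.compare_digest(b64url_decode_lenient(sig), hs256(SIGNING_INPUT, SECRET))


def verify_strict(sig: str) -> bool:
    # Reject any signature text that is not the canonical encoding of its bytes
    raw = b64url_decode_lenient(sig)
    if b64url_encode(raw) != sig:
        return False
    return hmac.compare_digest(raw, hs256(SIGNING_INPUT, SECRET))


def last_char_variants(sig: str) -> list:
    """The four final-character spellings that decode to the same 32 bytes.

    For a 43-character signature only the top 4 bits of the last 6-bit group
    are data, so the four alphabet entries sharing those bits are equivalent.
    """
    base = B64URL.index(sig[-1]) & ~0b11
    return [sig[:-1] + B64URL[base + i] for i in range(4)]


if __name__ == "__main__":
    canonical = b64url_encode(hs256(SIGNING_INPUT, SECRET))
    for variant in last_char_variants(canonical):
        print(variant[-1], verify_lenient(variant), verify_strict(variant))
```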