Java: why is the JWT token not secure?
I am using JWT tokens in my Spring Boot project. I was surprised that my JWT token could be decoded on their official website and all of the data was recovered from the token.
This is my token
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJTdGVlbERvYyIsImV4cCI6MTU1NzU2ODQ1MiwibG9naW5JZCI6ImFkbWluIiwidXNlcklkIjoyLCJlbWFpbElkIjoiZGhpcmVuZHJhQHRlc3QuY29tIn0.o4UKtwO22cAXLjIsUuDRgAQf7OjUbe_O9DbSGxPYgfQ
Decoding link: link..
This is my code
import java.nio.charset.StandardCharsets;
import java.util.Calendar;
import java.util.Date;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;

// Issues and verifies HS256-signed JWTs with the jjwt 0.9.x API used in the question.
// The signature only proves the token was produced with this secret; the claims
// inside the token are base64url-encoded, not encrypted, so anyone holding the
// token can read them.
public class JwtHelper {
    static String subject = "SteelDoc";
    // Shared HMAC key: every claim is signed with it, nothing is encrypted with it.
    static String secret = "faa76006-6fef-413d-9cae-a05e63170cbf";
    private static final byte[] KEY = secret.getBytes(StandardCharsets.UTF_8);
    Integer userId = null;
    String loginId = "";
    String emailId = "";

    public String getUserName() {
        return loginId;
    }

    public void setUserName(String userName) {
        this.loginId = userName;
    }

    public Integer getUserId() {
        return userId;
    }

    public void setUserId(Integer userId) {
        this.userId = userId;
    }

    // Builds a token that expires one year from now (replaces the deprecated
    // Date.setYear call, which also mutated the shared Date object).
    public String getToken(String loginId, Integer userId, String email) {
        Calendar expiry = Calendar.getInstance();
        expiry.add(Calendar.YEAR, 1);
        Date de = expiry.getTime();
        return Jwts.builder()
                .setSubject(subject)
                .setExpiration(de)
                .claim("loginId", loginId)
                .claim("userId", userId)
                .claim("emailId", email)
                .signWith(SignatureAlgorithm.HS256, KEY)
                .compact();
    }

    // Accepts the token only if the HMAC matches the secret and the token has not
    // expired; parseClaimsJws throws for a bad signature, a malformed or unsupported
    // token, or a passed exp claim.
    public boolean validateToken(String token) {
        try {
            Jws<Claims> claims = Jwts.parser().setSigningKey(KEY).parseClaimsJws(token);
            userId = claims.getBody().get("userId", Integer.class);
            loginId = claims.getBody().get("loginId", String.class);
            emailId = claims.getBody().get("emailId", String.class);
            return true;
        } catch (JwtException | IllegalArgumentException e) {
            // JwtException covers ExpiredJwtException, UnsupportedJwtException,
            // MalformedJwtException and SignatureException, which the original
            // code caught one by one.
            e.printStackTrace();
            return false;
        }
    }
}
My questions are:
Why does this happen?
If it is not secure, why should we use it?
Is there a way to protect this token?
0 answers
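The token in the question is a JWS (signed JWT): the header and payload are base64url-encoded JSON, and the third part is an HMAC-SHA256 over the first two. Base64url is an encoding, not encryption, so any website can show the claims without the secret; what the secret protects is integrity, because a server that verifies the HMAC will reject a token whose payload was edited or that was signed with another key. The example below is added here and is not code from the question or from jjwt. It uses only the Python standard library, mints a constructed token with the same secret and claim names as the question (the claims and the far-future exp value are made up), reads the payload without any key, verifies the signature, and shows that a payload edit breaks verification. `POSTED_TOKEN` is the token from the question, used only to read its payload.

```python
"""JWS (signed JWT) in the standard library: readable payload, tamper-evident signature.

Added example, not from the question or from jjwt. The secret and claim names mirror
the question; the claims minted here are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Token and secret copied from the question (the secret is the one in JwtHelper).
POSTED_TOKEN = (
    "eyJhbGciOiJIUzI1NiJ9."
    "eyJzdWIiOiJTdGVlbERvYyIsImV4cCI6MTU1NzU2ODQ1MiwibG9naW5JZCI6ImFkbWluIiwidXNlcklkIjoyLCJlbWFpbElkIjoiZGhpcmVuZHJhQHRlc3QuY29tIn0."
    "o4UKtwO22cAXLjIsUuDRgAQf7OjUbe_O9DbSGxPYgfQ"
)
SECRET = b"faa76006-6fef-413d-9cae-a05e63170cbf"

# Constructed claims with the same names as the question; exp is far in the future.
EXAMPLE_CLAIMS = {"sub": "SteelDoc", "exp": 4102444800, "loginId": "admin",
                  "userId": 2, "emailId": "dhirendra@test.com"}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint header.payload.signature; the HMAC covers the first two segments."""
    header = b64url_encode(_json({"alg": "HS256", "typ": "JWT"}))
    payload = b64url_encode(_json(claims))
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def read_claims_without_key(token: str) -> dict:
    """What jwt.io does: decode the payload. No secret is involved at all."""
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if alg is HS256, the HMAC matches and exp has not passed."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse "none" and algorithm confusion outright
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    claims = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= current:
        return None
    return claims


def tamper_user_id(token: str, new_user_id: int) -> str:
    """Edit the payload and keep the old signature, as an attacker would try."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["userId"] = new_user_id
    return f"{header_b64}.{b64url_encode(_json(claims))}.{sig_b64}"


if __name__ == "__main__":
    token = sign_hs256(EXAMPLE_CLAIMS, SECRET)
    print("payload read with no key :", read_claims_without_key(token))
    print("verified with the secret :", verify_hs256(token, SECRET) is not None)
    print("verified with a wrong key:", verify_hs256(token, b"wrong") is not None)
    print("forged userId verifies   :", verify_hs256(tamper_user_id(token, 1), SECRET) is not None)
    print("posted token, exp claim  :", read_claims_without_key(POSTED_TOKEN)["exp"])
```

So the answer to "is there a way to protect this token" is two separate things: keep verifying the signature (that is what `validateToken` does, and it is what stops a forged `userId` from being accepted), and keep anything confidential such as e-mail addresses out of the payload, or switch to an encrypted JWT (JWE) if the claims themselves must be hidden from the client.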