The specified key byte array is 136 bits which is not secure enough for any JWT HMAC-SHA algorithm.

This post describes the security exception jjwt raises when the signing secret is too short, and walks through bringing the JWT_SECRET field up to 256 bits (32 bytes) as RFC 7518 requires for HMAC-SHA. The `generateToken` method is adjusted so that the key handed to the HMAC-SHA algorithm is long enough to pass jjwt's check.

Scenario

The project integrates jjwt at <jjwt.version>0.11.5</jjwt.version>:

<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-api</artifactId>
    <version>${jjwt.version}</version>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-impl</artifactId>
    <version>${jjwt.version}</version>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt-jackson</artifactId> <!-- or jjwt-gson if Gson is preferred -->
    <version>${jjwt.version}</version>
    <scope>runtime</scope>
</dependency>

The old `signWith(SignatureAlgorithm, String)` overload is deprecated. After switching to the `Keys.hmacShaKeyFor(...)` + `signWith(Key, SignatureAlgorithm)` form, the application fails at login with the error below.

The key part of the error message:

The specified key byte array is 136 bits which is not secure enough for any JWT HMAC-SHA algorithm.

2022-05-11 16:44:38.748 ERROR 83332 --- [io-13921-exec-1] o.a.c.c.C.[.[.[.[dispatcherServlet]      : Servlet.service() for servlet [dispatcherServlet] in context with path [/admin] threw exception [Request processing failed; nested exception is io.jsonwebtoken.security.WeakKeyException: The specified key byte array is 136 bits which is not secure enough for any JWT HMAC-SHA algorithm.  The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with HMAC-SHA algorithms MUST have a size >= 256 bits (the key size must be greater than or equal to the hash output size).  Consider using the io.jsonwebtoken.security.Keys#secretKeyFor(SignatureAlgorithm) method to create a key guaranteed to be secure enough for your preferred HMAC-SHA algorithm.  See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.] with root cause

io.jsonwebtoken.security.WeakKeyException: The specified key byte array is 136 bits which is not secure enough for any JWT HMAC-SHA algorithm.  The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with HMAC-SHA algorithms MUST have a size >= 256 bits (the key size must be greater than or equal to the hash output size).  Consider using the io.jsonwebtoken.security.Keys#secretKeyFor(SignatureAlgorithm) method to create a key guaranteed to be secure enough for your preferred HMAC-SHA algorithm.  See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.
	at io.jsonwebtoken.security.Keys.hmacShaKeyFor(Keys.java:96) ~[jjwt-api-0.11.5.jar:0.11.5]
	at com.admin.utils.JwtTokenUtils.generateToken(JwtTokenUtils.java:42) ~[classes/:na]
	at com.admin.service.AdminUserService.adminLogin(AdminUserService.java:59) ~[classes/:na]
	at com.admin.service.AdminUserService$$FastClassBySpringCGLIB$$1.invoke(<generated>) ~[classes/:na]
	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218) ~[spring-core-5.3.19.jar:5.3.19]
	at org.springframework.aop.framework.CglibAopProxy.invokeMethod(CglibAopProxy.java:386) ~[spring-aop-5.3.19.jar:5.3.19]
	at org.springframework.aop.framework.CglibAopProxy.access$000(CglibAopProxy.java:85) ~[spring-aop-5.3.19.jar:5.3.19]
	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:704) ~[spring-aop-5.3.19.jar:5.3.19]
	at com.admin.service.AdminUserService$$EnhancerBySpringCGLIB$$1.adminLogin(<generated>) ~[classes/:na]
	at com.admin.controller.UserController.adminLogin(UserController.java:26) ~[classes/:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_332]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_332]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_332]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_332]

Solution

Make the JWT_SECRET field used in the code below longer. What jjwt actually checks is the byte length of the key: for HS256 the key must be at least 32 bytes (256 bits), because RFC 7518 Section 3.2 requires an HMAC key at least as long as the hash output (so 48 bytes for HS384 and 64 bytes for HS512). The "136 bits" in the message means the original secret was only 17 bytes long. Any ASCII string of 32 or more characters will get past the check, but a secret typed by a person has far less entropy than its length suggests; the better fix is to generate a random key with `Keys.secretKeyFor(SignatureAlgorithm.HS256)`, store it base64-encoded in configuration rather than in source, and decode it at startup.

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;

    /**
     * Generates a token from the user information.
     * JWT_SECRET must be at least 32 bytes (256 bits) once UTF-8 encoded;
     * otherwise Keys.hmacShaKeyFor throws WeakKeyException (jjwt 0.11.x).
     */
    public String generateToken(String username) {

        Claims claims = Jwts.claims().setSubject(username);

        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
        // hmacShaKeyFor validates the key length against RFC 7518 Section 3.2
        SecretKey key = Keys.hmacShaKeyFor(JWT_SECRET.getBytes(StandardCharsets.UTF_8));
        return Jwts.builder()
                .setClaims(claims)
                .setExpiration(generateExpirationDate())
                .signWith(key, signatureAlgorithm)
                .compact();
    }
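The following is an added example, not the post's own JwtTokenUtils, showing the whole key lifecycle against the jjwt 0.11.5 API declared in the pom above: it reproduces the 136-bit rejection with a constructed 17-character secret, generates a proper random HS256 key, round-trips it through the base64 form you would keep in configuration, and checks that a token only verifies under the key that signed it. The class name JwtKeyDemo, the helper names keyFromBase64/issue/verify and the `jwt.secret` property name are assumptions for the illustration.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.io.Encoders;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.WeakKeyException;

import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.util.Date;

/** Added example (not the post's JwtTokenUtils): key handling that satisfies jjwt 0.11.x's length check. */
public class JwtKeyDemo {

    // RFC 7518 Section 3.2: the HMAC key must be at least the hash output size (32 bytes for HS256).
    private static final int HS256_MIN_BYTES = 32;

    /** Turns a base64 secret from configuration into a SecretKey, failing fast if it is too short. */
    static SecretKey keyFromBase64(String base64Secret) {
        byte[] raw = Decoders.BASE64.decode(base64Secret);
        if (raw.length < HS256_MIN_BYTES) {
            throw new IllegalArgumentException(
                    "JWT secret is " + (raw.length * 8) + " bits; HS256 needs at least 256 bits");
        }
        return Keys.hmacShaKeyFor(raw); // would also throw WeakKeyException for a short key
    }

    /** Signs a token for the given subject that expires ttlMillis from now. */
    static String issue(SecretKey key, String username, long ttlMillis) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + ttlMillis))
                .signWith(key, SignatureAlgorithm.HS256)
                .compact();
    }

    /** Verifies signature and expiry and returns the subject; throws JwtException on any failure. */
    static String verify(SecretKey key, String token) {
        Claims claims = Jwts.parserBuilder()
                .setSigningKey(key)
                .build()
                .parseClaimsJws(token)
                .getBody();
        return claims.getSubject();
    }

    public static void main(String[] args) {
        // 1. Reproduce the error from the post: a 17-character ASCII secret is 17 bytes = 136 bits.
        //    (constructed placeholder value, not a real secret)
        String shortSecret = "constructed-17byt";
        try {
            Keys.hmacShaKeyFor(shortSecret.getBytes(StandardCharsets.UTF_8));
        } catch (WeakKeyException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // 2. Generate a random 256-bit key once; keep its base64 form in configuration, not in source.
        SecretKey generated = Keys.secretKeyFor(SignatureAlgorithm.HS256);
        String base64ForConfig = Encoders.BASE64.encode(generated.getEncoded());
        System.out.println("jwt.secret=" + base64ForConfig); // assumed property name

        // 3. At startup, rebuild the key from configuration and use it for both signing and parsing.
        SecretKey key = keyFromBase64(base64ForConfig);
        String token = issue(key, "admin", 60_000L);
        System.out.println("subject = " + verify(key, token));

        // 4. A token signed under one key must not verify under another (e.g. after key rotation).
        SecretKey otherKey = Keys.secretKeyFor(SignatureAlgorithm.HS256);
        try {
            verify(otherKey, token);
        } catch (JwtException e) {
            System.out.println("rejected under a different key: " + e.getClass().getSimpleName());
        }
    }
}
```

Decoding the secret from base64 rather than calling `getBytes` on a plain string does two things at once: the length check operates on the real key bytes, and the value in configuration can be genuinely random output from `Keys.secretKeyFor` instead of a human-chosen phrase padded out to 32 characters.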
Comments

06-24

ult-auth-plugin-2.4.0.jar!/com/alibaba/nacos/plugin/auth/impl/token/impl/JwtTokenManager.class]: Bean instantiation via constructor failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.alibaba.nacos.plugin.auth.impl.token.impl.JwtTokenManager]: Constructor threw exception; nested exception is java.lang.IllegalArgumentException: the length of secret key must great than or equal 32 bytes; And the secret key must be encoded by base64.Please see https://nacos.io/zh-cn/docs/v2/guide/user/auth.html
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:306)
	at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:287)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:1372)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1222)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:582)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:336)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:334)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:209)
	at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:276)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1391)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1311)
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.resolveFieldValue(AutowiredAnnotationBeanPostProcessor.java:710)
	... 99 common frames omitted
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.alibaba.nacos.plugin.auth.impl.token.impl.JwtTokenManager]: Constructor threw exception; nested exception is java.lang.IllegalArgumentException: the length of secret key must great than or equal 32 bytes; And the secret key must be encoded by base64.Please see https://nacos.io/zh-cn/docs/v2/guide/user/auth.html
	at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:226)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:117)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:302)
	... 112 common frames omitted
Caused by: java.lang.IllegalArgumentException: the length of secret key must great than or equal 32 bytes; And the secret key must be encoded by base64.Please see https://nacos.io/zh-cn/docs/v2/guide/user/auth.html
	at com.alibaba.nacos.plugin.auth.impl.token.impl.JwtTokenManager.processProperties(JwtTokenManager.java:80)
	at com.alibaba.nacos.plugin.auth.impl.token.impl.JwtTokenManager.<init>(JwtTokenManager.java:66)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
	at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:213)
	... 114 common frames omitted
Caused by: java.lang.IllegalArgumentException: The specified key byte array is 128 bits which is not secure enough for any JWT HMAC-SHA algorithm. The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with HMAC-SHA algorithms MUST have a size >= 256 bits (the key size must be greater than or equal to the hash output size). See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.
	at com.alibaba.nacos.plugin.auth.impl.jwt.NacosJwtParser.<init>(NacosJwtParser.java:49)
	at com.alibaba.nacos.plugin.auth.impl.token.impl.JwtTokenManager.processProperties(JwtTokenManager.java:76)
	... 120 common frames omitted
2025-06-23 15:26:44,333 WARN [ThreadPoolManager] Start destroying ThreadPool