Caused by: io.jsonwebtoken.security.WeakKeyException: The specified key byte array is 40 bits which

最新推荐文章于 2024-03-11 23:57:30 发布
最新推荐文章于 2024-03-11 23:57:30 发布
阅读量3.9k 收藏 2
点赞数 1
分类专栏: SpringBoot 文章标签: jwt spring boot java
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_43364428/article/details/112179595
版权

项目:

一、说明:SpringBoot整合SpringSecurity实现JWT认证,选用了SignatureAlgorithm.HS512算法,在用使用base64-secret作为私钥JWT进行签名的时候报错:

org.springframework.context.ApplicationContextException: Unable to start web server; nested exception is org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:155) ~[spring-boot-2.0.6.RELEASE.jar:2.0.6.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:542) ~[spring-context-5.0.10.RELEASE.jar:5.0.10.RELEASE]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:140) ~[spring-boot-2.0.6.RELEASE.jar:2.0.6.RELEASE]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:754) [spring-boot-2.0.6.RELEASE.jar:2.0.6.RELEASE]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:386) [spring-boot-2.0.6.RELEASE.jar:2.0.6.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:307) [spring-boot-2.0.6.RELEASE.jar:2.0.6.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1242) [spring-boot-2.0.6.RELEASE.jar:2.0.6.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1230) [spring-boot-2.0.6.RELEASE.jar:2.0.6.RELEASE]	
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtTokenUtils' defined in file [E:\CloneStudy\springcloud-token\target\classes\com\eureka\springcloudtoken\utils\JwtTokenUtils.class]: Invocation of init method failed; nested exception is io.jsonwebtoken.security.WeakKeyException: The specified key byte array is 40 bits which is not secure enough for any JWT HMAC-SHA algorithm.  The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with HMAC-SHA algorithms MUST have a size >= 256 bits (the key size must be greater than or equal to the hash output size).  Consider using the io.jsonwebtoken.security.Keys#secretKeyFor(SignatureAlgorithm) method to create a key guaranteed to be secure enough for your preferred HMAC-SHA algorithm.  See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1694) ~[spring-beans-5.0.10.RELEASE.jar:5.0.10.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:573) ~[spring-beans-5.0.10.RELEASE.jar:5.0.10.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:495) ~[spring-beans-5.0.10.RELEASE.jar:5.0.10.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:317) ~[spring-beans-5.0.10.RELEASE.jar:5.0.10.RELEASE]
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) ~[spring-beans-5.0.10.RELEASE.jar:5.0.10.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:315) ~[spring-beans-5.0.10.RELEASE.jar:5.0.10.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199) ~[spring-beans-5.0.10.RELEASE.jar:5.0.10.RELEASE]
	at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:251) ~[spring-beans-5.0.10.RELEASE.jar:5.0.10.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1135) ~[spring-beans-5.0.10.RELEASE.jar:5.0.10.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1062) ~[spring-beans-5.0.10.RELEASE.jar:5.0.10.RELEASE]
	at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:819) ~[spring-beans-5.0.10.RELEASE.jar:5.0.10.RELEASE]
	at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:725) ~[spring-beans-5.0.10.RELEASE.jar:5.0.10.RELEASE]
	... 38 common frames omitted
Caused by: io.jsonwebtoken.security.WeakKeyException: The specified key byte array is 40 bits which is not secure enough for any JWT HMAC-SHA algorithm.  The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with HMAC-SHA algorithms MUST have a size >= 256 bits (the key size must be greater than or equal to the hash output size).  Consider using the io.jsonwebtoken.security.Keys#secretKeyFor(SignatureAlgorithm) method to create a key guaranteed to be secure enough for your preferred HMAC-SHA algorithm.  See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.
	at io.jsonwebtoken.security.Keys.hmacShaKeyFor(Keys.java:81) ~[jjwt-api-0.10.6.jar:na]
	at com.eureka.springcloudtoken.utils.JwtTokenUtils.afterPropertiesSet(JwtTokenUtils.java:37) ~[classes/:na]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1753) ~[spring-beans-5.0.10.RELEASE.jar:5.0.10.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1690) ~[spring-beans-5.0.10.RELEASE.jar:5.0.10.RELEASE]
	... 49 common frames omitted

二、分析:
主要报错在:
(1)Unable to start web server; nested exception is org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat
一开始以为是版本依赖冲突问题,继续看后面的错误发现不是

(2)Caused by: io.jsonwebtoken.security.WeakKeyException: The specified key byte array is 40 bits which is not secure enough for any JWT HMAC-SHA algorithm.
大概的意思是Key的数组位数不足,返回来看自己Key代码的位置,
发现key是用于生成Token时候的签名密钥,附上生成token的部分代码:

public String createToken(Map<String,Object> claims){
    return Jwts.builder()
            .claim(AUTHORITIES_KEY,claims)
            .setId(UUID.randomUUID().toString())
            .setIssuedAt(new Date())
            .setExpiration(new Date((new Date()).getTime()+jwtSecurityProperties.getTokenValidityInSeconds()))
            .compressWith(CompressionCodecs.DEFLATE)
            .signWith(key, SignatureAlgorithm.HS512)
            .compact();
}

三、解决方法
(1)依赖jjwt0.9.1之后的版本对于密钥安全性要求更高(体现在secret密钥的长度要达到一定的位数),若仍想使用安全性较低的密钥,需使用0.9.1之前的版本。
(2)经排查,这问题是因为选用了HS512算法后,对安全要求更高了,原有的RSA算法私钥长度1024已经不符合要求,因此假如要使用该算法进行加密,需要重新更换秘钥长度,在生成RSA密钥对的时候,把keySize改为2048或者更高。
(3)本项目的key取值是从配置文件中获取的,所以只需要把key的值(即私钥)位数变多即可:


```java
jwt:
  header: Authorization
  #令牌前照
  token-start-with: Bearer
  #使用Base64对该令牌进行编码
  base64-secret: 1212121hsodhsdhasdhsaldhsalhdlsahdlsad(关键点)
  #令牌过期时间,单位毫秒
  token-validity-in-seconds: 1440000
@yang@yang
关注
  • 1
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Caused by: java.net.UnknownHostException: openapi.alipay.com
10-28
Caused by: java.net.UnknownHostException: openapi.alipay.com
Caused by: java.lang.ClassNotFoundException: org.apache.commons.collections.Transformer异常
08-18
主要介绍了Caused by: java.lang.ClassNotFoundException: org.objectweb.asm.Type异常,文中通过示例代码介绍的非常详细,对大家的学习或者工作具有一定的参考学习价值,需要的朋友们下面随着小编来一起学习学习吧
JWT实战之升级Java JWT
最新发布
lonelymanontheway的博客
03-11 1060
为何要升级、GAV变更、编译问题、废弃API、启动失败DefaultJwtBuilder、WeakKeyException HS512 algorithm、WeakKeyException HMAC-SHA algorithm、json Serializer、Compact JWT strings may not contain whitespace、JWT在线解密、postman Bearer TokenJWT Bearer、JWT signature does not match locally co
Caused by: android.os.NetworkOnMainThreadException错误解决办法
09-04
主要介绍了Caused by: android.os.NetworkOnMainThreadException错误解决办法,本文提供了2种解决方法,需要的朋友可以参考下
Oracle IO问题解析.pdf
06-15
Oracle IO问题解析.pdfOracle IO问题解析.pdfOracle IO问题解析.pdfOracle IO问题解析.pdfOracle IO问题解析.pdfOracle IO问题解析.pdf
jwt问题记录
生而为人我很抱歉
08-02 1715
jjwt使用中各种问题汇总。
JWT 认证报错:io.jsonwebtoken.security.WeakKeyException
Siona_xin 的博客
06-06 2619
SpringBoot 整合 SpringSecurity 实现 JWT 认证,选用了 SignatureAlgorithm.HS512 算法,在用使用 base64-secret 作为私钥 JWT 进行签名的时候报错。
Caused by: io.jsonwebtoken.security.WeakKeyException: The specified key byte array is 224 bits which
拒绝躺平,适当内卷
06-10 2100
Caused by: io.jsonwebtoken.security.WeakKeyException: The specified key byte array is 224 bits which is not secure enough for any JWT HMAC-SHA algorithm. The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with HMAC-SHA algorithms MUST.
nacos2.2启动报错The specified key byte array is 16 bits which is not secure enough for any JWT HMAC-SHA
dawei1980的专栏
03-03 5386
nacos2.2启动报错The specified key byte array is 16 bits which is not secure enough for any JWT HMAC-SHA
Nacos 2.2.1 启动报错
weixin_44295677的博客
04-11 1533
nacos 2.2.1 安装报错
JWT设置密钥长度
在这个充满危险的乱世之中,只有学会烤鸡才能顽强的活下去。
11-16 1万+
一、问题描述 我需要用调用这个系统本来就有的鉴权代码,然后让用户进行登录,但是在走JWT自动创建Token的时候,就开始报错了。报错信息如下: io.jsonwebtoken.security.WeakKeyException: The signing key's size is 40 bits which is not secure enough for the HS256 algorithm. The JWT JWA Specification (RFC 7518, Section 3.2..
Java异常之—-Caused by: java.lang.IllegalStateException: Method has too many Body parameters
01-20
异常:Caused by: java.lang.IllegalStateException: Method has too many Body parameters Caused by: java.lang.IllegalStateException: Method has too many Body parameters: public abstract ...
jwt令牌中token过期如何处理?
Black_penis的博客
07-31 1611
苍穹外卖token过期bug
微服务下使用jjwt生成token签名signwith带来的问题
热门推荐
weixin_40598838的博客
09-14 1万+
概述 token常用于分布式中,带着很多的用户信息,不存储于服务器,是常见的认证方式之一。在一个网站中,你要回复一个问题,那么就需要验证你的最低权限是用户。 引入jar包 <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt</artifactId> <version>0.6.0</v
Java JWTio.jsonwebtoken.jjwt-api的简单使用演示
DIA的博客
09-05 1741
理由:采用的极大好处就是,将大部分的数据运算、存储压力给转移至前端而非服务端。
The specified key byte array is 136 bits which is not secure enough for any JWT HMAC-SHA algorithm.
Java Pro
05-11 2595
场景 集合了<jjwt.version>0.11.5</jjwt.version>版本的 jwt <dependency> <groupId>io.jsonwebtoken</groupId> <artifactId>jjwt-api</artifactId> <version>${jjwt.version}</version>
Nacos v2.2运行出错
guyan999的专栏
03-23 6613
【代码】Nacos v2.2运行出错。
Caused by: io.lettuce.core.RedisCommandExecutionException: The client IP is not in the whitelist
06-03
这个错误提示是因为你的客户端IP没有被加入Redis的白名单中。Redis默认情况下只允许来自本地的连接,如果你想要从远程连接到Redis,需要在Redis配置文件中设置bind参数为0.0.0.0来允许所有IP连接,或者将你的IP地址加入Redis的白名单中。你可以通过修改Redis配置文件或者使用命令行工具来实现这个操作。如果你使用的是云服务提供商提供的Redis服务,可以在其管理控制台中进行相应的设置。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值