JWT 签名与本地计算的签名不匹配。 JWT 有效性不能被断言,也不应该被信任
Posted
技术标签:
【中文标题】JWT 签名与本地计算的签名不匹配。 JWT 有效性不能被断言,也不应该被信任【英文标题】:JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted 【发布时间】:2019-10-31 12:35:07 【问题描述】:我正在构建一个服务器端 REST 服务应用程序。 JWT 身份验证令牌有问题。登录后我可以轻松获取令牌(这里我使用Postman)。
但是当我尝试使用相同的令牌验证访问受保护 REST 控制器的请求时,我收到以下错误:
io.jsonwebtoken.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:354)
at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481)
at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541)
at com.configuration.jwt.JwtTokenUtil.extractClaims(JwtTokenUtil.java:104)
at com.configuration.jwt.JwtTokenUtil.getUsernameFromToken(JwtTokenUtil.java:39)
at com.configuration.jwt.JwtAuthenticationFilter.doFilterInternal(JwtAuthenticationFilter.java:44)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
...
就像应用程序不记得它生成的令牌一样。这是来自 Postman 的 get 请求,它产生了这个错误:
我猜这个异常的来源是我班级JwtTokenUtil的方法extractClaims:
@Component
public final class JwtTokenUtil
public static final int EXPIRATION_IN_SECONDS = 120;
private static final String JWT_SECRET = "Some$ecretKey";
private Clock clock = DefaultClock.INSTANCE;
@Value("$jwt.secret")
private String secret;
@Value("$jwt.expiration")
private Long expiration;
private JwtTokenUtil()
// Hide default constructor
public String getUsernameFromToken(String token)
return extractClaims(token).getSubject();
public Boolean validateToken(String token, UserDetails userDetails)
UserDetailsImp user = (UserDetailsImp) userDetails;
final String username = getUsernameFromToken(token);
return (username.equals(user.getUsername()) && !isTokenExpired(token));
public Date getIssuedAtDateFromToken(String token)
return extractClaims(token).getIssuedAt();
public String generateToken(UserDetails userDetails)
Map<String, Object> claims = new HashMap<String, Object>();
return doGenerateToken(claims, userDetails.getUsername());
private String doGenerateToken(Map<String, Object> claims, String subject)
final Date createdDate = clock.now();
final Date expirationDate = calculateExpirationDate(createdDate);
return Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(createdDate)
.setExpiration(expirationDate).signWith(SignatureAlgorithm.HS512, secret).compact();
private Date calculateExpirationDate(Date createdDate)
return new Date(createdDate.getTime() + expiration * 1000);
public static String createToken(String username, Date issueDate)
String jwtToken = Jwts.builder().setSubject(username).setIssuedAt(issueDate)
.setExpiration(new Date(issueDate.getTime() + EXPIRATION_IN_SECONDS))
.signWith(SignatureAlgorithm.HS512, JWT_SECRET).compact();
return jwtToken;
public static String getSubject(String token)
Claims claims = extractClaims(token);
return claims.getSubject();
public static String refreshToken(String token, long expirationInSeconds)
final Claims claims = extractClaims(token);
Date now = new Date();
claims.setIssuedAt(now);
claims.setExpiration(new Date(now.getTime() + EXPIRATION_IN_SECONDS));
return createTokenFromClaims(claims);
public static boolean isTokenExpired(String token)
final Claims claims = extractClaims(token);
Date now = new Date();
return now.after(claims.getExpiration());
private static String createTokenFromClaims(Claims claims)
return Jwts.builder().setClaims(claims).signWith(SignatureAlgorithm.HS512, JWT_SECRET).compact();
private static Claims extractClaims(String token)
return Jwts.parser().setSigningKey(JWT_SECRET).parseClaimsJws(token).getBody();
这是我的JwtAuthenticationFilter 班级:
public class JwtAuthenticationFilter extends OncePerRequestFilter
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private JwtTokenUtil jwtTokenUtil;
@Override
protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
throws IOException, ServletException
String header = req.getHeader("Authorization");
String username = null;
String authToken = null;
if (header != null && header.startsWith("Bearer "))
authToken = header.replace("Bearer ", "");
try
username = jwtTokenUtil.getUsernameFromToken(authToken);
catch (IllegalArgumentException e)
logger.error("an error occured during getting username from token", e);
catch (ExpiredJwtException e)
logger.warn("the token is expired and not valid anymore", e);
else
logger.warn("couldn't find bearer string, will ignore the header");
if (username != null && SecurityContextHolder.getContext().getAuthentication() == null)
UserDetails userDetails = userDetailsService.loadUserByUsername(username);
if (jwtTokenUtil.validateToken(authToken, userDetails))
String role = "";
role = userDetails.getAuthorities().size() > 1 ? "ROLE_ADMIN" : "ROLE_TOURIST";
UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
userDetails, null, Arrays.asList(new SimpleGrantedAuthority(role)));
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(req));
logger.info("authenticated user " + username + ", setting security context");
SecurityContextHolder.getContext().setAuthentication(authentication);
chain.doFilter(req, res);
我不知道登录控制器是否与该问题有关,但无论如何这里是它的代码:
@PostMapping(value = "/signin")
public ResponseEntity<?> signin(@Valid @RequestBody LoginForm loginForm) throws AuthenticationException
final Authentication authentication = authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(loginForm.getUsername(), loginForm.getPassword()));
SecurityContextHolder.getContext().setAuthentication(authentication);
final UserDetails user = userService.loadUserByUsername(loginForm.getUsername());
final String token = jwtTokenUtil.generateToken(user);
return ResponseEntity.ok(new JwtResponse(token, user.getUsername(), user.getAuthorities()));
希望有人能帮忙。
【问题讨论】:
我遇到了同样的问题,this 【参考方案1】:遇到了同样的问题,在我的情况下,从 angular 传递的令牌在开始/结束时有引号。通过删除它们来解决。
intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>>
let token = localStorage.getItem('token');
if (token)
token = token.replace(/^"(.*)"$/, '$1');
if (token)
request = request.clone( headers: request.headers.set('Authorization', 'Bearer ' + token) );
if (!request.headers.has('Content-Type'))
request = request.clone( headers: request.headers.set('Content-Type', 'application/json') );
request = request.clone( headers: request.headers.set('Accept', 'application/json') );
console.log("............");
return next.handle(request);
【讨论】:
【参考方案2】:有同样的错误信息有类似的问题。我意识到这是由于提供的公钥中的空白。你可能会检查一下。用这个代码sn-p修复:
String PUB_KEY = System.getenv("PUBLIC_KEY") ; // remove ---PUBLIC KEY--- & ---END PUBLIC KEY ---
String PUBLIC_KEY = "";
if (!PUB_KEY.isEmpty())
PUBLIC_KEY = PUB_KEY.replace(" ", "");
希望对你有帮助。
【讨论】:
我遇到了同样的问题。 ***.com/questions/57297249/…为我解决了。【参考方案3】:我认为EXPIRATION_IN_SECONDS 应该以毫秒为单位,因为您将它添加到 getTime() 中,以毫秒为单位。所以实际应该是120000。
【讨论】:
以上是关于JWT 签名与本地计算的签名不匹配。 JWT 有效性不能被断言,也不应该被信任的主要内容,如果未能解决你的问题,请参考以下文章