signWith(SignatureAlgorithm alg, Key key) has deprecated. We should use signWith(Key, SignatureAlgorithm) instead. But we how to do it. just swap the position?
How should I change the original code as follows to use a correct method?
public class JwtUtil {
public static final long JWT_TTL = 60 * 60 * 1000L * 24 * 14;
public static final String JWT_KEY = "JSDFSDFSDFASJDHASDASDdfa32dJHASFDA67765asda123dsdsw";
public static String getUUID() {
return UUID.randomUUID().toString().replaceAll("-", "");
}
public static String createJWT(String subject) {
JwtBuilder builder = getJwtBuilder(subject, null, getUUID());
return builder.compact();
}
private static JwtBuilder getJwtBuilder(String subject, Long ttlMillis, String uuid) {
SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.HS256;
SecretKey secretKey = generalKey();
long nowMillis = System.currentTimeMillis();
Date now = new Date(nowMillis);
if (ttlMillis == null) {
ttlMillis = JwtUtil.JWT_TTL;
}
long expMillis = nowMillis + ttlMillis;
Date expDate = new Date(expMillis);
return Jwts.builder()
.setId(uuid)
.setSubject(subject)
.setIssuer("sg")
.setIssuedAt(now)
.signWith(signatureAlgorithm, secretKey)
.setExpiration(expDate);
}
public static SecretKey generalKey() {
byte[] encodeKey = Base64.getDecoder().decode(JwtUtil.JWT_KEY);
return new SecretKeySpec(encodeKey, 0, encodeKey.length, "HmacSHA256");
}
public static Claims parseJWT(String jwt) throws Exception {
SecretKey secretKey = generalKey();
return Jwts.parserBuilder()
.setSigningKey(secretKey)
.build()
.parseClaimsJws(jwt)
.getBody();
}
}
I notice that its doc for key is different.
The deprecated is key – the algorithm-specific signing key to use to digitally sign the JWT.
The other is key – the signing key to use to digitally sign the JWT.
So I think the key is different. But I don't know how to adjust my code.
Since signWith(SignatureAlgorithm, SecretKey) is deprecated, you can use signWith(SecretKey) or signWith(SecretKey, SignatureAlgorithm).
When using HMAC-SHA, ensure that the secret key provided is at least as many bits as the algorithm's signature.
HMAC-SHA-256: 256 bits.
HMAC-SHA-384: 384 bits.
HMAC-SHA-512: 512 bits.
private static JwtBuilder getJwtBuilder(String subject, Long ttlMillis, String uuid) {
.
.
.
SecretKey secretKey = generalKey();
return Jwts.builder()
.setId(uuid)
.setSubject(subject)
.setIssuer("sg")
.setIssuedAt(now)
.signWith(secretKey) //The signature algorithm is selected according to the size of secret key
.setExpiration(expDate);
}
public static SecretKey generalKey(){
byte[] encodeKey = Base64.getDecoder().decode(JwtUtil.JWT_KEY);
return Keys.hmacShaKeyFor(encodeKey);
}
Also, add the following dependencies:
For Maven:
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-api</artifactId>
<version>0.11.5</version>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-impl</artifactId>
<version>0.11.5</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<version>0.11.5</version>
<scope>runtime</scope>
</dependency>
For Gradle:
dependencies {
implementation 'io.jsonwebtoken:jjwt-api:0.11.5'
runtime 'io.jsonwebtoken:jjwt-impl:0.11.5'
implementation 'io.jsonwebtoken:jjwt-jackson:0.11.5'
}