rspec/rules/S5659/java/rule.adoc

include::../description.adoc[]

== Noncompliant Code Example

Using https://github.com/jwtk/jjwt[jwtk/Java JWT] library (to verify a signed token (containing a JWS) don't use the ``++parse++`` method as it doesn't throw an exception if an unsigned token is provided):

----
// Signing:
io.jsonwebtoken.Jwts.builder() // Noncompliant, token is not signed.
  .setSubject(USER_LOGIN)
  .compact();
// Verifying:
io.jsonwebtoken.Jwts.parser().setSigningKey(SECRET_KEY).parse(token).getBody(); // Noncompliant
----

Using https://github.com/auth0/java-jwt[auth0/Java JWT] library:

----
// Signing:
com.auth0.jwt.JWT.create()
  .withSubject(SUBJECT)
  .sign(Algorithm.none()); // Noncompliant, use only strong cipher algorithms when signing this JWT.
// Verifying:
JWTVerifier nonCompliantVerifier = com.auth0.jwt.JWT.require(Algorithm.none()) // Noncompliant
  .withSubject(LOGIN)
  .build();
----

== Compliant Solution

Using https://github.com/jwtk/jjwt[Java JWT] library (to verify a signed token (containing a JWS) use the ``++parseClaimsJws++`` method that will throw an exception if an unsigned token is provided):

----
// Signing:
Jwts.builder() // Compliant
  .setSubject(USER_LOGIN)
  .signWith(SignatureAlgorithm.HS256, SECRET_KEY)
  .compact();
// Verifying:
Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody(); // Compliant
----

Using https://github.com/auth0/java-jwt[auth0/Java JWT] library. I

----
// Signing:
JWT.create()
  .withSubject(SUBJECT)
  .sign(Algorithm.HMAC256(SECRET_KEY)); // Noncompliant, use only strong cipher algorithms when signing this JWT.
// Verifying:
JWTVerifier nonCompliantVerifier = JWT.require(Algorithm.HMAC256(SECRET_KEY)) // Noncompliant
  .withSubject(LOGIN)
  .build();
----

include::../see.adoc[]
Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			`include::../description.adoc[]`
Nightly update 2021-01-23 04:07:47 +00:00
Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			`== Noncompliant Code Example`
Nightly update 2021-01-23 04:07:47 +00:00
Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			Using https://github.com/jwtk/jjwt[jwtk/Java JWT] library (to verify a signed token (containing a JWS) don't use the ``++parse++`` method as it doesn't throw an exception if an unsigned token is provided):
Nightly update 2021-01-23 04:07:47 +00:00
			`----`
Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			`// Signing:`
Nightly update 2021-01-23 04:07:47 +00:00			`io.jsonwebtoken.Jwts.builder() // Noncompliant, token is not signed.`
			`.setSubject(USER_LOGIN)`
			`.compact();`
			`// Verifying:`
Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			`io.jsonwebtoken.Jwts.parser().setSigningKey(SECRET_KEY).parse(token).getBody(); // Noncompliant`
Nightly update 2021-01-23 04:07:47 +00:00			`----`

			`Using https://github.com/auth0/java-jwt[auth0/Java JWT] library:`

			`----`
Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			`// Signing:`
Nightly update 2021-01-23 04:07:47 +00:00			`com.auth0.jwt.JWT.create()`
			`.withSubject(SUBJECT)`
			`.sign(Algorithm.none()); // Noncompliant, use only strong cipher algorithms when signing this JWT.`
			`// Verifying:`
			`JWTVerifier nonCompliantVerifier = com.auth0.jwt.JWT.require(Algorithm.none()) // Noncompliant`
			`.withSubject(LOGIN)`
			`.build();`
			`----`

			`== Compliant Solution`

Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			Using https://github.com/jwtk/jjwt[Java JWT] library (to verify a signed token (containing a JWS) use the ``++parseClaimsJws++`` method that will throw an exception if an unsigned token is provided):
Nightly update 2021-01-23 04:07:47 +00:00
			`----`
Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			`// Signing:`
Nightly update 2021-01-23 04:07:47 +00:00			`Jwts.builder() // Compliant`
			`.setSubject(USER_LOGIN)`
			`.signWith(SignatureAlgorithm.HS256, SECRET_KEY)`
			`.compact();`
			`// Verifying:`
			`Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody(); // Compliant`
			`----`

Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			`Using https://github.com/auth0/java-jwt[auth0/Java JWT] library. I`
Nightly update 2021-01-23 04:07:47 +00:00
			`----`
Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			`// Signing:`
Nightly update 2021-01-23 04:07:47 +00:00			`JWT.create()`
			`.withSubject(SUBJECT)`
			`.sign(Algorithm.HMAC256(SECRET_KEY)); // Noncompliant, use only strong cipher algorithms when signing this JWT.`
			`// Verifying:`
			`JWTVerifier nonCompliantVerifier = JWT.require(Algorithm.HMAC256(SECRET_KEY)) // Noncompliant`
			`.withSubject(LOGIN)`
			`.build();`
			`----`

			`include::../see.adoc[]`