rspec/rules/S5659/java/rule.adoc

== Why is this an issue?

include::../description.adoc[]

=== Noncompliant code example

Using https://github.com/jwtk/jjwt[jwtk/Java JWT] library (to verify a signed token (containing a JWS) don't use the ``++parse++`` method as it doesn't throw an exception if an unsigned token is provided):

[source,java]
----
// Signing:
io.jsonwebtoken.Jwts.builder() // Noncompliant, token is not signed.
  .setSubject(USER_LOGIN)
  .compact();
// Verifying:
io.jsonwebtoken.Jwts.parser().setSigningKey(SECRET_KEY).parse(token).getBody(); // Noncompliant
----

Using https://github.com/auth0/java-jwt[auth0/Java JWT] library:

[source,java]
----
// Signing:
com.auth0.jwt.JWT.create()
  .withSubject(SUBJECT)
  .sign(Algorithm.none()); // Noncompliant, use only strong cipher algorithms when signing this JWT.
// Verifying:
JWTVerifier nonCompliantVerifier = com.auth0.jwt.JWT.require(Algorithm.none()) // Noncompliant
  .withSubject(LOGIN)
  .build();
----

=== Compliant solution

Using https://github.com/jwtk/jjwt[Java JWT] library (to verify a signed token (containing a JWS) use the ``++parseClaimsJws++`` method that will throw an exception if an unsigned token is provided):

[source,java]
----
// Signing:
Jwts.builder() // Compliant
  .setSubject(USER_LOGIN)
  .signWith(SignatureAlgorithm.HS256, SECRET_KEY)
  .compact();
// Verifying:
Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody(); // Compliant
----

Using https://github.com/auth0/java-jwt[auth0/Java JWT] library. I

[source,java]
----
// Signing:
JWT.create()
  .withSubject(SUBJECT)
  .sign(Algorithm.HMAC256(SECRET_KEY)); // Compliant
// Verifying:
JWTVerifier nonCompliantVerifier = JWT.require(Algorithm.HMAC256(SECRET_KEY)) // Compliant
  .withSubject(LOGIN)
  .build();
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			`include::../description.adoc[]`
Nightly update 2021-01-23 04:07:47 +00:00
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Nightly update 2021-01-23 04:07:47 +00:00
Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			Using https://github.com/jwtk/jjwt[jwtk/Java JWT] library (to verify a signed token (containing a JWS) don't use the ``++parse++`` method as it doesn't throw an exception if an unsigned token is provided):
Nightly update 2021-01-23 04:07:47 +00:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Nightly update 2021-01-23 04:07:47 +00:00			`----`
Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			`// Signing:`
Nightly update 2021-01-23 04:07:47 +00:00			`io.jsonwebtoken.Jwts.builder() // Noncompliant, token is not signed.`
			`.setSubject(USER_LOGIN)`
			`.compact();`
			`// Verifying:`
Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			`io.jsonwebtoken.Jwts.parser().setSigningKey(SECRET_KEY).parse(token).getBody(); // Noncompliant`
Nightly update 2021-01-23 04:07:47 +00:00			`----`

			`Using https://github.com/auth0/java-jwt[auth0/Java JWT] library:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Nightly update 2021-01-23 04:07:47 +00:00			`----`
Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			`// Signing:`
Nightly update 2021-01-23 04:07:47 +00:00			`com.auth0.jwt.JWT.create()`
			`.withSubject(SUBJECT)`
			`.sign(Algorithm.none()); // Noncompliant, use only strong cipher algorithms when signing this JWT.`
			`// Verifying:`
			`JWTVerifier nonCompliantVerifier = com.auth0.jwt.JWT.require(Algorithm.none()) // Noncompliant`
			`.withSubject(LOGIN)`
			`.build();`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Nightly update 2021-01-23 04:07:47 +00:00
Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			Using https://github.com/jwtk/jjwt[Java JWT] library (to verify a signed token (containing a JWS) use the ``++parseClaimsJws++`` method that will throw an exception if an unsigned token is provided):
Nightly update 2021-01-23 04:07:47 +00:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Nightly update 2021-01-23 04:07:47 +00:00			`----`
Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			`// Signing:`
Nightly update 2021-01-23 04:07:47 +00:00			`Jwts.builder() // Compliant`
			`.setSubject(USER_LOGIN)`
			`.signWith(SignatureAlgorithm.HS256, SECRET_KEY)`
			`.compact();`
			`// Verifying:`
			`Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody(); // Compliant`
			`----`

Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			`Using https://github.com/auth0/java-jwt[auth0/Java JWT] library. I`
Nightly update 2021-01-23 04:07:47 +00:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Nightly update 2021-01-23 04:07:47 +00:00			`----`
Add APEX into the covered languages for missing rules 2021-02-15 17:20:44 +01:00			`// Signing:`
Nightly update 2021-01-23 04:07:47 +00:00			`JWT.create()`
			`.withSubject(SUBJECT)`
Nightly update 2021-05-21 01:24:06 +00:00			`.sign(Algorithm.HMAC256(SECRET_KEY)); // Compliant`
Nightly update 2021-01-23 04:07:47 +00:00			`// Verifying:`
Nightly update 2021-05-21 01:24:06 +00:00			`JWTVerifier nonCompliantVerifier = JWT.require(Algorithm.HMAC256(SECRET_KEY)) // Compliant`
Nightly update 2021-01-23 04:07:47 +00:00			`.withSubject(LOGIN)`
			`.build();`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`