ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5659/java/rule.adoc

78 lines
2.0 KiB
Plaintext
Raw Blame History

== Why is this an issue?
include::../description.adoc[]
=== Noncompliant code example
Using https://github.com/jwtk/jjwt[jwtk/Java JWT] library (to verify a signed token (containing a JWS) don't use the ``++parse++`` method as it doesn't throw an exception if an unsigned token is provided):
[source,java]
----
// Signing:
io.jsonwebtoken.Jwts.builder() // Noncompliant, token is not signed.
.setSubject(USER_LOGIN)
.compact();
// Verifying:
io.jsonwebtoken.Jwts.parser().setSigningKey(SECRET_KEY).parse(token).getBody(); // Noncompliant
----
Using https://github.com/auth0/java-jwt[auth0/Java JWT] library:
[source,java]
----
// Signing:
com.auth0.jwt.JWT.create()
.withSubject(SUBJECT)
.sign(Algorithm.none()); // Noncompliant, use only strong cipher algorithms when signing this JWT.
// Verifying:
JWTVerifier nonCompliantVerifier = com.auth0.jwt.JWT.require(Algorithm.none()) // Noncompliant
.withSubject(LOGIN)
.build();
----
=== Compliant solution
Using https://github.com/jwtk/jjwt[Java JWT] library (to verify a signed token (containing a JWS) use the ``++parseClaimsJws++`` method that will throw an exception if an unsigned token is provided):
[source,java]
----
// Signing:
Jwts.builder() // Compliant
.setSubject(USER_LOGIN)
.signWith(SignatureAlgorithm.HS256, SECRET_KEY)
.compact();
// Verifying:
Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJws(token).getBody(); // Compliant
----
Using https://github.com/auth0/java-jwt[auth0/Java JWT] library. I
[source,java]
----
// Signing:
JWT.create()
.withSubject(SUBJECT)
.sign(Algorithm.HMAC256(SECRET_KEY)); // Compliant
// Verifying:
JWTVerifier nonCompliantVerifier = JWT.require(Algorithm.HMAC256(SECRET_KEY)) // Compliant
.withSubject(LOGIN)
.build();
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink