Fix token signature validation
		
				
					committed by
					
						 Nanne Baars
						Nanne Baars
					
				
			
			
				
	
			
			
			
						parent
						
							9403bbb851
						
					
				
				
					commit
					362248a065
				
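--- a/JWTSecretKeyEndpoint.java
+++ b/JWTSecretKeyEndpoint.java
@@ -75,7 +75,7 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint
     @ResponseBody
     public AttackResult login(@RequestParam String token) {
         try {
-            Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parse(token);
+            Jwt jwt = Jwts.parser().setSigningKey(JWT_SECRET).parseClaimsJws(token);
             Claims claims = (Claims) jwt.getBody();
             if (!claims.keySet().containsAll(expectedClaims)) {
                 return failed(this).feedback("jwt-secret-claims-missing").build();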
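Review bot: The `Jwt jwt` on the changed line is now a raw type holding what `parseClaimsJws` returns, so the cast `(Claims) jwt.getBody()` on the next line is redundant; `Jws<Claims> jws = Jwts.parser().setSigningKey(JWT_SECRET).parseClaimsJws(token);` followed by `Claims claims = jws.getBody();` states the intent without the raw type or the cast. The reason for the change is also worth keeping next to the code, since a future edit back to `parse` would look harmless: `// parseClaimsJws rejects tokens that carry no valid signature; parse() did not`. The remainder of login(), including whatever catch clause turns parser exceptions into feedback, lies outside the hunk.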
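--- a/JWTSecretKeyEndpointTest.java
+++ b/JWTSecretKeyEndpointTest.java
@@ -128,4 +128,15 @@ public class JWTSecretKeyEndpointTest extends LessonTest
                 .andExpect(status().isOk())
                 .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
     }
+
+    @Test
+    void unsignedToken() throws Exception {
+        Claims claims = createClaims("WebGoat");
+        String token = Jwts.builder().setClaims(claims).compact();
+
+        mockMvc.perform(MockMvcRequestBuilders.post("/JWT/secret")
+                .param("token", token))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.feedback", CoreMatchers.is(messages.getMessage("jwt-invalid-token"))));
+    }
 }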
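Review bot: The builder chain on the `String token = ...` line deliberately omits `signWith(...)`, which is what makes the token unsigned, but nothing in the test says so and a reader could take it for an oversight; a comment such as `// no signWith(): unsigned token, which /JWT/secret must reject` would make the intent explicit. The assertion checks only the generic jwt-invalid-token feedback, the same message the test just above it expects, so it cannot tell a rejected signature apart from any other parse failure. A companion test that signs the same claims with a key other than the endpoint's secret would pin the signature check itself rather than the error path shared with malformed input.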
	