I make use of the class org.springframework.security.jwt.JwtHelper from org.springframework.security:spring-security-jwt:1.1.0.RELEASE for decoding JWT tokens, e.g.
Jwt jwt = JwtHelper.decode(accessToken);
String claims = jwt.getClaims();
The above classes are deprecated and the deprecation comment points to Spring Security OAuth 2.0 Migration Guide. This guide does not talk about any replacement for JwtHelper.
I found the class JwtDecoders which creates a JwtDecoder in the new spring-security-oauth2 project. But JwtDecoders requires an issuer to be passed.
Since I do not wish to verify the token, is there a simple alternative available? Otherwise I can split on . and base64-decode the token, and use any JSON library to parse.
The replacement used in Spring Security is nimbus-jose-jwt. If you don't use Spring Boot, you have to choose a version; otherwise Spring Boot will choose one for you.
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
</dependency>
You can just use it like this:
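import com.nimbusds.jose.Header;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
....
// Parses the token without verifying its signature; throws java.text.ParseException if it is malformed
JWT jwt = JWTParser.parse(accessToken);
Header header = jwt.getHeader();
JWTClaimsSet jwtClaimSet = jwt.getJWTClaimsSet();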
This worked fine for me without any new dependency.
// Verifies the HMAC signature with the given key before returning the claims; the key literal is a sample value
Jws<Claims> claimsJws = Jwts.parserBuilder()
        .setSigningKey(Keys.hmacShaKeyFor("secretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecretsecret".getBytes(StandardCharsets.UTF_8)))
        .build().parseClaimsJws(token);
String username = claimsJws.getBody().getSubject();
// Marks the caller as authenticated with no credentials and no authorities
Authentication authentication = new UsernamePasswordAuthenticationToken(username, null, null);
SecurityContextHolder.getContext().setAuthentication(authentication);
Do not skip token verification! Failure to verify the token properly will result in an insecure app.
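The split-and-base64-decode approach from the question, next to a verifying decode, as an added example that is not from any of the posts above. It uses only the JDK; the class name, the HS256 choice, the key and the sample token are assumptions constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwtDecodeDemo {
    private static final Base64.Decoder B64 = Base64.getUrlDecoder();

    // Inspection only: returns the claims JSON WITHOUT checking the signature.
    static String unverifiedClaims(String token) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWS");
        return new String(B64.decode(parts[1]), StandardCharsets.UTF_8);
    }

    // Returns the claims JSON only if the HS256 signature matches. The algorithm is
    // fixed by the verifier and never read from the token's own "alg" header.
    static String verifiedClaims(String token, byte[] key) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3) throw new IllegalArgumentException("not a compact JWS");
        byte[] expected = hmac(parts[0] + "." + parts[1], key);
        if (!MessageDigest.isEqual(expected, B64.decode(parts[2]))) // constant-time compare
            throw new SecurityException("signature mismatch");
        return new String(B64.decode(parts[1]), StandardCharsets.UTF_8);
    }

    static byte[] hmac(String signingInput, byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        byte[] key = "constructed-demo-key-32-bytes-min!".getBytes(StandardCharsets.UTF_8);
        // Constructed sample token, signed here so the example runs offline.
        String head = enc.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String body = enc.encodeToString("{\"sub\":\"alice\"}".getBytes(StandardCharsets.UTF_8));
        String token = head + "." + body + "." + enc.encodeToString(hmac(head + "." + body, key));
        // Same header and signature, but the payload was changed after signing.
        String tamperedBody = enc.encodeToString("{\"sub\":\"admin\"}".getBytes(StandardCharsets.UTF_8));
        String tampered = head + "." + tamperedBody + "." + token.split("\\.")[2];

        System.out.println("verified:   " + verifiedClaims(token, key));
        System.out.println("unverified: " + unverifiedClaims(tampered)); // decodes without complaint
        try { verifiedClaims(tampered, key); }
        catch (SecurityException e) { System.out.println("tampered token rejected: " + e.getMessage()); }
    }
}
```

The unverified path is suitable for logging or debugging a token that another component has already validated; anything that feeds an authorization decision should come from the verified path.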