JSON Web Signature (JWS) Hello App
Learn about the JSON Web Signature with a code example.
In this lesson, we use the Nimbus JOSE + JWT library to experiment with JSON Web Signature (JWS). Our goal is to get a feel for what a JWS is and what its internal structure looks like.
Create the project
We start from the project template we defined earlier. Although we will not create a web application in this lesson, the template works for a plain command-line program as well.
If you want to work within the Educative platform, simply use the project provided at the end of this lesson. If you choose to work locally, create a Maven project named jwtHello as described in "Introduction to Window Shopping."
Add dependency
Add the following JWT dependency to the pom.xml file:

    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>

        <groupId>be.rubus.security.workshop</groupId>
        <artifactId>jwtHello</artifactId>
        <version>1.0-SNAPSHOT</version>
        <packaging>war</packaging>

        <properties>
            <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
            <maven.compiler.source>11</maven.compiler.source>
            <maven.compiler.target>11</maven.compiler.target>
            <failOnMissingWebXml>false</failOnMissingWebXml>
        </properties>

        <dependencies>
            <dependency>
                <groupId>jakarta.platform</groupId>
                <artifactId>jakarta.jakartaee-web-api</artifactId>
                <version>8.0.0</version>
                <scope>provided</scope>
            </dependency>
            <dependency>
                <groupId>com.nimbusds</groupId>
                <artifactId>nimbus-jose-jwt</artifactId>
                <version>9.21</version>
            </dependency>
        </dependencies>

        <build>
            <plugins>
                <plugin>
                    <groupId>org.codehaus.mojo</groupId>
                    <artifactId>exec-maven-plugin</artifactId>
                    <version>1.2.1</version>
                    <configuration>
                        <mainClass>be.rubus.security.workshop.jwt.JWSHello</mainClass>
                        <arguments>
                            <argument>argument1</argument>
                        </arguments>
                    </configuration>
                </plugin>
            </plugins>
            <finalName>jwtHello</finalName>
        </build>
    </project>
Explanation
Lines 24–28: We add the nimbus-jose-jwt dependency, which contains the utility classes and methods for working with JWT and the related JOSE concepts (JWS among them).
Class JWSHello
Let's go ahead and create the new class file JWSHello.java in the Maven source directory src/main/java/be/rubus/security/workshop/jwt (the directory must match the package declared in the file):

    package be.rubus.security.workshop.jwt;

    import com.nimbusds.jose.*;
    import com.nimbusds.jose.crypto.MACSigner;
    import com.nimbusds.jose.crypto.MACVerifier;

    import java.security.SecureRandom;
    import java.text.ParseException;
    import java.util.Base64;

    /*
     * Signs a payload with HS256, verifies it, then shows that a token with a swapped payload fails to verify.
     */
    public class JWSHello {

        public static void main(String[] args) throws JOSEException, ParseException {
            // Generate a random 256-bit shared secret; HS256 requires at least 32 bytes of key material.
            SecureRandom random = new SecureRandom();
            byte[] sharedSecret = new byte[32]; // == 256 bit, OK for a 256-bit based hash
            random.nextBytes(sharedSecret);

            // Create the HMAC signer and sign a plain-text payload with the HS256 algorithm.
            JWSSigner signer = new MACSigner(sharedSecret);
            JWSObject jwsObject = new JWSObject(new JWSHeader(JWSAlgorithm.HS256), new Payload("Hello, world!"));
            jwsObject.sign(signer);

            // Compact serialization: base64url(header).base64url(payload).base64url(signature)
            String s = jwsObject.serialize();
            System.out.println("JWT = " + s);

            // Parse the string back and verify the signature with the same shared secret.
            JWSObject jws = JWSObject.parse(s);
            JWSVerifier verifier = new MACVerifier(sharedSecret);
            if (jws.verify(verifier)) {
                System.out.println("Payload of JWT " + jws.getPayload());
            }

            // The middle part (between the dots) is only base64url-encoded text, not encrypted.
            // JWS uses base64url without padding; the JDK's basic decoder tolerates missing padding
            // and this value contains no '-' or '_', so it decodes here. Base64.getUrlDecoder()
            // is the correct general choice for JWS segments.
            String payload = "SGVsbG8sIHdvcmxkIQ"; // Between the . (dots)
            byte[] content = Base64.getDecoder().decode(payload); // Use the Base64 of the JDK, no extra dependencies needed
            System.out.println("BASE64 decoded =" + new String(content));

            // Build a token with a different payload but the original header and a signature
            // taken from an earlier run. The signature no longer covers this payload (and the
            // secret is regenerated every run), so the verifier must reject it.
            String tamperedPayload = Base64.getEncoder().encodeToString("Tampered message".getBytes());
            System.out.println("tampered Payload " + tamperedPayload);
            String tamperedMessage = "eyJhbGciOiJIUzI1NiJ9." + tamperedPayload.replace("=", "")
                    + ".EV6iwJwHAPEPGosSnaqk7oa8z8YHiCiv21pci5e9Wjc";

            JWSObject myMessage = JWSObject.parse(tamperedMessage);
            System.out.println("Verify success ? " + myMessage.verify(verifier));
        }
    }
Explanation
Line 14: We create a new class called JWSHello ...
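To make the structure of a compact JWS concrete, here is an added example (not part of the lesson and not Nimbus library code) that does by hand what MACSigner and MACVerifier do internally, using only the JDK. It builds the three base64url segments, computes HMAC-SHA256 over header.payload, and verifies by recomputing the MAC and comparing in constant time. The class name JwsManualVerify, the helper names and the fixed secret are my own constructions; the lesson draws a random secret instead. Because the header is the same {"alg":"HS256"}, the token starts with the eyJhbGciOiJIUzI1NiJ9 prefix seen above, and "Hello, world!" encodes to the SGVsbG8sIHdvcmxkIQ segment the lesson decodes.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class JwsManualVerify {

    // Constructed demo secret (the lesson draws a random one per run); 32 bytes satisfies HS256.
    private static final byte[] SECRET =
            "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    // JWS mandates base64url WITHOUT padding for all three segments.
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    static byte[] hmacSha256(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    /** Compact serialization: base64url(header) "." base64url(payload) "." base64url(HMAC). */
    static String sign(String payload, byte[] key) throws Exception {
        String header = B64.encodeToString("{\"alg\":\"HS256\"}".getBytes(StandardCharsets.UTF_8));
        String body = B64.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + body;   // the MAC covers header AND payload
        return signingInput + "." + B64.encodeToString(hmacSha256(key, signingInput));
    }

    /** Returns the decoded payload, or null if the token is malformed or its MAC does not match. */
    static String verifyAndGetPayload(String jws, byte[] key) throws Exception {
        String[] parts = jws.split("\\.", -1);
        if (parts.length != 3) return null;
        byte[] headerBytes, bodyBytes, sig;
        try {
            headerBytes = B64D.decode(parts[0]);
            bodyBytes = B64D.decode(parts[1]);
            sig = B64D.decode(parts[2]);
        } catch (IllegalArgumentException e) {
            return null;  // not valid base64url
        }
        // Pin the algorithm: the verifier decides which algorithm it accepts, never the token.
        // (Crude substring check for the demo; real code parses the header as JSON.)
        String header = new String(headerBytes, StandardCharsets.UTF_8);
        if (!header.replace(" ", "").contains("\"alg\":\"HS256\"")) return null;
        byte[] expected = hmacSha256(key, parts[0] + "." + parts[1]);
        // Constant-time comparison so timing does not leak how many bytes matched.
        if (!MessageDigest.isEqual(expected, sig)) return null;
        return new String(bodyBytes, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String token = sign("Hello, world!", SECRET);
        System.out.println("JWS = " + token);
        System.out.println("verified payload = " + verifyAndGetPayload(token, SECRET));

        // Same experiment as the lesson: keep header and signature, swap the middle segment.
        String[] p = token.split("\\.");
        String tampered = p[0] + "."
                + B64.encodeToString("Tampered message".getBytes(StandardCharsets.UTF_8))
                + "." + p[2];
        System.out.println("tampered payload accepted? " + (verifyAndGetPayload(tampered, SECRET) != null));

        // A different key also fails: the MAC binds the token to the secret, not only to the content.
        byte[] otherKey = "ffffffffffffffffffffffffffffffff".getBytes(StandardCharsets.US_ASCII);
        System.out.println("wrong key accepted? " + (verifyAndGetPayload(token, otherKey) != null));
    }
}
```

Run it with the same JDK 11 setup as the lesson; it needs no Maven dependency. The two points worth taking from it are that the MAC is computed over the already-encoded header and payload (so changing a single character of either segment invalidates it), and that the verifier, not the incoming token, fixes which algorithm and which key are acceptable.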