Complete Spring Security & JWT tutorial [2024]

  • Published: Oct 4, 2024

Comments • 7

  • @IOCodes
    @IOCodes  3 months ago +2

    @Sliepov check out this video using the link ruclips.net/video/KW5EwW1iPJE/видео.html

  • @Sliepov
    @Sliepov 3 months ago +2

    Cannot resolve method 'parserBuilder' in 'Jwts'

    • @Sliepov
      @Sliepov 3 months ago

      for jjwt-api:0.12.5

    • @IOCodes
      @IOCodes  3 months ago

      In that case, make use of the parser function as shown below,
      but you'll have to note that some of the functions have been deprecated for this particular dependency version.

    • @IOCodes
      @IOCodes  3 months ago

      Jwts.parser()
      .setSigningKey(generateSigningKey())
      .build()
      .parseClaimsJws(jwtToken)
      .getBody();

  • @alessandrocattaneo-v7q
    @alessandrocattaneo-v7q 11 days ago

    In this tutorial I did not understand how you verify the token when you make a request from the UI or Postman to the backend. You only check if the token is not expired, if the user is present in the db and if the user is logged in, but you never verify the token sign. Can you, with your implementation, have multiple users logged in at the same time? If I'm not wrong, no. And if you can, you could have a user logged in with User Role and a user logged in with an Admin Role at the same time; an attacker can forge a token which is not expired and has set as username the username of an admin user and interact with your application as an admin because you never check the token sign. Am I wrong?

    • @IOCodes
      @IOCodes  10 days ago

      @alessandrocattaneo-v7q
      Firstly, I'd love to start off by saying yes, you can have multiple logged-in users at the same time making requests to the application. Although I've implemented the project with the use of an 'In Memory Db', it is still very possible to have other logged-in users in the application because I've included a '/register' endpoint where a new user can be registered.
      And secondly, with every request that is made from the client to the server, the jwtToken is verified due to the presence of the extractClaims method in the JwtService class, whose snippet is shown below:
      public Claims extractClaims(String jwtToken) {
          return Jwts.parser()
                  // This line ensures that the token is verified with the initial key that was used in the creation of the token.
                  .verifyWith(generateSigningKey())
                  .build()
                  .parseSignedClaims(jwtToken)
                  .getPayload();
      }
      and the process of checking if the token has expired involves extracting the claims which also involves verifying the token with the initial key that was used in signing it.
      I hope with this response I've answered your questions?
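
Added example, not code from the video or from its author: a runnable check of the point discussed in this thread, that the jjwt 0.12 parser chain with verifyWith rejects a token whose payload was edited after signing. The class name, the generated demo key (standing in for generateSigningKey()) and the tamperSubject helper are assumptions made for the illustration.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Date;

public class SignatureCheckDemo {
    // Constructed demo key; stands in for generateSigningKey() from the thread (assumption).
    private static final SecretKey KEY = Jwts.SIG.HS256.key().build();

    // Same parser chain as extractClaims above: the signature is verified before claims are returned.
    static Claims extractClaims(String jwtToken) {
        return Jwts.parser()
                .verifyWith(KEY)
                .build()
                .parseSignedClaims(jwtToken)
                .getPayload();
    }

    // Hypothetical helper: edits the subject in the payload, keeps the original header and signature.
    static String tamperSubject(String jwtToken, String from, String to) {
        String[] parts = jwtToken.split("\\.");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        String edited = payload.replace("\"" + from + "\"", "\"" + to + "\"");
        String encoded = Base64.getUrlEncoder().withoutPadding()
                .encodeToString(edited.getBytes(StandardCharsets.UTF_8));
        return parts[0] + "." + encoded + "." + parts[2];
    }

    public static void main(String[] args) {
        String token = Jwts.builder()
                .subject("user1") // constructed sample user
                .expiration(new Date(System.currentTimeMillis() + 600_000))
                .signWith(KEY)
                .compact();
        System.out.println("genuine subject: " + extractClaims(token).getSubject());

        String forged = tamperSubject(token, "user1", "admin");
        try {
            extractClaims(forged);
            System.out.println("forged token accepted");
        } catch (JwtException e) {
            // Expected path: the signature no longer matches the edited payload.
            System.out.println("forged token rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

A request filter is only protected by this check if every claim it reads comes from the verified parser call; a username obtained by Base64-decoding the payload by hand bypasses it.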