Kalmaasaly / angular-spring-boot-app

Create an application using Angular + Spring Boot

WeakKeyException: The specified key byte array is 160 bits, insufficient for JWT HMAC-SHA algorithms #5

Closed Kalmaasaly closed 1 month ago

Kalmaasaly commented 1 month ago

Our application is encountering a WeakKeyException when attempting to process JWT tokens. The error indicates that the specified key byte array is 160 bits, which is not secure enough for any JWT HMAC-SHA algorithm. According to the JWT JWA Specification (RFC 7518, Section 3.2), keys used with HMAC-SHA algorithms must have a size of at least 256 bits.

Error Stack Trace:

2024-06-07T20:50:50.305+03:00 ERROR 24336 --- [nio-8080-exec-3] o.a.c.c.C.[.[.[.[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [/api/v1] threw exception [Request processing failed: io.jsonwebtoken.security.WeakKeyException: The specified key byte array is 160 bits which is not secure enough for any JWT HMAC-SHA algorithm. The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with HMAC-SHA algorithms MUST have a size >= 256 bits (the key size must be greater than or equal to the hash output size). Consider using the io.jsonwebtoken.security.Keys#secretKeyFor(SignatureAlgorithm) method to create a key guaranteed to be secure enough for your preferred HMAC-SHA algorithm. See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.] with root cause

io.jsonwebtoken.security.WeakKeyException: The specified key byte array is 160 bits which is not secure enough for any JWT HMAC-SHA algorithm. The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with HMAC-SHA algorithms MUST have a size >= 256 bits (the key size must be greater than or equal to the hash output size). Consider using the io.jsonwebtoken.security.Keys#secretKeyFor(SignatureAlgorithm) method to create a key guaranteed to be secure enough for your preferred HMAC-SHA algorithm. See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.
        at io.jsonwebtoken.security.Keys.hmacShaKeyFor(Keys.java:96) ~[jjwt-api-0.11.5.jar:0.11.5]
        at org.serp.booklending.security.services.JwtService.getSignKey(JwtService.java:89) ~[classes/:na]
        at org.serp.booklending.security.services.JwtService.buildToken(JwtService.java:70) ~[classes/:na]
        at org.serp.booklending.security.services.JwtService.generateToken(JwtService.java:55) ~[classes/:na]
        at org.serp.booklending.security.services.AuthenticationService.authenticate(AuthenticationService.java:102) ~[classes/:na]
    ...
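As an added example, not code from this repository, the following shows how the key-loading path that getSignKey() wraps can validate the decoded secret length before handing it to Keys.hmacShaKeyFor, and how to generate a correctly sized secret for application.properties with the jjwt 0.11.5 API seen in the trace. The class name JwtKeyCheck, the Base64 encoding of the configured secret, and the constructed 20-byte weak secret are assumptions; jjwt-impl and jjwt-jackson must be on the runtime classpath alongside jjwt-api.

```java
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.io.Encoders;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.WeakKeyException;
import javax.crypto.SecretKey;

public class JwtKeyCheck {
    // RFC 7518 section 3.2: an HMAC-SHA key must be at least the hash output size (256 bits for HS256).
    private static final int MIN_HMAC_KEY_BITS = 256;

    // Decodes a Base64 secret from configuration and checks its size up front, so a short
    // secret fails at startup with a clear message instead of on the first login request.
    static SecretKey loadSigningKey(String base64Secret) {
        byte[] keyBytes = Decoders.BASE64.decode(base64Secret);
        int bits = keyBytes.length * 8;
        if (bits < MIN_HMAC_KEY_BITS) {
            throw new IllegalStateException("jwt secret is " + bits
                    + " bits; HS256 needs at least " + MIN_HMAC_KEY_BITS + " bits");
        }
        // hmacShaKeyFor applies the same check and selects HS256/384/512 from the key size.
        return Keys.hmacShaKeyFor(keyBytes);
    }

    // Generates a fresh 256-bit random key and returns it Base64-encoded for application.properties.
    static String newBase64Secret() {
        SecretKey key = Keys.secretKeyFor(SignatureAlgorithm.HS256);
        return Encoders.BASE64.encode(key.getEncoded());
    }

    public static void main(String[] args) {
        // Constructed 20-byte (160-bit) secret: reproduces the WeakKeyException from the issue.
        String weak = Encoders.BASE64.encode(new byte[20]);
        try {
            Keys.hmacShaKeyFor(Decoders.BASE64.decode(weak));
        } catch (WeakKeyException e) {
            System.out.println("160-bit key rejected: " + e.getMessage());
        }
        // Correctly sized secret: sign a token and verify it round-trips.
        SecretKey key = loadSigningKey(newBase64Secret());
        String token = Jwts.builder().setSubject("alice").signWith(key).compact();
        String subject = Jwts.parserBuilder().setSigningKey(key).build()
                .parseClaimsJws(token).getBody().getSubject();
        System.out.println("round trip subject: " + subject);
    }
}
```

Store the generated value as the configured secret rather than a short passphrase; a 20-character string decodes to exactly the 160 bits the trace reports.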
Kalmaasaly commented 1 month ago

fixed