我打算将 JWT 应用到我使用 Java-Jersey 开发的 REST API 中.我正在将此库用于 JWT - https://github.com/auth0/java-jwt
我对 JWT - Secret 有几个问题
Secret
必须是唯一的吗?
- 这个
Secret
必须是唯一的吗?
它应该是您的应用程序独有的 —毕竟它必须是一个秘密 —但它不会对每个令牌都是唯一的.相反,在任何给定时间,您都应该拥有相对较少数量的密钥(例如,通常只有一个密钥,但在从一个密钥轮换到另一个密钥时,您会在短时间内拥有两个密钥).
<块引用>不,有两个原因:
GoPackers123
.然后,在您的秘密中使用密码意味着有人可以轻松地测试给定的潜在密码,看看它是否会产生正确的签名;而且,更重要的是,他们可以轻松测试大量潜在密码,看看其中是否有任何一个给出了正确的签名.这是一次离线攻击,因此您甚至都不会知道它发生了.I am going to apply JWT into my REST API developed using Java-Jersey. I am using this library for JWT - https://github.com/auth0/java-jwt
I have few questions about the JWT - Secret
Secret
has to be unique?
- Does this
Secret
has to be unique?
It should be unique to your application — it needs to be a secret, after all — but it won't be unique for each token. Rather, you should have a relatively small number of secret keys at any given time (e.g., usually having just one key, but having brief periods where you have two keys as you rotate from one to the next).
- Shall I use the hashed version of user's password for secret?
No, for two reasons:
GoPackers123
. Using the password in your secret then means that someone can easily test a given potential password to see if it results in the right signature; and, more to the point, they can easily test huge numbers of potential passwords to see if any of them gives the right signature. This is an offline attack, so you would never even know it happened.
这篇关于“秘密"应该是什么?在智威汤逊?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!