Creating and Parsing a secret key signed JWT containing payload

In this post in the JWT series, I will show with an example how to create and parse a signed JWT containing a payload.

As mentioned in previous posts we will use an instance of “JwtBuilder” to construct a JSON Web Token.

Below is the code snippet for your reference

Snippet 1

1 JwtBuilder jwtBuilder = Jwts.builder();
2
3 jwtBuilder.header().add("alg", "none").add("typ", "JWT");
4
5 String payload = "Hi my name is Sumanth";
6 jwtBuilder.content(payload);
7 String jwt = jwtBuilder.compact();

In the above code snippet, at line 1 I created an instance of “JwtBuilder” class named “jwtBuilder”.

At line 3, I configure the header information.

At line 5, I define the payload, and at line 6 I set it as the content of the JWT.

At line 7, I generate the token by calling “compact” method on “jwtBuilder” instance.

The JWT created following the above approach is an unsecured JWT.

To generate a signed JWT, we have to configure the “jwtBuilder” to use a key by calling the “signWith” method. This method takes a secret key as an argument. After the key is set, any JWT generated by calling “compact” on the “jwtBuilder” instance is a signed JWT.

Below is the code snippet that generates a signed JWT.

Snippet 2

1 JwtBuilder jwtBuilder = Jwts.builder();
2 jwtBuilder.signWith(secretKey);
3
4 jwtBuilder.header().add("alg", "HS512").add("typ", "JWT");
5
6 String payload = "Hi my name is Sumanth";
7 jwtBuilder.content(payload);
8 String jwtString = jwtBuilder.compact();

If we compare “Snippet 1” and “Snippet 2”, the only difference is the call to “signWith” to set the secret key. Refer to line 2 in “Snippet 2”.

Once the secretKey is set, the builder will use the secret key to generate a signed JWT.

Sometimes we don’t have to generate a signed JWT but instead we have to parse it.

From the previous post, we can see that we use an instance of “JwtParserBuilder” to parse an unsecured JWT. Below is the code snippet for your reference.

Snippet 3

1 JwtParserBuilder jwtParserBuilder = Jwts.parser();
2 jwtParserBuilder.unsecured();
3 JwtParser jwtParser = jwtParserBuilder.build();
4 Jwt<Header, byte[]> jwt = jwtParser.parseUnsecuredContent("eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.SGkgbXkgbmFtZSBpcyBTdW1hbnRo.");

We use similar code to parse a signed JWT, as shown in the snippet below.

Snippet 4

1 JwtParserBuilder jwtParserBuilder = Jwts.parser();
2 jwtParserBuilder.verifyWith(secretKey);
3 JwtParser jwtParser = jwtParserBuilder.build();
4 Jws<byte[]> jws = jwtParser.parseSignedContent(data);

If we compare “snippet 3” and “snippet 4”, there are two differences (line 2 and line 4).

In line 2 of snippet 4, we have to call “verifyWith” method on “jwtParserBuilder” instance and pass the secret key as an argument. We no longer need to call “unsecured” method as done in “snippet 3”.

Remember that we need to use the same secret key that was used to generate the signed JWT.

In line 4 of snippet 4, we have to call “parseSignedContent” method on “jwtParser” instance to parse the signed JWT. We no longer need to call “parseUnsecuredContent” method as done in “snippet 3”.

In this way we can generate and parse a signed JWT containing payload.

Below is the complete main code for your reference.

Main class

package defaultPackage;

import java.nio.charset.StandardCharsets;

import javax.crypto.SecretKey;

import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.JwtParserBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.MacAlgorithm;

public class Example7 {
    public static void main(String[] args) throws Exception {
        Example7 example7 = new Example7();

        // Generate a random secret key suitable for HS512.
        MacAlgorithm macAlgorithm = Jwts.SIG.HS512;
        SecretKey secretKey = macAlgorithm.key().build();

        // Create the signed JWT, then parse and verify it with the same key.
        String data = example7.toJWTString(secretKey);
        System.out.println(data);
        Jws<byte[]> jws = example7.toJWS(secretKey, data);
        System.out.println(jws.getHeader());
        // Decode the payload bytes with an explicit charset.
        System.out.println(new String(jws.getPayload(), StandardCharsets.UTF_8));
    }

    // Builds a JWT signed with the given secret key.
    public String toJWTString(SecretKey secretKey) {
        JwtBuilder jwtBuilder = Jwts.builder();
        jwtBuilder.signWith(secretKey);

        jwtBuilder.header().add("alg", "HS512").add("typ", "JWT");

        String payload = "Hi my name is Sumanth";
        jwtBuilder.content(payload);

        String jwt = jwtBuilder.compact();
        return jwt;
    }

    // Verifies the signature with the given secret key and returns the parsed JWS.
    public Jws<byte[]> toJWS(SecretKey secretKey, String data) {
        JwtParserBuilder jwtParserBuilder = Jwts.parser();
        jwtParserBuilder.verifyWith(secretKey);
        JwtParser jwtParser = jwtParserBuilder.build();
        Jws<byte[]> jws = jwtParser.parseSignedContent(data);
        return jws;
    }
}
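
The following is an added example, not part of the original post's code. It shows what a parser configured with “verifyWith” does with input it should not trust: a token whose payload was changed after signing, the unsecured token from snippet 3, and a valid token checked with a different key. The class name “Example7Rejections”, the helper “check” and the replacement payload are assumptions made for illustration; it uses the same JJWT API as the snippets above.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.SecretKey;

import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;

// Added example (hypothetical class name), not the post's own code.
public class Example7Rejections {

    // Parses the token and reports whether the parser accepted or rejected it.
    static void check(String label, JwtParser parser, String token) {
        try {
            parser.parseSignedContent(token);
            System.out.println(label + ": accepted");
        } catch (JwtException e) {
            // JwtException is the base class of JJWT's parsing and signature errors.
            System.out.println(label + ": rejected (" + e.getClass().getSimpleName() + ")");
        }
    }

    public static void main(String[] args) {
        SecretKey secretKey = Jwts.SIG.HS512.key().build();
        SecretKey otherKey = Jwts.SIG.HS512.key().build(); // a second, unrelated random key

        String jws = Jwts.builder().content("Hi my name is Sumanth").signWith(secretKey).compact();
        JwtParser parser = Jwts.parser().verifyWith(secretKey).build();

        // Constructed input: original header and signature, payload swapped after signing.
        String[] parts = jws.split("\\.");
        String swapped = Base64.getUrlEncoder().withoutPadding()
                .encodeToString("Hi my name is Mallory".getBytes(StandardCharsets.UTF_8));
        String tampered = parts[0] + "." + swapped + "." + parts[2];

        // The unsecured ("alg": "none") token used in snippet 3.
        String unsecured = "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.SGkgbXkgbmFtZSBpcyBTdW1hbnRo.";

        check("original token", parser, jws);
        check("payload changed after signing", parser, tampered);
        check("unsecured token from snippet 3", parser, unsecured);
        check("original token, different key", Jwts.parser().verifyWith(otherKey).build(), jws);
    }
}
```

Only the first check should be accepted. Application code should treat any “JwtException” from the parser as an untrusted token and must not read the payload in that case.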
