Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Using hardcoded/Constant cryptographic key when creating and verifing Json Web Token. #64

Open
KANIXB opened this issue Dec 6, 2022 · 0 comments

Comments

@KANIXB
Copy link

KANIXB commented Dec 6, 2022

Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector on Java language(Our main concern is the secure implementation and use of Json Web Token). We found your great public repository (i.e., matecloud
Public) from GitHub, and several security issues detected by our detector are shown in the following. The specific security issues we found are as follows:
(1) Location: Package: cpackage vip.mate.uaa.config; Class: AuthServerConfig .class
Method:jwtAccessTokenConverter
Hard-coded key: public static final String SIGN_KEY = "MATE";
Security issue: Using predictable/constant cryptographic key when creating and verifing Json Web Token.
Using a hard-coded secret does not conform to the security implementation specification of JWT, which may bring security risks to your system. It is recommended that you use a more secure way to store the secret used to generate the JWT. (For the hazards of hardcoded keys, you can refer to CWE-321, NIST Special Publication 800-57).

We wish the above security issues cloud truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forward to your reply. Thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant