rest - Security Attacks possible on TokenBased Authentication? -


i have designed web application uses simple implementation of jwt token's provide authentication/authorization.

my implementation :

  1. there 2 types of urls's public , secure.
  2. public urls generate token username/password.

  3. i have added filter on secure url check authorization header , jwt token.

    @bean     public filterregistrationbean jwtfilter()  {      final filterregistrationbean registrationbean = new       filterregistrationbean();      registrationbean.setfilter(new jwtfilter());      registrationbean.addurlpatterns("/secure/*");       return registrationbean;

    }

  4. filter validate token. haven't added expiration date yet.

    final httpservletrequest request = (httpservletrequest) req; final httpservletresponse response = (httpservletresponse) res; final string authheader = request.getheader("authorization");  if ("options".equals(request.getmethod())) {     response.setstatus(httpservletresponse.sc_ok);      chain.dofilter(req, res); } else {      if (authheader == null || !authheader.startswith("bearer ")) {         throw new servletexception("missing or invalid authorization header");     }      final string token = authheader.substring(7);      try {         final claims claims = jwts.parser().setsigningkey(secretkey.tostring).parseclaimsjws(token).getbody();         request.setattribute("claims", claims);     } catch (final signatureexception e) {         throw new servletexception("invalid token");     }      chain.dofilter(req, res); }

this providing authentication , immune csrf.no 1 can create valid token without secret key.

are there other attacks possible on token base authentication service have missed?


Comments

Post a Comment

Popular posts from this blog

What is happening when Matlab is starting a "parallel pool"? -

running parallel cpu processes in matlab starts command parpool() according documentation , function: [creates] special job on pool of workers, , [connects] matlab client parallel pool. this function takes bit of time execute, on order of 30 seconds. in other multi-cpu paradigms openmp, parallel execution seems totally transparent -- i've never noticed behavior analogous matlab (granted i'm not experienced parallel programming). so, happening between time parpool() called , when finishes executing? takes long? parallel computing toolbox enables run matlab code in parallel using several different paradigms (e.g. jobs , tasks, parfor , spmd , parfeval , batch processing), , run either locally (parallelised across cores in local machine) or remotely (parallelised across machines in cluster - either 1 own, or 1 in cloud). in of these cases, code run on matlab workers , copies of matlab without interactive desktop. if you're intending run on remo...
Read more

php - Cannot override Laravel Spark authentication with own implementation -

during login process of laravel spark need request token of remote api. api stores exact same users , passwords laravel spark application. therefore need username , non hashed password of user during authentication process. i thought overriding authenticated method solution problem. in routes/web.php override post /login endpoint , pointing endpoint own logincontroller: <?php namespace app\http\controllers\auth; use illuminate\support\facades\log; use illuminate\http\request; use laravel\spark\http\controllers\auth\logincontroller sparklogincontroller; class logincontroller extends sparklogincontroller { /** * create new login controller instance. * * @return void */ public function __construct() { parent::__construct(); } /** * handle successful authentication attempt. * * @param request $request * @param \illuminate\contracts\auth\authenticatable $user * @return response */ public fu...
Read more

Qt QGraphicsScene is not accessable from QGraphicsView (on Qt 5.6.1) -

i new qt. trying catch mouse press , release in qgraphicsview area , draw line. this, extended qgraphicsview , called myqgraphicsview . seems scene not attached since added " hello world " , never appears in view. here code extended class: class myqgraphicsview : public qgraphicsview { q_object public: myqgraphicsview(qgraphicsscene *scene, qwidget *parent = q_nullptr) : qgraphicsview(scene,parent){ // qgraphicsview::qgraphicsview(scene,parent); } qpoint *pointptr, *startpos,*endpos; qgraphicsview *cv;//maa qgraphicsscene *c; qgraphicsscene *sceneptr; // maa protected: void paintevent(qpaintevent *event) { show(); } void mousepressevent(qmouseevent *event) { // pos wrt widget. global wer global screen qdebug()<<" mouse pressed @ "<<qwidget::mapfromglobal(event->globalpos()); //globalx(); startpos = new qpoint; startpos->setx(qwidget::mapfromglobal(event->globalpos()).x()); startpos->sety(qw...
Read more