honeymoose
/
jjwt
mirror of https://github.com/jwtk/jjwt.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Java JWT: JSON Web Token for Java and Android
25 Commits 16 Branches 33 Tags 154 MiB
Java 61%
Groovy 38.6%
Shell 0.4%
Go to file
Les Hazlewood 4f64231600 added Claims mutation methods to JwtBuilder for convenience 2014-09-26 17:47:15 -07:00
src added Claims mutation methods to JwtBuilder for convenience 2014-09-26 17:47:15 -07:00
.gitignore Added 'target' build output directory 2014-09-18 19:15:39 -07:00
.travis.yml Removed JDK6 build (JDK6 is EOL) 2014-09-19 20:15:04 -07:00
LICENSE Initial commit 2014-09-12 18:06:24 -07:00
README.md Update README.md 2014-09-25 13:52:02 -07:00
pom.xml [maven-release-plugin] prepare for next development iteration 2014-09-19 20:37:13 -07:00

README.md

Build Status

Java JWT: JSON Web Token for Java

JJWT aims to be the easiest to use and understand library for creating and verifying JSON Web Tokens (JWTs) on the JVM.

JJWT is a 'clean room' implementation based solely on the JWT, JWS, JWE and JWA RFC draft specifications.

Installation

Use your favorite Maven-compatible build tool to pull the dependency (and its transitive dependencies) from Maven Central:


<dependency>
    <groupId>io.jsonwebtoken</groupId>
    <artifactId>jjwt</artifactId>
    <version>0.1</version>
</dependency>

Usage

Most complexity is hidden behind convenient and readable Builder chaining calls. Here's an example:

import io.jsonwebtoken.Jwts;
import static io.jsonwebtoken.SignatureAlgorithm.*;

//Let's create a random signing key for testing:
Random random = new SecureRandom();
byte[] key = new byte[64];
random.nextBytes(key);

Claims claims = Jwts.claims().setIssuer("Me").setSubject("Joe");

String jwt = Jwts.builder().setClaims(claims).signWith(HS256, key).compact();

How easy was that!?

Now let's verify the JWT (you should always discard JWTs that don't match an expected signature):

Token token = Jwts.parser().setSigningKey(key).parse(jwt);

assert token.getClaims().getSubject().equals("Joe");

You have to love one-line code snippets in Java!

But what if signature validation failed? You can catch SignatureException and react accordingly:

try {

    Jwts.parser().setSigningKey(key).parse(jwt);

    //OK, we can trust this JWT

} catch (SignatureException e) {

    //don't trust the JWT!
}

Supported Features

  • Creating and parsing plaintext compact JWTs

  • Creating, parsing and verifying digitally signed compact JWTs (aka JWSs) with the following algorithms:

    • HS256: HMAC using SHA-384
    • HS384: HMAC using SHA-384
    • HS512: HMAC using SHA-512
    • RS256: RSASSA-PKCS-v1_5 using SHA-256
    • RS384: RSASSA-PKCS-v1_5 using SHA-384
    • RS512: RSASSA-PKCS-v1_5 using SHA-512
    • PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256
    • PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384
    • PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512

Currently Unsupported Features

  • Non-compact serialization and parsing.
  • Elliptic Curve signature algorithms ES256, ES384 and ES512.
  • JWE (Encryption for JWT)

These feature sets will be implemented in a future release when possible. Community contributions are welcome!