import org.springframework.security.jwt.crypto.sign.InvalidSignatureException; //导入依赖的package包/类
@Override
public Authentication authenticate(Authentication t)
        throws AuthenticationException {
    JWTToken jwtToken = (JWTToken) t;
    try {
    	String username = jwtToken.getClaims().getUsername();
    	String secret = usernameAuthBean.getUserSecret().get(username);
    	if (secret != null) {
    		MacSigner signer = new MacSigner(secret);
    		JwtHelper.decodeAndVerify(jwtToken.getToken(), signer);
    		jwtToken.setAuthenticated(Boolean.TRUE);
    		String role = usernameAuthBean.getUserRoles().get(username);
    		jwtToken.addRole(role);
    		
    	}
        
    } catch (InvalidSignatureException e) {
        return null;
    }
    return jwtToken;
}
 

import org.springframework.security.jwt.crypto.sign.InvalidSignatureException; //导入依赖的package包/类
/**
 * Verifies the specified token, refreshing the cached token verification key if needed.
 * 
 * @param tokenString
 */
protected void verifyToken(String tokenString) {
    try {
        verify(tokenString);
    } catch (InvalidSignatureException e) {
        refreshTokenKey();
        verify(tokenString);
    }
}
 

import org.springframework.security.jwt.crypto.sign.InvalidSignatureException; //导入依赖的package包/类
@Test
public void testLoadAuthenticationForInvalidPublicKey() throws IOException {
    String publicKey = FileReaderUtils.readFileFromClasspath("invalid_token_key.pub");
    CachedRemoteTokenService tokenService = new CachedRemoteTokenService("clientId", "clientSecret", "http://localhost:8089", publicKey, identityClient);
    try {
        tokenService.loadAuthentication(token);
    } catch (InvalidSignatureException e) {
        Assert.assertEquals("RSA Signature did not match content", e.getMessage());
    }
}
 

import org.springframework.security.jwt.crypto.sign.InvalidSignatureException; //导入依赖的package包/类
@Test
public void testLoadAuthenticationForInvalidMacKeyUsed() throws IOException {
    CachedRemoteTokenService tokenService = new CachedRemoteTokenService("clientId", "clientSecret", "http://localhost:8089", "alma", identityClient);
    try {
        tokenService.loadAuthentication(token);
    } catch (InvalidSignatureException e) {
        Assert.assertEquals("Calculated signature did not match actual value", e.getMessage());
    }
}
 

import org.springframework.security.jwt.crypto.sign.InvalidSignatureException; //导入依赖的package包/类
@Test
public void testLoadAuthenticationForInvalidMacKey() throws IOException {
    String ssoToken = FileReaderUtils.readFileFromClasspath("sso_token_mac_signed.txt");
    CachedRemoteTokenService tokenService = new CachedRemoteTokenService("clientId", "clientSecret", "http://localhost:8089", "korte", identityClient);
    try {
        tokenService.loadAuthentication(ssoToken);
    } catch (InvalidSignatureException e) {
        Assert.assertEquals("Calculated signature did not match actual value", e.getMessage());
    }
}
 

import org.springframework.security.jwt.crypto.sign.InvalidSignatureException; //导入依赖的package包/类
@Nullable
@Override
public BlueWebToken decodeAndVerify(@Nonnull final String idToken){

    final long now = System.currentTimeMillis();
    if(log.isTraceEnabled()){
        log.trace("Decoding token [" + idToken + "]");
    }
    try{

        Jwt jwt = JwtHelper.decode(idToken);
        // Get the key ID we need to use to verify the token
        String keyId = getKeyId(idToken);
        if("".equals(keyId.trim())){
            log.warn("Failed to retrieve key ID for token");
            return null;
        }
        BlueWebToken token = typeSecuredObjectMapper().readValue(
          jwt.getClaims(),
          BlueWebToken.class);
        // Get the key and verify the JWT signature
        RSAPublicKey key = rsaPublicKey(keyId, token.getAuthContextReference());
        jwt.verifySignature(new RsaVerifier(key));

        // Validate the nonce

        if(!nonceService.isValid(token.getNonce())){
            log.warn("Failed to validate nonce in token. This could be a replay attack.");
            return null;
        }
        if(!claimValidationService.validateAudience(token)){
            log.warn("Failed to validate audience in token. This could be a replay attack.");
            return null;
        }
        if(!claimValidationService.validateIssuer(token)){
            log.warn("Failed to validate issuer of token. This could be a replay attack.");
            return null;
        }
        if(!claimValidationService.validateNotBefore(token, now)){
            log.warn("Failed to validate notBefore time in token. This could be a replay attack. 'Now' milliseconds: " + now + "; 'NotBefore' milliseconds: " + token
              .getNotBefore()
              .toInstant()
              .toEpochMilli());
            return null;
        }
        if(!claimValidationService.validateExpiration(token, now)){
            log.warn("Failed to validate expiration time in token. This could be a replay attack. 'Now' milliseconds: " + now + "; 'Expiration' milliseconds: " + token
              .getExpiration()
              .toInstant()
              .toEpochMilli());
            return null;
        }

        return token;

    }catch(IOException | IllegalArgumentException | InvalidSignatureException x){
        log.warn("Failed to extract data from JWT token: " + x.getMessage(), x);
    }
    return null;
}
 

import org.springframework.security.jwt.crypto.sign.InvalidSignatureException; //导入依赖的package包/类
@Test(expected=InvalidSignatureException.class)
public void invalidHmacSignatureRaisesException() {
	JwtHelper.decode(JOE_HMAC_TOKEN).verifySignature(new MacSigner("differentkey".getBytes()));
}
 

import org.springframework.security.jwt.crypto.sign.InvalidSignatureException; //导入依赖的package包/类
@Test(expected = InvalidSignatureException.class)
public void invalidRsaSignatureRaisesException() {
	JwtHelper.decodeAndVerify(JOE_RSA_TOKEN, new RsaVerifier(N, D));
}