Play secret WeakKeyException

brabo-hi · January 9, 2021, 10:05pm

Hi,
i generated a key for production environment using playGenerateSecret , however i am still getting an exception when making a post request

io.jsonwebtoken.security.WeakKeyException: The signing key's size is 168 bits which is not secure enough for the HS256 algorithm.  The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with HS256 MUST have a size >= 256 bits (the key size must be greater than or equal to the hash output size).  Consider using the io.jsonwebtoken.security.Keys class's 'secretKeyFor(SignatureAlgorithm.HS256)' method to create a key guaranteed to be secure enough for HS256.  See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.
	at io.jsonwebtoken.SignatureAlgorithm.assertValid(SignatureAlgorithm.java:387)
	at io.jsonwebtoken.SignatureAlgorithm.assertValidSigningKey(SignatureAlgorithm.java:315)
	at io.jsonwebtoken.impl.DefaultJwtBuilder.signWith(DefaultJwtBuilder.java:122)
	at io.jsonwebtoken.impl.DefaultJwtBuilder.signWith(DefaultJwtBuilder.java:134)
	at io.jsonwebtoken.impl.DefaultJwtBuilder.signWith(DefaultJwtBuilder.java:142)
	at play.api.mvc.JWTCookieDataCodec$JWTFormatter.format(Cookie.scala:776)
	at play.api.mvc.JWTCookieDataCodec.encode(Cookie.scala:631)
	at play.api.mvc.JWTCookieDataCodec.encode$(Cookie.scala:629)
	at play.api.mvc.DefaultJWTCookieDataCodec.encode(Cookie.scala:816)
	at play.api.mvc.FallbackCookieDataCodec.encode(Cookie.scala:798)
	at play.api.mvc.FallbackCookieDataCodec.encode$(Cookie.scala:798)
	at play.api.mvc.DefaultSessionCookieBaker.encode(Session.scala:123)
	at play.api.mvc.CookieBaker.encodeAsCookie(Cookie.scala:466)
	at play.api.mvc.CookieBaker.encodeAsCookie$(Cookie.scala:465)
	at play.api.mvc.DefaultSessionCookieBaker.encodeAsCookie(Session.scala:123)
	at play.api.mvc.Result.$anonfun$bakeCookies$2(Results.scala:354)
	at scala.Option.map(Option.scala:242)
	at play.api.mvc.Result.bakeCookies(Results.scala:353)
	at play.core.server.common.ServerResultUtils.prepareCookies(ServerResultUtils.scala:291)
	at play.core.server.AkkaHttpServer.$anonfun$runAction$5(AkkaHttpServer.scala:432)
	at scala.concurrent.impl.Promise$Transformation.run(Promise.scala:434)
	at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:48)
	at akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:48)
	at java.base/java.util.concurrent.ForkJoinTask.doExec(Unknown Source)
	at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(Unknown Source)
	at java.base/java.util.concurrent.ForkJoinPool.scan(Unknown Source)
	at java.base/java.util.concurrent.ForkJoinPool.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ForkJoinWorkerThread.run(Unknown Source)

I also generated a key using

 SecretKey key = Keys.secretKeyFor(SignatureAlgorithm.HS256);
 String secret = Encoders.BASE64.encode(key.getEncoded());

But still getting the same exception

brabo-hi · January 18, 2021, 10:31pm

I can confirm that the error was on my side i as using in application.conf play.http.secret.key = "${APPLICATION_SECRET}" which should be play.http.secret.key = ${APPLICATION_SECRET} instead

Topic		Replies	Views
Play WSClient connect to Binance API Play Framework	0	636	November 28, 2021
For custom body parser, getting error - Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null') Play Framework	0	2431	August 22, 2019
NullPointerException when a value is null on the session Play Framework	1	1069	March 22, 2018
Unfathomable NotEnoughDataException Play Framework scala	5	678	April 20, 2021
Does Play 2.6.15 support java 9 and java 10 Play Framework	3	3642	June 11, 2018

Play secret WeakKeyException

Related Topics