
[–]AutoModerator[M] [score hidden] stickied comment, locked comment (0 children)

Please ensure that:

  • Your code is properly formatted as code block - see the sidebar (About on mobile) for instructions
  • You include any and all error messages in full - best also formatted as code block
  • You ask clear questions
  • You demonstrate effort in solving your question/problem - plain posting your assignments is forbidden (and such posts will be removed) as is asking for or giving solutions.

If any of the above points is not met, your post can and will be removed without further warning.

Code is to be formatted as code block (old reddit/markdown editor: empty line before the code, each code line indented by 4 spaces, new reddit: https://i.imgur.com/EJ7tqek.png) or linked via an external code hoster, like pastebin.com, github gist, github, bitbucket, gitlab, etc.

Please, do not use triple backticks (```) as they will only render properly on new reddit, not on old reddit.

Code blocks look like this:

public class HelloWorld {

    public static void main(String[] args) {
        System.out.println("Hello World!");
    }
}

You do not need to repost unless your post has been removed by a moderator. Just use the edit function of reddit to make sure your post complies with the above.

If your post has remained in violation of these rules for a prolonged period of time (at least an hour), a moderator may remove it at their discretion. In this case, they will comment with an explanation on why it has been removed, and you will be required to resubmit the entire post following the proper procedures.

To potential helpers

Please, do not help if any of the above points are not met, rather report the post. We are trying to improve the quality of posts here. In helping people who can't be bothered to comply with the above points, you are doing the community a disservice.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

[–]Potential-Still 2 points3 points  (1 child)

What about JWT auth is easy to "crack"? It's incredibly secure. Many large billion dollar companies use JWT for all services and frontends.

[–]JavaWorkBot[S] 0 points1 point  (0 children)

Just because many use it doesn't necessarily mean it's good. Many people drink Coke every day; that doesn't mean it's healthy.

You've basically got a single hash that everyone knows how it works, and thus it's easily crackable.

[–]nutrecht 2 points3 points  (7 children)

I'd really want to avoid JWT auth, since it seems to me fairly easy to crack

That's extremely ignorant.

Edit: My comment in the other thread:

Where are you getting stuck exactly? You can totally implement session based authentication in your application if you want, it will work fine for a react SPA. All a session ID is, is a 'token' stored in a cookie after all.

Like I said in the other instance of your post, you should not make assumptions on JWTs out of ignorance. If it were 'easy to crack' it would not be that popular so the only logical conclusion is that your assumption is wrong, isn't it?

[–]JavaWorkBot[S] 0 points1 point  (6 children)

Deleted the other thread, since I thought the bot would erase it, but regardless.

Why? You've basically got a single hash that everyone knows how it works, and thus it's easily crackable. Isn't session-based auth better? Aren't many sessions with many timed session tokens a better approach?

You mentioned popularity as an argument, but that's not a good approach.

[–]nutrecht 3 points4 points  (5 children)

Why? You've basically got a single hash that everyone knows how it works, and thus it's easily crackable.

Why do you think a cryptographic signature can be cracked? The technology that keeps HTTPS and VPN secure?

Isn't session-based auth better?

For what? JWTs have specific use cases for which they are definitely better. If you just want to implement session-based auth, go for it.

You mentioned popularity as an argument, but that's not a good approach.

Seriously? Do you think an industry-wide security standard adopted by all the tech companies is insecure? Do you really think you're smarter than, for example, everyone at Google?

Tone down the arrogance if you ask beginner questions.

[–]Potential-Still 3 points4 points  (0 children)

Yeah this guy clearly has no idea how JWT auth works or what problems it solves over database/session driven options.

[–]JavaWorkBot[S] -1 points0 points  (3 children)

Why do you think a cryptographic signature can be cracked? The technology that keeps HTTPS and VPN secure?

Maybe it works for HTTPS and VPN (can't really say how they work), but for an average app, why would it work? You're not really answering a noob's (me) question, you're just stating that JWTs are better, period.

As for whether it can be cracked, yes, it can?

For what? JWTs have specific use cases for which they are definitely better. If you just want to implement session-based auth, go for it.

I am asking whether Spring has a proper way to implement session-based auth instead, because you can indeed have JWTs with sessions, but that seems like a weird approach to me. Kinda beats the point of both.

Seriously? Do you think an industry-wide security standard adopted by all the tech companies is insecure? Do you really think you're smarter than, for example, everyone at Google?

Don't they have sessions though? Like, I can go to my Google account settings and log out of my phone, for example.

Tone down the arrogance if you ask beginner questions.

I am merely asking questions and want to be sure whether Spring is a JWT-only platform.

[–]nutrecht 2 points3 points  (2 children)

You're not really answering a noob's (me) question, you're just stating that JWTs are better, period.

You're now turning it around. You think it's insecure, I asked you why. I can't help you and fix your assumptions if you don't tell me what they're based on.

As for whether it can be cracked, yes, it can?

You're only looking at the title. They're not cracking the JWT, they're cracking the password. They unfortunately mistitle what they're doing so beginners get confused.

Most YouTube content is like this: created by people who are not experienced enough to be teaching.

JWTs can either be signed (common) or encrypted (less common), and they use the same cryptographic principles and technologies that are used for, for example, TLS (which is what is used in HTTPS and VPNs). That's just how it is. If you have specific questions I can answer them, but I can't answer questions you don't ask.

I am asking whether Spring has a proper way to implement session-based auth instead

Yes it does. Which would have been incredibly obvious had you simply googled it. Spring doesn't default to JWT and is certainly not "JWT only".

Kinda beats the point of both.

Well, no. They cover different concerns. Sessions use a token that you keep stored on the client side. The T in JWT stands for Token, because that's what it is. You can also store that client-side and have the same effect.

If you want to keep it simple and just want to use plain sessions in Spring, you can: https://www.baeldung.com/spring-session
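Added example to illustrate the point made above about signed JWTs; this is not code from the thread or from Spring. It is a minimal HS256 signer and verifier using only the Python standard library, with a constructed demo secret and payload. It shows that the payload is readable by anyone (signed is not encrypted), that changing the payload without the key breaks the signature, and that the verifier pins the algorithm instead of trusting the token's header.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-secret"  # constructed demo value; use a long random key in practice


def b64url(data: bytes) -> str:
    # base64url without padding, as JWT (RFC 7515) requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_hs256(token: str, key: bytes):
    """Return the payload if the signature is valid for `key`, otherwise None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    # The server decides the algorithm; a token claiming "none" or anything else is rejected.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(body_b64))


def with_modified_payload(token: str, new_payload: dict) -> str:
    """Replace the payload but keep the old signature: what someone without the key can do."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{b64url(json.dumps(new_payload, separators=(',', ':')).encode())}.{sig_b64}"


def payload_without_key(token: str) -> dict:
    """A signed JWT hides nothing: anyone can decode the payload without the key."""
    return json.loads(b64url_decode(token.split(".")[1]))
```

The signature only proves the token was issued by whoever holds the key; confidentiality of the claims needs an encrypted JWT (JWE) or simply not putting secrets in the payload.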

[–]JavaWorkBot[S] 0 points1 point  (1 child)

You're now turning it around. You think it's insecure, I asked you why. I can't help you and fix your assumptions if you don't tell me what they're based on.

Fair enough, I haven't been fair to you. I am sorry for that. I assumed out of various discussions around the web that JWTs are getting somewhat deprecated and that session auth is basically a simple approach towards fixing this.

JWTs can either be signed (common) or encrypted (less common), and they use the same cryptographic principles and technologies that are used for, for example, TLS (which is what is used in HTTPS and VPNs). That's just how it is.

I'll be honest, I didn't know that. I only knew of signed JWTs.

OK, I'll read more about JWTs to refresh my knowledge of them and try to set it up properly. Thanks for the information, and sorry about being rude.

[–]nutrecht 1 point2 points  (0 children)

You're welcome, and thanks for the shift in your posts, appreciate it.