From 36b38421e51c345ea24b0f8406eb8dc58272fe62 Mon Sep 17 00:00:00 2001
From: yukaidi
Date: Fri, 29 May 2026 02:18:43 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8DJWT=E7=AD=BE=E5=90=8D?= =?UTF-8?q?=E9=AA=8C=E8=AF=81=E6=97=B6=E5=BA=8F=E6=94=BB=E5=87=BB=EF=BC=9A?= =?UTF-8?q?=E4=BD=BF=E7=94=A8MessageDigest.isEqual()=E6=9B=BF=E4=BB=A3Stri?= =?UTF-8?q?ng.equals()=E8=BF=9B=E8=A1=8C=E7=AD=BE=E5=90=8D=E6=AF=94?= =?UTF-8?q?=E8=BE=83?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../src/main/java/cn/qaiu/lz/common/util/JwtUtil.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/web-service/src/main/java/cn/qaiu/lz/common/util/JwtUtil.java b/web-service/src/main/java/cn/qaiu/lz/common/util/JwtUtil.java
index f1ef675..0da695f 100644
--- a/web-service/src/main/java/cn/qaiu/lz/common/util/JwtUtil.java
+++ b/web-service/src/main/java/cn/qaiu/lz/common/util/JwtUtil.java
@@ -7,6 +7,7 @@ import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
 import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
+import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.time.Instant;
 import java.time.LocalDateTime;
@@ -93,9 +94,10 @@ public class JwtUtil {
 String encodedPayload = parts[1];
 String signature = parts[2];
- // 验证签名
+ // 验证签名(使用常量时间比较防止时序攻击)
 String expectedSignature = hmacSha256(encodedHeader + "." + encodedPayload, SECRET_KEY);
- if (!expectedSignature.equals(signature)) {
+ if (!MessageDigest.isEqual(expectedSignature.getBytes(StandardCharsets.UTF_8),
+ signature.getBytes(StandardCharsets.UTF_8))) {
 return false;
 }