JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted

Question

I am building a server side REST service application. I have a problem with the JWT authentication token. I can get the token easily after sign in (Here I use Postman).

But when I am trying to authenticate a request to access a protected REST controller using the same token, I get the following error:

io.jsonwebtoken.SignatureException: JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.
    at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:354)
    at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:481)
    at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541)
    at com.configuration.jwt.JwtTokenUtil.extractClaims(JwtTokenUtil.java:104)
    at com.configuration.jwt.JwtTokenUtil.getUsernameFromToken(JwtTokenUtil.java:39)
    at com.configuration.jwt.JwtAuthenticationFilter.doFilterInternal(JwtAuthenticationFilter.java:44)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
...

it's like the application doesn't remember the token it generated. Here is the get request from Postman that generated this error:

I guess the source of the exception is from the method extractClaims of my class JwtTokenUtil:

@Component
public final class JwtTokenUtil {

    public static final int EXPIRATION_IN_SECONDS = 120;

    private static final String JWT_SECRET = "Some$ecretKey";

    private Clock clock = DefaultClock.INSTANCE;

    @Value("${jwt.secret}")
    private String secret;

    @Value("${jwt.expiration}")
    private Long expiration;

    private JwtTokenUtil() {
        // Hide default constructor
    }

    public String getUsernameFromToken(String token) {
        return extractClaims(token).getSubject();
    }

    public Boolean validateToken(String token, UserDetails userDetails) {
        UserDetailsImp user = (UserDetailsImp) userDetails;
        final String username = getUsernameFromToken(token);
        return (username.equals(user.getUsername()) && !isTokenExpired(token));
    }

    public Date getIssuedAtDateFromToken(String token) {
        return extractClaims(token).getIssuedAt();
    }

    public String generateToken(UserDetails userDetails) {
        Map<String, Object> claims = new HashMap<String, Object>();
        return doGenerateToken(claims, userDetails.getUsername());
    }

    private String doGenerateToken(Map<String, Object> claims, String subject) {
        final Date createdDate = clock.now();
        final Date expirationDate = calculateExpirationDate(createdDate);

        return Jwts.builder().setClaims(claims).setSubject(subject).setIssuedAt(createdDate)
                .setExpiration(expirationDate).signWith(SignatureAlgorithm.HS512, secret).compact();
    }

    private Date calculateExpirationDate(Date createdDate) {
        return new Date(createdDate.getTime() + expiration * 1000);
    }

    public static String createToken(String username, Date issueDate) {
        String jwtToken = Jwts.builder().setSubject(username).setIssuedAt(issueDate)
                .setExpiration(new Date(issueDate.getTime() + EXPIRATION_IN_SECONDS))
                .signWith(SignatureAlgorithm.HS512, JWT_SECRET).compact();

        return jwtToken;
    }

    public static String getSubject(String token) {
        Claims claims = extractClaims(token);
        return claims.getSubject();
    }

    public static String refreshToken(String token, long expirationInSeconds) {
        final Claims claims = extractClaims(token);

        Date now = new Date();
        claims.setIssuedAt(now);
        claims.setExpiration(new Date(now.getTime() + EXPIRATION_IN_SECONDS));

        return createTokenFromClaims(claims);
    }

    public static boolean isTokenExpired(String token) {
        final Claims claims = extractClaims(token);
        Date now = new Date();

        return now.after(claims.getExpiration());
    }

    private static String createTokenFromClaims(Claims claims) {
        return Jwts.builder().setClaims(claims).signWith(SignatureAlgorithm.HS512, JWT_SECRET).compact();
    }

    private static Claims extractClaims(String token) {
        return Jwts.parser().setSigningKey(JWT_SECRET).parseClaimsJws(token).getBody();
    }

}

This is my JwtAuthenticationFilter class:

public class JwtAuthenticationFilter extends OncePerRequestFilter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private JwtTokenUtil jwtTokenUtil;

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {

        String header = req.getHeader("Authorization");
        String username = null;
        String authToken = null;

        if (header != null && header.startsWith("Bearer ")) {

            authToken = header.replace("Bearer ", "");

            try {

                username = jwtTokenUtil.getUsernameFromToken(authToken);

            } catch (IllegalArgumentException e) {

                logger.error("an error occured during getting username from token", e);

            } catch (ExpiredJwtException e) {

                logger.warn("the token is expired and not valid anymore", e);
            }
        } else {
            logger.warn("couldn't find bearer string, will ignore the header");
        }

        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {

            UserDetails userDetails = userDetailsService.loadUserByUsername(username);

            if (jwtTokenUtil.validateToken(authToken, userDetails)) {

                String role = "";

                role = userDetails.getAuthorities().size() > 1 ? "ROLE_ADMIN" : "ROLE_TOURIST";

                UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
                        userDetails, null, Arrays.asList(new SimpleGrantedAuthority(role)));

                authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(req));

                logger.info("authenticated user " + username + ", setting security context");

                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
        }

        chain.doFilter(req, res);
    }
}

and I don't know if the sign in controller have anything to do with the issue, but here is the code for it anyway:

@PostMapping(value = "/signin")
    public ResponseEntity<?> signin(@Valid @RequestBody LoginForm loginForm) throws AuthenticationException {

        final Authentication authentication = authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(loginForm.getUsername(), loginForm.getPassword()));
        SecurityContextHolder.getContext().setAuthentication(authentication);

        final UserDetails user = userService.loadUserByUsername(loginForm.getUsername());

        final String token = jwtTokenUtil.generateToken(user);

        return ResponseEntity.ok(new JwtResponse(token, user.getUsername(), user.getAuthorities()));
    }

I hope somebody can help.

Answer 1

The error occurs when the JWT signature validation fails, often due to mismatched signing keys or token tampering. Ensure that:

1. Secret Key Consistency – The same secret key used for signing is also used for verification.
2. Proper Exception Handling – Handle JWT parsing exceptions correctly to return meaningful responses.
3. Authorization Header Extraction – Ensure the token is correctly extracted and prefixed with "Bearer ".

Solution: Implement a robust JWT filter with proper exception handling.

@Component
public class JwtFilter extends OncePerRequestFilter {
    @Autowired
    private JwtService jwtService;
    @Autowired
    private UserDetailsServiceImpl userDetailsService;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) 
            throws ServletException, IOException {
        String authHeader = request.getHeader("Authorization");

        try {
            if (authHeader != null && authHeader.startsWith("Bearer ")) {
                String token = authHeader.substring(7);
                String username = jwtService.extractUsername(token);

                if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
                    UserDetails userDetails = userDetailsService.loadUserByUsername(username);

                    if (jwtService.validateToken(token, userDetails)) {
                        UsernamePasswordAuthenticationToken authentication = 
                            new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
                        authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                        SecurityContextHolder.getContext().setAuthentication(authentication);
                    }
                }
            }
        } catch (Exception e) {
            generateResponseError(response, e);
            return;
        }
        filterChain.doFilter(request, response);
    }

    private void generateResponseError(HttpServletResponse response, Exception e) throws IOException {
        response.setContentType("application/json");
        response.setStatus(HttpStatus.UNAUTHORIZED.value());
        response.getWriter().write(new ObjectMapper().writeValueAsString(Map.of("status", "failed", "message", e.getMessage())));
    }
}

private Claims extractAllClaims(String token) {
    try {
        return Jwts.parser()
                .verifyWith(decryptKey(secretKey))
                .build()
                .parseSignedClaims(token)
                .getPayload();
    } catch (ExpiredJwtException e) {
        throw new JwtTokenExpiredException("Token is Expired");
    } catch (JwtException e) {
        throw new JwtTokenExpiredException("Invalid Jwt Token");
    }
}

• Check Roles & Permissions – Ensure the user has the correct roles for accessing endpoints.
• Use Secure Keys – Store and manage keys securely (e.g., environment variables, vaults).

Answer 2

I know it is old question, but I had the same problem and found a solution that works for me so it might be helpful for someone else.

The hashing algorithm converts the provided secret (String value) into a byte array and then performs encoding. The created token is based on bytes and when you try to use a String value to decode the token, error is thrown. Solution was to use bytes arrays as a secret and provide it to decoding function. You can simply turn a String value into a byte array using:

byte[] secret = stringSecret.getBytes();

and use it for decoding.

In your case it would be a little change in the JwtTokenUtil.class:

private static Claims extractClaims(String token) {
    return Jwts.parser().setSigningKey(JWT_SECRET.getBytes()).parseClaimsJws(token).getBody();
}

Answer 3

I had this error while trying to parse my JWT BUT my mistake was using two different instances of my TokenUtils.class, and they had different keys because I delegated the Key creating to the lib.

SOLUTION: Created a @Component anotated TokenUtilsBean class with a @Bean annotated method returning a instance of TokenUtils.class. So I used dependency injection to get the same instance on my AuthFilter.class and CustomUserService.class.

@Component
public class TokenUtilsBean {

  @Bean
  public TokenUtils tokenUtils() {
    return new TokenUtils();
  }
}

Here's my class and the JUnit tests, maybe someone is doing this wrongly like me.

public class TokenUtils {
  private final KeyPair keys = Keys.keyPairFor(SignatureAlgorithm.RS512);
  private final ObjectMapper mapper = new ObjectMapper();

  public String generateToken(CustomUser user) {
    Map<String, Object> claims = mapper.convertValue(user, Map.class);

    return Jwts.builder()
            .setSubject(user.getUsername())
            .setClaims(claims)
            .signWith(keys.getPrivate())
            .compact();
  }

  public Boolean validateToken(String jwt) {
    try {
      Jwts.parserBuilder()
              .setSigningKey(keys.getPublic())
              .build()
              .parseClaimsJws(jwt);

      return true;
    } catch (Exception e) {
      return false;
    }
  }
}

Here's the JUnit Unit tests

  @Test
  public void validateTokenWithDifferentInstanceShouldBeFalse() {
    String jwt = tokenUtils.generateToken(user);

    //Validating token with a different instance
    Assertions.assertFalse(secondTokenUtils.validateToken(jwt));
  }

Answer 4

Got the same issue, in my case the token passing from angular has quotes in start/end. Resolved by removing them.

intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
    let token = localStorage.getItem('token');
    if (token) {
        token = token.replace(/^"(.*)"$/, '$1');
    }

    if (token) {
        request = request.clone({ headers: request.headers.set('Authorization', 'Bearer ' + token) });
    }

    if (!request.headers.has('Content-Type')) {
        request = request.clone({ headers: request.headers.set('Content-Type', 'application/json') });
    }

    request = request.clone({ headers: request.headers.set('Accept', 'application/json') });
    console.log("............");
    return next.handle(request);
}

   

Answer 5

Had similar issue with same error message. I realized it was due to white spacing in the public key provided. You might check it out. Fixed with this code snippet:

   String PUB_KEY = System.getenv("PUBLIC_KEY") ;  // remove ---PUBLIC KEY--- & ---END PUBLIC KEY ---
   String PUBLIC_KEY = "";
        if (!PUB_KEY.isEmpty()) {
            PUBLIC_KEY = PUB_KEY.replace(" ", "");
        }

Hope it helps.

Answer 6

I think EXPIRATION_IN_SECONDS should be in milliseconds, because you're adding it to getTime(), which is in milliseconds. So it should be 120000 actually.