Description
Hi, we are a research group that helps developers build secure applications. We designed a cryptographic misuse detector for the Java language (our main concern is the secure implementation and use of JSON Web Token). We found your great public repository (i.e., Spring-Boot-In-Action) on GitHub, and several security issues detected by our detector are shown in the following. The specific security issues we found are as follows:
(1) Location: Package: cn.codesheep.springbt_security_jwt.controller; Class: JwtAuthController.class
and Package: cn.codesheep.springbt_security_jwt.comm; Class: Const.class
Security issue: Using a predictable/constant cryptographic key when creating and verifying JSON Web Tokens.
Using a predictable/constant secret does not conform to the security implementation specification of JWT, which may bring security risks to your system. It is recommended to use a more secure way to store the secret used to generate the JWT and use a strong enough key to improve the security of the project. (For the hazards of predictable/constant secret, you can refer to CWE-321, NIST Special Publication 800-57).
We hope the above security issues could truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us; we are looking forward to your reply. Thanks.
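The following is an added example illustrating the point raised in the issue; it is not code from the Spring-Boot-In-Action repository or from the research group, and it is written in plain Python rather than Java so that it runs with no dependencies. It contrasts a short hard-coded secret (the pattern the issue flags) with a key that is generated from the OS CSPRNG and loaded from an environment variable at startup, refusing to start if the key is missing or too short for HS256. The environment variable name `JWT_SECRET`, the function names, and the sample claims are all assumptions made for the example.

```python
# Added example (not code from the Spring-Boot-In-Action repository): a minimal
# HS256 JSON Web Token signer/verifier used to contrast a constant secret with a
# key loaded from the environment and checked for adequate length.
import base64
import hashlib
import hmac
import json
import os
import secrets
from typing import Mapping, Optional

# RFC 7518 section 3.2: an HS256 key must be at least as long as the hash
# output, i.e. 256 bits = 32 bytes.
MIN_HS256_KEY_BYTES = 32

# The anti-pattern described in the issue: a short constant secret in source.
# Constructed for illustration only; never use a value like this.
WEAK_CONSTANT_KEY = b"secret"


def key_is_strong(key: bytes) -> bool:
    """Length check only: a key shorter than 32 bytes is unsuitable for HS256."""
    return len(key) >= MIN_HS256_KEY_BYTES


def generate_key() -> bytes:
    """Produce a fresh 256-bit key from the operating system's CSPRNG."""
    return secrets.token_bytes(MIN_HS256_KEY_BYTES)


def export_key(key: bytes) -> str:
    """Base64url-encode a key so it can be stored in an environment variable."""
    return _b64url_encode(key)


def load_signing_key(environ: Mapping[str, str] = os.environ,
                     name: str = "JWT_SECRET") -> bytes:
    """Load the key from the environment (variable name is an assumption).

    Fails closed: no key, or a weak key, aborts startup instead of silently
    falling back to a built-in constant.
    """
    encoded = environ.get(name)
    if not encoded:
        raise RuntimeError(f"{name} is not set; refusing to fall back to a constant key")
    key = _b64url_decode(encoded)
    if not key_is_strong(key):
        raise RuntimeError(
            f"{name} is only {len(key)} bytes; HS256 needs at least {MIN_HS256_KEY_BYTES}")
    return key


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the signing input."""
    header = _b64url_encode(
        json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the token verifies under `key`, otherwise None.

    The expected algorithm is fixed by the verifier, not read from the token,
    and the MAC comparison is constant-time.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:  # wrong segment count, bad base64, bad JSON/UTF-8
        return None
    if header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None


if __name__ == "__main__":
    # One-time provisioning step (outside the application): generate a key and
    # place its base64url form in the deployment's secret store / environment.
    key = generate_key()
    os.environ["JWT_SECRET"] = export_key(key)
    # Application startup: load and validate the key, then sign and verify.
    k = load_signing_key()
    token = sign_hs256({"sub": "alice"}, k)
    print(verify_hs256(token, k))
```

`load_signing_key` is the piece that replaces a `Const.class`-style literal: the application never contains the key, and a missing or short value stops startup rather than degrading to a default. A real deployment would source `JWT_SECRET` from a secret manager and rotate it, and a library such as jjwt would replace the hand-rolled signer, but the checks shown (fixed algorithm, minimum key length, constant-time comparison) are the same ones to look for in review.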