Problem
Occurred during a login attempt, after implementing the Member MVC domain and Security based on JWT verification.
Error log
{
"timestamp": "2023-08-20T15:36:25.798+00:00",
"status": 500,
"error": "Internal Server Error",
"trace": "io.jsonwebtoken.security.WeakKeyException:
The specified key byte array is 216 bits which is not secure enough
for any JWT HMAC-SHA algorithm. The JWT JWA Specification
(RFC 7518, Section 3.2) states that keys used with HMAC-SHA algorithms
MUST have a size >= 256 bits (the key size must be greater than or
equal to the hash output size).
Consider using the io.jsonwebtoken.security.Keys#secretKeyFor(SignatureAlgorithm)
method to create a key guaranteed to be secure enough for your preferred
HMAC-SHA algorithm. See https://tools.ietf.org/html/rfc7518#section-3.2
for more information.\r\n\tat io.jsonwebtoken.security.Keys.
hmacShaKeyFor(Keys.java:96)\r\n\tat neoguri.springTemplate.security.
jwt.JwtTokenizer.getSecretKeyFromPlainSecretKey(JwtTokenizer.java:95)\r\n\tat
neoguri.springTemplate.security.jwt.JwtTokenizer.createAccessToken
(JwtTokenizer.java:57)\r\n\tat neoguri.springTemplate.security.jwt.JwtTokenizer.
delegateAccessToken(JwtTokenizer.java:140)\r\n\tat neoguri.springTemplate.
security.filter.JwtAuthenticationFilter.successfulAuthentication
(JwtAuthenticationFilter.java:79)\r\n\tat org.springframework.security.web.
authentication.AbstractAuthenticationProcessingFilter.doFilter
(AbstractAuthenticationProcessingFilter.java:237)\r\n\tat org.springframework.
security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter
(AbstractAuthenticationProcessingFilter.java:217)\r\n\tat org.springframework.
security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:346)
\r\n\tat org.springframework.security.web.authentication.logout.LogoutFilter.
doFilter(LogoutFilter.java:103)\r\n\tat org.springframework.security.web.
authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:89)\r\n\tat
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.
doFilter(FilterChainProxy.java:346)\r\n\tat org.springframework.web.filter.
CorsFilter.doFilterInternal(CorsFilter.java:91)\r\n\tat org.springframework.
web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.
doFilter(FilterChainProxy.java:346)\r\n\tat org.springframework.security.
web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)\r\n\tat
org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal
(HeaderWriterFilter.java:75)\r\n\tat org.springframework.web.filter.
OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)\r\n\tat
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.
doFilter(FilterChainProxy.java:346)\r\n\tat org.springframework.security.
web.context.SecurityContextPersistenceFilter.doFilter
(SecurityContextPersistenceFilter.java:112)\r\n\tat org.springframework.
security.web.context.SecurityContextPersistenceFilter.doFilter
(SecurityContextPersistenceFilter.java:82)\r\n\tat org.springframework.
security.web.FilterChainProxy$VirtualFilterChain.doFilter
(FilterChainProxy.java:346)\r\n\tat org.springframework.security.web.
context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal
(WebAsyncManagerIntegrationFilter.java:55)\r\n\tat org.springframework.
web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
\r\n\tat org.springframework.security.web.FilterChainProxy$VirtualFilterChain.
doFilter(FilterChainProxy.java:346)\r\n\tat org.springframework.security.
web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.
java:42)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.
doFilter(OncePerRequestFilter.java:117)\r\n\tat org.springframework.
security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.
java:346)\r\n\tat org.springframework.security.web.FilterChainProxy.
doFilterInternal(FilterChainProxy.java:221)\r\n\tat org.springframework.
security.web.FilterChainProxy.doFilter(FilterChainProxy.java:186)\r\n\tat
org.springframework.security.web.debug.DebugFilter.invokeWithWrappedRequest
(DebugFilter.java:90)\r\n\tat org.springframework.security.web.debug.
DebugFilter.doFilter(DebugFilter.java:78)\r\n\tat org.springframework.
security.web.debug.DebugFilter.doFilter(DebugFilter.java:67)\r\n\tat org.
springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:354)\r\n\tat org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:267)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\r\n\tat org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\r\n\tat org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\r\n\tat org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)\r\n\tat org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)\r\n\tat org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)\r\n\tat org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)\r\n\tat org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:481)\r\n\tat 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)\r\n\tat org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)\r\n\tat org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)\r\n\tat org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\r\n\tat org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)\r\n\tat org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)\r\n\tat org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:926)\r\n\tat org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)\r\n\tat org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)\r\n\tat org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)\r\n\tat org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)\r\n\tat org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\r\n\tat java.base/java.lang.Thread.run(Thread.java:829)\r\n",
"message": "The specified key byte array is 216 bits which is not secure
enough for any JWT HMAC-SHA algorithm. The JWT JWA Specification
(RFC 7518, Section 3.2) states that keys used with HMAC-SHA algorithms
MUST have a size >= 256 bits (the key size must be greater than or
equal to the hash output size). Consider using the io.jsonwebtoken.security.
Keys#secretKeyFor(SignatureAlgorithm) method to create a key guaranteed to be
secure enough for your preferred HMAC-SHA algorithm.
See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.",
"path": "/auth/login"
}
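Cause
The error occurs because the value of JWT_SECRET does not reach 256 bits (32 bytes).
For example, in the author's case JWT_SECRET was set to a number; it was long, but it still fell short of 32 bytes, so the error occurred.
Solution
1. Change the value set in the environment variable (e.g., a system environment variable) to at least 32 bytes (= 256 bits); each English letter counts as 1 byte.
2. Reboot the server and PC. (For Windows system environment variables, a reboot is required for the change to take effect.)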
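The length check behind this error, and one way to produce a secret that passes it, as an added example using only the JDK. This is not code from the original post: the class name `JwtSecretCheck`, its methods and the sample secret are assumptions made up for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

// Added example: hypothetical helper, not part of the post's JwtTokenizer.
public class JwtSecretCheck {
    // RFC 7518, Section 3.2: HMAC-SHA keys must be at least as long as the hash output.
    static final int MIN_HS256_BITS = 256;

    // Key size as the exception reports it: number of key bytes * 8.
    // Assumes the secret string's UTF-8 bytes are what end up as the HMAC key.
    static int bitLength(String secret) {
        return secret.getBytes(StandardCharsets.UTF_8).length * 8;
    }

    // Fail at startup with a clear message instead of a 500 on the first login.
    static void requireStrongEnough(String secret) {
        if (secret == null || bitLength(secret) < MIN_HS256_BITS) {
            int bits = (secret == null) ? 0 : bitLength(secret);
            throw new IllegalStateException(
                "JWT_SECRET is " + bits + " bits; at least " + MIN_HS256_BITS + " are required");
        }
    }

    // 32 bytes from a CSPRNG, Base64-encoded so it fits in an environment variable.
    static String generateSecret() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        return Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) {
        // Constructed sample: 27 ASCII digits = 27 bytes = 216 bits, as in the error above.
        String numeric = "123456789012345678901234567";
        System.out.println(bitLength(numeric) + " bits");

        String generated = generateSecret();   // 44 ASCII characters
        requireStrongEnough(generated);        // long enough, no exception
        System.out.println(bitLength(generated) + " bits: " + generated);

        try {
            requireStrongEnough(numeric);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Padding a digit string to 32 characters satisfies the length check but still carries far less than 256 bits of entropy; a randomly generated value avoids that.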