java – io.jsonwebtoken.UnsupportedJwtException: Signed claims JWSs are not supported

I just added Jwt to my application. When I try to post a Get request that requires authorization, I get the following error message:

io.jsonwebtoken.UnsupportedJwtException: Signed claims JWSs are not supported.

I send "Authorization" as header and "Bearer Token-Value" as value.

Does anyone have any idea how to solve this?

Here is my JWT class:

public class JwtUtil {

private String SECRET_KEY = "secret";

public String extractUsername(String token) {
    return extractClaim(token, Claims::getSubject);

public Date extractExpiration(String token) {
    return extractClaim(token, Claims::getExpiration);

public  T extractClaim(String token, Function claimsResolver) {
    final Claims claims = extractAllClaims(token);
    return claimsResolver.apply(claims);

public Claims extractAllClaims(String token) {
    return Jwts.parser().setSigningKey(SECRET_KEY).parseClaimsJwt(token).getBody();

public Boolean isTokenExpired(String token) {
    return extractExpiration(token).before(new Date());

public String generateToken(UserDetails userDetails) {
    Map claims = new HashMap<>();
    return createToken(claims, userDetails.getUsername());

public String createToken(Map claims, String subject) {
    return Jwts.builder()
            .setIssuedAt(new Date(System.currentTimeMillis()))
            .setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60 * 10))
            .signWith(SignatureAlgorithm.HS256, SECRET_KEY).compact();

public Boolean validateToken(String token, UserDetails userDetails) {
    final String userName = extractUsername(token);
    return (userName.equals(userDetails.getUsername()) && !isTokenExpired(token));


and here is my filter:

protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
    final String authorizationHeader = httpServletRequest.getHeader("Authorization");

    String userName = null;
    String jwt = null;

    if (authorizationHeader != null && authorizationHeader.startsWith("Bearer")) {
        jwt = authorizationHeader.substring(7);
        userName = jwtUtil.extractUsername(jwt);

    if (userName != null && SecurityContextHolder.getContext().getAuthentication() == null) {
        UserDetails userDetails = this.myUserDetailsService.loadUserByUsername(userName);

        if (jwtUtil.validateToken(jwt, userDetails)) {
            UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
                    new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
            usernamePasswordAuthenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpServletRequest));

    filterChain.doFilter(httpServletRequest, httpServletResponse);

Wallet – Bitcoin sent, recipient claims not to have received

The address received 0.07014343 BTC in 3d727e3f4565e011c0348f813c2d5480210b6bae2003a0f7abaa949d1a7c599a. These coins have already been issued so that at least the recipient's wallet provider is informed of the transaction. Depending on the type of wallet, the recipient's account may not have been credited due to internal system problems.

Alternatively, the recipient has received the money and is trying to defraud you for an additional payment.

In both cases, your first transaction is successful and the recipient has to work with their wallet provider. You shouldn't send them any more money.

Verify that a transaction is complete

Based on the attention that this question receives, I will go through some of the best practices in verifying the finality / completion / status of a transaction.

In order for a Bitcoin transaction to be complete and irreversible, it must be summarized in one block.

To check whether a transaction has been closed, you can check a block explorer. Block Explorer are websites that read information from the blockchain and make it accessible to people who do not run their own nodes. Some commonly used Bitcoin discoverers are,, and (not affiliated with them).

If you look up the transaction, e.g. For example, using the link above, either a transaction details page or a form of an error not found is displayed.

If a transaction is not found, it is almost certain that it has not been cleared. In this case, you should aim for it Repetition the transaction instead of sending a new one. It is possible that the transaction has actually been sent and has not yet been picked up by Explorer. Submitting a second transaction can therefore result in a double payment.

If a transaction is found, it may be listed as unconfirmed. In this case, just wait until it is confirmed. If a transaction has already been confirmed, you should see an indication of the block into which it was mined (either in the form of a block number or a block hash that begins with a series of zeros). When a transaction is confirmed, it is complete and irreversible.

The recipient says that he did not receive the coins

There are a handful of scenarios in which the recipient may not see the coins even after the transaction is complete:

  1. The recipient's wallet is out of sync / is not updated correctly. This is a more common scenario if you're using Exchange or other hosted wallets, or using a normal wallet with a spotty or weak internet connection. In this case, the recipient must check with their wallet provider to find and credit the coins.
  2. The address is wrong – either you made a mistake when copying the address, or the recipient provided an incorrect address. In this case, you should work with the recipient to find out who needs to absorb the loss since the coins are most likely not recoverable.
  3. The recipient tries to cheat you. Once a transaction is complete, only the recipient can access the coins, find them, or otherwise try to work with them. If they insist that they have not received them, there is no problem on your part and you may be cheated.

Things to consider

  1. Do not use an Explorer recommended by the recipient. It's trivial to create an explorer that hides certain transactions and makes you think that when they're completed, they're not complete. Always use multiple third party explorers if you have to. Ideally, you should run your own instance of Bitcoin Core -txindex activated and check the transaction yourself, but for many users this is not possible in the short term.
  2. If you really need to resend the coins, first make a transaction in your own wallet that will send the entire balance to yourself and wait for this to be confirmed. This prevents you from accidentally paying twice if the original transaction simply wasn't sent properly.
  3. Be patient – it can take a few days for low fee transactions to be confirmed in times of high network activity. If you see an unconfirmed transaction, just wait.

VULTR opens complaint tickets and claims that they come from Google :) And more about abusive claims

I run a site that hosts Android apps and APK files. It's a pretty big site with roughly 500,000 entries.
I recently tried Vultr Cloud Hosting. The site has some traffic, of course, so I put an above-average load on the CPUs and the network.

I received Safe Browsing Report tickets in my Vultr account almost immediately

Dear customer,
We will notify you of malicious software that Google has discovered on your servers. Please review the following warnings:

I've browsed through them, most of them were simple, clean files, I scan them with ~ 50 antivirus software using the VirusTotal API, some had reports on ads / adware and I removed them, but just to be clear that this was the Types of files are These are also accepted on Google Play (same number of false alarms or files with ads).

I tried to explain it to them. You keep telling me that "Google is the complainant" and not her. I told them that if Google actually sent these complaints, they would have to have an original email or something similar.

After asking three times and pretending not to see my question, They told me I had 48 hours to move my domain because my account is closed.

– The actual files are not even in the Vultr network, but under a "download". Subdomain because this other host offers unlimited 100 Mbps traffic and site brands around 24 TB of traffic per month.
– I checked all Google services (Google Webmaster console, Google Safe Browsing report). Everyone says they have no records and the website under these Google services is clean.
– Google AdSense ads are also displayed on the website. Strict guidelines apply to AdSense websites.

Nevertheless, Vultr claims that Google sends these complaints, but refuses to show me the original "complaint".
It looks like they just want me to go away because it is more profitable to house customers who pay and use little resources.

Due to the size of the website, legitimate complaints can also arise. There was one such complaint and I removed this file in less than 24 hours. However, I found that many complaints from competitors are abusive. As far as I know, the DMCA law enables me to make a counter notification.

For example, Coinbase pays a company called RiskIQ to take out competitors. This company has reported most of the Bitcoin wallet applications on my website and claims to be infringing Coinbase's copyrights. These apps have nothing to do with Coinbase except that they are other wallet providers. And ISPs like Vultr have their backs free without a minimal investigation. None of these complainants replied when you contact them.

You can also take people's ads offline by making a false DMCA claim with Google. These automatically take ads offline and then activate them manually after you have proven that the claim was improper (takes about 7 days). The abuser can then take them offline again immediately. It's crazy.

So Vultr, can I please see this complaint from Google? Ticket # DHZ-84ODO

Diagrams – CLRS Exercise 24.3-4 – Confirm the output of a program that claims to implement the Dijkstra algorithm

I'm trying to better understand CLRS question 24.3-4 below:

Professor Gaedel has written a program that he claims implements the Dijkstra algorithm.
The program produces $ v.d $ and $ v. pi $ for each vertex $ v in V $. Enter
$ O (V + E) $ Algorithm for checking the output of the professor program. It should
determine if the $ d $ and $ pi $ Attributes match those of a tree with the shortest paths.
You can assume that all edge weights are not negative.

I have the answer from the solution guide, but I just don't understand how this answer actually works: (below on page 5/19, Exercise 24.3-4 didn't want to overload the question with a long solution):

Basically, the solution says that we have to check every edge $ (u, v) $ for all $ v neq s $. I understand that we just have to make sure of that $ s.d = 0 $ and $ s. pi = NIL $ since the $ delta (s, s) = 0 $ and $ s $ should not have a predecessor as this is the first vertex in the diagram. The solution mentions the following:

"Check that $ v. pi $ is the vertex that minimizes $ u.d + w (u, v) $ to the
all key points $ u $ for which there is an edge $ (u, v) $, and the $ v.d =
> v.π.d + w (v.π, v) $
. If this is ever wrong, return false. "

So I understand that for everyone $ v neq s $ The $ v. pi.d <v.d $ by the fact that $ v.d = v. pi.d + w (v.pi, v) $ Therefore, due to the simple property, the distance of the predecessor of a node must always be smaller than that of the node.

How do we manage to check that?: "$ v. pi $ is the vertex that minimizes $ u.d + w (u, v) $ for all key points $ u $ for which there is an edge $ (u, v) $? "

Since we say we pick a random vertex in the graph that is a neighbor of $ s $Call this node $ v $. So $ delta (s, v) $ could possibly be calculated by going through half of the graph and then using $ v $ through another knot, $ u $ if the $ w (s, v) $ is extremely large. How does the algorithm check such cases? Does it make sure it starts? just with the neighbors of $ s $ First, check these distances and essentially continue inductively to check the remaining predecessors and distances.

It seems that for $ v in V – {s} $ that if $ v. pi $ is correct, then only remains to be checked $ v.d $? I just don't really understand how the algorithm can do this correctly. It loops through the graph or iterates over the adjacency list / set of edges for each node, so that for a node, $ v $ we check all edge $ (u, v) $ somehow and then with an understanding of whether the knot $ v $ has the right one $ v. pi $?

Could someone please help / explain how this solution works? I've been struggling with it for a few hours now and have walked through the algorithm with written examples, but I don't see the pattern here. Thank you very much.

Windows Authentication – Changes from a Windows identity context to a context that represents a Sharepoint Windows Claims user

In a Windows service with a delegated Windows identity, we access Sharepoint 2016 or 2019 using the Sharepoint server object model (SSOM) in the "Microsoft.SharePoint.dll" file. The Windows service is running .NET 4.5.1 and SharePoint is in claims-based mode. The code to access SharePoint looks like this:

   using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate())
       using (SPSite archive = new SPSite(siteId))
       using (SPWeb workArea = archive.OpenWeb(webId))
           SPList list = workArea.Lists(listId);
           SPFile spFile = RetrieveSPFileFromSPList(list, fileId);

The Windows users pretend and the SharePoint objects are created. This works well for the site administrator who is a normal Windows user. If the impersonated user is another domain user, e.g. Access to SharePoint with the name "domain user1" is not permitted. SharePoint knows the "Domain User1" as a Windows claim user like "i: 0 # .w | Domain User1". So how can we do a context switch that can represent the Windows user "domain user1" as "i: 0 # .w | domain user1" to access server-side SharePoint objects?

external calls – RegisterExternalEvaluator claims MissingDependencies even though ZMQ is installed

I have an Anaconda Python installation in a non-standard location. So I ran

RegisterExternalEvaluator["Python", "path-to-python.exe"]

But I got the following error message:

StartExternalSession::depend: The installation does not have the required dependencies.


The only dependency listed for Python is ZMQ, which is installed:

Python zmq

Any idea how I can come RegisterExternalEvaluator to recognize the fact that ZMQ is installed in Python?

The search for M $ claims stinks today

Boy, the anti-M $ preachers never preach an opportunity, do they?

I think they have to come back to us on the other side at every opportunity.

Shawn, I think M $ will also use data centers that run Linux servers. How do we know where they will place the load?

Perhaps it is a huge research and development project like IBM's WebFountain search project. Distributed computing is the future, as is outsourcing. Search projects help these companies learn more about these two areas.

Data centers will become so important in the future that they will all quickly develop their own versions and flavors. Sure M $ will use their own technology. Can you imagine a better way for R&D?

Building a search engine is the best way to do it.

oauth2 – JWT with a single target group claims access to a resource server with several configured target group values

When a single audience JWT ID_Token is presented to a resource server with multiple configured audience values, the resource server should reject the validity of the token due to the mismatch in the audience (i.e. JWT has one, the resource server wants all of those that we configured), or should the resource server accept the validity of the token based on a single match (ie JWT has one, resource server has it in its list of 4, it passes validation as a result)?

Linking app – IOS device child has changed the passcode for the screen time and claims that he did not. Help me catch him

My son has an iPhone xs. We set a screen time passcode because it kept turning off its phone location. and then when I looked at the phone, the same restrictions were shown as locked. I changed "Share my location" to "Always" or "Allow". It has now been changed to "never" or is grayed out. My son seems to have found out and changed the screen time passcode. I can no longer log in to the Screentime passcode I have set. I wrote it down. It is now with so many attempts that I have to wait over an hour before trying again, the warning says. I have 87 attempts. it has been changed.

I found an app that finds the last password set, and this app can't even find it. The location of the phone is still displayed on my phone, but the location option on his phone is set to never be released.

I also noticed that in section 3 of the text messages … I never saw. They told me when the phone was updated it was connected to it.

The shortcut app on the phone that I noticed provides an option for scripts and the like. Is this a new standard update of the app or has it been installed on the phone?

In any case, I have access to the phone, but I can't do anything and I don't know which passcode has been set up. Of course, no one can help me in any shop. I will pay everyone who helps me. You're welcome. and please don't tell me how to educate his help in catching. A link that enables recordings or the like is great and can no doubt be kept confidential. will stop if there is a way to determine if there are problems with the phone. How can I overdue what they did on the phone?