return claims
}

func getClaimsFromTokenWithSecret(token, secret string) (*xjwt.MapClaims, error) {
	// JWT token for x-amz-security-token is signed with admin
	// secret key, temporary credentials become invalid if
	// server admin credentials change. This is done to ensure
	// that clients cannot decode the token using the temp
	// secret keys and generate an entirely new claim by essentially

		}
		if accessKey != "" {
			os.Setenv(config.EnvRootUser, accessKey)
		}
	}

	if env.IsSet(config.EnvSecretKeyFile) {
		secretKey, err := readFromSecret(env.Get(config.EnvSecretKeyFile, ""))
		if err != nil {
			logger.Fatal(config.ErrInvalidCredentials(err),
				"Unable to validate credentials inherited from the secret file(s)")
		}
		if secretKey != "" {

    void testHandlePasswordOnly() throws Exception {
        JAASAuthenticator auth = new JAASAuthenticator("DOM", "user", "secret");
        PasswordCallback pc = new PasswordCallback("pass:", false);
        auth.handle(new Callback[] { pc });
        assertEquals("secret", new String(pc.getPassword()));
    }

    @Test
    @DisplayName("handle: empty user/domain edge yields '@' and null password")

	}
	return nil
}

// getTokenSigningKey returns secret key used to sign JWT session tokens
func getTokenSigningKey() (string, error) {
	secret := globalActiveCred.SecretKey
	if globalSiteReplicationSys.isEnabled() {
		secretKey, err := globalSiteReplicatorCred.Get(GlobalContext)
		if err != nil {
			return "", err
		}
		return secretKey, nil
	}
	return secret, nil
}

///

## Handle JWT tokens { #handle-jwt-tokens }

Import the modules installed.

Create a random secret key that will be used to sign the JWT tokens.

To generate a secure random secret key use the command:

<div class="termy">

```console
$ openssl rand -hex 32

09d25e094faa6ca2556c818166b7a9563b93f7099f6f0f4caa6cf63b88e8d3e7
```

Pydantic models have a `.dict()` method that returns a `dict` with the model's data.

So, if we create a Pydantic object `user_in` like:

```Python
user_in = UserIn(username="john", password="secret", email="******@****.***")
```

and then we call:

```Python
user_dict = user_in.dict()
```

          role-to-assume: arn:aws:iam::992382829881:role/GHASecrets_gradle_all
          aws-region: "eu-central-1"
      - name: get secrets
        uses: aws-actions/aws-secretsmanager-get-secrets@v2
        with:
          secret-ids: |
            PERFORMANCE_DB_URL, gha/gradle/_all/PERFORMANCE_DB_URL
            PERFORMANCE_DB_USERNAME, gha/gradle/_all/PERFORMANCE_DB_USERNAME

Melden Sie sich bei der Anwendung auf die gleiche Weise wie zuvor an.

Verwenden Sie die Anmeldeinformationen:

Benutzername: `johndoe`
Passwort: `secret`.

/// check

Beachten Sie, dass im Code nirgendwo das Klartext-Passwort "`secret`" steht, wir haben nur die gehashte Version.

///

<img src="/img/tutorial/security/image08.png">

Autoriza la aplicación de la misma manera que antes.

Usando las credenciales:

Usuario: `johndoe`
Contraseña: `secret`

/// check | Revisa

Observa que en ninguna parte del código está la contraseña en texto claro "`secret`", solo tenemos la versión con hash.

///

<img src="/img/tutorial/security/image08.png">

Llama al endpoint `/users/me/`, obtendrás el response como:

                case FessConfig.APP_CIPHER_KEY:
                    return "___change__me___";
                case FessConfig.APP_ENCRYPT_PROPERTY_PATTERN:
                    return ".*password|.*key|.*token|.*secret";
                case FessConfig.APP_EXTENSION_NAMES:
                    return "jpg,jpeg,gif,png";

                case FessConfig.JOB_MAX_CRAWLER_PROCESSES:
                    return "3";