Open renovate[bot] opened 7 months ago
[!IMPORTANT]
Review skipped
Bot user detected.
To trigger a single review, invoke the
@coderabbitai review
command.You can disable this status message by setting the
reviews.review_status
tofalse
in the CodeRabbit configuration file.
This PR contains the following updates:
0.11.5
->0.12.6
Release Notes
jwtk/jjwt (io.jsonwebtoken:jjwt-api)
### [`v0.12.6`](https://redirect.github.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0126) [Compare Source](https://redirect.github.com/jwtk/jjwt/compare/0.12.5...0.12.6) This patch release: - Ensures that after successful JWS signature verification, an application-configured Base64Url `Decoder` output is used to construct a `Jws` instance (instead of JJWT's default decoder). See [Issue 947](https://redirect.github.com/jwtk/jjwt/issues/947). - Fixes a decompression memory leak in concurrent/multi-threaded environments introduced in 0.12.0 when decompressing JWTs with a `zip` header of `GZIP`. See [Issue 949](https://redirect.github.com/jwtk/jjwt/issues/949). - Upgrades BouncyCastle to 1.78 via [PR 941](https://redirect.github.com/jwtk/jjwt/pull/941). ### [`v0.12.5`](https://redirect.github.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0125) [Compare Source](https://redirect.github.com/jwtk/jjwt/compare/0.12.4...0.12.5) This patch release: - Ensures that builders' `NestedCollection` changes are applied to the collection immediately as mutation methods are called, no longer requiring application developers to call `.and()` to 'commit' or apply a change. For example, prior to this release, the following code did not apply changes: ```java JwtBuilder builder = Jwts.builder(); builder.audience().add("an-audience"); // no .and() call builder.compact(); // would not keep 'an-audience' ``` Now this code works as expected and all other `NestedCollection` instances like it apply changes immediately (e.g. when calling `.add(value)`). However, standard fluent builder chains are still recommended for readability when feasible, e.g. ```java Jwts.builder() .audience().add("an-audience").and() // allows fluent chaining .subject("Joe") // etc... .compact() ``` See [Issue 916](https://redirect.github.com/jwtk/jjwt/issues/916). ### [`v0.12.4`](https://redirect.github.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0124) [Compare Source](https://redirect.github.com/jwtk/jjwt/compare/0.12.3...0.12.4) This patch release includes various changes listed below. ##### Jackson Default Parsing Behavior This release makes two behavioral changes to JJWT's default Jackson `ObjectMapper` parsing settings: 1. In the interest of having stronger standards to reject potentially malformed/malicious/accidental JSON that could have undesirable effects on an application, JJWT's default ` ObjectMapper `is now configured to explicitly reject/fail parsing JSON (JWT headers and/or Claims) if/when that JSON contains duplicate JSON member names. For example, now the following JSON, if parsed, would fail (be rejected) by default: ```json { "hello": "world", "thisWillFail": 42, "thisWillFail": "test" } ``` Technically, the JWT RFCs *do allow* duplicate named fields as long as the last parsed member is the one used (see [JWS RFC 7515, Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4)), so this is allowed. However, because JWTs often reflect security concepts, it's usually better to be defensive and reject these unexpected scenarios by default. The RFC later supports this position/preference in [Section 10.12](https://datatracker.ietf.org/doc/html/rfc7515#section-10.12): Ambiguous and potentially exploitable situations could arise if the JSON parser used does not enforce the uniqueness of member names or returns an unpredictable value for duplicate member names. Finally, this is just a default, and the RFC does indeed allow duplicate member names if the last value is used, so applications that require duplicates to be allowed can simply configure their own `ObjectMapper` and use that with JJWT instead of assuming this (new) JJWT default. See [Issue #877](https://redirect.github.com/jwtk/jjwt/issues/877) for more. 2. If using JJWT's support to use Jackson to parse [Custom Claim Types](https://redirect.github.com/jwtk/jjwt#json-jackson-custom-types) (for example, a Claim that should be unmarshalled into a POJO), and the JSON for that POJO contained a member that is not represented in the specified class, Jackson would fail parsing by default. Because POJOs and JSON data models can sometimes be out of sync due to different class versions, the default behavior has been changed to ignore these unknown JSON members instead of failing (i.e. the `ObjectMapper`'s `DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES` is now set to `false`) by default. Again, if you prefer the stricter behavior of rejecting JSON with extra or unknown properties, you can configure `true` on your own `ObjectMapper` instance and use that instance with the `Jwts.parser()` builder. ##### Additional Changes This release also: - Fixes a thread-safety issue when using `java.util.ServiceLoader` to dynamically lookup/instantiate pluggable implementations of JJWT interfaces (e.g. JSON parsers, etc). See [Issue #873](https://redirect.github.com/jwtk/jjwt/issues/873) and its documented fix in [PR #893](https://redirect.github.com/jwtk/jjwt/pull/892). - Ensures Android environments and older `org.json` library usages can parse JSON from a `JwtBuilder`-provided `java.io.Reader` instance. [Issue 882](https://redirect.github.com/jwtk/jjwt/issues/882). - Ensures a single string `aud` (Audience) claim is retained (without converting it to a `Set`) when copying/applying a source Claims instance to a destination Claims builder. [Issue 890](https://redirect.github.com/jwtk/jjwt/issues/890). - Ensures P-256, P-384 and P-521 Elliptic Curve JWKs zero-pad their field element (`x`, `y`, and `d`) byte array values if necessary before Base64Url-encoding per [RFC 7518](https://datatracker.ietf.org/doc/html/rfc7518), Sections [6.2.1.2](https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.2), [6.2.1.3](https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.1.3), and [6.2.2.1](https://datatracker.ietf.org/doc/html/rfc7518#section-6.2.2.1), respectively. [Issue 901](https://redirect.github.com/jwtk/jjwt/issues/901). - Ensures that Secret JWKs for HMAC-SHA algorithms with `k` sizes larger than the algorithm minimum can be parsed/used as expected. See [Issue #905](https://redirect.github.com/jwtk/jjwt/issues/905) - Ensures there is an upper bound (maximum) iterations enforced for PBES2 decryption to help mitigate potential DoS attacks. Many thanks to Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab for their work on this. See [PR 911](https://redirect.github.com/jwtk/jjwt/pull/911). - Fixes various typos in documentation and JavaDoc. Thanks to those contributing pull requests for these! ### [`v0.12.3`](https://redirect.github.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0123) [Compare Source](https://redirect.github.com/jwtk/jjwt/compare/0.12.2...0.12.3) This patch release: - Upgrades the `org.json` dependency to `20231013` to address that library's [CVE-2023-5072](https://nvd.nist.gov/vuln/detail/CVE-2023-5072) vulnerability. - (Re-)enables empty values for custom claims, which was the behavior in <= 0.11.5. [Issue 858](https://redirect.github.com/jwtk/jjwt/issues/858). ### [`v0.12.2`](https://redirect.github.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0122) [Compare Source](https://redirect.github.com/jwtk/jjwt/compare/0.12.1...0.12.2) This is a follow-up release to finalize the work in 0.12.1 that tried to fix a reflection scope problem on >= JDK 17. The 0.12.1 fix worked, but only if the importing project or application did *not* have its own `module-info.java` file. This release removes that reflection code entirely in favor of a JJWT-native implementation, eliminating JPMS module (scope) problems on >= JDK 17. As such, `--add-opens` flags are no longer required to use JJWT. The fix has been tested up through JDK 21 in a separate application environment (out of JJWT's codebase) to assert expected functionality in a 'clean room' environment in a project both with and without `module-info.java` usage. ### [`v0.12.1`](https://redirect.github.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0121) [Compare Source](https://redirect.github.com/jwtk/jjwt/compare/0.12.0...0.12.1) Enabled reflective access on JDK 17+ to `java.io.ByteArrayInputStream` and `sun.security.util.KeyUtil` for `jjwt-impl.jar` ### [`v0.12.0`](https://redirect.github.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0120) [Compare Source](https://redirect.github.com/jwtk/jjwt/compare/0.11.5...0.12.0) This is a big release! JJWT now fully supports Encrypted JSON Web Tokens (JWE), JSON Web Keys (JWK) and more! See the sections below enumerating all new features as well as important notes on breaking changes or backwards-incompatible changes made in preparation for the upcoming 1.0 release. **Because breaking changes are being introduced, it is strongly recommended to wait until the upcoming 1.0 release where you can address breaking changes one time only**. Those that need immediate JWE encryption and JWK key support however will likely want to upgrade now and deal with the smaller subset of breaking changes in the 1.0 release. ##### Simplified Starter Jar Those upgrading to new modular JJWT versions from old single-jar versions will transparently obtain everything they need in their Maven, Gradle or Android projects. JJWT's early releases had one and only one .jar: `jjwt.jar`. Later releases moved to a modular design with 'api' and 'impl' jars including 'plugin' jars for Jackson, GSON, org.json, etc. Some users upgrading from the earlier single jar to JJWT's later versions have been frustrated by being forced to learn how to configure the more modular .jars. This release re-introduces the `jjwt.jar` artifact again, but this time it is simply an empty .jar with Maven metadata that will automatically transitively download the following into a project, retaining the old single-jar behavior: - `jjwt-api.jar` - `jjwt-impl.jar` - `jjwt-jackson.jar` Naturally, developers are still encouraged to configure the modular .jars as described in JJWT's documentation for greater control and to enable their preferred JSON parser, but this stop-gap should help those unaware when upgrading. ##### JSON Web Encryption (JWE) Support! This has been a long-awaited feature for JJWT, years in the making, and it is quite extensive - so many encryption algorithms and key management algorithms are defined by the JWA specification, and new API concepts had to be introduced for all of them, as well as extensive testing with RFC-defined test vectors. The wait is over!\ All JWA-defined encryption algorithms and key management algorithms are fully implemented and supported and available immediately. For example: ```java AeadAlgorithm enc = Jwts.ENC.A256GCM; SecretKey key = enc.key().build(); String compact = Jwts.builder().setSubject("Joe").encryptWith(key, enc).compact(); JweConfiguration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.