Releases: jwtk/jjwt
0.12.5
This release fixes issue #916 and ensures that builders' NestedCollection changes are applied to the collection immediately as mutation methods are called, no longer requiring application developers to call .and() to 'commit' or apply a change. For example, prior to this release, the following code did not apply changes:
JwtBuilder builder = Jwts.builder();
builder.audience().add("an-audience"); // no .and() call
builder.compact(); // would not keep 'an-audience'Now this code works as expected and all other NestedCollection instances like it apply changes immediately (e.g. when calling
.add(value)).
However, standard fluent builder chains are still recommended for readability when feasible, e.g.
Jwts.builder()
.audience().add("an-audience").and() // allows fluent chaining
.subject("Joe")
// etc...
.compact()These same notes are repeated in the CHANGELOG, and as always, project documentation is in the README.
Please allow 30 minutes from the time this announcement is published for the release to be available in Maven Central.
0.12.4
This is patch release completes 10 issues, with two especially noteworthy changes, and a number of other smaller bug fixes and enhancements.
- The default Jackson deserializer will now reject duplicate JSON members by default in an attempt to be a little more strict at rejecting potentially malicious or malformed JSON. This is a default and can be overridden with a custom
ObjectMapperif desired. - Password-based JWE encryption key algorithms (
PBES2_HS256_A128KW,PBES2_HS384_A192KWandPBES2_HS512_A256KW) now enforce an upper bound (maximum) number of iterations allowed during decryption to mitigate against potential DoS attacks. Many thanks to Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab for their work on this!
A number of other issues fixed: thread-safe ServiceLoader usage for dynamic JSON processor lookup, Android enhancements for JSON Reader APIs, fixed Elliptic Curve field element padding, and more. Please read the 0.12.4 CHANGELOG for full details of all of these changes, and as always, project documentation is in the 0.12.4 README.
Please allow 30 minutes from the time this announcement is published for the release to be available in Maven Central.
0.12.3
This is a minor patch release that address two issues:
-
The
org.jsondependency has been upgraded to20231013to address that library's
CVE-2023-5072 vulnerability. -
Empty custom claims values are (re-)enabled which was the behavior in <= 0.11.5. See Issue 858.
These same notes are repeated in the CHANGELOG, and as always, project documentation is in the README.
Please allow 30 minutes from the time this announcement is published for the release to be available in Maven Central.
0.12.2
This is a follow-up release to finalize the work in 0.12.1 that tried to fix a reflection scope problem
on >= JDK 17. The 0.12.1 fix worked, but only if the importing project or application did not have its own
module-info.java file.
This release removes that reflection code entirely in favor of a JJWT-native implementation, eliminating JPMS
module (scope) problems on >= JDK 17. As such, --add-opens flags are no longer required to use JJWT.
The fix has been tested up through JDK 21 in a separate application environment (out of JJWT's codebase) to assert
expected functionality in a 'clean room' environment in a project both with and without module-info.java usage.
Notes are in the CHANGELOG, and project documentation is in the README.
Please allow 30 minutes from the time this announcement is published for the release to be available in Maven Central.
0.12.1
0.12.0
It is finally here! This release includes full support for JSON Web Encryption (JWE), JSON Web Keys (JWK), JSON Web Key Thumbprints, JSON Web Key Thumbprint URIs, and so, so much more.
This is the culmination of hundreds of hours worth of work and testing, and we're glad to finally release it. However, please note:
This is our first-ever breaking change release. While we tried hard to minimize the breakages, some were just necessary in preparation for 1.0 and to finalize all JWT RFC features. If you are not partial to fixing changes when upgrading a library, we strongly encourage you to wait until the 1.0 release.
Please pay particular attention to the CHANGELOG listing breaking changes.
Full documentation is available in the README.