jjwt v0.11.0 Release Notes
This minor release:
- Adds Google's Gson as a natively supported JSON parser. Installation instructions have been updated and new JJWT Gson usage guidelines have been added.
- Updates the Jackson dependency version to 2.9.10 to address three security vulnerabilities in Jackson.

A new JwtParserBuilder interface has been added and is the recommended way of creating an immutable and thread-safe JwtParser instance. Mutable methods in JwtParser will be removed before v1.0. Migration to the new signatures is straightforward, for example:

Previous Version:

    Jwts.parser()
        .requireAudience("string")
        .parse(jwtString)

Current Version:

    Jwts.parserBuilder()
        .requireAudience("string")
        .build()
        .parse(jwtString)

Adds io.jsonwebtoken.lang.Maps utility class to make creation of maps fluent, as demonstrated next.

Adds support for custom types when deserializing with Jackson. To use this, configure your parser:

    Jwts.parserBuilder().deserializeJsonWith(
        new JacksonDeserializer(
            Maps.of("claimName", YourType.class).build() // <--
        )
    ).build()

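The two changes above combined, as an added example that is not part of the original release notes: one shared parser built with JwtParserBuilder that pins the signing key, requires an audience and maps a claim to a custom type. It assumes jjwt-api, jjwt-impl and jjwt-jackson 0.11.0 on the classpath; the User class, the "user" claim name and the audience values are hypothetical, and it calls parseClaimsJws so that only signed tokens are accepted.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.jackson.io.JacksonDeserializer;
import io.jsonwebtoken.lang.Maps;
import io.jsonwebtoken.security.Keys;
import javax.crypto.SecretKey;

public class ParserBuilderExample {
    // Hypothetical claim type; public fields keep the Jackson mapping simple.
    public static class User {
        public String name;
        public String role;
    }

    // Constructed key for the demo; a real service loads its key from a secret store.
    static final SecretKey KEY = Keys.secretKeyFor(SignatureAlgorithm.HS256);

    // Build once and share: the built JwtParser is immutable and thread-safe.
    // The raw JacksonDeserializer type follows the form used in the release notes.
    @SuppressWarnings({"unchecked", "rawtypes"})
    static final JwtParser PARSER = Jwts.parserBuilder()
            .setSigningKey(KEY)               // signature is verified on every parse
            .requireAudience("orders-api")    // hypothetical audience value
            .deserializeJsonWith(new JacksonDeserializer(Maps.of("user", User.class).build()))
            .build();

    // Issues a signed token for the given audience, carrying a User object as a claim.
    static String issue(String audience) {
        User u = new User();
        u.name = "alice";
        u.role = "admin";
        return Jwts.builder().setAudience(audience).claim("user", u).signWith(KEY).compact();
    }

    public static void main(String[] args) {
        // Matching audience: the "user" claim comes back as a User, not a Map.
        Claims ok = PARSER.parseClaimsJws(issue("orders-api")).getBody();
        System.out.println(ok.get("user", User.class).role);

        // Wrong audience: the parser rejects the token before any claim is used.
        try {
            PARSER.parseClaimsJws(issue("billing-api"));
        } catch (JwtException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```
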
Moves JSON Serializer/Deserializer implementations to a different package name.

- io.jsonwebtoken.io.JacksonSerializer -> io.jsonwebtoken.jackson.io.JacksonSerializer
- io.jsonwebtoken.io.JacksonDeserializer -> io.jsonwebtoken.jackson.io.JacksonDeserializer
- io.jsonwebtoken.io.OrgJsonSerializer -> io.jsonwebtoken.orgjson.io.OrgJsonSerializer
- io.jsonwebtoken.io.OrgJsonDeserializer -> io.jsonwebtoken.orgjson.io.OrgJsonDeserializer

Backward compatibility modules have been created using the deprecated classifier (io.jsonwebtoken:jjwt-jackson:0.11.0:deprecated and io.jsonwebtoken:jjwt-orgjson:0.11.0:deprecated) for use if you are compiling against these classes directly; otherwise you will be unaffected.

Backwards Compatibility Warning

Due to this package move, if you are currently using one of the above four existing (pre 0.11.0) classes with compile scope, you must either:
- change your code to use the newer package classes (recommended), or
- change your build/dependency configuration to use the deprecated dependency classifier to use the existing classes, as follows:

Maven

    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-jackson</artifactId>
        <version>0.11.0</version>
        <classifier>deprecated</classifier>
        <scope>compile</scope>
    </dependency>

Gradle

    compile 'io.jsonwebtoken:jjwt-jackson:0.11.0:deprecated'

Note that the first option is recommended, since the second option will not be available starting with the 1.0 release.