jjwt v0.11.0 Release Notes

  • This minor release:

    • Adds Google's Gson as a natively supported JSON parser. Installation instructions have been updated and new JJWT Gson usage guidelines have been added.
    • Updates the Jackson dependency version to 2.9.10 to address three security vulnerabilities in Jackson.
    • A new JwtParserBuilder interface has been added and is the recommended way of creating an immutable and thread-safe JwtParser instance. Mutable methods in JwtParser will be removed before v1.0. Migration to the new signatures is straightforward, for example:

      Previous Version:

      Jwts.parser()
          .requireAudience("string")
          .parse(jwtString)
      

      Current Version:

      Jwts.parserBuilder()
          .requireAudience("string")
          .build()
          .parse(jwtString)
      
    • Adds io.jsonwebtoken.lang.Maps utility class to make creation of maps fluent, as demonstrated next.

    • Adds support for custom types when deserializing with Jackson. To use it, configure your parser:

      Jwts.parserBuilder().deserializeJsonWith(
          new JacksonDeserializer(
              Maps.of("claimName", YourType.class).build() // <--
          )
      ).build()
      
    • Moves JSON Serializer/Deserializer implementations to a different package name.

      • io.jsonwebtoken.io.JacksonSerializer -> io.jsonwebtoken.jackson.io.JacksonSerializer
      • io.jsonwebtoken.io.JacksonDeserializer -> io.jsonwebtoken.jackson.io.JacksonDeserializer
      • io.jsonwebtoken.io.OrgJsonSerializer -> io.jsonwebtoken.orgjson.io.OrgJsonSerializer
      • io.jsonwebtoken.io.OrgJsonDeserializer -> io.jsonwebtoken.orgjson.io.OrgJsonDeserializer

    Backward compatibility modules have been created using the deprecated classifier (io.jsonwebtoken:jjwt-jackson:0.11.0:deprecated and io.jsonwebtoken:jjwt-orgjson:0.11.0:deprecated) for use if you are compiling against these classes directly; otherwise you will be unaffected.

    Backwards Compatibility Warning

    Due to this package move, if you are currently using one of the above four existing (pre 0.11.0) classes with compile scope, you must either:

    1. change your code to use the newer package classes (recommended), or
    2. change your build/dependency configuration to use the deprecated dependency classifier to use the existing classes, as follows:

    Maven

    <dependency>
        <groupId>io.jsonwebtoken</groupId>
        <artifactId>jjwt-jackson</artifactId>
        <version>0.11.0</version>
        <classifier>deprecated</classifier>
        <scope>compile</scope>
    </dependency>
    

    Gradle

    compile 'io.jsonwebtoken:jjwt-jackson:0.11.0:deprecated'
    

    Note that the first option is recommended since the second option will not be available starting with the 1.0 release.
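
The parser-builder migration and the custom-type Jackson deserializer described above, combined in one added example (not code from the JJWT project or these release notes). The User type, the "user" claim, the "orders-api" and "billing-api" audiences, the class name, and the choice of setSigningKey/parseClaimsJws rather than parse are assumptions made for illustration.

```java
// Added example: names and claim values below are constructed for illustration.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.jackson.io.JacksonDeserializer; // new package as of 0.11.0
import io.jsonwebtoken.lang.Maps;
import io.jsonwebtoken.security.Keys;
import javax.crypto.SecretKey;

public class ParserBuilderExample {
    // Hypothetical claim type; Jackson needs a no-arg constructor and accessible fields.
    public static class User {
        public String name, role;
        public User() {}
        public User(String name, String role) { this.name = name; this.role = role; }
    }

    public static void main(String[] args) {
        SecretKey key = Keys.secretKeyFor(SignatureAlgorithm.HS256); // throwaway demo key

        // Build once: the resulting JwtParser is immutable and can be shared across threads.
        JwtParser parser = Jwts.parserBuilder()
                .setSigningKey(key)
                .requireAudience("orders-api")
                .deserializeJsonWith(new JacksonDeserializer(Maps.of("user", User.class).build()))
                .build();

        String good = Jwts.builder().setAudience("orders-api")
                .claim("user", new User("alice", "admin")).signWith(key).compact();
        String wrongAudience = Jwts.builder().setAudience("billing-api")
                .claim("user", new User("alice", "admin")).signWith(key).compact();

        // parseClaimsJws checks the signature and the required audience before returning claims.
        Claims claims = parser.parseClaimsJws(good).getBody();
        User user = claims.get("user", User.class); // typed object instead of a raw Map
        System.out.println(user.name + " / " + user.role);

        try {
            parser.parseClaimsJws(wrongAudience);
        } catch (JwtException e) { // a failed requireAudience check surfaces as a JwtException
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Running it requires jjwt-api, jjwt-impl and jjwt-jackson 0.11.0 on the classpath; the raw JacksonDeserializer constructor call mirrors the snippet in the release notes and compiles with an unchecked warning.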