Fix split package issue in extensions/jackson and extensions/orgjson (#488)

* Fix split package issue in extensions/jackson and extensions/orgjson

This moves the implementation-specific classes:
- `io.jsonwebtoken.io.Jackson*` to `io.jsonwebtoken.jackson.io.Jackson*`
- `io.jsonwebtoken.io.OrgJson*` to `io.jsonwebtoken.orgjson.io.OrgJson*`

* Add Backwards Compatibility Warning to CHANGELOG
* Add `jjwt-jackson:deprecated` and `jjwt-orgjson:deprecated` modules to retain backward-compatible versions of the Jackson and OrgJson Serializers (this is built with the shade plugin and binary compatibility validated with japicmp)

Fixes: #399
Brian Demers 2019-09-27 17:11:19 -04:00 committed by GitHub
parent b5958202c0
commit 6e74be0b8d
18 changed files with 208 additions and 24 deletions


@ -3,7 +3,40 @@
### 0.11.0
* Updates the Jackson dependency version to [2.9.10](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9#patches)
to address three security vulnerabilities in Jackson:
to address three security vulnerabilities in Jackson.
* Moves JSON Serializer/Deserializer implementations to a different package name.
- `io.jsonwebtoken.io.JacksonSerializer` -> `io.jsonwebtoken.jackson.io.JacksonSerializer`
- `io.jsonwebtoken.io.JacksonDeserializer` -> `io.jsonwebtoken.jackson.io.JacksonDeserializer`
- `io.jsonwebtoken.io.OrgJsonSerializer` -> `io.jsonwebtoken.orgjson.io.OrgJsonSerializer`
- `io.jsonwebtoken.io.OrgJsonDeserializer` -> `io.jsonwebtoken.orgjson.io.OrgJsonDeserializer`
A backward compatibility modules has been created using the `deprecated` classifier (`io.jsonwebtoken:jjwt-jackson:0.11.0:deprecated` and `io.jsonwebtoken:jjwt-orjson:0.11.0:deprecated`), if you are compiling against these classes directly, otherwise you will be unaffected.
#### Backwards Compatibility Warning
Due to this package move, if you are currently using one of the above four existing (pre 0.11.0) classes with `compile` scope, you must either:
1. change your code to use the newer package classes (recommended), or
1. change your build/dependency configuration to use the `deprecated` dependency classifier to use the existing classes, as follows:
**Maven**
```xml
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt-jackson</artifactId>
<version>0.11.0</version>
<classifier>deprecated</classifier>
<scope>compile</scope>
</dependency>
```
**Gradle**
```groovy
compile 'io.jsonwebtoken:jjwt-jackson:0.11.0:deprecated'
```
**Note:** that the first option is recommended since the second option will not be available starting with the 1.0 release.
### 0.10.7


@ -44,4 +44,37 @@
</dependency>
</dependencies>
<build>
<plugins>
<!-- The following plugin section is used in jjwt-jackson and jjwt-orgjson, to repackage (and verify)
binary compatibility with previous versions. In v0.11.0 the implementations changed packages to
avoid split package issues with Java 9+ see: https://github.com/jwtk/jjwt/issues/399 -->
<!-- TODO: remove these deprecated packages and this config before v1.0 -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<configuration>
<relocations>
<relocation>
<pattern>io.jsonwebtoken.jackson.io</pattern>
<shadedPattern>io.jsonwebtoken.io</shadedPattern>
<includes>io.jsonwebtoken.jackson.io.*</includes>
</relocation>
</relocations>
</configuration>
</plugin>
<plugin>
<groupId>com.github.siom79.japicmp</groupId>
<artifactId>japicmp-maven-plugin</artifactId>
<configuration>
<newVersion>
<file>
<!-- compare the previous version with the new 'deprecated' package -->
<path>${project.build.directory}/${project.artifactId}-${project.version}-deprecated.${project.packaging}</path>
</file>
</newVersion>
</configuration>
</plugin>
</plugins>
</build>
</project>


@ -13,9 +13,11 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.jsonwebtoken.io;
package io.jsonwebtoken.jackson.io;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.io.DeserializationException;
import io.jsonwebtoken.io.Deserializer;
import io.jsonwebtoken.lang.Assert;
import java.io.IOException;


@ -13,10 +13,12 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.jsonwebtoken.io;
package io.jsonwebtoken.jackson.io;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.io.SerializationException;
import io.jsonwebtoken.io.Serializer;
import io.jsonwebtoken.lang.Assert;
/**


@ -13,9 +13,11 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.jsonwebtoken.io
package io.jsonwebtoken.jackson.io
import com.fasterxml.jackson.databind.ObjectMapper
import io.jsonwebtoken.io.DeserializationException
import io.jsonwebtoken.jackson.io.JacksonDeserializer
import io.jsonwebtoken.lang.Strings
import org.junit.Test


@ -13,10 +13,12 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.jsonwebtoken.io
package io.jsonwebtoken.jackson.io
import com.fasterxml.jackson.core.JsonProcessingException
import com.fasterxml.jackson.databind.ObjectMapper
import io.jsonwebtoken.io.SerializationException
import io.jsonwebtoken.jackson.io.JacksonSerializer
import io.jsonwebtoken.lang.Strings
import org.junit.Test


@ -44,4 +44,37 @@
</dependency>
</dependencies>
<build>
<plugins>
<!-- The following plugin section is used in jjwt-jackson and jjwt-orgjson, to repackage (and verify)
binary compatibility with previous versions. In v0.11.0 the implementations changed packages to
avoid split package issues with Java 9+ see: https://github.com/jwtk/jjwt/issues/399 -->
<!-- TODO: remove these deprecated packages and this config before v1.0 -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<configuration>
<relocations>
<relocation>
<pattern>io.jsonwebtoken.orgjson.io</pattern>
<shadedPattern>io.jsonwebtoken.io</shadedPattern>
<includes>io.jsonwebtoken.orgjson.io.*</includes>
</relocation>
</relocations>
</configuration>
</plugin>
<plugin>
<groupId>com.github.siom79.japicmp</groupId>
<artifactId>japicmp-maven-plugin</artifactId>
<configuration>
<newVersion>
<file>
<!-- compare the previous version with the new 'deprecated' package -->
<path>${project.build.directory}/${project.artifactId}-${project.version}-deprecated.${project.packaging}</path>
</file>
</newVersion>
</configuration>
</plugin>
</plugins>
</build>
</project>


@ -13,8 +13,10 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.jsonwebtoken.io;
package io.jsonwebtoken.orgjson.io;
import io.jsonwebtoken.io.DeserializationException;
import io.jsonwebtoken.io.Deserializer;
import io.jsonwebtoken.lang.Assert;
import io.jsonwebtoken.lang.Strings;
import org.json.JSONArray;


@ -13,8 +13,11 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.jsonwebtoken.io;
package io.jsonwebtoken.orgjson.io;
import io.jsonwebtoken.io.Encoders;
import io.jsonwebtoken.io.SerializationException;
import io.jsonwebtoken.io.Serializer;
import io.jsonwebtoken.lang.Classes;
import io.jsonwebtoken.lang.Collections;
import io.jsonwebtoken.lang.DateFormats;


@ -13,9 +13,10 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.jsonwebtoken.io
package io.jsonwebtoken.orgjson.io
import io.jsonwebtoken.lang.Classes
import io.jsonwebtoken.orgjson.io.OrgJsonSerializer
import org.junit.Test
import org.junit.runner.RunWith
import org.powermock.core.classloader.annotations.PrepareForTest


@ -13,9 +13,11 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.jsonwebtoken.io
package io.jsonwebtoken.orgjson.io
import io.jsonwebtoken.io.DeserializationException
import io.jsonwebtoken.lang.Strings
import io.jsonwebtoken.orgjson.io.OrgJsonDeserializer
import org.junit.Test
import static org.junit.Assert.*


@ -13,11 +13,13 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package io.jsonwebtoken.io
package io.jsonwebtoken.orgjson.io
import io.jsonwebtoken.SignatureAlgorithm
import io.jsonwebtoken.io.SerializationException
import io.jsonwebtoken.lang.DateFormats
import io.jsonwebtoken.lang.Strings
import io.jsonwebtoken.orgjson.io.OrgJsonSerializer
import org.json.JSONObject
import org.json.JSONString
import org.junit.Before


@ -38,5 +38,4 @@
<module>orgjson</module>
<module>gson</module>
</modules>
</project>


@ -45,10 +45,10 @@ public class RuntimeClasspathDeserializerLocator<T> implements InstanceLocator<D
@SuppressWarnings("WeakerAccess") //to allow testing override
protected Deserializer<T> locate() {
if (isAvailable("io.jsonwebtoken.io.JacksonDeserializer")) {
return Classes.newInstance("io.jsonwebtoken.io.JacksonDeserializer");
} else if (isAvailable("io.jsonwebtoken.io.OrgJsonDeserializer")) {
return Classes.newInstance("io.jsonwebtoken.io.OrgJsonDeserializer");
if (isAvailable("io.jsonwebtoken.jackson.io.JacksonDeserializer")) {
return Classes.newInstance("io.jsonwebtoken.jackson.io.JacksonDeserializer");
} else if (isAvailable("io.jsonwebtoken.orgjson.io.OrgJsonDeserializer")) {
return Classes.newInstance("io.jsonwebtoken.orgjson.io.OrgJsonDeserializer");
} else if (isAvailable("io.jsonwebtoken.gson.io.GsonDeserializer")) {
return Classes.newInstance("io.jsonwebtoken.gson.io.GsonDeserializer");
} else {
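Review bot: The probe list in locate() now checks only the new `io.jsonwebtoken.jackson.io` and `io.jsonwebtoken.orgjson.io` class names, while the `deprecated` classifier artifacts introduced in this same commit relocate those classes back to `io.jsonwebtoken.io` (per the shade `<relocation>` in the extension poms), so a runtime classpath that carries only a deprecated-classifier jar would fall through to the final else branch instead of being auto-detected. If that is intentional because deprecated-artifact users are expected to pass their Serializer/Deserializer explicitly, a short comment above the first `isAvailable` call stating that the legacy package is deliberately not probed would save the next reader the same question; otherwise add the old names as a last-resort probe, e.g. `} else if (isAvailable("io.jsonwebtoken.io.JacksonDeserializer")) {` / `return Classes.newInstance("io.jsonwebtoken.io.JacksonDeserializer");` after the gson branch. The same applies to RuntimeClasspathSerializerLocator.locate() in the next file section. The else branch of locate() continues outside the hunk, so I cannot see what happens when nothing is found.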


@ -45,10 +45,10 @@ public class RuntimeClasspathSerializerLocator implements InstanceLocator<Serial
@SuppressWarnings("WeakerAccess") //to allow testing override
protected Serializer<Object> locate() {
if (isAvailable("io.jsonwebtoken.io.JacksonSerializer")) {
return Classes.newInstance("io.jsonwebtoken.io.JacksonSerializer");
} else if (isAvailable("io.jsonwebtoken.io.OrgJsonSerializer")) {
return Classes.newInstance("io.jsonwebtoken.io.OrgJsonSerializer");
if (isAvailable("io.jsonwebtoken.jackson.io.JacksonSerializer")) {
return Classes.newInstance("io.jsonwebtoken.jackson.io.JacksonSerializer");
} else if (isAvailable("io.jsonwebtoken.orgjson.io.OrgJsonSerializer")) {
return Classes.newInstance("io.jsonwebtoken.orgjson.io.OrgJsonSerializer");
} else if (isAvailable("io.jsonwebtoken.gson.io.GsonSerializer")) {
return Classes.newInstance("io.jsonwebtoken.gson.io.GsonSerializer");
} else {


@ -15,10 +15,10 @@
*/
package io.jsonwebtoken.impl.io
import com.fasterxml.jackson.databind.ObjectMapper
import io.jsonwebtoken.io.Deserializer
import io.jsonwebtoken.io.JacksonDeserializer
import io.jsonwebtoken.io.OrgJsonDeserializer
import io.jsonwebtoken.jackson.io.JacksonDeserializer
import io.jsonwebtoken.orgjson.io.OrgJsonDeserializer
import io.jsonwebtoken.gson.io.GsonDeserializer
import org.junit.After
import org.junit.Before


@ -16,8 +16,8 @@
package io.jsonwebtoken.impl.io
import io.jsonwebtoken.io.Serializer
import io.jsonwebtoken.io.JacksonSerializer
import io.jsonwebtoken.io.OrgJsonSerializer
import io.jsonwebtoken.jackson.io.JacksonSerializer
import io.jsonwebtoken.orgjson.io.OrgJsonSerializer
import io.jsonwebtoken.gson.io.GsonSerializer
import org.junit.After
import org.junit.Before

pom.xml

@ -86,6 +86,7 @@
<properties>
<jjwt.root>${basedir}</jjwt.root>
<jjwt.previousVersion>0.10.7</jjwt.previousVersion>
<maven.jar.version>3.0.2</maven.jar.version>
<maven.compiler.version>3.6.1</maven.compiler.version>
@ -269,6 +270,73 @@
<source>${jdk.version}</source>
</configuration>
</plugin>
<plugin>
<!-- japicmp will scan code for binary breaking changes, Open api/target/japicmp/japicmp.html
for a report of the changes since ${jjwt.previousVersion} -->
<groupId>com.github.siom79.japicmp</groupId>
<artifactId>japicmp-maven-plugin</artifactId>
<version>0.13.0</version>
<configuration>
<oldVersion>
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>${project.artifactId}</artifactId>
<version>${jjwt.previousVersion}</version>
<type>jar</type>
</dependency>
</oldVersion>
<parameter>
<onlyModified>true</onlyModified>
<breakBuildOnBinaryIncompatibleModifications>true</breakBuildOnBinaryIncompatibleModifications>
<!-- TODO: enable after 1.0 -->
<!-- <breakBuildBasedOnSemanticVersioning>true</breakBuildBasedOnSemanticVersioning>-->
</parameter>
</configuration>
</plugin>
<!-- The following plugin section is used in jjwt-jackson and jjwt-orgjson, to repackage (and verify)
binary compatibility with previous versions. In v0.11.0 the implementations changed packages to
avoid split package issues with Java 9+ see: https://github.com/jwtk/jjwt/issues/399 -->
<!-- TODO: remove these deprecated packages and this config before v1.0 -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<version>3.2.1</version>
<configuration>
<shadedClassifierName>deprecated</shadedClassifierName>
<shadedArtifactAttached>true</shadedArtifactAttached>
<createDependencyReducedPom>false</createDependencyReducedPom>
<artifactSet>
<includes>
<include>${project.groupId}:${project.artifactId}</include>
</includes>
</artifactSet>
<transformers>
<transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer"/>
</transformers>
</configuration>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>shade</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>com.github.siom79.japicmp</groupId>
<artifactId>japicmp-maven-plugin</artifactId>
<version>0.13.1</version>
<executions>
<execution>
<id>japicmp</id>
<goals>
<goal>cmp</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</pluginManagement>
<plugins>
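Review bot: The same plugin `com.github.siom79.japicmp:japicmp-maven-plugin` is declared twice inside `<pluginManagement>` in this hunk, once with `<version>0.13.0</version>` and the `<oldVersion>`/`<parameter>` configuration, and again with `<version>0.13.1</version>` and the `<executions>` block. Maven treats duplicate plugin declarations in one pluginManagement block as a model problem (it warns that the groupId:artifactId must be unique), and which version and configuration end up effective is not something I can determine from the hunk. I would merge them into a single declaration: keep one `<version>` (presumably 0.13.1, the newer of the two), move the `<executions>` element from the second declaration into the first, and delete the second `<plugin>` block. Since `breakBuildOnBinaryIncompatibleModifications` is the enforcement the commit description relies on, it is worth confirming after the merge that the `cmp` goal still binds and fails the build as intended. The enclosing `<pluginManagement>` and the following `<plugins>` section continue outside the hunk.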