mirror of https://github.com/jwtk/jjwt.git
Merge branch 'master' into merge_master_jwe
commit
8cfc9f5cba
|
@ -15,5 +15,5 @@ install: echo "No need to run mvn install -DskipTests then mvn install. Running
|
|||
script: mvn install
|
||||
|
||||
after_success:
|
||||
- test -z "$BUILD_COVERAGE" || mvn clean test jacoco:report coveralls:report
|
||||
- test -z "$BUILD_COVERAGE" || mvn clean test clover:check clover:clover coveralls:report
|
||||
|
||||
|
|
16
CHANGELOG.md
16
CHANGELOG.md
|
@ -1,5 +1,21 @@
|
|||
## Release Notes
|
||||
|
||||
### 0.8.0
|
||||
|
||||
This is a minor feature enhancement, dependency version update and build update release. We switched from Jacoco to
|
||||
OpenClover as OpenClover delivers a higher quality of test metrics. As an interim measure, we introduced a new
|
||||
repository that has an updated version of the coveralls-maven-plugin which includes support for Clover reporting to
|
||||
Coveralls. Once this change has been merged and released to the official coveralls-maven-plugin on maven central,
|
||||
this repository will be removed. The following dependencies were updated to the latest release version: maven
|
||||
compiler, maven enforcer, maven failsafe, maven release, maven scm provider, maven bundle, maven gpg, maven source,
|
||||
maven javadoc, jackson, bouncy castle, groovy, logback and powermock. Of significance, is the upgrade for jackson as
|
||||
a security issue was addressed in its latest release.
|
||||
|
||||
An `addClaims` method is added to the `JwtBuilder` interface in this release. It adds all given name/value pairs to
|
||||
the JSON Claims in the payload.
|
||||
|
||||
Additional tests were added to improve overall test coverage.
|
||||
|
||||
### 0.7.0
|
||||
|
||||
This is a minor feature enhancement and bugfix release. One of the bug fixes is particularly important if using
|
||||
|
|
|
@ -7,10 +7,10 @@ JJWT aims to be the easiest to use and understand library for creating and verif
|
|||
|
||||
JJWT is a Java implementation based on the [JWT](https://tools.ietf.org/html/rfc7519), [JWS](https://tools.ietf.org/html/rfc7515), [JWE](https://tools.ietf.org/html/rfc7516), [JWK](https://tools.ietf.org/html/rfc7517) and [JWA](https://tools.ietf.org/html/rfc7518) RFC specifications.
|
||||
|
||||
The library was created by [Stormpath's](http://www.stormpath.com) CTO, [Les Hazlewood](https://github.com/lhazlewood)
|
||||
The library was created by [Okta's](http://www.okta.com) Senior Architect, [Les Hazlewood](https://github.com/lhazlewood)
|
||||
and is now maintained by a [community](https://github.com/jwtk/jjwt/graphs/contributors) of contributors.
|
||||
|
||||
[Stormpath](https://stormpath.com/) is a complete authentication and user management API for developers.
|
||||
[Okta](https://developer.okta.com/) is a complete authentication and user management API for developers.
|
||||
|
||||
We've also added some convenience extensions that are not part of the specification, such as JWT compression and claim enforcement.
|
||||
|
||||
|
@ -225,13 +225,13 @@ JJWT depends on Jackson 2.8.x (or later). If you are already using a Jackson ve
|
|||
<dependency>
|
||||
<groupId>com.fasterxml.jackson.core</groupId>
|
||||
<artifactId>jackson-databind</artifactId>
|
||||
<version>2.8.2</version>
|
||||
<version>2.8.9</version>
|
||||
</dependency>
|
||||
```
|
||||
|
||||
## Author
|
||||
|
||||
Maintained by [Stormpath](https://stormpath.com/)
|
||||
Maintained by [Okta](https://okta.com/)
|
||||
|
||||
## Licensing
|
||||
|
||||
|
|
54
pom.xml
54
pom.xml
|
@ -25,7 +25,7 @@
|
|||
|
||||
<groupId>io.jsonwebtoken</groupId>
|
||||
<artifactId>jjwt</artifactId>
|
||||
<version>0.8.0-SNAPSHOT</version>
|
||||
<version>0.9.0-SNAPSHOT</version>
|
||||
<name>JSON Web Token support for the JVM</name>
|
||||
<packaging>jar</packaging>
|
||||
|
||||
|
@ -52,6 +52,29 @@
|
|||
<url>https://travis-ci.org/jwtk/jjwt</url>
|
||||
</ciManagement>
|
||||
|
||||
<!-- temporary fix until official release of coverall-maven-plugin with clover support -->
|
||||
<repositories>
|
||||
<repository>
|
||||
<snapshots>
|
||||
<enabled>false</enabled>
|
||||
</snapshots>
|
||||
<id>bintray-jwtk-coveralls-maven-plugin</id>
|
||||
<name>bintray</name>
|
||||
<url>https://dl.bintray.com/jwtk/coveralls-maven-plugin</url>
|
||||
</repository>
|
||||
</repositories>
|
||||
<pluginRepositories>
|
||||
<pluginRepository>
|
||||
<snapshots>
|
||||
<enabled>false</enabled>
|
||||
</snapshots>
|
||||
<id>bintray-jwtk-coveralls-maven-plugin</id>
|
||||
<name>bintray-plugins</name>
|
||||
<url>https://dl.bintray.com/jwtk/coveralls-maven-plugin</url>
|
||||
</pluginRepository>
|
||||
</pluginRepositories>
|
||||
<!-- temporary fix until official release of coverall-maven-plugin with clover support -->
|
||||
|
||||
<properties>
|
||||
|
||||
<maven.jar.version>3.0.2</maven.jar.version>
|
||||
|
@ -73,6 +96,7 @@
|
|||
<junit.version>4.12</junit.version>
|
||||
<powermock.version>1.6.6</powermock.version>
|
||||
<failsafe.plugin.version>2.19.1</failsafe.plugin.version>
|
||||
<clover.version>4.2.0</clover.version>
|
||||
|
||||
</properties>
|
||||
|
||||
|
@ -151,7 +175,6 @@
|
|||
<version>4.12</version>
|
||||
<scope>test</scope>
|
||||
</dependency>
|
||||
|
||||
</dependencies>
|
||||
|
||||
<build>
|
||||
|
@ -270,19 +293,28 @@
|
|||
</executions>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.jacoco</groupId>
|
||||
<artifactId>jacoco-maven-plugin</artifactId>
|
||||
<version>0.7.9</version>
|
||||
<groupId>org.openclover</groupId>
|
||||
<artifactId>clover-maven-plugin</artifactId>
|
||||
<version>${clover.version}</version>
|
||||
<configuration>
|
||||
<excludes>
|
||||
<exclude>**/io/jsonwebtoken/lang/*</exclude>
|
||||
<exclude>**/*Test*</exclude>
|
||||
<!-- leaving out lang as it mostly comes from other sources -->
|
||||
<exclude>io/jsonwebtoken/lang/*</exclude>
|
||||
</excludes>
|
||||
<methodPercentage>100%</methodPercentage>
|
||||
<statementPercentage>100%</statementPercentage>
|
||||
<conditionalPercentage>100%</conditionalPercentage>
|
||||
<targetPercentage>100%</targetPercentage>
|
||||
</configuration>
|
||||
<executions>
|
||||
<execution>
|
||||
<id>prepare-agent</id>
|
||||
<id>clover</id>
|
||||
<phase>test</phase>
|
||||
<goals>
|
||||
<goal>prepare-agent</goal>
|
||||
<goal>instrument</goal>
|
||||
<goal>check</goal>
|
||||
<goal>clover</goal>
|
||||
</goals>
|
||||
</execution>
|
||||
</executions>
|
||||
|
@ -331,11 +363,13 @@
|
|||
</instructions>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<!-- Temporarily host coveralls SNAPSHOT with clover support locally -->
|
||||
<plugin>
|
||||
<groupId>org.eluder.coveralls</groupId>
|
||||
<groupId>org.jwtk.coveralls</groupId>
|
||||
<artifactId>coveralls-maven-plugin</artifactId>
|
||||
<version>4.3.0</version>
|
||||
<version>4.4.0</version>
|
||||
</plugin>
|
||||
<!-- Temporarily host coveralls SNAPSHOT with clover support locally -->
|
||||
</plugins>
|
||||
</build>
|
||||
<profiles>
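Review bot: The `<repositories>` entry added in the `@ -52,6 +52,29` hunk is broader than this change needs. A build plugin is resolved through `<pluginRepositories>` alone, while a `<repositories>` block in a published POM can also be consulted when downstream projects resolve this artifact's dependencies, which would put the Bintray URL on consumers' resolution path. I would drop `<repositories>` and keep only the `<pluginRepository>`, ideally scoped to a profile used only for coverage runs. Because `org.jwtk.coveralls:coveralls-maven-plugin` 4.4.0 executes inside the build and is fetched from outside Maven Central, the repository entry should also fail closed on integrity with `<releases><checksumPolicy>fail</checksumPolicy></releases>`. The two "temporary fix" comments would be more useful if they stated the condition for removal, e.g. `<!-- remove once upstream coveralls-maven-plugin ships Clover support -->`.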
|
||||
|
|
|
@ -50,9 +50,10 @@ public class GzipCompressionCodec extends AbstractCompressionCodec implements Co
|
|||
inputStream = new ByteArrayInputStream(compressed);
|
||||
gzipInputStream = new GZIPInputStream(inputStream);
|
||||
outputStream = new ByteArrayOutputStream();
|
||||
int read;
|
||||
while ((read = gzipInputStream.read(buffer)) != -1) {
|
||||
int read = gzipInputStream.read(buffer);
|
||||
while (read != -1) {
|
||||
outputStream.write(buffer, 0, read);
|
||||
read = gzipInputStream.read(buffer);
|
||||
}
|
||||
return outputStream.toByteArray();
|
||||
} finally {
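Review bot: The rewritten read loop still copies every decompressed byte into `outputStream` with no upper bound, so a small compressed input can expand to an arbitrarily large array before `toByteArray()` returns. If `compressed` can originate from a token whose signature has not yet been checked (not visible in this hunk), that is a memory-exhaustion risk on the parsing side. A guard inside the loop would close it, e.g. `if (outputStream.size() + read > MAX_DECOMPRESSED_BYTES) throw new IOException("decompressed payload exceeds limit");`, where `MAX_DECOMPRESSED_BYTES` is a new constant this change would have to introduce and the exception type should match what the method already declares. The method starts above the hunk and its `finally` block continues below it, so buffer sizing and stream cleanup are not covered by this note.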
|
||||
|
|
|
@ -1518,4 +1518,76 @@ class JwtParserTest {
|
|||
assertTrue e.getMessage().startsWith('JWT expired at ')
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
void testParseMalformedJwt() {
|
||||
|
||||
String header = '{"alg":"none"}'
|
||||
|
||||
String payload = '{"subject":"Joe"}'
|
||||
|
||||
String badSig = ";aklsjdf;kajsd;fkjas;dklfj"
|
||||
|
||||
String bogus = 'bogus'
|
||||
|
||||
String bad = TextCodec.BASE64.encode(header) + '.' +
|
||||
TextCodec.BASE64.encode(payload) + '.' +
|
||||
TextCodec.BASE64.encode(badSig) + '.' +
|
||||
TextCodec.BASE64.encode(bogus)
|
||||
|
||||
|
||||
try {
|
||||
Jwts.parser().setSigningKey(randomKey()).parse(bad)
|
||||
fail()
|
||||
} catch (MalformedJwtException se) {
|
||||
assertEquals 'JWT strings must contain exactly 2 period characters. Found: 3', se.message
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Test
|
||||
void testNoHeaderNoSig() {
|
||||
String payload = '{"subject":"Joe"}'
|
||||
|
||||
String jwtStr = '.' + TextCodec.BASE64.encode(payload) + '.'
|
||||
|
||||
Jwt jwt = Jwts.parser().parse(jwtStr)
|
||||
|
||||
assertTrue jwt.header == null
|
||||
assertEquals 'Joe', jwt.body.get('subject')
|
||||
}
|
||||
|
||||
@Test
|
||||
void testNoHeaderSig() {
|
||||
String payload = '{"subject":"Joe"}'
|
||||
|
||||
String sig = ";aklsjdf;kajsd;fkjas;dklfj"
|
||||
|
||||
String jwtStr = '.' + TextCodec.BASE64.encode(payload) + '.' + TextCodec.BASE64.encode(sig)
|
||||
|
||||
try {
|
||||
Jwt jwt = Jwts.parser().parse(jwtStr)
|
||||
fail()
|
||||
} catch (MalformedJwtException se) {
|
||||
assertEquals 'JWT string has a digest/signature, but the header does not reference a valid signature algorithm.', se.message
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
void testBadHeaderSig() {
|
||||
String header = '{"alg":"none"}'
|
||||
|
||||
String payload = '{"subject":"Joe"}'
|
||||
|
||||
String sig = ";aklsjdf;kajsd;fkjas;dklfj"
|
||||
|
||||
String jwtStr = TextCodec.BASE64.encode(payload) + '.' + TextCodec.BASE64.encode(payload) + '.' + TextCodec.BASE64.encode(sig)
|
||||
|
||||
try {
|
||||
Jwt jwt = Jwts.parser().parse(jwtStr)
|
||||
fail()
|
||||
} catch (MalformedJwtException se) {
|
||||
assertEquals 'JWT string has a digest/signature, but the header does not reference a valid signature algorithm.', se.message
|
||||
}
|
||||
}
|
||||
}
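Review bot: In `testBadHeaderSig` the `header` variable holding `{"alg":"none"}` is never used. `jwtStr` encodes `payload` twice, so the first segment is the claims JSON rather than an `alg: none` header. As written, the test appears to cover the same condition as `testNoHeaderSig` (no usable algorithm in the header), and the case of a signature attached to an `alg: none` token stays untested. The first segment should be `TextCodec.BASE64.encode(header)`, after which the expected message should be re-checked. A one-line comment on each new test naming the malformed shape it covers would also help, for example `// signature present but header declares alg none`.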
|
||||
|
|