Merge branch 'master' into merge_master_jwe

.travis.yml

@@ -15,5 +15,5 @@ install: echo "No need to run mvn install -DskipTests then mvn install.  Running
 script: mvn install
 
 after_success:
-  - test -z "$BUILD_COVERAGE" || mvn clean test jacoco:report coveralls:report
+  - test -z "$BUILD_COVERAGE" || mvn clean test clover:check clover:clover coveralls:report
 

CHANGELOG.md

@@ -1,5 +1,21 @@
 ## Release Notes
 
+### 0.8.0
+
+This is a minor feature enhancement, dependency version update and build update release. We switched from Jacoco to 
+OpenClover as OpenClover delivers a higher quality of test metrics. As an interim measure, we introduced a new 
+repository that has an updated version of the coveralls-maven-plugin which includes support for Clover reporting to
+Coveralls. Once this change has been merged and released to the official coveralls-maven-plugin on maven central, 
+this repository will be removed. The following dependencies were updated to the latest release version: maven 
+compiler, maven enforcer, maven failsafe, maven release, maven scm provider, maven bundle, maven gpg, maven source, 
+maven javadoc, jackson, bouncy castle, groovy, logback and powermock. Of significance, is the upgrade for jackson as 
+a security issue was addressed in its latest release.
+
+An `addClaims` method is added to the `JwtBuilder` interface in this release. It adds all given name/value pairs to
+the JSON Claims in the payload.
+
+Additional tests were added to improve overall test coverage.
+
 ### 0.7.0
 
 This is a minor feature enhancement and bugfix release.  One of the bug fixes is particularly important if using

README.md

@@ -7,10 +7,10 @@ JJWT aims to be the easiest to use and understand library for creating and verif
 
 JJWT is a Java implementation based on the [JWT](https://tools.ietf.org/html/rfc7519), [JWS](https://tools.ietf.org/html/rfc7515), [JWE](https://tools.ietf.org/html/rfc7516), [JWK](https://tools.ietf.org/html/rfc7517) and [JWA](https://tools.ietf.org/html/rfc7518) RFC specifications.
 
-The library was created by [Stormpath's](http://www.stormpath.com) CTO, [Les Hazlewood](https://github.com/lhazlewood)
+The library was created by [Okta's](http://www.okta.com) Senior Architect, [Les Hazlewood](https://github.com/lhazlewood)
 and is now maintained by a [community](https://github.com/jwtk/jjwt/graphs/contributors) of contributors.
 
-[Stormpath](https://stormpath.com/) is a complete authentication and user management API for developers.
+[Okta](https://developer.okta.com/) is a complete authentication and user management API for developers.
 
 We've also added some convenience extensions that are not part of the specification, such as JWT compression and claim enforcement.
 
@@ -225,13 +225,13 @@ JJWT depends on Jackson 2.8.x (or later).  If you are already using a Jackson ve
 <dependency>
     <groupId>com.fasterxml.jackson.core</groupId>
     <artifactId>jackson-databind</artifactId>
-    <version>2.8.2</version>
+    <version>2.8.9</version>
 </dependency>
 ```
 
 ## Author
 
-Maintained by [Stormpath](https://stormpath.com/)
+Maintained by [Okta](https://okta.com/)
 
 ## Licensing
 

pom.xml

@@ -25,7 +25,7 @@
 
     <groupId>io.jsonwebtoken</groupId>
     <artifactId>jjwt</artifactId>
-    <version>0.8.0-SNAPSHOT</version>
+    <version>0.9.0-SNAPSHOT</version>
     <name>JSON Web Token support for the JVM</name>
     <packaging>jar</packaging>
 
@@ -52,6 +52,29 @@
         <url>https://travis-ci.org/jwtk/jjwt</url>
     </ciManagement>
 
+    <!-- temporary fix until official release of coverall-maven-plugin with clover support -->
+    <repositories>
+        <repository>
+            <snapshots>
+                <enabled>false</enabled>
+            </snapshots>
+            <id>bintray-jwtk-coveralls-maven-plugin</id>
+            <name>bintray</name>
+            <url>https://dl.bintray.com/jwtk/coveralls-maven-plugin</url>
+        </repository>
+    </repositories>
+    <pluginRepositories>
+        <pluginRepository>
+            <snapshots>
+                <enabled>false</enabled>
+            </snapshots>
+            <id>bintray-jwtk-coveralls-maven-plugin</id>
+            <name>bintray-plugins</name>
+            <url>https://dl.bintray.com/jwtk/coveralls-maven-plugin</url>
+        </pluginRepository>
+    </pluginRepositories>
+    <!-- temporary fix until official release of coverall-maven-plugin with clover support -->
+
     <properties>
 
         <maven.jar.version>3.0.2</maven.jar.version>
@@ -73,6 +96,7 @@
         <junit.version>4.12</junit.version>
         <powermock.version>1.6.6</powermock.version>
         <failsafe.plugin.version>2.19.1</failsafe.plugin.version>
+        <clover.version>4.2.0</clover.version>
 
     </properties>
 
@@ -151,7 +175,6 @@
             <version>4.12</version>
             <scope>test</scope>
         </dependency>
-
     </dependencies>
 
     <build>
@@ -270,19 +293,28 @@
                 </executions>
             </plugin>
             <plugin>
-                <groupId>org.jacoco</groupId>
+                <groupId>org.openclover</groupId>
-                <artifactId>jacoco-maven-plugin</artifactId>
+                <artifactId>clover-maven-plugin</artifactId>
-                <version>0.7.9</version>
+                <version>${clover.version}</version>
                 <configuration>
                     <excludes>
-                        <exclude>**/io/jsonwebtoken/lang/*</exclude>
+                        <exclude>**/*Test*</exclude>
+                        <!-- leaving out lang as it mostly comes from other sources -->
+                        <exclude>io/jsonwebtoken/lang/*</exclude>
                     </excludes>
+                    <methodPercentage>100%</methodPercentage>
+                    <statementPercentage>100%</statementPercentage>
+                    <conditionalPercentage>100%</conditionalPercentage>
+                    <targetPercentage>100%</targetPercentage>
                 </configuration>
                 <executions>
                     <execution>
-                        <id>prepare-agent</id>
+                        <id>clover</id>
+                        <phase>test</phase>
                         <goals>
-                            <goal>prepare-agent</goal>
+                            <goal>instrument</goal>
+                            <goal>check</goal>
+                            <goal>clover</goal>
                         </goals>
                     </execution>
                 </executions>
@@ -331,11 +363,13 @@
                     </instructions>
                 </configuration>
             </plugin>
+            <!-- Temporarily host coveralls SNAPSHOT with clover support locally  -->
             <plugin>
-                <groupId>org.eluder.coveralls</groupId>
+                <groupId>org.jwtk.coveralls</groupId>
                 <artifactId>coveralls-maven-plugin</artifactId>
-                <version>4.3.0</version>
+                <version>4.4.0</version>
             </plugin>
+            <!-- Temporarily host coveralls SNAPSHOT with clover support locally  -->
         </plugins>
     </build>
     <profiles>

src/main/java/io/jsonwebtoken/impl/compression/GzipCompressionCodec.java

@@ -50,9 +50,10 @@ public class GzipCompressionCodec extends AbstractCompressionCodec implements Co
             inputStream = new ByteArrayInputStream(compressed);
             gzipInputStream = new GZIPInputStream(inputStream);
             outputStream = new ByteArrayOutputStream();
-            int read;
+            int read = gzipInputStream.read(buffer);
-            while ((read = gzipInputStream.read(buffer)) != -1) {
+            while (read != -1) {
                 outputStream.write(buffer, 0, read);
+                read = gzipInputStream.read(buffer);
             }
             return outputStream.toByteArray();
         } finally {

src/test/groovy/io/jsonwebtoken/JwtParserTest.groovy

@@ -1518,4 +1518,76 @@ class JwtParserTest {
             assertTrue e.getMessage().startsWith('JWT expired at ')
         }
     }
+
+    @Test
+    void testParseMalformedJwt() {
+
+        String header = '{"alg":"none"}'
+
+        String payload = '{"subject":"Joe"}'
+
+        String badSig = ";aklsjdf;kajsd;fkjas;dklfj"
+
+        String bogus = 'bogus'
+
+        String bad = TextCodec.BASE64.encode(header) + '.' +
+            TextCodec.BASE64.encode(payload) + '.' +
+            TextCodec.BASE64.encode(badSig) + '.' +
+            TextCodec.BASE64.encode(bogus)
+
+
+        try {
+            Jwts.parser().setSigningKey(randomKey()).parse(bad)
+            fail()
+        } catch (MalformedJwtException se) {
+            assertEquals 'JWT strings must contain exactly 2 period characters. Found: 3', se.message
+        }
+
+    }
+
+    @Test
+    void testNoHeaderNoSig() {
+        String payload = '{"subject":"Joe"}'
+
+        String jwtStr = '.' + TextCodec.BASE64.encode(payload) + '.'
+
+        Jwt jwt = Jwts.parser().parse(jwtStr)
+
+        assertTrue jwt.header == null
+        assertEquals 'Joe', jwt.body.get('subject')
+    }
+
+    @Test
+    void testNoHeaderSig() {
+        String payload = '{"subject":"Joe"}'
+
+        String sig = ";aklsjdf;kajsd;fkjas;dklfj"
+
+        String jwtStr = '.' + TextCodec.BASE64.encode(payload) + '.' + TextCodec.BASE64.encode(sig)
+
+        try {
+            Jwt jwt = Jwts.parser().parse(jwtStr)
+            fail()
+        } catch (MalformedJwtException se) {
+            assertEquals 'JWT string has a digest/signature, but the header does not reference a valid signature algorithm.', se.message
+        }
+    }
+
+    @Test
+    void testBadHeaderSig() {
+        String header = '{"alg":"none"}'
+
+        String payload = '{"subject":"Joe"}'
+
+        String sig = ";aklsjdf;kajsd;fkjas;dklfj"
+
+        String jwtStr = TextCodec.BASE64.encode(payload) + '.' + TextCodec.BASE64.encode(payload) + '.' + TextCodec.BASE64.encode(sig)
+
+        try {
+            Jwt jwt = Jwts.parser().parse(jwtStr)
+            fail()
+        } catch (MalformedJwtException se) {
+            assertEquals 'JWT string has a digest/signature, but the header does not reference a valid signature algorithm.', se.message
+        }
+    }
 }