This patch release:
-
Adds a new Maven BOM! This is useful for multi-module projects. See Issue 967.
-
Allows the
JwtParserBuilderto have empty nested algorithm collections, effectively disabling the parser's associated feature:- Emptying the
zip()nested collection disables JWT decompression. - Emptying the
sig()nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected). - Emptying either the
enc()orkey()nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)
See Issue 996.
- Emptying the
-
Fixes bug 961 where
JwtParserBuildernested collection builders were not correctly replacing algorithms with the same id. -
Ensures a
JwkSet'skeyscollection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; thekeyscollection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976. -
Improves performance slightly by ensuring all
jjwt-apiutility methods that create*Builderinstances (Jwts.builder(),Jwts.parserBuilder(),Jwks.builder(), etc) no longer use reflection.Instead,
staticfactories are created via reflection only once during initialjjwt-apiclassloading, and then*Builders are created via standard instantiation using thenewoperator thereafter. This also benefits certain environments that may not have idealClassLoaderimplementations (e.g. Tomcat in some cases).NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.
See Issue 988.
-
Upgrades the Gson dependency to
2.11.0 -
Upgrades the BouncyCastle dependency to
1.78.1
New Contributors
- @sigpwned made their first contribution in #968
- @TheMrMilchmann made their first contribution in #979
- @atanasg made their first contribution in #974
Full Changelog: 0.12.6...0.12.7