[3.0.x] Allow users to upgrade to jjwt 0.12.5 #12474
Users can put in their build.sbt:
```
val jjwtVersion = "0.12.5"
val jjwts = Seq(
  "io.jsonwebtoken" % "jjwt-api",
  "io.jsonwebtoken" % "jjwt-impl"
).map(_ % jjwtVersion) ++ Seq(
  ("io.jsonwebtoken" % "jjwt-jackson" % jjwtVersion).excludeAll(ExclusionRule("com.fasterxml.jackson.core"))
)
libraryDependencies ++= jjwts
```
private val jwtParser: JwtParser = Jwts | ||
.parserBuilder() | ||
private val jwtParser: JwtParser = Classes | ||
.newInstance[JwtParserBuilder]("io.jsonwebtoken.impl.DefaultJwtParserBuilder") |
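Review bot: the hard-coded class name "io.jsonwebtoken.impl.DefaultJwtParserBuilder" passed to `Classes.newInstance[JwtParserBuilder](...)` is not checked by the compiler, so a rename or relocation of that implementation class in a later jjwt release would only show up at runtime, when `jwtParser` is initialised. Add a code comment saying why `Jwts.parserBuilder()` is no longer called directly and which jjwt versions the name was verified against, and cover the initialisation with a test that runs against each supported jjwt version.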
No actual change here, we just call what the method does for us, which is identical in 0.11.5 and 0.12.5:
.getDeclaredMethod("parseClaimsJws", classOf[CharSequence]) | ||
.invoke(jwtParser, encodedString.asInstanceOf[CharSequence]) | ||
.asInstanceOf[Jws[Claims]] | ||
} |
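Review bot: the reflective `.invoke(jwtParser, ...)` call changes how failures surface, because `Method.invoke` wraps anything the target throws in `InvocationTargetException`, so a rejected token (bad signature, expired claims) no longer reaches callers as the jjwt exception they may be catching. Nothing in the visible lines unwraps it; catch `InvocationTargetException` around the call and rethrow its `getCause` so the reflective path fails the same way as the direct call. If the `getDeclaredMethod("parseClaimsJws", classOf[CharSequence])` lookup runs on every parse, resolve it once and keep it in a `val`.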
That's the only part where we need to fall back to reflection:
- `parseClaimsJws(...)` takes a `String` in 0.11.5: https://github.com/jwtk/jjwt/blob/0.11.5/api/src/main/java/io/jsonwebtoken/JwtParser.java#L595-L596
- `parseClaimsJws(...)` takes a `CharSequence` in 0.12+: https://github.com/jwtk/jjwt/blob/0.12.1/api/src/main/java/io/jsonwebtoken/JwtParser.java#L204-L205

This would be source compatible, but not binary compatible, because the bytecode generated refers to the `String` method in the 0.11.5 jar, but this `String` method does not exist anymore in the 0.12.5 jars.
Anyway we can detect that and use reflection as last resort.
Please, Matthias, promise that we won't do the same in `main` branch 🙏 😄
By default in 3.0.x nothing changes, this just gives users the opportunity to upgrade to make use of latest jjwt features.
@Mergifyio backport 2.9.x

✅ Backports have been created
Hi @mkurz Just saw the new release today, thank you so much for your efforts. I've tried it out, and put the dependency override in my build.sbt, just as advised. Unfortunately, I don't think it works, unless I messed something else up on my end. They changed some methods on 0.11.5: https://github.com/jwtk/jjwt/blob/0.11.5/api/src/main/java/io/jsonwebtoken/JwtBuilder.java#L260 I assume you were not aware of those changes while implementing this workaround? Or did I do something wrong? The Play application starts successfully, and works until Play tries to create the Play session cookie, then the app terminates with the following stacktrace. If the cookie already exists, everything works fine (i.e. the parsing works).

@hertg I will take a look

@hertg Thanks for the report. The problem should be fixed with now. I published Play 3.0.4-M1 (https://github.com/playframework/playframework/releases/tag/3.0.4-M1), can you please upgrade and test?

@mkurz I tested out

@hertg Great! Actually you can use It would be great if you can keep testing this patch in May and eventually report any other problems. If everything is OK I can cut 3.0.4 in June (including other fixes and dependency upgrades then of course).
Users can put in their `build.sbt`, just like we do:

/cc @hertg This one is for you, so you can upgrade jjwt in your Play 3.0.x project.