You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: CHANGELOG.md
+53-1Lines changed: 53 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,8 +2,59 @@
2
2
3
3
### 0.12.4
4
4
5
-
This patch release:
5
+
This patch release includes various changes listed below.
6
+
7
+
#### Jackson Default Parsing Behavior
8
+
9
+
This release makes two behavioral changes to JJWT's default Jackson `ObjectMapper` parsing settings:
10
+
11
+
1. In the interest of having stronger standards to reject potentially malformed/malicious/accidental JSON that could
12
+
have undesirable effects on an application, JJWT's default `ObjectMapper `is now configured to explicitly reject/fail
13
+
parsing JSON (JWT headers and/or Claims) if/when that JSON contains duplicate JSON member names.
14
+
15
+
For example, now the following JSON, if parsed, would fail (be rejected) by default:
16
+
```json
17
+
{
18
+
"hello": "world",
19
+
"thisWillFail": 42,
20
+
"thisWillFail": "test"
21
+
}
22
+
```
23
+
24
+
Technically, the JWT RFCs _do allow_ duplicate named fields as long as the last parsed member is the one used
25
+
(see [JWS RFC 7515, Section 4](https://datatracker.ietf.org/doc/html/rfc7515#section-4)), so this is allowed.
26
+
However, because JWTs often reflect security concepts, it's usually better to be defensive and reject these
27
+
unexpected scenarios by default. The RFC later supports this position/preference in
could arise if the JSON parser used does not enforce the uniqueness
32
+
of member names or returns an unpredictable value for duplicate
33
+
member names.
34
+
35
+
Finally, this is just a default, and the RFC does indeed allow duplicate member names if the last value is used,
36
+
so applications that require duplicates to be allowed can simply configure their own `ObjectMapper` and use
37
+
that with JJWT instead of assuming this (new) JJWT default. See
38
+
[Issue #877](https://github.com/jwtk/jjwt/issues/877) for more.
39
+
2. If using JJWT's support to use Jackson to parse
40
+
[Custom Claim Types](https://github.com/jwtk/jjwt#json-jackson-custom-types) (for example, a Claim that should be
41
+
unmarshalled into a POJO), and the JSON for that POJO contained a member that is not represented in the specified
42
+
class, Jackson would fail parsing by default. Because POJOs and JSON data models can sometimes be out of sync
43
+
due to different class versions, the default behavior has been changed to ignore these unknown JSON members instead
44
+
of failing (i.e. the `ObjectMapper`'s `DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES` is now set to `false`)
45
+
by default.
46
+
47
+
Again, if you prefer the stricter behavior of rejecting JSON with extra or unknown properties, you can configure
48
+
`true` on your own `ObjectMapper` instance and use that instance with the `Jwts.parser()` builder.
49
+
50
+
#### Additional Changes
51
+
52
+
This release also:
6
53
54
+
* Fixes a thread-safety issue when using `java.util.ServiceLoader` to dynamically lookup/instantiate pluggable
55
+
implementations of JJWT interfaces (e.g. JSON parsers, etc). See
56
+
[Issue #873](https://github.com/jwtk/jjwt/issues/873) and its documented fix in
0 commit comments