Merge pull request #105 from ochedru/upgrade_jjwt

Upgrade to jjwt 0.12.3

Author: ochedru

README.md

@@ -26,7 +26,7 @@ Add the dropwizard-jwt-cookie-authentication library as a dependency to your `po
 <dependency>
     <groupId>org.dhatim</groupId>
     <artifactId>dropwizard-jwt-cookie-authentication</artifactId>
-    <version>5.0.1</version>
+    <version>5.1.0</version>
 </dependency>
   ```
 
@@ -167,7 +167,7 @@ JwtCookieAuthBundle jwtCookieAuthBundle = new JwtCookieAuthBundle<>(
     MyJwtCookiePrincipal::toClaims,
     MyJwtCookiePrincipal::new);
 
-Key key = JwtCookieAuthBundle.generateKey(configuration.getJwtCookieAuth().getSecretSeed());
+SecretKey key = JwtCookieAuthBundle.generateKey(configuration.getJwtCookieAuth().getSecretSeed());
 
 environment.jersey().register(
         new PolymorphicAuthDynamicFeature<>(

pom.xml

@@ -35,7 +35,7 @@
         <maven.compiler.source>11</maven.compiler.source>
         <maven.compiler.target>11</maven.compiler.target>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <jjwt.version>0.11.5</jjwt.version>
+        <jjwt.version>0.12.3</jjwt.version>
         <enforcer.fail>false</enforcer.fail>
     </properties>
     <distributionManagement>

src/main/java/org/dhatim/dropwizard/jwt/cookie/authentication/DefaultJwtCookiePrincipal.java

@@ -1,12 +1,12 @@
 /**
  * Copyright 2023 Dhatim
- *
+ * <p>
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not
  * use this file except in compliance with the License. You may obtain a copy of
  * the License at
- *
+ * <p>
  * http://www.apache.org/licenses/LICENSE-2.0
- *
+ * <p>
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
@@ -17,7 +17,9 @@
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 import io.jsonwebtoken.Claims;
+import io.jsonwebtoken.ClaimsBuilder;
 import io.jsonwebtoken.Jwts;
+
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Optional;
@@ -30,25 +32,26 @@ public class DefaultJwtCookiePrincipal implements JwtCookiePrincipal {
     private final static String PERSISTENT = "pst"; // long-term token == rememberme
     private final static String ROLES = "rls";
 
-    protected final Claims claims;
+    protected final ClaimsBuilder claimsBuilder;
 
     /**
      * Builds a new instance of DefaultJwtCookiePrincipal
      *
-     * @param name the principal name
+     * @param name       the principal name
      * @param persistent if the cookie must be persistent
-     * @param roles the roles the principal is in
-     * @param claims custom data associated with the principal
+     * @param roles      the roles the principal is in
+     * @param claims     custom data associated with the principal
      */
     public DefaultJwtCookiePrincipal(
             @JsonProperty("name") String name,
             @JsonProperty("persistent") boolean persistent,
             @JsonProperty("roles") Collection<String> roles,
             @JsonProperty("claims") Claims claims) {
-        this.claims = Optional.ofNullable(claims).orElseGet(Jwts::claims);
-        this.claims.setSubject(name);
-        this.claims.put(PERSISTENT, persistent);
-        this.claims.put(ROLES, roles);
+        this.claimsBuilder = Jwts.claims();
+        if (claims != null) {
+            claimsBuilder.add(claims);
+        }
+        claimsBuilder.subject(name).add(PERSISTENT, persistent).add(ROLES, roles);
     }
 
     /**
@@ -66,7 +69,10 @@ public DefaultJwtCookiePrincipal(String name) {
      * @param claims the JWT claims
      */
     public DefaultJwtCookiePrincipal(Claims claims) {
-        this.claims = claims;
+        this.claimsBuilder = Jwts.claims();
+        if (claims != null) {
+            claimsBuilder.add(claims);
+        }
     }
 
     /**
@@ -75,7 +81,7 @@ public DefaultJwtCookiePrincipal(Claims claims) {
      * @return the claims
      */
     public Claims getClaims() {
-        return claims;
+        return claimsBuilder.build();
     }
 
     /**
@@ -95,7 +101,7 @@ public boolean isInRole(String role) {
      * @return the roles
      */
     public Collection<String> getRoles() {
-        return Optional.ofNullable(claims.get(ROLES))
+        return Optional.ofNullable(getClaims().get(ROLES))
                 .map(Collection.class::cast)
                 .orElse(Collections.emptyList());
     }
@@ -106,7 +112,7 @@ public Collection<String> getRoles() {
      * @param roles the roles
      */
     public void setRoles(Collection<String> roles) {
-        claims.put(ROLES, roles);
+        claimsBuilder.add(ROLES, roles);
     }
 
     /**
@@ -116,18 +122,7 @@ public void setRoles(Collection<String> roles) {
      */
     @Override
     public boolean isPersistent() {
-        return claims.get(PERSISTENT) == Boolean.TRUE;
-    }
-
-    /**
-     * Set if the cookie must be persistent
-     *
-     * @param persistent if the cookie must be persistent
-     * @deprecated  Typo in method name. Replaced by {@link #setPersistent(boolean)}
-     */
-    @Deprecated
-    public void setPresistent(boolean persistent) {
-        setPersistent(persistent);
+        return getClaims().get(PERSISTENT) == Boolean.TRUE;
     }
 
     /**
@@ -136,7 +131,7 @@ public void setPresistent(boolean persistent) {
      * @param persistent if the cookie must be persistent
      */
     public void setPersistent(boolean persistent) {
-        claims.put(PERSISTENT, persistent);
+        claimsBuilder.add(PERSISTENT, persistent);
     }
 
     /**
@@ -146,7 +141,7 @@ public void setPersistent(boolean persistent) {
      */
     @Override
     public String getName() {
-        return (String) claims.getSubject();
+        return getClaims().getSubject();
     }
 
     /**
@@ -155,7 +150,7 @@ public String getName() {
      * @param name the name
      */
     public void setName(String name) {
-        claims.setSubject(name);
+        claimsBuilder.subject(name);
     }
 
 }

src/main/java/org/dhatim/dropwizard/jwt/cookie/authentication/JwtCookieAuthBundle.java

@@ -31,9 +31,9 @@
 import org.glassfish.jersey.server.filter.RolesAllowedDynamicFeature;
 
 import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
 import java.nio.charset.StandardCharsets;
-import java.security.Key;
 import java.security.NoSuchAlgorithmException;
 import java.time.Duration;
 import java.util.Optional;
@@ -55,7 +55,7 @@ public class JwtCookieAuthBundle<C extends Configuration, P extends JwtCookiePri
     private final Function<P, Claims> serializer;
     private final Function<Claims, P> deserializer;
     private Function<C, JwtCookieAuthConfiguration> configurationSupplier;
-    private BiFunction<C, Environment, Key> keySuppplier;
+    private BiFunction<C, Environment, SecretKey> keySuppplier;
     private UnauthorizedHandler unauthorizedHandler;
 
     /**
@@ -92,7 +92,7 @@ public JwtCookieAuthBundle(Class<P> principalType, Function<P, Claims> serialize
      * @param keySupplier a bi-function which will return the signing key from the configuration and environment
      * @return this
      */
-    public JwtCookieAuthBundle<C, P> withKeyProvider(BiFunction<C, Environment, Key> keySupplier) {
+    public JwtCookieAuthBundle<C, P> withKeyProvider(BiFunction<C, Environment, SecretKey> keySupplier) {
         this.keySuppplier = keySupplier;
         return this;
     }
@@ -131,7 +131,7 @@ public void run(C configuration, Environment environment) throws Exception {
         JwtCookieAuthConfiguration conf = configurationSupplier.apply(configuration);
 
         //build the key from the key factory if it was provided
-        Key key = Optional
+        SecretKey key = Optional
                 .ofNullable(keySuppplier)
                 .map(k -> k.apply(configuration, environment))
                 .orElseGet(() -> generateKey(conf.getSecretSeed()));
@@ -151,7 +151,7 @@ public void run(C configuration, Environment environment) throws Exception {
      * @param cookieName the name of the cookie holding the JWT
      * @return the request filter
      */
-    public AuthFilter<String, P> getAuthRequestFilter(Key key, String cookieName) {
+    public AuthFilter<String, P> getAuthRequestFilter(SecretKey key, String cookieName) {
         return new JwtCookieAuthRequestFilter.Builder()
                 .setCookieName(cookieName)
                 .setAuthenticator(new JwtCookiePrincipalAuthenticator(key, deserializer))
@@ -168,7 +168,7 @@ public AuthFilter<String, P> getAuthRequestFilter(Key key, String cookieName) {
      * @param key the key used to validate the JWT
      * @return the request filter
      */
-    public AuthFilter<String, P> getAuthRequestFilter(Key key) {
+    public AuthFilter<String, P> getAuthRequestFilter(SecretKey key) {
         return getAuthRequestFilter(key, JWT_COOKIE_DEFAULT_NAME);
     }
 
@@ -179,7 +179,7 @@ public AuthFilter<String, P> getAuthRequestFilter(Key key) {
      * @param configuration cookie configuration (secure, httpOnly, expiration...)
      * @return the response filter
      */
-    public ContainerResponseFilter getAuthResponseFilter(Key key, JwtCookieAuthConfiguration configuration) {
+    public ContainerResponseFilter getAuthResponseFilter(SecretKey key, JwtCookieAuthConfiguration configuration) {
         return new JwtCookieAuthResponseFilter<>(
                 principalType,
                 serializer,
@@ -201,11 +201,11 @@ public ContainerResponseFilter getAuthResponseFilter(Key key, JwtCookieAuthConfi
      *                   If null, a random key is returned.
      * @return a HMAC SHA256 Key
      */
-    public static Key generateKey(String secretSeed) {
+    public static SecretKey generateKey(String secretSeed) {
         // make a key from the seed if it was provided
         return Optional.ofNullable(secretSeed)
                 .map(seed -> Hashing.sha256().newHasher().putString(seed, StandardCharsets.UTF_8).hash().asBytes())
-                .map(k -> (Key) new SecretKeySpec(k, SignatureAlgorithm.HS256.getJcaName()))
+                .map(k -> (SecretKey) new SecretKeySpec(k, SignatureAlgorithm.HS256.getJcaName()))
                 //else generate a random key
                 .orElseGet(getHmacSha256KeyGenerator()::generateKey);
     }

src/main/java/org/dhatim/dropwizard/jwt/cookie/authentication/JwtCookiePrincipal.java

@@ -16,39 +16,41 @@
 package org.dhatim.dropwizard.jwt.cookie.authentication;
 
 import jakarta.ws.rs.container.ContainerRequestContext;
-import org.checkerframework.checker.nullness.qual.Nullable;
 
 import java.security.Principal;
 
 /**
  * A principal persisted in JWT cookies
  */
-public interface JwtCookiePrincipal extends Principal{
+public interface JwtCookiePrincipal extends Principal {
 
     /**
      * Indicates if the cookie will be persistent (aka 'remember me')
+     *
      * @return if the cookie must be persistent
      */
-   boolean isPersistent();
-
-   /**
-    * Indicates if this principal has the given role
-    * @param role the role
-    * @return true if the principal is in the given role, false otherwise
-    */
-   boolean isInRole(String role);
-
-   /**
-    * Add this principal in the request context.
-    * It will serialized in a JWT cookie and can be reused in subsequent queries
-    * @param context the request context
-    */
-   default void addInContext(ContainerRequestContext context){
+    boolean isPersistent();
+
+    /**
+     * Indicates if this principal has the given role
+     *
+     * @param role the role
+     * @return true if the principal is in the given role, false otherwise
+     */
+    boolean isInRole(String role);
+
+    /**
+     * Add this principal in the request context.
+     * It will serialized in a JWT cookie and can be reused in subsequent queries
+     *
+     * @param context the request context
+     */
+    default void addInContext(ContainerRequestContext context) {
         context.setSecurityContext(new JwtCookieSecurityContext(this, context.getSecurityContext().isSecure()));
     }
 
-   public static void removeFromContext(ContainerRequestContext context){
-       context.setSecurityContext(new JwtCookieSecurityContext(null, context.getSecurityContext().isSecure()));
-   }
+    public static void removeFromContext(ContainerRequestContext context) {
+        context.setSecurityContext(new JwtCookieSecurityContext(null, context.getSecurityContext().isSecure()));
+    }
 
 }

src/main/java/org/dhatim/dropwizard/jwt/cookie/authentication/JwtCookiePrincipalAuthenticator.java

@@ -22,24 +22,24 @@
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.security.SecurityException;
 
-import java.security.Key;
+import javax.crypto.SecretKey;
 import java.util.Optional;
 import java.util.function.Function;
 
 class JwtCookiePrincipalAuthenticator<P extends JwtCookiePrincipal> implements Authenticator<String, P> {
 
-    private final Key key;
+    private final SecretKey key;
     private final Function<Claims, P> deserializer;
 
-    public JwtCookiePrincipalAuthenticator(Key key, Function<Claims, P> deserializer) {
+    public JwtCookiePrincipalAuthenticator(SecretKey key, Function<Claims, P> deserializer) {
         this.key = key;
         this.deserializer = deserializer;
     }
 
     @Override
     public Optional<P> authenticate(String credentials) throws AuthenticationException {
         try {
-            return Optional.of(deserializer.apply(Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(credentials).getBody()));
+            return Optional.of(deserializer.apply(Jwts.parser().verifyWith(key).build().parseClaimsJws(credentials).getBody()));
         } catch (ExpiredJwtException | SecurityException e) {
             return Optional.empty();
         }