Java 8 API compatibility changes (#1015)

- Upgraded dependencies and maven plugins to latest versions compatible with JDK 8+.
- Remove JDK 7 from CI build
- Consolidated `ci.yml` build matrix
- JDK 8 through 24 build testing
- Removed `io.jsonwebtoken.impl.lang.Function` in favor of `java.util.function.Function`
- Marked API interfaces as `@FunctionalInterface` where possible
- Migrated `io.jsonwebtoken.lang.Supplier` usages to `java.util.function.Supplier` where possible, except for `RedactedSupplier` usages.
- Breaking change: Renamed and moved `io.jsonwebtoken.lang.Supplier` to `io.jsonwebtoken.security.ConfidentialValue`
- Breaking change: Renamed `GsonSupplierSerializer` to `GsonConfidentialValueSerializer`
- Breaking change: Renamed `JacksonSupplierSerializer` to `JacksonConfidentialValueSerializer`

* Declared `@FunctionalInterface` / cleanup where feasible.

* Removing explicit Java 7 and Java 8 callouts/references now that 8 is the default/baseline.

* Removing explicit Java 7 and Java 8 callouts/references now that 8 is the default/baseline.

* Minor JavaDoc enhancement

Author: lhazlewood

.github/workflows/ci.yml

@@ -11,45 +11,20 @@ env:
   MVN_CMD: ./mvnw --no-transfer-progress -B
 
 jobs:
-  oracle:
+  build:
     strategy:
       matrix:
-        java: [ '17' ]
+        java: [ '8', '11', '17', '21', '24' ]
+        distribution: [ 'zulu', 'temurin', 'corretto' ]
     runs-on: 'ubuntu-latest'
-    name: jdk-${{ matrix.java }}-oracle
+    name: jdk-${{ matrix.java }}-${{ matrix.distribution }}
     steps:
       - uses: actions/checkout@v4
-      - name: Set up JDK
-        uses: actions/[email protected]
-        with:
-          distribution: oracle
-          java-version: ${{ matrix.java }}
-      - name: Install softhsm2
-        run: sudo apt-get install -y softhsm2
-      - name: Install opensc
-        run: sudo apt-get install -y opensc
-      - name: Ensure SoftHSM user configuration
-        run: impl/src/test/scripts/softhsm configure
-      - name: Populate SoftHSM with JJWT test keys
-        run: impl/src/test/scripts/softhsm import
-      - name: Build
-        # run a full build, just as we would for a release (i.e. the `ossrh` profile), but don't use gpg
-        # to sign artifacts, since we don't want to mess with storing signing credentials in CI:
-        run: ${{env.MVN_CMD}} verify -Possrh -Dgpg.skip=true
-
-  temurin:
-    strategy:
-      matrix:
-        java: [ '8', '11', '17', '18' ]
-    runs-on: 'ubuntu-latest'
-    name: jdk-${{ matrix.java }}-temurin
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up JDK
+      - name: Set up JDK ${{ matrix.java }}-${{ matrix.distribution }}
         uses: actions/setup-java@v4
         with:
           java-version: ${{ matrix.java }}
-          distribution: 'temurin'
+          distribution: ${{ matrix.distribution }}
           cache: 'maven'
           check-latest: true
       - name: Install softhsm2
@@ -65,38 +40,6 @@ jobs:
         # to sign artifacts, since we don't want to mess with storing signing credentials in CI:
         run: ${{env.MVN_CMD}} verify -Possrh -Dgpg.skip=true
 
-  zulu:
-    strategy:
-      matrix:
-        java: [ '7', '8', '9', '11', '12', '13', '14', '15', '16', '17', '18', '21' ]
-    runs-on: 'ubuntu-latest'
-    env:
-      JDK_MAJOR_VERSION: ${{ matrix.java }}
-    name: jdk-${{ matrix.java }}-zulu
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up JDK
-        uses: actions/setup-java@v4
-        with:
-          java-version: ${{ matrix.java }}
-          distribution: 'zulu'
-          cache: 'maven'
-          check-latest: true
-      - name: Install softhsm2
-        run: sudo apt-get install -y softhsm2
-      - name: Install opensc
-        run: sudo apt-get install -y opensc
-      - name: Ensure SoftHSM user configuration
-        run: impl/src/test/scripts/softhsm configure
-      - name: Populate SoftHSM with JJWT test keys
-        run: impl/src/test/scripts/softhsm import
-      - name: Build
-        # run a full build, just as we would for a release (i.e. the `ossrh` profile), but don't use gpg
-        # to sign artifacts, since we don't want to mess with storing signing credentials in CI:
-        run: |
-          if [ "$JDK_MAJOR_VERSION" == "7" ]; then export MAVEN_OPTS="-Xmx512m -XX:MaxPermSize=128m"; fi
-          ${{env.MVN_CMD}} verify -Possrh -Dgpg.skip=true
-
   # ensure all of our files have the correct/updated license header
   license-check:
     runs-on: 'ubuntu-latest'
@@ -117,9 +60,6 @@ jobs:
           ${{env.MVN_CMD}} license:check
 
   code-coverage:
-    # (commented out for now - see the comments in 'Wait to start' below for why.  Keeping this here as a placeholder
-    # as it may be better to use instead of an artificial delay once we no longer need to build on JDK 7):
-    #needs: zulu # wait until others finish so a coverage failure doesn't cancel others accidentally
     runs-on: 'ubuntu-latest'
     steps:
       - uses: actions/checkout@v4
@@ -139,14 +79,16 @@ jobs:
       - name: Populate SoftHSM with JJWT test keys
         run: impl/src/test/scripts/softhsm import
       - name: Wait to start
-        # wait a little to start: code coverage usually only takes about 1 1/2 minutes.  If coverage fails, it will
-        # cancel the other running builds, and we don't want that (because we want to see if jobs fail due to
-        # build issues, not due to the code-coverage job causing the others to cancel).  We could have used the
-        # 'need' property (commented out above), and that would wait until all the other jobs have finished before
-        # starting this one, but that introduces unnecessary (sometimes 2 1/2 minute) delay, whereas delaying the
-        # start of the code coverage checks a bit should allow everything to finish around the same time without having
-        # much of an adverse effect on the other jobs above.
-        run: sleep 90s
+        # wait a little to start: SoftHSM install and code coverage usually takes 3 1/2 minutes, and we don't want
+        # it fail before other jobs; we want to see if jobs fail due to build issues, not just due to the code-coverage
+        # job causing the others to cancel).
+        #
+        # We choose a sleep/delay approach here instead of using the GitHub Actions `needs` attribute
+        # because `needs` requires its dependency to fully finish before starting this one, and doing so
+        # would double the overall build time.  Instead we want to run this concurrently with the other builds for
+        # speed. The sleep should allow this to finish around the same time, or just slightly after, all the other
+        # jobs.
+        run: sleep 10s
         shell: bash
       - name: Code Coverage
         # run a full build, just as we would for a release (i.e. the `ossrh` profile), but don't use gpg

CHANGELOG.md

@@ -1,5 +1,22 @@
 ## Release Notes
 
+### 0.14.0
+
+The first JJWT release that uses Java 8+ features.  This release is not strictly backwards compatible and will also not work with Java 7.
+
+#### Backwards Compatibility Breaking Changes
+
+- The `io.jsonwebtoken.lang.Supplier` interface has been renamed and moved to `io.jsonwebtoken.security.ConfidentialValue` to avoid any potential risk of conflict or accidental use
+ with `java.util.function.Supplier`.  If you have explicitly configured a `Gson` instance to work with this type previously, you must update your usage to reference the new interface, for example:
+    ```java
+    new GsonBuilder()
+        .registerTypeHierarchyAdapter(io.jsonwebtoken.security.ConfidentialValue.class, GsonConfidentialValueSerializer.INSTANCE)
+        // ... etc ...
+        .create();
+    ```
+ - The `io.jsonwebtoken.gson.io.GsonSupplierSerializer` class has been renamed to `GsonConfidentialValueSerializer`
+ - The `io.jsonwebtoken.jackson.io.JacksonSupplierSerializer` has been renamed to `JacksonConfidentialValueSerializer`.`
+
 ### 0.13.0
 
 This is the last minor JJWT release branch that will support Java 7. Any necessary emergency bug fixes will be fixed in subsequent `0.13.x` patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (`0.14.0`) release.
@@ -412,7 +429,7 @@ deprecate some concepts, or in some cases, completely break backwards compatibil
   `GsonSupplierSerializer` type adapter, for example:
   ```java
   new GsonBuilder()
-    .registerTypeHierarchyAdapter(io.jsonwebtoken.lang.Supplier.class, GsonSupplierSerializer.INSTANCE)    
+    .registerTypeHierarchyAdapter(io.jsonwebtoken.security.ConfidentialValue.class, GsonSupplierSerializer.INSTANCE)    
     .disableHtmlEscaping().create();
   ```
   This is to ensure JWKs have `toString()` and application log safety (do not print secure material), but still 

README.adoc

@@ -15,7 +15,6 @@ ifdef::env-github[]
 endif::[]
 
 // Macros
-:fn-require-java8-plus: Requires Java 8 or a compatible JCA Provider (like BouncyCastle) in the runtime classpath.
 :fn-require-java11-plus: Requires Java 11 or a compatible JCA Provider (like BouncyCastle) in the runtime classpath.
 :fn-require-java15-plus: Requires Java 15 or a compatible JCA Provider (like BouncyCastle) in the runtime classpath.
 
@@ -56,7 +55,7 @@ toc::[]
 
 == Features
 
-* Fully functional on all Java 7+ JDKs and Android
+* Fully functional on all Java 8+ JDKs and Android
 * Automatic security best practices and assertions
 * Easy to learn and read API
 * Convenient and readable http://en.wikipedia.org/wiki/Fluent_interface[fluent] interfaces, great for IDE
@@ -128,16 +127,15 @@ and conditional branch variant in the entire codebase is tested and required to
 | https://www.rfc-editor.org/rfc/rfc7518.html#section-5.2.5[AES_256_CBC_HMAC_SHA_512] authenticated encryption algorithm
 
 | `A128GCM`
-| AES GCM using 128-bit key^*1*^
+| AES GCM using 128-bit key
 
 | `A192GCM`
-| AES GCM using 192-bit key^*1*^
+| AES GCM using 192-bit key
 
 | `A256GCM`
-| AES GCM using 256-bit key^*1*^
+| AES GCM using 256-bit key
 |===
 +
-^*1*.{sp}{fn-require-java8-plus}^
 
 * All Key Management Algorithms for obtaining JWE encryption and decryption keys:
 +
@@ -178,25 +176,24 @@ and conditional branch variant in the entire codebase is tested and required to
 | ECDH-ES using Concat KDF and CEK wrapped with "A256KW"
 
 | `A128GCMKW`
-| Key wrapping with AES GCM using 128-bit key^*1*^
+| Key wrapping with AES GCM using 128-bit key
 
 | `A192GCMKW`
-| Key wrapping with AES GCM using 192-bit key^*1*^
+| Key wrapping with AES GCM using 192-bit key
 
 | `A256GCMKW`
-| Key wrapping with AES GCM using 256-bit key^*1*^
+| Key wrapping with AES GCM using 256-bit key
 
 | `PBES2-HS256+A128KW`
-| PBES2 with HMAC SHA-256 and "A128KW" wrapping^*1*^
+| PBES2 with HMAC SHA-256 and "A128KW" wrapping
 
 | `PBES2-HS384+A192KW`
-| PBES2 with HMAC SHA-384 and "A192KW" wrapping^*1*^
+| PBES2 with HMAC SHA-384 and "A192KW" wrapping
 
 | `PBES2‑HS512+A256KW`
-| PBES2 with HMAC SHA-512 and "A256KW" wrapping^*1*^
+| PBES2 with HMAC SHA-512 and "A256KW" wrapping
 |===
 +
-^*1*.{sp}{fn-require-java8-plus}^
 
 * Creating, parsing and verifying JSON Web Keys (JWKs) in all standard JWA key formats using native Java `Key` types:
 +
@@ -2217,19 +2214,17 @@ The JWT specification defines 6 standard Authenticated Encryption algorithms use
 
 | `A128GCM`
 | 128
-| AES GCM using 128-bit key^*1*^
+| AES GCM using 128-bit key
 
 | `A192GCM`
 | 192
-| AES GCM using 192-bit key^*1*^
+| AES GCM using 192-bit key
 
 | `A256GCM`
 | 256
-| AES GCM using 256-bit key^*1*^
+| AES GCM using 256-bit key
 |===
 
-^*1*.{sp}{fn-require-java8-plus}^
-
 These are all represented as constants in the `io.jsonwebtoken.Jwts.ENC` registry singleton as
 implementations of the `io.jsonwebtoken.security.AeadAlgorithm` interface.
 
@@ -2357,26 +2352,24 @@ Content Encryption Key (CEK):
 | ECDH-ES using Concat KDF and CEK wrapped with "A256KW"
 
 | `A128GCMKW`
-| Key wrapping with AES GCM using 128-bit key^*1*^
+| Key wrapping with AES GCM using 128-bit key
 
 | `A192GCMKW`
-| Key wrapping with AES GCM using 192-bit key^*1*^
+| Key wrapping with AES GCM using 192-bit key
 
 | `A256GCMKW`
-| Key wrapping with AES GCM using 256-bit key^*1*^
+| Key wrapping with AES GCM using 256-bit key
 
 | `PBES2-HS256+A128KW`
-| PBES2 with HMAC SHA-256 and "A128KW" wrapping^*1*^
+| PBES2 with HMAC SHA-256 and "A128KW" wrapping
 
 | `PBES2-HS384+A192KW`
-| PBES2 with HMAC SHA-384 and "A192KW" wrapping^*1*^
+| PBES2 with HMAC SHA-384 and "A192KW" wrapping
 
 | `PBES2‑HS512+A256KW`
-| PBES2 with HMAC SHA-512 and "A256KW" wrapping^*1*^
+| PBES2 with HMAC SHA-512 and "A256KW" wrapping
 |===
 
-^*1*.{sp}{fn-require-java8-plus}^
-
 These are all represented as constants in the `io.jsonwebtoken.Jwts.KEY` registry singleton as
 implementations of the `io.jsonwebtoken.security.KeyAlgorithm` interface.
 
@@ -3471,7 +3464,7 @@ If you're curious, JJWT will automatically create an internal default Gson insta
 [,java]
 ----
 new GsonBuilder()
-    .registerTypeHierarchyAdapter(io.jsonwebtoken.lang.Supplier.class, GsonSupplierSerializer.INSTANCE)
+    .registerTypeHierarchyAdapter(io.jsonwebtoken.security.ConfidentialValue.class, GsonConfidentialValueSerializer.INSTANCE)
     .setObjectToNumberStrategy(ToNumberPolicy.LONG_OR_DOUBLE)
     .setNumberToNumberStrategy(ToNumberPolicy.LONG_OR_DOUBLE)
     .disableHtmlEscaping()
@@ -3514,7 +3507,7 @@ And then you can specify the `GsonSerializer` using your own `Gson` instance on
 
 Gson gson = new GsonBuilder()
     // don't forget this line!:
-    .registerTypeHierarchyAdapter(io.jsonwebtoken.lang.Supplier.class, GsonSupplierSerializer.INSTANCE)
+    .registerTypeHierarchyAdapter(io.jsonwebtoken.security.ConfidentialValue.class, GsonConfidentialValueSerializer.INSTANCE)
     .setObjectToNumberStrategy(ToNumberPolicy.LONG_OR_DOUBLE)
     .setNumberToNumberStrategy(ToNumberPolicy.LONG_OR_DOUBLE)
     .disableHtmlEscaping().create();
@@ -3543,7 +3536,7 @@ Again, as shown above, it is critical to create your `Gson` instance using the `
 
 [,java]
 ----
-.registerTypeHierarchyAdapter(io.jsonwebtoken.lang.Supplier.class, GsonSupplierSerializer.INSTANCE)
+.registerTypeHierarchyAdapter(io.jsonwebtoken.security.ConfidentialValue.class, GsonConfidentialValueSerializer.INSTANCE)
 ----
 
 to ensure JWK serialization works as expected.

api/src/main/java/io/jsonwebtoken/Clock.java

@@ -22,6 +22,7 @@
  *
  * @since 0.7.0
  */
+@FunctionalInterface
 public interface Clock {
 
     /**

api/src/main/java/io/jsonwebtoken/Identifiable.java

@@ -81,6 +81,7 @@
  *
  * @since 0.12.0
  */
+@FunctionalInterface
 public interface Identifiable {
 
     /**

api/src/main/java/io/jsonwebtoken/Jwts.java

@@ -19,7 +19,6 @@
 import io.jsonwebtoken.lang.Builder;
 import io.jsonwebtoken.lang.Classes;
 import io.jsonwebtoken.lang.Registry;
-import io.jsonwebtoken.lang.Supplier;
 import io.jsonwebtoken.security.AeadAlgorithm;
 import io.jsonwebtoken.security.KeyAlgorithm;
 import io.jsonwebtoken.security.KeyPairBuilderSupplier;
@@ -35,6 +34,7 @@
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.util.Map;
+import java.util.function.Supplier;
 
 /**
  * Factory class useful for creating instances of JWT interfaces.  Using this factory class can be a good
@@ -121,34 +121,22 @@ private ENC() {
 
         /**
          * "AES GCM using 128-bit key" as defined by
-         * <a href="https://tools.ietf.org/html/rfc7518#section-5.3">RFC 7518, Section 5.3</a><b><sup>1</sup></b>.  This
+         * <a href="https://tools.ietf.org/html/rfc7518#section-5.3">RFC 7518, Section 5.3</a>.  This
          * algorithm requires a 128-bit (16 byte) key.
-         *
-         * <p><b><sup>1</sup></b> Requires Java 8 or a compatible JCA Provider (like BouncyCastle) in the runtime
-         * classpath. If on Java 7 or earlier, BouncyCastle will be used automatically if found in the runtime
-         * classpath.</p>
          */
         public static final AeadAlgorithm A128GCM = get().forKey("A128GCM");
 
         /**
          * &quot;AES GCM using 192-bit key&quot; as defined by
-         * <a href="https://tools.ietf.org/html/rfc7518#section-5.3">RFC 7518, Section 5.3</a><b><sup>1</sup></b>.  This
+         * <a href="https://tools.ietf.org/html/rfc7518#section-5.3">RFC 7518, Section 5.3</a>.  This
          * algorithm requires a 192-bit (24 byte) key.
-         *
-         * <p><b><sup>1</sup></b> Requires Java 8 or a compatible JCA Provider (like BouncyCastle) in the runtime
-         * classpath. If on Java 7 or earlier, BouncyCastle will be used automatically if found in the runtime
-         * classpath.</p>
          */
         public static final AeadAlgorithm A192GCM = get().forKey("A192GCM");
 
         /**
          * &quot;AES GCM using 256-bit key&quot; as defined by
-         * <a href="https://tools.ietf.org/html/rfc7518#section-5.3">RFC 7518, Section 5.3</a><b><sup>1</sup></b>.  This
+         * <a href="https://tools.ietf.org/html/rfc7518#section-5.3">RFC 7518, Section 5.3</a>.  This
          * algorithm requires a 256-bit (32 byte) key.
-         *
-         * <p><b><sup>1</sup></b> Requires Java 8 or a compatible JCA Provider (like BouncyCastle) in the runtime
-         * classpath. If on Java 7 or earlier, BouncyCastle will be used automatically if found in the runtime
-         * classpath.</p>
          */
         public static final AeadAlgorithm A256GCM = get().forKey("A256GCM");
     }

api/src/main/java/io/jsonwebtoken/Locator.java

@@ -28,6 +28,7 @@
  * @param <T> the type of object that may be returned from the {@link #locate(Header)} method
  * @since 0.12.0
  */
+@FunctionalInterface
 public interface Locator<T> {
 
     /**

api/src/main/java/io/jsonwebtoken/io/Base64Decoder.java

@@ -19,7 +19,7 @@
 
 /**
  * Very fast <a href="https://datatracker.ietf.org/doc/html/rfc4648#section-4">Base64</a> decoder guaranteed to
- * work in all &gt;= Java 7 JDK and Android environments.
+ * work in all Java JDK and Android environments.
  *
  * @since 0.10.0
  */