Fourth release candidate of Nimbus JOSE + JWT 4.0

The Nimbus JOSE + JWT library takes another step towards the long-awaited 4.0 release, bringing a bag full of improvements, such as full coverage of the standard JWS / JWE algorithms and a robust framework for processing JWT / JOSE objects, based on the security recommendations for key selection, which developers tend to miss.

So what's in the new RC 4?

Immutable JWTClaimsSet

This makes it safer to pass the JWT claims set around your application, before the token is put together and signed, or after it's processed by the recipient. The ReadOnlyJWTClaimsSet interface intended to prevent modification is no longer needed and has been removed.

With all the setters gone now, a JWTClaimsSet is constructed with the help of a builder:

JWTClaimsSet claimsSet = new JWTClaimsSet.Builder()
     .subject("joe")
     .expirationDate(new Date(1300819380 * 1000L))
     .claim("http://example.com/is_root", true)
     .build();

Simplified processing framework

The framework for processing objects and tokens secured by JOSE was simplified. The optional conversion of the payload or JWT claims set to an application-specific class was factored out to a separate interface called PayloadTransformer for generic JOSE and JWTClaimsSetTransformer for JWTs.

Example:

public class MyPayloadExtractor implements PayloadTransformer<MyClass> {
    @Override
    public MyClass transform(Payload payload) {

        // Extract application specific object from payload data 
        // encoded as JSON, XML, base64, etc.
        return MyPayloadExtractor.parse(payload.toString());
    }
}

Then, every time you receive a JOSE-secured object that is successfully verified and / or decrypted, simply call the Payload.toType method with your transformer:

// Create payload extractor, should be thread-safe
PayloadTransformer<MyClass> myPayloadExtractor = new MyPayloadExtractor();

Payload payload;

try {
    payload = myJOSEProcessor.process(joseObject, securityCtx);
} catch (BadJOSEException e) {
    // JOSE object rejected due to bad signature or failed integrity check;
    // stop here so the rejected object's payload is never used
    return;
}

MyClass obj = payload.toType(myPayloadExtractor);

Want to try out the 4.0 release before it becomes final?

The Maven dependency for this 4.0 release candidate:

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>4.0-rc4</version>
</dependency>

For other methods check out the downloads page.

Feedback

Comments or concerns? Just let us know, by dropping a note below or writing to us.