Comments (10)
lehoule
commented on September 7, 2024
1
+1 this project is unuseable for me without this fix.
from java-jwt.
dhenry-fa
commented on September 7, 2024
Hi,
I ran into the same issue and had a hard time figuring out the race condition too. I worked around it by creating a new instance of a JWTVerifier every time I need to check a token instead of reusing one single instance. It must be quite CPU intensive but it's the best I could manage…
This pull request might be the solution but no progress has been made for about one year: #30
from java-jwt.
neg3ntropy
commented on September 7, 2024
commons codec is repackaged that's fine with me. But the version is way too old:
https://issues.apache.org/jira/browse/CODEC-96
from java-jwt.
neg3ntropy
commented on September 7, 2024
Also, what has really took me for a ride before finding this bug, is that commons-codec is also a transitive maven dependency and in my project it was already resolved to a later version, thus I initially excluded the above upstream bug as a possible cause.
In fact you end up with 2 commons-codecs and using the buggy one.
from java-jwt.
adrogon
commented on September 7, 2024
@hzalaz @arcseldon Any input on this subject?
The preferred solution would be to get rid of commons-codec entirely (like discussed in #30), but at least an upgrade of the dependency in the meantime would be welcome.
It shouldn't take too long to review #71 :) Thank you.
from java-jwt.
adrogon
commented on September 7, 2024
Pinging. This project needs to be maintained, and here is a quick fix to a major issue that is already provided by the community.
All you have to do is accept the pull request and bump the version, please help, thank you :)
from java-jwt.
lebels
commented on September 7, 2024
We need this fix too. Please accept the pull request.
from java-jwt.
adrogon
commented on September 7, 2024
Hello hello,
Please upgrade to latest commons-codec, there's a nice PR #71 for you to accept, and everyone will feel more comfortable.
Thanks in advance maintainers.
from java-jwt.
neg3ntropy
commented on September 7, 2024
We solved by building this manually and pushing to a local artifactory with a custom version suffix.
You've got here now an absolute proof of the bug and fix. I have been running this for while, it's really ok to merge. I here dare you to close this ASAP and show a sign to the community.
In the meantime other potential users beware: this version will work only in your local machine by yourself. In the real world it will randomly refuse auths and you will end up thinking it is some other bug or misconfiguration.
In case you use some particular apache commons in your project as well, it might even break your builds.
It's BAD.
Cheers
from java-jwt.
adrogon
commented on September 7, 2024
Thank you @hzalaz
from java-jwt.
Related Issues (20)
- Published license identifier is not compliant with the SPDX license list HOT 2
- com.auth0.jwt.exceptions.JWTDecodeException: The input is not a valid base 64 encoded string. HOT 6
- Allow configuration of Jackson ObjectMapper HOT 2
- token is still alive, when "exp" = NOW HOT 2
- Support for the absence of payload HOT 4
- Add Support for the EdDSA Signatures HOT 2
- Support for PS256 algorithm HOT 2
- Integrating java-jwt into OSS-Fuzz HOT 2
- Aud with empty string returns empty List HOT 7
- Allow using custom ObjectMapper for JWTParser HOT 2
- Does the lib have a feature to create jwt token from pem file? HOT 1
- From 3.19.4 to 4.4.0: IncorrectClaimException on verify() HOT 5
- KeyProvider-style API for signature schemes (HMAC) HOT 2
- NullPointerException when checking empty audience HOT 2
- Javadoc contains dead links to readme HOT 1
- JwkProviderBuilder doesn't allow us to load jwks from a file. Instead the only option available is to load it via a URL. HOT 1
- IncorrectClaimException
- Invalid Token: The token can't be used before 2024-04-29T04:27:39Z
- Wrong algorithm name matching between JWT and Algorithm HOT 1
- It is suspected that the interface definition is incorrect
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from java-jwt.