
Feat: mvc-auth-commons v2.0.0, Jakarta EE 10, Java 17, Security Fixes #228

Open
tanya732 wants to merge 3 commits into master from v2

Conversation

@tanya732
Contributor

Summary

Major release of mvc-auth-commons with migration from Java 8 / javax.servlet to Java 17 and Jakarta Servlet 6.0. This release upgrades core Auth0 dependencies, removes deprecated APIs, migrates ID token validation to auth0-java v3, and adds security hardening.


Included PRs

PR     Description
#152   Upgrade auth0-java to v3
#155   Upgrade java-jwt to v4.5.0
#207   Java 17 + Jakarta migration
#220   Remove deprecated APIs
#221   Migrate ID token validation to auth0-java v3
#223   Add transaction binding security fix
#225   Add JPMS module-info.java support

Key Changes

Platform & Dependency Upgrades

  • javax.servlet → jakarta.servlet
  • Java 17 minimum requirement
  • Upgraded:
    • auth0-java → v3.5.1
    • java-jwt → v4.5.0
    • Gradle 8.10
    • Spring Test 6
    • Mockito 4.11

Security Improvements

  • Added HMAC binding between origin-domain cookie and OAuth state parameter
  • Introduced SignedCookieUtils for HMAC-SHA256 sign/verify support

Deprecated API Removal

  • Removed deprecated APIs and legacy session utilities
  • handle(HttpServletRequest) → use handle(request, response)
  • buildAuthorizeUrl(request, uri) → use 3-parameter version
  • InvalidRequestException.getDescription() → use getMessage()

ID Token Validation Migration

  • Removed custom token verification classes
  • Delegated validation to com.auth0.utils.tokens.IdTokenVerifier
  • Added automatic RS256 / HS256 algorithm detection

JPMS Support

  • Added module-info.java
  • Declares com.auth0.mvc module

Breaking Changes

Change                                             Migration
Java 17 required                                   Upgrade JDK/runtime
jakarta.servlet namespace                          Update imports and use compatible servlet containers
handle(request) removed                            Use handle(request, response)
buildAuthorizeUrl(request, uri) removed            Use buildAuthorizeUrl(request, response, uri)
InvalidRequestException.getDescription() removed   Use getMessage()
auth0-java v3 migration                            Update direct integrations if applicable

Test Plan

  • All tests pass on Java 17
  • Verified:
    • Transaction binding security checks
    • ID token validation (RS256 / HS256)
    • JPMS module compilation
    • Spring Boot 3.x / Tomcat 10.1 integration
  • Confirmed v1 branch still builds on Java 8

Co-authored-by: Tareq Kirresh <kirreshtareq@gmail.com>
Co-authored-by: Kailash B <kaish95@gmail.com>
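The transaction-binding fix listed under Security Improvements (an HMAC-SHA256 tag that ties the origin-domain cookie to the OAuth state parameter) can be illustrated as follows. This is an added example, not the PR's SignedCookieUtils or any code from mvc-auth-commons; the class name StateBoundCookieExample, the "origin|state" message layout and the in-memory key generation are assumptions made for the example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Illustrative HMAC-bound transaction cookie (added example; not the library's own SignedCookieUtils).
public final class StateBoundCookieExample {

    private static final String HMAC_ALG = "HmacSHA256";
    private static final SecureRandom RNG = new SecureRandom();

    // Server-side signing key. A real deployment loads this from configuration; it is
    // generated in main() below only so the example runs stand-alone.
    private final byte[] secret;

    StateBoundCookieExample(byte[] secret) {
        this.secret = secret.clone();
    }

    // Produce the cookie tag over "origin|state". The '|' separator is unambiguous here because
    // a hostname cannot contain it and the state is base64url, so no delimiter collision is possible.
    String sign(String originDomain, String state) {
        byte[] tag = hmac(originDomain + "|" + state);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Recompute the tag for the (origin, state) pair presented on the callback and compare in
    // constant time. Any change to the cookie, the origin or the state yields false.
    boolean verify(String originDomain, String state, String cookieTag) {
        byte[] expected = hmac(originDomain + "|" + state);
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(cookieTag);
        } catch (IllegalArgumentException e) {
            return false; // malformed cookie value
        }
        return MessageDigest.isEqual(expected, presented);
    }

    // 256 bits of CSPRNG output, base64url-encoded, as the OAuth state parameter.
    static String newState() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(secret, HMAC_ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        RNG.nextBytes(key);
        StateBoundCookieExample cookies = new StateBoundCookieExample(key);

        // Issue: state goes into the authorize URL, the tag into the origin-domain cookie.
        String state = newState();
        String cookieTag = cookies.sign("example.com", state);

        // Callback: the same origin and state verify; a cookie replayed against a different
        // state, or a modified tag, does not.
        System.out.println("same state:      " + cookies.verify("example.com", state, cookieTag));
        System.out.println("different state: " + cookies.verify("example.com", newState(), cookieTag));
        System.out.println("tampered tag:    " + cookies.verify("example.com", state, cookieTag.substring(1) + "A"));
    }
}
```

Binding the state into the MAC input is what makes the check a transaction binding rather than a plain signed cookie: a cookie captured from one authorization flow cannot be paired with the state of another, and MessageDigest.isEqual keeps the comparison constant-time so tag verification does not leak timing. In a servlet container the tag would be set with HttpOnly, Secure and an appropriate SameSite attribute on the cookie, and the key would come from the application's configuration rather than being generated per run.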
@tanya732 tanya732 requested a review from a team as a code owner May 19, 2026 03:54
tanya732 and others added 2 commits May 19, 2026 09:37