Migrate to Jakarta EE 10, Jersey 3.x, and Jetty 12 #570
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This comment was marked as outdated.
This comment was marked as outdated.
nscuro
added a commit
to nscuro/dependency-track
that referenced
this pull request
May 17, 2024
Depends on stevespringett/Alpine#570 Signed-off-by: nscuro <nscuro@protonmail.com>
nscuro
added a commit
to nscuro/dependency-track
that referenced
this pull request
May 17, 2024
Depends on stevespringett/Alpine#570 Signed-off-by: nscuro <nscuro@protonmail.com>
1 task
Migrates `javax` namespaces to their `jakarta` counterparts. Performs the following notable version bumps: * Jakarta Servlet API: `4.0.1` -> `6.0.0` (latest) * JAXB: `2.3.6` -> `4.0.5` (latest) * Jersey: `2.41` -> `3.1.6` (latest) * Jetty: `10.0.18` -> `12.0.9` (latest) The following changes were necessary due to compatibility issues with Jakarta EE 10: * `io.jsonwebtoken:jjwt`: `0.9.1` -> `0.12.5` * Signing and verifying of JWTs with Alpine's `SecretKey` no longer worked. I'm not sure why it worked before, but now the library complained about AES keys not being suitable for HMAC signing. I modified the `JsonWebToken` class to use Alpine's public/private key pair instead, which works. It changes the signature algorithm to `RS512`. I believe this change makes sense anyway. * The default implementation of `jakarta.json` is Eclipse Parsson. Replaced `org.glassfish:javax-json` with it. * The default implementation of `jakarta.mail-api` is Eclipse Angus. Added it. Signed-off-by: nscuro <nscuro@protonmail.com>
nscuro
added a commit
to nscuro/dependency-track
that referenced
this pull request
May 17, 2024
Depends on stevespringett/Alpine#570 Signed-off-by: nscuro <nscuro@protonmail.com>
|
@nscuro The SecretKey is a symmetrical key used to sign the JWT (e.g. HS512). The private/public key pair are asymmetrical keys for the encryption and decryption of data. Both key types are required. |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
nscuro
added a commit
to nscuro/dependency-track
that referenced
this pull request
May 20, 2024
Depends on stevespringett/Alpine#570 Signed-off-by: nscuro <nscuro@protonmail.com>
nscuro
added a commit
to nscuro/dependency-track
that referenced
this pull request
May 20, 2024
Depends on stevespringett/Alpine#570 Signed-off-by: nscuro <nscuro@protonmail.com>
nscuro
added a commit
to nscuro/dependency-track
that referenced
this pull request
May 20, 2024
Depends on stevespringett/Alpine#570 Signed-off-by: nscuro <nscuro@protonmail.com>
|
Can you resolve the conflict? |
Instead of switching to public/private key pair, convert the secret key to the appropriate `HmacSHA*` algorithm instead. Switching the keys used for signing would have been a breaking change. Signed-off-by: nscuro <nscuro@protonmail.com>
This was referenced May 28, 2024
MM-msr
pushed a commit
to MM-msr/dependency-track
that referenced
this pull request
Jun 18, 2024
Depends on stevespringett/Alpine#570 Signed-off-by: nscuro <nscuro@protonmail.com>
netomi
pushed a commit
to netomi/dependency-track
that referenced
this pull request
Aug 8, 2024
Depends on stevespringett/Alpine#570 Signed-off-by: nscuro <nscuro@protonmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Migrates
javaxnamespaces to theirjakartacounterparts.Performs the following notable version bumps:
4.0.1->6.0.0(latest)2.3.6->4.0.5(latest)2.41->3.1.6(latest)10.0.18->12.0.9(latest)The following changes were necessary due to compatibility issues with Jakarta EE 10:
io.jsonwebtoken:jjwt:0.9.1->0.12.5Signing and verifying of JWTs with Alpine'sSecretKeyno longer worked. I'm not sure why it worked before, but now the library complained about AES keys not being suitable for HMAC signing. I modified theJsonWebTokenclass to use Alpine's public/private key pair instead, which works. It changes the signature algorithm toRS512. I believe this change makes sense anyway.SecretKeygenerated forAESto an appropriateHmacSHA*algorithm (a3687b4)jakarta.jsonis Eclipse Parsson. Replacedorg.glassfish:javax-jsonwith it.jakarta.mail-apiis Eclipse Angus. Added it.Closes #402
FTR, Dependency-Track has been migrated accordingly. The test suite passes locally, and manual testing of the running application did not yield any complications. Pending PR is here: DependencyTrack/dependency-track#3730