Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 4 additions & 3 deletions .github/workflows/build-and-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,10 @@ name: auth0/auth0-java-mvc-common/build-and-test

on:
pull_request:
branches: ["master", "v2"]
merge_group:
push:
branches: ["master", "main", "v1"]
branches: ["master"]

jobs:
gradle:
Expand All @@ -14,13 +15,13 @@ jobs:
- uses: actions/setup-java@v5
with:
distribution: temurin
java-version: 8
java-version: 17

- name: Set up Gradle
uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0

- name: Test and Assemble and ApiDiff with Gradle
run: ./gradlew assemble apiDiff check jacocoTestReport --continue --console=plain
run: ./gradlew assemble check jacocoTestReport --continue --console=plain

- uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2
with:
Expand Down
9 changes: 7 additions & 2 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,9 @@ name: "CodeQL"

on:
push:
branches: [ "master", "2.0.0-dev" ]
pull_request:
branches: [ "master" ]
pull_request:
branches: [ "master", "v2" ]
schedule:
- cron: "30 19 * * 6"

Expand All @@ -26,6 +26,11 @@ jobs:
- name: Checkout
uses: actions/checkout@v6

- uses: actions/setup-java@v5
with:
distribution: temurin
java-version: 17

- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ jobs:
rl-scanner:
uses: ./.github/workflows/rl-secure.yml
with:
java-version: 8
java-version: 17
artifact-name: "auth0-java-mvc-common.tgz"
secrets:
RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
Expand All @@ -32,7 +32,7 @@ jobs:
uses: ./.github/workflows/java-release.yml
needs: rl-scanner
with:
java-version: 8.0.382-tem
java-version: 17.0.19-tem
secrets:
ossr-username: ${{ secrets.OSSR_USERNAME }}
ossr-token: ${{ secrets.OSSR_TOKEN }}
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/rl-secure.yml
Original file line number Diff line number Diff line change
Expand Up @@ -45,8 +45,8 @@ jobs:
- name: Set up Gradle
uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0

- name: Test and Assemble and ApiDiff with Gradle
run: ./gradlew assemble apiDiff check jacocoTestReport --continue --console=plain
- name: Test and Assemble with Gradle
run: ./gradlew assemble check jacocoTestReport --continue --console=plain

- name: Get Artifact Version
id: get_version
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/sca_scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,12 @@ on:
push:
branches: ["master"]
pull_request:
branches: ["master"]
branches: ["master", "v2"]

jobs:
snyk-cli:
uses: auth0/devsecops-tooling/.github/workflows/sca-scan.yml@main
with:
additional-arguments: "--exclude=README.md"
java-version: "8"
java-version: "17"
secrets: inherit
2 changes: 1 addition & 1 deletion .version
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.12.0
2.0.0-beta.0
33 changes: 33 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,38 @@
# Change Log

## [2.0.0-beta.0](https://github.com/auth0/auth0-java-mvc-common/tree/2.0.0-beta.0) (2026-05-29)

This is the first beta release of the v2 major version. See the [Migration Guide](MIGRATION_GUIDE.md) for full upgrade instructions.

**Added**
- Jakarta EE 10 / Jakarta Servlet 6.0 support (replaces `javax.servlet`) [\#154](https://github.com/auth0/auth0-java-mvc-common/pull/154) ([tanya732](https://github.com/tanya732))
- Transaction-keyed cookies to prevent multi-tab OAuth state race conditions [\#231](https://github.com/auth0/auth0-java-mvc-common/pull/231) ([tanya732](https://github.com/tanya732))
- `withHttpClient(Auth0HttpClient)` builder method for custom HTTP client configuration [\#234](https://github.com/auth0/auth0-java-mvc-common/pull/234) ([tanya732](https://github.com/tanya732))
- Algorithm auto-detection from token `alg` header (RS256/HS256) [\#154](https://github.com/auth0/auth0-java-mvc-common/pull/154) ([tanya732](https://github.com/tanya732))
- ID Token signature is now always verified — no code path allows unverified tokens [\#154](https://github.com/auth0/auth0-java-mvc-common/pull/154) ([tanya732](https://github.com/tanya732))
- MCD security fix: HMAC-signed origin domain cookies bound to state parameter [\#154](https://github.com/auth0/auth0-java-mvc-common/pull/154) ([tanya732](https://github.com/tanya732))
- JPMS module support (`com.auth0.mvc.commons`) [\#154](https://github.com/auth0/auth0-java-mvc-common/pull/154) ([tanya732](https://github.com/tanya732))
- ID Token validation delegated to auth0-java v3's `IdTokenVerifier` [\#154](https://github.com/auth0/auth0-java-mvc-common/pull/154) ([tanya732](https://github.com/tanya732))
- Migration guide for v1 to v2 upgrade [\#233](https://github.com/auth0/auth0-java-mvc-common/pull/233) ([tanya732](https://github.com/tanya732))

**Changed**
- Minimum Java version raised from 8 to 17 [\#154](https://github.com/auth0/auth0-java-mvc-common/pull/154) ([tanya732](https://github.com/tanya732))
- Upgraded auth0-java from v2 to v3.5.1 (`AuthAPI.newBuilder()` pattern) [\#154](https://github.com/auth0/auth0-java-mvc-common/pull/154) ([tanya732](https://github.com/tanya732))
- Upgraded java-jwt from v3 to v4.5.0 [\#154](https://github.com/auth0/auth0-java-mvc-common/pull/154) ([tanya732](https://github.com/tanya732))
- Upgraded jwks-rsa to v0.24.1 [\#154](https://github.com/auth0/auth0-java-mvc-common/pull/154) ([tanya732](https://github.com/tanya732))

**Removed**
- Deprecated `handle(HttpServletRequest)` — use `handle(HttpServletRequest, HttpServletResponse)` instead [\#154](https://github.com/auth0/auth0-java-mvc-common/pull/154) ([tanya732](https://github.com/tanya732))
- Deprecated `buildAuthorizeUrl(HttpServletRequest, String)` — use `buildAuthorizeUrl(HttpServletRequest, HttpServletResponse, String)` instead [\#154](https://github.com/auth0/auth0-java-mvc-common/pull/154) ([tanya732](https://github.com/tanya732))
- `withHttpOptions(HttpOptions)` on Builder — use `withHttpClient(Auth0HttpClient)` instead [\#154](https://github.com/auth0/auth0-java-mvc-common/pull/154) ([tanya732](https://github.com/tanya732))
- `InvalidRequestException.getDescription()` — use `getMessage()` instead [\#154](https://github.cm/auth0/auth0-java-mvc-common/pull/154) ([tanya732](https://github.com/tanya732))
- Custom signature verifier classes: `IdTokenVerifier`, `SignatureVerifier`, `AsymmetricSignatureVerifier`, `SymmetricSignatureVerifier`, `AlgorithmNameVerifier`, `TokenValidationException` [\#154](https://github.com/auth0/auth0-java-mvc-common/pull/154) ([tanya732](https://github.com/tanya732))
- Session-based storage classes: `RandomStorage`, `SessionUtils` [\#154](https://github.com/auth0/auth0-java-mvc-common/pull/154) ([tanya732](https://github.com/tanya732))

> **Note:** All deprecated endpoints from v1.x have been removed in this release. Session (HTTP Session) based state/nonce storage has been replaced with secure transient cookies — the library no longer uses `HttpSession` for OAuth state management.

---

## [1.12.0](https://github.com/auth0/auth0-java-mvc-common/tree/1.12.0) (2026-04-09)
[Full Changelog](https://github.com/auth0/auth0-java-mvc-common/compare/1.11.1...1.12.0)

Expand Down
Loading