RuntimeClasspathDeserializerLocator fails when jackson is in the classpath, but jjwt-jackson isn't

[lestephane]

jackson is being pulled transitively by some other dependency in my project, but i did not add the jjwt-jackson dependency. The way the RuntimeClasspathDeserializerLocator works, just because it sees the jackson ObjectMapper, then the JacksonDeserializer must be there, which is not true.

@SuppressWarnings("WeakerAccess") //to allow testing override
    protected Deserializer<T> locate() {
        if (isAvailable("com.fasterxml.jackson.databind.ObjectMapper")) { <<<<<<<<<<< true
            return Classes.newInstance("io.jsonwebtoken.io.JacksonDeserializer"); <<<<<< BOOM
        } else if (isAvailable("org.json.JSONObject")) {
            return Classes.newInstance("io.jsonwebtoken.io.OrgJsonDeserializer");
        } else {
            throw new IllegalStateException("Unable to discover any JSON Deserializer implementations on the classpath.");
        }
}

I'm getting this error:

Unable to load class named [io.jsonwebtoken.io.JacksonDeserializer] from the thread context, current, or system/application ClassLoaders.  All heuristics have been exhausted.  Class could not be found.

[lhazlewood]

Thanks for reporting this.

I think the proper solution for this is to check for io.jsonwebtoken implementation classes instead.

The current conditional logic was leftover from old versions of this code that did something like "if Jackson is in the classpath, automatically use the Jackson implementation" before the JSON implementations were extracted to separate artifacts. Now that they're in separate artifacts for pluggability strategies, the underlying knowledge of the JSON provider classes are no longer important in this particular method.

A simple workaround in the meantime is to:

1. Add the jjwt-jackson artifact to your classpath, or, if you don't want to do that:
2. Explicitly configure Serializer and Deserializer instances on the builder and parser. The locator will not be used since you manually provided your own instances and JJWT has no need to execute the fallback lookup logic.

I hope that helps! If this doesn't work for any reason, or you have additional feedback, please feel free to add a comment.

[lestephane]

If I use:

final Jws<Claims> jws= Jwts.parser().deserializeJsonWith(new OrgJsonDeserializer())...

I get the compile error:

java: incompatible types: io.jsonwebtoken.io.OrgJsonDeserializer cannot be converted to io.jsonwebtoken.io.Deserializer<java.util.Map<java.lang.String,?>>

What is the right incantation?