java.lang.NoSuchMethodError: org.json.JSONTokener.<init>(Ljava/io/Reader;)V

Question

java.lang.NoSuchMethodError: org.json.JSONTokener.<init>(Ljava/io/Reader;)V

ejoseca opened this issue 6 months ago · 15 comments

Description
JWS cannot be deserialized in Android devices.

Steps to reproduce

Add the required dependencies for an Android project as shown in the README.md

dependencies {
    api('io.jsonwebtoken:jjwt-api:0.12.3')
    runtimeOnly('io.jsonwebtoken:jjwt-impl:0.12.3') 
    runtimeOnly('io.jsonwebtoken:jjwt-orgjson:0.12.3') {
        exclude(group: 'org.json', module: 'json') //provided by Android natively
    }
}

Create a parser

Jwts.parser()
  .verifyWith(publicKey)
  .build()
  .parseSignedClaims(jwsString);

Try to deserialize a signed JWT in an Android device
An error is thrown: java.lang.NoSuchMethodError: org.json.JSONTokener.<init>(Ljava/io/Reader;)V

Cause
Since 0.12.0, the class io.jsonwebtoken.orgjson.io.OrgJsonDeserializer, in its parse() method, is trying to create a JSONTokener passing a Reader as argument to the constructor.
This constructor is not available in the Android implementation of JSONTokener: https://android.googlesource.com/platform/libcore/+/refs/heads/main/json/src/main/java/org/json/JSONTokener.java

Answer 1 · 2023-12-21T13:53:19.000Z

This appears to be duplicate of #867. Could you please try the workaround listed there and let us know if that doesn't work?

We'll need to change the implementation on a future release to detect if this method is available on Android and then fallback to older logic if not.

Answer 2 · 2024-01-04T22:59:56.000Z

@lhazlewood I ran into the same issue described. I tried the proposed solution (not excluding the org.json dependency), and I still run into the same issue. It looks like it might of worked for someone else in #867, but it didn't solve it for me.

Answer 3 · 2024-01-08T18:43:47.000Z

@DanielGalarza thanks for trying the proposed solution. What version of Android are you using?

@phamhongphong what version of Android are you using since it worked for you?

Answer 4 · 2024-01-08T18:55:31.000Z

@DanielGalarza just to confirm, your dependencies looked like this?

dependencies {
    api('io.jsonwebtoken:jjwt-api:0.12.3')
    runtimeOnly('io.jsonwebtoken:jjwt-impl:0.12.3') 
    runtimeOnly('io.jsonwebtoken:jjwt-orgjson:0.12.3')
}

Answer 5 · 2024-01-08T21:08:40.000Z

@lhazlewood Not excluding org.json works, but I don't want to include it in our project because of maintainability.
Overriding the Android's JSON implementation with a transitive dependency could lead to use methods that will not be available when it is removed.

For now, we are going to stay in version 0.11.5.

Answer 6 · 2024-01-08T22:14:15.000Z

@ejoseca that's helpful, thanks for the feedback. We'll use this issue to track the work for a fix.

Answer 7 · 2024-01-08T22:16:36.000Z

@ejoseca which version of Android are you using? I'd like to ensure a fix is compatible with at least that (and potentially others).

Answer 8 · 2024-01-08T22:21:51.000Z

Actually, Android version probably doesn't matter, it appears that even the latest only supports a String constructor:

https://developer.android.com/reference/org/json/JSONTokener#JSONTokener(java.lang.String)

Answer 9 · 2024-01-09T08:05:22.000Z

We support from Android 5 (SDK 21) onwards, but the JSON implementation is almost the same for all Android versions.

JSONTokener in Android 2.3: https://android.googlesource.com/platform/libcore/+/refs/tags/android-2.3_r1/json/src/main/java/org/json/JSONTokener.java

Answer 10 · 2024-01-09T16:48:30.000Z

@DanielGalarza just to confirm, your dependencies looked like this?

dependencies {
    api('io.jsonwebtoken:jjwt-api:0.12.3')
    runtimeOnly('io.jsonwebtoken:jjwt-impl:0.12.3') 
    runtimeOnly('io.jsonwebtoken:jjwt-orgjson:0.12.3')
}

@lhazlewood Correct, that's what I tried to use, but still ran into issues. As far as the Android versions we are running, It's Android 8 (API 26) and through Android 14 (API 34)

I will also be staying on v11.5 for now, but I am looking forward to a fix soon, so that I can migrate over to 12+

Answer 11 · 2024-01-10T02:51:44.000Z

As updated by the PR merge, I've fixed this issue AFAICT. If anyone in this thread has the ability to build the latest master from source and test, I'd appreciate it! Please report back if you experience any problems.

Answer 12 · 2024-01-10T02:52:12.000Z

This will be released in an upcoming 0.12.4 release.

Answer 13 · 2024-01-17T21:45:31.000Z

As updated by the PR merge, I've fixed this issue AFAICT. If anyone in this thread has the ability to build the latest master from source and test, I'd appreciate it! Please report back if you experience any problems.

@lhazlewood I'm happy to test this, but I'm not sure how to test you master branch. Is there a specific way I can do that from my Android project? Would this work:

    api("io.jsonwebtoken:jjwt-api:master-SNAPSHOT")
    runtimeOnly("io.jsonwebtoken:jjwt-impl:master-SNAPSHOT")
    runtimeOnly("io.jsonwebtoken:jjwt-orgjson:master-SNAPSHOT") {
        exclude group: "org.json", module: "json" //provided by Android natively
    }

Answer 14 · 2024-01-17T22:09:24.000Z

@DanielGalarza you'd have to git clone and then build JJWT yourself on your own machine, and then use the snapshots .jars created by the JJWT build in your Android project.

Answer 15 · 2024-01-18T01:00:50.000Z

@DanielGalarza I believe it would look something like this after building JJWT locally via mvn clean install:

    api("io.jsonwebtoken:jjwt-api:0.12.4-SNAPSHOT")
    runtimeOnly("io.jsonwebtoken:jjwt-impl:0.12.4-SNAPSHOT")
    runtimeOnly("io.jsonwebtoken:jjwt-orgjson:0.12.4-SNAPSHOT") {
        exclude group: "org.json", module: "json" //provided by Android natively
    }