From 4d9d40ead8fd612bb04b505987ea242f13a200cb Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Tue, 9 Dec 2025 09:07:23 -0700
Subject: [PATCH] Update validateType JavaDoc

Closes gh-18227

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
---
.../security/oauth2/jwt/NimbusJwtDecoder.java | 48 +++++++------------
1 file changed, 18 insertions(+), 30 deletions(-)
diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java
index 457084d905..8688791008 100644
--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java
@@ -319,21 +319,17 @@ public final class NimbusJwtDecoder implements JwtDecoder {
}
/**
- * Whether to use Nimbus's typ header verification. This is {@code true} by
- * default, however it may change to {@code false} in a future major release.
+ * Whether to use Nimbus's {@code typ} header verification. This is {@code false}
+ * by default.
*
*
- * By turning off this feature, {@link NimbusJwtDecoder} expects applications to - * check the {@code typ} header themselves in order to determine what kind of - * validation is needed + * By turning on this feature, {@link NimbusJwtDecoder} will delegate checking the + * {@code typ} header to Nimbus by using Nimbus's default + * {@link JOSEObjectTypeVerifier}. *
* *- * This is done for you when you use {@link JwtValidators} to construct a - * validator. - * - *
- * That means that this:
- * By turning off this feature, {@link NimbusJwtDecoder} expects applications to
- * check the {@code typ} header themselves in order to determine what kind of
- * validation is needed
+ * By turning on this feature, {@link NimbusJwtDecoder} will delegate checking the
+ * {@code typ} header to Nimbus by using Nimbus's default
+ * {@link JOSEObjectTypeVerifier}.
*
- * This is done for you when you use {@link JwtValidators} to construct a
- * validator.
- *
- *
- * That means that this:
- * By turning off this feature, {@link NimbusJwtDecoder} expects applications to
- * check the {@code typ} header themselves in order to determine what kind of
- * validation is needed
+ * By turning on this feature, {@link NimbusJwtDecoder} will delegate checking the
+ * {@code typ} header to Nimbus by using Nimbus's default
+ * {@link JOSEObjectTypeVerifier}.
*
- * This is done for you when you use {@link JwtValidators} to construct a
- * validator.
- *
- *
- * That means that this:
+ * When this is set to {@code false}, this:
* NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(issuer).build();
* jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer);
*
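Review bot: The rewritten Javadoc for `validateType` no longer says who is responsible for the `typ` header when the flag is `false`, which it now documents as the default; the removed lines stated that applications must then check `typ` themselves and that `JwtValidators` does this for them. Without that statement, a reader who installs a custom validator through `setJwtValidator` may not realise that no `typ` check remains on the decoder side, so a token of an unintended type could pass validation. I would keep one sentence such as `When {@code false}, the configured {@link OAuth2TokenValidator} is responsible for checking {@code typ}; validators built with {@link JwtValidators} do this.`, unless the text after the hunk already covers it (the Javadoc block continues past the last visible line). The same applies to the two identical hunks at -600 and -729. Separately, the sample line `jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer);` is missing a closing parenthesis in all three places and should read `...createDefaultWithIssuer(issuer));`.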
@@ -600,21 +596,17 @@ public final class NimbusJwtDecoder implements JwtDecoder {
}
/**
- * Whether to use Nimbus's typ header verification. This is {@code true} by
- * default, however it may change to {@code false} in a future major release.
+ * Whether to use Nimbus's {@code typ} header verification. This is {@code false}
+ * by default.
*
*
+ * When this is set to {@code false}, this:
* NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(issuer).build();
* jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer);
*
@@ -729,21 +721,17 @@ public final class NimbusJwtDecoder implements JwtDecoder {
}
/**
- * Whether to use Nimbus's typ header verification. This is {@code true} by
- * default, however it may change to {@code false} in a future major release.
+ * Whether to use Nimbus's {@code typ} header verification. This is {@code false}
+ * by default.
*
*
+ * When this is set to {@code false}, this:
* NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(issuer).build();
* jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer);
*