Clean build on all available JDK versions (#729)

- POM and JavaDoc updates to get a clean (warning free) build, remove duplicates, etc
- Ensured CI uses the release build profile (i.e. 'ossrh') to ensure we can execute all things necessary for a release.  This will not deploy to ossrh however, as we do that manually during a release per https://github.com/jwtk/jjwt/wiki#release-instructions
- Fixing JavaDoc lint errors surfacing on JDK 14
- Enable html5 for JavaDoc on JDK >= 9
- Used version properties and Maven profiles to allow the japicmp-maven-plugin to work with JDK 7 through 18
- Minor CI job name fixes, added additional zulu JDK versions
- Fixed build to run on all JDKs, from 7 to 18 inclusive

.github/workflows/ci.yml

@@ -7,24 +7,27 @@ on:
       - master
 
 jobs:
-  hotspot:
+  temurin:
     strategy:
       matrix:
-        java: [ '8', '11' ]
+        java: [ '8', '11', '17', '18' ]
     runs-on: 'ubuntu-latest'
     env:
       MVN_CMD: ./mvnw --no-transfer-progress -B
-    name: java-${{ matrix.java }}
+    name: jdk-${{ matrix.java }}-temurin
     steps:
-      - uses: actions/checkout@v2.4.0
+      - uses: actions/checkout@v3
       - name: Set up JDK
-        uses: actions/setup-java@v2.4.0
+        uses: actions/setup-java@v3
         with:
           java-version: ${{ matrix.java }}
           distribution: 'temurin'
           cache: 'maven'
+          check-latest: true
       - name: Build
-        run: ${{env.MVN_CMD}} verify
+        # run a full build, just as we would for a release (i.e. the `ossrh` profile), but don't use gpg
+        # to sign artifacts, since we don't want to mess with storing signing credentials in CI:
+        run: ${{env.MVN_CMD}} verify -Possrh -Dgpg.skip=true
       - name: Code coverage
         if:  matrix.java == '8'
         run: |
@@ -37,34 +40,40 @@ jobs:
   zulu:
     strategy:
       matrix:
-        java: [ '9', '10', '14' ]
+        java: [ '7', '8', '9', '10', '11', '12', '13', '14', '15', '16', '17', '18' ]
     runs-on: 'ubuntu-latest'
     env:
       MVN_CMD: ./mvnw --no-transfer-progress -B
-    name: java-${{ matrix.java }}
+      JDK_MAJOR_VERSION: ${{ matrix.java }}
+    name: jdk-${{ matrix.java }}-zulu
     steps:
-      - uses: actions/checkout@v2.4.0
+      - uses: actions/checkout@v3
       - name: Set up JDK
-        uses: actions/setup-java@v2.4.0
+        uses: actions/setup-java@v3
         with:
           java-version: ${{ matrix.java }}
           distribution: 'zulu'
           cache: 'maven'
+          check-latest: true
       - name: Build
-        run: ${{env.MVN_CMD}} verify
+        # run a full build, just as we would for a release (i.e. the `ossrh` profile), but don't use gpg
+        # to sign artifacts, since we don't want to mess with storing signing credentials in CI:
+        run: |
+          if [ "$JDK_MAJOR_VERSION" == "7" ]; then export MAVEN_OPTS="-Xmx512m -XX:MaxPermSize=128m"; fi
+          ${{env.MVN_CMD}} verify -Possrh -Dgpg.skip=true
 
-  java-7:
+  jdk-7-oracle:
     runs-on: 'ubuntu-latest'
     env:
       MVN_CMD: ./mvnw --no-transfer-progress -B
       MAVEN_OPTS: "-Dhttps.protocols=TLSv1.2 -Xmx512m -XX:MaxPermSize=128m"
     steps:
-      - uses: actions/checkout@v2.4.0
+      - uses: actions/checkout@v3
       - run: |
           download_url="https://238dj3282as03k369.s3-us-west-1.amazonaws.com/jdk-7u80-linux-x64.tar.gz"
           wget -O $RUNNER_TEMP/java_package.tar.gz $download_url
       - name: Set up JDK
-        uses: actions/setup-java@v2.4.0
+        uses: actions/setup-java@v3
         with:
           distribution: 'jdkfile'
           jdkFile: ${{ runner.temp }}/java_package.tar.gz
@@ -77,4 +86,6 @@ jobs:
           unzip -oj -d "$JAVA_HOME/jre/lib/security" $RUNNER_TEMP/UnlimitedJCEPolicyJDK7.zip \*/\*.jar
           rm $RUNNER_TEMP/UnlimitedJCEPolicyJDK7.zip
       - name: Build
-        run: ${{env.MVN_CMD}} verify
+        # run a full build, just as we would for a release (i.e. the `ossrh` profile), but don't use gpg
+        # to sign artifacts, since we don't want to mess with storing signing credentials in CI:
+        run: ${{env.MVN_CMD}} verify -Possrh -Dgpg.skip=true

api/src/main/java/io/jsonwebtoken/Claims.java

@@ -31,7 +31,7 @@
  * claims.{@link Map#put(Object, Object) put}("someKey", "someValue");
  * </pre>
  *
- * <h3>Creation</h3>
+ * <h2>Creation</h2>
  *
  * <p>It is easiest to create a {@code Claims} instance by calling one of the
  * {@link Jwts#claims() JWTs.claims()} factory methods.</p>
@@ -177,7 +177,7 @@ public interface Claims extends Map<String, Object>, ClaimsMutator<Claims> {
      * complex is expected to be already converted to your desired type by the JSON
      * {@link io.jsonwebtoken.io.Deserializer Deserializer} implementation. You may specify a custom Deserializer for a
      * JwtParser with the desired conversion configuration via the {@link JwtParserBuilder#deserializeJsonWith} method.
-     * See <a href="https://github.com/jwtk/jjwt#custom-json-processor">custom JSON processor</a></a> for more
+     * See <a href="https://github.com/jwtk/jjwt#custom-json-processor">custom JSON processor</a> for more
      * information. If using Jackson, you can specify custom claim POJO types as described in
      * <a href="https://github.com/jwtk/jjwt#json-jackson-custom-types">custom claim types</a>.
      *

api/src/main/java/io/jsonwebtoken/CompressionCodecs.java

@@ -34,16 +34,19 @@ private CompressionCodecs() {
      * <a href="https://en.wikipedia.org/wiki/DEFLATE">deflate</a> compression algorithm
      */
     public static final CompressionCodec DEFLATE =
-        Classes.newInstance("io.jsonwebtoken.impl.compression.DeflateCompressionCodec");
+            Classes.newInstance("io.jsonwebtoken.impl.compression.DeflateCompressionCodec");
 
     /**
      * Codec implementing the <a href="https://en.wikipedia.org/wiki/Gzip">gzip</a> compression algorithm.
-     * <h3>Compatibility Warning</h3>
+     *
+     * <p><b>Compatibility Warning</b></p>
+     *
      * <p><b>This is not a standard JWA compression algorithm</b>.  Be sure to use this only when you are confident
      * that all parties accessing the token support the gzip algorithm.</p>
+     *
      * <p>If you're concerned about compatibility, the {@link #DEFLATE DEFLATE} code is JWA standards-compliant.</p>
      */
     public static final CompressionCodec GZIP =
-        Classes.newInstance("io.jsonwebtoken.impl.compression.GzipCompressionCodec");
+            Classes.newInstance("io.jsonwebtoken.impl.compression.GzipCompressionCodec");
 
 }

api/src/main/java/io/jsonwebtoken/Header.java

@@ -30,7 +30,7 @@
  * header.{@link Map#put(Object, Object) put}("headerParamName", "headerParamValue");
  * </pre>
  *
- * <h3>Creation</h3>
+ * <h2>Creation</h2>
  *
  * <p>It is easiest to create a {@code Header} instance by calling one of the
  * {@link Jwts#header() JWTs.header()} factory methods.</p>

api/src/main/java/io/jsonwebtoken/JwtBuilder.java

@@ -21,6 +21,7 @@
 import io.jsonwebtoken.io.Serializer;
 import io.jsonwebtoken.security.InvalidKeyException;
 import io.jsonwebtoken.security.Keys;
+
 import java.security.Key;
 import java.util.Date;
 import java.util.Map;
@@ -365,7 +366,7 @@ public interface JwtBuilder extends ClaimsMutator<JwtBuilder> {
     /**
      * Signs the constructed JWT using the specified algorithm with the specified key, producing a JWS.
      *
-     * <h4>Deprecation Notice: Deprecated as of 0.10.0</h4>
+     * <p><b>Deprecation Notice: Deprecated as of 0.10.0</b></p>
      *
      * <p>Use {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(bytes)} to
      * obtain the {@code Key} and then invoke {@link #signWith(Key)} or {@link #signWith(Key, SignatureAlgorithm)}.</p>
@@ -390,7 +391,7 @@ public interface JwtBuilder extends ClaimsMutator<JwtBuilder> {
      * <p>This is a convenience method: the string argument is first BASE64-decoded to a byte array and this resulting
      * byte array is used to invoke {@link #signWith(SignatureAlgorithm, byte[])}.</p>
      *
-     * <h4>Deprecation Notice: Deprecated as of 0.10.0, will be removed in the 1.0 release.</h4>
+     * <p><b>Deprecation Notice: Deprecated as of 0.10.0, will be removed in the 1.0 release.</b></p>
      *
      * <p>This method has been deprecated because the {@code key} argument for this method can be confusing: keys for
      * cryptographic operations are always binary (byte arrays), and many people were confused as to how bytes were
@@ -410,13 +411,12 @@ public interface JwtBuilder extends ClaimsMutator<JwtBuilder> {
      * StackOverflow answer</a> explaining why raw (non-base64-encoded) strings are almost always incorrect for
      * signature operations.</p>
      *
-     * <p>To perform the correct logic with base64EncodedSecretKey strings with JJWT >= 0.10.0, you may do this:
+     * <p>To perform the correct logic with base64EncodedSecretKey strings with JJWT &gt;= 0.10.0, you may do this:</p>
      * <pre><code>
      * byte[] keyBytes = {@link Decoders Decoders}.{@link Decoders#BASE64 BASE64}.{@link Decoder#decode(Object) decode(base64EncodedSecretKey)};
      * Key key = {@link Keys Keys}.{@link Keys#hmacShaKeyFor(byte[]) hmacShaKeyFor(keyBytes)};
      * jwtBuilder.signWith(key); //or {@link #signWith(Key, SignatureAlgorithm)}
      * </code></pre>
-     * </p>
      *
      * <p>This method will be removed in the 1.0 release.</p>
      *
@@ -475,7 +475,7 @@ public interface JwtBuilder extends ClaimsMutator<JwtBuilder> {
      * can be useful.  For example, when embedding JWTs  in URLs, some browsers may not support URLs longer than a
      * certain length.  Using compression can help ensure the compact JWT fits within that length.  However, NOTE:</p>
      *
-     * <h3>Compatibility Warning</h3>
+     * <p><b>Compatibility Warning</b></p>
      *
      * <p>The JWT family of specifications defines compression only for JWE (Json Web Encryption)
      * tokens.  Even so, JJWT will also support compression for JWS tokens as well if you choose to use it.