I have a Java project which has a dependency on Spring Boot version 2.3.6.RELEASE. However, I'm having trouble upgrading to version 2.4.0. Nothing else in the project was changed, only the version of Spring Boot. Since then the application throws the following error message:
Caused by: java.lang.ClassCastException: com.nimbusds.jose.shaded.json.JSONObject cannot be cast to net.minidev.json.JSONObject
I did some comparison of the Maven dependency tree (mvn dependency:tree) and found out that probably some significant changes have been made to the nimbus-jose-jwt and json-smart libs.
2.3.6.RELEASE
[INFO] +- org.springframework.security:spring-security-oauth2-jose:jar:5.3.5.RELEASE:compile
[INFO] | +- com.nimbusds:nimbus-jose-jwt:jar:8.19:compile (version managed from 8.20.1)
[INFO] | | +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] | | \- net.minidev:json-smart:jar:1.3.1:provided (scope managed from compile)
[INFO] | +- org.springframework.security:spring-security-core:jar:5.3.5.RELEASE:compile
2.4.0
[INFO] +- org.springframework.security:spring-security-oauth2-jose:jar:5.4.1:compile
[INFO] | +- com.nimbusds:nimbus-jose-jwt:jar:9.1.2:compile (version managed from 9.0.1)
[INFO] | | \- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] | +- org.springframework.security:spring-security-core:jar:5.4.1:compile
As can be seen above, nimbus-jose-jwt has been updated from 8.19 to 9.1.2. Moreover, json-smart is no longer part of nimbus-jose-jwt in 2.4.0.
The root cause is probably this change (https://connect2id.com/blog/nimbus-jose-jwt-9). However, what should be done in order to prevent this exception?
You could override the default versions of jars nimbus-jose-jwt and json-smart, by adding the older version explicitly in your pom.
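The override described in the answer above could look like the following pom fragment. This is an added example, not part of the original answer; the versions 8.19 and 1.3.1 are taken from the 2.3.6.RELEASE dependency tree in the question, and putting them in a `dependencyManagement` section is an assumption about how the project's pom is organised.

```xml
<!-- Added example: pin the two libraries to the versions that were
     resolved under Spring Boot 2.3.6.RELEASE (see the tree in the question). -->
<dependencyManagement>
  <dependencies>
    <!-- Overrides the 9.1.2 version managed by Spring Boot 2.4.0 -->
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>8.19</version>
    </dependency>
    <!-- nimbus-jose-jwt 8.x uses the unshaded net.minidev classes,
         so json-smart has to be on the classpath again -->
    <dependency>
      <groupId>net.minidev</groupId>
      <artifactId>json-smart</artifactId>
      <version>1.3.1</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Re-run `mvn dependency:tree` afterwards to confirm that both artifacts resolve to the pinned versions. A pinned JOSE/JWT library no longer follows the versions Spring Boot manages, so later fixes to it have to be picked up by hand.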