DefaultJWTClaimsVerifier can throw unexpected NullPointerException

Issue #552 resolved
Florian Beutel created an issue

This code in DefaultJWTClaimsVerifier throws a NullPointerException if actualClaim is null. This can happen as #519 introduced support for null-valued JWT claims.

Object actualClaim = claimsSet.getClaim(exactMatch);
Object expectedClaim = exactMatchClaims.getClaim(exactMatch);
if (!actualClaim.equals(expectedClaim)) {
    throw new BadJWTException("JWT " + exactMatch + " claim has value " + actualClaim + ", must be " + expectedClaim);
}

Objects.equals() should be used to correctly handle null claims.

Since 9.38
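
The failure and the suggested fix side by side, as an added example (not code from the issue or from the library): plain `Map`s stand in for the claims sets, and `ClaimMismatchException` is a hypothetical stand-in for `BadJWTException`.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

public class NullClaimMatchDemo {
    // Hypothetical stand-in for the library's BadJWTException.
    static class ClaimMismatchException extends Exception {
        ClaimMismatchException(String message) { super(message); }
    }

    // Exact-match check over plain maps (assumed stand-ins for the claims sets).
    // nullSafe=false mirrors the quoted comparison; true uses Objects.equals().
    static void verify(Map<String, Object> claims, Map<String, Object> exactMatch,
                       boolean nullSafe) throws ClaimMismatchException {
        for (String name : exactMatch.keySet()) {
            Object actualClaim = claims.get(name);
            Object expectedClaim = exactMatch.get(name);
            boolean same = nullSafe
                    ? Objects.equals(actualClaim, expectedClaim)
                    : actualClaim.equals(expectedClaim); // NPE when actualClaim is null
            if (!same) {
                throw new ClaimMismatchException("JWT " + name + " claim has value "
                        + actualClaim + ", must be " + expectedClaim);
            }
        }
    }

    // Runs the check and names which exception, if any, came out of it.
    static String outcome(Map<String, Object> claims, Map<String, Object> exactMatch,
                          boolean nullSafe) {
        try {
            verify(claims, exactMatch, nullSafe);
            return "accepted";
        } catch (ClaimMismatchException e) {
            return "rejected: " + e.getMessage();
        } catch (NullPointerException e) {
            return "NullPointerException escaped the verifier";
        }
    }

    public static void main(String[] args) {
        Map<String, Object> exactMatch = Map.of("iss", "https://issuer.example");
        Map<String, Object> nullIss = new HashMap<>();
        nullIss.put("iss", null); // constructed sample: token with a null-valued claim
        System.out.println("as reported: " + outcome(nullIss, exactMatch, false));
        System.out.println("null-safe:   " + outcome(nullIss, exactMatch, true));
        System.out.println("matching:    " + outcome(exactMatch, exactMatch, true));
    }
}
```

With the null-safe comparison the null-valued claim produces the verifier's own rejection, so callers that handle only that exception type still see a clean failure.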
