Skip to content

Remove javaxb dependency from HMACValidator #1802

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jeandersonbc merged 2 commits into from
Mar 26, 2026
Merged

Remove javaxb dependency from HMACValidator #1802

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
38823ef
chore(deps): cleanup and standardized pom.xml
jeandersonbc Mar 25, 2026
429e98a
Use commons-codec instead of jaxb-api
jeandersonbc Mar 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
173 changes: 92 additions & 81 deletions pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,16 +23,45 @@
</developer>
</developers>
<properties>
<!-- Project Settings -->
<maven.compiler.source>11</maven.compiler.source>
<maven.compiler.target>11</maven.compiler.target>

<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<swagger-core-version>1.6.16</swagger-core-version>
<sonar.organization>adyen</sonar.organization>
<sonar.host.url>https://sonarcloud.io</sonar.host.url>

<!-- Dependency Versions -->
<!-- Compile -->
<com.fasterxml.jackson-version>2.21.0</com.fasterxml.jackson-version>
Copy link
Copy Markdown
Contributor

@thomasc-adyen thomasc-adyen Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just noticing this, but why do we have gson and jackson in the same project?

Copy link
Copy Markdown
Contributor

@gcatanese gcatanese Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GSON only used by the TerminalAPI

Copy link
Copy Markdown
Contributor Author

@jeandersonbc jeandersonbc Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I'm also curious about this. We do use it for serialization and deserialization in a few places (.toJson/.fromJson):

I think as part of the bigger migration, we want to stick with a single JSON library.

Copy link
Copy Markdown
Contributor

@thomasc-adyen thomasc-adyen Mar 25, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Answered my own question 😅

This library uses both serialization stacks for historical and compatibility reasons:
• Jackson is used broadly by the generated API models (com.adyen.model.*.JSON classes with ObjectMapper).
• Gson is still used in specific flows, especially Terminal API and webhook notification helpers (for example TerminalCloudAPI and NotificationRequest#fromJson/toJson).

Edit: forgot to refresh 😆

<gson-version>2.11.0</gson-version>
<commons-codec-version>1.18.0</commons-codec-version>
<gson-fire-version>1.9.0</gson-fire-version>
<swagger-core-version>1.6.16</swagger-core-version>
<swagger-annotations-v3-version>2.2.30</swagger-annotations-v3-version>
<jakarta.ws.rs-api-version>3.1.0</jakarta.ws.rs-api-version>
<jaxb-api-version>2.3.1</jaxb-api-version>
<httpclient5-version>5.5</httpclient5-version>

<!-- Test -->
<okio-version>3.16.4</okio-version>
<hamcrest-version>3.0</hamcrest-version>
<junit-jupiter-version>5.11.4</junit-jupiter-version>
<mockito-version>5.21.0</mockito-version>

<!-- Plugin Versions -->
<maven-compiler-plugin-version>3.14.1</maven-compiler-plugin-version>
<maven-jar-plugin-version>3.5.0</maven-jar-plugin-version>
<jacoco-maven-plugin-version>0.8.14</jacoco-maven-plugin-version>
<maven-source-plugin-version>3.3.1</maven-source-plugin-version>
<maven-javadoc-plugin-version>3.12.0</maven-javadoc-plugin-version>
<maven-gpg-plugin-version>3.2.8</maven-gpg-plugin-version>
<central-publishing-maven-plugin-version>0.7.0</central-publishing-maven-plugin-version>
<maven-checkstyle-plugin-version>3.6.0</maven-checkstyle-plugin-version>
<maven-bundle-plugin-version>5.1.9</maven-bundle-plugin-version>
<spotless-maven-plugin-version>3.2.1</spotless-maven-plugin-version>
<maven-surefire-plugin-version>3.5.2</maven-surefire-plugin-version>
<google-java-format-version>1.34.1</google-java-format-version>
</properties>
<scm>
<connection>scm:git:git@github.com:Adyen/adyen-java-api-library.git</connection>
Expand All @@ -44,34 +73,22 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.14.1</version>
<version>${maven-compiler-plugin-version}</version>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<version>3.5.0</version>
<version>${maven-jar-plugin-version}</version>
<configuration>
<archive>
<manifestFile>${project.build.outputDirectory}/META-INF/MANIFEST.MF</manifestFile>
</archive>
</configuration>
</plugin>
<plugin>
<groupId>org.eluder.coveralls</groupId>
<artifactId>coveralls-maven-plugin</artifactId>
<version>4.3.0</version>
<dependencies>
<dependency>
<groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId>
<version>2.3.1</version>
</dependency>
</dependencies>
</plugin>
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>0.8.14</version>
<version>${jacoco-maven-plugin-version}</version>
<executions>
<execution>
<id>prepare-agent</id>
Expand All @@ -95,7 +112,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
<version>3.3.1</version>
<version>${maven-source-plugin-version}</version>
<executions>
<execution>
<id>attach-sources</id>
Expand All @@ -108,7 +125,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>3.12.0</version>
<version>${maven-javadoc-plugin-version}</version>
<executions>
<execution>
<id>attach-javadocs</id>
Expand All @@ -121,7 +138,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>3.2.8</version>
<version>${maven-gpg-plugin-version}</version>
<executions>
<execution>
<id>sign-artifacts</id>
Expand All @@ -136,7 +153,7 @@
<plugin>
<groupId>org.sonatype.central</groupId>
<artifactId>central-publishing-maven-plugin</artifactId>
<version>0.7.0</version>
<version>${central-publishing-maven-plugin-version}</version>
<extensions>true</extensions>
<configuration>
<publishingServerId>central</publishingServerId>
Expand All @@ -149,7 +166,7 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-checkstyle-plugin</artifactId>
<version>3.6.0</version>
<version>${maven-checkstyle-plugin-version}</version>
<configuration>
<configLocation>checkstyle.xml</configLocation>
<suppressionsLocation>checkstyle-suppressions.xml</suppressionsLocation>
Expand All @@ -169,7 +186,7 @@
<plugin>
<groupId>org.apache.felix</groupId>
<artifactId>maven-bundle-plugin</artifactId>
<version>5.1.9</version>
<version>${maven-bundle-plugin-version}</version>
<executions>
<execution>
<id>bundle-manifest</id>
Expand All @@ -189,7 +206,7 @@
<plugin>
<groupId>com.diffplug.spotless</groupId>
<artifactId>spotless-maven-plugin</artifactId>
<version>3.2.1</version>
<version>${spotless-maven-plugin-version}</version>
<executions>
<execution>
<goals>
Expand All @@ -204,11 +221,11 @@
<include>src/test/java/**/*.java</include>
</includes>
<googleJavaFormat>
<version>1.34.1</version>
<version>${google-java-format-version}</version>
<style>GOOGLE</style>
<formatJavadoc>true</formatJavadoc>
</googleJavaFormat>
<importOrder /> <!-- standard import order -->
<importOrder/> <!-- standard import order -->
<removeUnusedImports>
<engine>google-java-format</engine>
</removeUnusedImports>
Expand All @@ -218,100 +235,94 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>3.5.2</version>
<version>${maven-surefire-plugin-version}</version>
</plugin>

</plugins>
</build>
<dependencies>
<dependency>
<groupId>com.fasterxml.jackson.datatype</groupId>
<artifactId>jackson-datatype-jsr310</artifactId>
<version>2.21.0</version>
</dependency>
<!-- Compile -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.21.0</version>
<version>${com.fasterxml.jackson-version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.datatype</groupId>
<artifactId>jackson-datatype-jsr310</artifactId>
<version>${com.fasterxml.jackson-version}</version>
</dependency>
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>2.11.0</version>
<scope>compile</scope>
<version>${gson-version}</version>
</dependency>
<dependency>
<groupId>org.apache.httpcomponents.client5</groupId>
<artifactId>httpclient5</artifactId>
<version>5.5</version>
<scope>compile</scope>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>${commons-codec-version}</version>
</dependency>

<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter</artifactId>
<version>${junit-jupiter-version}</version>
<scope>test</scope>
<groupId>io.gsonfire</groupId>
<artifactId>gson-fire</artifactId>
<version>${gson-fire-version}</version>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-junit-jupiter</artifactId>
<version>${mockito-version}</version>
<scope>test</scope>
<groupId>io.swagger</groupId>
<artifactId>swagger-annotations</artifactId>
<version>${swagger-core-version}</version>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>${mockito-version}</version>
<scope>test</scope>
<groupId>io.swagger.core.v3</groupId>
<artifactId>swagger-annotations</artifactId>
<version>${swagger-annotations-v3-version}</version>
</dependency>
<dependency>
<groupId>org.hamcrest</groupId>
<artifactId>hamcrest</artifactId>
<version>3.0</version>
<scope>test</scope>
<groupId>jakarta.ws.rs</groupId>
<artifactId>jakarta.ws.rs-api</artifactId>
<version>${jakarta.ws.rs-api-version}</version>
</dependency>
<dependency>
<groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId>
<version>2.3.1</version>
<scope>compile</scope>
<version>${jaxb-api-version}</version>
</dependency>
<dependency>
<groupId>io.swagger.core.v3</groupId>
<artifactId>swagger-annotations</artifactId>
<version>2.2.30</version>
<scope>compile</scope>
<groupId>org.apache.httpcomponents.client5</groupId>
<artifactId>httpclient5</artifactId>
<version>${httpclient5-version}</version>
</dependency>

<!-- Test -->
<dependency>
<groupId>jakarta.ws.rs</groupId>
<artifactId>jakarta.ws.rs-api</artifactId>
<version>3.1.0</version>
<scope>compile</scope>
<groupId>com.squareup.okio</groupId>
<artifactId>okio</artifactId>
<version>${okio-version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>io.gsonfire</groupId>
<artifactId>gson-fire</artifactId>
<version>1.9.0</version>
<scope>compile</scope>
<groupId>org.hamcrest</groupId>
<artifactId>hamcrest</artifactId>
<version>${hamcrest-version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>com.squareup.okio</groupId>
<artifactId>okio</artifactId>
<version>3.16.4</version>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter</artifactId>
<version>${junit-jupiter-version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>1.18.0</version> <!-- or the latest version -->
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>${mockito-version}</version>
<scope>test</scope>
</dependency>
<!-- Generated model annotations -->
<dependency>
<groupId>io.swagger</groupId>
<artifactId>swagger-annotations</artifactId>
<version>${swagger-core-version}</version>
<scope>compile</scope>
<groupId>org.mockito</groupId>
<artifactId>mockito-junit-jupiter</artifactId>
<version>${mockito-version}</version>
<scope>test</scope>
</dependency>
</dependencies>
</project>
11 changes: 7 additions & 4 deletions src/main/java/com/adyen/util/HMACValidator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
*
* Adyen Java API Library
*
* Copyright (c) 2017 Adyen B.V.
* Copyright (c) 2026 Adyen B.V.
* This file is open source and available under the MIT license.
* See the LICENSE file for more info.
*/
Expand All @@ -31,8 +31,9 @@
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;

/** Utility class for generating and validating HMAC signatures used in Adyen webhooks. */
public class HMACValidator {
Expand All @@ -48,7 +49,7 @@ public class HMACValidator {
* @param data the data to sign
* @param key the HMAC key in hexadecimal format
* @return the Base64-encoded HMAC signature
* @throws IllegalArgumentException if the data or key is null
* @throws IllegalArgumentException if the data or key is null or if key is invalid
* @throws SignatureException if signature generation fails
*/
public String calculateHMAC(String data, String key)
Expand All @@ -61,7 +62,7 @@ public String calculateHMAC(String data, String key)
throw new IllegalArgumentException("HMAC key is not provided");
}

byte[] rawKey = DatatypeConverter.parseHexBinary(key);
byte[] rawKey = Hex.decodeHex(key);
SecretKeySpec signingKey = new SecretKeySpec(rawKey, HMAC_SHA256_ALGORITHM);

Mac mac = Mac.getInstance(HMAC_SHA256_ALGORITHM);
Expand All @@ -71,6 +72,8 @@ public String calculateHMAC(String data, String key)
return new String(Base64.encodeBase64(rawHmac));
} catch (IllegalArgumentException e) {
throw new IllegalArgumentException("Missing data or key: " + e.getMessage());
} catch (DecoderException e) {
throw new IllegalArgumentException("Invalid Hex HMAC key: " + key);
Comment on lines +75 to +76
Copy link
Copy Markdown
Contributor Author

@jeandersonbc jeandersonbc Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added suggestion from @gcatanese

} catch (Exception e) {
throw new SignatureException("Failed to generate HMAC: " + e.getMessage());
}
Expand Down
Loading
Loading