Deprecate Jackson 2 support

This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See gh-17832 Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
2026-05-22 21:33:16 +00:00 · 2025-09-01 18:24:08 +02:00
parent 65a14d6c6d
commit 48854c3ac9
104 changed files with 381 additions and 22 deletions
@@ -38,7 +38,12 @@ import com.fasterxml.jackson.databind.node.ArrayNode;
 * @param <T> the type of the unmodifiable collection, such as {@link List} or
 * {@link Set}.
 * @author Hyunmin Choi
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.jackson.AbstractUnmodifiableCollectionDeserializer}
+ * based on Jackson 3
 */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
 abstract class AbstractUnmodifiableCollectionDeserializer<T> extends JsonDeserializer<T> {

 	@Override
@@ -43,11 +43,16 @@ import org.springframework.security.core.GrantedAuthority;
 * @since 4.2
 * @see CoreJackson2Module
 * @see SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.jackson.AnonymousAuthenticationTokenMixin} based on
+ * Jackson 3
 */
+@SuppressWarnings("removal")
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,
 		getterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY)
@JsonIgnoreProperties(ignoreUnknown = true)
+@Deprecated(forRemoval = true)
 class AnonymousAuthenticationTokenMixin {

 	/**
@@ -38,9 +38,14 @@ import com.fasterxml.jackson.annotation.JsonTypeInfo;
 * @author Yannick Lombardi
 * @since 5.0
 * @see CoreJackson2Module
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.jackson.BadCredentialsExceptionMixin} based on
+ * Jackson 3
 */
+@SuppressWarnings("removal")
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonIgnoreProperties(ignoreUnknown = true, value = { "cause", "stackTrace", "authenticationRequest" })
+@Deprecated(forRemoval = true)
 class BadCredentialsExceptionMixin {

 	/**
@@ -44,11 +44,14 @@ import org.springframework.security.core.userdetails.User;
 * </pre> <b>Note: use {@link SecurityJackson2Modules#getModules(ClassLoader)} to get list
 * of all security modules.</b>
 *
- * @author Jitendra Singh.
+ * @author Jitendra Singh
 * @since 4.2
 * @see SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.jackson.CoreJacksonModule} based on Jackson 3
 */
-@SuppressWarnings("serial")
+@SuppressWarnings({ "serial", "removal" })
+@Deprecated(forRemoval = true)
 public class CoreJackson2Module extends SimpleModule {

 	public CoreJackson2Module() {
@@ -37,7 +37,13 @@ import com.fasterxml.jackson.annotation.JsonTypeInfo;
 * @since 7.0
 * @see CoreJackson2Module
 * @see SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.jackson.FactorGrantedAuthorityMixin} based on
+ * Jackson 3
+ *
 */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.NONE,
 		getterVisibility = JsonAutoDetect.Visibility.PUBLIC_ONLY, isGetterVisibility = JsonAutoDetect.Visibility.NONE)
@@ -50,11 +50,16 @@ import org.springframework.security.core.GrantedAuthority;
 * @since 4.2
 * @see CoreJackson2Module
 * @see SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.jackson.RememberMeAuthenticationTokenMixin} based
+ * on Jackson 3
 */
+@SuppressWarnings("removal")
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
 		isGetterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY)
@JsonIgnoreProperties(ignoreUnknown = true)
+@Deprecated(forRemoval = true)
 class RememberMeAuthenticationTokenMixin {

 	/**
@@ -67,9 +67,12 @@ import org.springframework.util.ClassUtils;
 *     mapper.registerModule(new Saml2Jackson2Module());
 * </pre>
 *
- * @author Jitendra Singh.
+ * @author Jitendra Singh
 * @since 4.2
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.jackson.SecurityJacksonModules} based on Jackson 3
 */
+@Deprecated(forRemoval = true)
 public final class SecurityJackson2Modules {

 	private static final Log logger = LogFactory.getLog(SecurityJackson2Modules.class);
@@ -35,11 +35,16 @@ import com.fasterxml.jackson.annotation.JsonTypeInfo;
 * @since 4.2
 * @see CoreJackson2Module
 * @see SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.jackson.SimpleGrantedAuthorityMixin} based on
+ * Jackson 3
 */
+@SuppressWarnings("removal")
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.NONE,
 		getterVisibility = JsonAutoDetect.Visibility.PUBLIC_ONLY, isGetterVisibility = JsonAutoDetect.Visibility.NONE)
@JsonIgnoreProperties(ignoreUnknown = true)
+@Deprecated(forRemoval = true)
 public abstract class SimpleGrantedAuthorityMixin {

 	/**
@@ -28,7 +28,10 @@ import java.util.List;
 * @author Hyunmin Choi
 * @since 5.0.2
 * @see UnmodifiableListMixin
+ * @deprecated as of 7.0
 */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
 class UnmodifiableListDeserializer extends AbstractUnmodifiableCollectionDeserializer<List> {

 	@Override
@@ -36,9 +36,12 @@ import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 * @see UnmodifiableListDeserializer
 * @see CoreJackson2Module
 * @see SecurityJackson2Modules
+ * @deprecated as of 7.0
 */
+@SuppressWarnings("removal")
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonDeserialize(using = UnmodifiableListDeserializer.class)
+@Deprecated(forRemoval = true)
 class UnmodifiableListMixin {

 	/**
@@ -33,7 +33,10 @@ import com.fasterxml.jackson.databind.ObjectMapper;
 * @author Ulrich Grave
 * @since 5.7
 * @see UnmodifiableMapMixin
+ * @deprecated as of 7.0
 */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
 class UnmodifiableMapDeserializer extends JsonDeserializer<Map<?, ?>> {

 	@Override
@@ -36,9 +36,12 @@ import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 * @see UnmodifiableMapDeserializer
 * @see CoreJackson2Module
 * @see SecurityJackson2Modules
+ * @deprecated as of 7.0
 */
+@SuppressWarnings("removal")
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonDeserialize(using = UnmodifiableMapDeserializer.class)
+@Deprecated(forRemoval = true)
 class UnmodifiableMapMixin {

 	@JsonCreator
@@ -28,7 +28,10 @@ import java.util.Set;
 * @author Hyunmin Choi
 * @since 4.2
 * @see UnmodifiableSetMixin
+ * @deprecated as of 7.0
 */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
 class UnmodifiableSetDeserializer extends AbstractUnmodifiableCollectionDeserializer<Set> {

 	@Override
@@ -36,9 +36,12 @@ import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 * @see UnmodifiableSetDeserializer
 * @see CoreJackson2Module
 * @see SecurityJackson2Modules
+ * @deprecated as of 7.0
 */
+@SuppressWarnings("removal")
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonDeserialize(using = UnmodifiableSetDeserializer.class)
+@Deprecated(forRemoval = true)
 class UnmodifiableSetMixin {

 	/**
@@ -39,7 +39,11 @@ import org.springframework.security.core.userdetails.User;
 * @author Jitendra Singh
 * @since 4.2
 * @see UserMixin
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.jackson.UserDeserializer} based on Jackson 3
 */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
 class UserDeserializer extends JsonDeserializer<User> {

 	private static final TypeReference<Set<SimpleGrantedAuthority>> SIMPLE_GRANTED_AUTHORITY_SET = new TypeReference<>() {
@@ -41,12 +41,16 @@ import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 * @see UserDeserializer
 * @see CoreJackson2Module
 * @see SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.jackson.UserMixin} based on Jackson 3
 */
+@SuppressWarnings("removal")
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonDeserialize(using = UserDeserializer.class)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
 		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
@JsonIgnoreProperties(ignoreUnknown = true)
+@Deprecated(forRemoval = true)
 abstract class UserMixin {

 }
@@ -48,7 +48,12 @@ import org.springframework.security.core.GrantedAuthority;
 * @author Onur Kagan Ozcan
 * @since 4.2
 * @see UsernamePasswordAuthenticationTokenMixin
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.jackson.UsernamePasswordAuthenticationTokenDeserializer}
+ * based on Jackson 3
 */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
 class UsernamePasswordAuthenticationTokenDeserializer extends JsonDeserializer<UsernamePasswordAuthenticationToken> {

 	private static final TypeReference<List<GrantedAuthority>> GRANTED_AUTHORITY_LIST = new TypeReference<>() {
@@ -42,11 +42,16 @@ import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 * @since 4.2
 * @see CoreJackson2Module
 * @see SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.jackson.UsernamePasswordAuthenticationTokenDeserializer}
+ * based on Jackson 3
 */
+@SuppressWarnings("removal")
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class")
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
 		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
@JsonDeserialize(using = UsernamePasswordAuthenticationTokenDeserializer.class)
+@Deprecated(forRemoval = true)
 abstract class UsernamePasswordAuthenticationTokenMixin {

 }
@@ -26,6 +26,7 @@ import org.springframework.security.core.userdetails.User;
 * @author Jitenra Singh
 * @since 4.2
 */
+@SuppressWarnings("removal")
 public abstract class AbstractMixinTests {

 	protected ObjectMapper mapper;
@@ -38,6 +38,7 @@ import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 * @author Rob Winch
 * @since 5.0
 */
+@SuppressWarnings("removal")
 public class SecurityJackson2ModulesTests {

 	private ObjectMapper mapper;