Add Jackson 3 support

This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom support for unmodifiable collections - Use safe default typing via a PolymorphicTypeValidator Jackson 3 changes compared to Jackson 2 are documented in https://cowtowncoder.medium.com/jackson-3-0-0-ga-released-1f669cda529a and https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See gh-17832 Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>
2026-05-22 21:33:16 +00:00 · 2025-09-01 18:23:31 +02:00
parent 916a687b29
commit 65a14d6c6d
156 changed files with 9052 additions and 146 deletions
@@ -15,6 +15,7 @@ dependencies {
 	api 'org.springframework:spring-web'

 	optional 'com.fasterxml.jackson.core:jackson-databind'
+	optional 'tools.jackson.core:jackson-databind'

 	provided 'jakarta.servlet:jakarta.servlet-api'

@@ -0,0 +1,60 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.cas.jackson;
+
+import java.util.Date;
+import java.util.Map;
+
+import com.fasterxml.jackson.annotation.JsonAutoDetect;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import org.apereo.cas.client.authentication.AttributePrincipal;
+
+/**
+ * Helps in jackson deserialization of class
+ * {@link org.apereo.cas.client.validation.AssertionImpl}, which is used with
+ * {@link org.springframework.security.cas.authentication.CasAuthenticationToken}.
+ *
+ * @author Sebastien Deleuze
+ * @author Jitendra Singh
+ * @since 7.0
+ * @see CasJacksonModule
+ * @see org.springframework.security.jackson.SecurityJacksonModules
+ */
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
+@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
+		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
+class AssertionImplMixin {
+
+	/**
+	 * Mixin Constructor helps in deserialize
+	 * {@link org.apereo.cas.client.validation.AssertionImpl}
+	 * @param principal the Principal to associate with the Assertion.
+	 * @param validFromDate when the assertion is valid from.
+	 * @param validUntilDate when the assertion is valid to.
+	 * @param authenticationDate when the assertion is authenticated.
+	 * @param attributes the key/value pairs for this attribute.
+	 */
+	@JsonCreator
+	AssertionImplMixin(@JsonProperty("principal") AttributePrincipal principal,
+			@JsonProperty("validFromDate") Date validFromDate, @JsonProperty("validUntilDate") Date validUntilDate,
+			@JsonProperty("authenticationDate") Date authenticationDate,
+			@JsonProperty("attributes") Map<String, Object> attributes) {
+	}
+
+}
@@ -0,0 +1,59 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.cas.jackson;
+
+import java.util.Map;
+
+import com.fasterxml.jackson.annotation.JsonAutoDetect;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import org.apereo.cas.client.proxy.ProxyRetriever;
+
+/**
+ * Helps in deserialize
+ * {@link org.apereo.cas.client.authentication.AttributePrincipalImpl} which is used with
+ * {@link org.springframework.security.cas.authentication.CasAuthenticationToken}.
+ *
+ * @author Sebastien Deleuze
+ * @author Jitendra Singh
+ * @since 7.0
+ * @see CasJacksonModule
+ * @see org.springframework.security.jackson.SecurityJacksonModules
+ */
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
+@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
+		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
+class AttributePrincipalImplMixin {
+
+	/**
+	 * Mixin Constructor helps in deserialize
+	 * {@link org.apereo.cas.client.authentication.AttributePrincipalImpl}
+	 * @param name the unique identifier for the principal.
+	 * @param attributes the key/value pairs for this principal.
+	 * @param proxyGrantingTicket the ticket associated with this principal.
+	 * @param proxyRetriever the ProxyRetriever implementation to call back to the CAS
+	 * server.
+	 */
+	@JsonCreator
+	AttributePrincipalImplMixin(@JsonProperty("name") String name,
+			@JsonProperty("attributes") Map<String, Object> attributes,
+			@JsonProperty("proxyGrantingTicket") String proxyGrantingTicket,
+			@JsonProperty("proxyRetriever") ProxyRetriever proxyRetriever) {
+	}
+
+}
@@ -0,0 +1,69 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.cas.jackson;
+
+import java.util.Collection;
+
+import com.fasterxml.jackson.annotation.JsonAutoDetect;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import org.apereo.cas.client.validation.Assertion;
+
+import org.springframework.security.cas.authentication.CasAuthenticationProvider;
+import org.springframework.security.cas.authentication.CasAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+
+/**
+ * Mixin class which helps in deserialize {@link CasAuthenticationToken} using jackson.
+ *
+ * @author Sebastien Deleuze
+ * @author Jitendra Singh
+ * @since 7.0
+ * @see CasJacksonModule
+ * @see org.springframework.security.jackson.SecurityJacksonModules
+ */
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
+@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,
+		getterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY)
+class CasAuthenticationTokenMixin {
+
+	/**
+	 * Mixin Constructor helps in deserialize {@link CasAuthenticationToken}
+	 * @param keyHash hashCode of provided key to identify if this object made by a given
+	 * {@link CasAuthenticationProvider}
+	 * @param principal typically the UserDetails object (cannot be <code>null</code>)
+	 * @param credentials the service/proxy ticket ID from CAS (cannot be
+	 * <code>null</code>)
+	 * @param authorities the authorities granted to the user (from the
+	 * {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
+	 * be <code>null</code>)
+	 * @param userDetails the user details (from the
+	 * {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
+	 * be <code>null</code>)
+	 * @param assertion the assertion returned from the CAS servers. It contains the
+	 * principal and how to obtain a proxy ticket for the user.
+	 */
+	@JsonCreator
+	CasAuthenticationTokenMixin(@JsonProperty("keyHash") Integer keyHash, @JsonProperty("principal") Object principal,
+			@JsonProperty("credentials") Object credentials,
+			@JsonProperty("authorities") Collection<? extends GrantedAuthority> authorities,
+			@JsonProperty("userDetails") UserDetails userDetails, @JsonProperty("assertion") Assertion assertion) {
+	}
+
+}
@@ -0,0 +1,71 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.cas.jackson;
+
+import org.apereo.cas.client.authentication.AttributePrincipalImpl;
+import org.apereo.cas.client.validation.AssertionImpl;
+import tools.jackson.core.Version;
+import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
+
+import org.springframework.security.cas.authentication.CasAuthenticationToken;
+import org.springframework.security.jackson.SecurityJacksonModule;
+import org.springframework.security.jackson.SecurityJacksonModules;
+
+/**
+ * Jackson module for spring-security-cas. This module register
+ * {@link AssertionImplMixin}, {@link AttributePrincipalImplMixin} and
+ * {@link CasAuthenticationTokenMixin}. If no default typing enabled by default then it'll
+ * enable it because typing info is needed to properly serialize/deserialize objects. In
+ * order to use this module just add this module into your JsonMapper configuration.
+ *
+ * <p>
+ * The recommended way to configure it is to use {@link SecurityJacksonModules} in order
+ * to enable properly automatic inclusion of type information with related validation.
+ *
+ * <pre>
+ *     ClassLoader loader = getClass().getClassLoader();
+ *     JsonMapper mapper = JsonMapper.builder()
+ * 				.addModules(SecurityJacksonModules.getModules(loader))
+ * 				.build();
+ * </pre>
+ *
+ * @author Sebastien Deleuze
+ * @author Jitendra Singh
+ * @since 7.0
+ * @see SecurityJacksonModules
+ */
+public class CasJacksonModule extends SecurityJacksonModule {
+
+	public CasJacksonModule() {
+		super(CasJacksonModule.class.getName(), new Version(1, 0, 0, null, null, null));
+	}
+
+	@Override
+	public void configurePolymorphicTypeValidator(BasicPolymorphicTypeValidator.Builder builder) {
+		builder.allowIfSubType(AssertionImpl.class)
+			.allowIfSubType(AttributePrincipalImpl.class)
+			.allowIfSubType(CasAuthenticationToken.class);
+	}
+
+	@Override
+	public void setupModule(SetupContext context) {
+		context.setMixIn(AssertionImpl.class, AssertionImplMixin.class);
+		context.setMixIn(AttributePrincipalImpl.class, AttributePrincipalImplMixin.class);
+		context.setMixIn(CasAuthenticationToken.class, CasAuthenticationTokenMixin.class);
+	}
+
+}
@@ -0,0 +1,20 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Jackson 3+ serialization support for CAS.
+ */
+package org.springframework.security.cas.jackson;
@@ -15,7 +15,7 @@
 */

 /**
- * Jackson support for CAS.
+ * Jackson 2 support for CAS.
 */
@NullMarked
 package org.springframework.security.cas.jackson2;
@@ -0,0 +1,151 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.cas.jackson;
+
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Date;
+
+import org.apereo.cas.client.authentication.AttributePrincipalImpl;
+import org.apereo.cas.client.validation.Assertion;
+import org.apereo.cas.client.validation.AssertionImpl;
+import org.json.JSONException;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.skyscreamer.jsonassert.JSONAssert;
+import tools.jackson.databind.json.JsonMapper;
+
+import org.springframework.security.cas.authentication.CasAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.jackson.SecurityJacksonModules;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * @author Jitendra Singh
+ * @since 4.2
+ */
+public class CasAuthenticationTokenMixinTests {
+
+	private static final String KEY = "casKey";
+
+	private static final String PASSWORD = "\"1234\"";
+
+	private static final Date START_DATE = new Date();
+
+	private static final Date END_DATE = new Date();
+
+	public static final String AUTHORITY_JSON = "{\"@class\": \"org.springframework.security.core.authority.SimpleGrantedAuthority\", \"authority\": \"ROLE_USER\"}";
+
+	public static final String AUTHORITIES_SET_JSON = "[\"java.util.Collections$UnmodifiableSet\", [" + AUTHORITY_JSON
+			+ "]]";
+
+	public static final String AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.Collections$UnmodifiableRandomAccessList\", ["
+			+ AUTHORITY_JSON + "]]";
+
+	// @formatter:off
+	public static final String USER_JSON = "{"
+		+ "\"@class\": \"org.springframework.security.core.userdetails.User\", "
+		+ "\"username\": \"admin\","
+		+ " \"password\": " + PASSWORD + ", "
+		+ "\"accountNonExpired\": true, "
+		+ "\"accountNonLocked\": true, "
+		+ "\"credentialsNonExpired\": true, "
+		+ "\"enabled\": true, "
+		+ "\"authorities\": " + AUTHORITIES_SET_JSON
+	+ "}";
+	// @formatter:on
+	private static final String CAS_TOKEN_JSON = "{"
+			+ "\"@class\": \"org.springframework.security.cas.authentication.CasAuthenticationToken\", "
+			+ "\"keyHash\": " + KEY.hashCode() + "," + "\"principal\": " + USER_JSON + ", " + "\"credentials\": "
+			+ PASSWORD + ", " + "\"authorities\": " + AUTHORITIES_ARRAYLIST_JSON + "," + "\"userDetails\": " + USER_JSON
+			+ "," + "\"authenticated\": true, " + "\"details\": null," + "\"assertion\": {"
+			+ "\"@class\": \"org.apereo.cas.client.validation.AssertionImpl\", " + "\"principal\": {"
+			+ "\"@class\": \"org.apereo.cas.client.authentication.AttributePrincipalImpl\", "
+			+ "\"name\": \"assertName\", " + "\"attributes\": {\"@class\": \"java.util.Collections$EmptyMap\"}, "
+			+ "\"proxyGrantingTicket\": null, " + "\"proxyRetriever\": null" + "}, "
+			+ "\"validFromDate\": [\"java.util.Date\", " + START_DATE.getTime() + "], "
+			+ "\"validUntilDate\": [\"java.util.Date\", " + END_DATE.getTime() + "],"
+			+ "\"authenticationDate\": [\"java.util.Date\", " + START_DATE.getTime() + "], "
+			+ "\"attributes\": {\"@class\": \"java.util.Collections$EmptyMap\"},"
+			+ "\"context\": {\"@class\":\"java.util.HashMap\"}" + "}" + "}";
+
+	private static final String CAS_TOKEN_CLEARED_JSON = CAS_TOKEN_JSON.replaceFirst(PASSWORD, "null");
+
+	protected JsonMapper mapper;
+
+	@BeforeEach
+	public void setup() {
+		ClassLoader loader = getClass().getClassLoader();
+		this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build();
+	}
+
+	@Test
+	public void serializeCasAuthenticationTest() throws JSONException {
+		CasAuthenticationToken token = createCasAuthenticationToken();
+		String actualJson = this.mapper.writeValueAsString(token);
+		JSONAssert.assertEquals(CAS_TOKEN_JSON, actualJson, true);
+	}
+
+	@Test
+	public void serializeCasAuthenticationTestAfterEraseCredentialInvoked() throws JSONException {
+		CasAuthenticationToken token = createCasAuthenticationToken();
+		token.eraseCredentials();
+		String actualJson = this.mapper.writeValueAsString(token);
+		JSONAssert.assertEquals(CAS_TOKEN_CLEARED_JSON, actualJson, true);
+	}
+
+	@Test
+	public void deserializeCasAuthenticationTestAfterEraseCredentialInvoked() {
+		CasAuthenticationToken token = this.mapper.readValue(CAS_TOKEN_CLEARED_JSON, CasAuthenticationToken.class);
+		assertThat(((UserDetails) token.getPrincipal()).getPassword()).isNull();
+	}
+
+	@Test
+	public void deserializeCasAuthenticationTest() throws IOException {
+		CasAuthenticationToken token = this.mapper.readValue(CAS_TOKEN_JSON, CasAuthenticationToken.class);
+		assertThat(token).isNotNull();
+		assertThat(token.getPrincipal()).isNotNull().isInstanceOf(User.class);
+		assertThat(((User) token.getPrincipal()).getUsername()).isEqualTo("admin");
+		assertThat(((User) token.getPrincipal()).getPassword()).isEqualTo("1234");
+		assertThat(token.getUserDetails()).isNotNull().isInstanceOf(User.class);
+		assertThat(token.getAssertion()).isNotNull().isInstanceOf(AssertionImpl.class);
+		assertThat(token.getKeyHash()).isEqualTo(KEY.hashCode());
+		assertThat(token.getUserDetails().getAuthorities()).extracting(GrantedAuthority::getAuthority)
+			.containsOnly("ROLE_USER");
+		assertThat(token.getAssertion().getAuthenticationDate()).isEqualTo(START_DATE);
+		assertThat(token.getAssertion().getValidFromDate()).isEqualTo(START_DATE);
+		assertThat(token.getAssertion().getValidUntilDate()).isEqualTo(END_DATE);
+		assertThat(token.getAssertion().getPrincipal().getName()).isEqualTo("assertName");
+		assertThat(token.getAssertion().getAttributes()).hasSize(0);
+	}
+
+	private CasAuthenticationToken createCasAuthenticationToken() {
+		User principal = new User("admin", "1234", Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
+		Collection<? extends GrantedAuthority> authorities = Collections
+			.singletonList(new SimpleGrantedAuthority("ROLE_USER"));
+		Assertion assertion = new AssertionImpl(new AttributePrincipalImpl("assertName"), START_DATE, END_DATE,
+				START_DATE, Collections.<String, Object>emptyMap());
+		return new CasAuthenticationToken(KEY, principal, principal.getPassword(), authorities,
+				new User("admin", "1234", authorities), assertion);
+	}
+
+}