diff --git a/cas/src/test/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixinTests.java b/cas/src/test/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixinTests.java index 5dbbd7e9ed..07407bbacd 100644 --- a/cas/src/test/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixinTests.java +++ b/cas/src/test/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixinTests.java @@ -16,6 +16,11 @@ package org.springframework.security.cas.jackson2; +import java.io.IOException; +import java.util.Collection; +import java.util.Collections; +import java.util.Date; + import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; import org.jasig.cas.client.authentication.AttributePrincipalImpl; @@ -26,17 +31,14 @@ import org.junit.Test; import org.junit.runner.RunWith; import org.mockito.runners.MockitoJUnitRunner; import org.skyscreamer.jsonassert.JSONAssert; + import org.springframework.security.cas.authentication.CasAuthenticationToken; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.jackson2.SecurityJacksonModules; -import java.io.IOException; -import java.util.Collection; -import java.util.Collections; -import java.util.Date; - import static org.assertj.core.api.Assertions.assertThat; /** @@ -92,6 +94,12 @@ public class CasAuthenticationTokenMixinTests { JSONAssert.assertEquals(String.format(expectedJson, "null"), actualJson, true); } + @Test + public void deserializeCasAuthenticationTestAfterEraseCredentialInvoked() throws Exception { + CasAuthenticationToken token = buildObjectMapper().readValue(String.format(expectedJson, "null"), CasAuthenticationToken.class); + assertThat(((UserDetails)token.getPrincipal()).getPassword()).isNull(); + } + @Test public void deserializeCasAuthenticationTest() throws IOException, JSONException { CasAuthenticationToken token = buildObjectMapper().readValue(String.format(expectedJson, "\"" + PASSWORD + "\""), CasAuthenticationToken.class); diff --git a/core/src/main/java/org/springframework/security/jackson2/UserDeserializer.java b/core/src/main/java/org/springframework/security/jackson2/UserDeserializer.java index c7cd3a2c59..0407214b7a 100644 --- a/core/src/main/java/org/springframework/security/jackson2/UserDeserializer.java +++ b/core/src/main/java/org/springframework/security/jackson2/UserDeserializer.java @@ -58,12 +58,18 @@ class UserDeserializer extends JsonDeserializer { JsonNode jsonNode = mapper.readTree(jp); Set authorities = mapper.convertValue(jsonNode.get("authorities"), new TypeReference>() { }); - return new User( - readJsonNode(jsonNode, "username").asText(), readJsonNode(jsonNode, "password").asText(""), + JsonNode password = readJsonNode(jsonNode, "password"); + User result = new User( + readJsonNode(jsonNode, "username").asText(), password.asText(""), readJsonNode(jsonNode, "enabled").asBoolean(), readJsonNode(jsonNode, "accountNonExpired").asBoolean(), readJsonNode(jsonNode, "credentialsNonExpired").asBoolean(), readJsonNode(jsonNode, "accountNonLocked").asBoolean(), authorities ); + + if(password.asText(null) == null) { + result.eraseCredentials(); + } + return result; } private JsonNode readJsonNode(JsonNode jsonNode, String field) { diff --git a/core/src/test/java/org/springframework/security/jackson2/UserDeserializerTests.java b/core/src/test/java/org/springframework/security/jackson2/UserDeserializerTests.java index ee9f05d9a6..1a7d88959a 100644 --- a/core/src/test/java/org/springframework/security/jackson2/UserDeserializerTests.java +++ b/core/src/test/java/org/springframework/security/jackson2/UserDeserializerTests.java @@ -80,8 +80,8 @@ public class UserDeserializerTests extends AbstractMixinTests { User user = mapper.readValue(userJsonWithoutPasswordString, User.class); assertThat(user).isNotNull(); assertThat(user.getUsername()).isEqualTo("admin"); - assertThat(user.getPassword()).isEqualTo(""); - assertThat(user.getAuthorities()).hasSize(0); + assertThat(user.getPassword()).isNull(); + assertThat(user.getAuthorities()).isEmpty(); assertThat(user.isEnabled()).isEqualTo(true); }