From e726c05e764faf23961bff7071f43b92ce78597c Mon Sep 17 00:00:00 2001
From: Ziqin Wang
Date: Sun, 15 Mar 2026 12:33:28 +0800
Subject: [PATCH] Fix Jackson 2 deserializer for AuthenticationExtensionsClientOutputs
The deserializer is updated to properly ignore unknown extensions.
Closes gh-18643
Signed-off-by: Ziqin Wang
---
 ...enticationExtensionsClientOutputsDeserializer.java | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsDeserializer.java b/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsDeserializer.java
index f1d18e6f23..3a46fe9ddd 100644
--- a/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsDeserializer.java
+++ b/web/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsDeserializer.java
@@ -56,11 +56,8 @@ class AuthenticationExtensionsClientOutputsDeserializer extends StdDeserializer<
 throws IOException, JacksonException {
 List> outputs = new ArrayList<>();
 for (String key = parser.nextFieldName(); key != null; key = parser.nextFieldName()) {
- JsonToken startObject = parser.nextValue();
- if (startObject != JsonToken.START_OBJECT) {
- break;
- }
- if (CredentialPropertiesOutput.EXTENSION_ID.equals(key)) {
+ JsonToken next = parser.nextToken();
+ if (next == JsonToken.START_OBJECT && CredentialPropertiesOutput.EXTENSION_ID.equals(key)) {
 CredentialPropertiesOutput output = parser.readValueAs(CredentialPropertiesOutput.class);
 outputs.add(output);
 }
@@ -68,7 +65,9 @@ class AuthenticationExtensionsClientOutputsDeserializer extends StdDeserializer<
 if (logger.isDebugEnabled()) {
 logger.debug("Skipping unknown extension with id " + key);
 }
- parser.nextValue();
+ if (next.isStructStart()) {
+ parser.skipChildren();
+ }
 }
 }
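Review bot: A `credProps` entry whose value is not a JSON object now fails the merged condition `next == JsonToken.START_OBJECT && CredentialPropertiesOutput.EXTENSION_ID.equals(key)` on the token check and, presumably via the `else` that sits on the line between the two hunks, is skipped and logged as an "unknown extension". A malformed known extension and a genuinely unknown one then look the same in the logs, and the caller simply sees no `credProps` output. If that is the intended policy it deserves a comment above the condition, e.g. `// a credProps value that is not a JSON object is skipped like an unknown extension`; otherwise test the id first and handle the non-object case on its own. The method signature and the rest of the body lie outside this hunk.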
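Review bot: `key` is a field name read straight from the parsed JSON (client extension outputs, going by the class name) and is concatenated into the debug message unmodified; with the old `break` removed, every non-matching key now reaches this line whatever its value type. A name containing line breaks or other control characters could forge or garble log entries when debug logging is enabled, so I would neutralise them before logging, e.g. `logger.debug("Skipping unknown extension with id " + key.replaceAll("\\p{Cntrl}", "?"));`. Separately, `next.isStructStart()` relies on `parser.nextToken()` never returning null; a streaming parser normally throws on truncated input, but `if (next != null && next.isStructStart()) {` would make that assumption explicit. The enclosing `else` block and the loop header start outside this hunk.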