Add Jackson 3 support and deprecate Jackson 2 one

[sdeleuze]

This PR adds support for Jackson 3 which has the following major differences with the Jackson 2 one:

• jackson subpackage instead of jackson2
• Jackson type prefix instead of Jackson2
• JsonMapper instead of ObjectMapper
• For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable
• AllowlistTypeResolverBuilder in new a public type in order to be used easily with the JsonMapper.Builder API

Jackson 3 changes compared to Jackson 2 are documented on FasterXML/jackson-future-ideas#72.

It also deprecates Jackson 2 support for removal.

[rwinch]

Thanks for the pull request. Generally, I think this is looking good. I've provided some feedback inline.

It also appears that there are still some classes that need migrated. Searching for jackson on main should give you a complete list of classes that are using jackson.

For example, webauthn has jackson support. I'm guessing this was missed because it is inconsistent with the rest of the jackson support in that it is in a jackson package rather than jackson2. It is also automatically registered because it does not use default types which would make it insecure.

There are also some tests that still use ObjectMapper or deprecated Spring Framework Jackson 2 classes (e.g. JwtDecodersTests.java#L388). Unless the test is specifically for the Jackson 2 support, we should update these to use non-deprecated classes (e.g. JsonMapper).

There are various Spring framework jackson based classes that have been deprecated that we should migrate away from. For example, MappingJackson2HttpMessageConverter usage (e.g. WebAuthnAuthenticationFilter.converter) should be migrated to JacksonJsonHttpMessageConverter if jackson 3 is on the classpath. Likely there could be a static factory method used that Spring Security uses to obtain the correct default json converter instance.

[sdeleuze]

@rwinch I have pushed additional commits:

• Upgrade to Jackson 3.0.0-rc9 and 2.20.0
• Change ObjectMapper to JsonMapper where relevant
• Add webauthn Jackson 3 support and deprecate Jackson 2 one

I will do another pass with your feedback to my questions in the comments.

[sdeleuze]

@rwinch I have removed the custom support for unmodifiable collections (seems to work fine with Jackson 3), reworked the commit for a cleaner git history, and rebased the commits on main.

[jvalkeal]

@sdeleuze @rwinch I was wondering if message converters in oauth2-core will also be part of this PR.

spring-security/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/HttpMessageConverters.java

Lines 41 to 47 in f3761af

	static {
	ClassLoader classLoader = HttpMessageConverters.class.getClassLoader();
	jackson2Present = ClassUtils.isPresent("com.fasterxml.jackson.databind.ObjectMapper", classLoader)
	&& ClassUtils.isPresent("com.fasterxml.jackson.core.JsonGenerator", classLoader);
	gsonPresent = ClassUtils.isPresent("com.google.gson.Gson", classLoader);
	jsonbPresent = ClassUtils.isPresent("jakarta.json.bind.Jsonb", classLoader);
	}

That's then causing NPE's i.e in OAuth2AccessTokenResponseHttpMessageConverter as jsonMessageConverter will always be null. Same with other classes in that same package if I only have jackson3 in a classpath.

[sdeleuze]

@jvalkeal Good catch, I will add a related commit.

[rwinch]

Thank you for all of your hard work on this @sdeleuze This, along with some changes, have been merged into main. You can see the commits on this PR for details around the changes that were applied. I've also created some tickets to resolve some remaining issues:

• Document Jackson 3 Migration #18078
• Jackson 3 Support Renders Proxy callbacks property #18077
• When possible use SmartHttpMessageConverter over GenericHttpMessageConverter #18073