From 8e6d5a8a4540321f19e28194779b41d59e654c62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Deleuze?= Date: Wed, 24 Sep 2025 11:24:13 +0200 Subject: [PATCH 01/14] Add .kotlin/ to .gitignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Sébastien Deleuze --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 07ace14a1c..91b19aa1d2 100644 --- a/.gitignore +++ b/.gitignore @@ -25,6 +25,7 @@ atlassian-ide-plugin.xml s101plugin.state .attach_pid* .~lock.*# +.kotlin/ !.idea/checkstyle-idea.xml !.idea/externalDependencies.xml From 9e11ab9eb452de412abfaea432f2f776e7a1ac33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Deleuze?= Date: Tue, 26 Aug 2025 16:53:17 +0200 Subject: [PATCH 02/14] Add Jackson 3 BOM MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit See gh-17832 Signed-off-by: Sébastien Deleuze --- dependencies/spring-security-dependencies.gradle | 1 + gradle/libs.versions.toml | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/dependencies/spring-security-dependencies.gradle b/dependencies/spring-security-dependencies.gradle index f14cbd3f34..513ec88747 100644 --- a/dependencies/spring-security-dependencies.gradle +++ b/dependencies/spring-security-dependencies.gradle @@ -25,6 +25,7 @@ dependencies { api platform(libs.org.jetbrains.kotlin.kotlin.bom) api platform(libs.org.jetbrains.kotlinx.kotlinx.coroutines.bom) api platform(libs.com.fasterxml.jackson.jackson.bom) + api platform(libs.tools.jackson.jackson.bom) constraints { api libs.ch.qos.logback.logback.classic api libs.com.google.inject.guice diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index e27683067b..de5e36304b 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -17,7 +17,7 @@ com-password4j = "1.8.4" [libraries] ch-qos-logback-logback-classic = "ch.qos.logback:logback-classic:1.5.19" -com-fasterxml-jackson-jackson-bom = "com.fasterxml.jackson:jackson-bom:2.19.2" +com-fasterxml-jackson-jackson-bom = "com.fasterxml.jackson:jackson-bom:2.20.0" com-google-inject-guice = "com.google.inject:guice:3.0" com-netflix-nebula-nebula-project-plugin = "com.netflix.nebula:nebula-project-plugin:8.2.0" com-nimbusds-nimbus-jose-jwt = "com.nimbusds:nimbus-jose-jwt:10.4" @@ -85,6 +85,7 @@ org-springframework-data-spring-data-bom = "org.springframework.data:spring-data org-springframework-ldap-spring-ldap-core = "org.springframework.ldap:spring-ldap-core:3.2.15" org-springframework-spring-framework-bom = { module = "org.springframework:spring-framework-bom", version.ref = "org-springframework" } org-synchronoss-cloud-nio-multipart-parser = "org.synchronoss.cloud:nio-multipart-parser:1.1.0" +tools-jackson-jackson-bom = "tools.jackson:jackson-bom:3.0.0" com-google-code-gson-gson = "com.google.code.gson:gson:2.13.2" com-thaiopensource-trag = "com.thaiopensource:trang:20091111" From d77c977393c198b761f7c84e11d2746695b4d2e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Deleuze?= Date: Mon, 1 Sep 2025 18:23:31 +0200 Subject: [PATCH 03/14] Add Jackson 3 support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit adds support for Jackson 3 which has the following major differences with the Jackson 2 one: - jackson subpackage instead of jackson2 - Jackson type prefix instead of Jackson2 - JsonMapper instead of ObjectMapper - For configuration, JsonMapper.Builder instead of ObjectMapper since the latter is now immutable - Remove custom support for unmodifiable collections - Use safe default typing via a PolymorphicTypeValidator Jackson 3 changes compared to Jackson 2 are documented in https://cowtowncoder.medium.com/jackson-3-0-0-ga-released-1f669cda529a and https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md. This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See gh-17832 Signed-off-by: Sébastien Deleuze --- cas/spring-security-cas.gradle | 1 + .../cas/jackson/AssertionImplMixin.java | 60 +++ .../jackson/AttributePrincipalImplMixin.java | 59 +++ .../jackson/CasAuthenticationTokenMixin.java | 69 +++ .../cas/jackson/CasJacksonModule.java | 71 ++++ .../security/cas/jackson/package-info.java | 20 + .../security/cas/jackson2/package-info.java | 2 +- .../CasAuthenticationTokenMixinTests.java | 151 +++++++ .../server/authorization/JwkSetTests.java | 7 +- .../OAuth2AuthorizationCodeGrantTests.java | 7 +- .../OAuth2ClientCredentialsGrantTests.java | 7 +- .../OAuth2RefreshTokenGrantTests.java | 7 +- .../OAuth2TokenIntrospectionTests.java | 7 +- .../OAuth2TokenRevocationTests.java | 7 +- .../server/authorization/OidcTests.java | 7 +- core/spring-security-core.gradle | 1 + .../AnonymousAuthenticationTokenMixin.java | 57 +++ .../jackson/BadCredentialsExceptionMixin.java | 46 ++ .../security/jackson/CoreJacksonModule.java | 113 +++++ .../jackson/FactorGrantedAuthorityMixin.java | 50 +++ .../RememberMeAuthenticationTokenMixin.java | 60 +++ .../jackson/SecurityJacksonModule.java | 42 ++ .../jackson/SecurityJacksonModules.java | 203 +++++++++ .../jackson/SimpleGrantedAuthorityMixin.java | 47 +++ .../security/jackson/UserDeserializer.java | 81 ++++ .../security/jackson/UserMixin.java | 41 ++ ...sswordAuthenticationTokenDeserializer.java | 105 +++++ ...rnamePasswordAuthenticationTokenMixin.java | 41 ++ .../security/jackson/package-info.java | 23 + ...sswordAuthenticationTokenDeserializer.java | 2 +- .../security/jackson2/package-info.java | 5 +- ...AuthorizationAdvisorProxyFactoryTests.java | 11 +- .../security/jackson/AbstractMixinTests.java | 51 +++ ...nonymousAuthenticationTokenMixinTests.java | 83 ++++ .../BadCredentialsExceptionMixinTests.java | 60 +++ .../FactorGrantedAuthorityMixinTests.java | 60 +++ ...memberMeAuthenticationTokenMixinTests.java | 128 ++++++ .../jackson/SecurityContextMixinTests.java | 69 +++ .../jackson/SecurityJacksonModulesTests.java | 85 ++++ .../SimpleGrantedAuthorityMixinTests.java | 67 +++ .../jackson/UnmodifiableMapTests.java | 54 +++ .../jackson/UserDeserializerTests.java | 129 ++++++ ...PasswordAuthenticationTokenMixinTests.java | 221 ++++++++++ .../pages/features/integrations/jackson.adoc | 26 +- .../pages/servlet/integrations/jackson.adoc | 18 +- ldap/spring-security-ldap.gradle | 1 + .../ldap/jackson/InetOrgPersonMixin.java | 38 ++ .../ldap/jackson/LdapAuthorityMixin.java | 47 +++ .../ldap/jackson/LdapJacksonModule.java | 71 ++++ .../jackson/LdapUserDetailsImplMixin.java | 38 ++ .../security/ldap/jackson/PersonMixin.java | 38 ++ .../security/ldap/jackson/package-info.java | 20 + .../security/ldap/jackson2/package-info.java | 20 + .../ldap/jackson/InetOrgPersonMixinTests.java | 194 +++++++++ .../LdapUserDetailsImplMixinTests.java | 124 ++++++ .../ldap/jackson/PersonMixinTests.java | 137 ++++++ ...ecurity-oauth2-authorization-server.gradle | 3 +- .../JdbcOAuth2AuthorizationService.java | 115 +++-- .../authorization/jackson/JsonNodeUtils.java | 66 +++ .../jackson/JwsAlgorithmMixin.java | 36 ++ ...Auth2AuthorizationRequestDeserializer.java | 77 ++++ .../OAuth2AuthorizationRequestMixin.java | 40 ++ ...Auth2AuthorizationServerJacksonModule.java | 95 +++++ .../OAuth2TokenExchangeActorMixin.java | 44 ++ ...angeCompositeAuthenticationTokenMixin.java | 47 +++ .../jackson/OAuth2TokenFormatMixin.java | 42 ++ .../JdbcOAuth2AuthorizationServiceTests.java | 6 +- .../JdbcRegisteredClientRepositoryTests.java | 1 + ...AuthorizationServerJacksonModuleTests.java | 112 +++++ .../TestingAuthenticationTokenMixin.java | 49 +++ .../spring-security-oauth2-client.gradle | 1 + .../ClientRegistrationDeserializer.java | 76 ++++ .../jackson/ClientRegistrationMixin.java | 42 ++ .../jackson/DefaultOAuth2UserMixin.java | 50 +++ .../client/jackson/DefaultOidcUserMixin.java | 53 +++ .../oauth2/client/jackson/JsonNodeUtils.java | 67 +++ .../jackson/OAuth2AccessTokenMixin.java | 52 +++ .../OAuth2AuthenticationExceptionMixin.java | 56 +++ .../OAuth2AuthenticationTokenMixin.java | 52 +++ ...Auth2AuthorizationRequestDeserializer.java | 72 ++++ .../OAuth2AuthorizationRequestMixin.java | 42 ++ .../jackson/OAuth2AuthorizedClientMixin.java | 50 +++ .../jackson/OAuth2ClientJacksonModule.java | 118 ++++++ .../client/jackson/OAuth2ErrorMixin.java | 47 +++ .../jackson/OAuth2RefreshTokenMixin.java | 46 ++ .../jackson/OAuth2UserAuthorityMixin.java | 47 +++ .../client/jackson/OidcIdTokenMixin.java | 48 +++ .../jackson/OidcUserAuthorityMixin.java | 49 +++ .../client/jackson/OidcUserInfoMixin.java | 46 ++ .../oauth2/client/jackson/StdConverters.java | 94 +++++ .../oauth2/client/jackson/package-info.java | 20 + .../oauth2/client/jackson2/package-info.java | 20 + ...uth2AuthenticationExceptionMixinTests.java | 129 ++++++ .../OAuth2AuthenticationTokenMixinTests.java | 339 +++++++++++++++ .../OAuth2AuthorizationRequestMixinTests.java | 199 +++++++++ .../OAuth2AuthorizedClientMixinTests.java | 395 ++++++++++++++++++ .../client/jackson/StdConvertersTests.java | 53 +++ .../ClientRegistrationsTests.java | 6 +- .../spring-security-oauth2-jose.gradle | 2 +- .../security/oauth2/jwt/JwtDecodersTests.java | 19 +- ...ecoderProviderConfigurationUtilsTests.java | 16 +- .../oauth2/jwt/ReactiveJwtDecodersTests.java | 19 +- ...ing-security-oauth2-resource-server.gradle | 2 +- ...OAuth2ProtectedResourceMetadataFilter.java | 1 + ...gReactiveOpaqueTokenIntrospectorTests.java | 4 +- ...ing-security-saml2-service-provider.gradle | 1 + ...faultSaml2AuthenticatedPrincipalMixin.java | 52 +++ .../Saml2AssertionAuthenticationMixin.java | 53 +++ .../Saml2AuthenticationExceptionMixin.java | 54 +++ .../jackson/Saml2AuthenticationMixin.java | 52 +++ .../saml2/jackson/Saml2ErrorMixin.java | 44 ++ .../saml2/jackson/Saml2JacksonModule.java | 91 ++++ .../jackson/Saml2LogoutRequestMixin.java | 55 +++ .../Saml2PostAuthenticationRequestMixin.java | 49 +++ ...ml2RedirectAuthenticationRequestMixin.java | 50 +++ ...leSaml2ResponseAssertionAccessorMixin.java | 52 +++ .../security/saml2/jackson/package-info.java | 20 + .../security/saml2/jackson2/package-info.java | 20 + .../OpenSaml5AuthenticationProviderTests.java | 7 +- ...Saml2AuthenticatedPrincipalMixinTests.java | 105 +++++ ...aml2AuthenticationExceptionMixinTests.java | 61 +++ .../Saml2AuthenticationMixinTests.java | 64 +++ .../jackson/Saml2LogoutRequestMixinTests.java | 90 ++++ ...l2PostAuthenticationRequestMixinTests.java | 97 +++++ ...directAuthenticationRequestMixinTests.java | 84 ++++ .../saml2/jackson/TestSaml2JsonPayloads.java | 257 ++++++++++++ web/spring-security-web.gradle | 1 + .../web/jackson/CookieDeserializer.java | 65 +++ .../security/web/jackson/CookieMixin.java | 37 ++ .../web/jackson/DefaultCsrfTokenMixin.java | 48 +++ .../web/jackson/DefaultSavedRequestMixin.java | 45 ++ ...icatedAuthenticationTokenDeserializer.java | 79 ++++ ...AuthenticatedAuthenticationTokenMixin.java | 43 ++ .../web/jackson/SavedCookieMixin.java | 45 ++ .../SwitchUserGrantedAuthorityMixIn.java | 46 ++ .../WebAuthenticationDetailsMixin.java | 44 ++ .../web/jackson/WebJacksonModule.java | 76 ++++ .../web/jackson/WebServletJacksonModule.java | 73 ++++ .../security/web/jackson/package-info.java | 20 + .../security/web/jackson2/package-info.java | 5 +- .../jackson/DefaultCsrfServerTokenMixin.java | 48 +++ .../jackson/WebServerJacksonModule.java | 65 +++ .../web/server/jackson/package-info.java | 23 + .../web/server/jackson2/package-info.java | 2 +- .../web/jackson/AbstractMixinTests.java | 38 ++ .../web/jackson/CookieMixinTests.java | 95 +++++ .../jackson/DefaultCsrfTokenMixinTests.java | 73 ++++ .../DefaultSavedRequestMixinTests.java | 172 ++++++++ ...nticatedAuthenticationTokenMixinTests.java | 70 ++++ .../web/jackson/SavedCookieMixinTests.java | 98 +++++ .../SwitchUserGrantedAuthorityMixInTests.java | 82 ++++ .../WebAuthenticationDetailsMixinTests.java | 81 ++++ .../DefaultCsrfServerTokenMixinTests.java | 76 ++++ .../AuthenticatorAttachmentDeserializer.java | 12 +- .../AuthenticatorTransportDeserializer.java | 12 +- .../COSEAlgorithmIdentifierDeserializer.java | 12 +- 156 files changed, 9052 insertions(+), 146 deletions(-) create mode 100644 cas/src/main/java/org/springframework/security/cas/jackson/AssertionImplMixin.java create mode 100644 cas/src/main/java/org/springframework/security/cas/jackson/AttributePrincipalImplMixin.java create mode 100644 cas/src/main/java/org/springframework/security/cas/jackson/CasAuthenticationTokenMixin.java create mode 100644 cas/src/main/java/org/springframework/security/cas/jackson/CasJacksonModule.java create mode 100644 cas/src/main/java/org/springframework/security/cas/jackson/package-info.java create mode 100644 cas/src/test/java/org/springframework/security/cas/jackson/CasAuthenticationTokenMixinTests.java create mode 100644 core/src/main/java/org/springframework/security/jackson/AnonymousAuthenticationTokenMixin.java create mode 100644 core/src/main/java/org/springframework/security/jackson/BadCredentialsExceptionMixin.java create mode 100644 core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java create mode 100644 core/src/main/java/org/springframework/security/jackson/FactorGrantedAuthorityMixin.java create mode 100644 core/src/main/java/org/springframework/security/jackson/RememberMeAuthenticationTokenMixin.java create mode 100644 core/src/main/java/org/springframework/security/jackson/SecurityJacksonModule.java create mode 100644 core/src/main/java/org/springframework/security/jackson/SecurityJacksonModules.java create mode 100644 core/src/main/java/org/springframework/security/jackson/SimpleGrantedAuthorityMixin.java create mode 100644 core/src/main/java/org/springframework/security/jackson/UserDeserializer.java create mode 100644 core/src/main/java/org/springframework/security/jackson/UserMixin.java create mode 100644 core/src/main/java/org/springframework/security/jackson/UsernamePasswordAuthenticationTokenDeserializer.java create mode 100644 core/src/main/java/org/springframework/security/jackson/UsernamePasswordAuthenticationTokenMixin.java create mode 100644 core/src/main/java/org/springframework/security/jackson/package-info.java create mode 100644 core/src/test/java/org/springframework/security/jackson/AbstractMixinTests.java create mode 100644 core/src/test/java/org/springframework/security/jackson/AnonymousAuthenticationTokenMixinTests.java create mode 100644 core/src/test/java/org/springframework/security/jackson/BadCredentialsExceptionMixinTests.java create mode 100644 core/src/test/java/org/springframework/security/jackson/FactorGrantedAuthorityMixinTests.java create mode 100644 core/src/test/java/org/springframework/security/jackson/RememberMeAuthenticationTokenMixinTests.java create mode 100644 core/src/test/java/org/springframework/security/jackson/SecurityContextMixinTests.java create mode 100644 core/src/test/java/org/springframework/security/jackson/SecurityJacksonModulesTests.java create mode 100644 core/src/test/java/org/springframework/security/jackson/SimpleGrantedAuthorityMixinTests.java create mode 100644 core/src/test/java/org/springframework/security/jackson/UnmodifiableMapTests.java create mode 100644 core/src/test/java/org/springframework/security/jackson/UserDeserializerTests.java create mode 100644 core/src/test/java/org/springframework/security/jackson/UsernamePasswordAuthenticationTokenMixinTests.java create mode 100644 ldap/src/main/java/org/springframework/security/ldap/jackson/InetOrgPersonMixin.java create mode 100644 ldap/src/main/java/org/springframework/security/ldap/jackson/LdapAuthorityMixin.java create mode 100644 ldap/src/main/java/org/springframework/security/ldap/jackson/LdapJacksonModule.java create mode 100644 ldap/src/main/java/org/springframework/security/ldap/jackson/LdapUserDetailsImplMixin.java create mode 100644 ldap/src/main/java/org/springframework/security/ldap/jackson/PersonMixin.java create mode 100644 ldap/src/main/java/org/springframework/security/ldap/jackson/package-info.java create mode 100644 ldap/src/main/java/org/springframework/security/ldap/jackson2/package-info.java create mode 100644 ldap/src/test/java/org/springframework/security/ldap/jackson/InetOrgPersonMixinTests.java create mode 100644 ldap/src/test/java/org/springframework/security/ldap/jackson/LdapUserDetailsImplMixinTests.java create mode 100644 ldap/src/test/java/org/springframework/security/ldap/jackson/PersonMixinTests.java create mode 100644 oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/JsonNodeUtils.java create mode 100644 oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/JwsAlgorithmMixin.java create mode 100644 oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2AuthorizationRequestDeserializer.java create mode 100644 oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2AuthorizationRequestMixin.java create mode 100644 oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2AuthorizationServerJacksonModule.java create mode 100644 oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2TokenExchangeActorMixin.java create mode 100644 oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2TokenExchangeCompositeAuthenticationTokenMixin.java create mode 100644 oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2TokenFormatMixin.java create mode 100644 oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2AuthorizationServerJacksonModuleTests.java create mode 100644 oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson/TestingAuthenticationTokenMixin.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/ClientRegistrationDeserializer.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/ClientRegistrationMixin.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/DefaultOAuth2UserMixin.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/DefaultOidcUserMixin.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/JsonNodeUtils.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AccessTokenMixin.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthenticationExceptionMixin.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthenticationTokenMixin.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizationRequestDeserializer.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizationRequestMixin.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizedClientMixin.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2ClientJacksonModule.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2ErrorMixin.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2RefreshTokenMixin.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2UserAuthorityMixin.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OidcIdTokenMixin.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OidcUserAuthorityMixin.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OidcUserInfoMixin.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/StdConverters.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/package-info.java create mode 100644 oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/package-info.java create mode 100644 oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthenticationExceptionMixinTests.java create mode 100644 oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthenticationTokenMixinTests.java create mode 100644 oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizationRequestMixinTests.java create mode 100644 oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizedClientMixinTests.java create mode 100644 oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/StdConvertersTests.java create mode 100644 saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/DefaultSaml2AuthenticatedPrincipalMixin.java create mode 100644 saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2AssertionAuthenticationMixin.java create mode 100644 saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2AuthenticationExceptionMixin.java create mode 100644 saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2AuthenticationMixin.java create mode 100644 saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2ErrorMixin.java create mode 100644 saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2JacksonModule.java create mode 100644 saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2LogoutRequestMixin.java create mode 100644 saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2PostAuthenticationRequestMixin.java create mode 100644 saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2RedirectAuthenticationRequestMixin.java create mode 100644 saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/SimpleSaml2ResponseAssertionAccessorMixin.java create mode 100644 saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/package-info.java create mode 100644 saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/package-info.java create mode 100644 saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/DefaultSaml2AuthenticatedPrincipalMixinTests.java create mode 100644 saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2AuthenticationExceptionMixinTests.java create mode 100644 saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2AuthenticationMixinTests.java create mode 100644 saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2LogoutRequestMixinTests.java create mode 100644 saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2PostAuthenticationRequestMixinTests.java create mode 100644 saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2RedirectAuthenticationRequestMixinTests.java create mode 100644 saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/TestSaml2JsonPayloads.java create mode 100644 web/src/main/java/org/springframework/security/web/jackson/CookieDeserializer.java create mode 100644 web/src/main/java/org/springframework/security/web/jackson/CookieMixin.java create mode 100644 web/src/main/java/org/springframework/security/web/jackson/DefaultCsrfTokenMixin.java create mode 100644 web/src/main/java/org/springframework/security/web/jackson/DefaultSavedRequestMixin.java create mode 100644 web/src/main/java/org/springframework/security/web/jackson/PreAuthenticatedAuthenticationTokenDeserializer.java create mode 100644 web/src/main/java/org/springframework/security/web/jackson/PreAuthenticatedAuthenticationTokenMixin.java create mode 100644 web/src/main/java/org/springframework/security/web/jackson/SavedCookieMixin.java create mode 100644 web/src/main/java/org/springframework/security/web/jackson/SwitchUserGrantedAuthorityMixIn.java create mode 100644 web/src/main/java/org/springframework/security/web/jackson/WebAuthenticationDetailsMixin.java create mode 100644 web/src/main/java/org/springframework/security/web/jackson/WebJacksonModule.java create mode 100644 web/src/main/java/org/springframework/security/web/jackson/WebServletJacksonModule.java create mode 100644 web/src/main/java/org/springframework/security/web/jackson/package-info.java create mode 100644 web/src/main/java/org/springframework/security/web/server/jackson/DefaultCsrfServerTokenMixin.java create mode 100644 web/src/main/java/org/springframework/security/web/server/jackson/WebServerJacksonModule.java create mode 100644 web/src/main/java/org/springframework/security/web/server/jackson/package-info.java create mode 100644 web/src/test/java/org/springframework/security/web/jackson/AbstractMixinTests.java create mode 100644 web/src/test/java/org/springframework/security/web/jackson/CookieMixinTests.java create mode 100644 web/src/test/java/org/springframework/security/web/jackson/DefaultCsrfTokenMixinTests.java create mode 100644 web/src/test/java/org/springframework/security/web/jackson/DefaultSavedRequestMixinTests.java create mode 100644 web/src/test/java/org/springframework/security/web/jackson/PreAuthenticatedAuthenticationTokenMixinTests.java create mode 100644 web/src/test/java/org/springframework/security/web/jackson/SavedCookieMixinTests.java create mode 100644 web/src/test/java/org/springframework/security/web/jackson/SwitchUserGrantedAuthorityMixInTests.java create mode 100644 web/src/test/java/org/springframework/security/web/jackson/WebAuthenticationDetailsMixinTests.java create mode 100644 web/src/test/java/org/springframework/security/web/server/jackson/DefaultCsrfServerTokenMixinTests.java diff --git a/cas/spring-security-cas.gradle b/cas/spring-security-cas.gradle index a475013057..23c5f04a56 100644 --- a/cas/spring-security-cas.gradle +++ b/cas/spring-security-cas.gradle @@ -15,6 +15,7 @@ dependencies { api 'org.springframework:spring-web' optional 'com.fasterxml.jackson.core:jackson-databind' + optional 'tools.jackson.core:jackson-databind' provided 'jakarta.servlet:jakarta.servlet-api' diff --git a/cas/src/main/java/org/springframework/security/cas/jackson/AssertionImplMixin.java b/cas/src/main/java/org/springframework/security/cas/jackson/AssertionImplMixin.java new file mode 100644 index 0000000000..6191108cb1 --- /dev/null +++ b/cas/src/main/java/org/springframework/security/cas/jackson/AssertionImplMixin.java @@ -0,0 +1,60 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.cas.jackson; + +import java.util.Date; +import java.util.Map; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import org.apereo.cas.client.authentication.AttributePrincipal; + +/** + * Helps in jackson deserialization of class + * {@link org.apereo.cas.client.validation.AssertionImpl}, which is used with + * {@link org.springframework.security.cas.authentication.CasAuthenticationToken}. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see CasJacksonModule + * @see org.springframework.security.jackson.SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +class AssertionImplMixin { + + /** + * Mixin Constructor helps in deserialize + * {@link org.apereo.cas.client.validation.AssertionImpl} + * @param principal the Principal to associate with the Assertion. + * @param validFromDate when the assertion is valid from. + * @param validUntilDate when the assertion is valid to. + * @param authenticationDate when the assertion is authenticated. + * @param attributes the key/value pairs for this attribute. + */ + @JsonCreator + AssertionImplMixin(@JsonProperty("principal") AttributePrincipal principal, + @JsonProperty("validFromDate") Date validFromDate, @JsonProperty("validUntilDate") Date validUntilDate, + @JsonProperty("authenticationDate") Date authenticationDate, + @JsonProperty("attributes") Map attributes) { + } + +} diff --git a/cas/src/main/java/org/springframework/security/cas/jackson/AttributePrincipalImplMixin.java b/cas/src/main/java/org/springframework/security/cas/jackson/AttributePrincipalImplMixin.java new file mode 100644 index 0000000000..f5d88a6051 --- /dev/null +++ b/cas/src/main/java/org/springframework/security/cas/jackson/AttributePrincipalImplMixin.java @@ -0,0 +1,59 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.cas.jackson; + +import java.util.Map; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import org.apereo.cas.client.proxy.ProxyRetriever; + +/** + * Helps in deserialize + * {@link org.apereo.cas.client.authentication.AttributePrincipalImpl} which is used with + * {@link org.springframework.security.cas.authentication.CasAuthenticationToken}. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see CasJacksonModule + * @see org.springframework.security.jackson.SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +class AttributePrincipalImplMixin { + + /** + * Mixin Constructor helps in deserialize + * {@link org.apereo.cas.client.authentication.AttributePrincipalImpl} + * @param name the unique identifier for the principal. + * @param attributes the key/value pairs for this principal. + * @param proxyGrantingTicket the ticket associated with this principal. + * @param proxyRetriever the ProxyRetriever implementation to call back to the CAS + * server. + */ + @JsonCreator + AttributePrincipalImplMixin(@JsonProperty("name") String name, + @JsonProperty("attributes") Map attributes, + @JsonProperty("proxyGrantingTicket") String proxyGrantingTicket, + @JsonProperty("proxyRetriever") ProxyRetriever proxyRetriever) { + } + +} diff --git a/cas/src/main/java/org/springframework/security/cas/jackson/CasAuthenticationTokenMixin.java b/cas/src/main/java/org/springframework/security/cas/jackson/CasAuthenticationTokenMixin.java new file mode 100644 index 0000000000..adfc583810 --- /dev/null +++ b/cas/src/main/java/org/springframework/security/cas/jackson/CasAuthenticationTokenMixin.java @@ -0,0 +1,69 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.cas.jackson; + +import java.util.Collection; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import org.apereo.cas.client.validation.Assertion; + +import org.springframework.security.cas.authentication.CasAuthenticationProvider; +import org.springframework.security.cas.authentication.CasAuthenticationToken; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.userdetails.UserDetails; + +/** + * Mixin class which helps in deserialize {@link CasAuthenticationToken} using jackson. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see CasJacksonModule + * @see org.springframework.security.jackson.SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE, + getterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY) +class CasAuthenticationTokenMixin { + + /** + * Mixin Constructor helps in deserialize {@link CasAuthenticationToken} + * @param keyHash hashCode of provided key to identify if this object made by a given + * {@link CasAuthenticationProvider} + * @param principal typically the UserDetails object (cannot be null) + * @param credentials the service/proxy ticket ID from CAS (cannot be + * null) + * @param authorities the authorities granted to the user (from the + * {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot + * be null) + * @param userDetails the user details (from the + * {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot + * be null) + * @param assertion the assertion returned from the CAS servers. It contains the + * principal and how to obtain a proxy ticket for the user. + */ + @JsonCreator + CasAuthenticationTokenMixin(@JsonProperty("keyHash") Integer keyHash, @JsonProperty("principal") Object principal, + @JsonProperty("credentials") Object credentials, + @JsonProperty("authorities") Collection authorities, + @JsonProperty("userDetails") UserDetails userDetails, @JsonProperty("assertion") Assertion assertion) { + } + +} diff --git a/cas/src/main/java/org/springframework/security/cas/jackson/CasJacksonModule.java b/cas/src/main/java/org/springframework/security/cas/jackson/CasJacksonModule.java new file mode 100644 index 0000000000..0e5e2cc4d1 --- /dev/null +++ b/cas/src/main/java/org/springframework/security/cas/jackson/CasJacksonModule.java @@ -0,0 +1,71 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.cas.jackson; + +import org.apereo.cas.client.authentication.AttributePrincipalImpl; +import org.apereo.cas.client.validation.AssertionImpl; +import tools.jackson.core.Version; +import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator; + +import org.springframework.security.cas.authentication.CasAuthenticationToken; +import org.springframework.security.jackson.SecurityJacksonModule; +import org.springframework.security.jackson.SecurityJacksonModules; + +/** + * Jackson module for spring-security-cas. This module register + * {@link AssertionImplMixin}, {@link AttributePrincipalImplMixin} and + * {@link CasAuthenticationTokenMixin}. If no default typing enabled by default then it'll + * enable it because typing info is needed to properly serialize/deserialize objects. In + * order to use this module just add this module into your JsonMapper configuration. + * + *

+ * The recommended way to configure it is to use {@link SecurityJacksonModules} in order + * to enable properly automatic inclusion of type information with related validation. + * + * 

+ *     ClassLoader loader = getClass().getClassLoader();
+ *     JsonMapper mapper = JsonMapper.builder()
+ * 				.addModules(SecurityJacksonModules.getModules(loader))
+ * 				.build();
+ *
+ * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see SecurityJacksonModules + */ +public class CasJacksonModule extends SecurityJacksonModule { + + public CasJacksonModule() { + super(CasJacksonModule.class.getName(), new Version(1, 0, 0, null, null, null)); + } + + @Override + public void configurePolymorphicTypeValidator(BasicPolymorphicTypeValidator.Builder builder) { + builder.allowIfSubType(AssertionImpl.class) + .allowIfSubType(AttributePrincipalImpl.class) + .allowIfSubType(CasAuthenticationToken.class); + } + + @Override + public void setupModule(SetupContext context) { + context.setMixIn(AssertionImpl.class, AssertionImplMixin.class); + context.setMixIn(AttributePrincipalImpl.class, AttributePrincipalImplMixin.class); + context.setMixIn(CasAuthenticationToken.class, CasAuthenticationTokenMixin.class); + } + +} diff --git a/cas/src/main/java/org/springframework/security/cas/jackson/package-info.java b/cas/src/main/java/org/springframework/security/cas/jackson/package-info.java new file mode 100644 index 0000000000..261d47c9b5 --- /dev/null +++ b/cas/src/main/java/org/springframework/security/cas/jackson/package-info.java @@ -0,0 +1,20 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * Jackson 3+ serialization support for CAS. + */ +package org.springframework.security.cas.jackson; diff --git a/cas/src/main/java/org/springframework/security/cas/jackson2/package-info.java b/cas/src/main/java/org/springframework/security/cas/jackson2/package-info.java index dae1c1502d..86000c1c2c 100644 --- a/cas/src/main/java/org/springframework/security/cas/jackson2/package-info.java +++ b/cas/src/main/java/org/springframework/security/cas/jackson2/package-info.java @@ -15,7 +15,7 @@ */ /** - * Jackson support for CAS. + * Jackson 2 support for CAS. */ @NullMarked package org.springframework.security.cas.jackson2; diff --git a/cas/src/test/java/org/springframework/security/cas/jackson/CasAuthenticationTokenMixinTests.java b/cas/src/test/java/org/springframework/security/cas/jackson/CasAuthenticationTokenMixinTests.java new file mode 100644 index 0000000000..9eefc0fd89 --- /dev/null +++ b/cas/src/test/java/org/springframework/security/cas/jackson/CasAuthenticationTokenMixinTests.java @@ -0,0 +1,151 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.cas.jackson; + +import java.io.IOException; +import java.util.Collection; +import java.util.Collections; +import java.util.Date; + +import org.apereo.cas.client.authentication.AttributePrincipalImpl; +import org.apereo.cas.client.validation.Assertion; +import org.apereo.cas.client.validation.AssertionImpl; +import org.json.JSONException; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.security.cas.authentication.CasAuthenticationToken; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.jackson.SecurityJacksonModules; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * @author Jitendra Singh + * @since 4.2 + */ +public class CasAuthenticationTokenMixinTests { + + private static final String KEY = "casKey"; + + private static final String PASSWORD = "\"1234\""; + + private static final Date START_DATE = new Date(); + + private static final Date END_DATE = new Date(); + + public static final String AUTHORITY_JSON = "{\"@class\": \"org.springframework.security.core.authority.SimpleGrantedAuthority\", \"authority\": \"ROLE_USER\"}"; + + public static final String AUTHORITIES_SET_JSON = "[\"java.util.Collections$UnmodifiableSet\", [" + AUTHORITY_JSON + + "]]"; + + public static final String AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.Collections$UnmodifiableRandomAccessList\", [" + + AUTHORITY_JSON + "]]"; + + // @formatter:off + public static final String USER_JSON = "{" + + "\"@class\": \"org.springframework.security.core.userdetails.User\", " + + "\"username\": \"admin\"," + + " \"password\": " + PASSWORD + ", " + + "\"accountNonExpired\": true, " + + "\"accountNonLocked\": true, " + + "\"credentialsNonExpired\": true, " + + "\"enabled\": true, " + + "\"authorities\": " + AUTHORITIES_SET_JSON + + "}"; + // @formatter:on + private static final String CAS_TOKEN_JSON = "{" + + "\"@class\": \"org.springframework.security.cas.authentication.CasAuthenticationToken\", " + + "\"keyHash\": " + KEY.hashCode() + "," + "\"principal\": " + USER_JSON + ", " + "\"credentials\": " + + PASSWORD + ", " + "\"authorities\": " + AUTHORITIES_ARRAYLIST_JSON + "," + "\"userDetails\": " + USER_JSON + + "," + "\"authenticated\": true, " + "\"details\": null," + "\"assertion\": {" + + "\"@class\": \"org.apereo.cas.client.validation.AssertionImpl\", " + "\"principal\": {" + + "\"@class\": \"org.apereo.cas.client.authentication.AttributePrincipalImpl\", " + + "\"name\": \"assertName\", " + "\"attributes\": {\"@class\": \"java.util.Collections$EmptyMap\"}, " + + "\"proxyGrantingTicket\": null, " + "\"proxyRetriever\": null" + "}, " + + "\"validFromDate\": [\"java.util.Date\", " + START_DATE.getTime() + "], " + + "\"validUntilDate\": [\"java.util.Date\", " + END_DATE.getTime() + "]," + + "\"authenticationDate\": [\"java.util.Date\", " + START_DATE.getTime() + "], " + + "\"attributes\": {\"@class\": \"java.util.Collections$EmptyMap\"}," + + "\"context\": {\"@class\":\"java.util.HashMap\"}" + "}" + "}"; + + private static final String CAS_TOKEN_CLEARED_JSON = CAS_TOKEN_JSON.replaceFirst(PASSWORD, "null"); + + protected JsonMapper mapper; + + @BeforeEach + public void setup() { + ClassLoader loader = getClass().getClassLoader(); + this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build(); + } + + @Test + public void serializeCasAuthenticationTest() throws JSONException { + CasAuthenticationToken token = createCasAuthenticationToken(); + String actualJson = this.mapper.writeValueAsString(token); + JSONAssert.assertEquals(CAS_TOKEN_JSON, actualJson, true); + } + + @Test + public void serializeCasAuthenticationTestAfterEraseCredentialInvoked() throws JSONException { + CasAuthenticationToken token = createCasAuthenticationToken(); + token.eraseCredentials(); + String actualJson = this.mapper.writeValueAsString(token); + JSONAssert.assertEquals(CAS_TOKEN_CLEARED_JSON, actualJson, true); + } + + @Test + public void deserializeCasAuthenticationTestAfterEraseCredentialInvoked() { + CasAuthenticationToken token = this.mapper.readValue(CAS_TOKEN_CLEARED_JSON, CasAuthenticationToken.class); + assertThat(((UserDetails) token.getPrincipal()).getPassword()).isNull(); + } + + @Test + public void deserializeCasAuthenticationTest() throws IOException { + CasAuthenticationToken token = this.mapper.readValue(CAS_TOKEN_JSON, CasAuthenticationToken.class); + assertThat(token).isNotNull(); + assertThat(token.getPrincipal()).isNotNull().isInstanceOf(User.class); + assertThat(((User) token.getPrincipal()).getUsername()).isEqualTo("admin"); + assertThat(((User) token.getPrincipal()).getPassword()).isEqualTo("1234"); + assertThat(token.getUserDetails()).isNotNull().isInstanceOf(User.class); + assertThat(token.getAssertion()).isNotNull().isInstanceOf(AssertionImpl.class); + assertThat(token.getKeyHash()).isEqualTo(KEY.hashCode()); + assertThat(token.getUserDetails().getAuthorities()).extracting(GrantedAuthority::getAuthority) + .containsOnly("ROLE_USER"); + assertThat(token.getAssertion().getAuthenticationDate()).isEqualTo(START_DATE); + assertThat(token.getAssertion().getValidFromDate()).isEqualTo(START_DATE); + assertThat(token.getAssertion().getValidUntilDate()).isEqualTo(END_DATE); + assertThat(token.getAssertion().getPrincipal().getName()).isEqualTo("assertName"); + assertThat(token.getAssertion().getAttributes()).hasSize(0); + } + + private CasAuthenticationToken createCasAuthenticationToken() { + User principal = new User("admin", "1234", Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"))); + Collection authorities = Collections + .singletonList(new SimpleGrantedAuthority("ROLE_USER")); + Assertion assertion = new AssertionImpl(new AttributePrincipalImpl("assertName"), START_DATE, END_DATE, + START_DATE, Collections.emptyMap()); + return new CasAuthenticationToken(KEY, principal, principal.getPassword(), authorities, + new User("admin", "1234", authorities), assertion); + } + +} diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/JwkSetTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/JwkSetTests.java index ac36914000..663b279c00 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/JwkSetTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/JwkSetTests.java @@ -24,6 +24,7 @@ import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; +import tools.jackson.databind.json.JsonMapper; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; @@ -167,7 +168,8 @@ static class RowMapper extends JdbcOAuth2AuthorizationService.OAuth2Authorizatio RowMapper(RegisteredClientRepository registeredClientRepository) { super(registeredClientRepository); - getObjectMapper().addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class); + setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder() + .addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class))); } } @@ -176,7 +178,8 @@ static class ParametersMapper extends JdbcOAuth2AuthorizationService.OAuth2Autho ParametersMapper() { super(); - getObjectMapper().addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class); + setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder() + .addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class))); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java index fc9ef1c7a2..83d2b98250 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java @@ -46,6 +46,7 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.mockito.ArgumentCaptor; +import tools.jackson.databind.json.JsonMapper; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; @@ -1300,7 +1301,8 @@ static class RowMapper extends JdbcOAuth2AuthorizationService.OAuth2Authorizatio RowMapper(RegisteredClientRepository registeredClientRepository) { super(registeredClientRepository); - getObjectMapper().addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class); + setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder() + .addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class))); } } @@ -1309,7 +1311,8 @@ static class ParametersMapper extends JdbcOAuth2AuthorizationService.OAuth2Autho ParametersMapper() { super(); - getObjectMapper().addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class); + setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder() + .addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class))); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientCredentialsGrantTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientCredentialsGrantTests.java index 98e277bbff..f60511156b 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientCredentialsGrantTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientCredentialsGrantTests.java @@ -40,6 +40,7 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.mockito.ArgumentCaptor; +import tools.jackson.databind.json.JsonMapper; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; @@ -573,7 +574,8 @@ static class RowMapper extends JdbcOAuth2AuthorizationService.OAuth2Authorizatio RowMapper(RegisteredClientRepository registeredClientRepository) { super(registeredClientRepository); - getObjectMapper().addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class); + setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder() + .addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class))); } } @@ -582,7 +584,8 @@ static class ParametersMapper extends JdbcOAuth2AuthorizationService.OAuth2Autho ParametersMapper() { super(); - getObjectMapper().addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class); + setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder() + .addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class))); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java index b785ded4dc..5f01cea6c2 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java @@ -39,6 +39,7 @@ import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; +import tools.jackson.databind.json.JsonMapper; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; @@ -516,7 +517,8 @@ static class RowMapper extends JdbcOAuth2AuthorizationService.OAuth2Authorizatio RowMapper(RegisteredClientRepository registeredClientRepository) { super(registeredClientRepository); - getObjectMapper().addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class); + setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder() + .addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class))); } } @@ -525,7 +527,8 @@ static class ParametersMapper extends JdbcOAuth2AuthorizationService.OAuth2Autho ParametersMapper() { super(); - getObjectMapper().addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class); + setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder() + .addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class))); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenIntrospectionTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenIntrospectionTests.java index c01a8bd3e0..018ca4ad36 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenIntrospectionTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenIntrospectionTests.java @@ -35,6 +35,7 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.mockito.ArgumentCaptor; +import tools.jackson.databind.json.JsonMapper; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; @@ -553,7 +554,8 @@ static class RowMapper extends JdbcOAuth2AuthorizationService.OAuth2Authorizatio RowMapper(RegisteredClientRepository registeredClientRepository) { super(registeredClientRepository); - getObjectMapper().addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class); + setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder() + .addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class))); } } @@ -562,7 +564,8 @@ static class ParametersMapper extends JdbcOAuth2AuthorizationService.OAuth2Autho ParametersMapper() { super(); - getObjectMapper().addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class); + setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder() + .addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class))); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenRevocationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenRevocationTests.java index 5a910c2b0f..5506c81607 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenRevocationTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenRevocationTests.java @@ -31,6 +31,7 @@ import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; import org.mockito.ArgumentCaptor; +import tools.jackson.databind.json.JsonMapper; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; @@ -351,7 +352,8 @@ static class RowMapper extends JdbcOAuth2AuthorizationService.OAuth2Authorizatio RowMapper(RegisteredClientRepository registeredClientRepository) { super(registeredClientRepository); - getObjectMapper().addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class); + setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder() + .addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class))); } } @@ -360,7 +362,8 @@ static class ParametersMapper extends JdbcOAuth2AuthorizationService.OAuth2Autho ParametersMapper() { super(); - getObjectMapper().addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class); + setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder() + .addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class))); } } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java index e9109cec34..354c3a3926 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java @@ -36,6 +36,7 @@ import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; +import tools.jackson.databind.json.JsonMapper; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; @@ -695,7 +696,8 @@ static class RowMapper extends JdbcOAuth2AuthorizationService.OAuth2Authorizatio RowMapper(RegisteredClientRepository registeredClientRepository) { super(registeredClientRepository); - getObjectMapper().addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class); + setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder() + .addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class))); } } @@ -704,7 +706,8 @@ static class ParametersMapper extends JdbcOAuth2AuthorizationService.OAuth2Autho ParametersMapper() { super(); - getObjectMapper().addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class); + setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder() + .addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class))); } } diff --git a/core/spring-security-core.gradle b/core/spring-security-core.gradle index bc28ffe604..23fe149d7d 100644 --- a/core/spring-security-core.gradle +++ b/core/spring-security-core.gradle @@ -25,6 +25,7 @@ dependencies { optional 'org.springframework:spring-jdbc' optional 'org.springframework:spring-tx' optional 'org.jetbrains.kotlinx:kotlinx-coroutines-reactor' + optional 'tools.jackson.core:jackson-databind' testImplementation 'commons-collections:commons-collections' testImplementation 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310' diff --git a/core/src/main/java/org/springframework/security/jackson/AnonymousAuthenticationTokenMixin.java b/core/src/main/java/org/springframework/security/jackson/AnonymousAuthenticationTokenMixin.java new file mode 100644 index 0000000000..98044d5e42 --- /dev/null +++ b/core/src/main/java/org/springframework/security/jackson/AnonymousAuthenticationTokenMixin.java @@ -0,0 +1,57 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import java.util.Collection; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.core.GrantedAuthority; + +/** + * This is a Jackson mixin class helps in serialize/deserialize + * {@link org.springframework.security.authentication.AnonymousAuthenticationToken} class. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see CoreJacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE, + getterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY) +class AnonymousAuthenticationTokenMixin { + + /** + * Constructor used by Jackson to create object of + * {@link org.springframework.security.authentication.AnonymousAuthenticationToken}. + * @param keyHash hashCode of key provided at the time of token creation by using + * {@link org.springframework.security.authentication.AnonymousAuthenticationToken#AnonymousAuthenticationToken(String, Object, Collection)} + * @param principal the principal (typically a UserDetails) + * @param authorities the authorities granted to the principal + */ + @JsonCreator + AnonymousAuthenticationTokenMixin(@JsonProperty("keyHash") Integer keyHash, + @JsonProperty("principal") Object principal, + @JsonProperty("authorities") Collection authorities) { + } + +} diff --git a/core/src/main/java/org/springframework/security/jackson/BadCredentialsExceptionMixin.java b/core/src/main/java/org/springframework/security/jackson/BadCredentialsExceptionMixin.java new file mode 100644 index 0000000000..2b64bed3ed --- /dev/null +++ b/core/src/main/java/org/springframework/security/jackson/BadCredentialsExceptionMixin.java @@ -0,0 +1,46 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +/** + * This mixin class helps in serialize/deserialize + * {@link org.springframework.security.authentication.BadCredentialsException} class. + * + * @author Sebastien Deleuze + * @author Yannick Lombardi + * @since 7.0 + * @see CoreJacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonIgnoreProperties({ "cause", "stackTrace", "authenticationRequest" }) +class BadCredentialsExceptionMixin { + + /** + * Constructor used by Jackson to create + * {@link org.springframework.security.authentication.BadCredentialsException} object. + * @param message the detail message + */ + @JsonCreator + BadCredentialsExceptionMixin(@JsonProperty("message") String message) { + } + +} diff --git a/core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java b/core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java new file mode 100644 index 0000000000..58293a1797 --- /dev/null +++ b/core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java @@ -0,0 +1,113 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import java.time.Duration; +import java.time.Instant; + +import tools.jackson.core.Version; +import tools.jackson.databind.cfg.DateTimeFeature; +import tools.jackson.databind.cfg.MapperBuilder; +import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator; + +import org.springframework.security.authentication.AnonymousAuthenticationToken; +import org.springframework.security.authentication.BadCredentialsException; +import org.springframework.security.authentication.RememberMeAuthenticationToken; +import org.springframework.security.authentication.TestingAuthenticationToken; +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.authority.FactorGrantedAuthority; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.context.SecurityContextImpl; +import org.springframework.security.core.userdetails.User; + +/** + * Jackson module for spring-security-core. This module register + * {@link AnonymousAuthenticationTokenMixin}, {@link RememberMeAuthenticationTokenMixin}, + * {@link SimpleGrantedAuthorityMixin}, {@link FactorGrantedAuthorityMixin}, + * {{@link UserMixin}, {@link UsernamePasswordAuthenticationTokenMixin} and + * {@link UsernamePasswordAuthenticationTokenMixin}. + * + *

+ * The recommended way to configure it is to use {@link SecurityJacksonModules} in order + * to enable properly automatic inclusion of type information with related validation. + * + * 

+ *     ClassLoader loader = getClass().getClassLoader();
+ *     JsonMapper mapper = JsonMapper.builder()
+ * 				.addModules(SecurityJacksonModules.getModules(loader))
+ * 				.build();
+ *
+ * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.O + * @see SecurityJacksonModules + */ +@SuppressWarnings("serial") + +public class CoreJacksonModule extends SecurityJacksonModule { + + public CoreJacksonModule() { + super(CoreJacksonModule.class.getName(), new Version(1, 0, 0, null, null, null)); + } + + protected CoreJacksonModule(String name, Version version) { + super(name, version); + } + + @Override + public void configurePolymorphicTypeValidator(BasicPolymorphicTypeValidator.Builder builder) { + builder.allowIfSubType(Instant.class) + .allowIfSubType(Duration.class) + .allowIfSubType(SimpleGrantedAuthority.class) + .allowIfSubType(FactorGrantedAuthority.class) + .allowIfSubType(UsernamePasswordAuthenticationToken.class) + .allowIfSubType(RememberMeAuthenticationToken.class) + .allowIfSubType(AnonymousAuthenticationToken.class) + .allowIfSubType(User.class) + .allowIfSubType(BadCredentialsException.class) + .allowIfSubType(SecurityContextImpl.class) + .allowIfSubType(TestingAuthenticationToken.class) + .allowIfSubType("java.util.Collections$UnmodifiableSet") + .allowIfSubType("java.util.Collections$UnmodifiableRandomAccessList") + .allowIfSubType("java.util.Collections$EmptyList") + .allowIfSubType("java.util.ArrayList") + .allowIfSubType("java.util.HashMap") + .allowIfSubType("java.util.Collections$EmptyMap") + .allowIfSubType("java.util.Date") + .allowIfSubType("java.util.Arrays$ArrayList") + .allowIfSubType("java.util.Collections$UnmodifiableMap") + .allowIfSubType("java.util.LinkedHashMap") + .allowIfSubType("java.util.Collections$SingletonList") + .allowIfSubType("java.util.TreeMap") + .allowIfSubType("java.util.HashSet") + .allowIfSubType("java.util.LinkedHashSet"); + } + + @Override + public void setupModule(SetupContext context) { + ((MapperBuilder) context.getOwner()).enable(DateTimeFeature.WRITE_DATES_AS_TIMESTAMPS); + context.setMixIn(AnonymousAuthenticationToken.class, AnonymousAuthenticationTokenMixin.class); + context.setMixIn(RememberMeAuthenticationToken.class, RememberMeAuthenticationTokenMixin.class); + context.setMixIn(SimpleGrantedAuthority.class, SimpleGrantedAuthorityMixin.class); + context.setMixIn(FactorGrantedAuthority.class, FactorGrantedAuthorityMixin.class); + context.setMixIn(User.class, UserMixin.class); + context.setMixIn(UsernamePasswordAuthenticationToken.class, UsernamePasswordAuthenticationTokenMixin.class); + context.setMixIn(BadCredentialsException.class, BadCredentialsExceptionMixin.class); + } + +} diff --git a/core/src/main/java/org/springframework/security/jackson/FactorGrantedAuthorityMixin.java b/core/src/main/java/org/springframework/security/jackson/FactorGrantedAuthorityMixin.java new file mode 100644 index 0000000000..3e1db9cc6a --- /dev/null +++ b/core/src/main/java/org/springframework/security/jackson/FactorGrantedAuthorityMixin.java @@ -0,0 +1,50 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import java.time.Instant; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +/** + * Jackson Mixin class helps in serialize/deserialize + * {@link org.springframework.security.core.authority.SimpleGrantedAuthority}. + * + * @author Sebastien Deleuze + * @author Rob Winch + * @since 7.0 + * @see CoreJacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.NONE, + getterVisibility = JsonAutoDetect.Visibility.PUBLIC_ONLY, isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class FactorGrantedAuthorityMixin { + + /** + * Mixin Constructor. + * @param authority the authority + */ + @JsonCreator + FactorGrantedAuthorityMixin(@JsonProperty("authority") String authority, + @JsonProperty("issuedAt") Instant issuedAt) { + } + +} diff --git a/core/src/main/java/org/springframework/security/jackson/RememberMeAuthenticationTokenMixin.java b/core/src/main/java/org/springframework/security/jackson/RememberMeAuthenticationTokenMixin.java new file mode 100644 index 0000000000..7def13e632 --- /dev/null +++ b/core/src/main/java/org/springframework/security/jackson/RememberMeAuthenticationTokenMixin.java @@ -0,0 +1,60 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import java.util.Collection; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.core.GrantedAuthority; + +/** + * This mixin class helps in serialize/deserialize + * {@link org.springframework.security.authentication.RememberMeAuthenticationToken} + * class. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see CoreJacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY) +@JsonIgnoreProperties(ignoreUnknown = true) +class RememberMeAuthenticationTokenMixin { + + /** + * Constructor used by Jackson to create + * {@link org.springframework.security.authentication.RememberMeAuthenticationToken} + * object. + * @param keyHash hashCode of above given key. + * @param principal the principal (typically a UserDetails) + * @param authorities the authorities granted to the principal + */ + @JsonCreator + RememberMeAuthenticationTokenMixin(@JsonProperty("keyHash") Integer keyHash, + @JsonProperty("principal") Object principal, + @JsonProperty("authorities") Collection authorities) { + } + +} diff --git a/core/src/main/java/org/springframework/security/jackson/SecurityJacksonModule.java b/core/src/main/java/org/springframework/security/jackson/SecurityJacksonModule.java new file mode 100644 index 0000000000..d2504a872d --- /dev/null +++ b/core/src/main/java/org/springframework/security/jackson/SecurityJacksonModule.java @@ -0,0 +1,42 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import tools.jackson.core.Version; +import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator; +import tools.jackson.databind.jsontype.PolymorphicTypeValidator; +import tools.jackson.databind.module.SimpleModule; + +/** + * Jackson module allowing to contribute {@link PolymorphicTypeValidator} configuration. + * + * @author Sebastien Deleuze + * @since 7.0 + */ +public abstract class SecurityJacksonModule extends SimpleModule { + + public SecurityJacksonModule() { + super(); + } + + public SecurityJacksonModule(String name, Version version) { + super(name, version, null); + } + + public abstract void configurePolymorphicTypeValidator(BasicPolymorphicTypeValidator.Builder builder); + +} diff --git a/core/src/main/java/org/springframework/security/jackson/SecurityJacksonModules.java b/core/src/main/java/org/springframework/security/jackson/SecurityJacksonModules.java new file mode 100644 index 0000000000..4c5b484b65 --- /dev/null +++ b/core/src/main/java/org/springframework/security/jackson/SecurityJacksonModules.java @@ -0,0 +1,203 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; + +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.jspecify.annotations.Nullable; +import tools.jackson.databind.DefaultTyping; +import tools.jackson.databind.JacksonModule; +import tools.jackson.databind.cfg.MapperBuilder; +import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator; +import tools.jackson.databind.jsontype.PolymorphicTypeValidator; +import tools.jackson.databind.module.SimpleModule; + +import org.springframework.core.log.LogMessage; +import org.springframework.util.ClassUtils; + +/** + * This utility class will find all the Jackson modules contributed by Spring Security in + * the classpath (except {@code OAuth2AuthorizationServerJacksonModule} and + * {@code WebauthnJacksonModule}), enable automatic inclusion of type information and + * configure a {@link PolymorphicTypeValidator} that handles the validation of class + * names. + * + *

+ * 

+ *     ClassLoader loader = getClass().getClassLoader();
+ *     JsonMapper mapper = JsonMapper.builder()
+ * 				.addModules(SecurityJacksonModules.getModules(loader))
+ * 				.build();
+ *
+ * + * If needed, you can add custom classes to the validation handling. + *

+ * 

+ *     ClassLoader loader = getClass().getClassLoader();
+ *     BasicPolymorphicTypeValidator.Builder builder = BasicPolymorphicTypeValidator.builder()
+ *     			.allowIfSubType(MyCustomType.class);
+ *     JsonMapper mapper = JsonMapper.builder()
+ * 				.addModules(SecurityJacksonModules.getModules(loader, builder))
+ * 	   			.build();
+ *
+ * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + */ +public final class SecurityJacksonModules { + + private static final Log logger = LogFactory.getLog(SecurityJacksonModules.class); + + private static final List securityJacksonModuleClasses = Arrays.asList( + "org.springframework.security.jackson.CoreJacksonModule", + "org.springframework.security.web.jackson.WebJacksonModule", + "org.springframework.security.web.server.jackson.WebServerJacksonModule"); + + private static final String webServletJacksonModuleClass = "org.springframework.security.web.jackson.WebServletJacksonModule"; + + private static final String oauth2ClientJacksonModuleClass = "org.springframework.security.oauth2.client.jackson.OAuth2ClientJacksonModule"; + + private static final String ldapJacksonModuleClass = "org.springframework.security.ldap.jackson.LdapJacksonModule"; + + private static final String saml2JacksonModuleClass = "org.springframework.security.saml2.jackson.Saml2JacksonModule"; + + private static final String casJacksonModuleClass = "org.springframework.security.cas.jackson.CasJacksonModule"; + + private static final boolean webServletPresent; + + private static final boolean oauth2ClientPresent; + + private static final boolean ldapJacksonPresent; + + private static final boolean saml2JacksonPresent; + + private static final boolean casJacksonPresent; + + static { + + ClassLoader classLoader = SecurityJacksonModules.class.getClassLoader(); + webServletPresent = ClassUtils.isPresent("jakarta.servlet.http.Cookie", classLoader); + oauth2ClientPresent = ClassUtils.isPresent("org.springframework.security.oauth2.client.OAuth2AuthorizedClient", + classLoader); + ldapJacksonPresent = ClassUtils.isPresent(ldapJacksonModuleClass, classLoader); + saml2JacksonPresent = ClassUtils.isPresent(saml2JacksonModuleClass, classLoader); + casJacksonPresent = ClassUtils.isPresent(casJacksonModuleClass, classLoader); + } + + private SecurityJacksonModules() { + } + + @SuppressWarnings("unchecked") + private static @Nullable SecurityJacksonModule loadAndGetInstance(String className, ClassLoader loader) { + try { + Class securityModule = (Class) ClassUtils + .forName(className, loader); + logger.debug(LogMessage.format("Loaded module %s, now registering", className)); + return securityModule.getConstructor().newInstance(); + } + catch (Exception ex) { + logger.debug(LogMessage.format("Cannot load module %s", className), ex); + } + return null; + } + + /** + * Return the list of available security modules in classpath, enable automatic + * inclusion of type information and configure a default + * {@link PolymorphicTypeValidator} that handles the validation of class names. + * @param loader the ClassLoader to use + * @return List of available security modules in classpath + * @see #getModules(ClassLoader, BasicPolymorphicTypeValidator.Builder) + */ + public static List getModules(ClassLoader loader) { + return getModules(loader, null); + } + + /** + * Return the list of available security modules in classpath, enable automatic + * inclusion of type information and configure a default + * {@link PolymorphicTypeValidator} customizable with the provided builder that + * handles the validation of class names. + * @param loader the ClassLoader to use + * @param typeValidatorBuilder the builder to configure custom types allowed in + * addition to Spring Security ones + * @return List of available security modules in classpath. + */ + public static List getModules(ClassLoader loader, + BasicPolymorphicTypeValidator.@Nullable Builder typeValidatorBuilder) { + + List modules = new ArrayList<>(); + for (String className : securityJacksonModuleClasses) { + addToModulesList(loader, modules, className); + } + if (webServletPresent) { + addToModulesList(loader, modules, webServletJacksonModuleClass); + } + if (oauth2ClientPresent) { + addToModulesList(loader, modules, oauth2ClientJacksonModuleClass); + } + if (ldapJacksonPresent) { + addToModulesList(loader, modules, ldapJacksonModuleClass); + } + if (saml2JacksonPresent) { + addToModulesList(loader, modules, saml2JacksonModuleClass); + } + if (casJacksonPresent) { + addToModulesList(loader, modules, casJacksonModuleClass); + } + applyPolymorphicTypeValidator(modules, typeValidatorBuilder); + return modules; + } + + private static void applyPolymorphicTypeValidator(List modules, + BasicPolymorphicTypeValidator.@Nullable Builder typeValidatorBuilder) { + + BasicPolymorphicTypeValidator.Builder builder = (typeValidatorBuilder != null) ? typeValidatorBuilder + : BasicPolymorphicTypeValidator.builder(); + for (JacksonModule module : modules) { + if (module instanceof SecurityJacksonModule securityModule) { + securityModule.configurePolymorphicTypeValidator(builder); + } + } + modules.add(new SimpleModule() { + @Override + public void setupModule(SetupContext context) { + ((MapperBuilder) context.getOwner()).activateDefaultTyping(builder.build(), + DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY); + } + }); + } + + /** + * @param loader the ClassLoader to use + * @param modules list of the modules to add + * @param className name of the class to instantiate + */ + private static void addToModulesList(ClassLoader loader, List modules, String className) { + SecurityJacksonModule module = loadAndGetInstance(className, loader); + if (module != null) { + modules.add(module); + } + } + +} diff --git a/core/src/main/java/org/springframework/security/jackson/SimpleGrantedAuthorityMixin.java b/core/src/main/java/org/springframework/security/jackson/SimpleGrantedAuthorityMixin.java new file mode 100644 index 0000000000..17434689ba --- /dev/null +++ b/core/src/main/java/org/springframework/security/jackson/SimpleGrantedAuthorityMixin.java @@ -0,0 +1,47 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +/** + * Jackson Mixin class helps in serialize/deserialize + * {@link org.springframework.security.core.authority.SimpleGrantedAuthority}. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see CoreJacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.NONE, + getterVisibility = JsonAutoDetect.Visibility.PUBLIC_ONLY, isGetterVisibility = JsonAutoDetect.Visibility.NONE) +public abstract class SimpleGrantedAuthorityMixin { + + /** + * Mixin Constructor. + * @param role the role + */ + @JsonCreator + public SimpleGrantedAuthorityMixin(@JsonProperty("authority") String role) { + } + +} diff --git a/core/src/main/java/org/springframework/security/jackson/UserDeserializer.java b/core/src/main/java/org/springframework/security/jackson/UserDeserializer.java new file mode 100644 index 0000000000..daf267ee13 --- /dev/null +++ b/core/src/main/java/org/springframework/security/jackson/UserDeserializer.java @@ -0,0 +1,81 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import java.util.Set; + +import tools.jackson.core.JacksonException; +import tools.jackson.core.JsonParser; +import tools.jackson.core.type.TypeReference; +import tools.jackson.databind.DeserializationContext; +import tools.jackson.databind.JsonNode; +import tools.jackson.databind.ValueDeserializer; +import tools.jackson.databind.node.MissingNode; + +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.userdetails.User; + +/** + * Custom Deserializer for {@link User} class. This is already registered with + * {@link UserMixin}. You can also use it directly with your mixin class. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see UserMixin + */ +class UserDeserializer extends ValueDeserializer { + + private static final TypeReference> GRANTED_AUTHORITY_SET = new TypeReference<>() { + }; + + /** + * This method will create {@link User} object. It will ensure successful object + * creation even if password key is null in serialized json, because credentials may + * be removed from the {@link User} by invoking {@link User#eraseCredentials()}. In + * that case there won't be any password key in serialized json. + * @param jp the JsonParser + * @param ctxt the DeserializationContext + * @return the user + * @throws JacksonException if an error during JSON processing occurs + */ + @Override + public User deserialize(JsonParser jp, DeserializationContext ctxt) throws JacksonException { + JsonNode jsonNode = ctxt.readTree(jp); + JsonNode authoritiesNode = readJsonNode(jsonNode, "authorities"); + Set authorities = ctxt.readTreeAsValue(authoritiesNode, + ctxt.getTypeFactory().constructType(GRANTED_AUTHORITY_SET)); + JsonNode passwordNode = readJsonNode(jsonNode, "password"); + String username = readJsonNode(jsonNode, "username").asString(); + String password = (passwordNode.isMissingNode()) ? null : passwordNode.stringValue(); + boolean enabled = readJsonNode(jsonNode, "enabled").asBoolean(); + boolean accountNonExpired = readJsonNode(jsonNode, "accountNonExpired").asBoolean(); + boolean credentialsNonExpired = readJsonNode(jsonNode, "credentialsNonExpired").asBoolean(); + boolean accountNonLocked = readJsonNode(jsonNode, "accountNonLocked").asBoolean(); + User result = new User(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, + authorities); + if (passwordNode.asString(null) == null) { + result.eraseCredentials(); + } + return result; + } + + private JsonNode readJsonNode(JsonNode jsonNode, String field) { + return jsonNode.has(field) ? jsonNode.get(field) : MissingNode.getInstance(); + } + +} diff --git a/core/src/main/java/org/springframework/security/jackson/UserMixin.java b/core/src/main/java/org/springframework/security/jackson/UserMixin.java new file mode 100644 index 0000000000..f0bede4e2d --- /dev/null +++ b/core/src/main/java/org/springframework/security/jackson/UserMixin.java @@ -0,0 +1,41 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import tools.jackson.databind.annotation.JsonDeserialize; + +/** + * This mixin class helps in serialize/deserialize + * {@link org.springframework.security.core.userdetails.User}. This class also register a + * custom deserializer {@link UserDeserializer} to deserialize User object successfully. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see UserDeserializer + * @see CoreJacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonDeserialize(using = UserDeserializer.class) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class UserMixin { + +} diff --git a/core/src/main/java/org/springframework/security/jackson/UsernamePasswordAuthenticationTokenDeserializer.java b/core/src/main/java/org/springframework/security/jackson/UsernamePasswordAuthenticationTokenDeserializer.java new file mode 100644 index 0000000000..618099d551 --- /dev/null +++ b/core/src/main/java/org/springframework/security/jackson/UsernamePasswordAuthenticationTokenDeserializer.java @@ -0,0 +1,105 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import java.util.List; + +import org.jspecify.annotations.Nullable; +import tools.jackson.core.JacksonException; +import tools.jackson.core.JsonParser; +import tools.jackson.core.exc.StreamReadException; +import tools.jackson.core.type.TypeReference; +import tools.jackson.databind.DatabindException; +import tools.jackson.databind.DeserializationContext; +import tools.jackson.databind.JsonNode; +import tools.jackson.databind.ValueDeserializer; +import tools.jackson.databind.node.MissingNode; + +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.GrantedAuthority; + +/** + * Custom deserializer for {@link UsernamePasswordAuthenticationToken}. At the time of + * deserialization it will invoke suitable constructor depending on the value of + * authenticated property. It will ensure that the token's state must not change. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @author Greg Turnquist + * @author Onur Kagan Ozcan + * @since 7.0 + * @see UsernamePasswordAuthenticationTokenMixin + */ +class UsernamePasswordAuthenticationTokenDeserializer extends ValueDeserializer { + + private static final TypeReference> GRANTED_AUTHORITY_LIST = new TypeReference<>() { + }; + + /** + * This method construct {@link UsernamePasswordAuthenticationToken} object from + * serialized json. + * @param jp the JsonParser + * @param ctxt the DeserializationContext + * @return the user + * @throws JacksonException if an error during JSON processing occurs + */ + @Override + public UsernamePasswordAuthenticationToken deserialize(JsonParser jp, DeserializationContext ctxt) + throws JacksonException { + JsonNode jsonNode = ctxt.readTree(jp); + boolean authenticated = readJsonNode(jsonNode, "authenticated").asBoolean(); + JsonNode principalNode = readJsonNode(jsonNode, "principal"); + Object principal = getPrincipal(ctxt, principalNode); + JsonNode credentialsNode = readJsonNode(jsonNode, "credentials"); + Object credentials = getCredentials(credentialsNode); + JsonNode authoritiesNode = readJsonNode(jsonNode, "authorities"); + List authorities = ctxt.readTreeAsValue(authoritiesNode, + ctxt.getTypeFactory().constructType(GRANTED_AUTHORITY_LIST)); + UsernamePasswordAuthenticationToken token = (!authenticated) + ? UsernamePasswordAuthenticationToken.unauthenticated(principal, credentials) + : UsernamePasswordAuthenticationToken.authenticated(principal, credentials, authorities); + JsonNode detailsNode = readJsonNode(jsonNode, "details"); + if (detailsNode.isNull() || detailsNode.isMissingNode()) { + token.setDetails(null); + } + else { + Object details = ctxt.readTreeAsValue(detailsNode, Object.class); + token.setDetails(details); + } + return token; + } + + private @Nullable Object getCredentials(JsonNode credentialsNode) { + if (credentialsNode.isNull() || credentialsNode.isMissingNode()) { + return null; + } + return credentialsNode.asString(); + } + + private Object getPrincipal(DeserializationContext ctxt, JsonNode principalNode) + throws StreamReadException, DatabindException { + if (principalNode.isObject()) { + return ctxt.readTreeAsValue(principalNode, Object.class); + } + return principalNode.asString(); + } + + private JsonNode readJsonNode(JsonNode jsonNode, String field) { + return jsonNode.has(field) ? jsonNode.get(field) : MissingNode.getInstance(); + } + +} diff --git a/core/src/main/java/org/springframework/security/jackson/UsernamePasswordAuthenticationTokenMixin.java b/core/src/main/java/org/springframework/security/jackson/UsernamePasswordAuthenticationTokenMixin.java new file mode 100644 index 0000000000..92b79eaac3 --- /dev/null +++ b/core/src/main/java/org/springframework/security/jackson/UsernamePasswordAuthenticationTokenMixin.java @@ -0,0 +1,41 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import tools.jackson.databind.annotation.JsonDeserialize; + +/** + * This mixin class is used to serialize / deserialize + * {@link org.springframework.security.authentication.UsernamePasswordAuthenticationToken}. + * This class register a custom deserializer + * {@link UsernamePasswordAuthenticationTokenDeserializer}. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see CoreJacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +@JsonDeserialize(using = UsernamePasswordAuthenticationTokenDeserializer.class) +abstract class UsernamePasswordAuthenticationTokenMixin { + +} diff --git a/core/src/main/java/org/springframework/security/jackson/package-info.java b/core/src/main/java/org/springframework/security/jackson/package-info.java new file mode 100644 index 0000000000..ede43c2eda --- /dev/null +++ b/core/src/main/java/org/springframework/security/jackson/package-info.java @@ -0,0 +1,23 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * Jackson 3+ serialization support. + */ +@NullMarked +package org.springframework.security.jackson; + +import org.jspecify.annotations.NullMarked; diff --git a/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenDeserializer.java b/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenDeserializer.java index b67d82ca19..fe10b1e703 100644 --- a/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenDeserializer.java +++ b/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenDeserializer.java @@ -71,7 +71,7 @@ public UsernamePasswordAuthenticationToken deserialize(JsonParser jp, Deserializ throws IOException, JsonProcessingException { ObjectMapper mapper = (ObjectMapper) jp.getCodec(); JsonNode jsonNode = mapper.readTree(jp); - Boolean authenticated = readJsonNode(jsonNode, "authenticated").asBoolean(); + boolean authenticated = readJsonNode(jsonNode, "authenticated").asBoolean(); JsonNode principalNode = readJsonNode(jsonNode, "principal"); Object principal = getPrincipal(mapper, principalNode); JsonNode credentialsNode = readJsonNode(jsonNode, "credentials"); diff --git a/core/src/main/java/org/springframework/security/jackson2/package-info.java b/core/src/main/java/org/springframework/security/jackson2/package-info.java index 2f2f55eae5..3909d479d3 100644 --- a/core/src/main/java/org/springframework/security/jackson2/package-info.java +++ b/core/src/main/java/org/springframework/security/jackson2/package-info.java @@ -15,10 +15,7 @@ */ /** - * Mix-in classes to add Jackson serialization support. - * - * @author Jitendra Singh - * @since 4.2 + * Jackson 2 serialization support. */ @NullMarked package org.springframework.security.jackson2; diff --git a/core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java b/core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java index 430b5dc720..2cdcee0a4b 100644 --- a/core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java +++ b/core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java @@ -34,9 +34,9 @@ import java.util.function.Supplier; import java.util.stream.Stream; -import com.fasterxml.jackson.core.JsonProcessingException; -import com.fasterxml.jackson.databind.ObjectMapper; +import org.junit.jupiter.api.Disabled; import org.junit.jupiter.api.Test; +import tools.jackson.databind.json.JsonMapper; import org.springframework.aop.Pointcut; import org.springframework.core.annotation.AnnotationAwareOrderComparator; @@ -340,13 +340,14 @@ public void setTargetVisitorIgnoreValueTypesThenIgnores() { assertThat(factory.proxy(35)).isEqualTo(35); } + // TODO Find why callbacks property is serialized with Jackson 3, not with Jackson 2 + @Disabled("callbacks property is serialized with Jackson 3, not with Jackson 2") @Test - public void serializeWhenAuthorizationProxyObjectThenOnlyIncludesProxiedProperties() - throws JsonProcessingException { + public void serializeWhenAuthorizationProxyObjectThenOnlyIncludesProxiedProperties() { SecurityContextHolder.getContext().setAuthentication(this.admin); AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withDefaults(); User user = proxy(factory, this.alan); - ObjectMapper mapper = new ObjectMapper(); + JsonMapper mapper = new JsonMapper(); String serialized = mapper.writeValueAsString(user); Map properties = mapper.readValue(serialized, Map.class); assertThat(properties).hasSize(3).containsKeys("id", "firstName", "lastName"); diff --git a/core/src/test/java/org/springframework/security/jackson/AbstractMixinTests.java b/core/src/test/java/org/springframework/security/jackson/AbstractMixinTests.java new file mode 100644 index 0000000000..e763f35eab --- /dev/null +++ b/core/src/test/java/org/springframework/security/jackson/AbstractMixinTests.java @@ -0,0 +1,51 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import org.junit.jupiter.api.BeforeEach; +import tools.jackson.databind.json.JsonMapper; +import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator; + +import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.core.userdetails.User; + +/** + * @author Jitenra Singh + * @since 4.2 + */ +public abstract class AbstractMixinTests { + + protected JsonMapper mapper; + + @BeforeEach + public void setup() { + ClassLoader loader = getClass().getClassLoader(); + BasicPolymorphicTypeValidator.Builder builder = BasicPolymorphicTypeValidator.builder() + .allowIfSubType( + "org.springframework.security.jackson.UsernamePasswordAuthenticationTokenMixinTests$NonUserPrincipal"); + this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader, builder)).build(); + } + + User createDefaultUser() { + return createUser("admin", "1234", "ROLE_USER"); + } + + User createUser(String username, String password, String authority) { + return new User(username, password, AuthorityUtils.createAuthorityList(authority)); + } + +} diff --git a/core/src/test/java/org/springframework/security/jackson/AnonymousAuthenticationTokenMixinTests.java b/core/src/test/java/org/springframework/security/jackson/AnonymousAuthenticationTokenMixinTests.java new file mode 100644 index 0000000000..b084c8e6e9 --- /dev/null +++ b/core/src/test/java/org/springframework/security/jackson/AnonymousAuthenticationTokenMixinTests.java @@ -0,0 +1,83 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import org.json.JSONException; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.databind.exc.ValueInstantiationException; + +import org.springframework.security.authentication.AnonymousAuthenticationToken; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.userdetails.User; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; + +/** + * @author Jitendra Singh + * @since 4.2 + */ +public class AnonymousAuthenticationTokenMixinTests extends AbstractMixinTests { + + private static final String HASH_KEY = "key"; + + // @formatter:off + private static final String ANONYMOUS_JSON = "{" + + "\"@class\": \"org.springframework.security.authentication.AnonymousAuthenticationToken\", " + + "\"details\": null," + + "\"principal\": " + UserDeserializerTests.USER_JSON + "," + + "\"authenticated\": true, " + + "\"keyHash\": " + HASH_KEY.hashCode() + "," + + "\"authorities\": " + SimpleGrantedAuthorityMixinTests.AUTHORITIES_ARRAYLIST_JSON + + "}"; + // @formatter:on + @Test + public void serializeAnonymousAuthenticationTokenTest() throws JSONException { + User user = createDefaultUser(); + AnonymousAuthenticationToken token = new AnonymousAuthenticationToken(HASH_KEY, user, user.getAuthorities()); + String actualJson = this.mapper.writeValueAsString(token); + JSONAssert.assertEquals(ANONYMOUS_JSON, actualJson, true); + } + + @Test + public void deserializeAnonymousAuthenticationTokenTest() { + AnonymousAuthenticationToken token = this.mapper.readValue(ANONYMOUS_JSON, AnonymousAuthenticationToken.class); + assertThat(token).isNotNull(); + assertThat(token.getKeyHash()).isEqualTo(HASH_KEY.hashCode()); + assertThat(token.getAuthorities()).isNotNull().hasSize(1).contains(new SimpleGrantedAuthority("ROLE_USER")); + } + + @Test + public void deserializeAnonymousAuthenticationTokenWithoutAuthoritiesTest() { + String jsonString = "{\"@class\": \"org.springframework.security.authentication.AnonymousAuthenticationToken\", \"details\": null," + + "\"principal\": \"user\", \"authenticated\": true, \"keyHash\": " + HASH_KEY.hashCode() + "," + + "\"authorities\": [\"java.util.ArrayList\", []]}"; + assertThatExceptionOfType(ValueInstantiationException.class) + .isThrownBy(() -> this.mapper.readValue(jsonString, AnonymousAuthenticationToken.class)); + } + + @Test + public void serializeAnonymousAuthenticationTokenMixinAfterEraseCredentialTest() throws JSONException { + User user = createDefaultUser(); + AnonymousAuthenticationToken token = new AnonymousAuthenticationToken(HASH_KEY, user, user.getAuthorities()); + token.eraseCredentials(); + String actualJson = this.mapper.writeValueAsString(token); + JSONAssert.assertEquals(ANONYMOUS_JSON.replace(UserDeserializerTests.USER_PASSWORD, "null"), actualJson, true); + } + +} diff --git a/core/src/test/java/org/springframework/security/jackson/BadCredentialsExceptionMixinTests.java b/core/src/test/java/org/springframework/security/jackson/BadCredentialsExceptionMixinTests.java new file mode 100644 index 0000000000..88636d4609 --- /dev/null +++ b/core/src/test/java/org/springframework/security/jackson/BadCredentialsExceptionMixinTests.java @@ -0,0 +1,60 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import java.io.IOException; + +import com.fasterxml.jackson.core.JsonProcessingException; +import org.json.JSONException; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; + +import org.springframework.security.authentication.BadCredentialsException; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * @author Yannick Lombardi + * @since 5.0 + */ +public class BadCredentialsExceptionMixinTests extends AbstractMixinTests { + + // @formatter:off + private static final String EXCEPTION_JSON = "{" + + "\"@class\": \"org.springframework.security.authentication.BadCredentialsException\"," + + "\"localizedMessage\": \"message\", " + + "\"message\": \"message\", " + + "\"suppressed\": [\"[Ljava.lang.Throwable;\",[]]" + + "}"; + // @formatter:on + @Test + public void serializeBadCredentialsExceptionMixinTest() throws JsonProcessingException, JSONException { + BadCredentialsException exception = new BadCredentialsException("message"); + String serializedJson = this.mapper.writeValueAsString(exception); + JSONAssert.assertEquals(EXCEPTION_JSON, serializedJson, true); + } + + @Test + public void deserializeBadCredentialsExceptionMixinTest() throws IOException { + BadCredentialsException exception = this.mapper.readValue(EXCEPTION_JSON, BadCredentialsException.class); + assertThat(exception).isNotNull(); + assertThat(exception.getCause()).isNull(); + assertThat(exception.getMessage()).isEqualTo("message"); + assertThat(exception.getLocalizedMessage()).isEqualTo("message"); + } + +} diff --git a/core/src/test/java/org/springframework/security/jackson/FactorGrantedAuthorityMixinTests.java b/core/src/test/java/org/springframework/security/jackson/FactorGrantedAuthorityMixinTests.java new file mode 100644 index 0000000000..865a1be9a7 --- /dev/null +++ b/core/src/test/java/org/springframework/security/jackson/FactorGrantedAuthorityMixinTests.java @@ -0,0 +1,60 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import java.time.Instant; + +import org.json.JSONException; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; + +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.FactorGrantedAuthority; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * @author Rob Winch + * @since 7.0 + */ +class FactorGrantedAuthorityMixinTests extends AbstractMixinTests { + + // @formatter:off + public static final String AUTHORITY_JSON = "{\"@class\": \"org.springframework.security.core.authority.FactorGrantedAuthority\", \"authority\": \"FACTOR_PASSWORD\", \"issuedAt\": 1759177143.043000000 }"; + + private Instant issuedAt = Instant.ofEpochMilli(1759177143043L); + + // @formatter:on + + @Test + void serializeSimpleGrantedAuthorityTest() throws JSONException { + GrantedAuthority authority = FactorGrantedAuthority.withAuthority("FACTOR_PASSWORD") + .issuedAt(this.issuedAt) + .build(); + String serializeJson = this.mapper.writeValueAsString(authority); + JSONAssert.assertEquals(AUTHORITY_JSON, serializeJson, true); + } + + @Test + void deserializeGrantedAuthorityTest() { + FactorGrantedAuthority authority = (FactorGrantedAuthority) this.mapper.readValue(AUTHORITY_JSON, Object.class); + assertThat(authority).isNotNull(); + assertThat(authority.getAuthority()).isEqualTo("FACTOR_PASSWORD"); + assertThat(authority.getIssuedAt()).isEqualTo(this.issuedAt); + } + +} diff --git a/core/src/test/java/org/springframework/security/jackson/RememberMeAuthenticationTokenMixinTests.java b/core/src/test/java/org/springframework/security/jackson/RememberMeAuthenticationTokenMixinTests.java new file mode 100644 index 0000000000..0957e30fa3 --- /dev/null +++ b/core/src/test/java/org/springframework/security/jackson/RememberMeAuthenticationTokenMixinTests.java @@ -0,0 +1,128 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import java.io.IOException; +import java.util.Collections; + +import com.fasterxml.jackson.core.JsonProcessingException; +import org.json.JSONException; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; + +import org.springframework.security.authentication.RememberMeAuthenticationToken; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.userdetails.User; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; + +/** + * @author Jitendra Singh + * @since 4.2 + */ +public class RememberMeAuthenticationTokenMixinTests extends AbstractMixinTests { + + private static final String REMEMBERME_KEY = "rememberMe"; + + // @formatter:off + private static final String REMEMBERME_AUTH_JSON = "{" + + "\"@class\": \"org.springframework.security.authentication.RememberMeAuthenticationToken\", " + + "\"keyHash\": " + REMEMBERME_KEY.hashCode() + ", " + + "\"authenticated\": true, \"details\": null" + ", " + + "\"principal\": " + UserDeserializerTests.USER_JSON + ", " + + "\"authorities\": " + SimpleGrantedAuthorityMixinTests.AUTHORITIES_ARRAYLIST_JSON + + "}"; + // @formatter:on + + // @formatter:off + private static final String REMEMBERME_AUTH_STRINGPRINCIPAL_JSON = "{" + + "\"@class\": \"org.springframework.security.authentication.RememberMeAuthenticationToken\"," + + "\"keyHash\": " + REMEMBERME_KEY.hashCode() + ", " + + "\"authenticated\": true, " + + "\"details\": null," + + "\"principal\": \"admin\", " + + "\"authorities\": " + SimpleGrantedAuthorityMixinTests.AUTHORITIES_ARRAYLIST_JSON + + "}"; + // @formatter:on + + @Test + public void testWithNullPrincipal() { + assertThatIllegalArgumentException().isThrownBy( + () -> new RememberMeAuthenticationToken("key", null, Collections.emptyList())); + } + + @Test + public void testWithNullKey() { + assertThatIllegalArgumentException().isThrownBy( + () -> new RememberMeAuthenticationToken(null, "principal", Collections.emptyList())); + } + + @Test + public void serializeRememberMeAuthenticationToken() throws JsonProcessingException, JSONException { + RememberMeAuthenticationToken token = new RememberMeAuthenticationToken(REMEMBERME_KEY, "admin", + Collections.singleton(new SimpleGrantedAuthority("ROLE_USER"))); + String actualJson = this.mapper.writeValueAsString(token); + JSONAssert.assertEquals(REMEMBERME_AUTH_STRINGPRINCIPAL_JSON, actualJson, true); + } + + @Test + public void serializeRememberMeAuthenticationWithUserToken() throws JsonProcessingException, JSONException { + User user = createDefaultUser(); + RememberMeAuthenticationToken token = new RememberMeAuthenticationToken(REMEMBERME_KEY, user, + user.getAuthorities()); + String actualJson = this.mapper.writeValueAsString(token); + JSONAssert.assertEquals(String.format(REMEMBERME_AUTH_JSON, "\"password\""), actualJson, true); + } + + @Test + public void serializeRememberMeAuthenticationWithUserTokenAfterEraseCredential() + throws JsonProcessingException, JSONException { + User user = createDefaultUser(); + RememberMeAuthenticationToken token = new RememberMeAuthenticationToken(REMEMBERME_KEY, user, + user.getAuthorities()); + token.eraseCredentials(); + String actualJson = this.mapper.writeValueAsString(token); + JSONAssert.assertEquals(REMEMBERME_AUTH_JSON.replace(UserDeserializerTests.USER_PASSWORD, "null"), actualJson, + true); + } + + @Test + public void deserializeRememberMeAuthenticationToken() throws IOException { + RememberMeAuthenticationToken token = this.mapper.readValue(REMEMBERME_AUTH_STRINGPRINCIPAL_JSON, + RememberMeAuthenticationToken.class); + assertThat(token).isNotNull(); + assertThat(token.getPrincipal()).isNotNull().isEqualTo("admin").isEqualTo(token.getName()); + assertThat(token.getAuthorities()).hasSize(1).contains(new SimpleGrantedAuthority("ROLE_USER")); + } + + @Test + public void deserializeRememberMeAuthenticationTokenWithUserTest() throws IOException { + RememberMeAuthenticationToken token = this.mapper.readValue(String.format(REMEMBERME_AUTH_JSON, "\"password\""), + RememberMeAuthenticationToken.class); + assertThat(token).isNotNull(); + assertThat(token.getPrincipal()).isNotNull().isInstanceOf(User.class); + assertThat(((User) token.getPrincipal()).getUsername()).isEqualTo("admin"); + assertThat(((User) token.getPrincipal()).getPassword()).isEqualTo("1234"); + assertThat(((User) token.getPrincipal()).getAuthorities()).hasSize(1) + .contains(new SimpleGrantedAuthority("ROLE_USER")); + assertThat(token.getAuthorities()).hasSize(1).contains(new SimpleGrantedAuthority("ROLE_USER")); + assertThat(((User) token.getPrincipal()).isEnabled()).isEqualTo(true); + } + +} diff --git a/core/src/test/java/org/springframework/security/jackson/SecurityContextMixinTests.java b/core/src/test/java/org/springframework/security/jackson/SecurityContextMixinTests.java new file mode 100644 index 0000000000..a782ecdedf --- /dev/null +++ b/core/src/test/java/org/springframework/security/jackson/SecurityContextMixinTests.java @@ -0,0 +1,69 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import java.io.IOException; +import java.util.Collection; +import java.util.Collections; + +import com.fasterxml.jackson.core.JsonProcessingException; +import org.json.JSONException; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; + +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.context.SecurityContext; +import org.springframework.security.core.context.SecurityContextImpl; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * @author Jitendra Singh + * @since 4.2 + */ +public class SecurityContextMixinTests extends AbstractMixinTests { + + // @formatter:off + public static final String SECURITY_CONTEXT_JSON = "{" + + "\"@class\": \"org.springframework.security.core.context.SecurityContextImpl\", " + + "\"authentication\": " + UsernamePasswordAuthenticationTokenMixinTests.AUTHENTICATED_STRINGPRINCIPAL_JSON + + "}"; + // @formatter:on + @Test + public void securityContextSerializeTest() throws JsonProcessingException, JSONException { + SecurityContext context = new SecurityContextImpl(); + context.setAuthentication(UsernamePasswordAuthenticationToken.authenticated("admin", "1234", + Collections.singleton(new SimpleGrantedAuthority("ROLE_USER")))); + String actualJson = this.mapper.writeValueAsString(context); + JSONAssert.assertEquals(SECURITY_CONTEXT_JSON, actualJson, true); + } + + @Test + public void securityContextDeserializeTest() throws IOException { + SecurityContext context = this.mapper.readValue(SECURITY_CONTEXT_JSON, SecurityContextImpl.class); + assertThat(context).isNotNull(); + assertThat(context.getAuthentication()).isNotNull().isInstanceOf(UsernamePasswordAuthenticationToken.class); + assertThat(context.getAuthentication().getPrincipal()).isEqualTo("admin"); + assertThat(context.getAuthentication().getCredentials()).isEqualTo("1234"); + assertThat(context.getAuthentication().isAuthenticated()).isTrue(); + Collection authorities = context.getAuthentication().getAuthorities(); + assertThat(authorities).hasSize(1); + assertThat(authorities).contains(new SimpleGrantedAuthority("ROLE_USER")); + } + +} diff --git a/core/src/test/java/org/springframework/security/jackson/SecurityJacksonModulesTests.java b/core/src/test/java/org/springframework/security/jackson/SecurityJacksonModulesTests.java new file mode 100644 index 0000000000..b8cf960588 --- /dev/null +++ b/core/src/test/java/org/springframework/security/jackson/SecurityJacksonModulesTests.java @@ -0,0 +1,85 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import java.util.List; + +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import org.junit.jupiter.api.Test; +import tools.jackson.databind.JacksonModule; +import tools.jackson.databind.json.JsonMapper; +import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator; + +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.userdetails.User; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * @author Rob Winch + * @since 5.0 + */ +public class SecurityJacksonModulesTests { + + @Test + public void addModulesWithNoTypeValidatorBuilder() { + ClassLoader loader = getClass().getClassLoader(); + List modules = SecurityJacksonModules.getModules(loader); + JsonMapper mapper = JsonMapper.builder().addModules(modules).build(); + User user = new User("user", null, List.of(new SimpleGrantedAuthority("SCOPE_message:read"))); + String json = mapper.writeValueAsString(user); + User deserializedUer = mapper.readerFor(User.class).readValue(json); + assertThat(deserializedUer).isEqualTo(user); + } + + @Test + public void addModulesWithDefaultTypeValidatorBuilder() { + ClassLoader loader = getClass().getClassLoader(); + List modules = SecurityJacksonModules.getModules(loader, + BasicPolymorphicTypeValidator.builder()); + JsonMapper mapper = JsonMapper.builder().addModules(modules).build(); + User user = new User("user", null, List.of(new SimpleGrantedAuthority("SCOPE_message:read"))); + String json = mapper.writeValueAsString(user); + User deserializedUer = mapper.readerFor(User.class).readValue(json); + assertThat(deserializedUer).isEqualTo(user); + } + + @Test + public void addModulesWithCustomTypeValidator() { + ClassLoader loader = getClass().getClassLoader(); + BasicPolymorphicTypeValidator.Builder builder = BasicPolymorphicTypeValidator.builder() + .allowIfSubType(TestGrantedAuthority.class); + List modules = SecurityJacksonModules.getModules(loader, builder); + JsonMapper mapper = JsonMapper.builder().addModules(modules).build(); + User user = new User("user", null, List.of(new TestGrantedAuthority())); + String json = mapper.writeValueAsString(user); + User deserializedUer = mapper.readerFor(User.class).readValue(json); + assertThat(deserializedUer).isEqualTo(user); + } + + @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) + private static class TestGrantedAuthority implements GrantedAuthority { + + @Override + public String getAuthority() { + return "test"; + } + + } + +} diff --git a/core/src/test/java/org/springframework/security/jackson/SimpleGrantedAuthorityMixinTests.java b/core/src/test/java/org/springframework/security/jackson/SimpleGrantedAuthorityMixinTests.java new file mode 100644 index 0000000000..f6db6ade98 --- /dev/null +++ b/core/src/test/java/org/springframework/security/jackson/SimpleGrantedAuthorityMixinTests.java @@ -0,0 +1,67 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import java.io.IOException; + +import com.fasterxml.jackson.core.JsonProcessingException; +import org.json.JSONException; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.databind.exc.ValueInstantiationException; + +import org.springframework.security.core.authority.SimpleGrantedAuthority; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; + +/** + * @author Jitendra Singh + * @since 4.2 + */ +public class SimpleGrantedAuthorityMixinTests extends AbstractMixinTests { + + // @formatter:off + public static final String AUTHORITY_JSON = "{\"@class\": \"org.springframework.security.core.authority.SimpleGrantedAuthority\", \"authority\": \"ROLE_USER\"}"; + public static final String AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.Collections$UnmodifiableRandomAccessList\", [" + AUTHORITY_JSON + "]]"; + public static final String AUTHORITIES_SET_JSON = "[\"java.util.Collections$UnmodifiableSet\", [" + AUTHORITY_JSON + "]]"; + public static final String NO_AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.Collections$UnmodifiableRandomAccessList\", []]"; + public static final String EMPTY_AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.Collections$EmptyList\", []]"; + public static final String NO_AUTHORITIES_SET_JSON = "[\"java.util.Collections$UnmodifiableSet\", []]"; + // @formatter:on + @Test + public void serializeSimpleGrantedAuthorityTest() throws JsonProcessingException, JSONException { + SimpleGrantedAuthority authority = new SimpleGrantedAuthority("ROLE_USER"); + String serializeJson = this.mapper.writeValueAsString(authority); + JSONAssert.assertEquals(AUTHORITY_JSON, serializeJson, true); + } + + @Test + public void deserializeGrantedAuthorityTest() throws IOException { + SimpleGrantedAuthority authority = this.mapper.readValue(AUTHORITY_JSON, SimpleGrantedAuthority.class); + assertThat(authority).isNotNull(); + assertThat(authority.getAuthority()).isNotNull().isEqualTo("ROLE_USER"); + } + + @Test + public void deserializeGrantedAuthorityWithoutRoleTest() throws IOException { + String json = "{\"@class\": \"org.springframework.security.core.authority.SimpleGrantedAuthority\"}"; + assertThatExceptionOfType(ValueInstantiationException.class) + .isThrownBy(() -> this.mapper.readValue(json, SimpleGrantedAuthority.class)); + } + +} diff --git a/core/src/test/java/org/springframework/security/jackson/UnmodifiableMapTests.java b/core/src/test/java/org/springframework/security/jackson/UnmodifiableMapTests.java new file mode 100644 index 0000000000..046b5aebf8 --- /dev/null +++ b/core/src/test/java/org/springframework/security/jackson/UnmodifiableMapTests.java @@ -0,0 +1,54 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import java.util.Collections; +import java.util.Map; + +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; + +import static org.assertj.core.api.Assertions.assertThat; + +class UnmodifiableMapTests extends AbstractMixinTests { + + // @formatter:off + private static final String DEFAULT_MAP_JSON = "{" + + "\"@class\": \"java.util.Collections$UnmodifiableMap\"," + + "\"Key\": \"Value\"" + + "}"; + // @formatter:on + + @Test + void shouldSerialize() throws Exception { + String mapJson = mapper + .writeValueAsString(Collections.unmodifiableMap(Collections.singletonMap("Key", "Value"))); + + JSONAssert.assertEquals(DEFAULT_MAP_JSON, mapJson, true); + } + + @Test + void shouldDeserialize() throws Exception { + Map map = mapper.readValue(DEFAULT_MAP_JSON, + Collections.unmodifiableMap(Collections.emptyMap()).getClass()); + + assertThat(map).isNotNull() + .isInstanceOf(Collections.unmodifiableMap(Collections.emptyMap()).getClass()) + .containsAllEntriesOf(Collections.singletonMap("Key", "Value")); + } + +} diff --git a/core/src/test/java/org/springframework/security/jackson/UserDeserializerTests.java b/core/src/test/java/org/springframework/security/jackson/UserDeserializerTests.java new file mode 100644 index 0000000000..634e5e0e1e --- /dev/null +++ b/core/src/test/java/org/springframework/security/jackson/UserDeserializerTests.java @@ -0,0 +1,129 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import java.io.IOException; +import java.util.Collections; +import java.util.regex.Pattern; + +import com.fasterxml.jackson.core.JsonProcessingException; +import org.json.JSONException; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.databind.exc.MismatchedInputException; +import tools.jackson.databind.json.JsonMapper; +import tools.jackson.databind.node.ObjectNode; + +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.userdetails.User; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; + +/** + * @author Jitendra Singh + * @since 4.2 + */ +public class UserDeserializerTests extends AbstractMixinTests { + + public static final String USER_PASSWORD = "\"1234\""; + + // @formatter:off + public static final String USER_JSON = "{" + + "\"@class\": \"org.springframework.security.core.userdetails.User\", " + + "\"username\": \"admin\"," + + " \"password\": " + USER_PASSWORD + ", " + + "\"accountNonExpired\": true, " + + "\"accountNonLocked\": true, " + + "\"credentialsNonExpired\": true, " + + "\"enabled\": true, " + + "\"authorities\": " + SimpleGrantedAuthorityMixinTests.AUTHORITIES_SET_JSON + + "}"; + // @formatter:on + @Test + public void serializeUserTest() throws JsonProcessingException, JSONException { + User user = createDefaultUser(); + String userJson = this.mapper.writeValueAsString(user); + JSONAssert.assertEquals(userWithPasswordJson(user.getPassword()), userJson, true); + } + + @Test + public void serializeUserWithoutAuthority() throws JsonProcessingException, JSONException { + User user = new User("admin", "1234", Collections.emptyList()); + String userJson = this.mapper.writeValueAsString(user); + JSONAssert.assertEquals(userWithNoAuthoritiesJson(), userJson, true); + } + + @Test + public void deserializeUserWithNullPasswordEmptyAuthorityTest() throws IOException { + String userJsonWithoutPasswordString = USER_JSON.replace(SimpleGrantedAuthorityMixinTests.AUTHORITIES_SET_JSON, + "[]"); + assertThatExceptionOfType(MismatchedInputException.class) + .isThrownBy(() -> this.mapper.readValue(userJsonWithoutPasswordString, User.class)); + } + + @Test + public void deserializeUserWithNullPasswordNoAuthorityTest() throws Exception { + String userJsonWithoutPasswordString = removeNode(userWithNoAuthoritiesJson(), this.mapper, "password"); + User user = this.mapper.readValue(userJsonWithoutPasswordString, User.class); + assertThat(user).isNotNull(); + assertThat(user.getUsername()).isEqualTo("admin"); + assertThat(user.getPassword()).isNull(); + assertThat(user.getAuthorities()).isEmpty(); + assertThat(user.isEnabled()).isEqualTo(true); + } + + @Test + public void deserializeUserWithNoClassIdInAuthoritiesTest() throws Exception { + String userJson = USER_JSON.replace(SimpleGrantedAuthorityMixinTests.AUTHORITIES_SET_JSON, + "[{\"authority\": \"ROLE_USER\"}]"); + assertThatExceptionOfType(MismatchedInputException.class) + .isThrownBy(() -> this.mapper.readValue(userJson, User.class)); + } + + @Test + public void deserializeUserWithClassIdInAuthoritiesTest() { + User user = this.mapper.readValue(userJson(), User.class); + assertThat(user).isNotNull(); + assertThat(user.getUsername()).isEqualTo("admin"); + assertThat(user.getPassword()).isEqualTo("1234"); + assertThat(user.getAuthorities()).hasSize(1).contains(new SimpleGrantedAuthority("ROLE_USER")); + } + + private String removeNode(String json, JsonMapper mapper, String toRemove) throws Exception { + ObjectNode node = mapper.createParser(json).readValueAsTree(); + node.remove(toRemove); + String result = mapper.writeValueAsString(node); + JSONAssert.assertNotEquals(json, result, false); + return result; + } + + public static String userJson() { + return USER_JSON; + } + + public static String userWithPasswordJson(String password) { + return userJson().replaceAll(Pattern.quote(USER_PASSWORD), "\"" + password + "\""); + } + + public static String userWithNoAuthoritiesJson() { + return userJson().replace(SimpleGrantedAuthorityMixinTests.AUTHORITIES_SET_JSON, + SimpleGrantedAuthorityMixinTests.NO_AUTHORITIES_SET_JSON); + } + +} diff --git a/core/src/test/java/org/springframework/security/jackson/UsernamePasswordAuthenticationTokenMixinTests.java b/core/src/test/java/org/springframework/security/jackson/UsernamePasswordAuthenticationTokenMixinTests.java new file mode 100644 index 0000000000..ae9228087d --- /dev/null +++ b/core/src/test/java/org/springframework/security/jackson/UsernamePasswordAuthenticationTokenMixinTests.java @@ -0,0 +1,221 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.jackson; + +import java.io.IOException; +import java.util.ArrayList; + +import com.fasterxml.jackson.annotation.JsonClassDescription; +import com.fasterxml.jackson.annotation.JsonInclude.Include; +import com.fasterxml.jackson.annotation.JsonInclude.Value; +import com.fasterxml.jackson.core.JsonProcessingException; +import org.json.JSONException; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.userdetails.User; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * @author Jitendra Singh + * @author Greg Turnquist + * @author Onur Kagan Ozcan + * @since 4.2 + */ +public class UsernamePasswordAuthenticationTokenMixinTests extends AbstractMixinTests { + + private static final String AUTHENTICATED_JSON = "{" + + "\"@class\": \"org.springframework.security.authentication.UsernamePasswordAuthenticationToken\"," + + "\"principal\": " + UserDeserializerTests.USER_JSON + ", " + "\"credentials\": \"1234\", " + + "\"authenticated\": true, " + "\"details\": null, " + "\"authorities\": " + + SimpleGrantedAuthorityMixinTests.AUTHORITIES_ARRAYLIST_JSON + "}"; + + public static final String AUTHENTICATED_STRINGPRINCIPAL_JSON = AUTHENTICATED_JSON + .replace(UserDeserializerTests.USER_JSON, "\"admin\""); + + private static final String NON_USER_PRINCIPAL_JSON = "{" + + "\"@class\": \"org.springframework.security.jackson.UsernamePasswordAuthenticationTokenMixinTests$NonUserPrincipal\", " + + "\"username\": \"admin\"" + "}"; + + private static final String AUTHENTICATED_STRINGDETAILS_JSON = AUTHENTICATED_JSON.replace("\"details\": null, ", + "\"details\": \"details\", "); + + private static final String AUTHENTICATED_NON_USER_PRINCIPAL_JSON = AUTHENTICATED_JSON + .replace(UserDeserializerTests.USER_JSON, NON_USER_PRINCIPAL_JSON) + .replaceAll(UserDeserializerTests.USER_PASSWORD, "null") + .replace(SimpleGrantedAuthorityMixinTests.AUTHORITIES_ARRAYLIST_JSON, + SimpleGrantedAuthorityMixinTests.NO_AUTHORITIES_ARRAYLIST_JSON); + + private static final String UNAUTHENTICATED_STRINGPRINCIPAL_JSON = AUTHENTICATED_STRINGPRINCIPAL_JSON + .replace("\"authenticated\": true, ", "\"authenticated\": false, ") + .replace(SimpleGrantedAuthorityMixinTests.AUTHORITIES_ARRAYLIST_JSON, + SimpleGrantedAuthorityMixinTests.EMPTY_AUTHORITIES_ARRAYLIST_JSON); + + @Test + public void serializeUnauthenticatedUsernamePasswordAuthenticationTokenMixinTest() + throws JsonProcessingException, JSONException { + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated("admin", + "1234"); + String serializedJson = this.mapper.writeValueAsString(token); + JSONAssert.assertEquals(UNAUTHENTICATED_STRINGPRINCIPAL_JSON, serializedJson, true); + } + + @Test + public void serializeAuthenticatedUsernamePasswordAuthenticationTokenMixinTest() + throws JsonProcessingException, JSONException { + User user = createDefaultUser(); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken + .authenticated(user.getUsername(), user.getPassword(), user.getAuthorities()); + String serializedJson = this.mapper.writeValueAsString(token); + JSONAssert.assertEquals(AUTHENTICATED_STRINGPRINCIPAL_JSON, serializedJson, true); + } + + @Test + public void deserializeUnauthenticatedUsernamePasswordAuthenticationTokenMixinTest() { + UsernamePasswordAuthenticationToken token = this.mapper.readValue(UNAUTHENTICATED_STRINGPRINCIPAL_JSON, + UsernamePasswordAuthenticationToken.class); + assertThat(token).isNotNull(); + assertThat(token.isAuthenticated()).isEqualTo(false); + assertThat(token.getAuthorities()).isNotNull().hasSize(0); + } + + @Test + public void deserializeAuthenticatedUsernamePasswordAuthenticationTokenMixinTest() { + UsernamePasswordAuthenticationToken expectedToken = createToken(); + UsernamePasswordAuthenticationToken token = this.mapper.readValue(AUTHENTICATED_STRINGPRINCIPAL_JSON, + UsernamePasswordAuthenticationToken.class); + assertThat(token).isNotNull(); + assertThat(token.isAuthenticated()).isTrue(); + assertThat(token.getAuthorities()).isEqualTo(expectedToken.getAuthorities()); + } + + @Test + public void serializeAuthenticatedUsernamePasswordAuthenticationTokenMixinWithUserTest() + throws JsonProcessingException, JSONException { + UsernamePasswordAuthenticationToken token = createToken(); + String actualJson = this.mapper.writeValueAsString(token); + JSONAssert.assertEquals(AUTHENTICATED_JSON, actualJson, true); + } + + @Test + public void deserializeAuthenticatedUsernamePasswordAuthenticationTokenWithUserTest() throws IOException { + UsernamePasswordAuthenticationToken token = this.mapper.readValue(AUTHENTICATED_JSON, + UsernamePasswordAuthenticationToken.class); + assertThat(token).isNotNull(); + assertThat(token.getPrincipal()).isNotNull().isInstanceOf(User.class); + assertThat(((User) token.getPrincipal()).getAuthorities()).isNotNull() + .hasSize(1) + .contains(new SimpleGrantedAuthority("ROLE_USER")); + assertThat(token.isAuthenticated()).isEqualTo(true); + assertThat(token.getAuthorities()).hasSize(1).contains(new SimpleGrantedAuthority("ROLE_USER")); + } + + @Test + public void serializeAuthenticatedUsernamePasswordAuthenticationTokenMixinAfterEraseCredentialInvoked() + throws JsonProcessingException, JSONException { + UsernamePasswordAuthenticationToken token = createToken(); + token.eraseCredentials(); + String actualJson = this.mapper.writeValueAsString(token); + JSONAssert.assertEquals(AUTHENTICATED_JSON.replaceAll(UserDeserializerTests.USER_PASSWORD, "null"), actualJson, + true); + } + + @Test + public void serializeAuthenticatedUsernamePasswordAuthenticationTokenMixinWithNonUserPrincipalTest() + throws JsonProcessingException, JSONException { + NonUserPrincipal principal = new NonUserPrincipal(); + principal.setUsername("admin"); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated(principal, null, + new ArrayList<>()); + String actualJson = this.mapper.writeValueAsString(token); + JSONAssert.assertEquals(AUTHENTICATED_NON_USER_PRINCIPAL_JSON, actualJson, true); + } + + @Test + public void deserializeAuthenticatedUsernamePasswordAuthenticationTokenWithNonUserPrincipalTest() + throws IOException { + UsernamePasswordAuthenticationToken token = this.mapper.readValue(AUTHENTICATED_NON_USER_PRINCIPAL_JSON, + UsernamePasswordAuthenticationToken.class); + assertThat(token).isNotNull(); + assertThat(token.getPrincipal()).isNotNull().isInstanceOf(NonUserPrincipal.class); + } + + @Test + public void deserializeAuthenticatedUsernamePasswordAuthenticationTokenWithDetailsTest() { + UsernamePasswordAuthenticationToken token = this.mapper.readValue(AUTHENTICATED_STRINGDETAILS_JSON, + UsernamePasswordAuthenticationToken.class); + assertThat(token).isNotNull(); + assertThat(token.getPrincipal()).isNotNull().isInstanceOf(User.class); + assertThat(((User) token.getPrincipal()).getAuthorities()).isNotNull() + .hasSize(1) + .contains(new SimpleGrantedAuthority("ROLE_USER")); + assertThat(token.isAuthenticated()).isEqualTo(true); + assertThat(token.getAuthorities()).hasSize(1).contains(new SimpleGrantedAuthority("ROLE_USER")); + assertThat(token.getDetails()).isExactlyInstanceOf(String.class).isEqualTo("details"); + } + + @Test + public void serializingThenDeserializingWithNoCredentialsOrDetailsShouldWork() { + UsernamePasswordAuthenticationToken original = UsernamePasswordAuthenticationToken.unauthenticated("Frodo", + null); + String serialized = this.mapper.writeValueAsString(original); + UsernamePasswordAuthenticationToken deserialized = this.mapper.readValue(serialized, + UsernamePasswordAuthenticationToken.class); + assertThat(deserialized).isEqualTo(original); + } + + @Test + public void serializingThenDeserializingWithConfiguredJsontMapperShouldWork() { + JsonMapper jsonMapper = this.mapper.rebuild() + .changeDefaultPropertyInclusion((p) -> Value.construct(Include.NON_ABSENT, Include.NON_ABSENT)) + .build(); + + UsernamePasswordAuthenticationToken original = UsernamePasswordAuthenticationToken.unauthenticated("Frodo", + null); + String serialized = jsonMapper.writeValueAsString(original); + UsernamePasswordAuthenticationToken deserialized = jsonMapper.readValue(serialized, + UsernamePasswordAuthenticationToken.class); + assertThat(deserialized).isEqualTo(original); + } + + private UsernamePasswordAuthenticationToken createToken() { + User user = createDefaultUser(); + UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated(user, + user.getPassword(), user.getAuthorities()); + return token; + } + + @JsonClassDescription + public static class NonUserPrincipal { + + private String username; + + public String getUsername() { + return this.username; + } + + public void setUsername(String username) { + this.username = username; + } + + } + +} diff --git a/docs/modules/ROOT/pages/features/integrations/jackson.adoc b/docs/modules/ROOT/pages/features/integrations/jackson.adoc index 561d23ec6d..d9cfbe6e75 100644 --- a/docs/modules/ROOT/pages/features/integrations/jackson.adoc +++ b/docs/modules/ROOT/pages/features/integrations/jackson.adoc @@ -4,7 +4,7 @@ Spring Security provides Jackson support for persisting Spring Security related classes. This can improve the performance of serializing Spring Security related classes when working with distributed sessions (i.e. session replication, Spring Session, etc). -To use it, register the `SecurityJackson2Modules.getModules(ClassLoader)` with `ObjectMapper` (https://github.com/FasterXML/jackson-databind[jackson-databind]): +To use it, register the `SecurityJacksonModules.getModules(ClassLoader)` with `JsonMapper.Builder` (https://github.com/FasterXML/jackson-databind[jackson-databind]): [tabs] ====== @@ -12,12 +12,12 @@ Java:: + [source,java,role="primary"] ---- -ObjectMapper mapper = new ObjectMapper(); ClassLoader loader = getClass().getClassLoader(); -List modules = SecurityJackson2Modules.getModules(loader); -mapper.registerModules(modules); +JsonMapper mapper = JsonMapper.builder() + .addModules(SecurityJacksonModules.getModules(loader)) + .build(); -// ... use ObjectMapper as normally ... +// ... use JsonMapper as normally ... SecurityContext context = new SecurityContextImpl(); // ... String json = mapper.writeValueAsString(context); @@ -27,12 +27,12 @@ Kotlin:: + [source,kotlin,role="secondary"] ---- -val mapper = ObjectMapper() val loader = javaClass.classLoader -val modules: MutableList = SecurityJackson2Modules.getModules(loader) -mapper.registerModules(modules) +val mapper = JsonMapper.builder() + .addModules(SecurityJacksonModules.getModules(loader)) + .build() -// ... use ObjectMapper as normally ... +// ... use JsonMapper as normally ... val context: SecurityContext = SecurityContextImpl() // ... val json: String = mapper.writeValueAsString(context) @@ -43,8 +43,8 @@ val json: String = mapper.writeValueAsString(context) ==== The following Spring Security modules provide Jackson support: -- spring-security-core (`CoreJackson2Module`) -- spring-security-web (`WebJackson2Module`, `WebServletJackson2Module`, `WebServerJackson2Module`) -- xref:servlet/oauth2/client/index.adoc#oauth2client[ spring-security-oauth2-client] (`OAuth2ClientJackson2Module`) -- spring-security-cas (`CasJackson2Module`) +- spring-security-core (`CoreJacksonModule`) +- spring-security-web (`WebJacksonModule`, `WebServletJacksonModule`, `WebServerJacksonModule`) +- xref:servlet/oauth2/client/index.adoc#oauth2client[ spring-security-oauth2-client] (`OAuth2ClientJacksonModule`) +- spring-security-cas (`CasJacksonModule`) ==== diff --git a/docs/modules/ROOT/pages/servlet/integrations/jackson.adoc b/docs/modules/ROOT/pages/servlet/integrations/jackson.adoc index d8f7eabd52..dc7016edc0 100644 --- a/docs/modules/ROOT/pages/servlet/integrations/jackson.adoc +++ b/docs/modules/ROOT/pages/servlet/integrations/jackson.adoc @@ -4,16 +4,16 @@ Spring Security provides Jackson support for persisting Spring Security-related classes. This can improve the performance of serializing Spring Security-related classes when working with distributed sessions (session replication, Spring Session, and so on). -To use it, register the `SecurityJackson2Modules.getModules(ClassLoader)` with `ObjectMapper` (https://github.com/FasterXML/jackson-databind[jackson-databind]): +To use it, register the `SecurityJacksonModules.getModules(ClassLoader)` with `JsonMapper.Builder` (https://github.com/FasterXML/jackson-databind[jackson-databind]): [source,java] ---- -ObjectMapper mapper = new ObjectMapper(); ClassLoader loader = getClass().getClassLoader(); -List modules = SecurityJackson2Modules.getModules(loader); -mapper.registerModules(modules); +JsonMapper mapper = JsonMapper.builder() + .addModules(SecurityJacksonModules.getModules(loader)) + .build(); -// ... use ObjectMapper as normally ... +// ... use JsonMapper as normally ... SecurityContext context = new SecurityContextImpl(); // ... String json = mapper.writeValueAsString(context); @@ -23,8 +23,8 @@ String json = mapper.writeValueAsString(context); ==== The following Spring Security modules provide Jackson support: -- spring-security-core (javadoc:org.springframework.security.jackson2.CoreJackson2Module[]) -- spring-security-web (javadoc:org.springframework.security.web.jackson2.WebJackson2Module[], javadoc:org.springframework.security.web.jackson2.WebServletJackson2Module[], javadoc:org.springframework.security.web.server.jackson2.WebServerJackson2Module[]) -- <> (javadoc:org.springframework.security.oauth2.client.jackson2.OAuth2ClientJackson2Module[]) -- spring-security-cas (javadoc:org.springframework.security.cas.jackson2.CasJackson2Module[]) +- spring-security-core (javadoc:org.springframework.security.jackson.CoreJacksonModule[]) +- spring-security-web (javadoc:org.springframework.security.web.jackson.WebJacksonModule[], javadoc:org.springframework.security.web.jackson.WebServletJacksonModule[], javadoc:org.springframework.security.web.server.jackson.WebServerJacksonModule[]) +- <> (javadoc:org.springframework.security.oauth2.client.jackson.OAuth2ClientJacksonModule[]) +- spring-security-cas (javadoc:org.springframework.security.cas.jackson.CasJacksonModule[]) ==== diff --git a/ldap/spring-security-ldap.gradle b/ldap/spring-security-ldap.gradle index f4d6abfb32..8c9b39ce81 100644 --- a/ldap/spring-security-ldap.gradle +++ b/ldap/spring-security-ldap.gradle @@ -11,6 +11,7 @@ dependencies { optional 'com.fasterxml.jackson.core:jackson-databind' optional 'ldapsdk:ldapsdk' optional "com.unboundid:unboundid-ldapsdk" + optional 'tools.jackson.core:jackson-databind' api ('org.springframework.ldap:spring-ldap-core') { exclude(group: 'commons-logging', module: 'commons-logging') exclude(group: 'org.springframework', module: 'spring-beans') diff --git a/ldap/src/main/java/org/springframework/security/ldap/jackson/InetOrgPersonMixin.java b/ldap/src/main/java/org/springframework/security/ldap/jackson/InetOrgPersonMixin.java new file mode 100644 index 0000000000..2de4a6db90 --- /dev/null +++ b/ldap/src/main/java/org/springframework/security/ldap/jackson/InetOrgPersonMixin.java @@ -0,0 +1,38 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.ldap.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.ldap.userdetails.InetOrgPerson; + +/** + * This Jackson mixin is used to serialize/deserialize {@link InetOrgPerson}. + * + * @author Sebastien Deleuze + * @since 7.0 + * @see LdapJacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class InetOrgPersonMixin { + +} diff --git a/ldap/src/main/java/org/springframework/security/ldap/jackson/LdapAuthorityMixin.java b/ldap/src/main/java/org/springframework/security/ldap/jackson/LdapAuthorityMixin.java new file mode 100644 index 0000000000..6ec3a3d477 --- /dev/null +++ b/ldap/src/main/java/org/springframework/security/ldap/jackson/LdapAuthorityMixin.java @@ -0,0 +1,47 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.ldap.jackson; + +import java.util.List; +import java.util.Map; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.ldap.userdetails.LdapAuthority; + +/** + * This Jackson mixin is used to serialize/deserialize {@link LdapAuthority}. + * + * @author Sebastien Deleuze + * @since 7.0 + * @see LdapJacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class LdapAuthorityMixin { + + @JsonCreator + LdapAuthorityMixin(@JsonProperty("role") String role, @JsonProperty("dn") String dn, + @JsonProperty("attributes") Map> attributes) { + } + +} diff --git a/ldap/src/main/java/org/springframework/security/ldap/jackson/LdapJacksonModule.java b/ldap/src/main/java/org/springframework/security/ldap/jackson/LdapJacksonModule.java new file mode 100644 index 0000000000..b157733f7e --- /dev/null +++ b/ldap/src/main/java/org/springframework/security/ldap/jackson/LdapJacksonModule.java @@ -0,0 +1,71 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.ldap.jackson; + +import tools.jackson.core.Version; +import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator; + +import org.springframework.security.jackson.SecurityJacksonModule; +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.ldap.userdetails.InetOrgPerson; +import org.springframework.security.ldap.userdetails.LdapAuthority; +import org.springframework.security.ldap.userdetails.LdapUserDetailsImpl; +import org.springframework.security.ldap.userdetails.Person; + +/** + * Jackson module for {@code spring-security-ldap}. This module registers + * {@link LdapAuthorityMixin}, {@link LdapUserDetailsImplMixin}, {@link PersonMixin}, + * {@link InetOrgPersonMixin}. + * + *

+ * The recommended way to configure it is to use {@link SecurityJacksonModules} in order + * to enable properly automatic inclusion of type information with related validation. + * + * 

+ *     ClassLoader loader = getClass().getClassLoader();
+ *     JsonMapper mapper = JsonMapper.builder()
+ * 				.addModules(SecurityJacksonModules.getModules(loader))
+ * 				.build();
+ *
+ * + * @author Sebastien Deleuze + * @since 7.0 + * @see SecurityJacksonModules + */ +@SuppressWarnings("serial") +public class LdapJacksonModule extends SecurityJacksonModule { + + public LdapJacksonModule() { + super(LdapJacksonModule.class.getName(), new Version(1, 0, 0, null, null, null)); + } + + @Override + public void configurePolymorphicTypeValidator(BasicPolymorphicTypeValidator.Builder builder) { + builder.allowIfSubType(InetOrgPerson.class) + .allowIfSubType(LdapUserDetailsImpl.class) + .allowIfSubType(Person.class); + } + + @Override + public void setupModule(SetupContext context) { + context.setMixIn(LdapAuthority.class, LdapAuthorityMixin.class); + context.setMixIn(LdapUserDetailsImpl.class, LdapUserDetailsImplMixin.class); + context.setMixIn(Person.class, PersonMixin.class); + context.setMixIn(InetOrgPerson.class, InetOrgPersonMixin.class); + } + +} diff --git a/ldap/src/main/java/org/springframework/security/ldap/jackson/LdapUserDetailsImplMixin.java b/ldap/src/main/java/org/springframework/security/ldap/jackson/LdapUserDetailsImplMixin.java new file mode 100644 index 0000000000..9fb799dca3 --- /dev/null +++ b/ldap/src/main/java/org/springframework/security/ldap/jackson/LdapUserDetailsImplMixin.java @@ -0,0 +1,38 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.ldap.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.ldap.userdetails.LdapUserDetailsImpl; + +/** + * This Jackson mixin is used to serialize/deserialize {@link LdapUserDetailsImpl}. + * + * @author Sebastien Deleuze + * @since 7.0 + * @see LdapJacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class LdapUserDetailsImplMixin { + +} diff --git a/ldap/src/main/java/org/springframework/security/ldap/jackson/PersonMixin.java b/ldap/src/main/java/org/springframework/security/ldap/jackson/PersonMixin.java new file mode 100644 index 0000000000..8f1e1976ca --- /dev/null +++ b/ldap/src/main/java/org/springframework/security/ldap/jackson/PersonMixin.java @@ -0,0 +1,38 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.ldap.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.ldap.userdetails.Person; + +/** + * This Jackson mixin is used to serialize/deserialize {@link Person}. + * + * @author Sebastien Deleuze + * @since 7.0 + * @see LdapJacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class PersonMixin { + +} diff --git a/ldap/src/main/java/org/springframework/security/ldap/jackson/package-info.java b/ldap/src/main/java/org/springframework/security/ldap/jackson/package-info.java new file mode 100644 index 0000000000..1bab3f9573 --- /dev/null +++ b/ldap/src/main/java/org/springframework/security/ldap/jackson/package-info.java @@ -0,0 +1,20 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * Jackson 3+ serialization support for LDAP. + */ +package org.springframework.security.ldap.jackson; diff --git a/ldap/src/main/java/org/springframework/security/ldap/jackson2/package-info.java b/ldap/src/main/java/org/springframework/security/ldap/jackson2/package-info.java new file mode 100644 index 0000000000..e8a67d9694 --- /dev/null +++ b/ldap/src/main/java/org/springframework/security/ldap/jackson2/package-info.java @@ -0,0 +1,20 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * Jackson 2 serialization support for LDAP. + */ +package org.springframework.security.ldap.jackson2; diff --git a/ldap/src/test/java/org/springframework/security/ldap/jackson/InetOrgPersonMixinTests.java b/ldap/src/test/java/org/springframework/security/ldap/jackson/InetOrgPersonMixinTests.java new file mode 100644 index 0000000000..cbde962dd3 --- /dev/null +++ b/ldap/src/test/java/org/springframework/security/ldap/jackson/InetOrgPersonMixinTests.java @@ -0,0 +1,194 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.ldap.jackson; + +import org.json.JSONException; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.core.JacksonException; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.ldap.core.DirContextAdapter; +import org.springframework.ldap.support.LdapNameBuilder; +import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.ldap.userdetails.InetOrgPerson; +import org.springframework.security.ldap.userdetails.InetOrgPersonContextMapper; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; + +/** + * Tests for {@link org.springframework.security.ldap.jackson.InetOrgPersonMixin}. + */ +public class InetOrgPersonMixinTests { + + private static final String USER_PASSWORD = "Password1234"; + + private static final String AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.Collections$UnmodifiableRandomAccessList\", []]"; + + // @formatter:off + private static final String INET_ORG_PERSON_JSON = "{\n" + + "\"@class\": \"org.springframework.security.ldap.userdetails.InetOrgPerson\"," + + "\"dn\": \"ignored=ignored\"," + + "\"uid\": \"ghengis\"," + + "\"username\": \"ghengis\"," + + "\"password\": \"" + USER_PASSWORD + "\"," + + "\"carLicense\": \"HORS1\"," + + "\"givenName\": \"Ghengis\"," + + "\"destinationIndicator\": \"West\"," + + "\"displayName\": \"Ghengis McCann\"," + + "\"givenName\": \"Ghengis\"," + + "\"homePhone\": \"+467575436521\"," + + "\"initials\": \"G\"," + + "\"employeeNumber\": \"00001\"," + + "\"homePostalAddress\": \"Steppes\"," + + "\"mail\": \"ghengis@mongolia\"," + + "\"mobile\": \"always\"," + + "\"o\": \"Hordes\"," + + "\"ou\": \"Horde1\"," + + "\"postalAddress\": \"On the Move\"," + + "\"postalCode\": \"Changes Frequently\"," + + "\"roomNumber\": \"Yurt 1\"," + + "\"sn\": \"Khan\"," + + "\"street\": \"Westward Avenue\"," + + "\"telephoneNumber\": \"+442075436521\"," + + "\"departmentNumber\": \"5679\"," + + "\"title\": \"T\"," + + "\"cn\": [\"java.util.Arrays$ArrayList\",[\"Ghengis Khan\"]]," + + "\"description\": \"Scary\"," + + "\"accountNonExpired\": true, " + + "\"accountNonLocked\": true, " + + "\"credentialsNonExpired\": true, " + + "\"enabled\": true, " + + "\"authorities\": " + AUTHORITIES_ARRAYLIST_JSON + "," + + "\"graceLoginsRemaining\": " + Integer.MAX_VALUE + "," + + "\"timeBeforeExpiration\": " + Integer.MAX_VALUE + + "}"; + // @formatter:on + + private JsonMapper mapper; + + @BeforeEach + public void setup() { + ClassLoader loader = getClass().getClassLoader(); + this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build(); + } + + @Test + public void serializeWhenMixinRegisteredThenSerializes() throws Exception { + InetOrgPersonContextMapper mapper = new InetOrgPersonContextMapper(); + InetOrgPerson p = (InetOrgPerson) mapper.mapUserFromContext(createUserContext(), "ghengis", + AuthorityUtils.NO_AUTHORITIES); + + String json = this.mapper.writeValueAsString(p); + JSONAssert.assertEquals(INET_ORG_PERSON_JSON, json, true); + } + + @Test + public void serializeWhenEraseCredentialInvokedThenUserPasswordIsNull() throws JacksonException, JSONException { + InetOrgPersonContextMapper mapper = new InetOrgPersonContextMapper(); + InetOrgPerson p = (InetOrgPerson) mapper.mapUserFromContext(createUserContext(), "ghengis", + AuthorityUtils.NO_AUTHORITIES); + p.eraseCredentials(); + String actualJson = this.mapper.writeValueAsString(p); + JSONAssert.assertEquals(INET_ORG_PERSON_JSON.replaceAll("\"" + USER_PASSWORD + "\"", "null"), actualJson, true); + } + + @Test + public void deserializeWhenMixinNotRegisteredThenThrowJsonProcessingException() { + assertThatExceptionOfType(JacksonException.class) + .isThrownBy(() -> new JsonMapper().readValue(INET_ORG_PERSON_JSON, InetOrgPerson.class)); + } + + @Test + public void deserializeWhenMixinRegisteredThenDeserializes() throws Exception { + InetOrgPersonContextMapper mapper = new InetOrgPersonContextMapper(); + InetOrgPerson expectedAuthentication = (InetOrgPerson) mapper.mapUserFromContext(createUserContext(), "ghengis", + AuthorityUtils.NO_AUTHORITIES); + + InetOrgPerson authentication = this.mapper.readValue(INET_ORG_PERSON_JSON, InetOrgPerson.class); + assertThat(authentication.getAuthorities()).containsExactlyElementsOf(expectedAuthentication.getAuthorities()); + assertThat(authentication.getCarLicense()).isEqualTo(expectedAuthentication.getCarLicense()); + assertThat(authentication.getDepartmentNumber()).isEqualTo(expectedAuthentication.getDepartmentNumber()); + assertThat(authentication.getDestinationIndicator()) + .isEqualTo(expectedAuthentication.getDestinationIndicator()); + assertThat(authentication.getDn()).isEqualTo(expectedAuthentication.getDn()); + assertThat(authentication.getDescription()).isEqualTo(expectedAuthentication.getDescription()); + assertThat(authentication.getDisplayName()).isEqualTo(expectedAuthentication.getDisplayName()); + assertThat(authentication.getUid()).isEqualTo(expectedAuthentication.getUid()); + assertThat(authentication.getUsername()).isEqualTo(expectedAuthentication.getUsername()); + assertThat(authentication.getPassword()).isEqualTo(expectedAuthentication.getPassword()); + assertThat(authentication.getHomePhone()).isEqualTo(expectedAuthentication.getHomePhone()); + assertThat(authentication.getEmployeeNumber()).isEqualTo(expectedAuthentication.getEmployeeNumber()); + assertThat(authentication.getHomePostalAddress()).isEqualTo(expectedAuthentication.getHomePostalAddress()); + assertThat(authentication.getInitials()).isEqualTo(expectedAuthentication.getInitials()); + assertThat(authentication.getMail()).isEqualTo(expectedAuthentication.getMail()); + assertThat(authentication.getMobile()).isEqualTo(expectedAuthentication.getMobile()); + assertThat(authentication.getO()).isEqualTo(expectedAuthentication.getO()); + assertThat(authentication.getOu()).isEqualTo(expectedAuthentication.getOu()); + assertThat(authentication.getPostalAddress()).isEqualTo(expectedAuthentication.getPostalAddress()); + assertThat(authentication.getPostalCode()).isEqualTo(expectedAuthentication.getPostalCode()); + assertThat(authentication.getRoomNumber()).isEqualTo(expectedAuthentication.getRoomNumber()); + assertThat(authentication.getStreet()).isEqualTo(expectedAuthentication.getStreet()); + assertThat(authentication.getSn()).isEqualTo(expectedAuthentication.getSn()); + assertThat(authentication.getTitle()).isEqualTo(expectedAuthentication.getTitle()); + assertThat(authentication.getGivenName()).isEqualTo(expectedAuthentication.getGivenName()); + assertThat(authentication.getTelephoneNumber()).isEqualTo(expectedAuthentication.getTelephoneNumber()); + assertThat(authentication.getGraceLoginsRemaining()) + .isEqualTo(expectedAuthentication.getGraceLoginsRemaining()); + assertThat(authentication.getTimeBeforeExpiration()) + .isEqualTo(expectedAuthentication.getTimeBeforeExpiration()); + assertThat(authentication.isAccountNonExpired()).isEqualTo(expectedAuthentication.isAccountNonExpired()); + assertThat(authentication.isAccountNonLocked()).isEqualTo(expectedAuthentication.isAccountNonLocked()); + assertThat(authentication.isEnabled()).isEqualTo(expectedAuthentication.isEnabled()); + assertThat(authentication.isCredentialsNonExpired()) + .isEqualTo(expectedAuthentication.isCredentialsNonExpired()); + } + + private DirContextAdapter createUserContext() { + DirContextAdapter ctx = new DirContextAdapter(); + ctx.setDn(LdapNameBuilder.newInstance("ignored=ignored").build()); + ctx.setAttributeValue("uid", "ghengis"); + ctx.setAttributeValue("userPassword", USER_PASSWORD); + ctx.setAttributeValue("carLicense", "HORS1"); + ctx.setAttributeValue("cn", "Ghengis Khan"); + ctx.setAttributeValue("description", "Scary"); + ctx.setAttributeValue("destinationIndicator", "West"); + ctx.setAttributeValue("displayName", "Ghengis McCann"); + ctx.setAttributeValue("givenName", "Ghengis"); + ctx.setAttributeValue("homePhone", "+467575436521"); + ctx.setAttributeValue("initials", "G"); + ctx.setAttributeValue("employeeNumber", "00001"); + ctx.setAttributeValue("homePostalAddress", "Steppes"); + ctx.setAttributeValue("mail", "ghengis@mongolia"); + ctx.setAttributeValue("mobile", "always"); + ctx.setAttributeValue("o", "Hordes"); + ctx.setAttributeValue("ou", "Horde1"); + ctx.setAttributeValue("postalAddress", "On the Move"); + ctx.setAttributeValue("postalCode", "Changes Frequently"); + ctx.setAttributeValue("roomNumber", "Yurt 1"); + ctx.setAttributeValue("sn", "Khan"); + ctx.setAttributeValue("street", "Westward Avenue"); + ctx.setAttributeValue("telephoneNumber", "+442075436521"); + ctx.setAttributeValue("departmentNumber", "5679"); + ctx.setAttributeValue("title", "T"); + return ctx; + } + +} diff --git a/ldap/src/test/java/org/springframework/security/ldap/jackson/LdapUserDetailsImplMixinTests.java b/ldap/src/test/java/org/springframework/security/ldap/jackson/LdapUserDetailsImplMixinTests.java new file mode 100644 index 0000000000..26cd4b3f3a --- /dev/null +++ b/ldap/src/test/java/org/springframework/security/ldap/jackson/LdapUserDetailsImplMixinTests.java @@ -0,0 +1,124 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.ldap.jackson; + +import org.json.JSONException; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.core.JacksonException; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.ldap.core.DirContextAdapter; +import org.springframework.ldap.support.LdapNameBuilder; +import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.ldap.userdetails.LdapUserDetailsImpl; +import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; + +/** + * Tests for {@link org.springframework.security.ldap.jackson.LdapUserDetailsImplMixin}. + */ +public class LdapUserDetailsImplMixinTests { + + private static final String USER_PASSWORD = "Password1234"; + + private static final String AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.Collections$UnmodifiableRandomAccessList\", []]"; + + // @formatter:off + private static final String USER_JSON = "{" + + "\"@class\": \"org.springframework.security.ldap.userdetails.LdapUserDetailsImpl\", " + + "\"dn\": \"ignored=ignored\"," + + "\"username\": \"ghengis\"," + + "\"password\": \"" + USER_PASSWORD + "\"," + + "\"accountNonExpired\": true, " + + "\"accountNonLocked\": true, " + + "\"credentialsNonExpired\": true, " + + "\"enabled\": true, " + + "\"authorities\": " + AUTHORITIES_ARRAYLIST_JSON + "," + + "\"graceLoginsRemaining\": " + Integer.MAX_VALUE + "," + + "\"timeBeforeExpiration\": " + Integer.MAX_VALUE + + "}"; + // @formatter:on + + private JsonMapper mapper; + + @BeforeEach + public void setup() { + ClassLoader loader = getClass().getClassLoader(); + this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build(); + } + + @Test + public void serializeWhenMixinRegisteredThenSerializes() throws Exception { + LdapUserDetailsMapper mapper = new LdapUserDetailsMapper(); + LdapUserDetailsImpl p = (LdapUserDetailsImpl) mapper.mapUserFromContext(createUserContext(), "ghengis", + AuthorityUtils.NO_AUTHORITIES); + + String json = this.mapper.writeValueAsString(p); + JSONAssert.assertEquals(USER_JSON, json, true); + } + + @Test + public void serializeWhenEraseCredentialInvokedThenUserPasswordIsNull() throws JacksonException, JSONException { + LdapUserDetailsMapper mapper = new LdapUserDetailsMapper(); + LdapUserDetailsImpl p = (LdapUserDetailsImpl) mapper.mapUserFromContext(createUserContext(), "ghengis", + AuthorityUtils.NO_AUTHORITIES); + p.eraseCredentials(); + String actualJson = this.mapper.writeValueAsString(p); + JSONAssert.assertEquals(USER_JSON.replaceAll("\"" + USER_PASSWORD + "\"", "null"), actualJson, true); + } + + @Test + public void deserializeWhenMixinNotRegisteredThenThrowJsonProcessingException() { + assertThatExceptionOfType(JacksonException.class) + .isThrownBy(() -> new JsonMapper().readValue(USER_JSON, LdapUserDetailsImpl.class)); + } + + @Test + public void deserializeWhenMixinRegisteredThenDeserializes() throws Exception { + LdapUserDetailsMapper mapper = new LdapUserDetailsMapper(); + LdapUserDetailsImpl expectedAuthentication = (LdapUserDetailsImpl) mapper + .mapUserFromContext(createUserContext(), "ghengis", AuthorityUtils.NO_AUTHORITIES); + + LdapUserDetailsImpl authentication = this.mapper.readValue(USER_JSON, LdapUserDetailsImpl.class); + assertThat(authentication.getAuthorities()).containsExactlyElementsOf(expectedAuthentication.getAuthorities()); + assertThat(authentication.getDn()).isEqualTo(expectedAuthentication.getDn()); + assertThat(authentication.getUsername()).isEqualTo(expectedAuthentication.getUsername()); + assertThat(authentication.getPassword()).isEqualTo(expectedAuthentication.getPassword()); + assertThat(authentication.getGraceLoginsRemaining()) + .isEqualTo(expectedAuthentication.getGraceLoginsRemaining()); + assertThat(authentication.getTimeBeforeExpiration()) + .isEqualTo(expectedAuthentication.getTimeBeforeExpiration()); + assertThat(authentication.isAccountNonExpired()).isEqualTo(expectedAuthentication.isAccountNonExpired()); + assertThat(authentication.isAccountNonLocked()).isEqualTo(expectedAuthentication.isAccountNonLocked()); + assertThat(authentication.isEnabled()).isEqualTo(expectedAuthentication.isEnabled()); + assertThat(authentication.isCredentialsNonExpired()) + .isEqualTo(expectedAuthentication.isCredentialsNonExpired()); + } + + private DirContextAdapter createUserContext() { + DirContextAdapter ctx = new DirContextAdapter(); + ctx.setDn(LdapNameBuilder.newInstance("ignored=ignored").build()); + ctx.setAttributeValue("userPassword", USER_PASSWORD); + return ctx; + } + +} diff --git a/ldap/src/test/java/org/springframework/security/ldap/jackson/PersonMixinTests.java b/ldap/src/test/java/org/springframework/security/ldap/jackson/PersonMixinTests.java new file mode 100644 index 0000000000..48ccf940a7 --- /dev/null +++ b/ldap/src/test/java/org/springframework/security/ldap/jackson/PersonMixinTests.java @@ -0,0 +1,137 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.ldap.jackson; + +import org.json.JSONException; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.core.JacksonException; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.ldap.core.DirContextAdapter; +import org.springframework.ldap.support.LdapNameBuilder; +import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.ldap.userdetails.Person; +import org.springframework.security.ldap.userdetails.PersonContextMapper; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; + +/** + * Tests for {@link org.springframework.security.ldap.jackson.PersonMixin}. + */ +@SuppressWarnings("removal") +public class PersonMixinTests { + + private static final String USER_PASSWORD = "Password1234"; + + private static final String AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.Collections$UnmodifiableRandomAccessList\", []]"; + + // @formatter:off + private static final String PERSON_JSON = "{" + + "\"@class\": \"org.springframework.security.ldap.userdetails.Person\", " + + "\"dn\": \"ignored=ignored\"," + + "\"username\": \"ghengis\"," + + "\"password\": \"" + USER_PASSWORD + "\"," + + "\"givenName\": \"Ghengis\"," + + "\"sn\": \"Khan\"," + + "\"cn\": [\"java.util.Arrays$ArrayList\",[\"Ghengis Khan\"]]," + + "\"description\": \"Scary\"," + + "\"telephoneNumber\": \"+442075436521\"," + + "\"accountNonExpired\": true, " + + "\"accountNonLocked\": true, " + + "\"credentialsNonExpired\": true, " + + "\"enabled\": true, " + + "\"authorities\": " + AUTHORITIES_ARRAYLIST_JSON + "," + + "\"graceLoginsRemaining\": " + Integer.MAX_VALUE + "," + + "\"timeBeforeExpiration\": " + Integer.MAX_VALUE + + "}"; + // @formatter:on + + private JsonMapper mapper; + + @BeforeEach + public void setup() { + ClassLoader loader = getClass().getClassLoader(); + this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build(); + } + + @Test + public void serializeWhenMixinRegisteredThenSerializes() throws Exception { + PersonContextMapper mapper = new PersonContextMapper(); + Person p = (Person) mapper.mapUserFromContext(createUserContext(), "ghengis", AuthorityUtils.NO_AUTHORITIES); + + String json = this.mapper.writeValueAsString(p); + JSONAssert.assertEquals(PERSON_JSON, json, true); + } + + @Test + public void serializeWhenEraseCredentialInvokedThenUserPasswordIsNull() throws JacksonException, JSONException { + PersonContextMapper mapper = new PersonContextMapper(); + Person p = (Person) mapper.mapUserFromContext(createUserContext(), "ghengis", AuthorityUtils.NO_AUTHORITIES); + p.eraseCredentials(); + String actualJson = this.mapper.writeValueAsString(p); + JSONAssert.assertEquals(PERSON_JSON.replaceAll("\"" + USER_PASSWORD + "\"", "null"), actualJson, true); + } + + @Test + public void deserializeWhenMixinNotRegisteredThenThrowJsonProcessingException() { + assertThatExceptionOfType(JacksonException.class) + .isThrownBy(() -> new JsonMapper().readValue(PERSON_JSON, Person.class)); + } + + @Test + public void deserializeWhenMixinRegisteredThenDeserializes() throws Exception { + PersonContextMapper mapper = new PersonContextMapper(); + Person expectedAuthentication = (Person) mapper.mapUserFromContext(createUserContext(), "ghengis", + AuthorityUtils.NO_AUTHORITIES); + + Person authentication = this.mapper.readValue(PERSON_JSON, Person.class); + assertThat(authentication.getAuthorities()).containsExactlyElementsOf(expectedAuthentication.getAuthorities()); + assertThat(authentication.getDn()).isEqualTo(expectedAuthentication.getDn()); + assertThat(authentication.getDescription()).isEqualTo(expectedAuthentication.getDescription()); + assertThat(authentication.getUsername()).isEqualTo(expectedAuthentication.getUsername()); + assertThat(authentication.getPassword()).isEqualTo(expectedAuthentication.getPassword()); + assertThat(authentication.getSn()).isEqualTo(expectedAuthentication.getSn()); + assertThat(authentication.getGivenName()).isEqualTo(expectedAuthentication.getGivenName()); + assertThat(authentication.getTelephoneNumber()).isEqualTo(expectedAuthentication.getTelephoneNumber()); + assertThat(authentication.getGraceLoginsRemaining()) + .isEqualTo(expectedAuthentication.getGraceLoginsRemaining()); + assertThat(authentication.getTimeBeforeExpiration()) + .isEqualTo(expectedAuthentication.getTimeBeforeExpiration()); + assertThat(authentication.isAccountNonExpired()).isEqualTo(expectedAuthentication.isAccountNonExpired()); + assertThat(authentication.isAccountNonLocked()).isEqualTo(expectedAuthentication.isAccountNonLocked()); + assertThat(authentication.isEnabled()).isEqualTo(expectedAuthentication.isEnabled()); + assertThat(authentication.isCredentialsNonExpired()) + .isEqualTo(expectedAuthentication.isCredentialsNonExpired()); + } + + private DirContextAdapter createUserContext() { + DirContextAdapter ctx = new DirContextAdapter(); + ctx.setDn(LdapNameBuilder.newInstance("ignored=ignored").build()); + ctx.setAttributeValue("userPassword", USER_PASSWORD); + ctx.setAttributeValue("cn", "Ghengis Khan"); + ctx.setAttributeValue("description", "Scary"); + ctx.setAttributeValue("givenName", "Ghengis"); + ctx.setAttributeValue("sn", "Khan"); + ctx.setAttributeValue("telephoneNumber", "+442075436521"); + return ctx; + } + +} diff --git a/oauth2/oauth2-authorization-server/spring-security-oauth2-authorization-server.gradle b/oauth2/oauth2-authorization-server/spring-security-oauth2-authorization-server.gradle index ba2da37a3c..beb19bd536 100644 --- a/oauth2/oauth2-authorization-server/spring-security-oauth2-authorization-server.gradle +++ b/oauth2/oauth2-authorization-server/spring-security-oauth2-authorization-server.gradle @@ -11,10 +11,11 @@ dependencies { exclude group: "commons-logging", module: "commons-logging" } api "com.nimbusds:nimbus-jose-jwt" - api "com.fasterxml.jackson.core:jackson-databind" + api 'tools.jackson.core:jackson-databind' optional "com.fasterxml.jackson.datatype:jackson-datatype-jsr310" optional "org.springframework:spring-jdbc" + optional "com.fasterxml.jackson.core:jackson-databind" testImplementation project(":spring-security-test") testImplementation project(path : ':spring-security-oauth2-jose', configuration : 'tests') diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationService.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationService.java index f23b1ff147..eb0aa4f531 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationService.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationService.java @@ -33,13 +33,15 @@ import java.util.Set; import java.util.function.Function; -import com.fasterxml.jackson.core.type.TypeReference; +import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.Module; import com.fasterxml.jackson.databind.ObjectMapper; +import tools.jackson.databind.json.JsonMapper; import org.springframework.aot.hint.RuntimeHints; import org.springframework.aot.hint.RuntimeHintsRegistrar; import org.springframework.context.annotation.ImportRuntimeHints; +import org.springframework.core.ParameterizedTypeReference; import org.springframework.core.io.ClassPathResource; import org.springframework.dao.DataRetrievalFailureException; import org.springframework.jdbc.core.ArgumentPreparedStatementSetter; @@ -64,8 +66,10 @@ import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames; import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository; +import org.springframework.security.oauth2.server.authorization.jackson.OAuth2AuthorizationServerJacksonModule; import org.springframework.security.oauth2.server.authorization.jackson2.OAuth2AuthorizationServerJackson2Module; import org.springframework.util.Assert; +import org.springframework.util.ClassUtils; import org.springframework.util.CollectionUtils; import org.springframework.util.StringUtils; @@ -469,16 +473,12 @@ public static class OAuth2AuthorizationRowMapper implements RowMapper securityModules = SecurityJackson2Modules.getModules(classLoader); - this.objectMapper.registerModules(securityModules); - this.objectMapper.registerModule(new OAuth2AuthorizationServerJackson2Module()); } @Override @@ -623,9 +623,9 @@ public final void setLobHandler(LobHandler lobHandler) { this.lobHandler = lobHandler; } - public final void setObjectMapper(ObjectMapper objectMapper) { - Assert.notNull(objectMapper, "objectMapper cannot be null"); - this.objectMapper = objectMapper; + public final void setMapper(Mapper mapper) { + Assert.notNull(mapper, "objectMapper cannot be null"); + this.mapper = mapper; } protected final RegisteredClientRepository getRegisteredClientRepository() { @@ -636,13 +636,13 @@ protected final LobHandler getLobHandler() { return this.lobHandler; } - protected final ObjectMapper getObjectMapper() { - return this.objectMapper; + protected final Mapper getMapper() { + return this.mapper; } private Map parseMap(String data) { try { - return this.objectMapper.readValue(data, new TypeReference<>() { + return this.mapper.readValue(data, new ParameterizedTypeReference<>() { }); } catch (Exception ex) { @@ -659,13 +659,10 @@ private Map parseMap(String data) { public static class OAuth2AuthorizationParametersMapper implements Function> { - private ObjectMapper objectMapper = new ObjectMapper(); + private Mapper mapper = (ClassUtils.isPresent("tools.jackson.databind.json.JsonMapper", + OAuth2AuthorizationRowMapper.class.getClassLoader())) ? new JacksonDelegate() : new Jackson2Delegate(); public OAuth2AuthorizationParametersMapper() { - ClassLoader classLoader = JdbcOAuth2AuthorizationService.class.getClassLoader(); - List securityModules = SecurityJackson2Modules.getModules(classLoader); - this.objectMapper.registerModules(securityModules); - this.objectMapper.registerModule(new OAuth2AuthorizationServerJackson2Module()); } @Override @@ -737,13 +734,13 @@ public List apply(OAuth2Authorization authorization) { return parameters; } - public final void setObjectMapper(ObjectMapper objectMapper) { - Assert.notNull(objectMapper, "objectMapper cannot be null"); - this.objectMapper = objectMapper; + public final void setMapper(Mapper mapper) { + Assert.notNull(mapper, "mapper cannot be null"); + this.mapper = mapper; } - protected final ObjectMapper getObjectMapper() { - return this.objectMapper; + protected final Mapper getMapper() { + return this.mapper; } private List toSqlParameterList(String tokenColumnName, @@ -774,7 +771,7 @@ private List toSqlParameterList(Strin private String writeMap(Map data) { try { - return this.objectMapper.writeValueAsString(data); + return this.mapper.writeValueAsString(data); } catch (Exception ex) { throw new IllegalArgumentException(ex.getMessage(), ex); @@ -851,4 +848,74 @@ public void registerHints(RuntimeHints hints, ClassLoader classLoader) { } + public interface Mapper { + + String writeValueAsString(Object data); + + T readValue(String value, ParameterizedTypeReference typeReference); + + } + + @SuppressWarnings("removal") + public static class Jackson2Delegate implements Mapper { + + private final ObjectMapper objectMapper = new ObjectMapper(); + + public Jackson2Delegate() { + ClassLoader classLoader = Jackson2Delegate.class.getClassLoader(); + List securityModules = SecurityJackson2Modules.getModules(classLoader); + this.objectMapper.registerModules(securityModules); + this.objectMapper.registerModule(new OAuth2AuthorizationServerJackson2Module()); + } + + @Override + public String writeValueAsString(Object data) { + try { + return this.objectMapper.writeValueAsString(data); + } + catch (JsonProcessingException ex) { + throw new IllegalArgumentException(ex.getMessage(), ex); + } + } + + @Override + public T readValue(String value, ParameterizedTypeReference typeReference) { + try { + com.fasterxml.jackson.databind.JavaType javaType = this.objectMapper.getTypeFactory() + .constructType(typeReference.getType()); + return this.objectMapper.readValue(value, javaType); + } + catch (JsonProcessingException ex) { + throw new IllegalArgumentException(ex.getMessage(), ex); + } + } + + } + + public static class JacksonDelegate implements Mapper { + + private final JsonMapper jsonMapper; + + public JacksonDelegate() { + this.jsonMapper = JsonMapper.builder().addModules(new OAuth2AuthorizationServerJacksonModule()).build(); + } + + public JacksonDelegate(JsonMapper.Builder builder) { + this.jsonMapper = builder.addModules(new OAuth2AuthorizationServerJacksonModule()).build(); + } + + @Override + public String writeValueAsString(Object data) { + return this.jsonMapper.writeValueAsString(data); + } + + @Override + public T readValue(String value, ParameterizedTypeReference typeReference) { + tools.jackson.databind.JavaType javaType = this.jsonMapper.getTypeFactory() + .constructType(typeReference.getType()); + return this.jsonMapper.readValue(value, javaType); + } + + } + } diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/JsonNodeUtils.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/JsonNodeUtils.java new file mode 100644 index 0000000000..84301d1e01 --- /dev/null +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/JsonNodeUtils.java @@ -0,0 +1,66 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.server.authorization.jackson; + +import java.util.Map; +import java.util.Set; + +import tools.jackson.core.type.TypeReference; +import tools.jackson.databind.DeserializationContext; +import tools.jackson.databind.JsonNode; + +/** + * Utility class for {@code JsonNode}. + * + * @author Joe Grandja + * @since 7.0 + */ +abstract class JsonNodeUtils { + + static final TypeReference> STRING_SET = new TypeReference<>() { + }; + + static final TypeReference> STRING_OBJECT_MAP = new TypeReference<>() { + }; + + static String findStringValue(JsonNode jsonNode, String fieldName) { + if (jsonNode == null) { + return null; + } + JsonNode value = jsonNode.findValue(fieldName); + return (value != null && value.isString()) ? value.stringValue() : null; + } + + static T findValue(JsonNode jsonNode, String fieldName, TypeReference valueTypeReference, + DeserializationContext context) { + if (jsonNode == null) { + return null; + } + JsonNode value = jsonNode.findValue(fieldName); + return (value != null && value.isContainer()) + ? context.readTreeAsValue(value, context.getTypeFactory().constructType(valueTypeReference)) : null; + } + + static JsonNode findObjectNode(JsonNode jsonNode, String fieldName) { + if (jsonNode == null) { + return null; + } + JsonNode value = jsonNode.findValue(fieldName); + return (value != null && value.isObject()) ? value : null; + } + +} diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/JwsAlgorithmMixin.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/JwsAlgorithmMixin.java new file mode 100644 index 0000000000..610ff73a77 --- /dev/null +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/JwsAlgorithmMixin.java @@ -0,0 +1,36 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.server.authorization.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm; + +/** + * This mixin class is used to serialize/deserialize {@link SignatureAlgorithm}. + * + * @author Joe Grandja + * @since 7.0 + * @see SignatureAlgorithm + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class JwsAlgorithmMixin { + +} diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2AuthorizationRequestDeserializer.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2AuthorizationRequestDeserializer.java new file mode 100644 index 0000000000..ce1e55df80 --- /dev/null +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2AuthorizationRequestDeserializer.java @@ -0,0 +1,77 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.server.authorization.jackson; + +import tools.jackson.core.JsonParser; +import tools.jackson.databind.DeserializationContext; +import tools.jackson.databind.JsonNode; +import tools.jackson.databind.ValueDeserializer; +import tools.jackson.databind.exc.InvalidFormatException; + +import org.springframework.security.oauth2.core.AuthorizationGrantType; +import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; +import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest.Builder; + +/** + * A {@code JsonDeserializer} for {@link OAuth2AuthorizationRequest}. + * + * @author Joe Grandja + * @since 7.0 + * @see OAuth2AuthorizationRequest + * @see OAuth2AuthorizationRequestMixin + */ +final class OAuth2AuthorizationRequestDeserializer extends ValueDeserializer { + + @Override + public OAuth2AuthorizationRequest deserialize(JsonParser parser, DeserializationContext context) { + JsonNode root = context.readTree(parser); + return deserialize(parser, context, root); + } + + private OAuth2AuthorizationRequest deserialize(JsonParser parser, DeserializationContext context, JsonNode root) { + AuthorizationGrantType authorizationGrantType = convertAuthorizationGrantType( + JsonNodeUtils.findObjectNode(root, "authorizationGrantType")); + Builder builder = getBuilder(parser, authorizationGrantType); + builder.authorizationUri(JsonNodeUtils.findStringValue(root, "authorizationUri")); + builder.clientId(JsonNodeUtils.findStringValue(root, "clientId")); + builder.redirectUri(JsonNodeUtils.findStringValue(root, "redirectUri")); + builder.scopes(JsonNodeUtils.findValue(root, "scopes", JsonNodeUtils.STRING_SET, context)); + builder.state(JsonNodeUtils.findStringValue(root, "state")); + builder.additionalParameters( + JsonNodeUtils.findValue(root, "additionalParameters", JsonNodeUtils.STRING_OBJECT_MAP, context)); + builder.authorizationRequestUri(JsonNodeUtils.findStringValue(root, "authorizationRequestUri")); + builder.attributes(JsonNodeUtils.findValue(root, "attributes", JsonNodeUtils.STRING_OBJECT_MAP, context)); + return builder.build(); + } + + private Builder getBuilder(JsonParser parser, AuthorizationGrantType authorizationGrantType) { + if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationGrantType)) { + return OAuth2AuthorizationRequest.authorizationCode(); + } + throw new InvalidFormatException(parser, "Invalid authorizationGrantType", authorizationGrantType, + AuthorizationGrantType.class); + } + + private static AuthorizationGrantType convertAuthorizationGrantType(JsonNode jsonNode) { + String value = JsonNodeUtils.findStringValue(jsonNode, "value"); + if (AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equalsIgnoreCase(value)) { + return AuthorizationGrantType.AUTHORIZATION_CODE; + } + return null; + } + +} diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2AuthorizationRequestMixin.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2AuthorizationRequestMixin.java new file mode 100644 index 0000000000..c451f8cf2d --- /dev/null +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2AuthorizationRequestMixin.java @@ -0,0 +1,40 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.server.authorization.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import tools.jackson.databind.annotation.JsonDeserialize; + +import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; + +/** + * This mixin class is used to serialize/deserialize {@link OAuth2AuthorizationRequest}. + * It also registers a custom deserializer {@link OAuth2AuthorizationRequestDeserializer}. + * + * @author Joe Grandja + * @since 7.0 + * @see OAuth2AuthorizationRequest + * @see OAuth2AuthorizationRequestDeserializer + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonDeserialize(using = OAuth2AuthorizationRequestDeserializer.class) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class OAuth2AuthorizationRequestMixin { + +} diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2AuthorizationServerJacksonModule.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2AuthorizationServerJacksonModule.java new file mode 100644 index 0000000000..fd8b1b8d6a --- /dev/null +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2AuthorizationServerJacksonModule.java @@ -0,0 +1,95 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.server.authorization.jackson; + +import java.net.URL; + +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import tools.jackson.core.Version; +import tools.jackson.databind.DefaultTyping; +import tools.jackson.databind.cfg.MapperBuilder; +import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator; + +import org.springframework.security.jackson.CoreJacksonModule; +import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; +import org.springframework.security.oauth2.jose.jws.MacAlgorithm; +import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm; +import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeActor; +import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeCompositeAuthenticationToken; +import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat; + +/** + * Jackson {@code Module} for {@code spring-security-oauth2-authorization-server}, that + * registers the following mix-in annotations: + * + *
    + *
  • {@link OAuth2TokenExchangeActor}
    • + *
  • {@link OAuth2AuthorizationRequestMixin}
    • + *
  • {@link OAuth2TokenExchangeCompositeAuthenticationTokenMixin}
    • + *
  • {@link JwsAlgorithmMixin}
    • + *
  • {@link OAuth2TokenFormatMixin}
    • + *
+ * + * If not already enabled, default typing will be automatically enabled as type info is + * required to properly serialize/deserialize objects. In order to use this module just + * add it to your {@code JsonMapper.Builder} configuration. + * + * 
+ *     JsonMapper mapper = JsonMapper.builder()
+ *             .addModules(new OAuth2AuthorizationServerJacksonModule()).build;
+ *
+ * + * @author Sebastien Deleuze + * @author Steve Riesenberg + * @since 7.0 + */ +@SuppressWarnings("serial") +public class OAuth2AuthorizationServerJacksonModule extends CoreJacksonModule { + + public OAuth2AuthorizationServerJacksonModule() { + super(OAuth2AuthorizationServerJacksonModule.class.getName(), new Version(1, 0, 0, null, null, null)); + } + + @Override + public void configurePolymorphicTypeValidator(BasicPolymorphicTypeValidator.Builder builder) { + super.configurePolymorphicTypeValidator(builder); + builder.allowIfSubType(OAuth2TokenFormat.class) + .allowIfSubType(OAuth2TokenExchangeActor.class) + .allowIfSubType(OAuth2TokenExchangeCompositeAuthenticationToken.class) + .allowIfSubType(SignatureAlgorithm.class) + .allowIfSubType(MacAlgorithm.class) + .allowIfSubType(OAuth2AuthorizationRequest.class) + .allowIfSubType(URL.class); + } + + @Override + public void setupModule(SetupContext context) { + super.setupModule(context); + BasicPolymorphicTypeValidator.Builder builder = BasicPolymorphicTypeValidator.builder(); + this.configurePolymorphicTypeValidator(builder); + ((MapperBuilder) context.getOwner()).activateDefaultTyping(builder.build(), DefaultTyping.NON_FINAL, + JsonTypeInfo.As.PROPERTY); + context.setMixIn(OAuth2TokenExchangeActor.class, OAuth2TokenExchangeActorMixin.class); + context.setMixIn(OAuth2AuthorizationRequest.class, OAuth2AuthorizationRequestMixin.class); + context.setMixIn(OAuth2TokenExchangeCompositeAuthenticationToken.class, + OAuth2TokenExchangeCompositeAuthenticationTokenMixin.class); + context.setMixIn(SignatureAlgorithm.class, JwsAlgorithmMixin.class); + context.setMixIn(MacAlgorithm.class, JwsAlgorithmMixin.class); + context.setMixIn(OAuth2TokenFormat.class, OAuth2TokenFormatMixin.class); + } + +} diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2TokenExchangeActorMixin.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2TokenExchangeActorMixin.java new file mode 100644 index 0000000000..0e81cd1060 --- /dev/null +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2TokenExchangeActorMixin.java @@ -0,0 +1,44 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.server.authorization.jackson; + +import java.util.Map; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeActor; + +/** + * This mixin class is used to serialize/deserialize {@link OAuth2TokenExchangeActor}. + * + * @author Steve Riesenberg + * @since 7.0 + * @see OAuth2TokenExchangeActor + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.NONE) +abstract class OAuth2TokenExchangeActorMixin { + + @JsonCreator + OAuth2TokenExchangeActorMixin(@JsonProperty("claims") Map claims) { + } + +} diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2TokenExchangeCompositeAuthenticationTokenMixin.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2TokenExchangeCompositeAuthenticationTokenMixin.java new file mode 100644 index 0000000000..a9d802ce77 --- /dev/null +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2TokenExchangeCompositeAuthenticationTokenMixin.java @@ -0,0 +1,47 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.server.authorization.jackson; + +import java.util.List; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.core.Authentication; +import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeCompositeAuthenticationToken; + +/** + * This mixin class is used to serialize/deserialize + * {@link OAuth2TokenExchangeCompositeAuthenticationToken}. + * + * @author Steve Riesenberg + * @since 7.0 + * @see OAuth2TokenExchangeCompositeAuthenticationToken + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.NONE) +abstract class OAuth2TokenExchangeCompositeAuthenticationTokenMixin { + + @JsonCreator + OAuth2TokenExchangeCompositeAuthenticationTokenMixin(@JsonProperty("subject") Authentication subject, + @JsonProperty("actors") List actors) { + } + +} diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2TokenFormatMixin.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2TokenFormatMixin.java new file mode 100644 index 0000000000..6a21ce580d --- /dev/null +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2TokenFormatMixin.java @@ -0,0 +1,42 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.server.authorization.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat; + +/** + * This mixin class is used to serialize/deserialize {@link OAuth2TokenFormat}. + * + * @author Joe Grandja + * @since 7.0 + * @see OAuth2TokenFormat + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class OAuth2TokenFormatMixin { + + @JsonCreator + OAuth2TokenFormatMixin(@JsonProperty("value") String value) { + } + +} diff --git a/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationServiceTests.java b/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationServiceTests.java index d56518e0dd..1f83dfc0f0 100644 --- a/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationServiceTests.java +++ b/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationServiceTests.java @@ -29,11 +29,11 @@ import java.util.Set; import java.util.function.Function; -import com.fasterxml.jackson.core.type.TypeReference; import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; +import org.springframework.core.ParameterizedTypeReference; import org.springframework.dao.DataRetrievalFailureException; import org.springframework.jdbc.core.ArgumentPreparedStatementSetter; import org.springframework.jdbc.core.JdbcOperations; @@ -747,7 +747,7 @@ public OAuth2Authorization mapRow(ResultSet rs, int rowNum) throws SQLException private Map parseMap(String data) { try { - return getObjectMapper().readValue(data, new TypeReference<>() { + return getMapper().readValue(data, new ParameterizedTypeReference<>() { }); } catch (Exception ex) { @@ -852,7 +852,7 @@ private List toSqlParameterList( private String writeMap(Map data) { try { - return getObjectMapper().writeValueAsString(data); + return getMapper().writeValueAsString(data); } catch (Exception ex) { throw new IllegalArgumentException(ex.getMessage(), ex); diff --git a/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/client/JdbcRegisteredClientRepositoryTests.java b/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/client/JdbcRegisteredClientRepositoryTests.java index cbd30b6079..922c0c4e0a 100644 --- a/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/client/JdbcRegisteredClientRepositoryTests.java +++ b/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/client/JdbcRegisteredClientRepositoryTests.java @@ -365,6 +365,7 @@ private RegisteredClient findBy(String filter, Object... args) { return !result.isEmpty() ? result.get(0) : null; } + @SuppressWarnings("removal") private static final class CustomRegisteredClientRowMapper implements RowMapper { private final ObjectMapper objectMapper = new ObjectMapper(); diff --git a/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2AuthorizationServerJacksonModuleTests.java b/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2AuthorizationServerJacksonModuleTests.java new file mode 100644 index 0000000000..00b3cb8662 --- /dev/null +++ b/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson/OAuth2AuthorizationServerJacksonModuleTests.java @@ -0,0 +1,112 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.server.authorization.jackson; + +import java.security.Principal; +import java.util.List; +import java.util.Map; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import tools.jackson.core.type.TypeReference; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.Authentication; +import org.springframework.security.oauth2.jose.jws.MacAlgorithm; +import org.springframework.security.oauth2.jwt.JwtClaimNames; +import org.springframework.security.oauth2.server.authorization.OAuth2Authorization; +import org.springframework.security.oauth2.server.authorization.TestOAuth2Authorizations; +import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeActor; +import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeCompositeAuthenticationToken; +import org.springframework.security.oauth2.server.authorization.jackson2.OAuth2AuthorizationServerJackson2Module; +import org.springframework.security.oauth2.server.authorization.settings.ClientSettings; +import org.springframework.security.oauth2.server.authorization.settings.TokenSettings; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * Tests for {@link OAuth2AuthorizationServerJackson2Module}. + * + * @author Steve Riesenberg + * @author Joe Grandja + */ +@SuppressWarnings("removal") +public class OAuth2AuthorizationServerJacksonModuleTests { + + private static final TypeReference> STRING_OBJECT_MAP = new TypeReference<>() { + }; + + private JsonMapper mapper; + + @BeforeEach + public void setup() { + this.mapper = JsonMapper.builder().addModules(new OAuth2AuthorizationServerJacksonModule()).build(); + } + + @Test + public void readValueWhenOAuth2AuthorizationAttributesThenSuccess() { + Authentication principal = new UsernamePasswordAuthenticationToken("principal", "credentials"); + OAuth2Authorization authorization = TestOAuth2Authorizations.authorization() + .attributes((attrs) -> attrs.put(Principal.class.getName(), principal)) + .build(); + Map attributes = authorization.getAttributes(); + String json = this.mapper.writeValueAsString(attributes); + assertThat(this.mapper.readValue(json, STRING_OBJECT_MAP)).isEqualTo(attributes); + } + + @Test + public void readValueWhenOAuth2AccessTokenMetadataThenSuccess() { + OAuth2Authorization authorization = TestOAuth2Authorizations.authorization().build(); + Map metadata = authorization.getAccessToken().getMetadata(); + String json = this.mapper.writeValueAsString(metadata); + assertThat(this.mapper.readValue(json, STRING_OBJECT_MAP)).isEqualTo(metadata); + } + + @Test + public void readValueWhenClientSettingsThenSuccess() { + ClientSettings clientSettings = ClientSettings.builder() + .tokenEndpointAuthenticationSigningAlgorithm(MacAlgorithm.HS256) + .build(); + Map clientSettingsMap = clientSettings.getSettings(); + String json = this.mapper.writeValueAsString(clientSettingsMap); + assertThat(this.mapper.readValue(json, STRING_OBJECT_MAP)).isEqualTo(clientSettingsMap); + } + + @Test + public void readValueWhenTokenSettingsThenSuccess() { + TokenSettings tokenSettings = TokenSettings.builder().build(); + Map tokenSettingsMap = tokenSettings.getSettings(); + String json = this.mapper.writeValueAsString(tokenSettingsMap); + assertThat(this.mapper.readValue(json, STRING_OBJECT_MAP)).isEqualTo(tokenSettingsMap); + } + + @Test + public void readValueWhenOAuth2TokenExchangeCompositeAuthenticationTokenThenSuccess() { + Authentication subject = new UsernamePasswordAuthenticationToken("principal", "credentials"); + OAuth2TokenExchangeActor actor1 = new OAuth2TokenExchangeActor( + Map.of(JwtClaimNames.ISS, "issuer-1", JwtClaimNames.SUB, "actor1")); + OAuth2TokenExchangeActor actor2 = new OAuth2TokenExchangeActor( + Map.of(JwtClaimNames.ISS, "issuer-2", JwtClaimNames.SUB, "actor2")); + OAuth2TokenExchangeCompositeAuthenticationToken authentication = new OAuth2TokenExchangeCompositeAuthenticationToken( + subject, List.of(actor1, actor2)); + String json = this.mapper.writeValueAsString(authentication); + assertThat(this.mapper.readValue(json, OAuth2TokenExchangeCompositeAuthenticationToken.class)) + .isEqualTo(authentication); + } + +} diff --git a/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson/TestingAuthenticationTokenMixin.java b/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson/TestingAuthenticationTokenMixin.java new file mode 100644 index 0000000000..bc0a70212a --- /dev/null +++ b/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson/TestingAuthenticationTokenMixin.java @@ -0,0 +1,49 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.server.authorization.jackson; + +import java.util.List; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.authentication.TestingAuthenticationToken; +import org.springframework.security.core.GrantedAuthority; + +/** + * This mixin class is used to serialize/deserialize {@link TestingAuthenticationToken}. + * + * @author Steve Riesenberg + * @since 7.0 + * @see TestingAuthenticationToken + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +@JsonIgnoreProperties(value = { "authenticated" }, ignoreUnknown = true) +public class TestingAuthenticationTokenMixin { + + @JsonCreator + TestingAuthenticationTokenMixin(@JsonProperty("principal") Object principal, + @JsonProperty("credentials") Object credentials, + @JsonProperty("authorities") List authorities) { + } + +} diff --git a/oauth2/oauth2-client/spring-security-oauth2-client.gradle b/oauth2/oauth2-client/spring-security-oauth2-client.gradle index 11b6c91f0a..1d0dcc6f79 100644 --- a/oauth2/oauth2-client/spring-security-oauth2-client.gradle +++ b/oauth2/oauth2-client/spring-security-oauth2-client.gradle @@ -15,6 +15,7 @@ dependencies { optional 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310' optional 'org.springframework:spring-jdbc' optional 'org.springframework:spring-r2dbc' + optional 'tools.jackson.core:jackson-databind' testImplementation project(path: ':spring-security-oauth2-core', configuration: 'tests') testImplementation project(path: ':spring-security-oauth2-jose', configuration: 'tests') diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/ClientRegistrationDeserializer.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/ClientRegistrationDeserializer.java new file mode 100644 index 0000000000..cabe8ac870 --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/ClientRegistrationDeserializer.java @@ -0,0 +1,76 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import tools.jackson.core.JsonParser; +import tools.jackson.databind.DeserializationContext; +import tools.jackson.databind.JsonNode; +import tools.jackson.databind.ValueDeserializer; +import tools.jackson.databind.util.StdConverter; + +import org.springframework.security.oauth2.client.registration.ClientRegistration; +import org.springframework.security.oauth2.core.AuthenticationMethod; +import org.springframework.security.oauth2.core.AuthorizationGrantType; +import org.springframework.security.oauth2.core.ClientAuthenticationMethod; + +/** + * A {@code JsonDeserializer} for {@link ClientRegistration}. + * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0 + * @see ClientRegistration + * @see ClientRegistrationMixin + */ +final class ClientRegistrationDeserializer extends ValueDeserializer { + + private static final StdConverter CLIENT_AUTHENTICATION_METHOD_CONVERTER = new StdConverters.ClientAuthenticationMethodConverter(); + + private static final StdConverter AUTHORIZATION_GRANT_TYPE_CONVERTER = new StdConverters.AuthorizationGrantTypeConverter(); + + private static final StdConverter AUTHENTICATION_METHOD_CONVERTER = new StdConverters.AuthenticationMethodConverter(); + + @Override + public ClientRegistration deserialize(JsonParser parser, DeserializationContext context) { + JsonNode clientRegistrationNode = context.readTree(parser); + JsonNode providerDetailsNode = JsonNodeUtils.findObjectNode(clientRegistrationNode, "providerDetails"); + JsonNode userInfoEndpointNode = JsonNodeUtils.findObjectNode(providerDetailsNode, "userInfoEndpoint"); + return ClientRegistration + .withRegistrationId(JsonNodeUtils.findStringValue(clientRegistrationNode, "registrationId")) + .clientId(JsonNodeUtils.findStringValue(clientRegistrationNode, "clientId")) + .clientSecret(JsonNodeUtils.findStringValue(clientRegistrationNode, "clientSecret")) + .clientAuthenticationMethod(CLIENT_AUTHENTICATION_METHOD_CONVERTER + .convert(JsonNodeUtils.findObjectNode(clientRegistrationNode, "clientAuthenticationMethod"))) + .authorizationGrantType(AUTHORIZATION_GRANT_TYPE_CONVERTER + .convert(JsonNodeUtils.findObjectNode(clientRegistrationNode, "authorizationGrantType"))) + .redirectUri(JsonNodeUtils.findStringValue(clientRegistrationNode, "redirectUri")) + .scope(JsonNodeUtils.findValue(clientRegistrationNode, "scopes", JsonNodeUtils.STRING_SET, context)) + .clientName(JsonNodeUtils.findStringValue(clientRegistrationNode, "clientName")) + .authorizationUri(JsonNodeUtils.findStringValue(providerDetailsNode, "authorizationUri")) + .tokenUri(JsonNodeUtils.findStringValue(providerDetailsNode, "tokenUri")) + .userInfoUri(JsonNodeUtils.findStringValue(userInfoEndpointNode, "uri")) + .userInfoAuthenticationMethod(AUTHENTICATION_METHOD_CONVERTER + .convert(JsonNodeUtils.findObjectNode(userInfoEndpointNode, "authenticationMethod"))) + .userNameAttributeName(JsonNodeUtils.findStringValue(userInfoEndpointNode, "userNameAttributeName")) + .jwkSetUri(JsonNodeUtils.findStringValue(providerDetailsNode, "jwkSetUri")) + .issuerUri(JsonNodeUtils.findStringValue(providerDetailsNode, "issuerUri")) + .providerConfigurationMetadata(JsonNodeUtils.findValue(providerDetailsNode, "configurationMetadata", + JsonNodeUtils.STRING_OBJECT_MAP, context)) + .build(); + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/ClientRegistrationMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/ClientRegistrationMixin.java new file mode 100644 index 0000000000..01a92682d2 --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/ClientRegistrationMixin.java @@ -0,0 +1,42 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import tools.jackson.databind.annotation.JsonDeserialize; + +import org.springframework.security.oauth2.client.registration.ClientRegistration; + +/** + * This mixin class is used to serialize/deserialize {@link ClientRegistration}. It also + * registers a custom deserializer {@link ClientRegistrationDeserializer}. + * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0 + * @see ClientRegistration + * @see ClientRegistrationDeserializer + * @see OAuth2ClientJacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonDeserialize(using = ClientRegistrationDeserializer.class) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class ClientRegistrationMixin { + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/DefaultOAuth2UserMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/DefaultOAuth2UserMixin.java new file mode 100644 index 0000000000..e02a6514d7 --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/DefaultOAuth2UserMixin.java @@ -0,0 +1,50 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import java.util.Collection; +import java.util.Map; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.oauth2.core.user.DefaultOAuth2User; + +/** + * This mixin class is used to serialize/deserialize {@link DefaultOAuth2User}. + * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0 + * @see DefaultOAuth2User + * @see OAuth2ClientJacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class DefaultOAuth2UserMixin { + + @JsonCreator + DefaultOAuth2UserMixin(@JsonProperty("authorities") Collection authorities, + @JsonProperty("attributes") Map attributes, + @JsonProperty("nameAttributeKey") String nameAttributeKey) { + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/DefaultOidcUserMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/DefaultOidcUserMixin.java new file mode 100644 index 0000000000..173f3d20d8 --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/DefaultOidcUserMixin.java @@ -0,0 +1,53 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import java.util.Collection; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.oauth2.core.oidc.OidcIdToken; +import org.springframework.security.oauth2.core.oidc.OidcUserInfo; +import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser; + +/** + * This mixin class is used to serialize/deserialize {@link DefaultOidcUser}. + * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0 + * @see DefaultOidcUser + * @see OAuth2ClientJacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +@JsonIgnoreProperties({ "attributes" }) +abstract class DefaultOidcUserMixin { + + @JsonCreator + DefaultOidcUserMixin(@JsonProperty("authorities") Collection authorities, + @JsonProperty("idToken") OidcIdToken idToken, @JsonProperty("userInfo") OidcUserInfo userInfo, + @JsonProperty("nameAttributeKey") String nameAttributeKey) { + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/JsonNodeUtils.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/JsonNodeUtils.java new file mode 100644 index 0000000000..4f181aabb1 --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/JsonNodeUtils.java @@ -0,0 +1,67 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import java.util.Map; +import java.util.Set; + +import tools.jackson.core.type.TypeReference; +import tools.jackson.databind.DeserializationContext; +import tools.jackson.databind.JsonNode; + +/** + * Utility class for {@code JsonNode}. + * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0 + */ +abstract class JsonNodeUtils { + + static final TypeReference> STRING_SET = new TypeReference<>() { + }; + + static final TypeReference> STRING_OBJECT_MAP = new TypeReference<>() { + }; + + static String findStringValue(JsonNode jsonNode, String fieldName) { + if (jsonNode == null) { + return null; + } + JsonNode value = jsonNode.findValue(fieldName); + return (value != null && value.isString()) ? value.stringValue() : null; + } + + static T findValue(JsonNode jsonNode, String fieldName, TypeReference valueTypeReference, + DeserializationContext context) { + if (jsonNode == null) { + return null; + } + JsonNode value = jsonNode.findValue(fieldName); + return (value != null && value.isContainer()) + ? context.readTreeAsValue(value, context.getTypeFactory().constructType(valueTypeReference)) : null; + } + + static JsonNode findObjectNode(JsonNode jsonNode, String fieldName) { + if (jsonNode == null) { + return null; + } + JsonNode value = jsonNode.findValue(fieldName); + return (value != null && value.isObject()) ? value : null; + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AccessTokenMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AccessTokenMixin.java new file mode 100644 index 0000000000..1f91943f5b --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AccessTokenMixin.java @@ -0,0 +1,52 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import java.time.Instant; +import java.util.Set; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import tools.jackson.databind.annotation.JsonDeserialize; + +import org.springframework.security.oauth2.core.OAuth2AccessToken; + +/** + * This mixin class is used to serialize/deserialize {@link OAuth2AccessToken}. + * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0 + * @see OAuth2AccessToken + * @see OAuth2ClientJacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class OAuth2AccessTokenMixin { + + @JsonCreator + OAuth2AccessTokenMixin( + @JsonProperty("tokenType") @JsonDeserialize( + converter = StdConverters.AccessTokenTypeConverter.class) OAuth2AccessToken.TokenType tokenType, + @JsonProperty("tokenValue") String tokenValue, @JsonProperty("issuedAt") Instant issuedAt, + @JsonProperty("expiresAt") Instant expiresAt, @JsonProperty("scopes") Set scopes) { + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthenticationExceptionMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthenticationExceptionMixin.java new file mode 100644 index 0000000000..1da1259f62 --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthenticationExceptionMixin.java @@ -0,0 +1,56 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.oauth2.core.OAuth2AuthenticationException; +import org.springframework.security.oauth2.core.OAuth2Error; + +/** + * This mixin class is used to serialize/deserialize + * {@link OAuth2AuthenticationException}. + * + * @author Sebastien Deleuze + * @author Dennis Neufeld + * @author Steve Riesenberg + * @since 7.0 + * @see OAuth2AuthenticationException + * @see OAuth2ClientJacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.NONE, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +@JsonIgnoreProperties({ "cause", "stackTrace", "suppressedExceptions" }) +abstract class OAuth2AuthenticationExceptionMixin { + + @JsonProperty("error") + abstract OAuth2Error getError(); + + @JsonProperty("detailMessage") + abstract String getMessage(); + + @JsonCreator + OAuth2AuthenticationExceptionMixin(@JsonProperty("error") OAuth2Error error, + @JsonProperty("detailMessage") String message) { + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthenticationTokenMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthenticationTokenMixin.java new file mode 100644 index 0000000000..51f3333263 --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthenticationTokenMixin.java @@ -0,0 +1,52 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import java.util.Collection; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken; +import org.springframework.security.oauth2.core.user.OAuth2User; + +/** + * This mixin class is used to serialize/deserialize {@link OAuth2AuthenticationToken}. + * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0O + * @see OAuth2AuthenticationToken + * @see OAuth2ClientJacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +@JsonIgnoreProperties({ "authenticated" }) +abstract class OAuth2AuthenticationTokenMixin { + + @JsonCreator + OAuth2AuthenticationTokenMixin(@JsonProperty("principal") OAuth2User principal, + @JsonProperty("authorities") Collection authorities, + @JsonProperty("authorizedClientRegistrationId") String authorizedClientRegistrationId) { + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizationRequestDeserializer.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizationRequestDeserializer.java new file mode 100644 index 0000000000..786207e68e --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizationRequestDeserializer.java @@ -0,0 +1,72 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import tools.jackson.core.JsonParser; +import tools.jackson.core.exc.StreamReadException; +import tools.jackson.databind.DeserializationContext; +import tools.jackson.databind.JsonNode; +import tools.jackson.databind.ValueDeserializer; +import tools.jackson.databind.util.StdConverter; + +import org.springframework.security.oauth2.core.AuthorizationGrantType; +import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; +import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest.Builder; + +/** + * A {@code JsonDeserializer} for {@link OAuth2AuthorizationRequest}. + * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0 + * @see OAuth2AuthorizationRequest + * @see OAuth2AuthorizationRequestMixin + */ +final class OAuth2AuthorizationRequestDeserializer extends ValueDeserializer { + + private static final StdConverter AUTHORIZATION_GRANT_TYPE_CONVERTER = new StdConverters.AuthorizationGrantTypeConverter(); + + @Override + public OAuth2AuthorizationRequest deserialize(JsonParser parser, DeserializationContext context) { + JsonNode root = context.readTree(parser); + return deserialize(parser, context, root); + } + + private OAuth2AuthorizationRequest deserialize(JsonParser parser, DeserializationContext context, JsonNode root) { + AuthorizationGrantType authorizationGrantType = AUTHORIZATION_GRANT_TYPE_CONVERTER + .convert(JsonNodeUtils.findObjectNode(root, "authorizationGrantType")); + Builder builder = getBuilder(parser, authorizationGrantType); + builder.authorizationUri(JsonNodeUtils.findStringValue(root, "authorizationUri")); + builder.clientId(JsonNodeUtils.findStringValue(root, "clientId")); + builder.redirectUri(JsonNodeUtils.findStringValue(root, "redirectUri")); + builder.scopes(JsonNodeUtils.findValue(root, "scopes", JsonNodeUtils.STRING_SET, context)); + builder.state(JsonNodeUtils.findStringValue(root, "state")); + builder.additionalParameters( + JsonNodeUtils.findValue(root, "additionalParameters", JsonNodeUtils.STRING_OBJECT_MAP, context)); + builder.authorizationRequestUri(JsonNodeUtils.findStringValue(root, "authorizationRequestUri")); + builder.attributes(JsonNodeUtils.findValue(root, "attributes", JsonNodeUtils.STRING_OBJECT_MAP, context)); + return builder.build(); + } + + private Builder getBuilder(JsonParser parser, AuthorizationGrantType authorizationGrantType) { + if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationGrantType)) { + return OAuth2AuthorizationRequest.authorizationCode(); + } + throw new StreamReadException(parser, "Invalid authorizationGrantType"); + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizationRequestMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizationRequestMixin.java new file mode 100644 index 0000000000..cfb52f3fdc --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizationRequestMixin.java @@ -0,0 +1,42 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import tools.jackson.databind.annotation.JsonDeserialize; + +import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; + +/** + * This mixin class is used to serialize/deserialize {@link OAuth2AuthorizationRequest}. + * It also registers a custom deserializer {@link OAuth2AuthorizationRequestDeserializer}. + * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0 + * @see OAuth2AuthorizationRequest + * @see OAuth2AuthorizationRequestDeserializer + * @see OAuth2ClientJacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonDeserialize(using = OAuth2AuthorizationRequestDeserializer.class) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class OAuth2AuthorizationRequestMixin { + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizedClientMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizedClientMixin.java new file mode 100644 index 0000000000..d1dba7a6d7 --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizedClientMixin.java @@ -0,0 +1,50 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.oauth2.client.OAuth2AuthorizedClient; +import org.springframework.security.oauth2.client.registration.ClientRegistration; +import org.springframework.security.oauth2.core.OAuth2AccessToken; +import org.springframework.security.oauth2.core.OAuth2RefreshToken; + +/** + * This mixin class is used to serialize/deserialize {@link OAuth2AuthorizedClient}. + * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0 + * @see OAuth2AuthorizedClient + * @see OAuth2ClientJacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class OAuth2AuthorizedClientMixin { + + @JsonCreator + OAuth2AuthorizedClientMixin(@JsonProperty("clientRegistration") ClientRegistration clientRegistration, + @JsonProperty("principalName") String principalName, + @JsonProperty("accessToken") OAuth2AccessToken accessToken, + @JsonProperty("refreshToken") OAuth2RefreshToken refreshToken) { + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2ClientJacksonModule.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2ClientJacksonModule.java new file mode 100644 index 0000000000..0d27b4eec1 --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2ClientJacksonModule.java @@ -0,0 +1,118 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import tools.jackson.core.Version; +import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator; + +import org.springframework.security.jackson.SecurityJacksonModule; +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.oauth2.client.OAuth2AuthorizedClient; +import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken; +import org.springframework.security.oauth2.client.registration.ClientRegistration; +import org.springframework.security.oauth2.core.OAuth2AccessToken; +import org.springframework.security.oauth2.core.OAuth2AuthenticationException; +import org.springframework.security.oauth2.core.OAuth2Error; +import org.springframework.security.oauth2.core.OAuth2RefreshToken; +import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; +import org.springframework.security.oauth2.core.oidc.OidcIdToken; +import org.springframework.security.oauth2.core.oidc.OidcUserInfo; +import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser; +import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority; +import org.springframework.security.oauth2.core.user.DefaultOAuth2User; +import org.springframework.security.oauth2.core.user.OAuth2UserAuthority; + +/** + * Jackson {@code Module} for {@code spring-security-oauth2-client}, that registers the + * following mix-in annotations: + * + *
    + *
  • {@link OAuth2AuthorizationRequestMixin}
    • + *
  • {@link ClientRegistrationMixin}
    • + *
  • {@link OAuth2AccessTokenMixin}
    • + *
  • {@link OAuth2RefreshTokenMixin}
    • + *
  • {@link OAuth2AuthorizedClientMixin}
    • + *
  • {@link OAuth2UserAuthorityMixin}
    • + *
  • {@link DefaultOAuth2UserMixin}
    • + *
  • {@link OidcIdTokenMixin}
    • + *
  • {@link OidcUserInfoMixin}
    • + *
  • {@link OidcUserAuthorityMixin}
    • + *
  • {@link DefaultOidcUserMixin}
    • + *
  • {@link OAuth2AuthenticationTokenMixin}
    • + *
  • {@link OAuth2AuthenticationExceptionMixin}
    • + *
  • {@link OAuth2ErrorMixin}
    • + *
+ * + *

+ * The recommended way to configure it is to use {@link SecurityJacksonModules} in order + * to enable properly automatic inclusion of type information with related validation. + * + * 

+ *     ClassLoader loader = getClass().getClassLoader();
+ *     JsonMapper mapper = JsonMapper.builder()
+ * 				.addModules(SecurityJacksonModules.getModules(loader))
+ * 				.build();
+ *
+ * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0 + */ +@SuppressWarnings("serial") +public class OAuth2ClientJacksonModule extends SecurityJacksonModule { + + public OAuth2ClientJacksonModule() { + super(OAuth2ClientJacksonModule.class.getName(), new Version(1, 0, 0, null, null, null)); + } + + @Override + public void configurePolymorphicTypeValidator(BasicPolymorphicTypeValidator.Builder builder) { + builder.allowIfSubType(OAuth2AuthenticationException.class) + .allowIfSubType(DefaultOidcUser.class) + .allowIfSubType(OAuth2AuthorizationRequest.class) + .allowIfSubType(OAuth2Error.class) + .allowIfSubType(OAuth2AuthorizedClient.class) + .allowIfSubType(OidcIdToken.class) + .allowIfSubType(OidcUserInfo.class) + .allowIfSubType(DefaultOAuth2User.class) + .allowIfSubType(ClientRegistration.class) + .allowIfSubType(OAuth2AccessToken.class) + .allowIfSubType(OAuth2RefreshToken.class) + .allowIfSubType(OAuth2AuthenticationToken.class) + .allowIfSubType(OidcUserAuthority.class) + .allowIfSubType(OAuth2UserAuthority.class); + } + + @Override + public void setupModule(SetupContext context) { + context.setMixIn(OAuth2AuthorizationRequest.class, OAuth2AuthorizationRequestMixin.class); + context.setMixIn(ClientRegistration.class, ClientRegistrationMixin.class); + context.setMixIn(OAuth2AccessToken.class, OAuth2AccessTokenMixin.class); + context.setMixIn(OAuth2RefreshToken.class, OAuth2RefreshTokenMixin.class); + context.setMixIn(OAuth2AuthorizedClient.class, OAuth2AuthorizedClientMixin.class); + context.setMixIn(OAuth2UserAuthority.class, OAuth2UserAuthorityMixin.class); + context.setMixIn(DefaultOAuth2User.class, DefaultOAuth2UserMixin.class); + context.setMixIn(OidcIdToken.class, OidcIdTokenMixin.class); + context.setMixIn(OidcUserInfo.class, OidcUserInfoMixin.class); + context.setMixIn(OidcUserAuthority.class, OidcUserAuthorityMixin.class); + context.setMixIn(DefaultOidcUser.class, DefaultOidcUserMixin.class); + context.setMixIn(OAuth2AuthenticationToken.class, OAuth2AuthenticationTokenMixin.class); + context.setMixIn(OAuth2AuthenticationException.class, OAuth2AuthenticationExceptionMixin.class); + context.setMixIn(OAuth2Error.class, OAuth2ErrorMixin.class); + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2ErrorMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2ErrorMixin.java new file mode 100644 index 0000000000..53c07c7f97 --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2ErrorMixin.java @@ -0,0 +1,47 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.oauth2.core.OAuth2Error; + +/** + * This mixin class is used to serialize/deserialize {@link OAuth2Error} as part of + * {@link org.springframework.security.oauth2.core.OAuth2AuthenticationException}. + * + * @author Sebastien Deleuze + * @author Dennis Neufeld + * @since 7.0 + * @see OAuth2Error + * @see OAuth2AuthenticationExceptionMixin + * @see OAuth2ClientJacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class OAuth2ErrorMixin { + + @JsonCreator + OAuth2ErrorMixin(@JsonProperty("errorCode") String errorCode, @JsonProperty("description") String description, + @JsonProperty("uri") String uri) { + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2RefreshTokenMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2RefreshTokenMixin.java new file mode 100644 index 0000000000..a4a9085ee4 --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2RefreshTokenMixin.java @@ -0,0 +1,46 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import java.time.Instant; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.oauth2.core.OAuth2RefreshToken; + +/** + * This mixin class is used to serialize/deserialize {@link OAuth2RefreshToken}. + * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0 + * @see OAuth2RefreshToken + * @see OAuth2ClientJacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class OAuth2RefreshTokenMixin { + + @JsonCreator + OAuth2RefreshTokenMixin(@JsonProperty("tokenValue") String tokenValue, @JsonProperty("issuedAt") Instant issuedAt) { + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2UserAuthorityMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2UserAuthorityMixin.java new file mode 100644 index 0000000000..3a4095b50d --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2UserAuthorityMixin.java @@ -0,0 +1,47 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import java.util.Map; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.oauth2.core.user.OAuth2UserAuthority; + +/** + * This mixin class is used to serialize/deserialize {@link OAuth2UserAuthority}. + * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0 + * @see OAuth2UserAuthority + * @see OAuth2ClientJacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class OAuth2UserAuthorityMixin { + + @JsonCreator + OAuth2UserAuthorityMixin(@JsonProperty("authority") String authority, + @JsonProperty("attributes") Map attributes) { + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OidcIdTokenMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OidcIdTokenMixin.java new file mode 100644 index 0000000000..14ed972340 --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OidcIdTokenMixin.java @@ -0,0 +1,48 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import java.time.Instant; +import java.util.Map; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.oauth2.core.oidc.OidcIdToken; + +/** + * This mixin class is used to serialize/deserialize {@link OidcIdToken}. + * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0 + * @see OidcIdToken + * @see OAuth2ClientJacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class OidcIdTokenMixin { + + @JsonCreator + OidcIdTokenMixin(@JsonProperty("tokenValue") String tokenValue, @JsonProperty("issuedAt") Instant issuedAt, + @JsonProperty("expiresAt") Instant expiresAt, @JsonProperty("claims") Map claims) { + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OidcUserAuthorityMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OidcUserAuthorityMixin.java new file mode 100644 index 0000000000..fa31b76ae3 --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OidcUserAuthorityMixin.java @@ -0,0 +1,49 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.oauth2.core.oidc.OidcIdToken; +import org.springframework.security.oauth2.core.oidc.OidcUserInfo; +import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority; + +/** + * This mixin class is used to serialize/deserialize {@link OidcUserAuthority}. + * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0 + * @see OidcUserAuthority + * @see OAuth2ClientJacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +@JsonIgnoreProperties({ "attributes" }) +abstract class OidcUserAuthorityMixin { + + @JsonCreator + OidcUserAuthorityMixin(@JsonProperty("authority") String authority, @JsonProperty("idToken") OidcIdToken idToken, + @JsonProperty("userInfo") OidcUserInfo userInfo) { + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OidcUserInfoMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OidcUserInfoMixin.java new file mode 100644 index 0000000000..96dc41ca1c --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OidcUserInfoMixin.java @@ -0,0 +1,46 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import java.util.Map; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.oauth2.core.oidc.OidcUserInfo; + +/** + * This mixin class is used to serialize/deserialize {@link OidcUserInfo}. + * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0 + * @see OidcUserInfo + * @see OAuth2ClientJacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class OidcUserInfoMixin { + + @JsonCreator + OidcUserInfoMixin(@JsonProperty("claims") Map claims) { + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/StdConverters.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/StdConverters.java new file mode 100644 index 0000000000..c9fafcdd6e --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/StdConverters.java @@ -0,0 +1,94 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import tools.jackson.databind.JsonNode; +import tools.jackson.databind.util.StdConverter; + +import org.springframework.security.oauth2.core.AuthenticationMethod; +import org.springframework.security.oauth2.core.AuthorizationGrantType; +import org.springframework.security.oauth2.core.ClientAuthenticationMethod; +import org.springframework.security.oauth2.core.OAuth2AccessToken; + +/** + * {@code StdConverter} implementations. + * + * @author Sebastien Deleuze + * @author Joe Grandja + * @since 7.0 + */ +abstract class StdConverters { + + static final class AccessTokenTypeConverter extends StdConverter { + + @Override + public OAuth2AccessToken.TokenType convert(JsonNode jsonNode) { + String value = JsonNodeUtils.findStringValue(jsonNode, "value"); + if (OAuth2AccessToken.TokenType.BEARER.getValue().equalsIgnoreCase(value)) { + return OAuth2AccessToken.TokenType.BEARER; + } + return null; + } + + } + + static final class ClientAuthenticationMethodConverter extends StdConverter { + + @Override + public ClientAuthenticationMethod convert(JsonNode jsonNode) { + String value = JsonNodeUtils.findStringValue(jsonNode, "value"); + return ClientAuthenticationMethod.valueOf(value); + } + + } + + static final class AuthorizationGrantTypeConverter extends StdConverter { + + @Override + public AuthorizationGrantType convert(JsonNode jsonNode) { + String value = JsonNodeUtils.findStringValue(jsonNode, "value"); + if (AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equalsIgnoreCase(value)) { + return AuthorizationGrantType.AUTHORIZATION_CODE; + } + if (AuthorizationGrantType.CLIENT_CREDENTIALS.getValue().equalsIgnoreCase(value)) { + return AuthorizationGrantType.CLIENT_CREDENTIALS; + } + return new AuthorizationGrantType(value); + } + + } + + static final class AuthenticationMethodConverter extends StdConverter { + + @Override + public AuthenticationMethod convert(JsonNode jsonNode) { + String value = JsonNodeUtils.findStringValue(jsonNode, "value"); + if (AuthenticationMethod.HEADER.getValue().equalsIgnoreCase(value)) { + return AuthenticationMethod.HEADER; + } + if (AuthenticationMethod.FORM.getValue().equalsIgnoreCase(value)) { + return AuthenticationMethod.FORM; + } + if (AuthenticationMethod.QUERY.getValue().equalsIgnoreCase(value)) { + return AuthenticationMethod.QUERY; + } + return null; + } + + } + +} diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/package-info.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/package-info.java new file mode 100644 index 0000000000..3ac4da65bb --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/package-info.java @@ -0,0 +1,20 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * Jackson 3+ serialization support for OAuth2 client. + */ +package org.springframework.security.oauth2.client.jackson; diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/package-info.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/package-info.java new file mode 100644 index 0000000000..5477db1b36 --- /dev/null +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/package-info.java @@ -0,0 +1,20 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * Jackson 2 serialization support for OAuth2 client. + */ +package org.springframework.security.oauth2.client.jackson2; diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthenticationExceptionMixinTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthenticationExceptionMixinTests.java new file mode 100644 index 0000000000..e7d25bc710 --- /dev/null +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthenticationExceptionMixinTests.java @@ -0,0 +1,129 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.databind.exc.ValueInstantiationException; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.oauth2.core.OAuth2AuthenticationException; +import org.springframework.security.oauth2.core.OAuth2Error; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; + +/** + * Tests for + * {@link org.springframework.security.oauth2.client.jackson.OAuth2AuthenticationExceptionMixin}. + * + * @author Dennis Neufeld + * @since 5.3.4 + */ +public class OAuth2AuthenticationExceptionMixinTests { + + private JsonMapper mapper; + + @BeforeEach + public void setup() { + ClassLoader loader = getClass().getClassLoader(); + this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build(); + } + + @Test + public void serializeWhenMixinRegisteredThenSerializes() throws Exception { + OAuth2AuthenticationException exception = new OAuth2AuthenticationException( + new OAuth2Error("[authorization_request_not_found]", "Authorization Request Not Found", "/foo/bar"), + "Authorization Request Not Found"); + String serializedJson = this.mapper.writeValueAsString(exception); + String expected = asJson(exception); + JSONAssert.assertEquals(expected, serializedJson, true); + } + + @Test + public void serializeWhenRequiredAttributesOnlyThenSerializes() throws Exception { + OAuth2AuthenticationException exception = new OAuth2AuthenticationException( + new OAuth2Error("[authorization_request_not_found]")); + String serializedJson = this.mapper.writeValueAsString(exception); + String expected = asJson(exception); + JSONAssert.assertEquals(expected, serializedJson, true); + } + + @Test + public void deserializeWhenMixinNotRegisteredThenThrowJsonProcessingException() { + String json = asJson(new OAuth2AuthenticationException(new OAuth2Error("[authorization_request_not_found]"))); + assertThatExceptionOfType(ValueInstantiationException.class) + .isThrownBy(() -> new JsonMapper().readValue(json, OAuth2AuthenticationException.class)); + } + + @Test + public void deserializeWhenMixinRegisteredThenDeserializes() throws Exception { + OAuth2AuthenticationException expected = new OAuth2AuthenticationException( + new OAuth2Error("[authorization_request_not_found]", "Authorization Request Not Found", "/foo/bar"), + "Authorization Request Not Found"); + OAuth2AuthenticationException exception = this.mapper.readValue(asJson(expected), + OAuth2AuthenticationException.class); + assertThat(exception).isNotNull(); + assertThat(exception.getCause()).isNull(); + assertThat(exception.getMessage()).isEqualTo(expected.getMessage()); + OAuth2Error oauth2Error = exception.getError(); + assertThat(oauth2Error).isNotNull(); + assertThat(oauth2Error.getErrorCode()).isEqualTo(expected.getError().getErrorCode()); + assertThat(oauth2Error.getDescription()).isEqualTo(expected.getError().getDescription()); + assertThat(oauth2Error.getUri()).isEqualTo(expected.getError().getUri()); + } + + @Test + public void deserializeWhenRequiredAttributesOnlyThenDeserializes() throws Exception { + OAuth2AuthenticationException expected = new OAuth2AuthenticationException( + new OAuth2Error("[authorization_request_not_found]")); + OAuth2AuthenticationException exception = this.mapper.readValue(asJson(expected), + OAuth2AuthenticationException.class); + assertThat(exception).isNotNull(); + assertThat(exception.getCause()).isNull(); + assertThat(exception.getMessage()).isNull(); + OAuth2Error oauth2Error = exception.getError(); + assertThat(oauth2Error).isNotNull(); + assertThat(oauth2Error.getErrorCode()).isEqualTo(expected.getError().getErrorCode()); + assertThat(oauth2Error.getDescription()).isNull(); + assertThat(oauth2Error.getUri()).isNull(); + } + + private String asJson(OAuth2AuthenticationException exception) { + OAuth2Error error = exception.getError(); + // @formatter:off + return "\n{" + + "\n \"@class\": \"org.springframework.security.oauth2.core.OAuth2AuthenticationException\"," + + "\n \"error\":" + + "\n {" + + "\n \"@class\":\"org.springframework.security.oauth2.core.OAuth2Error\"," + + "\n \"errorCode\":\"" + error.getErrorCode() + "\"," + + "\n \"description\":" + jsonStringOrNull(error.getDescription()) + "," + + "\n \"uri\":" + jsonStringOrNull(error.getUri()) + + "\n }," + + "\n \"detailMessage\":" + jsonStringOrNull(exception.getMessage()) + + "\n}"; + // @formatter:on + } + + private String jsonStringOrNull(String input) { + return (input != null) ? "\"" + input + "\"" : "null"; + } + +} diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthenticationTokenMixinTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthenticationTokenMixinTests.java new file mode 100644 index 0000000000..d24cf351f8 --- /dev/null +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthenticationTokenMixinTests.java @@ -0,0 +1,339 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import java.time.Instant; +import java.util.ArrayList; +import java.util.Collection; +import java.util.Collections; +import java.util.List; +import java.util.stream.Collectors; + +import com.fasterxml.jackson.datatype.jsr310.DecimalUtils; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.core.JacksonException; +import tools.jackson.databind.DeserializationFeature; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken; +import org.springframework.security.oauth2.client.authentication.TestOAuth2AuthenticationTokens; +import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames; +import org.springframework.security.oauth2.core.oidc.OidcIdToken; +import org.springframework.security.oauth2.core.oidc.OidcUserInfo; +import org.springframework.security.oauth2.core.oidc.StandardClaimNames; +import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser; +import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority; +import org.springframework.security.oauth2.core.oidc.user.TestOidcUsers; +import org.springframework.security.oauth2.core.user.DefaultOAuth2User; +import org.springframework.security.oauth2.core.user.OAuth2UserAuthority; +import org.springframework.util.CollectionUtils; +import org.springframework.util.StringUtils; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; + +/** + * Tests for + * {@link org.springframework.security.oauth2.client.jackson.OAuth2AuthenticationTokenMixin}. + * + * @author Joe Grandja + */ +public class OAuth2AuthenticationTokenMixinTests { + + private JsonMapper mapper; + + @BeforeEach + public void setup() { + ClassLoader loader = getClass().getClassLoader(); + this.mapper = JsonMapper.builder() + .addModules(SecurityJacksonModules.getModules(loader)) + // see https://github.com/FasterXML/jackson-databind/issues/3052 for details + .enable(DeserializationFeature.USE_BIG_DECIMAL_FOR_FLOATS) + .build(); + } + + @Test + public void serializeWhenMixinRegisteredThenSerializes() throws Exception { + // OidcUser + OAuth2AuthenticationToken authentication = TestOAuth2AuthenticationTokens.oidcAuthenticated(); + String expectedJson = asJson(authentication); + String json = this.mapper.writeValueAsString(authentication); + JSONAssert.assertEquals(expectedJson, json, true); + // OAuth2User + authentication = TestOAuth2AuthenticationTokens.authenticated(); + expectedJson = asJson(authentication); + json = this.mapper.writeValueAsString(authentication); + JSONAssert.assertEquals(expectedJson, json, true); + } + + @Test + public void serializeWhenRequiredAttributesOnlyThenSerializes() throws Exception { + DefaultOidcUser principal = TestOidcUsers.create(); + principal = new DefaultOidcUser(principal.getAuthorities(), principal.getIdToken()); + OAuth2AuthenticationToken authentication = new OAuth2AuthenticationToken(principal, Collections.emptyList(), + "registration-id"); + String expectedJson = asJson(authentication); + String json = this.mapper.writeValueAsString(authentication); + JSONAssert.assertEquals(expectedJson, json, true); + } + + @Test + public void deserializeWhenMixinNotRegisteredThenThrowJsonProcessingException() { + OAuth2AuthenticationToken authentication = TestOAuth2AuthenticationTokens.oidcAuthenticated(); + String json = asJson(authentication); + assertThatExceptionOfType(JacksonException.class) + .isThrownBy(() -> new JsonMapper().readValue(json, OAuth2AuthenticationToken.class)); + } + + @Test + public void deserializeWhenMixinRegisteredThenDeserializes() throws Exception { + // OidcUser + OAuth2AuthenticationToken expectedAuthentication = TestOAuth2AuthenticationTokens.oidcAuthenticated(); + String json = asJson(expectedAuthentication); + OAuth2AuthenticationToken authentication = this.mapper.readValue(json, OAuth2AuthenticationToken.class); + assertThat(authentication.getAuthorities()).containsExactlyElementsOf(expectedAuthentication.getAuthorities()); + assertThat(authentication.getDetails()).isEqualTo(expectedAuthentication.getDetails()); + assertThat(authentication.isAuthenticated()).isEqualTo(expectedAuthentication.isAuthenticated()); + assertThat(authentication.getAuthorizedClientRegistrationId()) + .isEqualTo(expectedAuthentication.getAuthorizedClientRegistrationId()); + DefaultOidcUser expectedOidcUser = (DefaultOidcUser) expectedAuthentication.getPrincipal(); + DefaultOidcUser oidcUser = (DefaultOidcUser) authentication.getPrincipal(); + assertThat(oidcUser.getAuthorities().containsAll(expectedOidcUser.getAuthorities())).isTrue(); + assertThat(oidcUser.getAttributes()).containsExactlyEntriesOf(expectedOidcUser.getAttributes()); + assertThat(oidcUser.getName()).isEqualTo(expectedOidcUser.getName()); + OidcIdToken expectedIdToken = expectedOidcUser.getIdToken(); + OidcIdToken idToken = oidcUser.getIdToken(); + assertThat(idToken.getTokenValue()).isEqualTo(expectedIdToken.getTokenValue()); + assertThat(idToken.getIssuedAt()).isEqualTo(expectedIdToken.getIssuedAt()); + assertThat(idToken.getExpiresAt()).isEqualTo(expectedIdToken.getExpiresAt()); + assertThat(idToken.getClaims()).containsExactlyEntriesOf(expectedIdToken.getClaims()); + OidcUserInfo expectedUserInfo = expectedOidcUser.getUserInfo(); + OidcUserInfo userInfo = oidcUser.getUserInfo(); + assertThat(userInfo.getClaims()).containsExactlyEntriesOf(expectedUserInfo.getClaims()); + // OAuth2User + expectedAuthentication = TestOAuth2AuthenticationTokens.authenticated(); + json = asJson(expectedAuthentication); + authentication = this.mapper.readValue(json, OAuth2AuthenticationToken.class); + assertThat(authentication.getAuthorities()).containsExactlyElementsOf(expectedAuthentication.getAuthorities()); + assertThat(authentication.getDetails()).isEqualTo(expectedAuthentication.getDetails()); + assertThat(authentication.isAuthenticated()).isEqualTo(expectedAuthentication.isAuthenticated()); + assertThat(authentication.getAuthorizedClientRegistrationId()) + .isEqualTo(expectedAuthentication.getAuthorizedClientRegistrationId()); + DefaultOAuth2User expectedOauth2User = (DefaultOAuth2User) expectedAuthentication.getPrincipal(); + DefaultOAuth2User oauth2User = (DefaultOAuth2User) authentication.getPrincipal(); + assertThat(oauth2User.getAuthorities().containsAll(expectedOauth2User.getAuthorities())).isTrue(); + assertThat(oauth2User.getAttributes()).containsExactlyEntriesOf(expectedOauth2User.getAttributes()); + assertThat(oauth2User.getName()).isEqualTo(expectedOauth2User.getName()); + } + + @Test + public void deserializeWhenRequiredAttributesOnlyThenDeserializes() throws Exception { + DefaultOidcUser expectedPrincipal = TestOidcUsers.create(); + expectedPrincipal = new DefaultOidcUser(expectedPrincipal.getAuthorities(), expectedPrincipal.getIdToken()); + OAuth2AuthenticationToken expectedAuthentication = new OAuth2AuthenticationToken(expectedPrincipal, + Collections.emptyList(), "registration-id"); + String json = asJson(expectedAuthentication); + OAuth2AuthenticationToken authentication = this.mapper.readValue(json, OAuth2AuthenticationToken.class); + assertThat(authentication.getAuthorities()).isEmpty(); + assertThat(authentication.getDetails()).isEqualTo(expectedAuthentication.getDetails()); + assertThat(authentication.isAuthenticated()).isEqualTo(expectedAuthentication.isAuthenticated()); + assertThat(authentication.getAuthorizedClientRegistrationId()) + .isEqualTo(expectedAuthentication.getAuthorizedClientRegistrationId()); + DefaultOidcUser principal = (DefaultOidcUser) authentication.getPrincipal(); + assertThat(principal.getAuthorities().containsAll(expectedPrincipal.getAuthorities())).isTrue(); + assertThat(principal.getAttributes()).containsExactlyEntriesOf(expectedPrincipal.getAttributes()); + assertThat(principal.getName()).isEqualTo(expectedPrincipal.getName()); + OidcIdToken expectedIdToken = expectedPrincipal.getIdToken(); + OidcIdToken idToken = principal.getIdToken(); + assertThat(idToken.getTokenValue()).isEqualTo(expectedIdToken.getTokenValue()); + assertThat(idToken.getIssuedAt()).isEqualTo(expectedIdToken.getIssuedAt()); + assertThat(idToken.getExpiresAt()).isEqualTo(expectedIdToken.getExpiresAt()); + assertThat(idToken.getClaims()).containsExactlyEntriesOf(expectedIdToken.getClaims()); + assertThat(principal.getUserInfo()).isNull(); + } + + private static String asJson(OAuth2AuthenticationToken authentication) { + String principalJson = (authentication.getPrincipal() instanceof DefaultOidcUser) + ? asJson((DefaultOidcUser) authentication.getPrincipal()) + : asJson((DefaultOAuth2User) authentication.getPrincipal()); + // @formatter:off + return "{\n" + + " \"@class\": \"org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken\",\n" + + " \"principal\": " + principalJson + ",\n" + + " \"authorities\": " + asJson(authentication.getAuthorities(), "java.util.Collections$UnmodifiableRandomAccessList") + ",\n" + + " \"authorizedClientRegistrationId\": \"" + authentication.getAuthorizedClientRegistrationId() + "\",\n" + + " \"details\": null\n" + + "}"; + // @formatter:on + } + + private static String asJson(DefaultOAuth2User oauth2User) { + // @formatter:off + return "{\n" + + " \"@class\": \"org.springframework.security.oauth2.core.user.DefaultOAuth2User\",\n" + + " \"authorities\": " + asJson(oauth2User.getAuthorities(), "java.util.Collections$UnmodifiableSet") + ",\n" + + " \"attributes\": {\n" + + " \"@class\": \"java.util.Collections$UnmodifiableMap\",\n" + + " \"username\": \"user\"\n" + + " },\n" + + " \"nameAttributeKey\": \"username\"\n" + + " }"; + // @formatter:on + } + + private static String asJson(DefaultOidcUser oidcUser) { + // @formatter:off + return "{\n" + + " \"@class\": \"org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser\",\n" + + " \"authorities\": " + asJson(oidcUser.getAuthorities(), "java.util.Collections$UnmodifiableSet") + ",\n" + + " \"idToken\": " + asJson(oidcUser.getIdToken()) + ",\n" + + " \"userInfo\": " + asJson(oidcUser.getUserInfo()) + ",\n" + + " \"nameAttributeKey\": \"" + IdTokenClaimNames.SUB + "\"\n" + + " }"; + // @formatter:on + } + + private static String asJson(Collection authorities, String classTypeInfo) { + OAuth2UserAuthority oauth2UserAuthority = null; + OidcUserAuthority oidcUserAuthority = null; + List simpleAuthorities = new ArrayList<>(); + for (GrantedAuthority authority : authorities) { + if (authority instanceof OidcUserAuthority) { + oidcUserAuthority = (OidcUserAuthority) authority; + } + else if (authority instanceof OAuth2UserAuthority) { + oauth2UserAuthority = (OAuth2UserAuthority) authority; + } + else if (authority instanceof SimpleGrantedAuthority) { + simpleAuthorities.add((SimpleGrantedAuthority) authority); + } + } + String authoritiesJson = (oidcUserAuthority != null) ? asJson(oidcUserAuthority) + : (oauth2UserAuthority != null) ? asJson(oauth2UserAuthority) : ""; + if (!simpleAuthorities.isEmpty()) { + if (StringUtils.hasLength(authoritiesJson)) { + authoritiesJson += ","; + } + authoritiesJson += asJson(simpleAuthorities); + } + // @formatter:off + return "[\n" + + " \"" + classTypeInfo + "\",\n" + + " [" + authoritiesJson + "]\n" + + " ]"; + // @formatter:on + } + + private static String asJson(OAuth2UserAuthority oauth2UserAuthority) { + // @formatter:off + return "{\n" + + " \"@class\": \"org.springframework.security.oauth2.core.user.OAuth2UserAuthority\",\n" + + " \"authority\": \"" + oauth2UserAuthority.getAuthority() + "\",\n" + + " \"userNameAttributeName\": \"username\",\n" + + " \"attributes\": {\n" + + " \"@class\": \"java.util.Collections$UnmodifiableMap\",\n" + + " \"username\": \"user\"\n" + + " }\n" + + " }"; + // @formatter:on + } + + private static String asJson(OidcUserAuthority oidcUserAuthority) { + // @formatter:off + return "{\n" + + " \"@class\": \"org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority\",\n" + + " \"authority\": \"" + oidcUserAuthority.getAuthority() + "\",\n" + + " \"userNameAttributeName\": \"" + oidcUserAuthority.getUserNameAttributeName() + "\",\n" + + " \"idToken\": " + asJson(oidcUserAuthority.getIdToken()) + ",\n" + + " \"userInfo\": " + asJson(oidcUserAuthority.getUserInfo()) + "\n" + + " }"; + // @formatter:on + } + + private static String asJson(List simpleAuthorities) { + // @formatter:off + return simpleAuthorities.stream() + .map((authority) -> "{\n" + + " \"@class\": \"org.springframework.security.core.authority.SimpleGrantedAuthority\",\n" + + " \"authority\": \"" + authority.getAuthority() + "\"\n" + + " }") + .collect(Collectors.joining(",")); + // @formatter:on + } + + private static String asJson(OidcIdToken idToken) { + String aud = ""; + if (!CollectionUtils.isEmpty(idToken.getAudience())) { + aud = StringUtils.collectionToDelimitedString(idToken.getAudience(), ",", "\"", "\""); + } + // @formatter:off + return "{\n" + + " \"@class\": \"org.springframework.security.oauth2.core.oidc.OidcIdToken\",\n" + + " \"tokenValue\": \"" + idToken.getTokenValue() + "\",\n" + + " \"issuedAt\": " + toString(idToken.getIssuedAt()) + ",\n" + + " \"expiresAt\": " + toString(idToken.getExpiresAt()) + ",\n" + + " \"claims\": {\n" + + " \"@class\": \"java.util.Collections$UnmodifiableMap\",\n" + + " \"iat\": [\n" + + " \"java.time.Instant\",\n" + + " " + toString(idToken.getIssuedAt()) + "\n" + + " ],\n" + + " \"exp\": [\n" + + " \"java.time.Instant\",\n" + + " " + toString(idToken.getExpiresAt()) + "\n" + + " ],\n" + + " \"sub\": \"" + idToken.getSubject() + "\",\n" + + " \"iss\": \"" + idToken.getIssuer() + "\",\n" + + " \"aud\": [\n" + + " \"java.util.Collections$UnmodifiableSet\",\n" + + " [" + aud + "]\n" + + " ],\n" + + " \"azp\": \"" + idToken.getAuthorizedParty() + "\"\n" + + " }\n" + + " }"; + // @formatter:on + } + + private static String asJson(OidcUserInfo userInfo) { + if (userInfo == null) { + return null; + } + // @formatter:off + return "{\n" + + " \"@class\": \"org.springframework.security.oauth2.core.oidc.OidcUserInfo\",\n" + + " \"claims\": {\n" + + " \"@class\": \"java.util.Collections$UnmodifiableMap\",\n" + + " \"sub\": \"" + userInfo.getSubject() + "\",\n" + + " \"name\": \"" + userInfo.getClaim(StandardClaimNames.NAME) + "\"\n" + + " }\n" + + " }"; + // @formatter:on + } + + private static String toString(Instant instant) { + if (instant == null) { + return null; + } + return DecimalUtils.toBigDecimal(instant.getEpochSecond(), instant.getNano()).toString(); + } + +} diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizationRequestMixinTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizationRequestMixinTests.java new file mode 100644 index 0000000000..597f78947a --- /dev/null +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizationRequestMixinTests.java @@ -0,0 +1,199 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import java.util.LinkedHashMap; +import java.util.Map; +import java.util.stream.Collectors; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.core.JacksonException; +import tools.jackson.core.exc.StreamReadException; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; +import org.springframework.security.oauth2.core.endpoint.TestOAuth2AuthorizationRequests; +import org.springframework.util.CollectionUtils; +import org.springframework.util.StringUtils; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; + +/** + * Tests for + * {@link org.springframework.security.oauth2.client.jackson.OAuth2AuthorizationRequestMixin}. + * + * @author Joe Grandja + */ +public class OAuth2AuthorizationRequestMixinTests { + + private JsonMapper mapper; + + private OAuth2AuthorizationRequest.Builder authorizationRequestBuilder; + + @BeforeEach + public void setup() { + ClassLoader loader = getClass().getClassLoader(); + this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build(); + Map additionalParameters = new LinkedHashMap<>(); + additionalParameters.put("param1", "value1"); + additionalParameters.put("param2", "value2"); + // @formatter:off + this.authorizationRequestBuilder = TestOAuth2AuthorizationRequests.request() + .scope("read", "write") + .additionalParameters(additionalParameters); + // @formatter:on + } + + @Test + public void serializeWhenMixinRegisteredThenSerializes() throws Exception { + OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestBuilder.build(); + String expectedJson = asJson(authorizationRequest); + String json = this.mapper.writeValueAsString(authorizationRequest); + JSONAssert.assertEquals(expectedJson, json, true); + } + + @Test + public void serializeWhenRequiredAttributesOnlyThenSerializes() throws Exception { + // @formatter:off + OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestBuilder + .scopes(null) + .state(null) + .additionalParameters(Map::clear) + .attributes(Map::clear) + .build(); + // @formatter:on + String expectedJson = asJson(authorizationRequest); + String json = this.mapper.writeValueAsString(authorizationRequest); + JSONAssert.assertEquals(expectedJson, json, true); + } + + @Test + public void deserializeWhenMixinNotRegisteredThenThrowJsonProcessingException() { + String json = asJson(this.authorizationRequestBuilder.build()); + assertThatExceptionOfType(JacksonException.class) + .isThrownBy(() -> new JsonMapper().readValue(json, OAuth2AuthorizationRequest.class)); + } + + @Test + public void deserializeWhenMixinRegisteredThenDeserializes() throws Exception { + OAuth2AuthorizationRequest expectedAuthorizationRequest = this.authorizationRequestBuilder.build(); + String json = asJson(expectedAuthorizationRequest); + OAuth2AuthorizationRequest authorizationRequest = this.mapper.readValue(json, OAuth2AuthorizationRequest.class); + assertThat(authorizationRequest.getAuthorizationUri()) + .isEqualTo(expectedAuthorizationRequest.getAuthorizationUri()); + assertThat(authorizationRequest.getGrantType()).isEqualTo(expectedAuthorizationRequest.getGrantType()); + assertThat(authorizationRequest.getResponseType()).isEqualTo(expectedAuthorizationRequest.getResponseType()); + assertThat(authorizationRequest.getClientId()).isEqualTo(expectedAuthorizationRequest.getClientId()); + assertThat(authorizationRequest.getRedirectUri()).isEqualTo(expectedAuthorizationRequest.getRedirectUri()); + assertThat(authorizationRequest.getScopes()).isEqualTo(expectedAuthorizationRequest.getScopes()); + assertThat(authorizationRequest.getState()).isEqualTo(expectedAuthorizationRequest.getState()); + assertThat(authorizationRequest.getAdditionalParameters()) + .containsExactlyEntriesOf(expectedAuthorizationRequest.getAdditionalParameters()); + assertThat(authorizationRequest.getAuthorizationRequestUri()) + .isEqualTo(expectedAuthorizationRequest.getAuthorizationRequestUri()); + assertThat(authorizationRequest.getAttributes()) + .containsExactlyEntriesOf(expectedAuthorizationRequest.getAttributes()); + } + + @Test + public void deserializeWhenRequiredAttributesOnlyThenDeserializes() throws Exception { + // @formatter:off + OAuth2AuthorizationRequest expectedAuthorizationRequest = this.authorizationRequestBuilder.scopes(null) + .state(null) + .additionalParameters(Map::clear) + .attributes(Map::clear) + .build(); + // @formatter:on + String json = asJson(expectedAuthorizationRequest); + OAuth2AuthorizationRequest authorizationRequest = this.mapper.readValue(json, OAuth2AuthorizationRequest.class); + assertThat(authorizationRequest.getAuthorizationUri()) + .isEqualTo(expectedAuthorizationRequest.getAuthorizationUri()); + assertThat(authorizationRequest.getGrantType()).isEqualTo(expectedAuthorizationRequest.getGrantType()); + assertThat(authorizationRequest.getResponseType()).isEqualTo(expectedAuthorizationRequest.getResponseType()); + assertThat(authorizationRequest.getClientId()).isEqualTo(expectedAuthorizationRequest.getClientId()); + assertThat(authorizationRequest.getRedirectUri()).isEqualTo(expectedAuthorizationRequest.getRedirectUri()); + assertThat(authorizationRequest.getScopes()).isEmpty(); + assertThat(authorizationRequest.getState()).isNull(); + assertThat(authorizationRequest.getAdditionalParameters()).isEmpty(); + assertThat(authorizationRequest.getAuthorizationRequestUri()) + .isEqualTo(expectedAuthorizationRequest.getAuthorizationRequestUri()); + assertThat(authorizationRequest.getAttributes()).isEmpty(); + } + + @Test + public void deserializeWhenInvalidAuthorizationGrantTypeThenThrowJsonParseException() { + OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestBuilder.build(); + String json = asJson(authorizationRequest).replace("authorization_code", "client_credentials"); + assertThatExceptionOfType(StreamReadException.class) + .isThrownBy(() -> this.mapper.readValue(json, OAuth2AuthorizationRequest.class)) + .withMessageContaining("Invalid authorizationGrantType"); + } + + private static String asJson(OAuth2AuthorizationRequest authorizationRequest) { + String scopes = ""; + if (!CollectionUtils.isEmpty(authorizationRequest.getScopes())) { + scopes = StringUtils.collectionToDelimitedString(authorizationRequest.getScopes(), ",", "\"", "\""); + } + String additionalParameters = "\"@class\": \"java.util.Collections$UnmodifiableMap\""; + if (!CollectionUtils.isEmpty(authorizationRequest.getAdditionalParameters())) { + additionalParameters += "," + authorizationRequest.getAdditionalParameters() + .keySet() + .stream() + .map((key) -> "\"" + key + "\": \"" + authorizationRequest.getAdditionalParameters().get(key) + "\"") + .collect(Collectors.joining(",")); + } + String attributes = "\"@class\": \"java.util.Collections$UnmodifiableMap\""; + if (!CollectionUtils.isEmpty(authorizationRequest.getAttributes())) { + attributes += "," + authorizationRequest.getAttributes() + .keySet() + .stream() + .map((key) -> "\"" + key + "\": \"" + authorizationRequest.getAttributes().get(key) + "\"") + .collect(Collectors.joining(",")); + } + // @formatter:off + return "{\n" + + " \"@class\": \"org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest\",\n" + + " \"authorizationUri\": \"" + authorizationRequest.getAuthorizationUri() + "\",\n" + + " \"authorizationGrantType\": {\n" + + " \"value\": \"" + authorizationRequest.getGrantType().getValue() + "\"\n" + + " },\n" + + " \"responseType\": {\n" + + " \"value\": \"" + authorizationRequest.getResponseType().getValue() + "\"\n" + + " },\n" + + " \"clientId\": \"" + authorizationRequest.getClientId() + "\",\n" + + " \"redirectUri\": \"" + authorizationRequest.getRedirectUri() + "\",\n" + + " \"scopes\": [\n" + + " \"java.util.Collections$UnmodifiableSet\",\n" + + " [" + scopes + "]\n" + + " ],\n" + + " \"state\": " + ((authorizationRequest.getState() != null) ? "\"" + authorizationRequest.getState() + "\"" : "null") + ",\n" + + " \"additionalParameters\": {\n" + + " " + additionalParameters + "\n" + + " },\n" + + " \"authorizationRequestUri\": \"" + authorizationRequest.getAuthorizationRequestUri() + "\",\n" + + " \"attributes\": {\n" + + " " + attributes + "\n" + + " }\n" + + "}"; + // @formatter:on + } + +} diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizedClientMixinTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizedClientMixinTests.java new file mode 100644 index 0000000000..7d1ff8cf4e --- /dev/null +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/OAuth2AuthorizedClientMixinTests.java @@ -0,0 +1,395 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import java.time.Instant; +import java.util.LinkedHashMap; +import java.util.Map; +import java.util.stream.Collectors; + +import com.fasterxml.jackson.datatype.jsr310.DecimalUtils; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.core.JacksonException; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.oauth2.client.OAuth2AuthorizedClient; +import org.springframework.security.oauth2.client.registration.ClientRegistration; +import org.springframework.security.oauth2.client.registration.TestClientRegistrations; +import org.springframework.security.oauth2.core.AuthorizationGrantType; +import org.springframework.security.oauth2.core.OAuth2AccessToken; +import org.springframework.security.oauth2.core.OAuth2RefreshToken; +import org.springframework.security.oauth2.core.TestOAuth2AccessTokens; +import org.springframework.security.oauth2.core.TestOAuth2RefreshTokens; +import org.springframework.util.CollectionUtils; +import org.springframework.util.StringUtils; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; + +/** + * Tests for + * {@link org.springframework.security.oauth2.client.jackson.OAuth2AuthorizedClientMixin}. + * + * @author Joe Grandja + */ +public class OAuth2AuthorizedClientMixinTests { + + private JsonMapper mapper; + + private ClientRegistration.Builder clientRegistrationBuilder; + + private OAuth2AccessToken accessToken; + + private OAuth2RefreshToken refreshToken; + + private String principalName; + + @BeforeEach + public void setup() { + ClassLoader loader = getClass().getClassLoader(); + this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build(); + Map providerConfigurationMetadata = new LinkedHashMap<>(); + providerConfigurationMetadata.put("config1", "value1"); + providerConfigurationMetadata.put("config2", "value2"); + // @formatter:off + this.clientRegistrationBuilder = TestClientRegistrations.clientRegistration() + .authorizationGrantType(new AuthorizationGrantType("custom-grant")) + .scope("read", "write") + .providerConfigurationMetadata(providerConfigurationMetadata); + // @formatter:on + this.accessToken = TestOAuth2AccessTokens.scopes("read", "write"); + this.refreshToken = TestOAuth2RefreshTokens.refreshToken(); + this.principalName = "principal-name"; + } + + @Test + public void serializeWhenMixinRegisteredThenSerializes() throws Exception { + OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(this.clientRegistrationBuilder.build(), + this.principalName, this.accessToken, this.refreshToken); + String expectedJson = asJson(authorizedClient); + String json = this.mapper.writeValueAsString(authorizedClient); + JSONAssert.assertEquals(expectedJson, json, true); + } + + @Test + public void serializeWhenRequiredAttributesOnlyThenSerializes() throws Exception { + // @formatter:off + ClientRegistration clientRegistration = TestClientRegistrations.clientRegistration() + .clientSecret(null) + .clientName(null) + .userInfoUri(null) + .userNameAttributeName(null) + .jwkSetUri(null) + .issuerUri(null) + .build(); + // @formatter:on + OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(clientRegistration, this.principalName, + TestOAuth2AccessTokens.noScopes()); + String expectedJson = asJson(authorizedClient); + String json = this.mapper.writeValueAsString(authorizedClient); + JSONAssert.assertEquals(expectedJson, json, true); + } + + @Test + public void deserializeWhenMixinNotRegisteredThenThrowJsonProcessingException() { + OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(this.clientRegistrationBuilder.build(), + this.principalName, this.accessToken); + String json = asJson(authorizedClient); + assertThatExceptionOfType(JacksonException.class) + .isThrownBy(() -> new JsonMapper().readValue(json, OAuth2AuthorizedClient.class)); + } + + @Test + public void deserializeWhenMixinRegisteredThenDeserializes() throws Exception { + ClientRegistration expectedClientRegistration = this.clientRegistrationBuilder.build(); + OAuth2AccessToken expectedAccessToken = this.accessToken; + OAuth2RefreshToken expectedRefreshToken = this.refreshToken; + OAuth2AuthorizedClient expectedAuthorizedClient = new OAuth2AuthorizedClient(expectedClientRegistration, + this.principalName, expectedAccessToken, expectedRefreshToken); + String json = asJson(expectedAuthorizedClient); + OAuth2AuthorizedClient authorizedClient = this.mapper.readValue(json, OAuth2AuthorizedClient.class); + ClientRegistration clientRegistration = authorizedClient.getClientRegistration(); + assertThat(clientRegistration.getRegistrationId()).isEqualTo(expectedClientRegistration.getRegistrationId()); + assertThat(clientRegistration.getClientId()).isEqualTo(expectedClientRegistration.getClientId()); + assertThat(clientRegistration.getClientSecret()).isEqualTo(expectedClientRegistration.getClientSecret()); + assertThat(clientRegistration.getClientAuthenticationMethod()) + .isEqualTo(expectedClientRegistration.getClientAuthenticationMethod()); + assertThat(clientRegistration.getAuthorizationGrantType()) + .isEqualTo(expectedClientRegistration.getAuthorizationGrantType()); + assertThat(clientRegistration.getRedirectUri()).isEqualTo(expectedClientRegistration.getRedirectUri()); + assertThat(clientRegistration.getScopes()).isEqualTo(expectedClientRegistration.getScopes()); + assertThat(clientRegistration.getProviderDetails().getAuthorizationUri()) + .isEqualTo(expectedClientRegistration.getProviderDetails().getAuthorizationUri()); + assertThat(clientRegistration.getProviderDetails().getTokenUri()) + .isEqualTo(expectedClientRegistration.getProviderDetails().getTokenUri()); + assertThat(clientRegistration.getProviderDetails().getUserInfoEndpoint().getUri()) + .isEqualTo(expectedClientRegistration.getProviderDetails().getUserInfoEndpoint().getUri()); + assertThat(clientRegistration.getProviderDetails().getUserInfoEndpoint().getAuthenticationMethod()) + .isEqualTo(expectedClientRegistration.getProviderDetails().getUserInfoEndpoint().getAuthenticationMethod()); + assertThat(clientRegistration.getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName()).isEqualTo( + expectedClientRegistration.getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName()); + assertThat(clientRegistration.getProviderDetails().getJwkSetUri()) + .isEqualTo(expectedClientRegistration.getProviderDetails().getJwkSetUri()); + assertThat(clientRegistration.getProviderDetails().getIssuerUri()) + .isEqualTo(expectedClientRegistration.getProviderDetails().getIssuerUri()); + assertThat(clientRegistration.getProviderDetails().getConfigurationMetadata()) + .containsExactlyEntriesOf(clientRegistration.getProviderDetails().getConfigurationMetadata()); + assertThat(clientRegistration.getClientName()).isEqualTo(expectedClientRegistration.getClientName()); + assertThat(authorizedClient.getPrincipalName()).isEqualTo(expectedAuthorizedClient.getPrincipalName()); + OAuth2AccessToken accessToken = authorizedClient.getAccessToken(); + assertThat(accessToken.getTokenType()).isEqualTo(expectedAccessToken.getTokenType()); + assertThat(accessToken.getScopes()).isEqualTo(expectedAccessToken.getScopes()); + assertThat(accessToken.getTokenValue()).isEqualTo(expectedAccessToken.getTokenValue()); + assertThat(accessToken.getIssuedAt()).isEqualTo(expectedAccessToken.getIssuedAt()); + assertThat(accessToken.getExpiresAt()).isEqualTo(expectedAccessToken.getExpiresAt()); + OAuth2RefreshToken refreshToken = authorizedClient.getRefreshToken(); + assertThat(refreshToken.getTokenValue()).isEqualTo(expectedRefreshToken.getTokenValue()); + assertThat(refreshToken.getIssuedAt()).isEqualTo(expectedRefreshToken.getIssuedAt()); + assertThat(refreshToken.getExpiresAt()).isEqualTo(expectedRefreshToken.getExpiresAt()); + } + + @Test + public void deserializeWhenRequiredAttributesOnlyThenDeserializes() throws Exception { + // @formatter:off + ClientRegistration expectedClientRegistration = TestClientRegistrations.clientRegistration() + .clientSecret(null) + .clientName(null) + .userInfoUri(null) + .userNameAttributeName(null) + .jwkSetUri(null) + .issuerUri(null) + .build(); + // @formatter:on + OAuth2AccessToken expectedAccessToken = TestOAuth2AccessTokens.noScopes(); + OAuth2AuthorizedClient expectedAuthorizedClient = new OAuth2AuthorizedClient(expectedClientRegistration, + this.principalName, expectedAccessToken); + String json = asJson(expectedAuthorizedClient); + OAuth2AuthorizedClient authorizedClient = this.mapper.readValue(json, OAuth2AuthorizedClient.class); + ClientRegistration clientRegistration = authorizedClient.getClientRegistration(); + assertThat(clientRegistration.getRegistrationId()).isEqualTo(expectedClientRegistration.getRegistrationId()); + assertThat(clientRegistration.getClientId()).isEqualTo(expectedClientRegistration.getClientId()); + assertThat(clientRegistration.getClientSecret()).isEmpty(); + assertThat(clientRegistration.getClientAuthenticationMethod()) + .isEqualTo(expectedClientRegistration.getClientAuthenticationMethod()); + assertThat(clientRegistration.getAuthorizationGrantType()) + .isEqualTo(expectedClientRegistration.getAuthorizationGrantType()); + assertThat(clientRegistration.getRedirectUri()).isEqualTo(expectedClientRegistration.getRedirectUri()); + assertThat(clientRegistration.getScopes()).isEqualTo(expectedClientRegistration.getScopes()); + assertThat(clientRegistration.getProviderDetails().getAuthorizationUri()) + .isEqualTo(expectedClientRegistration.getProviderDetails().getAuthorizationUri()); + assertThat(clientRegistration.getProviderDetails().getTokenUri()) + .isEqualTo(expectedClientRegistration.getProviderDetails().getTokenUri()); + assertThat(clientRegistration.getProviderDetails().getUserInfoEndpoint().getUri()).isNull(); + assertThat(clientRegistration.getProviderDetails().getUserInfoEndpoint().getAuthenticationMethod()) + .isEqualTo(expectedClientRegistration.getProviderDetails().getUserInfoEndpoint().getAuthenticationMethod()); + assertThat(clientRegistration.getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName()).isNull(); + assertThat(clientRegistration.getProviderDetails().getJwkSetUri()).isNull(); + assertThat(clientRegistration.getProviderDetails().getIssuerUri()).isNull(); + assertThat(clientRegistration.getProviderDetails().getConfigurationMetadata()).isEmpty(); + assertThat(clientRegistration.getClientName()).isEqualTo(clientRegistration.getRegistrationId()); + assertThat(authorizedClient.getPrincipalName()).isEqualTo(expectedAuthorizedClient.getPrincipalName()); + OAuth2AccessToken accessToken = authorizedClient.getAccessToken(); + assertThat(accessToken.getTokenType()).isEqualTo(expectedAccessToken.getTokenType()); + assertThat(accessToken.getScopes()).isEmpty(); + assertThat(accessToken.getTokenValue()).isEqualTo(expectedAccessToken.getTokenValue()); + assertThat(accessToken.getIssuedAt()).isEqualTo(expectedAccessToken.getIssuedAt()); + assertThat(accessToken.getExpiresAt()).isEqualTo(expectedAccessToken.getExpiresAt()); + assertThat(authorizedClient.getRefreshToken()).isNull(); + } + + @Test + void deserializeWhenClientSettingsPropertyDoesNotExistThenDefaulted() throws JacksonException { + // ClientRegistration.clientSettings was added later, so old values will be + // serialized without that property + // this test checks for passivity + ClientRegistration clientRegistration = this.clientRegistrationBuilder.build(); + ClientRegistration.ProviderDetails providerDetails = clientRegistration.getProviderDetails(); + ClientRegistration.ProviderDetails.UserInfoEndpoint userInfoEndpoint = providerDetails.getUserInfoEndpoint(); + String scopes = ""; + if (!CollectionUtils.isEmpty(clientRegistration.getScopes())) { + scopes = StringUtils.collectionToDelimitedString(clientRegistration.getScopes(), ",", "\"", "\""); + } + String configurationMetadata = "\"@class\": \"java.util.Collections$UnmodifiableMap\""; + if (!CollectionUtils.isEmpty(providerDetails.getConfigurationMetadata())) { + configurationMetadata += "," + providerDetails.getConfigurationMetadata() + .keySet() + .stream() + .map((key) -> "\"" + key + "\": \"" + providerDetails.getConfigurationMetadata().get(key) + "\"") + .collect(Collectors.joining(",")); + } + // @formatter:off + String json = "{\n" + + " \"@class\": \"org.springframework.security.oauth2.client.registration.ClientRegistration\",\n" + + " \"registrationId\": \"" + clientRegistration.getRegistrationId() + "\",\n" + + " \"clientId\": \"" + clientRegistration.getClientId() + "\",\n" + + " \"clientSecret\": \"" + clientRegistration.getClientSecret() + "\",\n" + + " \"clientAuthenticationMethod\": {\n" + + " \"value\": \"" + clientRegistration.getClientAuthenticationMethod().getValue() + "\"\n" + + " },\n" + + " \"authorizationGrantType\": {\n" + + " \"value\": \"" + clientRegistration.getAuthorizationGrantType().getValue() + "\"\n" + + " },\n" + + " \"redirectUri\": \"" + clientRegistration.getRedirectUri() + "\",\n" + + " \"scopes\": [\n" + + " \"java.util.Collections$UnmodifiableSet\",\n" + + " [" + scopes + "]\n" + + " ],\n" + + " \"providerDetails\": {\n" + + " \"@class\": \"org.springframework.security.oauth2.client.registration.ClientRegistration$ProviderDetails\",\n" + + " \"authorizationUri\": \"" + providerDetails.getAuthorizationUri() + "\",\n" + + " \"tokenUri\": \"" + providerDetails.getTokenUri() + "\",\n" + + " \"userInfoEndpoint\": {\n" + + " \"@class\": \"org.springframework.security.oauth2.client.registration.ClientRegistration$ProviderDetails$UserInfoEndpoint\",\n" + + " \"uri\": " + ((userInfoEndpoint.getUri() != null) ? "\"" + userInfoEndpoint.getUri() + "\"" : null) + ",\n" + + " \"authenticationMethod\": {\n" + + " \"value\": \"" + userInfoEndpoint.getAuthenticationMethod().getValue() + "\"\n" + + " },\n" + + " \"userNameAttributeName\": " + ((userInfoEndpoint.getUserNameAttributeName() != null) ? "\"" + userInfoEndpoint.getUserNameAttributeName() + "\"" : null) + "\n" + + " },\n" + + " \"jwkSetUri\": " + ((providerDetails.getJwkSetUri() != null) ? "\"" + providerDetails.getJwkSetUri() + "\"" : null) + ",\n" + + " \"issuerUri\": " + ((providerDetails.getIssuerUri() != null) ? "\"" + providerDetails.getIssuerUri() + "\"" : null) + ",\n" + + " \"configurationMetadata\": {\n" + + " " + configurationMetadata + "\n" + + " }\n" + + " },\n" + + " \"clientName\": \"" + clientRegistration.getClientName() + "\"\n" + + "}"; + // @formatter:on + // validate the test input + assertThat(json).doesNotContain("clientSettings"); + ClientRegistration registration = this.mapper.readValue(json, ClientRegistration.class); + // the default value of requireProofKey is false + assertThat(registration.getClientSettings().isRequireProofKey()).isFalse(); + } + + private static String asJson(OAuth2AuthorizedClient authorizedClient) { + // @formatter:off + return "{\n" + + " \"@class\": \"org.springframework.security.oauth2.client.OAuth2AuthorizedClient\",\n" + + " \"clientRegistration\": " + asJson(authorizedClient.getClientRegistration()) + ",\n" + + " \"principalName\": \"" + authorizedClient.getPrincipalName() + "\",\n" + + " \"accessToken\": " + asJson(authorizedClient.getAccessToken()) + ",\n" + + " \"refreshToken\": " + asJson(authorizedClient.getRefreshToken()) + "\n" + + "}"; + // @formatter:on + } + + private static String asJson(ClientRegistration clientRegistration) { + ClientRegistration.ProviderDetails providerDetails = clientRegistration.getProviderDetails(); + ClientRegistration.ProviderDetails.UserInfoEndpoint userInfoEndpoint = providerDetails.getUserInfoEndpoint(); + String scopes = ""; + if (!CollectionUtils.isEmpty(clientRegistration.getScopes())) { + scopes = StringUtils.collectionToDelimitedString(clientRegistration.getScopes(), ",", "\"", "\""); + } + String configurationMetadata = "\"@class\": \"java.util.Collections$UnmodifiableMap\""; + if (!CollectionUtils.isEmpty(providerDetails.getConfigurationMetadata())) { + configurationMetadata += "," + providerDetails.getConfigurationMetadata() + .keySet() + .stream() + .map((key) -> "\"" + key + "\": \"" + providerDetails.getConfigurationMetadata().get(key) + "\"") + .collect(Collectors.joining(",")); + } + // @formatter:off + return "{\n" + + " \"@class\": \"org.springframework.security.oauth2.client.registration.ClientRegistration\",\n" + + " \"registrationId\": \"" + clientRegistration.getRegistrationId() + "\",\n" + + " \"clientId\": \"" + clientRegistration.getClientId() + "\",\n" + + " \"clientSecret\": \"" + clientRegistration.getClientSecret() + "\",\n" + + " \"clientAuthenticationMethod\": {\n" + + " \"value\": \"" + clientRegistration.getClientAuthenticationMethod().getValue() + "\"\n" + + " },\n" + + " \"authorizationGrantType\": {\n" + + " \"value\": \"" + clientRegistration.getAuthorizationGrantType().getValue() + "\"\n" + + " },\n" + + " \"redirectUri\": \"" + clientRegistration.getRedirectUri() + "\",\n" + + " \"scopes\": [\n" + + " \"java.util.Collections$UnmodifiableSet\",\n" + + " [" + scopes + "]\n" + + " ],\n" + + " \"providerDetails\": {\n" + + " \"@class\": \"org.springframework.security.oauth2.client.registration.ClientRegistration$ProviderDetails\",\n" + + " \"authorizationUri\": \"" + providerDetails.getAuthorizationUri() + "\",\n" + + " \"tokenUri\": \"" + providerDetails.getTokenUri() + "\",\n" + + " \"userInfoEndpoint\": {\n" + + " \"@class\": \"org.springframework.security.oauth2.client.registration.ClientRegistration$ProviderDetails$UserInfoEndpoint\",\n" + + " \"uri\": " + ((userInfoEndpoint.getUri() != null) ? "\"" + userInfoEndpoint.getUri() + "\"" : null) + ",\n" + + " \"authenticationMethod\": {\n" + + " \"value\": \"" + userInfoEndpoint.getAuthenticationMethod().getValue() + "\"\n" + + " },\n" + + " \"userNameAttributeName\": " + ((userInfoEndpoint.getUserNameAttributeName() != null) ? "\"" + userInfoEndpoint.getUserNameAttributeName() + "\"" : null) + "\n" + + " },\n" + + " \"jwkSetUri\": " + ((providerDetails.getJwkSetUri() != null) ? "\"" + providerDetails.getJwkSetUri() + "\"" : null) + ",\n" + + " \"issuerUri\": " + ((providerDetails.getIssuerUri() != null) ? "\"" + providerDetails.getIssuerUri() + "\"" : null) + ",\n" + + " \"configurationMetadata\": {\n" + + " " + configurationMetadata + "\n" + + " }\n" + + " },\n" + + " \"clientName\": \"" + clientRegistration.getClientName() + "\",\n" + + " \"clientSettings\": {\n" + + " \"requireProofKey\": " + clientRegistration.getClientSettings().isRequireProofKey() + "\n" + + " }\n" + + "}"; + // @formatter:on + } + + private static String asJson(OAuth2AccessToken accessToken) { + String scopes = ""; + if (!CollectionUtils.isEmpty(accessToken.getScopes())) { + scopes = StringUtils.collectionToDelimitedString(accessToken.getScopes(), ",", "\"", "\""); + } + // @formatter:off + return "{\n" + + " \"@class\": \"org.springframework.security.oauth2.core.OAuth2AccessToken\",\n" + + " \"tokenType\": {\n" + + " \"value\": \"" + accessToken.getTokenType().getValue() + "\"\n" + + " },\n" + + " \"tokenValue\": \"" + accessToken.getTokenValue() + "\",\n" + + " \"issuedAt\": " + toString(accessToken.getIssuedAt()) + ",\n" + + " \"expiresAt\": " + toString(accessToken.getExpiresAt()) + ",\n" + + " \"scopes\": [\n" + + " \"java.util.Collections$UnmodifiableSet\",\n" + + " [" + scopes + "]\n" + + " ]\n" + + "}"; + // @formatter:on + } + + private static String asJson(OAuth2RefreshToken refreshToken) { + if (refreshToken == null) { + return null; + } + // @formatter:off + return "{\n" + + " \"@class\": \"org.springframework.security.oauth2.core.OAuth2RefreshToken\",\n" + + " \"tokenValue\": \"" + refreshToken.getTokenValue() + "\",\n" + + " \"issuedAt\": " + toString(refreshToken.getIssuedAt()) + ",\n" + + " \"expiresAt\": " + toString(refreshToken.getExpiresAt()) + "\n" + + "}"; + // @formatter:on + } + + private static String toString(Instant instant) { + if (instant == null) { + return null; + } + return DecimalUtils.toBigDecimal(instant.getEpochSecond(), instant.getNano()).toString(); + } + +} diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/StdConvertersTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/StdConvertersTests.java new file mode 100644 index 0000000000..cbd95c63a3 --- /dev/null +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson/StdConvertersTests.java @@ -0,0 +1,53 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.client.jackson; + +import java.util.stream.Stream; + +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.Arguments; +import org.junit.jupiter.params.provider.MethodSource; +import tools.jackson.databind.JsonNode; +import tools.jackson.databind.node.JsonNodeFactory; +import tools.jackson.databind.node.ObjectNode; +import tools.jackson.databind.util.StdConverter; + +import org.springframework.security.oauth2.core.ClientAuthenticationMethod; + +import static org.assertj.core.api.Assertions.assertThat; + +public class StdConvertersTests { + + private final StdConverter clientAuthenticationMethodConverter = new org.springframework.security.oauth2.client.jackson.StdConverters.ClientAuthenticationMethodConverter(); + + @ParameterizedTest + @MethodSource("convertWhenClientAuthenticationMethodConvertedThenDeserializes") + void convertWhenClientAuthenticationMethodConvertedThenDeserializes(String clientAuthenticationMethod) { + ObjectNode jsonNode = JsonNodeFactory.instance.objectNode(); + jsonNode.put("value", clientAuthenticationMethod); + ClientAuthenticationMethod actual = this.clientAuthenticationMethodConverter.convert(jsonNode); + assertThat(actual.getValue()).isEqualTo(clientAuthenticationMethod); + } + + static Stream convertWhenClientAuthenticationMethodConvertedThenDeserializes() { + return Stream.of(Arguments.of(ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue()), + Arguments.of(ClientAuthenticationMethod.CLIENT_SECRET_POST.getValue()), + Arguments.of(ClientAuthenticationMethod.PRIVATE_KEY_JWT.getValue()), + Arguments.of(ClientAuthenticationMethod.NONE.getValue()), Arguments.of("custom_method")); + } + +} diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTests.java index bf7dba4718..0cf1002d56 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTests.java @@ -20,8 +20,6 @@ import java.util.Arrays; import java.util.Map; -import com.fasterxml.jackson.core.type.TypeReference; -import com.fasterxml.jackson.databind.ObjectMapper; import okhttp3.mockwebserver.Dispatcher; import okhttp3.mockwebserver.MockResponse; import okhttp3.mockwebserver.MockWebServer; @@ -29,6 +27,8 @@ import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; +import tools.jackson.core.type.TypeReference; +import tools.jackson.databind.json.JsonMapper; import org.springframework.http.HttpHeaders; import org.springframework.http.MediaType; @@ -111,7 +111,7 @@ public class ClientRegistrationsTests { private MockWebServer server; - private ObjectMapper mapper = new ObjectMapper(); + private JsonMapper mapper = new JsonMapper(); private Map response; diff --git a/oauth2/oauth2-jose/spring-security-oauth2-jose.gradle b/oauth2/oauth2-jose/spring-security-oauth2-jose.gradle index 0397cfafd9..8af3d4d30b 100644 --- a/oauth2/oauth2-jose/spring-security-oauth2-jose.gradle +++ b/oauth2/oauth2-jose/spring-security-oauth2-jose.gradle @@ -15,7 +15,7 @@ dependencies { testImplementation "jakarta.servlet:jakarta.servlet-api" testImplementation 'com.squareup.okhttp3:mockwebserver' testImplementation 'io.projectreactor.netty:reactor-netty' - testImplementation 'com.fasterxml.jackson.core:jackson-databind' + testImplementation 'tools.jackson.core:jackson-databind' testImplementation "org.assertj:assertj-core" testImplementation "org.junit.jupiter:junit-jupiter-api" testImplementation "org.junit.jupiter:junit-jupiter-params" diff --git a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtDecodersTests.java b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtDecodersTests.java index ebbd50f9a0..ac78e0d9e2 100644 --- a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtDecodersTests.java +++ b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtDecodersTests.java @@ -21,10 +21,6 @@ import java.util.Map; import java.util.Optional; -import com.fasterxml.jackson.core.JsonProcessingException; -import com.fasterxml.jackson.core.type.TypeReference; -import com.fasterxml.jackson.databind.JsonMappingException; -import com.fasterxml.jackson.databind.ObjectMapper; import okhttp3.HttpUrl; import okhttp3.mockwebserver.Dispatcher; import okhttp3.mockwebserver.MockResponse; @@ -33,6 +29,8 @@ import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; +import tools.jackson.core.type.TypeReference; +import tools.jackson.databind.json.JsonMapper; import org.springframework.http.HttpHeaders; import org.springframework.http.MediaType; @@ -191,8 +189,7 @@ public void issuerWhenOAuth2ResponseIsNonCompliantThenThrowsRuntimeException() { // gh-7512 @Test - public void issuerWhenResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException() - throws JsonMappingException, JsonProcessingException { + public void issuerWhenResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException() { prepareConfigurationResponse(this.buildResponseWithMissingJwksUri()); // @formatter:off assertThatIllegalArgumentException() @@ -203,8 +200,7 @@ public void issuerWhenResponseDoesNotContainJwksUriThenThrowsIllegalArgumentExce // gh-7512 @Test - public void issuerWhenOidcFallbackResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException() - throws JsonMappingException, JsonProcessingException { + public void issuerWhenOidcFallbackResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException() { prepareConfigurationResponseOidc(this.buildResponseWithMissingJwksUri()); // @formatter:off assertThatIllegalArgumentException() @@ -216,8 +212,7 @@ public void issuerWhenOidcFallbackResponseDoesNotContainJwksUriThenThrowsIllegal // gh-7512 @Test - public void issuerWhenOAuth2ResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException() - throws JsonMappingException, JsonProcessingException { + public void issuerWhenOAuth2ResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException() { prepareConfigurationResponseOAuth2(this.buildResponseWithMissingJwksUri()); // @formatter:off assertThatIllegalArgumentException() @@ -384,8 +379,8 @@ private MockResponse response(String body) { // @formatter:on } - public String buildResponseWithMissingJwksUri() throws JsonMappingException, JsonProcessingException { - ObjectMapper mapper = new ObjectMapper(); + public String buildResponseWithMissingJwksUri() { + JsonMapper mapper = new JsonMapper(); Map response = mapper.readValue(DEFAULT_RESPONSE_TEMPLATE, new TypeReference>() { }); diff --git a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/ReactiveJwtDecoderProviderConfigurationUtilsTests.java b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/ReactiveJwtDecoderProviderConfigurationUtilsTests.java index fbaccad175..228518ae51 100644 --- a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/ReactiveJwtDecoderProviderConfigurationUtilsTests.java +++ b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/ReactiveJwtDecoderProviderConfigurationUtilsTests.java @@ -21,10 +21,6 @@ import java.util.Map; import java.util.Optional; -import com.fasterxml.jackson.core.JsonProcessingException; -import com.fasterxml.jackson.core.type.TypeReference; -import com.fasterxml.jackson.databind.JsonMappingException; -import com.fasterxml.jackson.databind.ObjectMapper; import okhttp3.HttpUrl; import okhttp3.mockwebserver.Dispatcher; import okhttp3.mockwebserver.MockResponse; @@ -33,6 +29,8 @@ import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; +import tools.jackson.core.type.TypeReference; +import tools.jackson.databind.json.JsonMapper; import org.springframework.http.HttpHeaders; import org.springframework.http.MediaType; @@ -153,8 +151,7 @@ public void issuerWhenOAuth2ResponseIsNonCompliantThenThrowsRuntimeException() { // gh-7512 @Test - public void issuerWhenOidcFallbackResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException() - throws JsonMappingException, JsonProcessingException { + public void issuerWhenOidcFallbackResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException() { prepareConfigurationResponseOidc(this.buildResponseWithMissingJwksUri()); // @formatter:off assertThatIllegalArgumentException() @@ -165,8 +162,7 @@ public void issuerWhenOidcFallbackResponseDoesNotContainJwksUriThenThrowsIllegal // gh-7512 @Test - public void issuerWhenOAuth2ResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException() - throws JsonMappingException, JsonProcessingException { + public void issuerWhenOAuth2ResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException() { prepareConfigurationResponseOAuth2(this.buildResponseWithMissingJwksUri()); // @formatter:off assertThatIllegalArgumentException() @@ -323,8 +319,8 @@ private MockResponse response(String body) { // @formatter:on } - public String buildResponseWithMissingJwksUri() throws JsonMappingException, JsonProcessingException { - ObjectMapper mapper = new ObjectMapper(); + public String buildResponseWithMissingJwksUri() { + JsonMapper mapper = new JsonMapper(); Map response = mapper.readValue(DEFAULT_RESPONSE_TEMPLATE, new TypeReference>() { }); diff --git a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/ReactiveJwtDecodersTests.java b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/ReactiveJwtDecodersTests.java index c3384ef6f1..704014b0a3 100644 --- a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/ReactiveJwtDecodersTests.java +++ b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/ReactiveJwtDecodersTests.java @@ -21,10 +21,6 @@ import java.util.Map; import java.util.Optional; -import com.fasterxml.jackson.core.JsonProcessingException; -import com.fasterxml.jackson.core.type.TypeReference; -import com.fasterxml.jackson.databind.JsonMappingException; -import com.fasterxml.jackson.databind.ObjectMapper; import okhttp3.HttpUrl; import okhttp3.mockwebserver.Dispatcher; import okhttp3.mockwebserver.MockResponse; @@ -33,6 +29,8 @@ import org.junit.jupiter.api.AfterEach; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; +import tools.jackson.core.type.TypeReference; +import tools.jackson.databind.json.JsonMapper; import org.springframework.http.HttpHeaders; import org.springframework.http.MediaType; @@ -166,8 +164,7 @@ public void issuerWhenOAuth2ResponseIsNonCompliantThenThrowsRuntimeException() { // gh-7512 @Test - public void issuerWhenResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException() - throws JsonMappingException, JsonProcessingException { + public void issuerWhenResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException() { prepareConfigurationResponse(this.buildResponseWithMissingJwksUri()); // @formatter:off assertThatIllegalArgumentException() @@ -178,8 +175,7 @@ public void issuerWhenResponseDoesNotContainJwksUriThenThrowsIllegalArgumentExce // gh-7512 @Test - public void issuerWhenOidcFallbackResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException() - throws JsonMappingException, JsonProcessingException { + public void issuerWhenOidcFallbackResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException() { prepareConfigurationResponseOidc(this.buildResponseWithMissingJwksUri()); // @formatter:off assertThatIllegalArgumentException() @@ -190,8 +186,7 @@ public void issuerWhenOidcFallbackResponseDoesNotContainJwksUriThenThrowsIllegal // gh-7512 @Test - public void issuerWhenOAuth2ResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException() - throws JsonMappingException, JsonProcessingException { + public void issuerWhenOAuth2ResponseDoesNotContainJwksUriThenThrowsIllegalArgumentException() { prepareConfigurationResponseOAuth2(this.buildResponseWithMissingJwksUri()); // @formatter:off assertThatIllegalArgumentException() @@ -357,8 +352,8 @@ private MockResponse response(String body) { // @formatter:on } - public String buildResponseWithMissingJwksUri() throws JsonMappingException, JsonProcessingException { - ObjectMapper mapper = new ObjectMapper(); + public String buildResponseWithMissingJwksUri() { + JsonMapper mapper = new JsonMapper(); Map response = mapper.readValue(DEFAULT_RESPONSE_TEMPLATE, new TypeReference>() { }); diff --git a/oauth2/oauth2-resource-server/spring-security-oauth2-resource-server.gradle b/oauth2/oauth2-resource-server/spring-security-oauth2-resource-server.gradle index fbed03dcb3..5a0fb73311 100644 --- a/oauth2/oauth2-resource-server/spring-security-oauth2-resource-server.gradle +++ b/oauth2/oauth2-resource-server/spring-security-oauth2-resource-server.gradle @@ -17,7 +17,7 @@ dependencies { testImplementation project(path : ':spring-security-core', configuration : 'tests') testImplementation project(path: ':spring-security-oauth2-jose', configuration: 'tests') testImplementation 'com.squareup.okhttp3:mockwebserver' - testImplementation 'com.fasterxml.jackson.core:jackson-databind' + testImplementation 'tools.jackson.core:jackson-databind' testImplementation 'io.projectreactor.netty:reactor-netty' testImplementation 'io.projectreactor:reactor-test' testImplementation "org.assertj:assertj-core" diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/OAuth2ProtectedResourceMetadataFilter.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/OAuth2ProtectedResourceMetadataFilter.java index 66948bccf6..df74af6a7b 100644 --- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/OAuth2ProtectedResourceMetadataFilter.java +++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/OAuth2ProtectedResourceMetadataFilter.java @@ -156,6 +156,7 @@ private static final class HttpMessageConverters { private HttpMessageConverters() { } + @SuppressWarnings("removal") private static GenericHttpMessageConverter getJsonMessageConverter() { if (jackson2Present) { return new MappingJackson2HttpMessageConverter(); diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/SpringReactiveOpaqueTokenIntrospectorTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/SpringReactiveOpaqueTokenIntrospectorTests.java index a5a2d2c050..5d9b2f7223 100644 --- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/SpringReactiveOpaqueTokenIntrospectorTests.java +++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/introspection/SpringReactiveOpaqueTokenIntrospectorTests.java @@ -26,13 +26,13 @@ import java.util.Optional; import java.util.function.Function; -import com.fasterxml.jackson.databind.ObjectMapper; import okhttp3.mockwebserver.Dispatcher; import okhttp3.mockwebserver.MockResponse; import okhttp3.mockwebserver.MockWebServer; import okhttp3.mockwebserver.RecordedRequest; import org.junit.jupiter.api.Test; import reactor.core.publisher.Mono; +import tools.jackson.databind.json.JsonMapper; import org.springframework.core.ParameterizedTypeReference; import org.springframework.core.convert.converter.Converter; @@ -104,7 +104,7 @@ public class SpringReactiveOpaqueTokenIntrospectorTests { + " }"; // @formatter:on - private final ObjectMapper mapper = new ObjectMapper(); + private final JsonMapper mapper = new JsonMapper(); @Test public void authenticateWhenActiveTokenThenOk() throws Exception { diff --git a/saml2/saml2-service-provider/spring-security-saml2-service-provider.gradle b/saml2/saml2-service-provider/spring-security-saml2-service-provider.gradle index f1b68b259b..140f8a91e7 100644 --- a/saml2/saml2-service-provider/spring-security-saml2-service-provider.gradle +++ b/saml2/saml2-service-provider/spring-security-saml2-service-provider.gradle @@ -94,6 +94,7 @@ dependencies { optional 'com.fasterxml.jackson.core:jackson-databind' optional 'org.springframework:spring-jdbc' + optional 'tools.jackson.core:jackson-databind' testImplementation project(path: ':spring-security-web', configuration: 'tests') testImplementation 'com.squareup.okhttp3:mockwebserver' diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/DefaultSaml2AuthenticatedPrincipalMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/DefaultSaml2AuthenticatedPrincipalMixin.java new file mode 100644 index 0000000000..cde3d898e0 --- /dev/null +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/DefaultSaml2AuthenticatedPrincipalMixin.java @@ -0,0 +1,52 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import java.util.List; +import java.util.Map; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal; + +/** + * Jackson Mixin class helps in serialize/deserialize + * {@link DefaultSaml2AuthenticatedPrincipal}. + * + * @author Sebastien Deleuze + * @author Ulrich Grave + * @since 7.0 + * @see Saml2JacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE) +class DefaultSaml2AuthenticatedPrincipalMixin { + + @JsonProperty("registrationId") + String registrationId; + + DefaultSaml2AuthenticatedPrincipalMixin(@JsonProperty("name") String name, + @JsonProperty("attributes") Map> attributes, + @JsonProperty("sessionIndexes") List sessionIndexes) { + + } + +} diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2AssertionAuthenticationMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2AssertionAuthenticationMixin.java new file mode 100644 index 0000000000..8d1a71ad2d --- /dev/null +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2AssertionAuthenticationMixin.java @@ -0,0 +1,53 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import java.util.Collection; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.saml2.provider.service.authentication.Saml2AssertionAuthentication; +import org.springframework.security.saml2.provider.service.authentication.Saml2ResponseAssertionAccessor; + +/** + * Jackson Mixin class helps in serialize/deserialize + * {@link Saml2AssertionAuthentication}. + * + * @author Sebastien Deleuze + * @author Josh Cummings + * @since 7.0 + * @see Saml2JacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +class Saml2AssertionAuthenticationMixin { + + @JsonCreator + Saml2AssertionAuthenticationMixin(@JsonProperty("principal") Object principal, + @JsonProperty("assertion") Saml2ResponseAssertionAccessor assertion, + @JsonProperty("authorities") Collection authorities, + @JsonProperty("relyingPartyRegistrationId") String relyingPartyRegistrationId) { + } + +} diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2AuthenticationExceptionMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2AuthenticationExceptionMixin.java new file mode 100644 index 0000000000..1293a2d30d --- /dev/null +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2AuthenticationExceptionMixin.java @@ -0,0 +1,54 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.saml2.core.Saml2Error; +import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException; + +/** + * This mixin class is used to serialize/deserialize {@link Saml2AuthenticationException}. + * + * @author Sebastien Deleuze + * @author Ulrich Grave + * @since 7.0 + * @see Saml2AuthenticationException + * @see Saml2JacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.NONE, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +@JsonIgnoreProperties({ "cause", "stackTrace", "suppressedExceptions" }) +abstract class Saml2AuthenticationExceptionMixin { + + @JsonProperty("error") + abstract Saml2Error getSaml2Error(); + + @JsonProperty("detailMessage") + abstract String getMessage(); + + @JsonCreator + Saml2AuthenticationExceptionMixin(@JsonProperty("error") Saml2Error error, + @JsonProperty("detailMessage") String message) { + } + +} diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2AuthenticationMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2AuthenticationMixin.java new file mode 100644 index 0000000000..39cd0b4638 --- /dev/null +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2AuthenticationMixin.java @@ -0,0 +1,52 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import java.util.Collection; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.core.AuthenticatedPrincipal; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication; + +/** + * Jackson Mixin class helps in serialize/deserialize {@link Saml2Authentication}. + * + * @author Sebastien Deleuze + * @since 7.0 + * @see Saml2JacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +@JsonIgnoreProperties({ "authenticated" }) +class Saml2AuthenticationMixin { + + @JsonCreator + Saml2AuthenticationMixin(@JsonProperty("principal") AuthenticatedPrincipal principal, + @JsonProperty("saml2Response") String saml2Response, + @JsonProperty("authorities") Collection authorities) { + } + +} diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2ErrorMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2ErrorMixin.java new file mode 100644 index 0000000000..c252cc968e --- /dev/null +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2ErrorMixin.java @@ -0,0 +1,44 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.saml2.core.Saml2Error; + +/** + * This mixin class is used to serialize/deserialize {@link Saml2Error}. + * + * @author Sebastien Deleuze + * @author Ulrich Grave + * @since 7.0 + * @see Saml2Error + * @see Saml2JacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +class Saml2ErrorMixin { + + @JsonCreator + Saml2ErrorMixin(@JsonProperty("errorCode") String errorCode, @JsonProperty("description") String description) { + } + +} diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2JacksonModule.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2JacksonModule.java new file mode 100644 index 0000000000..c58536b0c5 --- /dev/null +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2JacksonModule.java @@ -0,0 +1,91 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import tools.jackson.core.Version; +import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator; + +import org.springframework.security.jackson.SecurityJacksonModule; +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.saml2.core.Saml2Error; +import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal; +import org.springframework.security.saml2.provider.service.authentication.Saml2AssertionAuthentication; +import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication; +import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException; +import org.springframework.security.saml2.provider.service.authentication.Saml2PostAuthenticationRequest; +import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest; +import org.springframework.security.saml2.provider.service.authentication.Saml2ResponseAssertion; +import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest; + +/** + * Jackson module for saml2-service-provider. This module register + * {@link Saml2AuthenticationMixin}, {@link Saml2AssertionAuthenticationMixin}, + * {@link SimpleSaml2ResponseAssertionAccessorMixin}, + * {@link DefaultSaml2AuthenticatedPrincipalMixin}, {@link Saml2LogoutRequestMixin}, + * {@link Saml2RedirectAuthenticationRequestMixin}, + * {@link Saml2PostAuthenticationRequestMixin}, {@link Saml2ErrorMixin} and + * {@link Saml2AuthenticationExceptionMixin}. + * + *

+ * The recommended way to configure it is to use {@link SecurityJacksonModules} in order + * to enable properly automatic inclusion of type information with related validation. + * + * 

+ *     ClassLoader loader = getClass().getClassLoader();
+ *     JsonMapper mapper = JsonMapper.builder()
+ * 				.addModules(SecurityJacksonModules.getModules(loader))
+ * 				.build();
+ *
+ * + * @author Sebastien Deleuze + * @since 7.0 + * @see SecurityJacksonModules + */ +@SuppressWarnings("serial") +public class Saml2JacksonModule extends SecurityJacksonModule { + + public Saml2JacksonModule() { + super(Saml2JacksonModule.class.getName(), new Version(1, 0, 0, null, null, null)); + } + + @Override + public void configurePolymorphicTypeValidator(BasicPolymorphicTypeValidator.Builder builder) { + builder.allowIfSubType(Saml2ResponseAssertion.class) + .allowIfSubType(DefaultSaml2AuthenticatedPrincipal.class) + .allowIfSubType(Saml2PostAuthenticationRequest.class) + .allowIfSubType(Saml2LogoutRequest.class) + .allowIfSubType(Saml2RedirectAuthenticationRequest.class) + .allowIfSubType(Saml2AuthenticationException.class) + .allowIfSubType(Saml2Error.class) + .allowIfSubType(Saml2AssertionAuthentication.class) + .allowIfSubType(Saml2Authentication.class); + } + + @Override + public void setupModule(SetupContext context) { + context.setMixIn(Saml2Authentication.class, Saml2AuthenticationMixin.class); + context.setMixIn(Saml2AssertionAuthentication.class, Saml2AssertionAuthenticationMixin.class); + context.setMixIn(Saml2ResponseAssertion.class, SimpleSaml2ResponseAssertionAccessorMixin.class); + context.setMixIn(DefaultSaml2AuthenticatedPrincipal.class, DefaultSaml2AuthenticatedPrincipalMixin.class); + context.setMixIn(Saml2LogoutRequest.class, Saml2LogoutRequestMixin.class); + context.setMixIn(Saml2RedirectAuthenticationRequest.class, Saml2RedirectAuthenticationRequestMixin.class); + context.setMixIn(Saml2PostAuthenticationRequest.class, Saml2PostAuthenticationRequestMixin.class); + context.setMixIn(Saml2Error.class, Saml2ErrorMixin.class); + context.setMixIn(Saml2AuthenticationException.class, Saml2AuthenticationExceptionMixin.class); + } + +} diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2LogoutRequestMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2LogoutRequestMixin.java new file mode 100644 index 0000000000..48af334db2 --- /dev/null +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2LogoutRequestMixin.java @@ -0,0 +1,55 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import java.util.Map; +import java.util.function.Function; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest; +import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding; + +/** + * Jackson Mixin class helps in serialize/deserialize {@link Saml2LogoutRequest}. + * + * @author Sebastien Deleuze + * @author Ulrich Grave + * @since 7.0 + * @see Saml2JacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE) +class Saml2LogoutRequestMixin { + + @JsonIgnore + Function, String> encoder; + + @JsonCreator + Saml2LogoutRequestMixin(@JsonProperty("location") String location, + @JsonProperty("binding") Saml2MessageBinding binding, + @JsonProperty("parameters") Map parameters, @JsonProperty("id") String id, + @JsonProperty("relyingPartyRegistrationId") String relyingPartyRegistrationId) { + } + +} diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2PostAuthenticationRequestMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2PostAuthenticationRequestMixin.java new file mode 100644 index 0000000000..ab3afe6e67 --- /dev/null +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2PostAuthenticationRequestMixin.java @@ -0,0 +1,49 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.saml2.provider.service.authentication.Saml2PostAuthenticationRequest; + +/** + * Jackson Mixin class helps in serialize/deserialize + * {@link Saml2PostAuthenticationRequest}. + * + * @author Sebastien Deleuze + * @author Ulrich Grave + * @since 7.0 + * @see Saml2JacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE) +class Saml2PostAuthenticationRequestMixin { + + @JsonCreator + Saml2PostAuthenticationRequestMixin(@JsonProperty("samlRequest") String samlRequest, + @JsonProperty("relayState") String relayState, + @JsonProperty("authenticationRequestUri") String authenticationRequestUri, + @JsonProperty("relyingPartyRegistrationId") String relyingPartyRegistrationId, + @JsonProperty("id") String id) { + } + +} diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2RedirectAuthenticationRequestMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2RedirectAuthenticationRequestMixin.java new file mode 100644 index 0000000000..fc17707741 --- /dev/null +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/Saml2RedirectAuthenticationRequestMixin.java @@ -0,0 +1,50 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest; + +/** + * Jackson Mixin class helps in serialize/deserialize + * {@link Saml2RedirectAuthenticationRequest}. + * + * @author Sebastien Deleuze + * @author Ulrich Grave + * @since 7.0 + * @see Saml2JacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE) +class Saml2RedirectAuthenticationRequestMixin { + + @JsonCreator + Saml2RedirectAuthenticationRequestMixin(@JsonProperty("samlRequest") String samlRequest, + @JsonProperty("sigAlg") String sigAlg, @JsonProperty("signature") String signature, + @JsonProperty("relayState") String relayState, + @JsonProperty("authenticationRequestUri") String authenticationRequestUri, + @JsonProperty("relyingPartyRegistrationId") String relyingPartyRegistrationId, + @JsonProperty("id") String id) { + } + +} diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/SimpleSaml2ResponseAssertionAccessorMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/SimpleSaml2ResponseAssertionAccessorMixin.java new file mode 100644 index 0000000000..949b06a2ec --- /dev/null +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/SimpleSaml2ResponseAssertionAccessorMixin.java @@ -0,0 +1,52 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import java.util.List; +import java.util.Map; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.saml2.provider.service.authentication.Saml2ResponseAssertion; + +/** + * Jackson Mixin class helps in serialize/deserialize {@link Saml2ResponseAssertion}. + * + * @author Sebastien Deleuze + * @author Josh Cummings + * @since 7.0 + * @see Saml2JacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +@JsonIgnoreProperties({ "authenticated" }) +class SimpleSaml2ResponseAssertionAccessorMixin { + + @JsonCreator + SimpleSaml2ResponseAssertionAccessorMixin(@JsonProperty("responseValue") String responseValue, + @JsonProperty("nameId") String nameId, @JsonProperty("sessionIndexes") List sessionIndexes, + @JsonProperty("attributes") Map> attributes) { + } + +} diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/package-info.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/package-info.java new file mode 100644 index 0000000000..061f69b005 --- /dev/null +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson/package-info.java @@ -0,0 +1,20 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * Jackson 3+ serialization support for SAML2. + */ +package org.springframework.security.saml2.jackson; diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/package-info.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/package-info.java new file mode 100644 index 0000000000..eef3717f17 --- /dev/null +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/package-info.java @@ -0,0 +1,20 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * Jackson 2 serialization support for SAML2. + */ +package org.springframework.security.saml2.jackson2; diff --git a/saml2/saml2-service-provider/src/opensaml5Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProviderTests.java b/saml2/saml2-service-provider/src/opensaml5Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProviderTests.java index 35510564ca..01eeafbe16 100644 --- a/saml2/saml2-service-provider/src/opensaml5Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProviderTests.java +++ b/saml2/saml2-service-provider/src/opensaml5Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProviderTests.java @@ -32,7 +32,6 @@ import javax.xml.namespace.QName; -import com.fasterxml.jackson.databind.ObjectMapper; import org.junit.jupiter.api.Test; import org.opensaml.core.xml.XMLObject; import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport; @@ -69,6 +68,7 @@ import org.opensaml.saml.saml2.core.impl.StatusCodeBuilder; import org.opensaml.xmlsec.encryption.impl.EncryptedDataBuilder; import org.opensaml.xmlsec.signature.support.SignatureConstants; +import tools.jackson.databind.json.JsonMapper; import org.springframework.core.convert.converter.Converter; import org.springframework.security.authentication.SecurityAssertions; @@ -76,7 +76,7 @@ import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.authority.FactorGrantedAuthority; -import org.springframework.security.jackson2.SecurityJackson2Modules; +import org.springframework.security.jackson.SecurityJacksonModules; import org.springframework.security.saml2.core.Saml2Error; import org.springframework.security.saml2.core.Saml2ErrorCodes; import org.springframework.security.saml2.core.Saml2ResponseValidatorResult; @@ -342,9 +342,8 @@ public void authenticateWhenAssertionContainsAttributesThenItSucceeds() { // gh-11785 @Test public void deserializeWhenAssertionContainsAttributesThenWorks() throws Exception { - ObjectMapper mapper = new ObjectMapper(); ClassLoader loader = getClass().getClassLoader(); - mapper.registerModules(SecurityJackson2Modules.getModules(loader)); + JsonMapper mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build(); Response response = response(); Assertion assertion = assertion(); List attributes = TestOpenSamlObjects.attributeStatements(); diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/DefaultSaml2AuthenticatedPrincipalMixinTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/DefaultSaml2AuthenticatedPrincipalMixinTests.java new file mode 100644 index 0000000000..39c64c0962 --- /dev/null +++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/DefaultSaml2AuthenticatedPrincipalMixinTests.java @@ -0,0 +1,105 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal; + +import static org.assertj.core.api.Assertions.assertThat; + +@SuppressWarnings("removal") +class DefaultSaml2AuthenticatedPrincipalMixinTests { + + private JsonMapper mapper; + + @BeforeEach + void setUp() { + ClassLoader loader = getClass().getClassLoader(); + this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build(); + } + + @Test + void shouldSerialize() throws Exception { + DefaultSaml2AuthenticatedPrincipal principal = TestSaml2JsonPayloads.createDefaultPrincipal(); + + String principalJson = this.mapper.writeValueAsString(principal); + + JSONAssert.assertEquals(TestSaml2JsonPayloads.DEFAULT_AUTHENTICATED_PRINCIPAL_JSON, principalJson, true); + } + + @Test + void shouldSerializeWithoutRegistrationId() throws Exception { + DefaultSaml2AuthenticatedPrincipal principal = new DefaultSaml2AuthenticatedPrincipal( + TestSaml2JsonPayloads.PRINCIPAL_NAME, TestSaml2JsonPayloads.ATTRIBUTES, + TestSaml2JsonPayloads.SESSION_INDEXES); + + String principalJson = this.mapper.writeValueAsString(principal); + + JSONAssert.assertEquals(principalWithoutRegId(), principalJson, true); + } + + @Test + void shouldSerializeWithoutIndices() throws Exception { + DefaultSaml2AuthenticatedPrincipal principal = new DefaultSaml2AuthenticatedPrincipal( + TestSaml2JsonPayloads.PRINCIPAL_NAME, TestSaml2JsonPayloads.ATTRIBUTES); + principal.setRelyingPartyRegistrationId(TestSaml2JsonPayloads.REG_ID); + + String principalJson = this.mapper.writeValueAsString(principal); + + JSONAssert.assertEquals(principalWithoutIndices(), principalJson, true); + } + + @Test + void shouldDeserialize() throws Exception { + DefaultSaml2AuthenticatedPrincipal principal = this.mapper.readValue( + TestSaml2JsonPayloads.DEFAULT_AUTHENTICATED_PRINCIPAL_JSON, DefaultSaml2AuthenticatedPrincipal.class); + + assertThat(principal).isNotNull(); + assertThat(principal.getName()).isEqualTo(TestSaml2JsonPayloads.PRINCIPAL_NAME); + assertThat(principal.getRelyingPartyRegistrationId()).isEqualTo(TestSaml2JsonPayloads.REG_ID); + assertThat(principal.getAttributes()).isEqualTo(TestSaml2JsonPayloads.ATTRIBUTES); + assertThat(principal.getSessionIndexes()).isEqualTo(TestSaml2JsonPayloads.SESSION_INDEXES); + } + + @Test + void shouldDeserializeWithoutRegistrationId() throws Exception { + DefaultSaml2AuthenticatedPrincipal principal = this.mapper.readValue(principalWithoutRegId(), + DefaultSaml2AuthenticatedPrincipal.class); + + assertThat(principal).isNotNull(); + assertThat(principal.getName()).isEqualTo(TestSaml2JsonPayloads.PRINCIPAL_NAME); + assertThat(principal.getRelyingPartyRegistrationId()).isNull(); + assertThat(principal.getAttributes()).isEqualTo(TestSaml2JsonPayloads.ATTRIBUTES); + assertThat(principal.getSessionIndexes()).isEqualTo(TestSaml2JsonPayloads.SESSION_INDEXES); + } + + private static String principalWithoutRegId() { + return TestSaml2JsonPayloads.DEFAULT_AUTHENTICATED_PRINCIPAL_JSON.replace(TestSaml2JsonPayloads.REG_ID_JSON, + "null"); + } + + private static String principalWithoutIndices() { + return TestSaml2JsonPayloads.DEFAULT_AUTHENTICATED_PRINCIPAL_JSON + .replace(TestSaml2JsonPayloads.SESSION_INDEXES_JSON, "[\"java.util.Collections$EmptyList\", []]"); + } + +} diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2AuthenticationExceptionMixinTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2AuthenticationExceptionMixinTests.java new file mode 100644 index 0000000000..9f64913e49 --- /dev/null +++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2AuthenticationExceptionMixinTests.java @@ -0,0 +1,61 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.saml2.core.Saml2Error; +import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException; + +import static org.assertj.core.api.Assertions.assertThat; + +@SuppressWarnings("removal") +class Saml2AuthenticationExceptionMixinTests { + + private JsonMapper mapper; + + @BeforeEach + void setUp() { + ClassLoader loader = getClass().getClassLoader(); + this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build(); + } + + @Test + void shouldSerialize() throws Exception { + Saml2AuthenticationException exception = TestSaml2JsonPayloads.createDefaultSaml2AuthenticationException(); + + String exceptionJson = this.mapper.writeValueAsString(exception); + + JSONAssert.assertEquals(TestSaml2JsonPayloads.DEFAULT_SAML_AUTH_EXCEPTION_JSON, exceptionJson, true); + } + + @Test + void shouldDeserialize() throws Exception { + Saml2AuthenticationException exception = this.mapper + .readValue(TestSaml2JsonPayloads.DEFAULT_SAML_AUTH_EXCEPTION_JSON, Saml2AuthenticationException.class); + + assertThat(exception).isNotNull(); + assertThat(exception.getMessage()).isEqualTo("exceptionMessage"); + assertThat(exception.getSaml2Error()).extracting(Saml2Error::getErrorCode, Saml2Error::getDescription) + .contains("errorCode", "errorDescription"); + } + +} diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2AuthenticationMixinTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2AuthenticationMixinTests.java new file mode 100644 index 0000000000..eee63b4d0a --- /dev/null +++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2AuthenticationMixinTests.java @@ -0,0 +1,64 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication; + +import static org.assertj.core.api.Assertions.assertThat; + +@SuppressWarnings("removal") +class Saml2AuthenticationMixinTests { + + private JsonMapper mapper; + + @BeforeEach + void setUp() { + ClassLoader loader = getClass().getClassLoader(); + this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build(); + } + + @Test + void shouldSerialize() throws Exception { + Saml2Authentication authentication = TestSaml2JsonPayloads.createDefaultAuthentication(); + + String authenticationJson = this.mapper.writeValueAsString(authentication); + + JSONAssert.assertEquals(TestSaml2JsonPayloads.DEFAULT_SAML2AUTHENTICATION_JSON, authenticationJson, true); + } + + @Test + void shouldDeserialize() throws Exception { + Saml2Authentication authentication = this.mapper + .readValue(TestSaml2JsonPayloads.DEFAULT_SAML2AUTHENTICATION_JSON, Saml2Authentication.class); + + assertThat(authentication).isNotNull(); + assertThat(authentication.getDetails()).isEqualTo(TestSaml2JsonPayloads.DETAILS); + assertThat(authentication.getCredentials()).isEqualTo(TestSaml2JsonPayloads.SAML_RESPONSE); + assertThat(authentication.getSaml2Response()).isEqualTo(TestSaml2JsonPayloads.SAML_RESPONSE); + assertThat(authentication.getAuthorities()).isEqualTo(TestSaml2JsonPayloads.AUTHORITIES); + assertThat(authentication.getPrincipal()).usingRecursiveComparison() + .isEqualTo(TestSaml2JsonPayloads.createDefaultPrincipal()); + assertThat(authentication.getDetails()).usingRecursiveComparison().isEqualTo(TestSaml2JsonPayloads.DETAILS); + } + +} diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2LogoutRequestMixinTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2LogoutRequestMixinTests.java new file mode 100644 index 0000000000..d71e1269b7 --- /dev/null +++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2LogoutRequestMixinTests.java @@ -0,0 +1,90 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import java.util.HashMap; +import java.util.Map; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.core.JacksonException; +import tools.jackson.databind.DeserializationFeature; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest; +import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding; + +import static org.assertj.core.api.Assertions.assertThat; + +@SuppressWarnings("removal") +class Saml2LogoutRequestMixinTests { + + private JsonMapper mapper; + + @BeforeEach + void setUp() { + ClassLoader loader = getClass().getClassLoader(); + this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build(); + } + + @Test + void shouldSerialize() throws Exception { + Saml2LogoutRequest request = TestSaml2JsonPayloads.createDefaultSaml2LogoutRequest(); + + String requestJson = this.mapper.writeValueAsString(request); + + JSONAssert.assertEquals(TestSaml2JsonPayloads.DEFAULT_LOGOUT_REQUEST_JSON, requestJson, true); + } + + @Test + void shouldDeserialize() { + deserializeAndAssertRequest(); + } + + // gh-12539 + @Test + void shouldDeserializeWhenFailOnMissingCreatorPropertiesEnabled() { + // Jackson will use reflection to initialize the binding property if this is not + // enabled + JsonMapper customizedMapper = this.mapper.rebuild() + .enable(DeserializationFeature.FAIL_ON_MISSING_CREATOR_PROPERTIES) + .build(); + deserializeAndAssertRequest(); + } + + private void deserializeAndAssertRequest() throws JacksonException { + Saml2LogoutRequest logoutRequest = this.mapper.readValue(TestSaml2JsonPayloads.DEFAULT_LOGOUT_REQUEST_JSON, + Saml2LogoutRequest.class); + + assertThat(logoutRequest).isNotNull(); + assertThat(logoutRequest.getId()).isEqualTo(TestSaml2JsonPayloads.ID); + assertThat(logoutRequest.getRelyingPartyRegistrationId()) + .isEqualTo(TestSaml2JsonPayloads.RELYINGPARTY_REGISTRATION_ID); + assertThat(logoutRequest.getSamlRequest()).isEqualTo(TestSaml2JsonPayloads.SAML_REQUEST); + assertThat(logoutRequest.getRelayState()).isEqualTo(TestSaml2JsonPayloads.RELAY_STATE); + assertThat(logoutRequest.getLocation()).isEqualTo(TestSaml2JsonPayloads.LOCATION); + assertThat(logoutRequest.getBinding()).isEqualTo(Saml2MessageBinding.REDIRECT); + Map expectedParams = new HashMap<>(); + expectedParams.put("SAMLRequest", TestSaml2JsonPayloads.SAML_REQUEST); + expectedParams.put("RelayState", TestSaml2JsonPayloads.RELAY_STATE); + expectedParams.put("AdditionalParam", TestSaml2JsonPayloads.ADDITIONAL_PARAM); + assertThat(logoutRequest.getParameters()).containsAllEntriesOf(expectedParams); + } + +} diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2PostAuthenticationRequestMixinTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2PostAuthenticationRequestMixinTests.java new file mode 100644 index 0000000000..673984566a --- /dev/null +++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2PostAuthenticationRequestMixinTests.java @@ -0,0 +1,97 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.saml2.provider.service.authentication.Saml2PostAuthenticationRequest; + +import static org.assertj.core.api.Assertions.assertThat; + +@SuppressWarnings("removal") +class Saml2PostAuthenticationRequestMixinTests { + + private JsonMapper mapper; + + @BeforeEach + void setUp() { + ClassLoader loader = getClass().getClassLoader(); + this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build(); + } + + @Test + void shouldSerialize() throws Exception { + Saml2PostAuthenticationRequest request = TestSaml2JsonPayloads.createDefaultSaml2PostAuthenticationRequest(); + + String requestJson = this.mapper.writeValueAsString(request); + + JSONAssert.assertEquals(TestSaml2JsonPayloads.DEFAULT_POST_AUTH_REQUEST_JSON, requestJson, true); + } + + @Test + void shouldDeserialize() { + Saml2PostAuthenticationRequest authRequest = this.mapper + .readValue(TestSaml2JsonPayloads.DEFAULT_POST_AUTH_REQUEST_JSON, Saml2PostAuthenticationRequest.class); + + assertThat(authRequest).isNotNull(); + assertThat(authRequest.getSamlRequest()).isEqualTo(TestSaml2JsonPayloads.SAML_REQUEST); + assertThat(authRequest.getRelayState()).isEqualTo(TestSaml2JsonPayloads.RELAY_STATE); + assertThat(authRequest.getAuthenticationRequestUri()) + .isEqualTo(TestSaml2JsonPayloads.AUTHENTICATION_REQUEST_URI); + assertThat(authRequest.getRelyingPartyRegistrationId()) + .isEqualTo(TestSaml2JsonPayloads.RELYINGPARTY_REGISTRATION_ID); + assertThat(authRequest.getId()).isEqualTo(TestSaml2JsonPayloads.ID); + } + + @Test + void shouldDeserializeWithNoRegistrationId() { + String json = TestSaml2JsonPayloads.DEFAULT_POST_AUTH_REQUEST_JSON.replace( + "\"relyingPartyRegistrationId\": \"" + TestSaml2JsonPayloads.RELYINGPARTY_REGISTRATION_ID + "\",", ""); + + Saml2PostAuthenticationRequest authRequest = this.mapper.readValue(json, Saml2PostAuthenticationRequest.class); + + assertThat(authRequest).isNotNull(); + assertThat(authRequest.getSamlRequest()).isEqualTo(TestSaml2JsonPayloads.SAML_REQUEST); + assertThat(authRequest.getRelayState()).isEqualTo(TestSaml2JsonPayloads.RELAY_STATE); + assertThat(authRequest.getAuthenticationRequestUri()) + .isEqualTo(TestSaml2JsonPayloads.AUTHENTICATION_REQUEST_URI); + assertThat(authRequest.getRelyingPartyRegistrationId()).isNull(); + assertThat(authRequest.getId()).isEqualTo(TestSaml2JsonPayloads.ID); + } + + @Test + void shouldDeserializeWithNoId() { + String json = TestSaml2JsonPayloads.DEFAULT_POST_AUTH_REQUEST_JSON + .replace(", \"id\": \"" + TestSaml2JsonPayloads.ID + "\"", ""); + + Saml2PostAuthenticationRequest authRequest = this.mapper.readValue(json, Saml2PostAuthenticationRequest.class); + + assertThat(authRequest).isNotNull(); + assertThat(authRequest.getSamlRequest()).isEqualTo(TestSaml2JsonPayloads.SAML_REQUEST); + assertThat(authRequest.getRelayState()).isEqualTo(TestSaml2JsonPayloads.RELAY_STATE); + assertThat(authRequest.getAuthenticationRequestUri()) + .isEqualTo(TestSaml2JsonPayloads.AUTHENTICATION_REQUEST_URI); + assertThat(authRequest.getRelyingPartyRegistrationId()) + .isEqualTo(TestSaml2JsonPayloads.RELYINGPARTY_REGISTRATION_ID); + assertThat(authRequest.getId()).isNull(); + } + +} diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2RedirectAuthenticationRequestMixinTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2RedirectAuthenticationRequestMixinTests.java new file mode 100644 index 0000000000..c61ad0b7c6 --- /dev/null +++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/Saml2RedirectAuthenticationRequestMixinTests.java @@ -0,0 +1,84 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest; + +import static org.assertj.core.api.Assertions.assertThat; + +@SuppressWarnings("removal") +class Saml2RedirectAuthenticationRequestMixinTests { + + private JsonMapper mapper; + + @BeforeEach + void setUp() { + ClassLoader loader = getClass().getClassLoader(); + this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build(); + } + + @Test + void shouldSerialize() throws Exception { + Saml2RedirectAuthenticationRequest request = TestSaml2JsonPayloads + .createDefaultSaml2RedirectAuthenticationRequest(); + + String requestJson = this.mapper.writeValueAsString(request); + + JSONAssert.assertEquals(TestSaml2JsonPayloads.DEFAULT_REDIRECT_AUTH_REQUEST_JSON, requestJson, true); + } + + @Test + void shouldDeserialize() throws Exception { + Saml2RedirectAuthenticationRequest authRequest = this.mapper.readValue( + TestSaml2JsonPayloads.DEFAULT_REDIRECT_AUTH_REQUEST_JSON, Saml2RedirectAuthenticationRequest.class); + + assertThat(authRequest).isNotNull(); + assertThat(authRequest.getSamlRequest()).isEqualTo(TestSaml2JsonPayloads.SAML_REQUEST); + assertThat(authRequest.getRelayState()).isEqualTo(TestSaml2JsonPayloads.RELAY_STATE); + assertThat(authRequest.getAuthenticationRequestUri()) + .isEqualTo(TestSaml2JsonPayloads.AUTHENTICATION_REQUEST_URI); + assertThat(authRequest.getSigAlg()).isEqualTo(TestSaml2JsonPayloads.SIG_ALG); + assertThat(authRequest.getSignature()).isEqualTo(TestSaml2JsonPayloads.SIGNATURE); + assertThat(authRequest.getRelyingPartyRegistrationId()) + .isEqualTo(TestSaml2JsonPayloads.RELYINGPARTY_REGISTRATION_ID); + } + + @Test + void shouldDeserializeWithNoRegistrationId() throws Exception { + String json = TestSaml2JsonPayloads.DEFAULT_REDIRECT_AUTH_REQUEST_JSON.replace( + "\"relyingPartyRegistrationId\": \"" + TestSaml2JsonPayloads.RELYINGPARTY_REGISTRATION_ID + "\",", ""); + + Saml2RedirectAuthenticationRequest authRequest = this.mapper.readValue(json, + Saml2RedirectAuthenticationRequest.class); + + assertThat(authRequest).isNotNull(); + assertThat(authRequest.getSamlRequest()).isEqualTo(TestSaml2JsonPayloads.SAML_REQUEST); + assertThat(authRequest.getRelayState()).isEqualTo(TestSaml2JsonPayloads.RELAY_STATE); + assertThat(authRequest.getAuthenticationRequestUri()) + .isEqualTo(TestSaml2JsonPayloads.AUTHENTICATION_REQUEST_URI); + assertThat(authRequest.getSigAlg()).isEqualTo(TestSaml2JsonPayloads.SIG_ALG); + assertThat(authRequest.getSignature()).isEqualTo(TestSaml2JsonPayloads.SIGNATURE); + assertThat(authRequest.getRelyingPartyRegistrationId()).isNull(); + } + +} diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/TestSaml2JsonPayloads.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/TestSaml2JsonPayloads.java new file mode 100644 index 0000000000..40e7d90e6c --- /dev/null +++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson/TestSaml2JsonPayloads.java @@ -0,0 +1,257 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.saml2.jackson; + +import java.util.Arrays; +import java.util.Collection; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.saml2.core.Saml2Error; +import org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal; +import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication; +import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException; +import org.springframework.security.saml2.provider.service.authentication.Saml2PostAuthenticationRequest; +import org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest; +import org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest; +import org.springframework.security.saml2.provider.service.registration.Saml2MessageBinding; +import org.springframework.security.saml2.provider.service.registration.TestRelyingPartyRegistrations; + +@SuppressWarnings("removal") +final class TestSaml2JsonPayloads { + + private TestSaml2JsonPayloads() { + } + + static final Map> ATTRIBUTES; + + static { + Map> tmpAttributes = new HashMap<>(); + tmpAttributes.put("name", Collections.singletonList("attr_name")); + tmpAttributes.put("email", Collections.singletonList("attr_email")); + tmpAttributes.put("listOf", Collections.unmodifiableList(Arrays.asList("Element1", "Element2", 4, true))); + ATTRIBUTES = Collections.unmodifiableMap(tmpAttributes); + } + + static final String REG_ID = "REG_ID_TEST"; + static final String REG_ID_JSON = "\"" + REG_ID + "\""; + + static final String SESSION_INDEXES_JSON = "[" + " \"java.util.Collections$UnmodifiableRandomAccessList\"," + + " [ \"Index 1\", \"Index 2\" ]" + "]"; + static final List SESSION_INDEXES = Collections.unmodifiableList(Arrays.asList("Index 1", "Index 2")); + + static final String PRINCIPAL_NAME = "principalName"; + + // @formatter:off + static final String DEFAULT_AUTHENTICATED_PRINCIPAL_JSON = "{" + + " \"@class\": \"org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal\"," + + " \"name\": \"" + PRINCIPAL_NAME + "\"," + + " \"attributes\": {" + + " \"@class\": \"java.util.Collections$UnmodifiableMap\"," + + " \"listOf\": [" + + " \"java.util.Collections$UnmodifiableRandomAccessList\"," + + " [ \"Element1\", \"Element2\", 4, true ]" + + " ]," + + " \"email\": [" + + " \"java.util.Collections$SingletonList\"," + + " [ \"attr_email\" ]" + + " ]," + + " \"name\": [" + + " \"java.util.Collections$SingletonList\"," + + " [ \"attr_name\" ]" + + " ]" + + " }," + + " \"sessionIndexes\": " + SESSION_INDEXES_JSON + "," + + " \"registrationId\": " + REG_ID_JSON + "" + + "}"; + // @formatter:on + + static DefaultSaml2AuthenticatedPrincipal createDefaultPrincipal() { + DefaultSaml2AuthenticatedPrincipal principal = new DefaultSaml2AuthenticatedPrincipal(PRINCIPAL_NAME, + ATTRIBUTES, SESSION_INDEXES); + principal.setRelyingPartyRegistrationId(REG_ID); + return principal; + } + + static final String SAML_REQUEST = "samlRequestValue"; + static final String RELAY_STATE = "relayStateValue"; + static final String AUTHENTICATION_REQUEST_URI = "authenticationRequestUriValue"; + static final String RELYINGPARTY_REGISTRATION_ID = "registrationIdValue"; + static final String SIG_ALG = "sigAlgValue"; + static final String SIGNATURE = "signatureValue"; + static final String ID = "idValue"; + + // @formatter:off + static final String DEFAULT_REDIRECT_AUTH_REQUEST_JSON = "{" + + " \"@class\": \"org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest\"," + + " \"samlRequest\": \"" + SAML_REQUEST + "\"," + + " \"relayState\": \"" + RELAY_STATE + "\"," + + " \"authenticationRequestUri\": \"" + AUTHENTICATION_REQUEST_URI + "\"," + + " \"relyingPartyRegistrationId\": \"" + RELYINGPARTY_REGISTRATION_ID + "\"," + + " \"sigAlg\": \"" + SIG_ALG + "\"," + + " \"signature\": \"" + SIGNATURE + "\"," + + " \"id\": \"" + ID + "\"" + + "}"; + // @formatter:on + + // @formatter:off + static final String DEFAULT_POST_AUTH_REQUEST_JSON = "{" + + " \"@class\": \"org.springframework.security.saml2.provider.service.authentication.Saml2PostAuthenticationRequest\"," + + " \"samlRequest\": \"" + SAML_REQUEST + "\"," + + " \"relayState\": \"" + RELAY_STATE + "\"," + + " \"relyingPartyRegistrationId\": \"" + RELYINGPARTY_REGISTRATION_ID + "\"," + + " \"authenticationRequestUri\": \"" + AUTHENTICATION_REQUEST_URI + "\"," + + " \"id\": \"" + ID + "\"" + + "}"; + // @formatter:on + + static final String LOCATION = "locationValue"; + static final String BINDNG = "REDIRECT"; + static final String ADDITIONAL_PARAM = "additionalParamValue"; + + // @formatter:off + static final String DEFAULT_LOGOUT_REQUEST_JSON = "{" + + " \"@class\": \"org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest\"," + + " \"id\": \"" + ID + "\"," + + " \"location\": \"" + LOCATION + "\"," + + " \"binding\": \"" + BINDNG + "\"," + + " \"relyingPartyRegistrationId\": \"" + RELYINGPARTY_REGISTRATION_ID + "\"," + + " \"parameters\": { " + + " \"@class\": \"java.util.Collections$UnmodifiableMap\"," + + " \"SAMLRequest\": \"" + SAML_REQUEST + "\"," + + " \"RelayState\": \"" + RELAY_STATE + "\"," + + " \"AdditionalParam\": \"" + ADDITIONAL_PARAM + "\"" + + " }" + + "}"; + // @formatter:on + + static Saml2PostAuthenticationRequest createDefaultSaml2PostAuthenticationRequest() { + return Saml2PostAuthenticationRequest + .withRelyingPartyRegistration(TestRelyingPartyRegistrations.full() + .registrationId(RELYINGPARTY_REGISTRATION_ID) + .assertingPartyMetadata((party) -> party.singleSignOnServiceLocation(AUTHENTICATION_REQUEST_URI)) + .build()) + .samlRequest(SAML_REQUEST) + .relayState(RELAY_STATE) + .id(ID) + .build(); + } + + static Saml2RedirectAuthenticationRequest createDefaultSaml2RedirectAuthenticationRequest() { + return Saml2RedirectAuthenticationRequest + .withRelyingPartyRegistration(TestRelyingPartyRegistrations.full() + .registrationId(RELYINGPARTY_REGISTRATION_ID) + .assertingPartyMetadata((party) -> party.singleSignOnServiceLocation(AUTHENTICATION_REQUEST_URI)) + .build()) + .samlRequest(SAML_REQUEST) + .relayState(RELAY_STATE) + .sigAlg(SIG_ALG) + .signature(SIGNATURE) + .id(ID) + .build(); + } + + static Saml2LogoutRequest createDefaultSaml2LogoutRequest() { + return Saml2LogoutRequest + .withRelyingPartyRegistration(TestRelyingPartyRegistrations.full() + .registrationId(RELYINGPARTY_REGISTRATION_ID) + .assertingPartyMetadata((party) -> party.singleLogoutServiceLocation(LOCATION) + .singleLogoutServiceBinding(Saml2MessageBinding.REDIRECT)) + .build()) + .id(ID) + .samlRequest(SAML_REQUEST) + .relayState(RELAY_STATE) + .parameters((params) -> params.put("AdditionalParam", ADDITIONAL_PARAM)) + .build(); + } + + static final Collection AUTHORITIES = Collections + .unmodifiableList(Arrays.asList(new SimpleGrantedAuthority("Role1"), new SimpleGrantedAuthority("Role2"))); + + static final Object DETAILS = User.withUsername("username").password("empty").authorities("A", "B").build(); + static final String SAML_RESPONSE = "samlResponseValue"; + + // @formatter:off + static final String DEFAULT_SAML2AUTHENTICATION_JSON = "{" + + " \"@class\": \"org.springframework.security.saml2.provider.service.authentication.Saml2Authentication\"," + + " \"authorities\": [" + + " \"java.util.Collections$UnmodifiableRandomAccessList\"," + + " [" + + " {" + + " \"@class\": \"org.springframework.security.core.authority.SimpleGrantedAuthority\"," + + " \"authority\": \"Role1\"" + + " }," + + " {" + + " \"@class\": \"org.springframework.security.core.authority.SimpleGrantedAuthority\"," + + " \"authority\": \"Role2\"" + + " }" + + " ]" + + " ]," + + " \"details\": {" + + " \"@class\": \"org.springframework.security.core.userdetails.User\"," + + " \"password\": \"empty\"," + + " \"username\": \"username\"," + + " \"authorities\": [" + + " \"java.util.Collections$UnmodifiableSet\", [" + + " {" + + " \"@class\":\"org.springframework.security.core.authority.SimpleGrantedAuthority\"," + + " \"authority\":\"A\"" + + " }," + + " {" + + " \"@class\":\"org.springframework.security.core.authority.SimpleGrantedAuthority\"," + + " \"authority\":\"B\"" + + " }" + + " ]]," + + " \"accountNonExpired\": true," + + " \"accountNonLocked\": true," + + " \"credentialsNonExpired\": true," + + " \"enabled\": true" + + " }," + + " \"principal\": " + DEFAULT_AUTHENTICATED_PRINCIPAL_JSON + "," + + " \"saml2Response\": \"" + SAML_RESPONSE + "\"" + + "}"; + // @formatter:on + + static Saml2Authentication createDefaultAuthentication() { + DefaultSaml2AuthenticatedPrincipal principal = createDefaultPrincipal(); + Saml2Authentication authentication = new Saml2Authentication(principal, SAML_RESPONSE, AUTHORITIES); + authentication.setDetails(DETAILS); + return authentication; + } + + // @formatter:off + static final String DEFAULT_SAML_AUTH_EXCEPTION_JSON = "{" + + " \"@class\": \"org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException\"," + + " \"detailMessage\": \"exceptionMessage\"," + + " \"error\": {" + + " \"@class\": \"org.springframework.security.saml2.core.Saml2Error\"," + + " \"errorCode\": \"errorCode\"," + + " \"description\": \"errorDescription\"" + + " }" + + "}"; + // @formatter:on + + static Saml2AuthenticationException createDefaultSaml2AuthenticationException() { + return new Saml2AuthenticationException(new Saml2Error("errorCode", "errorDescription"), "exceptionMessage"); + } + +} diff --git a/web/spring-security-web.gradle b/web/spring-security-web.gradle index 87ce691e0c..40604b1a30 100644 --- a/web/spring-security-web.gradle +++ b/web/spring-security-web.gradle @@ -46,6 +46,7 @@ dependencies { optional 'org.springframework:spring-tx' optional 'org.springframework:spring-webflux' optional 'org.springframework:spring-webmvc' + optional 'tools.jackson.core:jackson-databind' optional libs.webauthn4j.core provided 'jakarta.servlet:jakarta.servlet-api' diff --git a/web/src/main/java/org/springframework/security/web/jackson/CookieDeserializer.java b/web/src/main/java/org/springframework/security/web/jackson/CookieDeserializer.java new file mode 100644 index 0000000000..53faf16d72 --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/jackson/CookieDeserializer.java @@ -0,0 +1,65 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import jakarta.servlet.http.Cookie; +import tools.jackson.core.JacksonException; +import tools.jackson.core.JsonParser; +import tools.jackson.databind.DeserializationContext; +import tools.jackson.databind.JsonNode; +import tools.jackson.databind.ValueDeserializer; +import tools.jackson.databind.node.MissingNode; +import tools.jackson.databind.node.NullNode; + +/** + * Jackson deserializer for {@link Cookie}. This is needed because in most cases we don't + * set {@link Cookie#getDomain()} property. So when jackson deserialize that json + * {@link Cookie#setDomain(String)} throws {@link NullPointerException}. This is + * registered with {@link CookieMixin} but you can also use it with your own mixin. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see CookieMixin + */ +class CookieDeserializer extends ValueDeserializer { + + @Override + public Cookie deserialize(JsonParser jp, DeserializationContext ctxt) throws JacksonException { + JsonNode jsonNode = ctxt.readTree(jp); + Cookie cookie = new Cookie(readJsonNode(jsonNode, "name").stringValue(), + readJsonNode(jsonNode, "value").stringValue()); + JsonNode domainNode = readJsonNode(jsonNode, "domain"); + cookie.setDomain((domainNode.isMissingNode()) ? null : domainNode.stringValue()); + cookie.setMaxAge(readJsonNode(jsonNode, "maxAge").asInt(-1)); + cookie.setSecure(readJsonNode(jsonNode, "secure").asBoolean()); + JsonNode pathNode = readJsonNode(jsonNode, "path"); + cookie.setPath((pathNode.isMissingNode()) ? null : pathNode.stringValue()); + JsonNode attributes = readJsonNode(jsonNode, "attributes"); + cookie.setHttpOnly(readJsonNode(attributes, "HttpOnly") != null); + return cookie; + } + + private JsonNode readJsonNode(JsonNode jsonNode, String field) { + return hasNonNullField(jsonNode, field) ? jsonNode.get(field) : MissingNode.getInstance(); + } + + private boolean hasNonNullField(JsonNode jsonNode, String field) { + return jsonNode.has(field) && !(jsonNode.get(field) instanceof NullNode); + } + +} diff --git a/web/src/main/java/org/springframework/security/web/jackson/CookieMixin.java b/web/src/main/java/org/springframework/security/web/jackson/CookieMixin.java new file mode 100644 index 0000000000..1256bec6ff --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/jackson/CookieMixin.java @@ -0,0 +1,37 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import tools.jackson.databind.annotation.JsonDeserialize; + +/** + * Mixin class to serialize/deserialize {@link jakarta.servlet.http.Cookie} + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see WebServletJacksonModule + * @see org.springframework.security.jackson.SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonDeserialize(using = CookieDeserializer.class) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class CookieMixin { + +} diff --git a/web/src/main/java/org/springframework/security/web/jackson/DefaultCsrfTokenMixin.java b/web/src/main/java/org/springframework/security/web/jackson/DefaultCsrfTokenMixin.java new file mode 100644 index 0000000000..c7606a1ede --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/jackson/DefaultCsrfTokenMixin.java @@ -0,0 +1,48 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +/** + * Jackson mixin class to serialize/deserialize + * {@link org.springframework.security.web.csrf.DefaultCsrfToken} serialization support. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see WebJacksonModule + * @see org.springframework.security.jackson.SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +class DefaultCsrfTokenMixin { + + /** + * JsonCreator constructor needed by Jackson to create + * {@link org.springframework.security.web.csrf.DefaultCsrfToken} object. + * @param headerName the name of the header + * @param parameterName the parameter name + * @param token the CSRF token value + */ + @JsonCreator + DefaultCsrfTokenMixin(@JsonProperty("headerName") String headerName, + @JsonProperty("parameterName") String parameterName, @JsonProperty("token") String token) { + } + +} diff --git a/web/src/main/java/org/springframework/security/web/jackson/DefaultSavedRequestMixin.java b/web/src/main/java/org/springframework/security/web/jackson/DefaultSavedRequestMixin.java new file mode 100644 index 0000000000..f9eee79ee3 --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/jackson/DefaultSavedRequestMixin.java @@ -0,0 +1,45 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonInclude; +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import tools.jackson.databind.annotation.JsonDeserialize; + +import org.springframework.security.web.savedrequest.DefaultSavedRequest; + +/** + * Jackson mixin class to serialize/deserialize {@link DefaultSavedRequest}. This mixin + * use {@link DefaultSavedRequest.Builder} to deserialized json.In order to use this mixin + * class you also need to register {@link CookieMixin}. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see WebServletJacksonModule + * @see org.springframework.security.jackson.SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonDeserialize(builder = DefaultSavedRequest.Builder.class) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class DefaultSavedRequestMixin { + + @JsonInclude(JsonInclude.Include.NON_NULL) + String matchingRequestParameterName; + +} diff --git a/web/src/main/java/org/springframework/security/web/jackson/PreAuthenticatedAuthenticationTokenDeserializer.java b/web/src/main/java/org/springframework/security/web/jackson/PreAuthenticatedAuthenticationTokenDeserializer.java new file mode 100644 index 0000000000..e9913ad220 --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/jackson/PreAuthenticatedAuthenticationTokenDeserializer.java @@ -0,0 +1,79 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import java.util.List; + +import tools.jackson.core.JacksonException; +import tools.jackson.core.JsonParser; +import tools.jackson.core.type.TypeReference; +import tools.jackson.databind.DeserializationContext; +import tools.jackson.databind.JsonNode; +import tools.jackson.databind.ValueDeserializer; +import tools.jackson.databind.node.MissingNode; + +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken; + +/** + * Custom deserializer for {@link PreAuthenticatedAuthenticationToken}. At the time of + * deserialization it will invoke suitable constructor depending on the value of + * authenticated property. It will ensure that the token's state must not change. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see PreAuthenticatedAuthenticationTokenMixin + */ +class PreAuthenticatedAuthenticationTokenDeserializer extends ValueDeserializer { + + private static final TypeReference> GRANTED_AUTHORITY_LIST = new TypeReference<>() { + }; + + /** + * This method construct {@link PreAuthenticatedAuthenticationToken} object from + * serialized json. + * @param jp the JsonParser + * @param ctxt the DeserializationContext + * @return the user + * @throws tools.jackson.core.JacksonException if an error during JSON processing + * occurs + */ + @Override + public PreAuthenticatedAuthenticationToken deserialize(JsonParser jp, DeserializationContext ctxt) + throws JacksonException { + JsonNode jsonNode = ctxt.readTree(jp); + boolean authenticated = readJsonNode(jsonNode, "authenticated").asBoolean(); + JsonNode principalNode = readJsonNode(jsonNode, "principal"); + Object principal = (!principalNode.isObject()) ? principalNode.stringValue() + : ctxt.readTreeAsValue(principalNode, Object.class); + Object credentials = readJsonNode(jsonNode, "credentials").stringValue(); + JsonNode authoritiesNode = readJsonNode(jsonNode, "authorities"); + List authorities = ctxt.readTreeAsValue(authoritiesNode, + ctxt.getTypeFactory().constructType(GRANTED_AUTHORITY_LIST)); + PreAuthenticatedAuthenticationToken token = (!authenticated) + ? new PreAuthenticatedAuthenticationToken(principal, credentials) + : new PreAuthenticatedAuthenticationToken(principal, credentials, authorities); + token.setDetails(readJsonNode(jsonNode, "details")); + return token; + } + + private JsonNode readJsonNode(JsonNode jsonNode, String field) { + return jsonNode.has(field) ? jsonNode.get(field) : MissingNode.getInstance(); + } + +} diff --git a/web/src/main/java/org/springframework/security/web/jackson/PreAuthenticatedAuthenticationTokenMixin.java b/web/src/main/java/org/springframework/security/web/jackson/PreAuthenticatedAuthenticationTokenMixin.java new file mode 100644 index 0000000000..6c12158d50 --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/jackson/PreAuthenticatedAuthenticationTokenMixin.java @@ -0,0 +1,43 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import tools.jackson.databind.annotation.JsonDeserialize; + +import org.springframework.security.jackson.SecurityJacksonModules; + +/** + * This mixin class is used to serialize / deserialize + * {@link org.springframework.security.authentication.UsernamePasswordAuthenticationToken}. + * This class register a custom deserializer + * {@link PreAuthenticatedAuthenticationTokenDeserializer}. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see WebJacksonModule + * @see SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +@JsonDeserialize(using = PreAuthenticatedAuthenticationTokenDeserializer.class) +abstract class PreAuthenticatedAuthenticationTokenMixin { + +} diff --git a/web/src/main/java/org/springframework/security/web/jackson/SavedCookieMixin.java b/web/src/main/java/org/springframework/security/web/jackson/SavedCookieMixin.java new file mode 100644 index 0000000000..68b375d96d --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/jackson/SavedCookieMixin.java @@ -0,0 +1,45 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +/** + * Jackson mixin class to serialize/deserialize + * {@link org.springframework.security.web.savedrequest.SavedCookie} serialization + * support. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see WebServletJacksonModule + * @see org.springframework.security.jackson.SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class SavedCookieMixin { + + @JsonCreator + SavedCookieMixin(@JsonProperty("name") String name, @JsonProperty("value") String value, + @JsonProperty("domain") String domain, @JsonProperty("maxAge") int maxAge, + @JsonProperty("path") String path, @JsonProperty("secure") boolean secure) { + } + +} diff --git a/web/src/main/java/org/springframework/security/web/jackson/SwitchUserGrantedAuthorityMixIn.java b/web/src/main/java/org/springframework/security/web/jackson/SwitchUserGrantedAuthorityMixIn.java new file mode 100644 index 0000000000..122de53b2b --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/jackson/SwitchUserGrantedAuthorityMixIn.java @@ -0,0 +1,46 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +import org.springframework.security.core.Authentication; +import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority; + +/** + * Jackson mixin class to serialize/deserialize {@link SwitchUserGrantedAuthority}. + * + * @author Sebastien Deleuze + * @author Markus Heiden + * @since 7.0 + * @see WebJacksonModule + * @see WebServletJacksonModule + * @see org.springframework.security.jackson.SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE) +abstract class SwitchUserGrantedAuthorityMixIn { + + @JsonCreator + SwitchUserGrantedAuthorityMixIn(@JsonProperty("role") String role, @JsonProperty("source") Authentication source) { + } + +} diff --git a/web/src/main/java/org/springframework/security/web/jackson/WebAuthenticationDetailsMixin.java b/web/src/main/java/org/springframework/security/web/jackson/WebAuthenticationDetailsMixin.java new file mode 100644 index 0000000000..32b28381a9 --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/jackson/WebAuthenticationDetailsMixin.java @@ -0,0 +1,44 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +/** + * Jackson mixin class to serialize/deserialize + * {@link org.springframework.security.web.authentication.WebAuthenticationDetails}. + * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see WebServletJacksonModule + * @see org.springframework.security.jackson.SecurityJacksonModules + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY) +@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, + isGetterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY) +class WebAuthenticationDetailsMixin { + + @JsonCreator + WebAuthenticationDetailsMixin(@JsonProperty("remoteAddress") String remoteAddress, + @JsonProperty("sessionId") String sessionId) { + } + +} diff --git a/web/src/main/java/org/springframework/security/web/jackson/WebJacksonModule.java b/web/src/main/java/org/springframework/security/web/jackson/WebJacksonModule.java new file mode 100644 index 0000000000..ecd4d8942e --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/jackson/WebJacksonModule.java @@ -0,0 +1,76 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import tools.jackson.core.Version; +import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator; + +import org.springframework.security.jackson.SecurityJacksonModule; +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.web.authentication.WebAuthenticationDetails; +import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken; +import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority; +import org.springframework.security.web.csrf.DefaultCsrfToken; +import org.springframework.security.web.savedrequest.DefaultSavedRequest; +import org.springframework.security.web.savedrequest.SavedCookie; + +/** + * Jackson module for spring-security-web. This module register + * {@link DefaultCsrfTokenMixin}, {@link PreAuthenticatedAuthenticationTokenMixin} and + * {@link SwitchUserGrantedAuthorityMixIn}. + * + *

+ * The recommended way to configure it is to use {@link SecurityJacksonModules} in order + * to enable properly automatic inclusion of type information with related validation. + * + * 

+ *     ClassLoader loader = getClass().getClassLoader();
+ *     JsonMapper mapper = JsonMapper.builder()
+ * 				.addModules(SecurityJacksonModules.getModules(loader))
+ * 				.build();
+ *
+ * + * @author Sebastien Deleuze + * @author Jitendra Singh + * @since 7.0 + * @see SecurityJacksonModules + */ +@SuppressWarnings("serial") +public class WebJacksonModule extends SecurityJacksonModule { + + public WebJacksonModule() { + super(WebJacksonModule.class.getName(), new Version(1, 0, 0, null, null, null)); + } + + @Override + public void configurePolymorphicTypeValidator(BasicPolymorphicTypeValidator.Builder builder) { + builder.allowIfSubType(DefaultCsrfToken.class) + .allowIfSubType(SavedCookie.class) + .allowIfSubType(DefaultSavedRequest.class) + .allowIfSubType(WebAuthenticationDetails.class) + .allowIfSubType(PreAuthenticatedAuthenticationToken.class) + .allowIfSubType(SwitchUserGrantedAuthority.class); + } + + @Override + public void setupModule(SetupContext context) { + context.setMixIn(DefaultCsrfToken.class, DefaultCsrfTokenMixin.class); + context.setMixIn(PreAuthenticatedAuthenticationToken.class, PreAuthenticatedAuthenticationTokenMixin.class); + context.setMixIn(SwitchUserGrantedAuthority.class, SwitchUserGrantedAuthorityMixIn.class); + } + +} diff --git a/web/src/main/java/org/springframework/security/web/jackson/WebServletJacksonModule.java b/web/src/main/java/org/springframework/security/web/jackson/WebServletJacksonModule.java new file mode 100644 index 0000000000..4d716a43d8 --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/jackson/WebServletJacksonModule.java @@ -0,0 +1,73 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import jakarta.servlet.http.Cookie; +import tools.jackson.core.Version; +import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator; + +import org.springframework.security.jackson.SecurityJacksonModule; +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.web.authentication.WebAuthenticationDetails; +import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority; +import org.springframework.security.web.savedrequest.DefaultSavedRequest; +import org.springframework.security.web.savedrequest.SavedCookie; +import org.springframework.security.web.server.csrf.DefaultCsrfToken; + +/** + * Jackson module for spring-security-web related to servlet. This module registers + * {@link CookieMixin}, {@link SavedCookieMixin}, {@link DefaultSavedRequestMixin}, + * {@link WebAuthenticationDetailsMixin}, and {@link SwitchUserGrantedAuthorityMixIn}. + * + *

+ * The recommended way to configure it is to use {@link SecurityJacksonModules} in order + * to enable properly automatic inclusion of type information with related validation. + * + * 

+ *     ClassLoader loader = getClass().getClassLoader();
+ *     JsonMapper mapper = JsonMapper.builder()
+ * 				.addModules(SecurityJacksonModules.getModules(loader))
+ * 				.build();
+ *
+ * + * @author Sebastien Deleuze + * @author Boris Finkelshteyn + * @since 7.0 + * @see SecurityJacksonModules + */ +@SuppressWarnings("serial") +public class WebServletJacksonModule extends SecurityJacksonModule { + + public WebServletJacksonModule() { + super(WebServletJacksonModule.class.getName(), new Version(1, 0, 0, null, null, null)); + } + + @Override + public void configurePolymorphicTypeValidator(BasicPolymorphicTypeValidator.Builder builder) { + builder.allowIfSubType(Cookie.class).allowIfSubType(DefaultCsrfToken.class); + } + + @Override + public void setupModule(SetupContext context) { + context.setMixIn(Cookie.class, CookieMixin.class); + context.setMixIn(SavedCookie.class, SavedCookieMixin.class); + context.setMixIn(DefaultSavedRequest.class, DefaultSavedRequestMixin.class); + context.setMixIn(WebAuthenticationDetails.class, WebAuthenticationDetailsMixin.class); + context.setMixIn(SwitchUserGrantedAuthority.class, SwitchUserGrantedAuthorityMixIn.class); + } + +} diff --git a/web/src/main/java/org/springframework/security/web/jackson/package-info.java b/web/src/main/java/org/springframework/security/web/jackson/package-info.java new file mode 100644 index 0000000000..1e5c3c1d49 --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/jackson/package-info.java @@ -0,0 +1,20 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * Jackson 3+ serialization support for web. + */ +package org.springframework.security.web.jackson; diff --git a/web/src/main/java/org/springframework/security/web/jackson2/package-info.java b/web/src/main/java/org/springframework/security/web/jackson2/package-info.java index 92dbfadf4f..5137100387 100644 --- a/web/src/main/java/org/springframework/security/web/jackson2/package-info.java +++ b/web/src/main/java/org/springframework/security/web/jackson2/package-info.java @@ -15,10 +15,7 @@ */ /** - * Mix-in classes to provide Jackson serialization support. - * - * @author Jitendra Singh - * @since 4.2 + * Jackson 2 serialization support for web. */ @NullMarked package org.springframework.security.web.jackson2; diff --git a/web/src/main/java/org/springframework/security/web/server/jackson/DefaultCsrfServerTokenMixin.java b/web/src/main/java/org/springframework/security/web/server/jackson/DefaultCsrfServerTokenMixin.java new file mode 100644 index 0000000000..be1a2251af --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/server/jackson/DefaultCsrfServerTokenMixin.java @@ -0,0 +1,48 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.server.jackson; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeInfo; + +/** + * Jackson mixin class to serialize/deserialize + * {@link org.springframework.security.web.server.csrf.DefaultCsrfToken} serialization + * support. + * + * @author Sebastien Deleuze + * @author Boris Finkelshteyn + * @since 7.0 + * @see WebServerJacksonModule + */ +@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +class DefaultCsrfServerTokenMixin { + + /** + * JsonCreator constructor needed by Jackson to create + * {@link org.springframework.security.web.server.csrf.DefaultCsrfToken} object. + * @param headerName the name of the header + * @param parameterName the parameter name + * @param token the CSRF token value + */ + @JsonCreator + DefaultCsrfServerTokenMixin(@JsonProperty("headerName") String headerName, + @JsonProperty("parameterName") String parameterName, @JsonProperty("token") String token) { + } + +} diff --git a/web/src/main/java/org/springframework/security/web/server/jackson/WebServerJacksonModule.java b/web/src/main/java/org/springframework/security/web/server/jackson/WebServerJacksonModule.java new file mode 100644 index 0000000000..985b86dee0 --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/server/jackson/WebServerJacksonModule.java @@ -0,0 +1,65 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.server.jackson; + +import tools.jackson.core.Version; +import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator; + +import org.springframework.security.jackson.SecurityJacksonModule; +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.web.server.csrf.DefaultCsrfToken; + +/** + * Jackson module for spring-security-web-flux. This module register + * {@link DefaultCsrfServerTokenMixin}. + * + *

+ * The recommended way to configure it is to use {@link SecurityJacksonModules} in order + * to enable properly automatic inclusion of type information with related validation. + * + * 

+ *     ClassLoader loader = getClass().getClassLoader();
+ *     JsonMapper mapper = JsonMapper.builder()
+ * 				.addModules(SecurityJacksonModules.getModules(loader))
+ * 				.build();
+ *
+ * + * @author Boris Finkelshteyn + * @since 5.1 + * @see SecurityJacksonModules + */ +@SuppressWarnings("serial") +public class WebServerJacksonModule extends SecurityJacksonModule { + + private static final String NAME = WebServerJacksonModule.class.getName(); + + private static final Version VERSION = new Version(1, 0, 0, null, null, null); + + public WebServerJacksonModule() { + super(NAME, VERSION); + } + + @Override + public void configurePolymorphicTypeValidator(BasicPolymorphicTypeValidator.Builder builder) { + } + + @Override + public void setupModule(SetupContext context) { + context.setMixIn(DefaultCsrfToken.class, DefaultCsrfServerTokenMixin.class); + } + +} diff --git a/web/src/main/java/org/springframework/security/web/server/jackson/package-info.java b/web/src/main/java/org/springframework/security/web/server/jackson/package-info.java new file mode 100644 index 0000000000..2427f318c6 --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/server/jackson/package-info.java @@ -0,0 +1,23 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * Jackson 3+ serialization support for reactive web server. + */ +@NullMarked +package org.springframework.security.web.server.jackson; + +import org.jspecify.annotations.NullMarked; diff --git a/web/src/main/java/org/springframework/security/web/server/jackson2/package-info.java b/web/src/main/java/org/springframework/security/web/server/jackson2/package-info.java index 30c26db3ea..db2a9e0ac5 100644 --- a/web/src/main/java/org/springframework/security/web/server/jackson2/package-info.java +++ b/web/src/main/java/org/springframework/security/web/server/jackson2/package-info.java @@ -15,7 +15,7 @@ */ /** - * Reactive web jackson2 integration. + * Jackson 2 serialization support for reactive web server. */ @NullMarked package org.springframework.security.web.server.jackson2; diff --git a/web/src/test/java/org/springframework/security/web/jackson/AbstractMixinTests.java b/web/src/test/java/org/springframework/security/web/jackson/AbstractMixinTests.java new file mode 100644 index 0000000000..3ee641b98d --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/jackson/AbstractMixinTests.java @@ -0,0 +1,38 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import org.junit.jupiter.api.BeforeEach; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.security.jackson.SecurityJacksonModules; + +/** + * @author Sebastien Deleuze + * @author Jitenra Singh + */ +public abstract class AbstractMixinTests { + + protected JsonMapper mapper; + + @BeforeEach + public void setup() { + ClassLoader loader = getClass().getClassLoader(); + this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build(); + } + +} diff --git a/web/src/test/java/org/springframework/security/web/jackson/CookieMixinTests.java b/web/src/test/java/org/springframework/security/web/jackson/CookieMixinTests.java new file mode 100644 index 0000000000..ffc69702a3 --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/jackson/CookieMixinTests.java @@ -0,0 +1,95 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import jakarta.servlet.http.Cookie; +import org.json.JSONException; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.core.JacksonException; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * @author Jitendra Singh + * @since 4.2 + */ +public class CookieMixinTests extends AbstractMixinTests { + + // @formatter:off + private static final String COOKIE_JSON = "{" + + " \"@class\": \"jakarta.servlet.http.Cookie\"," + + " \"name\": \"demo\"," + + " \"value\": \"cookie1\"," + + " \"attributes\":{\"@class\":\"java.util.Collections$EmptyMap\"}," + + " \"comment\": null," + + " \"maxAge\": -1," + + " \"path\": null," + + " \"secure\": false," + + " \"version\": 0," + + " \"domain\": null" + + "}"; + // @formatter:on + + // @formatter:off + private static final String COOKIE_HTTP_ONLY_JSON = "{" + + " \"@class\": \"jakarta.servlet.http.Cookie\"," + + " \"name\": \"demo\"," + + " \"value\": \"cookie1\"," + + " \"attributes\":{\"@class\":\"java.util.Collections$UnmodifiableMap\", \"HttpOnly\": \"\"}," + + " \"comment\": null," + + " \"maxAge\": -1," + + " \"path\": null," + + " \"secure\": false," + + " \"version\": 0," + + " \"domain\": null" + + "}"; + // @formatter:on + + @Test + public void serializeCookie() throws JacksonException, JSONException { + Cookie cookie = new Cookie("demo", "cookie1"); + String actualString = this.mapper.writeValueAsString(cookie); + JSONAssert.assertEquals(COOKIE_JSON, actualString, true); + } + + @Test + public void deserializeCookie() { + Cookie cookie = this.mapper.readValue(COOKIE_JSON, Cookie.class); + assertThat(cookie).isNotNull(); + assertThat(cookie.getName()).isEqualTo("demo"); + assertThat(cookie.getDomain()).isNull(); + } + + @Test + public void serializeCookieWithHttpOnly() throws JacksonException, JSONException { + Cookie cookie = new Cookie("demo", "cookie1"); + cookie.setHttpOnly(true); + String actualString = this.mapper.writeValueAsString(cookie); + JSONAssert.assertEquals(COOKIE_HTTP_ONLY_JSON, actualString, true); + } + + @Test + public void deserializeCookieWithHttpOnly() { + Cookie cookie = this.mapper.readValue(COOKIE_HTTP_ONLY_JSON, Cookie.class); + assertThat(cookie).isNotNull(); + assertThat(cookie.getName()).isEqualTo("demo"); + assertThat(cookie.getDomain()).isNull(); + assertThat(cookie.isHttpOnly()).isEqualTo(true); + } + +} diff --git a/web/src/test/java/org/springframework/security/web/jackson/DefaultCsrfTokenMixinTests.java b/web/src/test/java/org/springframework/security/web/jackson/DefaultCsrfTokenMixinTests.java new file mode 100644 index 0000000000..035a32107e --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/jackson/DefaultCsrfTokenMixinTests.java @@ -0,0 +1,73 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import org.json.JSONException; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.core.JacksonException; + +import org.springframework.security.web.csrf.DefaultCsrfToken; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; + +/** + * @author Jitendra Singh + * @since 4.2 + */ +public class DefaultCsrfTokenMixinTests extends AbstractMixinTests { + + // @formatter:off + public static final String CSRF_JSON = "{" + + "\"@class\": \"org.springframework.security.web.csrf.DefaultCsrfToken\", " + + "\"headerName\": \"csrf-header\", " + + "\"parameterName\": \"_csrf\", " + + "\"token\": \"1\"" + + "}"; + // @formatter:on + @Test + public void defaultCsrfTokenSerializedTest() throws JacksonException, JSONException { + DefaultCsrfToken token = new DefaultCsrfToken("csrf-header", "_csrf", "1"); + String serializedJson = this.mapper.writeValueAsString(token); + JSONAssert.assertEquals(CSRF_JSON, serializedJson, true); + } + + @Test + public void defaultCsrfTokenDeserializeTest() { + DefaultCsrfToken token = this.mapper.readValue(CSRF_JSON, DefaultCsrfToken.class); + assertThat(token).isNotNull(); + assertThat(token.getHeaderName()).isEqualTo("csrf-header"); + assertThat(token.getParameterName()).isEqualTo("_csrf"); + assertThat(token.getToken()).isEqualTo("1"); + } + + @Test + public void defaultCsrfTokenDeserializeWithoutClassTest() { + String tokenJson = "{\"headerName\": \"csrf-header\", \"parameterName\": \"_csrf\", \"token\": \"1\"}"; + assertThatExceptionOfType(JacksonException.class) + .isThrownBy(() -> this.mapper.readValue(tokenJson, DefaultCsrfToken.class)); + } + + @Test + public void defaultCsrfTokenDeserializeNullValuesTest() { + String tokenJson = "{\"@class\": \"org.springframework.security.web.csrf.DefaultCsrfToken\", \"headerName\": \"\", \"parameterName\": null, \"token\": \"1\"}"; + assertThatExceptionOfType(JacksonException.class) + .isThrownBy(() -> this.mapper.readValue(tokenJson, DefaultCsrfToken.class)); + } + +} diff --git a/web/src/test/java/org/springframework/security/web/jackson/DefaultSavedRequestMixinTests.java b/web/src/test/java/org/springframework/security/web/jackson/DefaultSavedRequestMixinTests.java new file mode 100644 index 0000000000..fd1e3df743 --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/jackson/DefaultSavedRequestMixinTests.java @@ -0,0 +1,172 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import java.io.IOException; +import java.util.Collections; +import java.util.Locale; + +import jakarta.servlet.http.Cookie; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletRequestWrapper; +import org.json.JSONException; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; + +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.security.web.savedrequest.DefaultSavedRequest; +import org.springframework.security.web.savedrequest.SavedCookie; +import org.springframework.security.web.util.UrlUtils; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * @author Jitendra Singh + * @since 4.2 + */ +public class DefaultSavedRequestMixinTests extends AbstractMixinTests { + + // @formatter:off + private static final String COOKIES_JSON = "[\"java.util.ArrayList\", [{" + + "\"@class\": \"org.springframework.security.web.savedrequest.SavedCookie\", " + + "\"name\": \"SESSION\", " + + "\"value\": \"123456789\", " + + "\"maxAge\": -1, " + + "\"path\": null, " + + "\"secure\":false, " + + "\"domain\": null" + + "}]]"; + // @formatter:on + // @formatter:off + private static final String REQUEST_JSON = "{" + + "\"@class\": \"org.springframework.security.web.savedrequest.DefaultSavedRequest\", " + + "\"cookies\": " + COOKIES_JSON + "," + + "\"locales\": [\"java.util.ArrayList\", [\"en\"]], " + + "\"headers\": {\"@class\": \"java.util.TreeMap\", \"x-auth-token\": [\"java.util.ArrayList\", [\"12\"]]}, " + + "\"parameters\": {\"@class\": \"java.util.TreeMap\"}," + + "\"contextPath\": \"\", " + + "\"method\": \"\", " + + "\"pathInfo\": null, " + + "\"queryString\": null, " + + "\"requestURI\": \"\", " + + "\"requestURL\": \"http://localhost\", " + + "\"scheme\": \"http\", " + + "\"serverName\": \"localhost\", " + + "\"servletPath\": \"\", " + + "\"serverPort\": 80" + + "}"; + // @formatter:on + // @formatter:off + private static final String REQUEST_WITH_MATCHING_REQUEST_PARAM_NAME_JSON = "{" + + "\"@class\": \"org.springframework.security.web.savedrequest.DefaultSavedRequest\", " + + "\"cookies\": " + COOKIES_JSON + "," + + "\"locales\": [\"java.util.ArrayList\", [\"en\"]], " + + "\"headers\": {\"@class\": \"java.util.TreeMap\", \"x-auth-token\": [\"java.util.ArrayList\", [\"12\"]]}, " + + "\"parameters\": {\"@class\": \"java.util.TreeMap\"}," + + "\"contextPath\": \"\", " + + "\"method\": \"\", " + + "\"pathInfo\": null, " + + "\"queryString\": null, " + + "\"requestURI\": \"\", " + + "\"requestURL\": \"http://localhost\", " + + "\"scheme\": \"http\", " + + "\"serverName\": \"localhost\", " + + "\"servletPath\": \"\", " + + "\"serverPort\": 80, " + + "\"matchingRequestParameterName\": \"success\"" + + "}"; + // @formatter:on + @Test + public void matchRequestBuildWithConstructorAndBuilder() { + DefaultSavedRequest request = new DefaultSavedRequest.Builder() + .setCookies(Collections.singletonList(new SavedCookie(new Cookie("SESSION", "123456789")))) + .setHeaders(Collections.singletonMap("x-auth-token", Collections.singletonList("12"))) + .setScheme("http") + .setRequestURL("http://localhost") + .setServerName("localhost") + .setRequestURI("") + .setLocales(Collections.singletonList(new Locale("en"))) + .setContextPath("") + .setMethod("") + .setServletPath("") + .build(); + MockHttpServletRequest mockRequest = new MockHttpServletRequest(); + mockRequest.setCookies(new Cookie("SESSION", "123456789")); + mockRequest.addHeader("x-auth-token", "12"); + String currentUrl = UrlUtils.buildFullRequestUrl(mockRequest); + assertThat(request.getRedirectUrl().equals(currentUrl)).isTrue(); + } + + @Test + public void serializeDefaultRequestBuildWithConstructorTest() throws IOException, JSONException { + MockHttpServletRequest request = new MockHttpServletRequest(); + request.addHeader("x-auth-token", "12"); + // Spring 5 MockHttpServletRequest automatically adds a header when the cookies + // are set. To get consistency we override the request. + HttpServletRequest requestToWrite = new HttpServletRequestWrapper(request) { + @Override + public Cookie[] getCookies() { + return new Cookie[] { new Cookie("SESSION", "123456789") }; + } + }; + String actualString = this.mapper.writerWithDefaultPrettyPrinter() + .writeValueAsString(new DefaultSavedRequest(requestToWrite)); + JSONAssert.assertEquals(REQUEST_JSON, actualString, true); + } + + @Test + public void serializeDefaultRequestBuildWithBuilderTest() throws IOException, JSONException { + DefaultSavedRequest request = new DefaultSavedRequest.Builder() + .setCookies(Collections.singletonList(new SavedCookie(new Cookie("SESSION", "123456789")))) + .setHeaders(Collections.singletonMap("x-auth-token", Collections.singletonList("12"))) + .setScheme("http") + .setRequestURL("http://localhost") + .setServerName("localhost") + .setRequestURI("") + .setLocales(Collections.singletonList(new Locale("en"))) + .setContextPath("") + .setMethod("") + .setServletPath("") + .build(); + String actualString = this.mapper.writerWithDefaultPrettyPrinter().writeValueAsString(request); + JSONAssert.assertEquals(REQUEST_JSON, actualString, true); + } + + @Test + public void deserializeDefaultSavedRequest() { + DefaultSavedRequest request = (DefaultSavedRequest) this.mapper.readValue(REQUEST_JSON, Object.class); + assertThat(request).isNotNull(); + assertThat(request.getCookies()).hasSize(1); + assertThat(request.getLocales()).hasSize(1).contains(new Locale("en")); + assertThat(request.getHeaderNames()).hasSize(1).contains("x-auth-token"); + assertThat(request.getHeaderValues("x-auth-token")).hasSize(1).contains("12"); + } + + @Test + public void deserializeWhenMatchingRequestParameterNameThenRedirectUrlContainsParam() { + DefaultSavedRequest request = (DefaultSavedRequest) this.mapper + .readValue(REQUEST_WITH_MATCHING_REQUEST_PARAM_NAME_JSON, Object.class); + assertThat(request.getRedirectUrl()).isEqualTo("http://localhost?success"); + } + + @Test + public void deserializeWhenNullMatchingRequestParameterNameThenRedirectUrlDoesNotContainParam() { + DefaultSavedRequest request = (DefaultSavedRequest) this.mapper.readValue(REQUEST_JSON, Object.class); + assertThat(request.getRedirectUrl()).isEqualTo("http://localhost"); + } + +} diff --git a/web/src/test/java/org/springframework/security/web/jackson/PreAuthenticatedAuthenticationTokenMixinTests.java b/web/src/test/java/org/springframework/security/web/jackson/PreAuthenticatedAuthenticationTokenMixinTests.java new file mode 100644 index 0000000000..b04646db11 --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/jackson/PreAuthenticatedAuthenticationTokenMixinTests.java @@ -0,0 +1,70 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import org.json.JSONException; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.core.JacksonException; + +import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.jackson2.SimpleGrantedAuthorityMixinTests; +import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * @author Rob Winch + * @since 4.2 + */ +public class PreAuthenticatedAuthenticationTokenMixinTests extends AbstractMixinTests { + + // @formatter:off + private static final String PREAUTH_JSON = "{" + + "\"@class\": \"org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken\"," + + "\"principal\": \"principal\", " + + "\"credentials\": \"credentials\", " + + "\"authenticated\": true, " + + "\"details\": null, " + + "\"authorities\": " + SimpleGrantedAuthorityMixinTests.AUTHORITIES_ARRAYLIST_JSON + + "}"; + // @formatter:on + PreAuthenticatedAuthenticationToken expected; + + @BeforeEach + public void setupExpected() { + this.expected = new PreAuthenticatedAuthenticationToken("principal", "credentials", + AuthorityUtils.createAuthorityList("ROLE_USER")); + } + + @Test + public void serializeWhenPrincipalCredentialsAuthoritiesThenSuccess() throws JacksonException, JSONException { + String serializedJson = this.mapper.writeValueAsString(this.expected); + JSONAssert.assertEquals(PREAUTH_JSON, serializedJson, true); + } + + @Test + public void deserializeAuthenticatedUsernamePasswordAuthenticationTokenMixinTest() { + PreAuthenticatedAuthenticationToken deserialized = this.mapper.readValue(PREAUTH_JSON, + PreAuthenticatedAuthenticationToken.class); + assertThat(deserialized).isNotNull(); + assertThat(deserialized.isAuthenticated()).isTrue(); + assertThat(deserialized.getAuthorities()).isEqualTo(this.expected.getAuthorities()); + } + +} diff --git a/web/src/test/java/org/springframework/security/web/jackson/SavedCookieMixinTests.java b/web/src/test/java/org/springframework/security/web/jackson/SavedCookieMixinTests.java new file mode 100644 index 0000000000..efa7fc8bf1 --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/jackson/SavedCookieMixinTests.java @@ -0,0 +1,98 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import java.util.ArrayList; +import java.util.List; + +import jakarta.servlet.http.Cookie; +import org.json.JSONException; +import org.junit.jupiter.api.Disabled; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.core.JacksonException; + +import org.springframework.security.web.savedrequest.SavedCookie; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * @author Jitendra Singh + */ +public class SavedCookieMixinTests extends AbstractMixinTests { + + // @formatter:off + private static final String COOKIE_JSON = "{" + + "\"@class\": \"org.springframework.security.web.savedrequest.SavedCookie\", " + + "\"name\": \"SESSION\", " + + "\"value\": \"123456789\", " + + "\"maxAge\": -1, " + + "\"path\": null, " + + "\"secure\":false, " + + "\"domain\": null" + + "}"; + // @formatter:on + // @formatter:off + private static final String COOKIES_JSON = "[\"java.util.ArrayList\", [" + + COOKIE_JSON + + "]]"; + // @formatter:on + @Test + public void serializeWithDefaultConfigurationTest() throws JacksonException, JSONException { + SavedCookie savedCookie = new SavedCookie(new Cookie("SESSION", "123456789")); + String actualJson = this.mapper.writeValueAsString(savedCookie); + JSONAssert.assertEquals(COOKIE_JSON, actualJson, true); + } + + @Test + @Disabled("No supported by Jackson 3 as ObjectMapper/JsonMapper is immutable") + public void serializeWithOverrideConfigurationTest() throws JacksonException, JSONException { + SavedCookie savedCookie = new SavedCookie(new Cookie("SESSION", "123456789")); + // this.mapper.setVisibility(PropertyAccessor.FIELD, + // JsonAutoDetect.Visibility.PUBLIC_ONLY) + // .setVisibility(PropertyAccessor.GETTER, JsonAutoDetect.Visibility.ANY); + String actualJson = this.mapper.writeValueAsString(savedCookie); + JSONAssert.assertEquals(COOKIE_JSON, actualJson, true); + } + + @Test + public void serializeSavedCookieWithList() throws JacksonException, JSONException { + List savedCookies = new ArrayList<>(); + savedCookies.add(new SavedCookie(new Cookie("SESSION", "123456789"))); + String actualJson = this.mapper.writeValueAsString(savedCookies); + JSONAssert.assertEquals(COOKIES_JSON, actualJson, true); + } + + @Test + @SuppressWarnings("unchecked") + public void deserializeSavedCookieWithList() { + List savedCookies = (List) this.mapper.readValue(COOKIES_JSON, Object.class); + assertThat(savedCookies).isNotNull().hasSize(1); + assertThat(savedCookies.get(0).getName()).isEqualTo("SESSION"); + assertThat(savedCookies.get(0).getValue()).isEqualTo("123456789"); + } + + @Test + public void deserializeSavedCookieJsonTest() { + SavedCookie savedCookie = (SavedCookie) this.mapper.readValue(COOKIE_JSON, Object.class); + assertThat(savedCookie).isNotNull(); + assertThat(savedCookie.getName()).isEqualTo("SESSION"); + assertThat(savedCookie.getValue()).isEqualTo("123456789"); + assertThat(savedCookie.isSecure()).isEqualTo(false); + } + +} diff --git a/web/src/test/java/org/springframework/security/web/jackson/SwitchUserGrantedAuthorityMixInTests.java b/web/src/test/java/org/springframework/security/web/jackson/SwitchUserGrantedAuthorityMixInTests.java new file mode 100644 index 0000000000..445e39e5f5 --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/jackson/SwitchUserGrantedAuthorityMixInTests.java @@ -0,0 +1,82 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.databind.json.JsonMapper; + +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.jackson.SecurityJacksonModules; +import org.springframework.security.jackson.SimpleGrantedAuthorityMixinTests; +import org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * @author Markus Heiden + * @since 6.3 + */ +public class SwitchUserGrantedAuthorityMixInTests { + + // language=JSON + private static final String SWITCH_JSON = """ + { + "@class": "org.springframework.security.web.authentication.switchuser.SwitchUserGrantedAuthority", + "role": "switched", + "source": { + "@class": "org.springframework.security.authentication.UsernamePasswordAuthenticationToken", + "principal": "principal", + "credentials": "credentials", + "authenticated": true, + "details": null, + "authorities": %s + } + } + """.formatted(SimpleGrantedAuthorityMixinTests.AUTHORITIES_ARRAYLIST_JSON); + + private Authentication source; + + private JsonMapper mapper; + + @BeforeEach + public void setUp() { + this.source = new UsernamePasswordAuthenticationToken("principal", "credentials", + AuthorityUtils.createAuthorityList("ROLE_USER")); + ClassLoader classLoader = SwitchUserGrantedAuthorityMixInTests.class.getClassLoader(); + this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(classLoader)).build(); + } + + @Test + public void serializeWhenPrincipalCredentialsAuthoritiesThenSuccess() throws Exception { + SwitchUserGrantedAuthority expected = new SwitchUserGrantedAuthority("switched", this.source); + String serializedJson = this.mapper.writeValueAsString(expected); + JSONAssert.assertEquals(SWITCH_JSON, serializedJson, true); + } + + @Test + public void deserializeWhenSourceIsUsernamePasswordAuthenticationTokenThenSuccess() { + SwitchUserGrantedAuthority deserialized = this.mapper.readValue(SWITCH_JSON, SwitchUserGrantedAuthority.class); + assertThat(deserialized).isNotNull(); + assertThat(deserialized.getAuthority()).isEqualTo("switched"); + assertThat(deserialized.getSource()).isEqualTo(this.source); + } + +} diff --git a/web/src/test/java/org/springframework/security/web/jackson/WebAuthenticationDetailsMixinTests.java b/web/src/test/java/org/springframework/security/web/jackson/WebAuthenticationDetailsMixinTests.java new file mode 100644 index 0000000000..f4f14b5492 --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/jackson/WebAuthenticationDetailsMixinTests.java @@ -0,0 +1,81 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.jackson; + +import org.json.JSONException; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.core.JacksonException; + +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpSession; +import org.springframework.security.web.authentication.WebAuthenticationDetails; + +import static org.assertj.core.api.Assertions.assertThat; + +/** + * @author Jitendra Singh + * @since 4.2 + */ +public class WebAuthenticationDetailsMixinTests extends AbstractMixinTests { + + // @formatter:off + private static final String AUTHENTICATION_DETAILS_JSON = "{" + + "\"@class\": \"org.springframework.security.web.authentication.WebAuthenticationDetails\"," + + "\"sessionId\": \"1\", " + + "\"remoteAddress\": " + + "\"/localhost\"" + + "}"; + // @formatter:on + @Test + public void buildWebAuthenticationDetailsUsingDifferentConstructors() { + MockHttpServletRequest request = new MockHttpServletRequest(); + request.setRemoteAddr("localhost"); + request.setSession(new MockHttpSession(null, "1")); + WebAuthenticationDetails details = new WebAuthenticationDetails(request); + WebAuthenticationDetails authenticationDetails = this.mapper.readValue(AUTHENTICATION_DETAILS_JSON, + WebAuthenticationDetails.class); + assertThat(details.equals(authenticationDetails)); + } + + @Test + public void webAuthenticationDetailsSerializeTest() throws JacksonException, JSONException { + MockHttpServletRequest request = new MockHttpServletRequest(); + request.setRemoteAddr("/localhost"); + request.setSession(new MockHttpSession(null, "1")); + WebAuthenticationDetails details = new WebAuthenticationDetails(request); + String actualJson = this.mapper.writeValueAsString(details); + JSONAssert.assertEquals(AUTHENTICATION_DETAILS_JSON, actualJson, true); + } + + @Test + public void webAuthenticationDetailsJackson2SerializeTest() throws JacksonException, JSONException { + WebAuthenticationDetails details = new WebAuthenticationDetails("/localhost", "1"); + String actualJson = this.mapper.writeValueAsString(details); + JSONAssert.assertEquals(AUTHENTICATION_DETAILS_JSON, actualJson, true); + } + + @Test + public void webAuthenticationDetailsDeserializeTest() { + WebAuthenticationDetails details = this.mapper.readValue(AUTHENTICATION_DETAILS_JSON, + WebAuthenticationDetails.class); + assertThat(details).isNotNull(); + assertThat(details.getRemoteAddress()).isEqualTo("/localhost"); + assertThat(details.getSessionId()).isEqualTo("1"); + } + +} diff --git a/web/src/test/java/org/springframework/security/web/server/jackson/DefaultCsrfServerTokenMixinTests.java b/web/src/test/java/org/springframework/security/web/server/jackson/DefaultCsrfServerTokenMixinTests.java new file mode 100644 index 0000000000..177cf7d924 --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/server/jackson/DefaultCsrfServerTokenMixinTests.java @@ -0,0 +1,76 @@ +/* + * Copyright 2004-present the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.server.jackson; + +import java.io.IOException; + +import org.json.JSONException; +import org.junit.jupiter.api.Test; +import org.skyscreamer.jsonassert.JSONAssert; +import tools.jackson.core.JacksonException; + +import org.springframework.security.web.jackson.AbstractMixinTests; +import org.springframework.security.web.server.csrf.DefaultCsrfToken; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.assertj.core.api.Assertions.assertThatExceptionOfType; + +/** + * @author Sebastien Deleuze + * @author Boris Finkelshteyn + */ +public class DefaultCsrfServerTokenMixinTests extends AbstractMixinTests { + + // @formatter:off + private static final String CSRF_JSON = "{" + + "\"@class\": \"org.springframework.security.web.server.csrf.DefaultCsrfToken\", " + + "\"headerName\": \"csrf-header\", " + + "\"parameterName\": \"_csrf\", " + + "\"token\": \"1\"" + + "}"; + // @formatter:on + @Test + public void defaultCsrfTokenSerializedTest() throws JacksonException, JSONException { + DefaultCsrfToken token = new DefaultCsrfToken("csrf-header", "_csrf", "1"); + String serializedJson = this.mapper.writeValueAsString(token); + JSONAssert.assertEquals(CSRF_JSON, serializedJson, true); + } + + @Test + public void defaultCsrfTokenDeserializeTest() throws IOException { + DefaultCsrfToken token = this.mapper.readValue(CSRF_JSON, DefaultCsrfToken.class); + assertThat(token).isNotNull(); + assertThat(token.getHeaderName()).isEqualTo("csrf-header"); + assertThat(token.getParameterName()).isEqualTo("_csrf"); + assertThat(token.getToken()).isEqualTo("1"); + } + + @Test + public void defaultCsrfTokenDeserializeWithoutClassTest() throws IOException { + String tokenJson = "{\"headerName\": \"csrf-header\", \"parameterName\": \"_csrf\", \"token\": \"1\"}"; + assertThatExceptionOfType(JacksonException.class) + .isThrownBy(() -> this.mapper.readValue(tokenJson, DefaultCsrfToken.class)); + } + + @Test + public void defaultCsrfTokenDeserializeNullValuesTest() throws IOException { + String tokenJson = "{\"@class\": \"org.springframework.security.web.server.csrf.DefaultCsrfToken\", \"headerName\": \"\", \"parameterName\": null, \"token\": \"1\"}"; + assertThatExceptionOfType(JacksonException.class) + .isThrownBy(() -> this.mapper.readValue(tokenJson, DefaultCsrfToken.class)); + } + +} diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentDeserializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentDeserializer.java index 895b594af6..46965fe508 100644 --- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentDeserializer.java +++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentDeserializer.java @@ -16,13 +16,11 @@ package org.springframework.security.web.webauthn.jackson; -import java.io.IOException; - -import com.fasterxml.jackson.core.JacksonException; -import com.fasterxml.jackson.core.JsonParser; -import com.fasterxml.jackson.databind.DeserializationContext; -import com.fasterxml.jackson.databind.deser.std.StdDeserializer; import org.jspecify.annotations.Nullable; +import tools.jackson.core.JacksonException; +import tools.jackson.core.JsonParser; +import tools.jackson.databind.DeserializationContext; +import tools.jackson.databind.deser.std.StdDeserializer; import org.springframework.security.web.webauthn.api.AuthenticatorAttachment; @@ -41,7 +39,7 @@ class AuthenticatorAttachmentDeserializer extends StdDeserializer Date: Mon, 1 Sep 2025 18:24:08 +0200 Subject: [PATCH 04/14] Deprecate Jackson 2 support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit does not cover webauthn which is a special case (uses jackson sub-package for Jackson 2 support) which will be handled in a distinct commit. See gh-17832 Signed-off-by: Sébastien Deleuze --- .../security/cas/jackson2/AssertionImplMixin.java | 5 +++++ .../cas/jackson2/AttributePrincipalImplMixin.java | 6 ++++++ .../cas/jackson2/CasAuthenticationTokenMixin.java | 6 +++++- .../security/cas/jackson2/CasJackson2Module.java | 7 +++++-- .../jackson2/CasAuthenticationTokenMixinTests.java | 1 + .../AbstractUnmodifiableCollectionDeserializer.java | 5 +++++ .../jackson2/AnonymousAuthenticationTokenMixin.java | 5 +++++ .../jackson2/BadCredentialsExceptionMixin.java | 5 +++++ .../security/jackson2/CoreJackson2Module.java | 7 +++++-- .../jackson2/FactorGrantedAuthorityMixin.java | 6 ++++++ .../jackson2/RememberMeAuthenticationTokenMixin.java | 5 +++++ .../security/jackson2/SecurityJackson2Modules.java | 5 ++++- .../jackson2/SimpleGrantedAuthorityMixin.java | 5 +++++ .../jackson2/UnmodifiableListDeserializer.java | 3 +++ .../security/jackson2/UnmodifiableListMixin.java | 3 +++ .../jackson2/UnmodifiableMapDeserializer.java | 3 +++ .../security/jackson2/UnmodifiableMapMixin.java | 3 +++ .../jackson2/UnmodifiableSetDeserializer.java | 3 +++ .../security/jackson2/UnmodifiableSetMixin.java | 3 +++ .../security/jackson2/UserDeserializer.java | 4 ++++ .../springframework/security/jackson2/UserMixin.java | 4 ++++ ...ernamePasswordAuthenticationTokenDeserializer.java | 5 +++++ .../UsernamePasswordAuthenticationTokenMixin.java | 5 +++++ .../security/jackson2/AbstractMixinTests.java | 1 + .../jackson2/SecurityJackson2ModulesTests.java | 1 + .../security/ldap/jackson2/InetOrgPersonMixin.java | 4 ++++ .../security/ldap/jackson2/LdapAuthorityMixin.java | 4 ++++ .../security/ldap/jackson2/LdapJackson2Module.java | 5 ++++- .../ldap/jackson2/LdapUserDetailsImplMixin.java | 5 +++++ .../security/ldap/jackson2/PersonMixin.java | 4 ++++ .../ldap/jackson2/InetOrgPersonMixinTests.java | 1 + .../ldap/jackson2/LdapUserDetailsImplMixinTests.java | 1 + .../security/ldap/jackson2/PersonMixinTests.java | 1 + .../server/authorization/jackson2/DurationMixin.java | 2 ++ .../server/authorization/jackson2/HashSetMixin.java | 2 ++ .../server/authorization/jackson2/JsonNodeUtils.java | 4 ++++ .../authorization/jackson2/JwsAlgorithmMixin.java | 4 ++++ .../OAuth2AuthorizationRequestDeserializer.java | 5 +++++ .../jackson2/OAuth2AuthorizationRequestMixin.java | 5 +++++ .../OAuth2AuthorizationServerJackson2Module.java | 6 +++++- .../jackson2/OAuth2TokenExchangeActorMixin.java | 4 ++++ ...okenExchangeCompositeAuthenticationTokenMixin.java | 4 ++++ .../jackson2/OAuth2TokenFormatMixin.java | 4 ++++ .../authorization/jackson2/StringArrayMixin.java | 2 ++ .../jackson2/UnmodifiableMapDeserializer.java | 3 +++ .../authorization/jackson2/UnmodifiableMapMixin.java | 3 +++ .../OAuth2AuthorizationServerJackson2ModuleTests.java | 1 + .../jackson2/ClientRegistrationDeserializer.java | 4 ++++ .../client/jackson2/ClientRegistrationMixin.java | 4 ++++ .../client/jackson2/DefaultOAuth2UserMixin.java | 4 ++++ .../oauth2/client/jackson2/DefaultOidcUserMixin.java | 4 ++++ .../oauth2/client/jackson2/JsonNodeUtils.java | 4 ++++ .../client/jackson2/OAuth2AccessTokenMixin.java | 4 ++++ .../jackson2/OAuth2AuthenticationExceptionMixin.java | 4 ++++ .../jackson2/OAuth2AuthenticationTokenMixin.java | 4 ++++ .../OAuth2AuthorizationRequestDeserializer.java | 4 ++++ .../jackson2/OAuth2AuthorizationRequestMixin.java | 4 ++++ .../client/jackson2/OAuth2AuthorizedClientMixin.java | 4 ++++ .../client/jackson2/OAuth2ClientJackson2Module.java | 6 +++++- .../oauth2/client/jackson2/OAuth2ErrorMixin.java | 4 ++++ .../client/jackson2/OAuth2RefreshTokenMixin.java | 4 ++++ .../client/jackson2/OAuth2UserAuthorityMixin.java | 4 ++++ .../oauth2/client/jackson2/OidcIdTokenMixin.java | 4 ++++ .../client/jackson2/OidcUserAuthorityMixin.java | 4 ++++ .../oauth2/client/jackson2/OidcUserInfoMixin.java | 4 ++++ .../oauth2/client/jackson2/StdConverters.java | 4 ++++ .../OAuth2AuthenticationExceptionMixinTests.java | 1 + .../jackson2/OAuth2AuthenticationTokenMixinTests.java | 1 + .../OAuth2AuthorizationRequestMixinTests.java | 1 + .../jackson2/OAuth2AuthorizedClientMixinTests.java | 1 + .../oauth2/client/jackson2/StdConvertersTests.java | 1 + .../DefaultSaml2AuthenticatedPrincipalMixin.java | 5 +++++ .../jackson2/Saml2AssertionAuthenticationMixin.java | 5 +++++ .../jackson2/Saml2AuthenticationExceptionMixin.java | 5 +++++ .../saml2/jackson2/Saml2AuthenticationMixin.java | 5 +++++ .../security/saml2/jackson2/Saml2ErrorMixin.java | 4 ++++ .../security/saml2/jackson2/Saml2Jackson2Module.java | 7 ++++++- .../saml2/jackson2/Saml2LogoutRequestMixin.java | 5 +++++ .../jackson2/Saml2PostAuthenticationRequestMixin.java | 5 +++++ .../Saml2RedirectAuthenticationRequestMixin.java | 5 +++++ .../SimpleSaml2ResponseAssertionAccessorMixin.java | 5 +++++ .../DefaultSaml2AuthenticatedPrincipalMixinTests.java | 1 + .../Saml2AuthenticationExceptionMixinTests.java | 1 + .../saml2/jackson2/Saml2AuthenticationMixinTests.java | 1 + .../saml2/jackson2/Saml2LogoutRequestMixinTests.java | 1 + .../Saml2PostAuthenticationRequestMixinTests.java | 1 + .../Saml2RedirectAuthenticationRequestMixinTests.java | 1 + .../security/web/jackson2/CookieDeserializer.java | 4 ++++ .../security/web/jackson2/CookieMixin.java | 4 ++++ .../security/web/jackson2/DefaultCsrfTokenMixin.java | 5 +++++ .../web/jackson2/DefaultSavedRequestMixin.java | 5 +++++ ...eAuthenticatedAuthenticationTokenDeserializer.java | 5 +++++ .../PreAuthenticatedAuthenticationTokenMixin.java | 8 +++++--- .../security/web/jackson2/SavedCookieMixin.java | 6 +++++- .../web/jackson2/SwitchUserGrantedAuthorityMixIn.java | 5 +++++ .../web/jackson2/WebAuthenticationDetailsMixin.java | 5 +++++ .../security/web/jackson2/WebJackson2Module.java | 11 ++++++++--- .../web/jackson2/WebServletJackson2Module.java | 6 +++++- .../web/savedrequest/DefaultSavedRequest.java | 4 ++-- .../server/jackson2/DefaultCsrfServerTokenMixin.java | 5 +++++ .../web/server/jackson2/WebServerJackson2Module.java | 6 +++++- .../security/web/jackson2/AbstractMixinTests.java | 1 + .../security/web/jackson2/SavedCookieMixinTests.java | 2 +- .../SwitchUserGrantedAuthorityMixInTests.java | 1 + 104 files changed, 381 insertions(+), 22 deletions(-) diff --git a/cas/src/main/java/org/springframework/security/cas/jackson2/AssertionImplMixin.java b/cas/src/main/java/org/springframework/security/cas/jackson2/AssertionImplMixin.java index 66fd0c77d5..6bbd918781 100644 --- a/cas/src/main/java/org/springframework/security/cas/jackson2/AssertionImplMixin.java +++ b/cas/src/main/java/org/springframework/security/cas/jackson2/AssertionImplMixin.java @@ -33,6 +33,7 @@ * this class we need to register with * {@link com.fasterxml.jackson.databind.ObjectMapper}. Type information will be stored * in @class property. + * *

* 

  *     ObjectMapper mapper = new ObjectMapper();
@@ -43,7 +44,11 @@
  * @since 4.2
  * @see CasJackson2Module
  * @see org.springframework.security.jackson2.SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.cas.jackson.AssertionImplMixin} based on Jackson 3
  */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
 		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
diff --git a/cas/src/main/java/org/springframework/security/cas/jackson2/AttributePrincipalImplMixin.java b/cas/src/main/java/org/springframework/security/cas/jackson2/AttributePrincipalImplMixin.java
index 591aea37f6..5fc85372d8 100644
--- a/cas/src/main/java/org/springframework/security/cas/jackson2/AttributePrincipalImplMixin.java
+++ b/cas/src/main/java/org/springframework/security/cas/jackson2/AttributePrincipalImplMixin.java
@@ -30,6 +30,7 @@
  * {@link org.apereo.cas.client.authentication.AttributePrincipalImpl} which is used with
  * {@link org.springframework.security.cas.authentication.CasAuthenticationToken}. Type
  * information will be stored in property named @class.
+ *
  * 

  * 
  *     ObjectMapper mapper = new ObjectMapper();
@@ -40,7 +41,12 @@
  * @since 4.2
  * @see CasJackson2Module
  * @see org.springframework.security.jackson2.SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.cas.jackson.AttributePrincipalImplMixin} based on
+ * Jackson 3
  */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
 		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
diff --git a/cas/src/main/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixin.java b/cas/src/main/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixin.java
index dd44c8e285..d8f472ffba 100644
--- a/cas/src/main/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixin.java
+++ b/cas/src/main/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixin.java
@@ -40,7 +40,6 @@
  * 
  *
  * 

- *
  * 
  *     ObjectMapper mapper = new ObjectMapper();
  *     mapper.registerModule(new CasJackson2Module());
@@ -50,7 +49,12 @@
  * @since 4.2
  * @see CasJackson2Module
  * @see org.springframework.security.jackson2.SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.cas.jackson.CasAuthenticationTokenMixin} based on
+ * Jackson 3
  */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,
 		getterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY)
diff --git a/cas/src/main/java/org/springframework/security/cas/jackson2/CasJackson2Module.java b/cas/src/main/java/org/springframework/security/cas/jackson2/CasJackson2Module.java
index 8acf7e2e96..f04b18ce8d 100644
--- a/cas/src/main/java/org/springframework/security/cas/jackson2/CasJackson2Module.java
+++ b/cas/src/main/java/org/springframework/security/cas/jackson2/CasJackson2Module.java
@@ -37,11 +37,14 @@
  * 
 Note: use {@link SecurityJackson2Modules#getModules(ClassLoader)} to get list
  * of all security modules on the classpath.
  *
- * @author Jitendra Singh.
+ * @author Jitendra Singh
  * @since 4.2
  * @see org.springframework.security.jackson2.SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.cas.jackson.CasJacksonModule} based on Jackson 3
  */
-@SuppressWarnings("serial")
+@Deprecated(forRemoval = true)
+@SuppressWarnings({ "serial", "removal" })
 public class CasJackson2Module extends SimpleModule {
 
 	public CasJackson2Module() {
diff --git a/cas/src/test/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixinTests.java b/cas/src/test/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixinTests.java
index 98ddf8a4bc..85aaeb211c 100644
--- a/cas/src/test/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixinTests.java
+++ b/cas/src/test/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixinTests.java
@@ -44,6 +44,7 @@
  * @author Jitendra Singh
  * @since 4.2
  */
+@SuppressWarnings("removal")
 public class CasAuthenticationTokenMixinTests {
 
 	private static final String KEY = "casKey";
diff --git a/core/src/main/java/org/springframework/security/jackson2/AbstractUnmodifiableCollectionDeserializer.java b/core/src/main/java/org/springframework/security/jackson2/AbstractUnmodifiableCollectionDeserializer.java
index c91000cf04..a985bfbf33 100644
--- a/core/src/main/java/org/springframework/security/jackson2/AbstractUnmodifiableCollectionDeserializer.java
+++ b/core/src/main/java/org/springframework/security/jackson2/AbstractUnmodifiableCollectionDeserializer.java
@@ -38,7 +38,12 @@
  * @param  the type of the unmodifiable collection, such as {@link List} or
  * {@link Set}.
  * @author Hyunmin Choi
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.jackson.AbstractUnmodifiableCollectionDeserializer}
+ * based on Jackson 3
  */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
 abstract class AbstractUnmodifiableCollectionDeserializer extends JsonDeserializer {
 
 	@Override
diff --git a/core/src/main/java/org/springframework/security/jackson2/AnonymousAuthenticationTokenMixin.java b/core/src/main/java/org/springframework/security/jackson2/AnonymousAuthenticationTokenMixin.java
index fd2d6e0382..fbb29afa3c 100644
--- a/core/src/main/java/org/springframework/security/jackson2/AnonymousAuthenticationTokenMixin.java
+++ b/core/src/main/java/org/springframework/security/jackson2/AnonymousAuthenticationTokenMixin.java
@@ -43,11 +43,16 @@
  * @since 4.2
  * @see CoreJackson2Module
  * @see SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.jackson.AnonymousAuthenticationTokenMixin} based on
+ * Jackson 3
  */
+@SuppressWarnings("removal")
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,
 		getterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY)
 @JsonIgnoreProperties(ignoreUnknown = true)
+@Deprecated(forRemoval = true)
 class AnonymousAuthenticationTokenMixin {
 
 	/**
diff --git a/core/src/main/java/org/springframework/security/jackson2/BadCredentialsExceptionMixin.java b/core/src/main/java/org/springframework/security/jackson2/BadCredentialsExceptionMixin.java
index 9cf885a362..ff02e33f9f 100644
--- a/core/src/main/java/org/springframework/security/jackson2/BadCredentialsExceptionMixin.java
+++ b/core/src/main/java/org/springframework/security/jackson2/BadCredentialsExceptionMixin.java
@@ -38,9 +38,14 @@
  * @author Yannick Lombardi
  * @since 5.0
  * @see CoreJackson2Module
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.jackson.BadCredentialsExceptionMixin} based on
+ * Jackson 3
  */
+@SuppressWarnings("removal")
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonIgnoreProperties(ignoreUnknown = true, value = { "cause", "stackTrace", "authenticationRequest" })
+@Deprecated(forRemoval = true)
 class BadCredentialsExceptionMixin {
 
 	/**
diff --git a/core/src/main/java/org/springframework/security/jackson2/CoreJackson2Module.java b/core/src/main/java/org/springframework/security/jackson2/CoreJackson2Module.java
index e131e96853..6a31787449 100644
--- a/core/src/main/java/org/springframework/security/jackson2/CoreJackson2Module.java
+++ b/core/src/main/java/org/springframework/security/jackson2/CoreJackson2Module.java
@@ -44,11 +44,14 @@
  * 
 Note: use {@link SecurityJackson2Modules#getModules(ClassLoader)} to get list
  * of all security modules.
  *
- * @author Jitendra Singh.
+ * @author Jitendra Singh
  * @since 4.2
  * @see SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.jackson.CoreJacksonModule} based on Jackson 3
  */
-@SuppressWarnings("serial")
+@SuppressWarnings({ "serial", "removal" })
+@Deprecated(forRemoval = true)
 public class CoreJackson2Module extends SimpleModule {
 
 	public CoreJackson2Module() {
diff --git a/core/src/main/java/org/springframework/security/jackson2/FactorGrantedAuthorityMixin.java b/core/src/main/java/org/springframework/security/jackson2/FactorGrantedAuthorityMixin.java
index c5268327c2..42227d0e49 100644
--- a/core/src/main/java/org/springframework/security/jackson2/FactorGrantedAuthorityMixin.java
+++ b/core/src/main/java/org/springframework/security/jackson2/FactorGrantedAuthorityMixin.java
@@ -37,7 +37,13 @@
  * @since 7.0
  * @see CoreJackson2Module
  * @see SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.jackson.FactorGrantedAuthorityMixin} based on
+ * Jackson 3
+ *
  */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.NONE,
 		getterVisibility = JsonAutoDetect.Visibility.PUBLIC_ONLY, isGetterVisibility = JsonAutoDetect.Visibility.NONE)
diff --git a/core/src/main/java/org/springframework/security/jackson2/RememberMeAuthenticationTokenMixin.java b/core/src/main/java/org/springframework/security/jackson2/RememberMeAuthenticationTokenMixin.java
index b69fe11393..c3ec6a231a 100644
--- a/core/src/main/java/org/springframework/security/jackson2/RememberMeAuthenticationTokenMixin.java
+++ b/core/src/main/java/org/springframework/security/jackson2/RememberMeAuthenticationTokenMixin.java
@@ -50,11 +50,16 @@
  * @since 4.2
  * @see CoreJackson2Module
  * @see SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.jackson.RememberMeAuthenticationTokenMixin} based
+ * on Jackson 3
  */
+@SuppressWarnings("removal")
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
 		isGetterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY)
 @JsonIgnoreProperties(ignoreUnknown = true)
+@Deprecated(forRemoval = true)
 class RememberMeAuthenticationTokenMixin {
 
 	/**
diff --git a/core/src/main/java/org/springframework/security/jackson2/SecurityJackson2Modules.java b/core/src/main/java/org/springframework/security/jackson2/SecurityJackson2Modules.java
index 5072028973..d9b16e997d 100644
--- a/core/src/main/java/org/springframework/security/jackson2/SecurityJackson2Modules.java
+++ b/core/src/main/java/org/springframework/security/jackson2/SecurityJackson2Modules.java
@@ -67,9 +67,12 @@
  *     mapper.registerModule(new Saml2Jackson2Module());
  *
* - * @author Jitendra Singh. + * @author Jitendra Singh * @since 4.2 + * @deprecated as of 7.0 in favor of + * {@link org.springframework.security.jackson.SecurityJacksonModules} based on Jackson 3 */ +@Deprecated(forRemoval = true) public final class SecurityJackson2Modules { private static final Log logger = LogFactory.getLog(SecurityJackson2Modules.class); diff --git a/core/src/main/java/org/springframework/security/jackson2/SimpleGrantedAuthorityMixin.java b/core/src/main/java/org/springframework/security/jackson2/SimpleGrantedAuthorityMixin.java index 4424e6fca4..a0c6a010bb 100644 --- a/core/src/main/java/org/springframework/security/jackson2/SimpleGrantedAuthorityMixin.java +++ b/core/src/main/java/org/springframework/security/jackson2/SimpleGrantedAuthorityMixin.java @@ -35,11 +35,16 @@ * @since 4.2 * @see CoreJackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.jackson.SimpleGrantedAuthorityMixin} based on + * Jackson 3 */ +@SuppressWarnings("removal") @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.NONE, getterVisibility = JsonAutoDetect.Visibility.PUBLIC_ONLY, isGetterVisibility = JsonAutoDetect.Visibility.NONE) @JsonIgnoreProperties(ignoreUnknown = true) +@Deprecated(forRemoval = true) public abstract class SimpleGrantedAuthorityMixin { /** diff --git a/core/src/main/java/org/springframework/security/jackson2/UnmodifiableListDeserializer.java b/core/src/main/java/org/springframework/security/jackson2/UnmodifiableListDeserializer.java index bd62265c7d..770d1bbbfe 100644 --- a/core/src/main/java/org/springframework/security/jackson2/UnmodifiableListDeserializer.java +++ b/core/src/main/java/org/springframework/security/jackson2/UnmodifiableListDeserializer.java @@ -28,7 +28,10 @@ * @author Hyunmin Choi * @since 5.0.2 * @see UnmodifiableListMixin + * @deprecated as of 7.0 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) class UnmodifiableListDeserializer extends AbstractUnmodifiableCollectionDeserializer { @Override diff --git a/core/src/main/java/org/springframework/security/jackson2/UnmodifiableListMixin.java b/core/src/main/java/org/springframework/security/jackson2/UnmodifiableListMixin.java index a4b7336115..34572e98b0 100644 --- a/core/src/main/java/org/springframework/security/jackson2/UnmodifiableListMixin.java +++ b/core/src/main/java/org/springframework/security/jackson2/UnmodifiableListMixin.java @@ -36,9 +36,12 @@ * @see UnmodifiableListDeserializer * @see CoreJackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 */ +@SuppressWarnings("removal") @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY) @JsonDeserialize(using = UnmodifiableListDeserializer.class) +@Deprecated(forRemoval = true) class UnmodifiableListMixin { /** diff --git a/core/src/main/java/org/springframework/security/jackson2/UnmodifiableMapDeserializer.java b/core/src/main/java/org/springframework/security/jackson2/UnmodifiableMapDeserializer.java index bf9002863b..94719c365d 100644 --- a/core/src/main/java/org/springframework/security/jackson2/UnmodifiableMapDeserializer.java +++ b/core/src/main/java/org/springframework/security/jackson2/UnmodifiableMapDeserializer.java @@ -33,7 +33,10 @@ * @author Ulrich Grave * @since 5.7 * @see UnmodifiableMapMixin + * @deprecated as of 7.0 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) class UnmodifiableMapDeserializer extends JsonDeserializer> { @Override diff --git a/core/src/main/java/org/springframework/security/jackson2/UnmodifiableMapMixin.java b/core/src/main/java/org/springframework/security/jackson2/UnmodifiableMapMixin.java index fe123ff2f0..8292ed2cc5 100644 --- a/core/src/main/java/org/springframework/security/jackson2/UnmodifiableMapMixin.java +++ b/core/src/main/java/org/springframework/security/jackson2/UnmodifiableMapMixin.java @@ -36,9 +36,12 @@ * @see UnmodifiableMapDeserializer * @see CoreJackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 */ +@SuppressWarnings("removal") @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonDeserialize(using = UnmodifiableMapDeserializer.class) +@Deprecated(forRemoval = true) class UnmodifiableMapMixin { @JsonCreator diff --git a/core/src/main/java/org/springframework/security/jackson2/UnmodifiableSetDeserializer.java b/core/src/main/java/org/springframework/security/jackson2/UnmodifiableSetDeserializer.java index 81047c99b0..dda53126e8 100644 --- a/core/src/main/java/org/springframework/security/jackson2/UnmodifiableSetDeserializer.java +++ b/core/src/main/java/org/springframework/security/jackson2/UnmodifiableSetDeserializer.java @@ -28,7 +28,10 @@ * @author Hyunmin Choi * @since 4.2 * @see UnmodifiableSetMixin + * @deprecated as of 7.0 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) class UnmodifiableSetDeserializer extends AbstractUnmodifiableCollectionDeserializer { @Override diff --git a/core/src/main/java/org/springframework/security/jackson2/UnmodifiableSetMixin.java b/core/src/main/java/org/springframework/security/jackson2/UnmodifiableSetMixin.java index c3a93432e7..a6e75c0cca 100644 --- a/core/src/main/java/org/springframework/security/jackson2/UnmodifiableSetMixin.java +++ b/core/src/main/java/org/springframework/security/jackson2/UnmodifiableSetMixin.java @@ -36,9 +36,12 @@ * @see UnmodifiableSetDeserializer * @see CoreJackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 */ +@SuppressWarnings("removal") @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY) @JsonDeserialize(using = UnmodifiableSetDeserializer.class) +@Deprecated(forRemoval = true) class UnmodifiableSetMixin { /** diff --git a/core/src/main/java/org/springframework/security/jackson2/UserDeserializer.java b/core/src/main/java/org/springframework/security/jackson2/UserDeserializer.java index d9a5fe7d79..bc628e6797 100644 --- a/core/src/main/java/org/springframework/security/jackson2/UserDeserializer.java +++ b/core/src/main/java/org/springframework/security/jackson2/UserDeserializer.java @@ -39,7 +39,11 @@ * @author Jitendra Singh * @since 4.2 * @see UserMixin + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.jackson.UserDeserializer} based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) class UserDeserializer extends JsonDeserializer { private static final TypeReference> SIMPLE_GRANTED_AUTHORITY_SET = new TypeReference<>() { diff --git a/core/src/main/java/org/springframework/security/jackson2/UserMixin.java b/core/src/main/java/org/springframework/security/jackson2/UserMixin.java index bef444fd11..fbf6bede1d 100644 --- a/core/src/main/java/org/springframework/security/jackson2/UserMixin.java +++ b/core/src/main/java/org/springframework/security/jackson2/UserMixin.java @@ -41,12 +41,16 @@ * @see UserDeserializer * @see CoreJackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.jackson.UserMixin} based on Jackson 3 */ +@SuppressWarnings("removal") @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY) @JsonDeserialize(using = UserDeserializer.class) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) @JsonIgnoreProperties(ignoreUnknown = true) +@Deprecated(forRemoval = true) abstract class UserMixin { } diff --git a/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenDeserializer.java b/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenDeserializer.java index fe10b1e703..94c6661915 100644 --- a/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenDeserializer.java +++ b/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenDeserializer.java @@ -48,7 +48,12 @@ * @author Onur Kagan Ozcan * @since 4.2 * @see UsernamePasswordAuthenticationTokenMixin + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.jackson.UsernamePasswordAuthenticationTokenDeserializer} + * based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) class UsernamePasswordAuthenticationTokenDeserializer extends JsonDeserializer { private static final TypeReference> GRANTED_AUTHORITY_LIST = new TypeReference<>() { diff --git a/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenMixin.java b/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenMixin.java index c97924d195..acc0316b2f 100644 --- a/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenMixin.java +++ b/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenMixin.java @@ -42,11 +42,16 @@ * @since 4.2 * @see CoreJackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.jackson.UsernamePasswordAuthenticationTokenDeserializer} + * based on Jackson 3 */ +@SuppressWarnings("removal") @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class") @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) @JsonDeserialize(using = UsernamePasswordAuthenticationTokenDeserializer.class) +@Deprecated(forRemoval = true) abstract class UsernamePasswordAuthenticationTokenMixin { } diff --git a/core/src/test/java/org/springframework/security/jackson2/AbstractMixinTests.java b/core/src/test/java/org/springframework/security/jackson2/AbstractMixinTests.java index 23d1f036b4..e594dd01ae 100644 --- a/core/src/test/java/org/springframework/security/jackson2/AbstractMixinTests.java +++ b/core/src/test/java/org/springframework/security/jackson2/AbstractMixinTests.java @@ -26,6 +26,7 @@ * @author Jitenra Singh * @since 4.2 */ +@SuppressWarnings("removal") public abstract class AbstractMixinTests { protected ObjectMapper mapper; diff --git a/core/src/test/java/org/springframework/security/jackson2/SecurityJackson2ModulesTests.java b/core/src/test/java/org/springframework/security/jackson2/SecurityJackson2ModulesTests.java index 24e9b05fd1..f5e6f65a8b 100644 --- a/core/src/test/java/org/springframework/security/jackson2/SecurityJackson2ModulesTests.java +++ b/core/src/test/java/org/springframework/security/jackson2/SecurityJackson2ModulesTests.java @@ -38,6 +38,7 @@ * @author Rob Winch * @since 5.0 */ +@SuppressWarnings("removal") public class SecurityJackson2ModulesTests { private ObjectMapper mapper; diff --git a/ldap/src/main/java/org/springframework/security/ldap/jackson2/InetOrgPersonMixin.java b/ldap/src/main/java/org/springframework/security/ldap/jackson2/InetOrgPersonMixin.java index 470903d9fa..88c094778b 100644 --- a/ldap/src/main/java/org/springframework/security/ldap/jackson2/InetOrgPersonMixin.java +++ b/ldap/src/main/java/org/springframework/security/ldap/jackson2/InetOrgPersonMixin.java @@ -29,7 +29,11 @@ * @since 5.7 * @see LdapJackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.ldap.jackson.InetOrgPersonMixin} based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/ldap/src/main/java/org/springframework/security/ldap/jackson2/LdapAuthorityMixin.java b/ldap/src/main/java/org/springframework/security/ldap/jackson2/LdapAuthorityMixin.java index 278dffecf1..553ceb162e 100644 --- a/ldap/src/main/java/org/springframework/security/ldap/jackson2/LdapAuthorityMixin.java +++ b/ldap/src/main/java/org/springframework/security/ldap/jackson2/LdapAuthorityMixin.java @@ -34,7 +34,11 @@ * @since 5.7 * @see LdapJackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.ldap.jackson.LdapAuthorityMixin} based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE) @JsonIgnoreProperties(ignoreUnknown = true) diff --git a/ldap/src/main/java/org/springframework/security/ldap/jackson2/LdapJackson2Module.java b/ldap/src/main/java/org/springframework/security/ldap/jackson2/LdapJackson2Module.java index 6a7adeb5e7..c3d3685caf 100644 --- a/ldap/src/main/java/org/springframework/security/ldap/jackson2/LdapJackson2Module.java +++ b/ldap/src/main/java/org/springframework/security/ldap/jackson2/LdapJackson2Module.java @@ -45,8 +45,11 @@ * * @since 5.7 * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@link org.springframework.security.ldap.jackson.LdapJacksonModule} based on Jackson 3 */ -@SuppressWarnings("serial") +@Deprecated(forRemoval = true) +@SuppressWarnings({ "serial", "removal" }) public class LdapJackson2Module extends SimpleModule { public LdapJackson2Module() { diff --git a/ldap/src/main/java/org/springframework/security/ldap/jackson2/LdapUserDetailsImplMixin.java b/ldap/src/main/java/org/springframework/security/ldap/jackson2/LdapUserDetailsImplMixin.java index d9a459ad69..eb848e326e 100644 --- a/ldap/src/main/java/org/springframework/security/ldap/jackson2/LdapUserDetailsImplMixin.java +++ b/ldap/src/main/java/org/springframework/security/ldap/jackson2/LdapUserDetailsImplMixin.java @@ -29,7 +29,12 @@ * @since 5.7 * @see LdapJackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.ldap.jackson.LdapUserDetailsImplMixin} based on + * Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/ldap/src/main/java/org/springframework/security/ldap/jackson2/PersonMixin.java b/ldap/src/main/java/org/springframework/security/ldap/jackson2/PersonMixin.java index 1f308caf15..5fd33b2465 100644 --- a/ldap/src/main/java/org/springframework/security/ldap/jackson2/PersonMixin.java +++ b/ldap/src/main/java/org/springframework/security/ldap/jackson2/PersonMixin.java @@ -29,7 +29,11 @@ * @since 5.7 * @see LdapJackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.ldap.jackson.PersonMixin} based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/ldap/src/test/java/org/springframework/security/ldap/jackson2/InetOrgPersonMixinTests.java b/ldap/src/test/java/org/springframework/security/ldap/jackson2/InetOrgPersonMixinTests.java index cd9129683b..ea0ba81b37 100644 --- a/ldap/src/test/java/org/springframework/security/ldap/jackson2/InetOrgPersonMixinTests.java +++ b/ldap/src/test/java/org/springframework/security/ldap/jackson2/InetOrgPersonMixinTests.java @@ -36,6 +36,7 @@ /** * Tests for {@link InetOrgPersonMixin}. */ +@SuppressWarnings("removal") public class InetOrgPersonMixinTests { private static final String USER_PASSWORD = "Password1234"; diff --git a/ldap/src/test/java/org/springframework/security/ldap/jackson2/LdapUserDetailsImplMixinTests.java b/ldap/src/test/java/org/springframework/security/ldap/jackson2/LdapUserDetailsImplMixinTests.java index bd91eb8199..88dcb8bdcb 100644 --- a/ldap/src/test/java/org/springframework/security/ldap/jackson2/LdapUserDetailsImplMixinTests.java +++ b/ldap/src/test/java/org/springframework/security/ldap/jackson2/LdapUserDetailsImplMixinTests.java @@ -36,6 +36,7 @@ /** * Tests for {@link LdapUserDetailsImplMixin}. */ +@SuppressWarnings("removal") public class LdapUserDetailsImplMixinTests { private static final String USER_PASSWORD = "Password1234"; diff --git a/ldap/src/test/java/org/springframework/security/ldap/jackson2/PersonMixinTests.java b/ldap/src/test/java/org/springframework/security/ldap/jackson2/PersonMixinTests.java index abdece1f79..865d986fb8 100644 --- a/ldap/src/test/java/org/springframework/security/ldap/jackson2/PersonMixinTests.java +++ b/ldap/src/test/java/org/springframework/security/ldap/jackson2/PersonMixinTests.java @@ -36,6 +36,7 @@ /** * Tests for {@link PersonMixin}. */ +@SuppressWarnings("removal") public class PersonMixinTests { private static final String USER_PASSWORD = "Password1234"; diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/DurationMixin.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/DurationMixin.java index 0825283190..3b801dfd72 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/DurationMixin.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/DurationMixin.java @@ -30,11 +30,13 @@ * @author Joe Grandja * @since 7.0 * @see Duration + * @deprecated as of 7.0 */ @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.NONE, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE, setterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.NONE) +@Deprecated(forRemoval = true) abstract class DurationMixin { @JsonCreator diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/HashSetMixin.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/HashSetMixin.java index 55a45ed516..629c15c97d 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/HashSetMixin.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/HashSetMixin.java @@ -28,8 +28,10 @@ * @author Steve Riesenberg * @since 7.0 * @see HashSet + * @deprecated as of 7.0 */ @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) +@Deprecated(forRemoval = true) abstract class HashSetMixin { @JsonCreator diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/JsonNodeUtils.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/JsonNodeUtils.java index b2ffb6b7a0..1adfab8795 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/JsonNodeUtils.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/JsonNodeUtils.java @@ -28,7 +28,11 @@ * * @author Joe Grandja * @since 7.0 + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.server.authorization.jackson.JsonNodeUtils} + * based on Jackson 3 */ +@Deprecated(forRemoval = true) abstract class JsonNodeUtils { static final TypeReference> STRING_SET = new TypeReference<>() { diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/JwsAlgorithmMixin.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/JwsAlgorithmMixin.java index 360cdcd2c6..b9d1f3769e 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/JwsAlgorithmMixin.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/JwsAlgorithmMixin.java @@ -27,7 +27,11 @@ * @author Joe Grandja * @since 7.0 * @see SignatureAlgorithm + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.server.authorization.jackson.JwsAlgorithmMixin} + * based on Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationRequestDeserializer.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationRequestDeserializer.java index 9cb47faf82..3bad21fe2c 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationRequestDeserializer.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationRequestDeserializer.java @@ -36,7 +36,12 @@ * @since 7.0 * @see OAuth2AuthorizationRequest * @see OAuth2AuthorizationRequestMixin + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.server.authorization.jackson.OAuth2AuthorizationRequestDeserializer} + * based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) final class OAuth2AuthorizationRequestDeserializer extends JsonDeserializer { @Override diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationRequestMixin.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationRequestMixin.java index 3cabb43c53..1370788776 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationRequestMixin.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationRequestMixin.java @@ -31,7 +31,12 @@ * @since 7.0 * @see OAuth2AuthorizationRequest * @see OAuth2AuthorizationRequestDeserializer + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.server.authorization.jackson.OAuth2AuthorizationRequestMixin} + * based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonDeserialize(using = OAuth2AuthorizationRequestDeserializer.class) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2Module.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2Module.java index afd8ba2544..6e6358600b 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2Module.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2Module.java @@ -69,8 +69,12 @@ * @see JwsAlgorithmMixin * @see OAuth2TokenFormatMixin * @see StringArrayMixin + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.server.authorization.jackson.OAuth2AuthorizationServerJacksonModule} + * based on Jackson 3 */ -@SuppressWarnings("serial") +@SuppressWarnings({ "serial", "removal" }) +@Deprecated(forRemoval = true) public class OAuth2AuthorizationServerJackson2Module extends SimpleModule { public OAuth2AuthorizationServerJackson2Module() { diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2TokenExchangeActorMixin.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2TokenExchangeActorMixin.java index 28efca7d92..e163318af3 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2TokenExchangeActorMixin.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2TokenExchangeActorMixin.java @@ -32,7 +32,11 @@ * @author Steve Riesenberg * @since 7.0 * @see OAuth2TokenExchangeActor + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.server.authorization.jackson.OAuth2TokenExchangeActorMixin} + * based on Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2TokenExchangeCompositeAuthenticationTokenMixin.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2TokenExchangeCompositeAuthenticationTokenMixin.java index 1659f2c109..c7ba8b407c 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2TokenExchangeCompositeAuthenticationTokenMixin.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2TokenExchangeCompositeAuthenticationTokenMixin.java @@ -34,7 +34,11 @@ * @author Steve Riesenberg * @since 7.0 * @see OAuth2TokenExchangeCompositeAuthenticationToken + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.server.authorization.jackson.OAuth2TokenExchangeCompositeAuthenticationTokenMixin} + * based on Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2TokenFormatMixin.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2TokenFormatMixin.java index 12b9223e9e..b275c5c487 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2TokenFormatMixin.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2TokenFormatMixin.java @@ -29,7 +29,11 @@ * @author Joe Grandja * @since 7.0 * @see OAuth2TokenFormat + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.server.authorization.jackson.OAuth2TokenFormatMixin} + * based on Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/StringArrayMixin.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/StringArrayMixin.java index 0ff5272666..8f2ec97fa4 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/StringArrayMixin.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/StringArrayMixin.java @@ -25,7 +25,9 @@ * @author Nikola Jovanovic * @since 7.0 * @see String + * @deprecated as of 7.0 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) abstract class StringArrayMixin { diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/UnmodifiableMapDeserializer.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/UnmodifiableMapDeserializer.java index 33dcf91290..2fca721f0e 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/UnmodifiableMapDeserializer.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/UnmodifiableMapDeserializer.java @@ -34,7 +34,10 @@ * @since 7.0 * @see Collections#unmodifiableMap(Map) * @see UnmodifiableMapMixin + * @deprecated as of 7.0 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) final class UnmodifiableMapDeserializer extends JsonDeserializer> { @Override diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/UnmodifiableMapMixin.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/UnmodifiableMapMixin.java index fabe1d3a99..e9c6d29585 100644 --- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/UnmodifiableMapMixin.java +++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/UnmodifiableMapMixin.java @@ -32,7 +32,10 @@ * @since 7.0 * @see Collections#unmodifiableMap(Map) * @see UnmodifiableMapDeserializer + * @deprecated as of 7.0 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonDeserialize(using = UnmodifiableMapDeserializer.class) abstract class UnmodifiableMapMixin { diff --git a/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2ModuleTests.java b/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2ModuleTests.java index 340bfddd54..f06d3f81f1 100644 --- a/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2ModuleTests.java +++ b/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationServerJackson2ModuleTests.java @@ -46,6 +46,7 @@ * @author Steve Riesenberg * @author Joe Grandja */ +@SuppressWarnings("removal") public class OAuth2AuthorizationServerJackson2ModuleTests { private static final TypeReference> STRING_OBJECT_MAP = new TypeReference<>() { diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/ClientRegistrationDeserializer.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/ClientRegistrationDeserializer.java index 14c3d3d3ba..d9b8eedaf4 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/ClientRegistrationDeserializer.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/ClientRegistrationDeserializer.java @@ -37,7 +37,11 @@ * @since 5.3 * @see ClientRegistration * @see ClientRegistrationMixin + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.ClientRegistrationDeserializer} + * based on Jackson 3 */ +@Deprecated(forRemoval = true) final class ClientRegistrationDeserializer extends JsonDeserializer { private static final StdConverter CLIENT_AUTHENTICATION_METHOD_CONVERTER = new StdConverters.ClientAuthenticationMethodConverter(); diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/ClientRegistrationMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/ClientRegistrationMixin.java index 27f2157fe1..c8af80b1fb 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/ClientRegistrationMixin.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/ClientRegistrationMixin.java @@ -32,7 +32,11 @@ * @see ClientRegistration * @see ClientRegistrationDeserializer * @see OAuth2ClientJackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.ClientRegistrationMixin} + * based on Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonDeserialize(using = ClientRegistrationDeserializer.class) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/DefaultOAuth2UserMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/DefaultOAuth2UserMixin.java index ffe5bfae30..b3f221d5b5 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/DefaultOAuth2UserMixin.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/DefaultOAuth2UserMixin.java @@ -35,7 +35,11 @@ * @since 5.3 * @see DefaultOAuth2User * @see OAuth2ClientJackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.DefaultOAuth2UserMixin} based + * on Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/DefaultOidcUserMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/DefaultOidcUserMixin.java index da2136b0ce..0a0dfdaf28 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/DefaultOidcUserMixin.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/DefaultOidcUserMixin.java @@ -36,7 +36,11 @@ * @since 5.3 * @see DefaultOidcUser * @see OAuth2ClientJackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.DefaultOidcUserMixin} based + * on Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/JsonNodeUtils.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/JsonNodeUtils.java index 2ed56d7030..1bfdbfa21a 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/JsonNodeUtils.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/JsonNodeUtils.java @@ -28,7 +28,11 @@ * * @author Joe Grandja * @since 5.3 + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.JsonNodeUtils} based on + * Jackson 3 */ +@Deprecated(forRemoval = true) abstract class JsonNodeUtils { static final TypeReference> STRING_SET = new TypeReference<>() { diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AccessTokenMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AccessTokenMixin.java index c4d6608f63..6f86af534e 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AccessTokenMixin.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AccessTokenMixin.java @@ -35,7 +35,11 @@ * @since 5.3 * @see OAuth2AccessToken * @see OAuth2ClientJackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.OAuth2AccessTokenMixin} based + * on Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationExceptionMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationExceptionMixin.java index 051cbe36df..7ac2561592 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationExceptionMixin.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationExceptionMixin.java @@ -34,7 +34,11 @@ * @since 5.3.4 * @see OAuth2AuthenticationException * @see OAuth2ClientJackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.OAuth2AuthenticationExceptionMixin} + * based on Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.NONE, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationTokenMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationTokenMixin.java index d771f8f642..a89ad61155 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationTokenMixin.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationTokenMixin.java @@ -35,7 +35,11 @@ * @since 5.3 * @see OAuth2AuthenticationToken * @see OAuth2ClientJackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.OAuth2AuthenticationTokenMixin} + * based on Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizationRequestDeserializer.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizationRequestDeserializer.java index 4125124e0c..1296a5b783 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizationRequestDeserializer.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizationRequestDeserializer.java @@ -37,7 +37,11 @@ * @since 5.3 * @see OAuth2AuthorizationRequest * @see OAuth2AuthorizationRequestMixin + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.OAuth2AuthorizationRequestDeserializer} + * based on Jackson 3 */ +@Deprecated(forRemoval = true) final class OAuth2AuthorizationRequestDeserializer extends JsonDeserializer { private static final StdConverter AUTHORIZATION_GRANT_TYPE_CONVERTER = new StdConverters.AuthorizationGrantTypeConverter(); diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizationRequestMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizationRequestMixin.java index 4a0fea8728..ea91168d2d 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizationRequestMixin.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizationRequestMixin.java @@ -32,7 +32,11 @@ * @see OAuth2AuthorizationRequest * @see OAuth2AuthorizationRequestDeserializer * @see OAuth2ClientJackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.OAuth2AuthorizationRequestMixin} + * based on Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonDeserialize(using = OAuth2AuthorizationRequestDeserializer.class) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizedClientMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizedClientMixin.java index 52c4258968..4afc7a7d74 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizedClientMixin.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizedClientMixin.java @@ -34,7 +34,11 @@ * @since 5.3 * @see OAuth2AuthorizedClient * @see OAuth2ClientJackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.OAuth2AuthorizedClientMixin} + * based on Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2ClientJackson2Module.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2ClientJackson2Module.java index bd804a7ed5..3290d28428 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2ClientJackson2Module.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2ClientJackson2Module.java @@ -85,8 +85,12 @@ * @see OAuth2AuthenticationTokenMixin * @see OAuth2AuthenticationExceptionMixin * @see OAuth2ErrorMixin + * @deprecated as of 7.0 in favor of + * {@link org.springframework.security.oauth2.client.jackson.OAuth2ClientJacksonModule} + * based on Jackson 3 */ -@SuppressWarnings("serial") +@Deprecated(forRemoval = true) +@SuppressWarnings({ "serial", "removal" }) public class OAuth2ClientJackson2Module extends SimpleModule { public OAuth2ClientJackson2Module() { diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2ErrorMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2ErrorMixin.java index 2e752f207d..69f25d9525 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2ErrorMixin.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2ErrorMixin.java @@ -33,7 +33,11 @@ * @see OAuth2Error * @see OAuth2AuthenticationExceptionMixin * @see OAuth2ClientJackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.OAuth2ErrorMixin} based on + * Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2RefreshTokenMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2RefreshTokenMixin.java index bdda9dac44..2a3eaac28c 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2RefreshTokenMixin.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2RefreshTokenMixin.java @@ -33,7 +33,11 @@ * @since 5.3 * @see OAuth2RefreshToken * @see OAuth2ClientJackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.OAuth2RefreshTokenMixin} + * based on Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2UserAuthorityMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2UserAuthorityMixin.java index 009c4d96fe..d334c4abfe 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2UserAuthorityMixin.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2UserAuthorityMixin.java @@ -33,7 +33,11 @@ * @since 5.3 * @see OAuth2UserAuthority * @see OAuth2ClientJackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.OAuth2UserAuthorityMixin} + * based on Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OidcIdTokenMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OidcIdTokenMixin.java index 50bb276504..6eba4cd315 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OidcIdTokenMixin.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OidcIdTokenMixin.java @@ -34,7 +34,11 @@ * @since 5.3 * @see OidcIdToken * @see OAuth2ClientJackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.OidcIdTokenMixin} based on + * Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OidcUserAuthorityMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OidcUserAuthorityMixin.java index bf847e165c..36769c238b 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OidcUserAuthorityMixin.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OidcUserAuthorityMixin.java @@ -33,7 +33,11 @@ * @since 5.3 * @see OidcUserAuthority * @see OAuth2ClientJackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.OidcUserAuthorityMixin} based + * on Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OidcUserInfoMixin.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OidcUserInfoMixin.java index 4916bb0818..22538a5450 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OidcUserInfoMixin.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OidcUserInfoMixin.java @@ -33,7 +33,11 @@ * @since 5.3 * @see OidcUserInfo * @see OAuth2ClientJackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.OidcUserInfoMixin} based on + * Jackson 3 */ +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/StdConverters.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/StdConverters.java index ebcf5a0bd4..2bceb429e3 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/StdConverters.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/StdConverters.java @@ -29,7 +29,11 @@ * * @author Joe Grandja * @since 5.3 + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.oauth2.client.jackson.StdConverters} based on + * Jackson 3 */ +@Deprecated(forRemoval = true) abstract class StdConverters { static final class AccessTokenTypeConverter extends StdConverter { diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationExceptionMixinTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationExceptionMixinTests.java index 1440bae1e2..b0949e87dd 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationExceptionMixinTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationExceptionMixinTests.java @@ -35,6 +35,7 @@ * @author Dennis Neufeld * @since 5.3.4 */ +@SuppressWarnings("removal") public class OAuth2AuthenticationExceptionMixinTests { private ObjectMapper mapper; diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationTokenMixinTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationTokenMixinTests.java index 8b25c5a559..3c30106f4f 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationTokenMixinTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthenticationTokenMixinTests.java @@ -56,6 +56,7 @@ * * @author Joe Grandja */ +@SuppressWarnings("removal") public class OAuth2AuthenticationTokenMixinTests { private ObjectMapper mapper; diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizationRequestMixinTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizationRequestMixinTests.java index 1725cb447f..90c42ff325 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizationRequestMixinTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizationRequestMixinTests.java @@ -41,6 +41,7 @@ * * @author Joe Grandja */ +@SuppressWarnings("removal") public class OAuth2AuthorizationRequestMixinTests { private ObjectMapper mapper; diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizedClientMixinTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizedClientMixinTests.java index 0c511a6805..a57a072788 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizedClientMixinTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizedClientMixinTests.java @@ -48,6 +48,7 @@ * * @author Joe Grandja */ +@SuppressWarnings("removal") public class OAuth2AuthorizedClientMixinTests { private ObjectMapper mapper; diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/StdConvertersTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/StdConvertersTests.java index 90f173611a..8b16e75673 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/StdConvertersTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/StdConvertersTests.java @@ -30,6 +30,7 @@ import static org.assertj.core.api.Assertions.assertThat; +@SuppressWarnings("removal") public class StdConvertersTests { private final StdConverter clientAuthenticationMethodConverter = new StdConverters.ClientAuthenticationMethodConverter(); diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/DefaultSaml2AuthenticatedPrincipalMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/DefaultSaml2AuthenticatedPrincipalMixin.java index 39bd3880cc..db1850a8e4 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/DefaultSaml2AuthenticatedPrincipalMixin.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/DefaultSaml2AuthenticatedPrincipalMixin.java @@ -40,7 +40,12 @@ * @since 5.7 * @see Saml2Jackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.saml2.jackson.DefaultSaml2AuthenticatedPrincipalMixin} + * based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE) @JsonIgnoreProperties(ignoreUnknown = true) diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2AssertionAuthenticationMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2AssertionAuthenticationMixin.java index e21df4fe13..ccd7841783 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2AssertionAuthenticationMixin.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2AssertionAuthenticationMixin.java @@ -42,7 +42,12 @@ * @since 7.0 * @see Saml2Jackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.saml2.jackson.Saml2AssertionAuthenticationMixin} + * based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2AuthenticationExceptionMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2AuthenticationExceptionMixin.java index 037f9521cd..be9e78b062 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2AuthenticationExceptionMixin.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2AuthenticationExceptionMixin.java @@ -32,7 +32,12 @@ * @since 5.7 * @see Saml2AuthenticationException * @see Saml2Jackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.saml2.jackson.Saml2AuthenticationExceptionMixin} + * based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.NONE, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2AuthenticationMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2AuthenticationMixin.java index 4f7dbb2578..efb0a1943f 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2AuthenticationMixin.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2AuthenticationMixin.java @@ -41,7 +41,12 @@ * @since 5.7 * @see Saml2Jackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.saml2.jackson.Saml2AuthenticationMixin} based on + * Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2ErrorMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2ErrorMixin.java index 8f0449e9a7..361550b29b 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2ErrorMixin.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2ErrorMixin.java @@ -31,7 +31,11 @@ * @since 5.7 * @see Saml2Error * @see Saml2Jackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.saml2.jackson.Saml2ErrorMixin} based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2Jackson2Module.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2Jackson2Module.java index 0620842430..16b65ca70d 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2Jackson2Module.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2Jackson2Module.java @@ -40,8 +40,12 @@ * @author Ulrich Grave * @since 5.7 * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@link org.springframework.security.saml2.jackson.Saml2JacksonModule} based on Jackson + * 3 */ -@SuppressWarnings("serial") +@Deprecated(forRemoval = true) +@SuppressWarnings({ "serial", "removal" }) public class Saml2Jackson2Module extends SimpleModule { public Saml2Jackson2Module() { @@ -50,6 +54,7 @@ public Saml2Jackson2Module() { @Override public void setupModule(SetupContext context) { + // TODO Is it expected that default typing in not configured here? context.setMixInAnnotations(Saml2Authentication.class, Saml2AuthenticationMixin.class); context.setMixInAnnotations(Saml2AssertionAuthentication.class, Saml2AssertionAuthenticationMixin.class); context.setMixInAnnotations(Saml2ResponseAssertion.class, SimpleSaml2ResponseAssertionAccessorMixin.class); diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2LogoutRequestMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2LogoutRequestMixin.java index 011fe08d6f..034a3f95e9 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2LogoutRequestMixin.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2LogoutRequestMixin.java @@ -42,7 +42,12 @@ * @since 5.7 * @see Saml2Jackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.saml2.jackson.Saml2LogoutRequestMixin} based on + * Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE) @JsonIgnoreProperties(ignoreUnknown = true) diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2PostAuthenticationRequestMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2PostAuthenticationRequestMixin.java index 87b50acca7..a381e3105c 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2PostAuthenticationRequestMixin.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2PostAuthenticationRequestMixin.java @@ -38,7 +38,12 @@ * @since 5.7 * @see Saml2Jackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.saml2.jackson.Saml2PostAuthenticationRequestMixin} + * based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE) @JsonIgnoreProperties(ignoreUnknown = true) diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2RedirectAuthenticationRequestMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2RedirectAuthenticationRequestMixin.java index 12e56aea4e..29acb08277 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2RedirectAuthenticationRequestMixin.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/Saml2RedirectAuthenticationRequestMixin.java @@ -38,7 +38,12 @@ * @since 5.7 * @see Saml2Jackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.saml2.jackson.Saml2RedirectAuthenticationRequestMixin} + * based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE) @JsonIgnoreProperties(ignoreUnknown = true) diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/SimpleSaml2ResponseAssertionAccessorMixin.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/SimpleSaml2ResponseAssertionAccessorMixin.java index ea8e5a4ed1..592f9963db 100644 --- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/SimpleSaml2ResponseAssertionAccessorMixin.java +++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/jackson2/SimpleSaml2ResponseAssertionAccessorMixin.java @@ -40,7 +40,12 @@ * @since 7.0 * @see Saml2Jackson2Module * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.saml2.jackson.SimpleSaml2ResponseAssertionAccessorMixin} + * based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/DefaultSaml2AuthenticatedPrincipalMixinTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/DefaultSaml2AuthenticatedPrincipalMixinTests.java index addc4fa5b7..d989dc6366 100644 --- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/DefaultSaml2AuthenticatedPrincipalMixinTests.java +++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/DefaultSaml2AuthenticatedPrincipalMixinTests.java @@ -26,6 +26,7 @@ import static org.assertj.core.api.Assertions.assertThat; +@SuppressWarnings("removal") class DefaultSaml2AuthenticatedPrincipalMixinTests { private ObjectMapper mapper; diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2AuthenticationExceptionMixinTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2AuthenticationExceptionMixinTests.java index 7aadf36b63..c80f7aebed 100644 --- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2AuthenticationExceptionMixinTests.java +++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2AuthenticationExceptionMixinTests.java @@ -27,6 +27,7 @@ import static org.assertj.core.api.Assertions.assertThat; +@SuppressWarnings("removal") class Saml2AuthenticationExceptionMixinTests { private ObjectMapper mapper; diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2AuthenticationMixinTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2AuthenticationMixinTests.java index 2f16bfd960..545b8516ce 100644 --- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2AuthenticationMixinTests.java +++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2AuthenticationMixinTests.java @@ -26,6 +26,7 @@ import static org.assertj.core.api.Assertions.assertThat; +@SuppressWarnings("removal") class Saml2AuthenticationMixinTests { private ObjectMapper mapper; diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2LogoutRequestMixinTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2LogoutRequestMixinTests.java index c3792aab64..7d23344332 100644 --- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2LogoutRequestMixinTests.java +++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2LogoutRequestMixinTests.java @@ -32,6 +32,7 @@ import static org.assertj.core.api.Assertions.assertThat; +@SuppressWarnings("removal") class Saml2LogoutRequestMixinTests { private ObjectMapper mapper; diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2PostAuthenticationRequestMixinTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2PostAuthenticationRequestMixinTests.java index 197f1ba172..3166e8a723 100644 --- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2PostAuthenticationRequestMixinTests.java +++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2PostAuthenticationRequestMixinTests.java @@ -26,6 +26,7 @@ import static org.assertj.core.api.Assertions.assertThat; +@SuppressWarnings("removal") class Saml2PostAuthenticationRequestMixinTests { private ObjectMapper mapper; diff --git a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2RedirectAuthenticationRequestMixinTests.java b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2RedirectAuthenticationRequestMixinTests.java index 068cf65f7d..281babe09d 100644 --- a/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2RedirectAuthenticationRequestMixinTests.java +++ b/saml2/saml2-service-provider/src/test/java/org/springframework/security/saml2/jackson2/Saml2RedirectAuthenticationRequestMixinTests.java @@ -26,6 +26,7 @@ import static org.assertj.core.api.Assertions.assertThat; +@SuppressWarnings("removal") class Saml2RedirectAuthenticationRequestMixinTests { private ObjectMapper mapper; diff --git a/web/src/main/java/org/springframework/security/web/jackson2/CookieDeserializer.java b/web/src/main/java/org/springframework/security/web/jackson2/CookieDeserializer.java index 9db087e173..013a99c71a 100644 --- a/web/src/main/java/org/springframework/security/web/jackson2/CookieDeserializer.java +++ b/web/src/main/java/org/springframework/security/web/jackson2/CookieDeserializer.java @@ -37,7 +37,11 @@ * @author Jitendra Singh * @since 4.2 * @see CookieMixin + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.web.jackson.CookieDeserializer} based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) class CookieDeserializer extends JsonDeserializer { @Override diff --git a/web/src/main/java/org/springframework/security/web/jackson2/CookieMixin.java b/web/src/main/java/org/springframework/security/web/jackson2/CookieMixin.java index c2cb62bf9a..47f928b91e 100644 --- a/web/src/main/java/org/springframework/security/web/jackson2/CookieMixin.java +++ b/web/src/main/java/org/springframework/security/web/jackson2/CookieMixin.java @@ -32,7 +32,11 @@ * @since 4.2 * @see WebServletJackson2Module * @see org.springframework.security.jackson2.SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.web.jackson.CookieMixin} based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY) @JsonDeserialize(using = CookieDeserializer.class) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/web/src/main/java/org/springframework/security/web/jackson2/DefaultCsrfTokenMixin.java b/web/src/main/java/org/springframework/security/web/jackson2/DefaultCsrfTokenMixin.java index e18dfeb828..07daf872cf 100644 --- a/web/src/main/java/org/springframework/security/web/jackson2/DefaultCsrfTokenMixin.java +++ b/web/src/main/java/org/springframework/security/web/jackson2/DefaultCsrfTokenMixin.java @@ -34,7 +34,12 @@ * @since 4.2 * @see WebJackson2Module * @see org.springframework.security.jackson2.SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.web.jackson.DefaultCsrfTokenMixin} based on Jackson + * 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class") @JsonIgnoreProperties(ignoreUnknown = true) class DefaultCsrfTokenMixin { diff --git a/web/src/main/java/org/springframework/security/web/jackson2/DefaultSavedRequestMixin.java b/web/src/main/java/org/springframework/security/web/jackson2/DefaultSavedRequestMixin.java index b69c130d7c..8f4c001b48 100644 --- a/web/src/main/java/org/springframework/security/web/jackson2/DefaultSavedRequestMixin.java +++ b/web/src/main/java/org/springframework/security/web/jackson2/DefaultSavedRequestMixin.java @@ -39,7 +39,12 @@ * @since 4.2 * @see WebServletJackson2Module * @see org.springframework.security.jackson2.SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.web.jackson.DefaultCsrfTokenMixin} based on Jackson + * 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY) @JsonDeserialize(builder = DefaultSavedRequest.Builder.class) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/web/src/main/java/org/springframework/security/web/jackson2/PreAuthenticatedAuthenticationTokenDeserializer.java b/web/src/main/java/org/springframework/security/web/jackson2/PreAuthenticatedAuthenticationTokenDeserializer.java index 983cfb6d9a..8f47470818 100644 --- a/web/src/main/java/org/springframework/security/web/jackson2/PreAuthenticatedAuthenticationTokenDeserializer.java +++ b/web/src/main/java/org/springframework/security/web/jackson2/PreAuthenticatedAuthenticationTokenDeserializer.java @@ -43,7 +43,12 @@ * @author Jitendra Singh * @since 4.2 * @see PreAuthenticatedAuthenticationTokenMixin + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.web.jackson.PreAuthenticatedAuthenticationTokenDeserializer} + * based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) class PreAuthenticatedAuthenticationTokenDeserializer extends JsonDeserializer { private static final TypeReference> GRANTED_AUTHORITY_LIST = new TypeReference<>() { diff --git a/web/src/main/java/org/springframework/security/web/jackson2/PreAuthenticatedAuthenticationTokenMixin.java b/web/src/main/java/org/springframework/security/web/jackson2/PreAuthenticatedAuthenticationTokenMixin.java index 47ba2a4765..4e281df34b 100644 --- a/web/src/main/java/org/springframework/security/web/jackson2/PreAuthenticatedAuthenticationTokenMixin.java +++ b/web/src/main/java/org/springframework/security/web/jackson2/PreAuthenticatedAuthenticationTokenMixin.java @@ -31,9 +31,7 @@ * * In order to use this mixin you'll need to add 3 more mixin classes. *
    - *
  1. {@link UnmodifiableSetMixin}
    2. *
  2. {@link SimpleGrantedAuthorityMixin}
    3. - *
  3. {@link UserMixin}
    4. *
* * 
@@ -43,9 +41,13 @@
  *
  * @author Jitendra Singh
  * @since 4.2
- * @see Webackson2Module
  * @see SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.web.jackson.PreAuthenticatedAuthenticationTokenMixin}
+ * based on Jackson 3
  */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class")
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
 		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
diff --git a/web/src/main/java/org/springframework/security/web/jackson2/SavedCookieMixin.java b/web/src/main/java/org/springframework/security/web/jackson2/SavedCookieMixin.java
index 7d5adcb116..71f35bb99b 100644
--- a/web/src/main/java/org/springframework/security/web/jackson2/SavedCookieMixin.java
+++ b/web/src/main/java/org/springframework/security/web/jackson2/SavedCookieMixin.java
@@ -32,11 +32,15 @@
  *		mapper.registerModule(new WebServletJackson2Module());
  *
* - * @author Jitendra Singh. + * @author Jitendra Singh * @since 4.2 * @see WebServletJackson2Module * @see org.springframework.security.jackson2.SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.web.jackson.SavedCookieMixin} based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE) @JsonIgnoreProperties(ignoreUnknown = true) diff --git a/web/src/main/java/org/springframework/security/web/jackson2/SwitchUserGrantedAuthorityMixIn.java b/web/src/main/java/org/springframework/security/web/jackson2/SwitchUserGrantedAuthorityMixIn.java index 0dff42ceef..0bdfb32509 100644 --- a/web/src/main/java/org/springframework/security/web/jackson2/SwitchUserGrantedAuthorityMixIn.java +++ b/web/src/main/java/org/springframework/security/web/jackson2/SwitchUserGrantedAuthorityMixIn.java @@ -33,7 +33,12 @@ * @see WebJackson2Module * @see WebServletJackson2Module * @see org.springframework.security.jackson2.SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.web.jackson.SwitchUserGrantedAuthorityMixIn} based + * on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) diff --git a/web/src/main/java/org/springframework/security/web/jackson2/WebAuthenticationDetailsMixin.java b/web/src/main/java/org/springframework/security/web/jackson2/WebAuthenticationDetailsMixin.java index bf2aaf4e3e..cecbcafd68 100644 --- a/web/src/main/java/org/springframework/security/web/jackson2/WebAuthenticationDetailsMixin.java +++ b/web/src/main/java/org/springframework/security/web/jackson2/WebAuthenticationDetailsMixin.java @@ -35,7 +35,12 @@ * @since 4.2 * @see WebServletJackson2Module * @see org.springframework.security.jackson2.SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.web.jackson.SwitchUserGrantedAuthorityMixIn} based + * on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY) @JsonIgnoreProperties(ignoreUnknown = true) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, diff --git a/web/src/main/java/org/springframework/security/web/jackson2/WebJackson2Module.java b/web/src/main/java/org/springframework/security/web/jackson2/WebJackson2Module.java index 0c2f98263d..8857baa835 100644 --- a/web/src/main/java/org/springframework/security/web/jackson2/WebJackson2Module.java +++ b/web/src/main/java/org/springframework/security/web/jackson2/WebJackson2Module.java @@ -35,14 +35,19 @@ * 
  *     ObjectMapper mapper = new ObjectMapper();
  *     mapper.registerModule(new WebJackson2Module());
- *
Note: use {@link SecurityJackson2Modules#getModules(ClassLoader)} to get list - * of all security modules. + * + * + * Note: use {@link SecurityJackson2Modules#getModules(ClassLoader)} to get list of all + * security modules. * * @author Jitendra Singh * @since 4.2 * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@link org.springframework.security.web.jackson.WebJacksonModule} based on Jackson 3 */ -@SuppressWarnings("serial") +@Deprecated(forRemoval = true) +@SuppressWarnings({ "serial", "removal" }) public class WebJackson2Module extends SimpleModule { public WebJackson2Module() { diff --git a/web/src/main/java/org/springframework/security/web/jackson2/WebServletJackson2Module.java b/web/src/main/java/org/springframework/security/web/jackson2/WebServletJackson2Module.java index 70e4d62b0b..2bd87792b5 100644 --- a/web/src/main/java/org/springframework/security/web/jackson2/WebServletJackson2Module.java +++ b/web/src/main/java/org/springframework/security/web/jackson2/WebServletJackson2Module.java @@ -43,8 +43,12 @@ * @author Boris Finkelshteyn * @since 5.1 * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@link org.springframework.security.web.jackson.WebServletJacksonModule} based on + * Jackson 3 */ -@SuppressWarnings("serial") +@Deprecated(forRemoval = true) +@SuppressWarnings({ "serial", "removal" }) public class WebServletJackson2Module extends SimpleModule { public WebServletJackson2Module() { diff --git a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java index 426ca4a009..a20ade9de3 100644 --- a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java +++ b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java @@ -27,7 +27,6 @@ import java.util.TreeMap; import com.fasterxml.jackson.annotation.JsonIgnoreProperties; -import com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder; import jakarta.servlet.http.Cookie; import jakarta.servlet.http.HttpServletRequest; import org.apache.commons.logging.Log; @@ -337,7 +336,8 @@ public String toString() { * @since 4.2 */ @JsonIgnoreProperties(ignoreUnknown = true) - @JsonPOJOBuilder(withPrefix = "set") + @com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder(withPrefix = "set") + @tools.jackson.databind.annotation.JsonPOJOBuilder(withPrefix = "set") public static class Builder { private @Nullable List cookies = null; diff --git a/web/src/main/java/org/springframework/security/web/server/jackson2/DefaultCsrfServerTokenMixin.java b/web/src/main/java/org/springframework/security/web/server/jackson2/DefaultCsrfServerTokenMixin.java index 18ce72aadd..33ce393cab 100644 --- a/web/src/main/java/org/springframework/security/web/server/jackson2/DefaultCsrfServerTokenMixin.java +++ b/web/src/main/java/org/springframework/security/web/server/jackson2/DefaultCsrfServerTokenMixin.java @@ -34,7 +34,12 @@ * @author Boris Finkelshteyn * @since 5.1 * @see WebServerJackson2Module + * @deprecated as of 7.0 in favor of + * {@code org.springframework.security.web.server.jackson.DefaultCsrfServerTokenMixin} + * based on Jackson 3 */ +@SuppressWarnings("removal") +@Deprecated(forRemoval = true) @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class") @JsonIgnoreProperties(ignoreUnknown = true) class DefaultCsrfServerTokenMixin { diff --git a/web/src/main/java/org/springframework/security/web/server/jackson2/WebServerJackson2Module.java b/web/src/main/java/org/springframework/security/web/server/jackson2/WebServerJackson2Module.java index 39bac183c9..294b3673c2 100644 --- a/web/src/main/java/org/springframework/security/web/server/jackson2/WebServerJackson2Module.java +++ b/web/src/main/java/org/springframework/security/web/server/jackson2/WebServerJackson2Module.java @@ -37,8 +37,12 @@ * @author Boris Finkelshteyn * @since 5.1 * @see SecurityJackson2Modules + * @deprecated as of 7.0 in favor of + * {@link org.springframework.security.web.server.jackson.WebServerJacksonModule} based on + * Jackson 3 */ -@SuppressWarnings("serial") +@Deprecated(forRemoval = true) +@SuppressWarnings({ "serial", "removal" }) public class WebServerJackson2Module extends SimpleModule { private static final String NAME = WebServerJackson2Module.class.getName(); diff --git a/web/src/test/java/org/springframework/security/web/jackson2/AbstractMixinTests.java b/web/src/test/java/org/springframework/security/web/jackson2/AbstractMixinTests.java index 7cbcf1a434..af5bec615d 100644 --- a/web/src/test/java/org/springframework/security/web/jackson2/AbstractMixinTests.java +++ b/web/src/test/java/org/springframework/security/web/jackson2/AbstractMixinTests.java @@ -25,6 +25,7 @@ * @author Jitenra Singh * @since 4.2 */ +@SuppressWarnings("removal") public abstract class AbstractMixinTests { protected ObjectMapper mapper; diff --git a/web/src/test/java/org/springframework/security/web/jackson2/SavedCookieMixinTests.java b/web/src/test/java/org/springframework/security/web/jackson2/SavedCookieMixinTests.java index 1b2b93a6cf..cd614bfffc 100644 --- a/web/src/test/java/org/springframework/security/web/jackson2/SavedCookieMixinTests.java +++ b/web/src/test/java/org/springframework/security/web/jackson2/SavedCookieMixinTests.java @@ -33,7 +33,7 @@ import static org.assertj.core.api.Assertions.assertThat; /** - * @author Jitendra Singh. + * @author Jitendra Singh */ public class SavedCookieMixinTests extends AbstractMixinTests { diff --git a/web/src/test/java/org/springframework/security/web/jackson2/SwitchUserGrantedAuthorityMixInTests.java b/web/src/test/java/org/springframework/security/web/jackson2/SwitchUserGrantedAuthorityMixInTests.java index 1de775e79c..8be1fd62f0 100644 --- a/web/src/test/java/org/springframework/security/web/jackson2/SwitchUserGrantedAuthorityMixInTests.java +++ b/web/src/test/java/org/springframework/security/web/jackson2/SwitchUserGrantedAuthorityMixInTests.java @@ -39,6 +39,7 @@ * @author Markus Heiden * @since 6.3 */ +@SuppressWarnings("removal") public class SwitchUserGrantedAuthorityMixInTests { // language=JSON From cd5545657e2b53e72b39cece35ba5125bd1dcc40 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Deleuze?= Date: Wed, 10 Sep 2025 22:15:07 +0200 Subject: [PATCH 05/14] Add webauthn Jackson 3 support and deprecate Jackson 2 one MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since this module was already using the jackson sub-package for Jackson 2 support, both Jackson 2 and Jackson 3 support lives in the same subpackage and the former package-private classes has been renamed with a Jackson2 qualifier. See gh-17832 Signed-off-by: Sébastien Deleuze --- webauthn/spring-security-webauthn.gradle | 1 + ...blicKeyCredentialRequestOptionsFilter.java | 10 +- .../WebAuthnAuthenticationFilter.java | 21 +- ...tionConveyancePreferenceJackson2Mixin.java | 37 ++ ...onveyancePreferenceJackson2Serializer.java | 50 +++ .../AttestationConveyancePreferenceMixin.java | 2 +- ...stationConveyancePreferenceSerializer.java | 13 +- ...ionExtensionsClientInputJackson2Mixin.java | 37 ++ ...tensionsClientInputJackson2Serializer.java | 53 +++ ...henticationExtensionsClientInputMixin.java | 2 +- ...cationExtensionsClientInputSerializer.java | 15 +- ...onExtensionsClientInputsJackson2Mixin.java | 37 ++ ...ensionsClientInputsJackson2Serializer.java | 59 +++ ...enticationExtensionsClientInputsMixin.java | 2 +- ...ationExtensionsClientInputsSerializer.java | 15 +- ...onExtensionsClientOutputsDeserializer.java | 15 +- ...ionsClientOutputsJackson2Deserializer.java | 84 ++++ ...nExtensionsClientOutputsJackson2Mixin.java | 37 ++ ...nticationExtensionsClientOutputsMixin.java | 2 +- ...ticatorAssertionResponseJackson2Mixin.java | 42 ++ .../AuthenticatorAssertionResponseMixin.java | 4 +- ...ticatorAttachmentJackson2Deserializer.java | 58 +++ .../AuthenticatorAttachmentJackson2Mixin.java | 39 ++ ...enticatorAttachmentJackson2Serializer.java | 50 +++ .../jackson/AuthenticatorAttachmentMixin.java | 4 +- .../AuthenticatorAttachmentSerializer.java | 13 +- ...catorAttestationResponseJackson2Mixin.java | 52 +++ ...AuthenticatorAttestationResponseMixin.java | 4 +- ...nticatorTransportJackson2Deserializer.java | 58 +++ .../AuthenticatorTransportJackson2Mixin.java | 39 ++ ...henticatorTransportJackson2Serializer.java | 45 +++ .../jackson/AuthenticatorTransportMixin.java | 4 +- .../AuthenticatorTransportSerializer.java | 15 +- .../webauthn/jackson/BytesJackson2Mixin.java | 45 +++ .../jackson/BytesJackson2Serializer.java | 52 +++ .../web/webauthn/jackson/BytesMixin.java | 2 +- .../web/webauthn/jackson/BytesSerializer.java | 11 +- ...gorithmIdentifierJackson2Deserializer.java | 58 +++ .../COSEAlgorithmIdentifierJackson2Mixin.java | 39 ++ ...AlgorithmIdentifierJackson2Serializer.java | 50 +++ .../jackson/COSEAlgorithmIdentifierMixin.java | 4 +- .../COSEAlgorithmIdentifierSerializer.java | 13 +- ...ionExtensionsClientInputJackson2Mixin.java | 31 ++ ...tensionsClientInputJackson2Serializer.java | 68 ++++ ...henticationExtensionsClientInputMixin.java | 2 +- ...cationExtensionsClientInputSerializer.java | 15 +- ...edentialPropertiesOutputJackson2Mixin.java | 40 ++ .../jackson/DurationJackson2Serializer.java | 51 +++ .../webauthn/jackson/DurationSerializer.java | 10 +- ...redentialCreationOptionsJackson2Mixin.java | 44 +++ ...blicKeyCredentialCreationOptionsMixin.java | 2 +- .../PublicKeyCredentialJackson2Mixin.java | 42 ++ .../jackson/PublicKeyCredentialMixin.java | 4 +- ...CredentialRequestOptionsJackson2Mixin.java | 44 +++ ...ublicKeyCredentialRequestOptionsMixin.java | 2 +- .../PublicKeyCredentialTypeDeserializer.java | 13 +- ...KeyCredentialTypeJackson2Deserializer.java | 55 +++ .../PublicKeyCredentialTypeJackson2Mixin.java | 39 ++ ...icKeyCredentialTypeJackson2Serializer.java | 53 +++ .../jackson/PublicKeyCredentialTypeMixin.java | 4 +- .../PublicKeyCredentialTypeSerializer.java | 13 +- .../RelyingPartyPublicKeyJackson2Mixin.java | 42 ++ .../ResidentKeyRequirementJackson2Mixin.java | 37 ++ ...identKeyRequirementJackson2Serializer.java | 53 +++ .../jackson/ResidentKeyRequirementMixin.java | 2 +- .../ResidentKeyRequirementSerializer.java | 13 +- ...rVerificationRequirementJackson2Mixin.java | 37 ++ ...ficationRequirementJackson2Serializer.java | 53 +++ .../UserVerificationRequirementMixin.java | 2 +- ...UserVerificationRequirementSerializer.java | 13 +- .../jackson/WebauthnJackson2Module.java | 52 +-- .../jackson/WebauthnJacksonModule.java | 97 +++++ ...licKeyCredentialCreationOptionsFilter.java | 12 +- .../WebAuthnRegistrationFilter.java | 12 +- .../WebAuthnAuthenticationFilterTests.java | 4 +- ...ionExtensionsClientInputJackson2Tests.java | 153 ++++++++ ...tionExtensionsClientInputJacksonTests.java | 7 +- .../web/webauthn/jackson/Jackson2Tests.java | 363 ++++++++++++++++++ .../web/webauthn/jackson/JacksonTests.java | 9 +- ...bAuthnRegistrationRequestJacksonTests.java | 9 +- 80 files changed, 2504 insertions(+), 191 deletions(-) create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AttestationConveyancePreferenceJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AttestationConveyancePreferenceJackson2Serializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputJackson2Serializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsJackson2Serializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsJackson2Deserializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAssertionResponseJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentJackson2Deserializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentJackson2Serializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttestationResponseJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportJackson2Deserializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportJackson2Serializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/BytesJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/BytesJackson2Serializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierJackson2Deserializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierJackson2Serializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputJackson2Serializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/CredentialPropertiesOutputJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/DurationJackson2Serializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialCreationOptionsJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialRequestOptionsJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeJackson2Deserializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeJackson2Serializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/RelyingPartyPublicKeyJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementJackson2Serializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/UserVerificationRequirementJackson2Mixin.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/UserVerificationRequirementJackson2Serializer.java create mode 100644 webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/WebauthnJacksonModule.java create mode 100644 webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputJackson2Tests.java create mode 100644 webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/Jackson2Tests.java diff --git a/webauthn/spring-security-webauthn.gradle b/webauthn/spring-security-webauthn.gradle index 39413d024f..b289714464 100644 --- a/webauthn/spring-security-webauthn.gradle +++ b/webauthn/spring-security-webauthn.gradle @@ -15,6 +15,7 @@ dependencies { optional 'org.springframework:spring-jdbc' optional 'org.springframework:spring-tx' + optional 'tools.jackson.core:jackson-databind' provided 'jakarta.servlet:jakarta.servlet-api' diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/PublicKeyCredentialRequestOptionsFilter.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/PublicKeyCredentialRequestOptionsFilter.java index 2a72efdf41..bd2bb76641 100644 --- a/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/PublicKeyCredentialRequestOptionsFilter.java +++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/PublicKeyCredentialRequestOptionsFilter.java @@ -22,13 +22,13 @@ import jakarta.servlet.ServletException; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; +import tools.jackson.databind.json.JsonMapper; import org.springframework.http.HttpHeaders; import org.springframework.http.HttpMethod; import org.springframework.http.MediaType; import org.springframework.http.converter.HttpMessageConverter; -import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder; -import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter; +import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter; import org.springframework.http.server.ServletServerHttpResponse; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; @@ -36,7 +36,7 @@ import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions; -import org.springframework.security.web.webauthn.jackson.WebauthnJackson2Module; +import org.springframework.security.web.webauthn.jackson.WebauthnJacksonModule; import org.springframework.security.web.webauthn.management.ImmutablePublicKeyCredentialRequestOptionsRequest; import org.springframework.security.web.webauthn.management.WebAuthnRelyingPartyOperations; import org.springframework.util.Assert; @@ -63,8 +63,8 @@ public class PublicKeyCredentialRequestOptionsFilter extends OncePerRequestFilte private PublicKeyCredentialRequestOptionsRepository requestOptionsRepository = new HttpSessionPublicKeyCredentialRequestOptionsRepository(); - private HttpMessageConverter converter = new MappingJackson2HttpMessageConverter( - Jackson2ObjectMapperBuilder.json().modules(new WebauthnJackson2Module()).build()); + private HttpMessageConverter converter = new JacksonJsonHttpMessageConverter( + JsonMapper.builder().addModule(new WebauthnJacksonModule()).build()); /** * Creates a new instance with the provided {@link WebAuthnRelyingPartyOperations}. diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilter.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilter.java index 03c7e1a1c5..6c83cab7ed 100644 --- a/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilter.java +++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilter.java @@ -21,13 +21,14 @@ import jakarta.servlet.ServletException; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; +import tools.jackson.databind.json.JsonMapper; import org.springframework.core.ResolvableType; import org.springframework.http.HttpMethod; import org.springframework.http.HttpStatus; import org.springframework.http.converter.GenericHttpMessageConverter; -import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder; -import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter; +import org.springframework.http.converter.SmartHttpMessageConverter; +import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter; import org.springframework.http.server.ServletServerHttpRequest; import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.core.Authentication; @@ -40,7 +41,7 @@ import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse; import org.springframework.security.web.webauthn.api.PublicKeyCredential; import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions; -import org.springframework.security.web.webauthn.jackson.WebauthnJackson2Module; +import org.springframework.security.web.webauthn.jackson.WebauthnJacksonModule; import org.springframework.security.web.webauthn.management.RelyingPartyAuthenticationRequest; import org.springframework.util.Assert; @@ -49,8 +50,7 @@ /** * Authenticates {@code PublicKeyCredential} that is * parsed from the body of the {@link HttpServletRequest} using the - * {@link #setConverter(GenericHttpMessageConverter)}. An example request is provided - * below: + * {@link #setConverter(SmartHttpMessageConverter)}. An example request is provided below: * * 
  * {
@@ -72,8 +72,8 @@
  */
 public class WebAuthnAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
 
-	private GenericHttpMessageConverter converter = new MappingJackson2HttpMessageConverter(
-			Jackson2ObjectMapperBuilder.json().modules(new WebauthnJackson2Module()).build());
+	private SmartHttpMessageConverter converter = new JacksonJsonHttpMessageConverter(
+			JsonMapper.builder().addModule(new WebauthnJacksonModule()).build());
 
 	private PublicKeyCredentialRequestOptionsRepository requestOptionsRepository = new HttpSessionPublicKeyCredentialRequestOptionsRepository();
 
@@ -94,7 +94,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 		PublicKeyCredential publicKeyCredential = null;
 		try {
 			publicKeyCredential = (PublicKeyCredential) this.converter
-				.read(resolvableType.getType(), getClass(), httpRequest);
+				.read(resolvableType, httpRequest, null);
 		}
 		catch (Exception ex) {
 			throw new BadCredentialsException("Unable to authenticate the PublicKeyCredential", ex);
@@ -114,10 +114,11 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 	/**
 	 * Sets the {@link GenericHttpMessageConverter} to use for writing
 	 * {@code PublicKeyCredential} to the response. The
-	 * default is @{code MappingJackson2HttpMessageConverter}
+	 * default is @{code Jackson2HttpMessageConverter}
 	 * @param converter the {@link GenericHttpMessageConverter} to use. Cannot be null.
 	 */
-	public void setConverter(GenericHttpMessageConverter converter) {
+	// TODO Accept HttpMessageConverter
+	public void setConverter(SmartHttpMessageConverter converter) {
 		Assert.notNull(converter, "converter cannot be null");
 		this.converter = converter;
 	}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AttestationConveyancePreferenceJackson2Mixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AttestationConveyancePreferenceJackson2Mixin.java
new file mode 100644
index 0000000000..489acebfff
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AttestationConveyancePreferenceJackson2Mixin.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+
+import org.springframework.security.web.webauthn.api.AttestationConveyancePreference;
+
+/**
+ * Jackson mixin for {@link AttestationConveyancePreference}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.AttestationConveyancePreferenceMixin}
+ * based on Jackson 3
+ */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
+@JsonSerialize(using = AttestationConveyancePreferenceJackson2Serializer.class)
+class AttestationConveyancePreferenceJackson2Mixin {
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AttestationConveyancePreferenceJackson2Serializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AttestationConveyancePreferenceJackson2Serializer.java
new file mode 100644
index 0000000000..99a93b4227
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AttestationConveyancePreferenceJackson2Serializer.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import java.io.IOException;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+
+import org.springframework.security.web.webauthn.api.AttestationConveyancePreference;
+
+/**
+ * Jackson serializer for {@link AttestationConveyancePreference}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.AttestationConveyancePreferenceSerializer}
+ * based on Jackson 3
+ */
+@Deprecated(forRemoval = true)
+@SuppressWarnings("serial")
+class AttestationConveyancePreferenceJackson2Serializer extends StdSerializer {
+
+	AttestationConveyancePreferenceJackson2Serializer() {
+		super(AttestationConveyancePreference.class);
+	}
+
+	@Override
+	public void serialize(AttestationConveyancePreference preference, JsonGenerator jgen, SerializerProvider provider)
+			throws IOException {
+		jgen.writeString(preference.getValue());
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AttestationConveyancePreferenceMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AttestationConveyancePreferenceMixin.java
index e3abe5c967..41140d54fd 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AttestationConveyancePreferenceMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AttestationConveyancePreferenceMixin.java
@@ -16,7 +16,7 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import tools.jackson.databind.annotation.JsonSerialize;
 
 import org.springframework.security.web.webauthn.api.AttestationConveyancePreference;
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AttestationConveyancePreferenceSerializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AttestationConveyancePreferenceSerializer.java
index 81f331491c..7eea519353 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AttestationConveyancePreferenceSerializer.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AttestationConveyancePreferenceSerializer.java
@@ -16,11 +16,10 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import java.io.IOException;
-
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+import tools.jackson.core.JacksonException;
+import tools.jackson.core.JsonGenerator;
+import tools.jackson.databind.SerializationContext;
+import tools.jackson.databind.ser.std.StdSerializer;
 
 import org.springframework.security.web.webauthn.api.AttestationConveyancePreference;
 
@@ -38,8 +37,8 @@ class AttestationConveyancePreferenceSerializer extends StdSerializer {
+
+	/**
+	 * Creates a new instance.
+	 */
+	AuthenticationExtensionsClientInputJackson2Serializer() {
+		super(AuthenticationExtensionsClientInput.class);
+	}
+
+	@Override
+	public void serialize(AuthenticationExtensionsClientInput input, JsonGenerator jgen, SerializerProvider provider)
+			throws IOException {
+		jgen.writeObjectField(input.getExtensionId(), input.getInput());
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputMixin.java
index 0fa2f47e81..76b5b7113d 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputMixin.java
@@ -16,7 +16,7 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import tools.jackson.databind.annotation.JsonSerialize;
 
 import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientInputs;
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputSerializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputSerializer.java
index ce90ebd117..225b697bb7 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputSerializer.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputSerializer.java
@@ -16,11 +16,10 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import java.io.IOException;
-
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+import tools.jackson.core.JacksonException;
+import tools.jackson.core.JsonGenerator;
+import tools.jackson.databind.SerializationContext;
+import tools.jackson.databind.ser.std.StdSerializer;
 
 import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientInput;
 
@@ -41,9 +40,9 @@ class AuthenticationExtensionsClientInputSerializer extends StdSerializer {
+
+	/**
+	 * Creates a new instance.
+	 */
+	AuthenticationExtensionsClientInputsJackson2Serializer() {
+		super(AuthenticationExtensionsClientInputs.class);
+	}
+
+	@Override
+	public void serialize(AuthenticationExtensionsClientInputs inputs, JsonGenerator jgen, SerializerProvider provider)
+			throws IOException {
+		jgen.writeStartObject();
+		for (AuthenticationExtensionsClientInput input : inputs.getInputs()) {
+			jgen.writeObject(input);
+		}
+		jgen.writeEndObject();
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsMixin.java
index 6d788e0837..11e9ed9ad7 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsMixin.java
@@ -16,7 +16,7 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import tools.jackson.databind.annotation.JsonSerialize;
 
 import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientInputs;
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsSerializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsSerializer.java
index 5a56b0690f..7d5eda91b8 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsSerializer.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientInputsSerializer.java
@@ -16,11 +16,10 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import java.io.IOException;
-
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+import tools.jackson.core.JacksonException;
+import tools.jackson.core.JsonGenerator;
+import tools.jackson.databind.SerializationContext;
+import tools.jackson.databind.ser.std.StdSerializer;
 
 import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientInput;
 import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientInputs;
@@ -42,11 +41,11 @@ class AuthenticationExtensionsClientInputsSerializer extends StdSerializer> outputs = new ArrayList<>();
-		for (String key = parser.nextFieldName(); key != null; key = parser.nextFieldName()) {
+		for (String key = parser.nextName(); key != null; key = parser.nextName()) {
 			JsonToken startObject = parser.nextValue();
 			if (startObject != JsonToken.START_OBJECT) {
 				break;
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsJackson2Deserializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsJackson2Deserializer.java
new file mode 100644
index 0000000000..85f3f4b2a3
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsJackson2Deserializer.java
@@ -0,0 +1,84 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import com.fasterxml.jackson.core.JacksonException;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.JsonToken;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientOutput;
+import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientOutputs;
+import org.springframework.security.web.webauthn.api.CredentialPropertiesOutput;
+import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs;
+
+/**
+ * Provides Jackson deserialization of {@link AuthenticationExtensionsClientOutputs}.
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.AuthenticationExtensionsClientOutputsDeserializer}
+ * based on Jackson 3
+ */
+@Deprecated(forRemoval = true)
+@SuppressWarnings("serial")
+class AuthenticationExtensionsClientOutputsJackson2Deserializer
+		extends StdDeserializer {
+
+	private static final Log logger = LogFactory
+		.getLog(AuthenticationExtensionsClientOutputsJackson2Deserializer.class);
+
+	/**
+	 * Creates a new instance.
+	 */
+	AuthenticationExtensionsClientOutputsJackson2Deserializer() {
+		super(AuthenticationExtensionsClientOutputs.class);
+	}
+
+	@Override
+	public AuthenticationExtensionsClientOutputs deserialize(JsonParser parser, DeserializationContext ctxt)
+			throws IOException, JacksonException {
+		List> outputs = new ArrayList<>();
+		for (String key = parser.nextFieldName(); key != null; key = parser.nextFieldName()) {
+			JsonToken startObject = parser.nextValue();
+			if (startObject != JsonToken.START_OBJECT) {
+				break;
+			}
+			if (CredentialPropertiesOutput.EXTENSION_ID.equals(key)) {
+				CredentialPropertiesOutput output = parser.readValueAs(CredentialPropertiesOutput.class);
+				outputs.add(output);
+			}
+			else {
+				if (logger.isDebugEnabled()) {
+					logger.debug("Skipping unknown extension with id " + key);
+				}
+				parser.nextValue();
+			}
+		}
+
+		return new ImmutableAuthenticationExtensionsClientOutputs(outputs);
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsJackson2Mixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsJackson2Mixin.java
new file mode 100644
index 0000000000..75ab461e47
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsJackson2Mixin.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+
+import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientOutputs;
+
+/**
+ * Jackson mixin for {@link AuthenticationExtensionsClientOutputs}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.AuthenticationExtensionsClientOutputsMixin}
+ * based on Jackson 3
+ */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
+@JsonDeserialize(using = AuthenticationExtensionsClientOutputsJackson2Deserializer.class)
+class AuthenticationExtensionsClientOutputsJackson2Mixin {
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsMixin.java
index e41e068536..c01f264426 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticationExtensionsClientOutputsMixin.java
@@ -16,7 +16,7 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import tools.jackson.databind.annotation.JsonDeserialize;
 
 import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientOutputs;
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAssertionResponseJackson2Mixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAssertionResponseJackson2Mixin.java
new file mode 100644
index 0000000000..3b6eba49ca
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAssertionResponseJackson2Mixin.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder;
+
+import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
+
+/**
+ * Jackson mixin for {@link AuthenticatorAssertionResponse}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.AuthenticatorAssertionResponseMixin}
+ * based on Jackson 3
+ */
+@Deprecated(forRemoval = true)
+@JsonDeserialize(builder = AuthenticatorAssertionResponse.AuthenticatorAssertionResponseBuilder.class)
+class AuthenticatorAssertionResponseJackson2Mixin {
+
+	@JsonPOJOBuilder(withPrefix = "")
+	abstract class AuthenticatorAssertionResponseBuilderMixin {
+
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAssertionResponseMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAssertionResponseMixin.java
index 2c28c59787..4e6c51dfa6 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAssertionResponseMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAssertionResponseMixin.java
@@ -16,8 +16,8 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
-import com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder;
+import tools.jackson.databind.annotation.JsonDeserialize;
+import tools.jackson.databind.annotation.JsonPOJOBuilder;
 
 import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentJackson2Deserializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentJackson2Deserializer.java
new file mode 100644
index 0000000000..98cbf670bf
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentJackson2Deserializer.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import java.io.IOException;
+
+import com.fasterxml.jackson.core.JacksonException;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.security.web.webauthn.api.AuthenticatorAttachment;
+
+/**
+ * Jackson deserializer for {@link AuthenticatorAttachment}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.AuthenticatorAttachmentDeserializer}
+ * based on Jackson 3
+ */
+@Deprecated(forRemoval = true)
+@SuppressWarnings("serial")
+class AuthenticatorAttachmentJackson2Deserializer extends StdDeserializer {
+
+	AuthenticatorAttachmentJackson2Deserializer() {
+		super(AuthenticatorAttachment.class);
+	}
+
+	@Override
+	public @Nullable AuthenticatorAttachment deserialize(JsonParser parser, DeserializationContext ctxt)
+			throws IOException, JacksonException {
+		String type = parser.readValueAs(String.class);
+		for (AuthenticatorAttachment publicKeyCredentialType : AuthenticatorAttachment.values()) {
+			if (publicKeyCredentialType.getValue().equals(type)) {
+				return publicKeyCredentialType;
+			}
+		}
+		return null;
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentJackson2Mixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentJackson2Mixin.java
new file mode 100644
index 0000000000..409f1a2f47
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentJackson2Mixin.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+
+import org.springframework.security.web.webauthn.api.AuthenticatorAttachment;
+
+/**
+ * Jackson mixin for {@link AuthenticatorAttachment}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.AuthenticatorAttachmentMixin}
+ * based on Jackson 3
+ */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
+@JsonDeserialize(using = AuthenticatorAttachmentJackson2Deserializer.class)
+@JsonSerialize(using = AuthenticatorAttachmentJackson2Serializer.class)
+class AuthenticatorAttachmentJackson2Mixin {
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentJackson2Serializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentJackson2Serializer.java
new file mode 100644
index 0000000000..285f0d1dd8
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentJackson2Serializer.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import java.io.IOException;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+
+import org.springframework.security.web.webauthn.api.AuthenticatorAttachment;
+
+/**
+ * Jackson serializer for {@link AuthenticatorAttachment}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.AuthenticatorAttachmentSerializer}
+ * based on Jackson 3
+ */
+@Deprecated(forRemoval = true)
+@SuppressWarnings("serial")
+class AuthenticatorAttachmentJackson2Serializer extends StdSerializer {
+
+	AuthenticatorAttachmentJackson2Serializer() {
+		super(AuthenticatorAttachment.class);
+	}
+
+	@Override
+	public void serialize(AuthenticatorAttachment attachment, JsonGenerator jgen, SerializerProvider provider)
+			throws IOException {
+		jgen.writeString(attachment.getValue());
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentMixin.java
index 820b5477ed..df4a397754 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentMixin.java
@@ -16,8 +16,8 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import tools.jackson.databind.annotation.JsonDeserialize;
+import tools.jackson.databind.annotation.JsonSerialize;
 
 import org.springframework.security.web.webauthn.api.AuthenticatorAttachment;
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentSerializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentSerializer.java
index 3ccdf60514..9a854420fe 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentSerializer.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttachmentSerializer.java
@@ -16,11 +16,10 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import java.io.IOException;
-
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+import tools.jackson.core.JacksonException;
+import tools.jackson.core.JsonGenerator;
+import tools.jackson.databind.SerializationContext;
+import tools.jackson.databind.ser.std.StdSerializer;
 
 import org.springframework.security.web.webauthn.api.AuthenticatorAttachment;
 
@@ -38,8 +37,8 @@ class AuthenticatorAttachmentSerializer extends StdSerializer transports);
+
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttestationResponseMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttestationResponseMixin.java
index cd43c3d59d..25c5c8f2c4 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttestationResponseMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorAttestationResponseMixin.java
@@ -20,8 +20,8 @@
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonSetter;
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
-import com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder;
+import tools.jackson.databind.annotation.JsonDeserialize;
+import tools.jackson.databind.annotation.JsonPOJOBuilder;
 
 import org.springframework.security.web.webauthn.api.AuthenticatorAttestationResponse;
 import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportJackson2Deserializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportJackson2Deserializer.java
new file mode 100644
index 0000000000..3cea2df11e
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportJackson2Deserializer.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import java.io.IOException;
+
+import com.fasterxml.jackson.core.JacksonException;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
+
+/**
+ * Jackson deserializer for {@link AuthenticatorTransport}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.AuthenticatorTransportDeserializer}
+ * based on Jackson 3
+ */
+@Deprecated(forRemoval = true)
+@SuppressWarnings("serial")
+class AuthenticatorTransportJackson2Deserializer extends StdDeserializer {
+
+	AuthenticatorTransportJackson2Deserializer() {
+		super(AuthenticatorTransport.class);
+	}
+
+	@Override
+	public @Nullable AuthenticatorTransport deserialize(JsonParser parser, DeserializationContext ctxt)
+			throws IOException, JacksonException {
+		String transportValue = parser.readValueAs(String.class);
+		for (AuthenticatorTransport transport : AuthenticatorTransport.values()) {
+			if (transport.getValue().equals(transportValue)) {
+				return transport;
+			}
+		}
+		return null;
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportJackson2Mixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportJackson2Mixin.java
new file mode 100644
index 0000000000..4f55835069
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportJackson2Mixin.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+
+import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
+
+/**
+ * Jackson mixin for {@link AuthenticatorTransport}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.AuthenticatorTransportMixin}
+ * based on Jackson 3
+ */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
+@JsonDeserialize(using = AuthenticatorTransportJackson2Deserializer.class)
+@JsonSerialize(using = AuthenticatorTransportJackson2Serializer.class)
+class AuthenticatorTransportJackson2Mixin {
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportJackson2Serializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportJackson2Serializer.java
new file mode 100644
index 0000000000..229c807174
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportJackson2Serializer.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import java.io.IOException;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.databind.SerializerProvider;
+
+import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
+
+/**
+ * Jackson serializer for {@link AuthenticatorTransport}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.AuthenticatorTransportSerializer}
+ * based on Jackson 3
+ */
+@Deprecated(forRemoval = true)
+class AuthenticatorTransportJackson2Serializer extends JsonSerializer {
+
+	@Override
+	public void serialize(AuthenticatorTransport transport, JsonGenerator jgen, SerializerProvider provider)
+			throws IOException {
+		jgen.writeString(transport.getValue());
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportMixin.java
index 76c97fc2c7..9be251fce6 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportMixin.java
@@ -16,8 +16,8 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import tools.jackson.databind.annotation.JsonDeserialize;
+import tools.jackson.databind.annotation.JsonSerialize;
 
 import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportSerializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportSerializer.java
index 92a485587a..3e9999f72c 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportSerializer.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/AuthenticatorTransportSerializer.java
@@ -16,11 +16,10 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import java.io.IOException;
-
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.databind.JsonSerializer;
-import com.fasterxml.jackson.databind.SerializerProvider;
+import tools.jackson.core.JacksonException;
+import tools.jackson.core.JsonGenerator;
+import tools.jackson.databind.SerializationContext;
+import tools.jackson.databind.ValueSerializer;
 
 import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
 
@@ -30,11 +29,11 @@
  * @author Rob Winch
  * @since 6.4
  */
-class AuthenticatorTransportSerializer extends JsonSerializer {
+class AuthenticatorTransportSerializer extends ValueSerializer {
 
 	@Override
-	public void serialize(AuthenticatorTransport transport, JsonGenerator jgen, SerializerProvider provider)
-			throws IOException {
+	public void serialize(AuthenticatorTransport transport, JsonGenerator jgen, SerializationContext ctxt)
+			throws JacksonException {
 		jgen.writeString(transport.getValue());
 	}
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/BytesJackson2Mixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/BytesJackson2Mixin.java
new file mode 100644
index 0000000000..b41a2db0e8
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/BytesJackson2Mixin.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+
+import org.springframework.security.web.webauthn.api.Bytes;
+
+/**
+ * Jackson mixin for {@link Bytes}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.BytesMixin} based on Jackson 3
+ */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
+@JsonSerialize(using = BytesJackson2Serializer.class)
+final class BytesJackson2Mixin {
+
+	@JsonCreator
+	static Bytes fromBase64(String value) {
+		return Bytes.fromBase64(value);
+	}
+
+	private BytesJackson2Mixin() {
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/BytesJackson2Serializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/BytesJackson2Serializer.java
new file mode 100644
index 0000000000..88daaa0f17
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/BytesJackson2Serializer.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import java.io.IOException;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+
+import org.springframework.security.web.webauthn.api.Bytes;
+
+/**
+ * Jackson serializer for {@link Bytes}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.BytesSerializer} based on
+ * Jackson 3
+ */
+@Deprecated(forRemoval = true)
+@SuppressWarnings("serial")
+class BytesJackson2Serializer extends StdSerializer {
+
+	/**
+	 * Creates a new instance.
+	 */
+	BytesJackson2Serializer() {
+		super(Bytes.class);
+	}
+
+	@Override
+	public void serialize(Bytes bytes, JsonGenerator jgen, SerializerProvider provider) throws IOException {
+		jgen.writeString(bytes.toBase64UrlString());
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/BytesMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/BytesMixin.java
index ea4567659a..74a256f765 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/BytesMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/BytesMixin.java
@@ -17,7 +17,7 @@
 package org.springframework.security.web.webauthn.jackson;
 
 import com.fasterxml.jackson.annotation.JsonCreator;
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import tools.jackson.databind.annotation.JsonSerialize;
 
 import org.springframework.security.web.webauthn.api.Bytes;
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/BytesSerializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/BytesSerializer.java
index f52d39b20c..0d2041c435 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/BytesSerializer.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/BytesSerializer.java
@@ -16,11 +16,10 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import java.io.IOException;
-
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+import tools.jackson.core.JacksonException;
+import tools.jackson.core.JsonGenerator;
+import tools.jackson.databind.SerializationContext;
+import tools.jackson.databind.ser.std.StdSerializer;
 
 import org.springframework.security.web.webauthn.api.Bytes;
 
@@ -41,7 +40,7 @@ class BytesSerializer extends StdSerializer {
 	}
 
 	@Override
-	public void serialize(Bytes bytes, JsonGenerator jgen, SerializerProvider provider) throws IOException {
+	public void serialize(Bytes bytes, JsonGenerator jgen, SerializationContext provider) throws JacksonException {
 		jgen.writeString(bytes.toBase64UrlString());
 	}
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierJackson2Deserializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierJackson2Deserializer.java
new file mode 100644
index 0000000000..ba2d2a14c7
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierJackson2Deserializer.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import java.io.IOException;
+
+import com.fasterxml.jackson.core.JacksonException;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.security.web.webauthn.api.COSEAlgorithmIdentifier;
+
+/**
+ * Jackson serializer for {@link COSEAlgorithmIdentifier}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.COSEAlgorithmIdentifierDeserializer}
+ * based on Jackson 3
+ */
+@Deprecated(forRemoval = true)
+@SuppressWarnings("serial")
+class COSEAlgorithmIdentifierJackson2Deserializer extends StdDeserializer {
+
+	COSEAlgorithmIdentifierJackson2Deserializer() {
+		super(COSEAlgorithmIdentifier.class);
+	}
+
+	@Override
+	public @Nullable COSEAlgorithmIdentifier deserialize(JsonParser parser, DeserializationContext ctxt)
+			throws IOException, JacksonException {
+		Long transportValue = parser.readValueAs(Long.class);
+		for (COSEAlgorithmIdentifier identifier : COSEAlgorithmIdentifier.values()) {
+			if (identifier.getValue() == transportValue.longValue()) {
+				return identifier;
+			}
+		}
+		return null;
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierJackson2Mixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierJackson2Mixin.java
new file mode 100644
index 0000000000..f1ef94cacb
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierJackson2Mixin.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+
+import org.springframework.security.web.webauthn.api.COSEAlgorithmIdentifier;
+
+/**
+ * Jackson mixin for {@link COSEAlgorithmIdentifier}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.COSEAlgorithmIdentifierMixin}
+ * based on Jackson 3
+ */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
+@JsonSerialize(using = COSEAlgorithmIdentifierJackson2Serializer.class)
+@JsonDeserialize(using = COSEAlgorithmIdentifierJackson2Deserializer.class)
+abstract class COSEAlgorithmIdentifierJackson2Mixin {
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierJackson2Serializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierJackson2Serializer.java
new file mode 100644
index 0000000000..9f1a3771c9
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierJackson2Serializer.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import java.io.IOException;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+
+import org.springframework.security.web.webauthn.api.COSEAlgorithmIdentifier;
+
+/**
+ * Jackson serializer for {@link COSEAlgorithmIdentifier}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.COSEAlgorithmIdentifierSerializer}
+ * based on Jackson 3
+ */
+@Deprecated(forRemoval = true)
+@SuppressWarnings("serial")
+class COSEAlgorithmIdentifierJackson2Serializer extends StdSerializer {
+
+	COSEAlgorithmIdentifierJackson2Serializer() {
+		super(COSEAlgorithmIdentifier.class);
+	}
+
+	@Override
+	public void serialize(COSEAlgorithmIdentifier identifier, JsonGenerator jgen, SerializerProvider provider)
+			throws IOException {
+		jgen.writeNumber(identifier.getValue());
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierMixin.java
index 0b04587ec7..2b02f42e33 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierMixin.java
@@ -16,8 +16,8 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import tools.jackson.databind.annotation.JsonDeserialize;
+import tools.jackson.databind.annotation.JsonSerialize;
 
 import org.springframework.security.web.webauthn.api.COSEAlgorithmIdentifier;
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierSerializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierSerializer.java
index 9c05a79dfe..a772606357 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierSerializer.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/COSEAlgorithmIdentifierSerializer.java
@@ -16,11 +16,10 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import java.io.IOException;
-
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+import tools.jackson.core.JacksonException;
+import tools.jackson.core.JsonGenerator;
+import tools.jackson.databind.SerializationContext;
+import tools.jackson.databind.ser.std.StdSerializer;
 
 import org.springframework.security.web.webauthn.api.COSEAlgorithmIdentifier;
 
@@ -38,8 +37,8 @@ class COSEAlgorithmIdentifierSerializer extends StdSerializercredProtect
+ * extension.
+ *
+ * @author Rob Winch
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.CredProtectAuthenticationExtensionsClientInputSerializer}
+ * based on Jackson 3
+ */
+@Deprecated(forRemoval = true)
+@SuppressWarnings("serial")
+class CredProtectAuthenticationExtensionsClientInputJackson2Serializer
+		extends StdSerializer {
+
+	protected CredProtectAuthenticationExtensionsClientInputJackson2Serializer() {
+		super(CredProtectAuthenticationExtensionsClientInput.class);
+	}
+
+	@Override
+	public void serialize(CredProtectAuthenticationExtensionsClientInput input, JsonGenerator jgen,
+			SerializerProvider provider) throws IOException {
+		CredProtectAuthenticationExtensionsClientInput.CredProtect credProtect = input.getInput();
+		String policy = toString(credProtect.getCredProtectionPolicy());
+		jgen.writeObjectField("credentialProtectionPolicy", policy);
+		jgen.writeObjectField("enforceCredentialProtectionPolicy", credProtect.isEnforceCredentialProtectionPolicy());
+	}
+
+	private static String toString(CredProtectAuthenticationExtensionsClientInput.CredProtect.ProtectionPolicy policy) {
+		switch (policy) {
+			case USER_VERIFICATION_OPTIONAL:
+				return "userVerificationOptional";
+			case USER_VERIFICATION_OPTIONAL_WITH_CREDENTIAL_ID_LIST:
+				return "userVerificationOptionalWithCredentialIdList";
+			case USER_VERIFICATION_REQUIRED:
+				return "userVerificationRequired";
+			default:
+				throw new IllegalArgumentException("Unsupported ProtectionPolicy " + policy);
+		}
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputMixin.java
index 2682eff186..f5ab374466 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputMixin.java
@@ -16,7 +16,7 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import tools.jackson.databind.annotation.JsonSerialize;
 
 @JsonSerialize(using = CredProtectAuthenticationExtensionsClientInputSerializer.class)
 class CredProtectAuthenticationExtensionsClientInputMixin {
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputSerializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputSerializer.java
index ddda5fb22f..6bba9f2f8d 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputSerializer.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputSerializer.java
@@ -16,11 +16,10 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import java.io.IOException;
-
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+import tools.jackson.core.JacksonException;
+import tools.jackson.core.JsonGenerator;
+import tools.jackson.databind.SerializationContext;
+import tools.jackson.databind.ser.std.StdSerializer;
 
 import org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput;
 
@@ -41,11 +40,11 @@ protected CredProtectAuthenticationExtensionsClientInputSerializer() {
 
 	@Override
 	public void serialize(CredProtectAuthenticationExtensionsClientInput input, JsonGenerator jgen,
-			SerializerProvider provider) throws IOException {
+			SerializationContext ctxt) throws JacksonException {
 		CredProtectAuthenticationExtensionsClientInput.CredProtect credProtect = input.getInput();
 		String policy = toString(credProtect.getCredProtectionPolicy());
-		jgen.writeObjectField("credentialProtectionPolicy", policy);
-		jgen.writeObjectField("enforceCredentialProtectionPolicy", credProtect.isEnforceCredentialProtectionPolicy());
+		jgen.writePOJOProperty("credentialProtectionPolicy", policy);
+		jgen.writePOJOProperty("enforceCredentialProtectionPolicy", credProtect.isEnforceCredentialProtectionPolicy());
 	}
 
 	private static String toString(CredProtectAuthenticationExtensionsClientInput.CredProtect.ProtectionPolicy policy) {
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/CredentialPropertiesOutputJackson2Mixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/CredentialPropertiesOutputJackson2Mixin.java
new file mode 100644
index 0000000000..f23f42ff17
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/CredentialPropertiesOutputJackson2Mixin.java
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import org.springframework.security.web.webauthn.api.CredentialPropertiesOutput;
+
+/**
+ * Jackson mixin for {@link CredentialPropertiesOutput}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.CredentialPropertiesOutputMixin}
+ * based on Jackson 3
+ */
+@Deprecated(forRemoval = true)
+@JsonIgnoreProperties(ignoreUnknown = true)
+abstract class CredentialPropertiesOutputJackson2Mixin {
+
+	CredentialPropertiesOutputJackson2Mixin(@JsonProperty("rk") boolean rk) {
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/DurationJackson2Serializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/DurationJackson2Serializer.java
new file mode 100644
index 0000000000..cce50657ac
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/DurationJackson2Serializer.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import java.io.IOException;
+import java.time.Duration;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+
+/**
+ * Jackson serializer for {@link Duration}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.DurationSerializer} based on
+ * Jackson 3
+ */
+@Deprecated(forRemoval = true)
+@SuppressWarnings("serial")
+class DurationJackson2Serializer extends StdSerializer {
+
+	/**
+	 * Creates an instance.
+	 */
+	DurationJackson2Serializer() {
+		super(Duration.class);
+	}
+
+	@Override
+	public void serialize(Duration duration, JsonGenerator jgen, SerializerProvider provider) throws IOException {
+		jgen.writeNumber(duration.toMillis());
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/DurationSerializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/DurationSerializer.java
index cdba90b484..9eba908b14 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/DurationSerializer.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/DurationSerializer.java
@@ -16,12 +16,12 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import java.io.IOException;
 import java.time.Duration;
 
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+import tools.jackson.core.JacksonException;
+import tools.jackson.core.JsonGenerator;
+import tools.jackson.databind.SerializationContext;
+import tools.jackson.databind.ser.std.StdSerializer;
 
 /**
  * Jackson serializer for {@link Duration}
@@ -40,7 +40,7 @@ class DurationSerializer extends StdSerializer {
 	}
 
 	@Override
-	public void serialize(Duration duration, JsonGenerator jgen, SerializerProvider provider) throws IOException {
+	public void serialize(Duration duration, JsonGenerator jgen, SerializationContext ctxt) throws JacksonException {
 		jgen.writeNumber(duration.toMillis());
 	}
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialCreationOptionsJackson2Mixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialCreationOptionsJackson2Mixin.java
new file mode 100644
index 0000000000..2115f7ef58
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialCreationOptionsJackson2Mixin.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import java.time.Duration;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialCreationOptions;
+
+/**
+ * Jackson mixin for {@link PublicKeyCredentialCreationOptions}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.PublicKeyCredentialCreationOptionsMixin}
+ * based on Jackson 3
+ */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+abstract class PublicKeyCredentialCreationOptionsJackson2Mixin {
+
+	@JsonSerialize(using = DurationJackson2Serializer.class)
+	private @Nullable Duration timeout;
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialCreationOptionsMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialCreationOptionsMixin.java
index 7b21e07fe4..4131e95409 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialCreationOptionsMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialCreationOptionsMixin.java
@@ -19,8 +19,8 @@
 import java.time.Duration;
 
 import com.fasterxml.jackson.annotation.JsonInclude;
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import org.jspecify.annotations.Nullable;
+import tools.jackson.databind.annotation.JsonSerialize;
 
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialCreationOptions;
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialJackson2Mixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialJackson2Mixin.java
new file mode 100644
index 0000000000..8e5755f434
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialJackson2Mixin.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder;
+
+import org.springframework.security.web.webauthn.api.PublicKeyCredential;
+
+/**
+ * Jackson mixin for {@link PublicKeyCredential}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.PublicKeyCredentialMixin}
+ * based on Jackson 3
+ */
+@Deprecated(forRemoval = true)
+@JsonDeserialize(builder = PublicKeyCredential.PublicKeyCredentialBuilder.class)
+class PublicKeyCredentialJackson2Mixin {
+
+	@JsonPOJOBuilder(withPrefix = "")
+	static class PublicKeyCredentialBuilderMixin {
+
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialMixin.java
index 31eda4c206..ee9498f07e 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialMixin.java
@@ -16,8 +16,8 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
-import com.fasterxml.jackson.databind.annotation.JsonPOJOBuilder;
+import tools.jackson.databind.annotation.JsonDeserialize;
+import tools.jackson.databind.annotation.JsonPOJOBuilder;
 
 import org.springframework.security.web.webauthn.api.PublicKeyCredential;
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialRequestOptionsJackson2Mixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialRequestOptionsJackson2Mixin.java
new file mode 100644
index 0000000000..b95160864e
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialRequestOptionsJackson2Mixin.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import java.time.Duration;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
+
+/**
+ * Jackson mixin for {@link PublicKeyCredentialRequestOptions}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.PublicKeyCredentialRequestOptionsMixin}
+ * based on Jackson 3
+ */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
+@JsonInclude(content = JsonInclude.Include.NON_NULL)
+class PublicKeyCredentialRequestOptionsJackson2Mixin {
+
+	@JsonSerialize(using = DurationJackson2Serializer.class)
+	private final @Nullable Duration timeout = null;
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialRequestOptionsMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialRequestOptionsMixin.java
index b2bc403c87..67425588f3 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialRequestOptionsMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialRequestOptionsMixin.java
@@ -19,8 +19,8 @@
 import java.time.Duration;
 
 import com.fasterxml.jackson.annotation.JsonInclude;
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import org.jspecify.annotations.Nullable;
+import tools.jackson.databind.annotation.JsonSerialize;
 
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeDeserializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeDeserializer.java
index 94f76b3262..7af1ae2b35 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeDeserializer.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeDeserializer.java
@@ -16,12 +16,10 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import java.io.IOException;
-
-import com.fasterxml.jackson.core.JacksonException;
-import com.fasterxml.jackson.core.JsonParser;
-import com.fasterxml.jackson.databind.DeserializationContext;
-import com.fasterxml.jackson.databind.deser.std.StdDeserializer;
+import tools.jackson.core.JacksonException;
+import tools.jackson.core.JsonParser;
+import tools.jackson.databind.DeserializationContext;
+import tools.jackson.databind.deser.std.StdDeserializer;
 
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialType;
 
@@ -42,8 +40,7 @@ class PublicKeyCredentialTypeDeserializer extends StdDeserializer {
+
+	/**
+	 * Creates a new instance.
+	 */
+	PublicKeyCredentialTypeJackson2Deserializer() {
+		super(PublicKeyCredentialType.class);
+	}
+
+	@Override
+	public PublicKeyCredentialType deserialize(JsonParser parser, DeserializationContext ctxt)
+			throws IOException, JacksonException {
+		String type = parser.readValueAs(String.class);
+		return PublicKeyCredentialType.valueOf(type);
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeJackson2Mixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeJackson2Mixin.java
new file mode 100644
index 0000000000..09d579a5e8
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeJackson2Mixin.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialType;
+
+/**
+ * Jackson mixin for {@link PublicKeyCredentialType}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.PublicKeyCredentialTypeMixin}
+ * based on Jackson 3
+ */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
+@JsonSerialize(using = PublicKeyCredentialTypeJackson2Serializer.class)
+@JsonDeserialize(using = PublicKeyCredentialTypeJackson2Deserializer.class)
+abstract class PublicKeyCredentialTypeJackson2Mixin {
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeJackson2Serializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeJackson2Serializer.java
new file mode 100644
index 0000000000..d2f71a4e83
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeJackson2Serializer.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import java.io.IOException;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialType;
+
+/**
+ * Jackson serializer for {@link PublicKeyCredentialType}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.PublicKeyCredentialTypeSerializer}
+ * based on Jackson 3
+ */
+@Deprecated(forRemoval = true)
+@SuppressWarnings("serial")
+class PublicKeyCredentialTypeJackson2Serializer extends StdSerializer {
+
+	/**
+	 * Creates a new instance.
+	 */
+	PublicKeyCredentialTypeJackson2Serializer() {
+		super(PublicKeyCredentialType.class);
+	}
+
+	@Override
+	public void serialize(PublicKeyCredentialType type, JsonGenerator jgen, SerializerProvider provider)
+			throws IOException {
+		jgen.writeString(type.getValue());
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeMixin.java
index fc9e6f533d..3918c22f95 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeMixin.java
@@ -16,8 +16,8 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import tools.jackson.databind.annotation.JsonDeserialize;
+import tools.jackson.databind.annotation.JsonSerialize;
 
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialType;
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeSerializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeSerializer.java
index 9078dccc4e..e2b08d1388 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeSerializer.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/PublicKeyCredentialTypeSerializer.java
@@ -16,11 +16,10 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import java.io.IOException;
-
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+import tools.jackson.core.JacksonException;
+import tools.jackson.core.JsonGenerator;
+import tools.jackson.databind.SerializationContext;
+import tools.jackson.databind.ser.std.StdSerializer;
 
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialType;
 
@@ -41,8 +40,8 @@ class PublicKeyCredentialTypeSerializer extends StdSerializer credential,
+			@JsonProperty("label") String label) {
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementJackson2Mixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementJackson2Mixin.java
new file mode 100644
index 0000000000..26ed140b39
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementJackson2Mixin.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+
+import org.springframework.security.web.webauthn.api.ResidentKeyRequirement;
+
+/**
+ * Jackson mixin for {@link ResidentKeyRequirement}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.ResidentKeyRequirementMixin}
+ * based on Jackson 3
+ */
+@SuppressWarnings("removal")
+@Deprecated(forRemoval = true)
+@JsonSerialize(using = ResidentKeyRequirementJackson2Serializer.class)
+abstract class ResidentKeyRequirementJackson2Mixin {
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementJackson2Serializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementJackson2Serializer.java
new file mode 100644
index 0000000000..23947e6454
--- /dev/null
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementJackson2Serializer.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import java.io.IOException;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+
+import org.springframework.security.web.webauthn.api.ResidentKeyRequirement;
+
+/**
+ * Jackson serializer for {@link ResidentKeyRequirement}
+ *
+ * @author Rob Winch
+ * @since 6.4
+ * @deprecated as of 7.0 in favor of
+ * {@link org.springframework.security.web.webauthn.jackson.ResidentKeyRequirementSerializer}
+ * based on Jackson 3
+ */
+@Deprecated(forRemoval = true)
+@SuppressWarnings("serial")
+class ResidentKeyRequirementJackson2Serializer extends StdSerializer {
+
+	/**
+	 * Creates a new instance.
+	 */
+	ResidentKeyRequirementJackson2Serializer() {
+		super(ResidentKeyRequirement.class);
+	}
+
+	@Override
+	public void serialize(ResidentKeyRequirement requirement, JsonGenerator jgen, SerializerProvider provider)
+			throws IOException {
+		jgen.writeString(requirement.getValue());
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementMixin.java
index b6527c3a0a..ed24f1f43b 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementMixin.java
@@ -16,7 +16,7 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import tools.jackson.databind.annotation.JsonSerialize;
 
 import org.springframework.security.web.webauthn.api.ResidentKeyRequirement;
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementSerializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementSerializer.java
index 554d3d5694..58c7ff5dc5 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementSerializer.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/ResidentKeyRequirementSerializer.java
@@ -16,11 +16,10 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import java.io.IOException;
-
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+import tools.jackson.core.JacksonException;
+import tools.jackson.core.JsonGenerator;
+import tools.jackson.databind.SerializationContext;
+import tools.jackson.databind.ser.std.StdSerializer;
 
 import org.springframework.security.web.webauthn.api.ResidentKeyRequirement;
 
@@ -41,8 +40,8 @@ class ResidentKeyRequirementSerializer extends StdSerializer {
+
+	/**
+	 * Creates a new instance.
+	 */
+	UserVerificationRequirementJackson2Serializer() {
+		super(UserVerificationRequirement.class);
+	}
+
+	@Override
+	public void serialize(UserVerificationRequirement requirement, JsonGenerator jgen, SerializerProvider provider)
+			throws IOException {
+		jgen.writeString(requirement.getValue());
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/UserVerificationRequirementMixin.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/UserVerificationRequirementMixin.java
index 06fa2a94bc..32e48eacef 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/UserVerificationRequirementMixin.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/UserVerificationRequirementMixin.java
@@ -16,7 +16,7 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import tools.jackson.databind.annotation.JsonSerialize;
 
 import org.springframework.security.web.webauthn.api.UserVerificationRequirement;
 
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/UserVerificationRequirementSerializer.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/UserVerificationRequirementSerializer.java
index 29290f12b8..6ac2f344b4 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/UserVerificationRequirementSerializer.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/jackson/UserVerificationRequirementSerializer.java
@@ -16,11 +16,10 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import java.io.IOException;
-
-import com.fasterxml.jackson.core.JsonGenerator;
-import com.fasterxml.jackson.databind.SerializerProvider;
-import com.fasterxml.jackson.databind.ser.std.StdSerializer;
+import tools.jackson.core.JacksonException;
+import tools.jackson.core.JsonGenerator;
+import tools.jackson.databind.SerializationContext;
+import tools.jackson.databind.ser.std.StdSerializer;
 
 import org.springframework.security.web.webauthn.api.UserVerificationRequirement;
 
@@ -41,8 +40,8 @@ class UserVerificationRequirementSerializer extends StdSerializer converter = new MappingJackson2HttpMessageConverter(
-			Jackson2ObjectMapperBuilder.json().modules(new WebauthnJackson2Module()).build());
+	private HttpMessageConverter converter = new JacksonJsonHttpMessageConverter(
+			JsonMapper.builder().addModule(new WebauthnJacksonModule()).build());
 
 	/**
 	 * Creates a new instance.
@@ -131,7 +131,7 @@ public void setCreationOptionsRepository(PublicKeyCredentialCreationOptionsRepos
 	/**
 	 * Set the {@link HttpMessageConverter} to read the
 	 * {@link WebAuthnRegistrationFilter.WebAuthnRegistrationRequest} and write the
-	 * response. The default is {@link MappingJackson2HttpMessageConverter}.
+	 * response. The default is {@link JacksonJsonHttpMessageConverter}.
 	 * @param converter the {@link HttpMessageConverter} to use. Cannot be null.
 	 */
 	public void setConverter(HttpMessageConverter converter) {
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/registration/WebAuthnRegistrationFilter.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/registration/WebAuthnRegistrationFilter.java
index c6359d0c4c..781faf7295 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/registration/WebAuthnRegistrationFilter.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/registration/WebAuthnRegistrationFilter.java
@@ -18,7 +18,6 @@
 
 import java.io.IOException;
 
-import com.fasterxml.jackson.databind.json.JsonMapper;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
@@ -26,13 +25,14 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.jspecify.annotations.Nullable;
+import tools.jackson.databind.json.JsonMapper;
 
 import org.springframework.http.HttpInputMessage;
 import org.springframework.http.HttpMethod;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.converter.HttpMessageConverter;
-import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
+import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter;
 import org.springframework.http.server.ServletServerHttpRequest;
 import org.springframework.http.server.ServletServerHttpResponse;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
@@ -40,7 +40,7 @@
 import org.springframework.security.web.webauthn.api.Bytes;
 import org.springframework.security.web.webauthn.api.CredentialRecord;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialCreationOptions;
-import org.springframework.security.web.webauthn.jackson.WebauthnJackson2Module;
+import org.springframework.security.web.webauthn.jackson.WebauthnJacksonModule;
 import org.springframework.security.web.webauthn.management.ImmutableRelyingPartyRegistrationRequest;
 import org.springframework.security.web.webauthn.management.RelyingPartyPublicKey;
 import org.springframework.security.web.webauthn.management.UserCredentialRepository;
@@ -88,8 +88,8 @@ public class WebAuthnRegistrationFilter extends OncePerRequestFilter {
 
 	private final UserCredentialRepository userCredentials;
 
-	private HttpMessageConverter converter = new MappingJackson2HttpMessageConverter(
-			JsonMapper.builder().addModule(new WebauthnJackson2Module()).build());
+	private HttpMessageConverter converter = new JacksonJsonHttpMessageConverter(
+			JsonMapper.builder().addModule(new WebauthnJacksonModule()).build());
 
 	private PublicKeyCredentialCreationOptionsRepository creationOptionsRepository = new HttpSessionPublicKeyCredentialCreationOptionsRepository();
 
@@ -152,7 +152,7 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 	/**
 	 * Set the {@link HttpMessageConverter} to read the
 	 * {@link WebAuthnRegistrationRequest} and write the response. The default is
-	 * {@link MappingJackson2HttpMessageConverter}.
+	 * {@link JacksonJsonHttpMessageConverter}.
 	 * @param converter the {@link HttpMessageConverter} to use. Cannot be null.
 	 */
 	public void setConverter(HttpMessageConverter converter) {
diff --git a/webauthn/src/test/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilterTests.java b/webauthn/src/test/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilterTests.java
index 74e2c8603f..a5853b91cd 100644
--- a/webauthn/src/test/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilterTests.java
+++ b/webauthn/src/test/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilterTests.java
@@ -27,7 +27,7 @@
 import org.skyscreamer.jsonassert.JSONAssert;
 
 import org.springframework.http.HttpStatus;
-import org.springframework.http.converter.GenericHttpMessageConverter;
+import org.springframework.http.converter.SmartHttpMessageConverter;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.mock.web.MockServletContext;
@@ -79,7 +79,7 @@ class WebAuthnAuthenticationFilterTests {
 			""";
 
 	@Mock
-	private GenericHttpMessageConverter converter;
+	private SmartHttpMessageConverter converter;
 
 	@Mock
 	private PublicKeyCredentialRequestOptionsRepository requestOptionsRepository;
diff --git a/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputJackson2Tests.java b/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputJackson2Tests.java
new file mode 100644
index 0000000000..dcc9521da1
--- /dev/null
+++ b/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputJackson2Tests.java
@@ -0,0 +1,153 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.skyscreamer.jsonassert.JSONAssert;
+
+import org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput;
+import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs;
+
+/**
+ * Test Jackson serialization of CredProtectAuthenticationExtensionsClientInput
+ *
+ * @author Rob Winch
+ */
+class CredProtectAuthenticationExtensionsClientInputJackson2Tests {
+
+	private ObjectMapper mapper;
+
+	@BeforeEach
+	void setup() {
+		this.mapper = new ObjectMapper();
+		this.mapper.registerModule(new WebauthnJackson2Module());
+	}
+
+	@Test
+	void writeAuthenticationExtensionsClientInputsWhenCredProtectUserVerificationOptional() throws Exception {
+		String expected = """
+					{
+						"credentialProtectionPolicy": "userVerificationOptional",
+						"enforceCredentialProtectionPolicy": true
+					}
+				""";
+
+		CredProtectAuthenticationExtensionsClientInput.CredProtect credProtect = new CredProtectAuthenticationExtensionsClientInput.CredProtect(
+				CredProtectAuthenticationExtensionsClientInput.CredProtect.ProtectionPolicy.USER_VERIFICATION_OPTIONAL,
+				true);
+		CredProtectAuthenticationExtensionsClientInput credProtectInput = new CredProtectAuthenticationExtensionsClientInput(
+				credProtect);
+		ImmutableAuthenticationExtensionsClientInputs clientInputs = new ImmutableAuthenticationExtensionsClientInputs(
+				credProtectInput);
+
+		String actual = this.mapper.writeValueAsString(clientInputs);
+
+		JSONAssert.assertEquals(expected, actual, false);
+	}
+
+	@Test
+	void writeAuthenticationExtensionsClientInputsWhenCredProtectUserVerificationOptionalWithCredentialIdList()
+			throws Exception {
+		String expected = """
+					{
+						"credentialProtectionPolicy": "userVerificationOptionalWithCredentialIdList",
+						"enforceCredentialProtectionPolicy": true
+					}
+				""";
+
+		CredProtectAuthenticationExtensionsClientInput.CredProtect credProtect = new CredProtectAuthenticationExtensionsClientInput.CredProtect(
+				CredProtectAuthenticationExtensionsClientInput.CredProtect.ProtectionPolicy.USER_VERIFICATION_OPTIONAL_WITH_CREDENTIAL_ID_LIST,
+				true);
+		CredProtectAuthenticationExtensionsClientInput credProtectInput = new CredProtectAuthenticationExtensionsClientInput(
+				credProtect);
+		ImmutableAuthenticationExtensionsClientInputs clientInputs = new ImmutableAuthenticationExtensionsClientInputs(
+				credProtectInput);
+
+		String actual = this.mapper.writeValueAsString(clientInputs);
+
+		JSONAssert.assertEquals(expected, actual, false);
+	}
+
+	@Test
+	void writeAuthenticationExtensionsClientInputsWhenCredProtectUserVerificationRequired() throws Exception {
+		String expected = """
+					{
+						"credentialProtectionPolicy": "userVerificationRequired",
+						"enforceCredentialProtectionPolicy": true
+					}
+				""";
+
+		CredProtectAuthenticationExtensionsClientInput.CredProtect credProtect = new CredProtectAuthenticationExtensionsClientInput.CredProtect(
+				CredProtectAuthenticationExtensionsClientInput.CredProtect.ProtectionPolicy.USER_VERIFICATION_REQUIRED,
+				true);
+		CredProtectAuthenticationExtensionsClientInput credProtectInput = new CredProtectAuthenticationExtensionsClientInput(
+				credProtect);
+		ImmutableAuthenticationExtensionsClientInputs clientInputs = new ImmutableAuthenticationExtensionsClientInputs(
+				credProtectInput);
+
+		String actual = this.mapper.writeValueAsString(clientInputs);
+
+		JSONAssert.assertEquals(expected, actual, false);
+	}
+
+	@Test
+	void writeAuthenticationExtensionsClientInputsWhenEnforceCredentialProtectionPolicyTrue() throws Exception {
+		String expected = """
+					{
+						"credentialProtectionPolicy": "userVerificationOptional",
+						"enforceCredentialProtectionPolicy": true
+					}
+				""";
+
+		CredProtectAuthenticationExtensionsClientInput.CredProtect credProtect = new CredProtectAuthenticationExtensionsClientInput.CredProtect(
+				CredProtectAuthenticationExtensionsClientInput.CredProtect.ProtectionPolicy.USER_VERIFICATION_OPTIONAL,
+				true);
+		CredProtectAuthenticationExtensionsClientInput credProtectInput = new CredProtectAuthenticationExtensionsClientInput(
+				credProtect);
+		ImmutableAuthenticationExtensionsClientInputs clientInputs = new ImmutableAuthenticationExtensionsClientInputs(
+				credProtectInput);
+
+		String actual = this.mapper.writeValueAsString(clientInputs);
+
+		JSONAssert.assertEquals(expected, actual, false);
+	}
+
+	@Test
+	void writeAuthenticationExtensionsClientInputsWhenEnforceCredentialProtectionPolicyFalse() throws Exception {
+		String expected = """
+					{
+						"credentialProtectionPolicy": "userVerificationOptional",
+						"enforceCredentialProtectionPolicy": false
+					}
+				""";
+
+		CredProtectAuthenticationExtensionsClientInput.CredProtect credProtect = new CredProtectAuthenticationExtensionsClientInput.CredProtect(
+				CredProtectAuthenticationExtensionsClientInput.CredProtect.ProtectionPolicy.USER_VERIFICATION_OPTIONAL,
+				false);
+		CredProtectAuthenticationExtensionsClientInput credProtectInput = new CredProtectAuthenticationExtensionsClientInput(
+				credProtect);
+		ImmutableAuthenticationExtensionsClientInputs clientInputs = new ImmutableAuthenticationExtensionsClientInputs(
+				credProtectInput);
+
+		String actual = this.mapper.writeValueAsString(clientInputs);
+
+		JSONAssert.assertEquals(expected, actual, false);
+	}
+
+}
diff --git a/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputJacksonTests.java b/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputJacksonTests.java
index 50d52fa1d6..d2beb3d53f 100644
--- a/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputJacksonTests.java
+++ b/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/CredProtectAuthenticationExtensionsClientInputJacksonTests.java
@@ -16,10 +16,10 @@
 
 package org.springframework.security.web.webauthn.jackson;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.skyscreamer.jsonassert.JSONAssert;
+import tools.jackson.databind.json.JsonMapper;
 
 import org.springframework.security.web.webauthn.api.CredProtectAuthenticationExtensionsClientInput;
 import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs;
@@ -31,12 +31,11 @@
  */
 class CredProtectAuthenticationExtensionsClientInputJacksonTests {
 
-	private ObjectMapper mapper;
+	private JsonMapper mapper;
 
 	@BeforeEach
 	void setup() {
-		this.mapper = new ObjectMapper();
-		this.mapper.registerModule(new WebauthnJackson2Module());
+		this.mapper = JsonMapper.builder().addModule(new WebauthnJacksonModule()).build();
 	}
 
 	@Test
diff --git a/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/Jackson2Tests.java b/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/Jackson2Tests.java
new file mode 100644
index 0000000000..d93384cb13
--- /dev/null
+++ b/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/Jackson2Tests.java
@@ -0,0 +1,363 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.webauthn.jackson;
+
+import java.time.Duration;
+import java.util.Arrays;
+
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.skyscreamer.jsonassert.JSONAssert;
+
+import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientOutputs;
+import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
+import org.springframework.security.web.webauthn.api.AuthenticatorAttachment;
+import org.springframework.security.web.webauthn.api.AuthenticatorAttestationResponse;
+import org.springframework.security.web.webauthn.api.AuthenticatorTransport;
+import org.springframework.security.web.webauthn.api.Bytes;
+import org.springframework.security.web.webauthn.api.CredentialPropertiesOutput;
+import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInput;
+import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientInputs;
+import org.springframework.security.web.webauthn.api.ImmutableAuthenticationExtensionsClientOutputs;
+import org.springframework.security.web.webauthn.api.PublicKeyCredential;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialCreationOptions;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
+import org.springframework.security.web.webauthn.api.PublicKeyCredentialType;
+import org.springframework.security.web.webauthn.api.TestPublicKeyCredentialCreationOptions;
+import org.springframework.security.web.webauthn.api.UserVerificationRequirement;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class Jackson2Tests {
+
+	private ObjectMapper mapper;
+
+	@BeforeEach
+	void setup() {
+		this.mapper = new ObjectMapper();
+		this.mapper.registerModule(new WebauthnJackson2Module());
+	}
+
+	@Test
+	void readAuthenticatorTransport() throws Exception {
+		AuthenticatorTransport transport = this.mapper.readValue("\"hybrid\"", AuthenticatorTransport.class);
+
+		assertThat(transport).isEqualTo(AuthenticatorTransport.HYBRID);
+	}
+
+	@Test
+	void readAuthenticatorAttachment() throws Exception {
+		AuthenticatorAttachment value = this.mapper.readValue("\"cross-platform\"", AuthenticatorAttachment.class);
+		assertThat(value).isEqualTo(AuthenticatorAttachment.CROSS_PLATFORM);
+	}
+
+	@Test
+	void writeAuthenticatorAttachment() throws Exception {
+		String value = this.mapper.writeValueAsString(AuthenticatorAttachment.CROSS_PLATFORM);
+		assertThat(value).isEqualTo("\"cross-platform\"");
+	}
+
+	@Test
+	void readAuthenticationExtensionsClientOutputs() throws Exception {
+		String json = """
+				{
+					"credProps": {
+						"rk": false
+					}
+				}
+				""";
+		ImmutableAuthenticationExtensionsClientOutputs clientExtensionResults = new ImmutableAuthenticationExtensionsClientOutputs(
+				new CredentialPropertiesOutput(false));
+
+		AuthenticationExtensionsClientOutputs outputs = this.mapper.readValue(json,
+				AuthenticationExtensionsClientOutputs.class);
+		assertThat(outputs).usingRecursiveComparison().isEqualTo(clientExtensionResults);
+	}
+
+	@Test
+	void readAuthenticationExtensionsClientOutputsWhenAuthenticatorDisplayName() throws Exception {
+		String json = """
+				{
+					"credProps": {
+						"rk": false,
+						"authenticatorDisplayName": "1Password"
+					}
+				}
+				""";
+		ImmutableAuthenticationExtensionsClientOutputs clientExtensionResults = new ImmutableAuthenticationExtensionsClientOutputs(
+				new CredentialPropertiesOutput(false));
+
+		AuthenticationExtensionsClientOutputs outputs = this.mapper.readValue(json,
+				AuthenticationExtensionsClientOutputs.class);
+		assertThat(outputs).usingRecursiveComparison().isEqualTo(clientExtensionResults);
+	}
+
+	@Test
+	void readCredPropsWhenAuthenticatorDisplayName() throws Exception {
+		String json = """
+				{
+					"rk": false,
+					"authenticatorDisplayName": "1Password"
+				}
+				""";
+		CredentialPropertiesOutput credProps = new CredentialPropertiesOutput(false);
+
+		CredentialPropertiesOutput outputs = this.mapper.readValue(json, CredentialPropertiesOutput.class);
+		assertThat(outputs).usingRecursiveComparison().isEqualTo(credProps);
+	}
+
+	@Test
+	void readAuthenticationExtensionsClientOutputsWhenFieldAfter() throws Exception {
+		String json = """
+				{
+					"clientOutputs": {
+						"credProps": {
+							"rk": false
+						}
+					},
+					"label": "Cell Phone"
+				}
+				""";
+		ImmutableAuthenticationExtensionsClientOutputs clientExtensionResults = new ImmutableAuthenticationExtensionsClientOutputs(
+				new CredentialPropertiesOutput(false));
+
+		ClassWithOutputsAndAnotherField expected = new ClassWithOutputsAndAnotherField();
+		expected.setClientOutputs(clientExtensionResults);
+		expected.setLabel("Cell Phone");
+
+		ClassWithOutputsAndAnotherField actual = this.mapper.readValue(json, ClassWithOutputsAndAnotherField.class);
+		assertThat(actual).usingRecursiveComparison().isEqualTo(expected);
+	}
+
+	@Test
+	void writePublicKeyCredentialCreationOptions() throws Exception {
+		String expected = """
+				{
+				    "attestation": "none",
+				    "authenticatorSelection": {
+				        "residentKey": "required"
+				    },
+				    "challenge": "q7lCdd3SVQxdC-v8pnRAGEn1B2M-t7ZECWPwCAmhWvc",
+				    "excludeCredentials": [],
+				    "extensions": {
+				        "credProps": true
+				    },
+				    "pubKeyCredParams": [
+				        {
+				            "alg": -7,
+				            "type": "public-key"
+				        },{
+				            "alg": -8,
+				            "type": "public-key"
+				        },
+				        {
+				            "alg": -257,
+				            "type": "public-key"
+				        }
+				    ],
+				    "rp": {
+				        "id": "example.localhost",
+				        "name": "SimpleWebAuthn Example"
+				    },
+				    "timeout": 300000,
+				    "user": {
+				        "displayName": "user@example.localhost",
+				        "id": "oWJtkJ6vJ_m5b84LB4_K7QKTCTEwLIjCh4tFMCGHO4w",
+				        "name": "user@example.localhost"
+				    }
+				}
+				""";
+
+		PublicKeyCredentialCreationOptions options = TestPublicKeyCredentialCreationOptions
+			.createPublicKeyCredentialCreationOptions()
+			.build();
+
+		String string = this.mapper.writeValueAsString(options);
+
+		JSONAssert.assertEquals(expected, string, false);
+	}
+
+	@Test
+	void readPublicKeyCredentialAuthenticatorAttestationResponse() throws Exception {
+
+		PublicKeyCredential publicKeyCredential = this.mapper.readValue(
+				PublicKeyCredentialJson.PUBLIC_KEY_JSON,
+				new TypeReference>() {
+				});
+
+		ImmutableAuthenticationExtensionsClientOutputs clientExtensionResults = new ImmutableAuthenticationExtensionsClientOutputs(
+				new CredentialPropertiesOutput(false));
+
+		PublicKeyCredential expected = PublicKeyCredential.builder()
+			.id("AX6nVVERrH6opMafUGn3Z9EyNEy6cftfBKV_2YxYl1jdW8CSJxMKGXFV3bnrKTiMSJeInkG7C6B2lPt8E5i3KaM")
+			.rawId(Bytes
+				.fromBase64("AX6nVVERrH6opMafUGn3Z9EyNEy6cftfBKV_2YxYl1jdW8CSJxMKGXFV3bnrKTiMSJeInkG7C6B2lPt8E5i3KaM"))
+			.response(AuthenticatorAttestationResponse.builder()
+				.attestationObject(Bytes.fromBase64(
+						"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVjFSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NFAAAAAAAAAAAAAAAAAAAAAAAAAAAAQQF-p1VREax-qKTGn1Bp92fRMjRMunH7XwSlf9mMWJdY3VvAkicTChlxVd256yk4jEiXiJ5BuwugdpT7fBOYtymjpQECAyYgASFYIJK-2epPEw0ujHN-gvVp2Hp3ef8CzU3zqwO5ylx8L2OsIlggK5x5OlTGEPxLS-85TAABum4aqVK4CSWJ7LYDdkjuBLk"))
+				.clientDataJSON(Bytes.fromBase64(
+						"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiSUJRbnVZMVowSzFIcUJvRldDcDJ4bEpsOC1vcV9hRklYenlUX0YwLTBHVSIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MCIsImNyb3NzT3JpZ2luIjpmYWxzZX0"))
+				.transports(AuthenticatorTransport.HYBRID, AuthenticatorTransport.INTERNAL)
+				.build())
+			.type(PublicKeyCredentialType.PUBLIC_KEY)
+			.clientExtensionResults(clientExtensionResults)
+			.authenticatorAttachment(AuthenticatorAttachment.CROSS_PLATFORM)
+			.build();
+
+		assertThat(publicKeyCredential).usingRecursiveComparison().isEqualTo(expected);
+	}
+
+	@Test
+	void readPublicKeyCredentialAuthenticatorAttestationResponseWhenExtraFields() throws Exception {
+		final String json = """
+				{
+					 "attestationObject": "o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVjFSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NFAAAAAAAAAAAAAAAAAAAAAAAAAAAAQQF-p1VREax-qKTGn1Bp92fRMjRMunH7XwSlf9mMWJdY3VvAkicTChlxVd256yk4jEiXiJ5BuwugdpT7fBOYtymjpQECAyYgASFYIJK-2epPEw0ujHN-gvVp2Hp3ef8CzU3zqwO5ylx8L2OsIlggK5x5OlTGEPxLS-85TAABum4aqVK4CSWJ7LYDdkjuBLk",
+					 "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiSUJRbnVZMVowSzFIcUJvRldDcDJ4bEpsOC1vcV9hRklYenlUX0YwLTBHVSIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MCIsImNyb3NzT3JpZ2luIjpmYWxzZX0",
+					 "transports": [
+					   "hybrid",
+					   "internal"
+					 ],
+					 "publicKeyAlgorithm": -7,
+					 "publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEkr7Z6k8TDS6Mc36C9WnYend5_wLNTfOrA7nKXHwvY6wrnHk6VMYQ_EtL7zlMAAG6bhqpUrgJJYnstgN2SO4EuQ",
+					 "authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NFAAAAAAAAAAAAAAAAAAAAAAAAAAAAQQF-p1VREax-qKTGn1Bp92fRMjRMunH7XwSlf9mMWJdY3VvAkicTChlxVd256yk4jEiXiJ5BuwugdpT7fBOYtymjpQECAyYgASFYIJK-2epPEw0ujHN-gvVp2Hp3ef8CzU3zqwO5ylx8L2OsIlggK5x5OlTGEPxLS-85TAABum4aqVK4CSWJ7LYDdkjuBLk"
+				}
+				""";
+		AuthenticatorAttestationResponse response = this.mapper.readValue(json, AuthenticatorAttestationResponse.class);
+
+		ImmutableAuthenticationExtensionsClientOutputs clientExtensionResults = new ImmutableAuthenticationExtensionsClientOutputs(
+				new CredentialPropertiesOutput(false));
+
+		AuthenticatorAttestationResponse expected = AuthenticatorAttestationResponse.builder()
+			.attestationObject(Bytes.fromBase64(
+					"o2NmbXRkbm9uZWdhdHRTdG10oGhhdXRoRGF0YVjFSZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2NFAAAAAAAAAAAAAAAAAAAAAAAAAAAAQQF-p1VREax-qKTGn1Bp92fRMjRMunH7XwSlf9mMWJdY3VvAkicTChlxVd256yk4jEiXiJ5BuwugdpT7fBOYtymjpQECAyYgASFYIJK-2epPEw0ujHN-gvVp2Hp3ef8CzU3zqwO5ylx8L2OsIlggK5x5OlTGEPxLS-85TAABum4aqVK4CSWJ7LYDdkjuBLk"))
+			.clientDataJSON(Bytes.fromBase64(
+					"eyJ0eXBlIjoid2ViYXV0aG4uY3JlYXRlIiwiY2hhbGxlbmdlIjoiSUJRbnVZMVowSzFIcUJvRldDcDJ4bEpsOC1vcV9hRklYenlUX0YwLTBHVSIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MCIsImNyb3NzT3JpZ2luIjpmYWxzZX0"))
+			.transports(AuthenticatorTransport.HYBRID, AuthenticatorTransport.INTERNAL)
+			.build();
+
+		assertThat(response).usingRecursiveComparison().isEqualTo(expected);
+	}
+
+	@Test
+	void writeAuthenticationOptions() throws Exception {
+		PublicKeyCredentialRequestOptions credentialRequestOptions = PublicKeyCredentialRequestOptions.builder()
+			.allowCredentials(Arrays.asList())
+			.challenge(Bytes.fromBase64("I69THX904Q8ONhCgUgOu2PCQCcEjTDiNmokdbgsAsYU"))
+			.rpId("example.localhost")
+			.timeout(Duration.ofMinutes(5))
+			.userVerification(UserVerificationRequirement.REQUIRED)
+			.build();
+		String actual = this.mapper.writeValueAsString(credentialRequestOptions);
+
+		String expected = """
+						{
+				    "challenge": "I69THX904Q8ONhCgUgOu2PCQCcEjTDiNmokdbgsAsYU",
+				    "allowCredentials": [],
+				    "timeout": 300000,
+				    "userVerification": "required",
+				    "rpId": "example.localhost"
+				  }
+
+				""";
+		JSONAssert.assertEquals(expected, actual, false);
+	}
+
+	@Test
+	void readPublicKeyCredentialAuthenticatorAssertionResponse() throws Exception {
+		String json = """
+					{
+					   "id": "IquGb208Fffq2cROa1ZxMg",
+					   "rawId": "IquGb208Fffq2cROa1ZxMg",
+					   "response": {
+						 "authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MdAAAAAA",
+						 "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiaDB2Z3dHUWpvQ3pBekRVc216UHBrLUpWSUpSUmduMEw0S1ZTWU5SY0VaYyIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MCIsImNyb3NzT3JpZ2luIjpmYWxzZX0",
+						 "signature": "MEUCIAdfzPAn3voyXynwa0IXk1S0envMY5KP3NEe9aj4B2BuAiEAm_KJhQoWXdvfhbzwACU3NM4ltQe7_Il46qFUwtpuTdg",
+						 "userHandle": "oWJtkJ6vJ_m5b84LB4_K7QKTCTEwLIjCh4tFMCGHO4w"
+					   },
+					   "type": "public-key",
+					   "clientExtensionResults": {},
+					   "authenticatorAttachment": "cross-platform"
+					 }
+				""";
+		PublicKeyCredential publicKeyCredential = this.mapper.readValue(json,
+				new TypeReference>() {
+				});
+
+		ImmutableAuthenticationExtensionsClientOutputs clientExtensionResults = new ImmutableAuthenticationExtensionsClientOutputs();
+
+		PublicKeyCredential expected = PublicKeyCredential.builder()
+			.id("IquGb208Fffq2cROa1ZxMg")
+			.rawId(Bytes.fromBase64("IquGb208Fffq2cROa1ZxMg"))
+			.response(AuthenticatorAssertionResponse.builder()
+				.authenticatorData(Bytes.fromBase64("SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MdAAAAAA"))
+				.clientDataJSON(Bytes.fromBase64(
+						"eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiaDB2Z3dHUWpvQ3pBekRVc216UHBrLUpWSUpSUmduMEw0S1ZTWU5SY0VaYyIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MCIsImNyb3NzT3JpZ2luIjpmYWxzZX0"))
+				.signature(Bytes.fromBase64(
+						"MEUCIAdfzPAn3voyXynwa0IXk1S0envMY5KP3NEe9aj4B2BuAiEAm_KJhQoWXdvfhbzwACU3NM4ltQe7_Il46qFUwtpuTdg"))
+				.userHandle(Bytes.fromBase64("oWJtkJ6vJ_m5b84LB4_K7QKTCTEwLIjCh4tFMCGHO4w"))
+				.build())
+			.type(PublicKeyCredentialType.PUBLIC_KEY)
+			.clientExtensionResults(clientExtensionResults)
+			.authenticatorAttachment(AuthenticatorAttachment.CROSS_PLATFORM)
+			.build();
+
+		assertThat(publicKeyCredential).usingRecursiveComparison().isEqualTo(expected);
+	}
+
+	@Test
+	void writeAuthenticationExtensionsClientInputsWhenCredPropsTrue() throws Exception {
+		String expected = """
+					{
+						"credProps": true
+					}
+				""";
+
+		ImmutableAuthenticationExtensionsClientInputs clientInputs = new ImmutableAuthenticationExtensionsClientInputs(
+				ImmutableAuthenticationExtensionsClientInput.credProps);
+
+		String actual = this.mapper.writeValueAsString(clientInputs);
+
+		JSONAssert.assertEquals(expected, actual, false);
+	}
+
+	public static class ClassWithOutputsAndAnotherField {
+
+		private String label;
+
+		private AuthenticationExtensionsClientOutputs clientOutputs;
+
+		public String getLabel() {
+			return this.label;
+		}
+
+		public void setLabel(String label) {
+			this.label = label;
+		}
+
+		public AuthenticationExtensionsClientOutputs getClientOutputs() {
+			return this.clientOutputs;
+		}
+
+		public void setClientOutputs(AuthenticationExtensionsClientOutputs clientOutputs) {
+			this.clientOutputs = clientOutputs;
+		}
+
+	}
+
+}
diff --git a/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/JacksonTests.java b/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/JacksonTests.java
index ba970125e0..6c68662e80 100644
--- a/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/JacksonTests.java
+++ b/webauthn/src/test/java/org/springframework/security/web/webauthn/jackson/JacksonTests.java
@@ -19,11 +19,11 @@
 import java.time.Duration;
 import java.util.Arrays;
 
-import com.fasterxml.jackson.core.type.TypeReference;
-import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.skyscreamer.jsonassert.JSONAssert;
+import tools.jackson.core.type.TypeReference;
+import tools.jackson.databind.json.JsonMapper;
 
 import org.springframework.security.web.webauthn.api.AuthenticationExtensionsClientOutputs;
 import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
@@ -46,12 +46,11 @@
 
 class JacksonTests {
 
-	private ObjectMapper mapper;
+	private JsonMapper mapper;
 
 	@BeforeEach
 	void setup() {
-		this.mapper = new ObjectMapper();
-		this.mapper.registerModule(new WebauthnJackson2Module());
+		this.mapper = JsonMapper.builder().addModule(new WebauthnJacksonModule()).build();
 	}
 
 	@Test
diff --git a/webauthn/src/test/java/org/springframework/security/web/webauthn/registration/WebAuthnRegistrationRequestJacksonTests.java b/webauthn/src/test/java/org/springframework/security/web/webauthn/registration/WebAuthnRegistrationRequestJacksonTests.java
index f5db6c5227..34aebf6c91 100644
--- a/webauthn/src/test/java/org/springframework/security/web/webauthn/registration/WebAuthnRegistrationRequestJacksonTests.java
+++ b/webauthn/src/test/java/org/springframework/security/web/webauthn/registration/WebAuthnRegistrationRequestJacksonTests.java
@@ -16,9 +16,9 @@
 
 package org.springframework.security.web.webauthn.registration;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import tools.jackson.databind.json.JsonMapper;
 
 import org.springframework.security.web.webauthn.api.AuthenticatorAttachment;
 import org.springframework.security.web.webauthn.api.AuthenticatorAttestationResponse;
@@ -29,7 +29,7 @@
 import org.springframework.security.web.webauthn.api.PublicKeyCredential;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialType;
 import org.springframework.security.web.webauthn.jackson.PublicKeyCredentialJson;
-import org.springframework.security.web.webauthn.jackson.WebauthnJackson2Module;
+import org.springframework.security.web.webauthn.jackson.WebauthnJacksonModule;
 import org.springframework.security.web.webauthn.management.RelyingPartyPublicKey;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -40,12 +40,11 @@
  */
 class WebAuthnRegistrationRequestJacksonTests {
 
-	private ObjectMapper mapper;
+	private JsonMapper mapper;
 
 	@BeforeEach
 	void setup() {
-		this.mapper = new ObjectMapper();
-		this.mapper.registerModule(new WebauthnJackson2Module());
+		this.mapper = JsonMapper.builder().addModule(new WebauthnJacksonModule()).build();
 	}
 
 	@Test

From 3ad68d088db23be2ef1a7d97d036a62d2fc1259a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Deleuze?=
 
Date: Fri, 3 Oct 2025 15:22:52 +0200
Subject: [PATCH 06/14] Add support for JacksonJsonHttpMessageConverter
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit introduces classpath checks and instantiation of
JacksonJsonHttpMessageConverter (based on Jackson 3) leveraging
a new GenericHttpMessageConverterAdapter which allows to adapt
SmartHttpMessageConverter to GenericHttpMessageConverter.

See gh-17832
Signed-off-by: Sébastien Deleuze 
---
 .../web/server/HttpMessageConverters.java     |  9 ++
 .../http/converter/HttpMessageConverters.java |  9 ++
 .../http/converter/HttpMessageConverters.java | 11 ++-
 .../web/HttpMessageConverters.java            |  9 ++
 ...OidcUserInfoHttpMessageConverterTests.java |  4 +-
 .../GenericHttpMessageConverterAdapter.java   | 99 +++++++++++++++++++
 .../http/converter/HttpMessageConverters.java |  8 ++
 ...cessTokenResponseHttpMessageConverter.java |  3 +-
 .../OAuth2ErrorHttpMessageConverter.java      |  3 +-
 ...OAuth2ProtectedResourceMetadataFilter.java |  8 ++
 .../GenericHttpMessageConverterAdapter.java   | 99 +++++++++++++++++++
 .../WebAuthnAuthenticationFilter.java         | 27 +++--
 .../WebAuthnAuthenticationFilterTests.java    |  6 +-
 13 files changed, 282 insertions(+), 13 deletions(-)
 create mode 100644 oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/GenericHttpMessageConverterAdapter.java
 create mode 100644 web/src/main/java/org/springframework/security/web/http/GenericHttpMessageConverterAdapter.java

diff --git a/config/src/main/java/org/springframework/security/config/web/server/HttpMessageConverters.java b/config/src/main/java/org/springframework/security/config/web/server/HttpMessageConverters.java
index 8a85a37182..a8f262b126 100644
--- a/config/src/main/java/org/springframework/security/config/web/server/HttpMessageConverters.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/HttpMessageConverters.java
@@ -19,8 +19,10 @@
 import org.springframework.http.converter.GenericHttpMessageConverter;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.http.converter.json.GsonHttpMessageConverter;
+import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter;
 import org.springframework.http.converter.json.JsonbHttpMessageConverter;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
+import org.springframework.security.oauth2.core.http.converter.GenericHttpMessageConverterAdapter;
 import org.springframework.util.ClassUtils;
 
 /**
@@ -32,6 +34,8 @@
  */
 final class HttpMessageConverters {
 
+	private static final boolean jacksonPresent;
+
 	private static final boolean jackson2Present;
 
 	private static final boolean gsonPresent;
@@ -40,6 +44,7 @@ final class HttpMessageConverters {
 
 	static {
 		ClassLoader classLoader = HttpMessageConverters.class.getClassLoader();
+		jacksonPresent = ClassUtils.isPresent("tools.jackson.databind.json.JsonMapper", classLoader);
 		jackson2Present = ClassUtils.isPresent("com.fasterxml.jackson.databind.ObjectMapper", classLoader)
 				&& ClassUtils.isPresent("com.fasterxml.jackson.core.JsonGenerator", classLoader);
 		gsonPresent = ClassUtils.isPresent("com.google.gson.Gson", classLoader);
@@ -49,7 +54,11 @@ final class HttpMessageConverters {
 	private HttpMessageConverters() {
 	}
 
+	@SuppressWarnings("removal")
 	static GenericHttpMessageConverter getJsonMessageConverter() {
+		if (jacksonPresent) {
+			return new GenericHttpMessageConverterAdapter<>(new JacksonJsonHttpMessageConverter());
+		}
 		if (jackson2Present) {
 			return new MappingJackson2HttpMessageConverter();
 		}
diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/http/converter/HttpMessageConverters.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/http/converter/HttpMessageConverters.java
index e8db55e819..c5daa5e126 100644
--- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/http/converter/HttpMessageConverters.java
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/http/converter/HttpMessageConverters.java
@@ -19,8 +19,10 @@
 import org.springframework.http.converter.GenericHttpMessageConverter;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.http.converter.json.GsonHttpMessageConverter;
+import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter;
 import org.springframework.http.converter.json.JsonbHttpMessageConverter;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
+import org.springframework.security.web.http.GenericHttpMessageConverterAdapter;
 import org.springframework.util.ClassUtils;
 
 /**
@@ -32,6 +34,8 @@
  */
 final class HttpMessageConverters {
 
+	private static final boolean jacksonPresent;
+
 	private static final boolean jackson2Present;
 
 	private static final boolean gsonPresent;
@@ -40,6 +44,7 @@ final class HttpMessageConverters {
 
 	static {
 		ClassLoader classLoader = HttpMessageConverters.class.getClassLoader();
+		jacksonPresent = ClassUtils.isPresent("tools.jackson.databind.json.JsonMapper", classLoader);
 		jackson2Present = ClassUtils.isPresent("com.fasterxml.jackson.databind.ObjectMapper", classLoader)
 				&& ClassUtils.isPresent("com.fasterxml.jackson.core.JsonGenerator", classLoader);
 		gsonPresent = ClassUtils.isPresent("com.google.gson.Gson", classLoader);
@@ -49,7 +54,11 @@ final class HttpMessageConverters {
 	private HttpMessageConverters() {
 	}
 
+	@SuppressWarnings("removal")
 	static GenericHttpMessageConverter getJsonMessageConverter() {
+		if (jacksonPresent) {
+			return new GenericHttpMessageConverterAdapter<>(new JacksonJsonHttpMessageConverter());
+		}
 		if (jackson2Present) {
 			return new MappingJackson2HttpMessageConverter();
 		}
diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/http/converter/HttpMessageConverters.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/http/converter/HttpMessageConverters.java
index e277b3fcdc..4b6e1f929d 100644
--- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/http/converter/HttpMessageConverters.java
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/http/converter/HttpMessageConverters.java
@@ -19,19 +19,23 @@
 import org.springframework.http.converter.GenericHttpMessageConverter;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.http.converter.json.GsonHttpMessageConverter;
+import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter;
 import org.springframework.http.converter.json.JsonbHttpMessageConverter;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
+import org.springframework.security.web.http.GenericHttpMessageConverterAdapter;
 import org.springframework.util.ClassUtils;
 
 /**
  * Utility methods for {@link HttpMessageConverter}'s.
  *
  * @author Joe Grandja
- * @author l uamas
+ * @author luamas
  * @since 7.0
  */
 final class HttpMessageConverters {
 
+	private static final boolean jacksonPresent;
+
 	private static final boolean jackson2Present;
 
 	private static final boolean gsonPresent;
@@ -40,6 +44,7 @@ final class HttpMessageConverters {
 
 	static {
 		ClassLoader classLoader = HttpMessageConverters.class.getClassLoader();
+		jacksonPresent = ClassUtils.isPresent("tools.jackson.databind.json.JsonMapper", classLoader);
 		jackson2Present = ClassUtils.isPresent("com.fasterxml.jackson.databind.ObjectMapper", classLoader)
 				&& ClassUtils.isPresent("com.fasterxml.jackson.core.JsonGenerator", classLoader);
 		gsonPresent = ClassUtils.isPresent("com.google.gson.Gson", classLoader);
@@ -49,7 +54,11 @@ final class HttpMessageConverters {
 	private HttpMessageConverters() {
 	}
 
+	@SuppressWarnings("removal")
 	static GenericHttpMessageConverter getJsonMessageConverter() {
+		if (jacksonPresent) {
+			return new GenericHttpMessageConverterAdapter<>(new JacksonJsonHttpMessageConverter());
+		}
 		if (jackson2Present) {
 			return new MappingJackson2HttpMessageConverter();
 		}
diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/HttpMessageConverters.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/HttpMessageConverters.java
index f246152d95..0229c8171c 100644
--- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/HttpMessageConverters.java
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/HttpMessageConverters.java
@@ -19,8 +19,10 @@
 import org.springframework.http.converter.GenericHttpMessageConverter;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.http.converter.json.GsonHttpMessageConverter;
+import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter;
 import org.springframework.http.converter.json.JsonbHttpMessageConverter;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
+import org.springframework.security.web.http.GenericHttpMessageConverterAdapter;
 import org.springframework.util.ClassUtils;
 
 /**
@@ -31,6 +33,8 @@
  */
 final class HttpMessageConverters {
 
+	private static final boolean jacksonPresent;
+
 	private static final boolean jackson2Present;
 
 	private static final boolean gsonPresent;
@@ -39,6 +43,7 @@ final class HttpMessageConverters {
 
 	static {
 		ClassLoader classLoader = HttpMessageConverters.class.getClassLoader();
+		jacksonPresent = ClassUtils.isPresent("tools.jackson.databind.json.JsonMapper", classLoader);
 		jackson2Present = ClassUtils.isPresent("com.fasterxml.jackson.databind.ObjectMapper", classLoader)
 				&& ClassUtils.isPresent("com.fasterxml.jackson.core.JsonGenerator", classLoader);
 		gsonPresent = ClassUtils.isPresent("com.google.gson.Gson", classLoader);
@@ -48,7 +53,11 @@ final class HttpMessageConverters {
 	private HttpMessageConverters() {
 	}
 
+	@SuppressWarnings("removal")
 	static GenericHttpMessageConverter getJsonMessageConverter() {
+		if (jacksonPresent) {
+			return new GenericHttpMessageConverterAdapter<>(new JacksonJsonHttpMessageConverter());
+		}
 		if (jackson2Present) {
 			return new MappingJackson2HttpMessageConverter();
 		}
diff --git a/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/http/converter/OidcUserInfoHttpMessageConverterTests.java b/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/http/converter/OidcUserInfoHttpMessageConverterTests.java
index ce9b0601b1..c445cc9dd2 100644
--- a/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/http/converter/OidcUserInfoHttpMessageConverterTests.java
+++ b/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/http/converter/OidcUserInfoHttpMessageConverterTests.java
@@ -90,7 +90,7 @@ public void readInternalWhenValidParametersThenSuccess() {
 				"		\"postal_code\": \"75007\",\n" +
 				"		\"country\": \"France\"\n" +
 				"	},\n" +
-				"	\"updated_at\": 1607633867\n" +
+				"	\"updated_at\": \"2020-12-10T20:57:47Z\"\n" +
 				"}\n";
 		// @formatter:on
 
@@ -178,7 +178,7 @@ public void writeInternalWhenOidcUserInfoThenSuccess() {
 		assertThat(userInfoResponse).contains("\"address\":");
 		assertThat(userInfoResponse)
 			.contains("\"formatted\":\"Champ de Mars\\n5 Av. Anatole France\\n75007 Paris\\nFrance\"");
-		assertThat(userInfoResponse).contains("\"updated_at\":1607633867");
+		assertThat(userInfoResponse).contains("\"updated_at\":\"2020-12-10T20:57:47Z\"");
 		assertThat(userInfoResponse).contains("\"custom_claim\":\"value\"");
 		assertThat(userInfoResponse).contains("\"custom_collection_claim\":[\"value1\",\"value2\"]");
 	}
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/GenericHttpMessageConverterAdapter.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/GenericHttpMessageConverterAdapter.java
new file mode 100644
index 0000000000..7f2f0e51a3
--- /dev/null
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/GenericHttpMessageConverterAdapter.java
@@ -0,0 +1,99 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.core.http.converter;
+
+import java.io.IOException;
+import java.lang.reflect.Type;
+import java.util.List;
+
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.core.ResolvableType;
+import org.springframework.http.HttpInputMessage;
+import org.springframework.http.HttpOutputMessage;
+import org.springframework.http.MediaType;
+import org.springframework.http.converter.GenericHttpMessageConverter;
+import org.springframework.http.converter.HttpMessageNotReadableException;
+import org.springframework.http.converter.HttpMessageNotWritableException;
+import org.springframework.http.converter.SmartHttpMessageConverter;
+
+/**
+ * {@link GenericHttpMessageConverter} implementation that delegates to a
+ * {@link SmartHttpMessageConverter}.
+ *
+ * @param  the converted object type
+ * @author Sebastien Deleuze
+ * @since 7.0
+ */
+public class GenericHttpMessageConverterAdapter implements GenericHttpMessageConverter {
+
+	private final SmartHttpMessageConverter smartConverter;
+
+	public GenericHttpMessageConverterAdapter(SmartHttpMessageConverter smartConverter) {
+		this.smartConverter = smartConverter;
+	}
+
+	@Override
+	public boolean canRead(Type type, @Nullable Class contextClass, @Nullable MediaType mediaType) {
+		return this.smartConverter.canRead(ResolvableType.forType(type), mediaType);
+	}
+
+	@Override
+	public T read(Type type, @Nullable Class contextClass, HttpInputMessage inputMessage)
+			throws IOException, HttpMessageNotReadableException {
+		return this.smartConverter.read(ResolvableType.forType(type), inputMessage, null);
+	}
+
+	@Override
+	public boolean canWrite(@Nullable Type type, Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canWrite(ResolvableType.forType(type), clazz, mediaType);
+	}
+
+	@Override
+	public void write(T t, @Nullable Type type, @Nullable MediaType contentType, HttpOutputMessage outputMessage)
+			throws IOException, HttpMessageNotWritableException {
+		this.smartConverter.write(t, ResolvableType.forType(type), contentType, outputMessage, null);
+	}
+
+	@Override
+	public boolean canRead(Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canRead(ResolvableType.forClass(clazz), mediaType);
+	}
+
+	@Override
+	public boolean canWrite(Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canWrite(clazz, mediaType);
+	}
+
+	@Override
+	public List getSupportedMediaTypes() {
+		return this.smartConverter.getSupportedMediaTypes();
+	}
+
+	@Override
+	public T read(Class clazz, HttpInputMessage inputMessage)
+			throws IOException, HttpMessageNotReadableException {
+		return this.smartConverter.read(clazz, inputMessage);
+	}
+
+	@Override
+	public void write(T t, @Nullable MediaType contentType, HttpOutputMessage outputMessage)
+			throws IOException, HttpMessageNotWritableException {
+		this.smartConverter.write(t, contentType, outputMessage);
+	}
+
+}
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/HttpMessageConverters.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/HttpMessageConverters.java
index 6ed2158801..fca64a7667 100644
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/HttpMessageConverters.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/HttpMessageConverters.java
@@ -19,6 +19,7 @@
 import org.springframework.http.converter.GenericHttpMessageConverter;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.http.converter.json.GsonHttpMessageConverter;
+import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter;
 import org.springframework.http.converter.json.JsonbHttpMessageConverter;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
 import org.springframework.util.ClassUtils;
@@ -32,6 +33,8 @@
  */
 final class HttpMessageConverters {
 
+	private static final boolean jacksonPresent;
+
 	private static final boolean jackson2Present;
 
 	private static final boolean gsonPresent;
@@ -40,6 +43,7 @@ final class HttpMessageConverters {
 
 	static {
 		ClassLoader classLoader = HttpMessageConverters.class.getClassLoader();
+		jacksonPresent = ClassUtils.isPresent("tools.jackson.databind.json.JsonMapper", classLoader);
 		jackson2Present = ClassUtils.isPresent("com.fasterxml.jackson.databind.ObjectMapper", classLoader)
 				&& ClassUtils.isPresent("com.fasterxml.jackson.core.JsonGenerator", classLoader);
 		gsonPresent = ClassUtils.isPresent("com.google.gson.Gson", classLoader);
@@ -49,7 +53,11 @@ final class HttpMessageConverters {
 	private HttpMessageConverters() {
 	}
 
+	@SuppressWarnings("removal")
 	static GenericHttpMessageConverter getJsonMessageConverter() {
+		if (jacksonPresent) {
+			return new GenericHttpMessageConverterAdapter<>(new JacksonJsonHttpMessageConverter());
+		}
 		if (jackson2Present) {
 			return new MappingJackson2HttpMessageConverter();
 		}
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/OAuth2AccessTokenResponseHttpMessageConverter.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/OAuth2AccessTokenResponseHttpMessageConverter.java
index 3cd184029a..f431dea5a3 100644
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/OAuth2AccessTokenResponseHttpMessageConverter.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/OAuth2AccessTokenResponseHttpMessageConverter.java
@@ -52,7 +52,8 @@ public class OAuth2AccessTokenResponseHttpMessageConverter
 	private static final ParameterizedTypeReference> STRING_OBJECT_MAP = new ParameterizedTypeReference<>() {
 	};
 
-	private GenericHttpMessageConverter jsonMessageConverter = HttpMessageConverters.getJsonMessageConverter();
+	private final GenericHttpMessageConverter jsonMessageConverter = HttpMessageConverters
+		.getJsonMessageConverter();
 
 	private Converter, OAuth2AccessTokenResponse> accessTokenResponseConverter = new DefaultMapOAuth2AccessTokenResponseConverter();
 
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/OAuth2ErrorHttpMessageConverter.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/OAuth2ErrorHttpMessageConverter.java
index fca5c344fb..70e0556bf3 100644
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/OAuth2ErrorHttpMessageConverter.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/OAuth2ErrorHttpMessageConverter.java
@@ -52,7 +52,8 @@ public class OAuth2ErrorHttpMessageConverter extends AbstractHttpMessageConverte
 	private static final ParameterizedTypeReference> STRING_OBJECT_MAP = new ParameterizedTypeReference<>() {
 	};
 
-	private GenericHttpMessageConverter jsonMessageConverter = HttpMessageConverters.getJsonMessageConverter();
+	private final GenericHttpMessageConverter jsonMessageConverter = HttpMessageConverters
+		.getJsonMessageConverter();
 
 	protected Converter, OAuth2Error> errorConverter = new OAuth2ErrorConverter();
 
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/OAuth2ProtectedResourceMetadataFilter.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/OAuth2ProtectedResourceMetadataFilter.java
index df74af6a7b..1a839291eb 100644
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/OAuth2ProtectedResourceMetadataFilter.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/OAuth2ProtectedResourceMetadataFilter.java
@@ -31,9 +31,11 @@
 import org.springframework.http.converter.GenericHttpMessageConverter;
 import org.springframework.http.converter.HttpMessageNotWritableException;
 import org.springframework.http.converter.json.GsonHttpMessageConverter;
+import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter;
 import org.springframework.http.converter.json.JsonbHttpMessageConverter;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
 import org.springframework.http.server.ServletServerHttpResponse;
+import org.springframework.security.oauth2.core.http.converter.GenericHttpMessageConverterAdapter;
 import org.springframework.security.oauth2.server.resource.OAuth2ProtectedResourceMetadata;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.UrlUtils;
@@ -139,6 +141,8 @@ private static String resolveResourceIdentifier(HttpServletRequest request) {
 
 	private static final class HttpMessageConverters {
 
+		private static final boolean jacksonPresent;
+
 		private static final boolean jackson2Present;
 
 		private static final boolean gsonPresent;
@@ -147,6 +151,7 @@ private static final class HttpMessageConverters {
 
 		static {
 			ClassLoader classLoader = HttpMessageConverters.class.getClassLoader();
+			jacksonPresent = ClassUtils.isPresent("tools.jackson.databind.json.JsonMapper", classLoader);
 			jackson2Present = ClassUtils.isPresent("com.fasterxml.jackson.databind.ObjectMapper", classLoader)
 					&& ClassUtils.isPresent("com.fasterxml.jackson.core.JsonGenerator", classLoader);
 			gsonPresent = ClassUtils.isPresent("com.google.gson.Gson", classLoader);
@@ -158,6 +163,9 @@ private HttpMessageConverters() {
 
 		@SuppressWarnings("removal")
 		private static GenericHttpMessageConverter getJsonMessageConverter() {
+			if (jacksonPresent) {
+				return new GenericHttpMessageConverterAdapter<>(new JacksonJsonHttpMessageConverter());
+			}
 			if (jackson2Present) {
 				return new MappingJackson2HttpMessageConverter();
 			}
diff --git a/web/src/main/java/org/springframework/security/web/http/GenericHttpMessageConverterAdapter.java b/web/src/main/java/org/springframework/security/web/http/GenericHttpMessageConverterAdapter.java
new file mode 100644
index 0000000000..de3875157f
--- /dev/null
+++ b/web/src/main/java/org/springframework/security/web/http/GenericHttpMessageConverterAdapter.java
@@ -0,0 +1,99 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.http;
+
+import java.io.IOException;
+import java.lang.reflect.Type;
+import java.util.List;
+
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.core.ResolvableType;
+import org.springframework.http.HttpInputMessage;
+import org.springframework.http.HttpOutputMessage;
+import org.springframework.http.MediaType;
+import org.springframework.http.converter.GenericHttpMessageConverter;
+import org.springframework.http.converter.HttpMessageNotReadableException;
+import org.springframework.http.converter.HttpMessageNotWritableException;
+import org.springframework.http.converter.SmartHttpMessageConverter;
+
+/**
+ * {@link GenericHttpMessageConverter} implementation that delegates to a
+ * {@link SmartHttpMessageConverter}.
+ *
+ * @param  the converted object type
+ * @author Sebastien Deleuze
+ * @since 7.0
+ */
+public class GenericHttpMessageConverterAdapter implements GenericHttpMessageConverter {
+
+	private final SmartHttpMessageConverter smartConverter;
+
+	public GenericHttpMessageConverterAdapter(SmartHttpMessageConverter smartConverter) {
+		this.smartConverter = smartConverter;
+	}
+
+	@Override
+	public boolean canRead(Type type, @Nullable Class contextClass, @Nullable MediaType mediaType) {
+		return this.smartConverter.canRead(ResolvableType.forType(type), mediaType);
+	}
+
+	@Override
+	public T read(Type type, @Nullable Class contextClass, HttpInputMessage inputMessage)
+			throws IOException, HttpMessageNotReadableException {
+		return this.smartConverter.read(ResolvableType.forType(type), inputMessage, null);
+	}
+
+	@Override
+	public boolean canWrite(@Nullable Type type, Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canWrite(ResolvableType.forType(type), clazz, mediaType);
+	}
+
+	@Override
+	public void write(T t, @Nullable Type type, @Nullable MediaType contentType, HttpOutputMessage outputMessage)
+			throws IOException, HttpMessageNotWritableException {
+		this.smartConverter.write(t, ResolvableType.forType(type), contentType, outputMessage, null);
+	}
+
+	@Override
+	public boolean canRead(Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canRead(ResolvableType.forClass(clazz), mediaType);
+	}
+
+	@Override
+	public boolean canWrite(Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canWrite(clazz, mediaType);
+	}
+
+	@Override
+	public List getSupportedMediaTypes() {
+		return this.smartConverter.getSupportedMediaTypes();
+	}
+
+	@Override
+	public T read(Class clazz, HttpInputMessage inputMessage)
+			throws IOException, HttpMessageNotReadableException {
+		return this.smartConverter.read(clazz, inputMessage);
+	}
+
+	@Override
+	public void write(T t, @Nullable MediaType contentType, HttpOutputMessage outputMessage)
+			throws IOException, HttpMessageNotWritableException {
+		this.smartConverter.write(t, contentType, outputMessage);
+	}
+
+}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilter.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilter.java
index 6c83cab7ed..b58ea78b67 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilter.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilter.java
@@ -38,6 +38,7 @@
 import org.springframework.security.web.authentication.HttpMessageConverterAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.http.GenericHttpMessageConverterAdapter;
 import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
 import org.springframework.security.web.webauthn.api.PublicKeyCredential;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
@@ -50,7 +51,8 @@
 /**
  * Authenticates {@code PublicKeyCredential} that is
  * parsed from the body of the {@link HttpServletRequest} using the
- * {@link #setConverter(SmartHttpMessageConverter)}. An example request is provided below:
+ * {@link #setConverter(GenericHttpMessageConverter)}. An example request is provided
+ * below:
  *
  * 
  * {
@@ -72,8 +74,8 @@
  */
 public class WebAuthnAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
 
-	private SmartHttpMessageConverter converter = new JacksonJsonHttpMessageConverter(
-			JsonMapper.builder().addModule(new WebauthnJacksonModule()).build());
+	private GenericHttpMessageConverter converter = new GenericHttpMessageConverterAdapter<>(
+			new JacksonJsonHttpMessageConverter(JsonMapper.builder().addModule(new WebauthnJacksonModule()).build()));
 
 	private PublicKeyCredentialRequestOptionsRepository requestOptionsRepository = new HttpSessionPublicKeyCredentialRequestOptionsRepository();
 
@@ -94,7 +96,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 		PublicKeyCredential publicKeyCredential = null;
 		try {
 			publicKeyCredential = (PublicKeyCredential) this.converter
-				.read(resolvableType, httpRequest, null);
+				.read(resolvableType.getType(), getClass(), httpRequest);
 		}
 		catch (Exception ex) {
 			throw new BadCredentialsException("Unable to authenticate the PublicKeyCredential", ex);
@@ -114,15 +116,26 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 	/**
 	 * Sets the {@link GenericHttpMessageConverter} to use for writing
 	 * {@code PublicKeyCredential} to the response. The
-	 * default is @{code Jackson2HttpMessageConverter}
+	 * default is @{code MappingJackson2HttpMessageConverter}
 	 * @param converter the {@link GenericHttpMessageConverter} to use. Cannot be null.
 	 */
-	// TODO Accept HttpMessageConverter
-	public void setConverter(SmartHttpMessageConverter converter) {
+	public void setConverter(GenericHttpMessageConverter converter) {
 		Assert.notNull(converter, "converter cannot be null");
 		this.converter = converter;
 	}
 
+	/**
+	 * Sets the {@link SmartHttpMessageConverter} to use for writing
+	 * {@code PublicKeyCredential} to the response. The
+	 * default is @{code MappingJackson2HttpMessageConverter}
+	 * @param converter the {@link SmartHttpMessageConverter} to use. Cannot be null.
+	 * @since 7.0
+	 */
+	public void setConverter(SmartHttpMessageConverter converter) {
+		Assert.notNull(converter, "converter cannot be null");
+		this.converter = new GenericHttpMessageConverterAdapter<>(converter);
+	}
+
 	/**
 	 * Sets the {@link PublicKeyCredentialRequestOptionsRepository} to use. The default is
 	 * {@link HttpSessionPublicKeyCredentialRequestOptionsRepository}.
diff --git a/webauthn/src/test/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilterTests.java b/webauthn/src/test/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilterTests.java
index a5853b91cd..51a1b53d06 100644
--- a/webauthn/src/test/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilterTests.java
+++ b/webauthn/src/test/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilterTests.java
@@ -27,6 +27,7 @@
 import org.skyscreamer.jsonassert.JSONAssert;
 
 import org.springframework.http.HttpStatus;
+import org.springframework.http.converter.GenericHttpMessageConverter;
 import org.springframework.http.converter.SmartHttpMessageConverter;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
@@ -101,7 +102,10 @@ void setup() {
 
 	@Test
 	void setConverterWhenNullThenIllegalArgumentException() {
-		assertThatIllegalArgumentException().isThrownBy(() -> this.filter.setConverter(null));
+		assertThatIllegalArgumentException()
+			.isThrownBy(() -> this.filter.setConverter((GenericHttpMessageConverter) null));
+		assertThatIllegalArgumentException()
+			.isThrownBy(() -> this.filter.setConverter((SmartHttpMessageConverter) null));
 	}
 
 	@Test

From e73875930a6db9297b96496b52f618d2d9e08780 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Deleuze?=
 
Date: Fri, 17 Oct 2025 11:24:48 +0200
Subject: [PATCH 07/14] Refine documentation for Jackson 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit refines the documentation by:
 - Updating Jackson documentation for Jackson 3
 - Removing the outdated documentation in servlet
 - Adding migration guidelines

Closes gh-17832
Signed-off-by: Sébastien Deleuze 
---
 docs/modules/ROOT/nav.adoc                    |  1 -
 .../pages/features/integrations/jackson.adoc  | 54 ++++++++++++++++---
 docs/modules/ROOT/pages/migration/index.adoc  | 18 +++++++
 .../pages/servlet/integrations/jackson.adoc   | 30 -----------
 4 files changed, 66 insertions(+), 37 deletions(-)
 delete mode 100644 docs/modules/ROOT/pages/servlet/integrations/jackson.adoc

diff --git a/docs/modules/ROOT/nav.adoc b/docs/modules/ROOT/nav.adoc
index 186b024a23..ad2a966ffb 100644
--- a/docs/modules/ROOT/nav.adoc
+++ b/docs/modules/ROOT/nav.adoc
@@ -110,7 +110,6 @@
 *** xref:servlet/exploits/firewall.adoc[]
 ** xref:servlet/integrations/index.adoc[Integrations]
 *** xref:servlet/integrations/concurrency.adoc[Concurrency]
-*** xref:servlet/integrations/jackson.adoc[Jackson]
 *** xref:servlet/integrations/localization.adoc[Localization]
 *** xref:servlet/integrations/servlet-api.adoc[Servlet APIs]
 *** xref:servlet/integrations/data.adoc[Spring Data]
diff --git a/docs/modules/ROOT/pages/features/integrations/jackson.adoc b/docs/modules/ROOT/pages/features/integrations/jackson.adoc
index d9cfbe6e75..1e2cd49fc2 100644
--- a/docs/modules/ROOT/pages/features/integrations/jackson.adoc
+++ b/docs/modules/ROOT/pages/features/integrations/jackson.adoc
@@ -1,10 +1,15 @@
 [[jackson]]
 = Jackson Support
 
-Spring Security provides Jackson support for persisting Spring Security related classes.
+Spring Security provides Jackson 3 support for persisting Spring Security related classes.
 This can improve the performance of serializing Spring Security related classes when working with distributed sessions (i.e. session replication, Spring Session, etc).
 
-To use it, register the `SecurityJacksonModules.getModules(ClassLoader)` with `JsonMapper.Builder` (https://github.com/FasterXML/jackson-databind[jackson-databind]):
+[NOTE]
+====
+Jackson 2 support is still available but deprecated for removal, so you are encouraged to migrate to Jackson 3.
+====
+
+To use it, register `SecurityJacksonModules.getModules(ClassLoader)` with `JsonMapper.Builder` (https://github.com/FasterXML/jackson-databind[jackson-databind]):
 
 [tabs]
 ======
@@ -39,12 +44,49 @@ val json: String = mapper.writeValueAsString(context)
 ----
 ======
 
+[NOTE]
+====
+Using `SecurityJacksonModules` as above enables automatic inclusion of type information and configure a
+`PolymorphicTypeValidator` that handles the validation of class names.
+====
+
+If needed, you can add custom classes to the validation handling.
+
+[tabs]
+======
+Java::
++
+[source,java,role="primary"]
+----
+ClassLoader loader = getClass().getClassLoader();
+BasicPolymorphicTypeValidator.Builder builder = BasicPolymorphicTypeValidator.builder()
+        .allowIfSubType(MyCustomType.class);
+JsonMapper mapper = JsonMapper.builder()
+        .addModules(SecurityJacksonModules.getModules(loader, builder))
+        .build();
+----
+
+Kotlin::
++
+[source,kotlin,role="secondary"]
+----
+val loader = javaClass.classLoader
+val builder = BasicPolymorphicTypeValidator.builder()
+        .allowIfSubType(MyCustomType::class)
+val mapper = JsonMapper.builder()
+    .addModules(SecurityJacksonModules.getModules(loader, builder))
+    .build()
+----
+======
+
 [NOTE]
 ====
 The following Spring Security modules provide Jackson support:
 
-- spring-security-core (`CoreJacksonModule`)
-- spring-security-web (`WebJacksonModule`, `WebServletJacksonModule`, `WebServerJacksonModule`)
-- xref:servlet/oauth2/client/index.adoc#oauth2client[ spring-security-oauth2-client] (`OAuth2ClientJacksonModule`)
-- spring-security-cas (`CasJacksonModule`)
+- spring-security-core (javadoc:org.springframework.security.jackson.CoreJacksonModule[])
+- spring-security-web (javadoc:org.springframework.security.web.jackson.WebJacksonModule[], javadoc:org.springframework.security.web.jackson.WebServletJacksonModule[], javadoc:org.springframework.security.web.server.jackson.WebServerJacksonModule[])
+- spring-security-oauth2-client (javadoc:org.springframework.security.oauth2.client.jackson.OAuth2ClientJacksonModule[])
+- spring-security-cas (javadoc:org.springframework.security.cas.jackson.CasJacksonModule[])
+- spring-security-ldap (javadoc:org.springframework.security.ldap.jackson.LdapJacksonModule[])
+- spring-security-saml2 (javadoc:org.springframework.security.saml2.jackson.Saml2JacksonModule[])
 ====
diff --git a/docs/modules/ROOT/pages/migration/index.adoc b/docs/modules/ROOT/pages/migration/index.adoc
index 4ad6c991df..fee59f5f43 100644
--- a/docs/modules/ROOT/pages/migration/index.adoc
+++ b/docs/modules/ROOT/pages/migration/index.adoc
@@ -16,6 +16,24 @@ The first step is to ensure you are the latest patch release of Spring Boot 4.0.
 Next, you should ensure you are on the latest patch release of Spring Security 7.
 For directions, on how to update to Spring Security 7 visit the xref:getting-spring-security.adoc[] section of the reference guide.
 
+=== Migrate from Jackson 2 to Jackson 3
+
+The configuration of Jackson 2 `ObjectMapper` with `SecurityJackson2Modules` should be replaced by the configuration of
+Jackson 3 `JsonMapper.Builder` with `SecurityJacksonModules`. See the
+https://github.com/FasterXML/jackson/blob/main/jackson3/MIGRATING_TO_JACKSON_3.md[Jackson 3 Migration Guide] for more details.
+
+It is recommended to replace the configuration of
+individual modules like `CoreJacksonModule` by the module detection from `SecurityJacksonModules` as it enables
+automatic inclusion of type information and configure a `PolymorphicTypeValidator` that handles the validation of class
+names.
+
+The Jackson 3 support uses the same format than the now deprecated Jackson 2 one, so class instances serialized with
+Jackson 2 should be deserializable with the Jackson 3 support.
+
+`spring-security-oauth2-authorization-server` now uses Jackson 3 by default. If you want to continue
+to use the deprecated Jackson 2 support, the transitive dependency on Jackson 3 (`tools.jackson.core:jackson-databind`)
+should be excluded and a dependency on Jackson 2 (`com.fasterxml.jackson.core:jackson-databind`) should be added.
+
 == Perform Application-Specific Steps
 
 Next, there are steps you need to perform based on whether it is a xref:migration/servlet/index.adoc[Servlet] or xref:migration/reactive.adoc[Reactive] application.
diff --git a/docs/modules/ROOT/pages/servlet/integrations/jackson.adoc b/docs/modules/ROOT/pages/servlet/integrations/jackson.adoc
deleted file mode 100644
index dc7016edc0..0000000000
--- a/docs/modules/ROOT/pages/servlet/integrations/jackson.adoc
+++ /dev/null
@@ -1,30 +0,0 @@
-[[jackson]]
-= Jackson Support
-
-Spring Security provides Jackson support for persisting Spring Security-related classes.
-This can improve the performance of serializing Spring Security-related classes when working with distributed sessions (session replication, Spring Session, and so on).
-
-To use it, register the `SecurityJacksonModules.getModules(ClassLoader)` with `JsonMapper.Builder` (https://github.com/FasterXML/jackson-databind[jackson-databind]):
-
-[source,java]
-----
-ClassLoader loader = getClass().getClassLoader();
-JsonMapper mapper = JsonMapper.builder()
-        .addModules(SecurityJacksonModules.getModules(loader))
-        .build();
-
-// ... use JsonMapper    as normally ...
-SecurityContext context = new SecurityContextImpl();
-// ...
-String json = mapper.writeValueAsString(context);
-----
-
-[NOTE]
-====
-The following Spring Security modules provide Jackson support:
-
-- spring-security-core (javadoc:org.springframework.security.jackson.CoreJacksonModule[])
-- spring-security-web (javadoc:org.springframework.security.web.jackson.WebJacksonModule[], javadoc:org.springframework.security.web.jackson.WebServletJacksonModule[], javadoc:org.springframework.security.web.server.jackson.WebServerJacksonModule[])
-- <> (javadoc:org.springframework.security.oauth2.client.jackson.OAuth2ClientJacksonModule[])
-- spring-security-cas (javadoc:org.springframework.security.cas.jackson.CasJacksonModule[])
-====

From dcfe588e2f373216e11d07374e1450f1a3129059 Mon Sep 17 00:00:00 2001
From: Rob Winch <362503+rwinch@users.noreply.github.com>
Date: Fri, 17 Oct 2025 13:31:42 -0500
Subject: [PATCH 08/14] Add Jackson 3 TestingAuthenticationToken Support

Without this many of the tests fail when using Jackson 3
---
 .../security/jackson/CoreJacksonModule.java   |  1 +
 .../TestingAuthenticationTokenMixin.java      | 32 +++++----
 .../TestingAuthenticationTokenMixinTests.java | 72 +++++++++++++++++++
 3 files changed, 93 insertions(+), 12 deletions(-)
 rename {oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization => core/src/main/java/org/springframework/security}/jackson/TestingAuthenticationTokenMixin.java (52%)
 create mode 100644 core/src/test/java/org/springframework/security/jackson/TestingAuthenticationTokenMixinTests.java

diff --git a/core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java b/core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java
index 58293a1797..73ecdddb62 100644
--- a/core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java
+++ b/core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java
@@ -107,6 +107,7 @@ public void setupModule(SetupContext context) {
 		context.setMixIn(FactorGrantedAuthority.class, FactorGrantedAuthorityMixin.class);
 		context.setMixIn(User.class, UserMixin.class);
 		context.setMixIn(UsernamePasswordAuthenticationToken.class, UsernamePasswordAuthenticationTokenMixin.class);
+		context.setMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class);
 		context.setMixIn(BadCredentialsException.class, BadCredentialsExceptionMixin.class);
 	}
 
diff --git a/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson/TestingAuthenticationTokenMixin.java b/core/src/main/java/org/springframework/security/jackson/TestingAuthenticationTokenMixin.java
similarity index 52%
rename from oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson/TestingAuthenticationTokenMixin.java
rename to core/src/main/java/org/springframework/security/jackson/TestingAuthenticationTokenMixin.java
index bc0a70212a..1ffd231793 100644
--- a/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/jackson/TestingAuthenticationTokenMixin.java
+++ b/core/src/main/java/org/springframework/security/jackson/TestingAuthenticationTokenMixin.java
@@ -14,36 +14,44 @@
  * limitations under the License.
  */
 
-package org.springframework.security.oauth2.server.authorization.jackson;
+package org.springframework.security.jackson;
 
-import java.util.List;
+import java.util.Collection;
 
 import com.fasterxml.jackson.annotation.JsonAutoDetect;
 import com.fasterxml.jackson.annotation.JsonCreator;
-import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
 
-import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
 
 /**
- * This mixin class is used to serialize/deserialize {@link TestingAuthenticationToken}.
+ * This is a Jackson mixin class helps in serialize/deserialize
+ * {@link org.springframework.security.authentication.AnonymousAuthenticationToken} class.
  *
- * @author Steve Riesenberg
+ * @author Sebastien Deleuze
+ * @author Jitendra Singh
  * @since 7.0
- * @see TestingAuthenticationToken
+ * @see CoreJacksonModule
+ * @see SecurityJacksonModules
  */
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
-@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
-		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
-@JsonIgnoreProperties(value = { "authenticated" }, ignoreUnknown = true)
-public class TestingAuthenticationTokenMixin {
+@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,
+		getterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY)
+class TestingAuthenticationTokenMixin {
 
+	/**
+	 * Constructor used by Jackson to create object of
+	 * {@link org.springframework.security.authentication.AnonymousAuthenticationToken}.
+	 * {@link org.springframework.security.authentication.AnonymousAuthenticationToken#AnonymousAuthenticationToken(String, Object, Collection)}
+	 * @param principal the principal (typically a UserDetails)
+	 * @param credentials the credentials
+	 * @param authorities the authorities granted to the principal
+	 */
 	@JsonCreator
 	TestingAuthenticationTokenMixin(@JsonProperty("principal") Object principal,
 			@JsonProperty("credentials") Object credentials,
-			@JsonProperty("authorities") List authorities) {
+			@JsonProperty("authorities") Collection authorities) {
 	}
 
 }
diff --git a/core/src/test/java/org/springframework/security/jackson/TestingAuthenticationTokenMixinTests.java b/core/src/test/java/org/springframework/security/jackson/TestingAuthenticationTokenMixinTests.java
new file mode 100644
index 0000000000..e824628fd8
--- /dev/null
+++ b/core/src/test/java/org/springframework/security/jackson/TestingAuthenticationTokenMixinTests.java
@@ -0,0 +1,72 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.jackson;
+
+import org.junit.jupiter.api.Test;
+import org.skyscreamer.jsonassert.JSONAssert;
+
+import org.springframework.security.authentication.TestingAuthenticationToken;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Tests {@link TestingAuthenticationTokenMixin}.
+ *
+ * @author Rob Winch
+ * @since 7.0
+ */
+class TestingAuthenticationTokenMixinTests extends AbstractMixinTests {
+
+	private static final String EXPECTED_JSON = """
+			{
+				"@class": "org.springframework.security.authentication.TestingAuthenticationToken",
+				"authorities": [
+				  "java.util.Collections$UnmodifiableRandomAccessList",
+				  [
+				    {
+				      "@class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
+				      "authority": "ROLE_A"
+				    },
+				    {
+				      "@class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
+				      "authority": "ROLE_B"
+				    }
+				  ]
+				],
+				"details": null,
+				"authenticated": true,
+				"credentials": null,
+				"principal": "principal"
+			}""";
+
+	private TestingAuthenticationToken expectedToken = new TestingAuthenticationToken("principal", null, "ROLE_A",
+			"ROLE_B");
+
+	@Test
+	void serialize() throws Exception {
+		String json = this.mapper.writeValueAsString(this.expectedToken);
+		JSONAssert.assertEquals(EXPECTED_JSON, json, true);
+	}
+
+	@Test
+	void deserialize() {
+		TestingAuthenticationToken actual = (TestingAuthenticationToken) this.mapper.readValue(EXPECTED_JSON,
+				Object.class);
+		assertThat(actual).isEqualTo(this.expectedToken);
+	}
+
+}

From 056a910050aa38df7dd07548f16c40dfb9c5f86b Mon Sep 17 00:00:00 2001
From: Rob Winch <362503+rwinch@users.noreply.github.com>
Date: Fri, 17 Oct 2025 11:10:38 -0500
Subject: [PATCH 09/14] JacksonDelegate uses SecurityJacksonModules

---
 .../authorization/JdbcOAuth2AuthorizationService.java    | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationService.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationService.java
index eb0aa4f531..1af8933a49 100644
--- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationService.java
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationService.java
@@ -36,6 +36,7 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.Module;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import tools.jackson.databind.JacksonModule;
 import tools.jackson.databind.json.JsonMapper;
 
 import org.springframework.aot.hint.RuntimeHints;
@@ -54,6 +55,7 @@
 import org.springframework.jdbc.support.lob.LobCreator;
 import org.springframework.jdbc.support.lob.LobHandler;
 import org.springframework.lang.Nullable;
+import org.springframework.security.jackson.SecurityJacksonModules;
 import org.springframework.security.jackson2.SecurityJackson2Modules;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
@@ -897,11 +899,14 @@ public static class JacksonDelegate implements Mapper {
 		private final JsonMapper jsonMapper;
 
 		public JacksonDelegate() {
-			this.jsonMapper = JsonMapper.builder().addModules(new OAuth2AuthorizationServerJacksonModule()).build();
+			this(JsonMapper.builder());
 		}
 
 		public JacksonDelegate(JsonMapper.Builder builder) {
-			this.jsonMapper = builder.addModules(new OAuth2AuthorizationServerJacksonModule()).build();
+			List modules = SecurityJacksonModules.getModules(getClass().getClassLoader());
+			this.jsonMapper = builder.addModules(modules)
+				.addModules(new OAuth2AuthorizationServerJacksonModule())
+				.build();
 		}
 
 		@Override

From 06a4616867e11b05afea39b817be2aaba833e523 Mon Sep 17 00:00:00 2001
From: Rob Winch <362503+rwinch@users.noreply.github.com>
Date: Fri, 17 Oct 2025 13:47:27 -0500
Subject: [PATCH 10/14] Remove JdbcOAuth2AuthorizationService.Mapper

- We should not introduce an unnecessary public API
  - It would need to be removed when Jackson 2 support was removed, but
    was required to configure Jackson 3 support
  - There are already existing interfaces that could be used
- OAuth2AuthorizationRowMapper & OAuth2AuthorizationParametersMapper had
  unnecessary breaking changes by removing getter/setter for ObjectMapper
- To prevent NoClassDefFoundErrors all optional (Jackson) dependencies
  need to be on different classes & we wish to preserve the existing
  accessors for ObjectMapper which is this uses subclasses
- With added TestAuthenticationTokenMixin support, no need to explicitly
  add it in tests
---
 .../server/authorization/JwkSetTests.java     |  29 +-
 .../OAuth2AuthorizationCodeGrantTests.java    |  28 +-
 .../OAuth2ClientCredentialsGrantTests.java    |  29 +-
 .../OAuth2RefreshTokenGrantTests.java         |  29 +-
 .../OAuth2TokenIntrospectionTests.java        |  29 +-
 .../OAuth2TokenRevocationTests.java           |  29 +-
 .../server/authorization/OidcTests.java       |  29 +-
 etc/checkstyle/checkstyle-suppressions.xml    |   1 +
 .../JdbcOAuth2AuthorizationService.java       | 283 +++++++++++-------
 .../JdbcOAuth2AuthorizationServiceTests.java  |  19 +-
 10 files changed, 198 insertions(+), 307 deletions(-)

diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/JwkSetTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/JwkSetTests.java
index 663b279c00..291ec87adf 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/JwkSetTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/JwkSetTests.java
@@ -24,7 +24,6 @@
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import tools.jackson.databind.json.JsonMapper;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
@@ -35,7 +34,6 @@
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase;
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
-import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
 import org.springframework.security.config.test.SpringTestContext;
@@ -45,7 +43,6 @@
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
-import org.springframework.security.oauth2.server.authorization.jackson2.TestingAuthenticationTokenMixin;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.test.web.servlet.MockMvc;
 
@@ -142,11 +139,7 @@ static class AuthorizationServerConfiguration {
 		@Bean
 		OAuth2AuthorizationService authorizationService(JdbcOperations jdbcOperations,
 				RegisteredClientRepository registeredClientRepository) {
-			JdbcOAuth2AuthorizationService authorizationService = new JdbcOAuth2AuthorizationService(jdbcOperations,
-					registeredClientRepository);
-			authorizationService.setAuthorizationRowMapper(new RowMapper(registeredClientRepository));
-			authorizationService.setAuthorizationParametersMapper(new ParametersMapper());
-			return authorizationService;
+			return new JdbcOAuth2AuthorizationService(jdbcOperations, registeredClientRepository);
 		}
 
 		@Bean
@@ -164,26 +157,6 @@ JWKSource jwkSource() {
 			return jwkSource;
 		}
 
-		static class RowMapper extends JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper {
-
-			RowMapper(RegisteredClientRepository registeredClientRepository) {
-				super(registeredClientRepository);
-				setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder()
-					.addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class)));
-			}
-
-		}
-
-		static class ParametersMapper extends JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper {
-
-			ParametersMapper() {
-				super();
-				setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder()
-					.addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class)));
-			}
-
-		}
-
 	}
 
 	@EnableWebSecurity
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java
index 83d2b98250..7b485487d8 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java
@@ -46,7 +46,6 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.ArgumentCaptor;
-import tools.jackson.databind.json.JsonMapper;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
@@ -117,7 +116,6 @@
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
-import org.springframework.security.oauth2.server.authorization.jackson2.TestingAuthenticationTokenMixin;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
 import org.springframework.security.oauth2.server.authorization.token.DelegatingOAuth2TokenGenerator;
@@ -1240,11 +1238,7 @@ static class AuthorizationServerConfiguration {
 		@Bean
 		OAuth2AuthorizationService authorizationService(JdbcOperations jdbcOperations,
 				RegisteredClientRepository registeredClientRepository) {
-			JdbcOAuth2AuthorizationService authorizationService = new JdbcOAuth2AuthorizationService(jdbcOperations,
-					registeredClientRepository);
-			authorizationService.setAuthorizationRowMapper(new RowMapper(registeredClientRepository));
-			authorizationService.setAuthorizationParametersMapper(new ParametersMapper());
-			return authorizationService;
+			return new JdbcOAuth2AuthorizationService(jdbcOperations, registeredClientRepository);
 		}
 
 		@Bean
@@ -1297,26 +1291,6 @@ PasswordEncoder passwordEncoder() {
 			return NoOpPasswordEncoder.getInstance();
 		}
 
-		static class RowMapper extends JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper {
-
-			RowMapper(RegisteredClientRepository registeredClientRepository) {
-				super(registeredClientRepository);
-				setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder()
-					.addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class)));
-			}
-
-		}
-
-		static class ParametersMapper extends JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper {
-
-			ParametersMapper() {
-				super();
-				setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder()
-					.addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class)));
-			}
-
-		}
-
 	}
 
 	@EnableWebSecurity
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientCredentialsGrantTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientCredentialsGrantTests.java
index f60511156b..6e0dc3ae83 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientCredentialsGrantTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientCredentialsGrantTests.java
@@ -40,7 +40,6 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.ArgumentCaptor;
-import tools.jackson.databind.json.JsonMapper;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
@@ -53,7 +52,6 @@
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
 import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
@@ -94,7 +92,6 @@
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
-import org.springframework.security.oauth2.server.authorization.jackson2.TestingAuthenticationTokenMixin;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
 import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
@@ -534,11 +531,7 @@ static class AuthorizationServerConfiguration {
 		@Bean
 		OAuth2AuthorizationService authorizationService(JdbcOperations jdbcOperations,
 				RegisteredClientRepository registeredClientRepository) {
-			JdbcOAuth2AuthorizationService authorizationService = new JdbcOAuth2AuthorizationService(jdbcOperations,
-					registeredClientRepository);
-			authorizationService.setAuthorizationRowMapper(new RowMapper(registeredClientRepository));
-			authorizationService.setAuthorizationParametersMapper(new ParametersMapper());
-			return authorizationService;
+			return new JdbcOAuth2AuthorizationService(jdbcOperations, registeredClientRepository);
 		}
 
 		@Bean
@@ -570,26 +563,6 @@ PasswordEncoder passwordEncoder() {
 			return NoOpPasswordEncoder.getInstance();
 		}
 
-		static class RowMapper extends JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper {
-
-			RowMapper(RegisteredClientRepository registeredClientRepository) {
-				super(registeredClientRepository);
-				setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder()
-					.addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class)));
-			}
-
-		}
-
-		static class ParametersMapper extends JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper {
-
-			ParametersMapper() {
-				super();
-				setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder()
-					.addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class)));
-			}
-
-		}
-
 	}
 
 	@EnableWebSecurity
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java
index 5f01cea6c2..16df4207b9 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java
@@ -39,7 +39,6 @@
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import tools.jackson.databind.json.JsonMapper;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
@@ -57,7 +56,6 @@
 import org.springframework.mock.http.client.MockClientHttpResponse;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
@@ -99,7 +97,6 @@
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
-import org.springframework.security.oauth2.server.authorization.jackson2.TestingAuthenticationTokenMixin;
 import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
 import org.springframework.security.web.SecurityFilterChain;
@@ -468,11 +465,7 @@ static class AuthorizationServerConfiguration {
 		@Bean
 		OAuth2AuthorizationService authorizationService(JdbcOperations jdbcOperations,
 				RegisteredClientRepository registeredClientRepository) {
-			JdbcOAuth2AuthorizationService authorizationService = new JdbcOAuth2AuthorizationService(jdbcOperations,
-					registeredClientRepository);
-			authorizationService.setAuthorizationRowMapper(new RowMapper(registeredClientRepository));
-			authorizationService.setAuthorizationParametersMapper(new ParametersMapper());
-			return authorizationService;
+			return new JdbcOAuth2AuthorizationService(jdbcOperations, registeredClientRepository);
 		}
 
 		@Bean
@@ -513,26 +506,6 @@ PasswordEncoder passwordEncoder() {
 			return NoOpPasswordEncoder.getInstance();
 		}
 
-		static class RowMapper extends JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper {
-
-			RowMapper(RegisteredClientRepository registeredClientRepository) {
-				super(registeredClientRepository);
-				setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder()
-					.addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class)));
-			}
-
-		}
-
-		static class ParametersMapper extends JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper {
-
-			ParametersMapper() {
-				super();
-				setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder()
-					.addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class)));
-			}
-
-		}
-
 	}
 
 	@EnableWebSecurity
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenIntrospectionTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenIntrospectionTests.java
index 018ca4ad36..e4bd35d062 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenIntrospectionTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenIntrospectionTests.java
@@ -35,7 +35,6 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.ArgumentCaptor;
-import tools.jackson.databind.json.JsonMapper;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
@@ -52,7 +51,6 @@
 import org.springframework.mock.http.client.MockClientHttpResponse;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
@@ -88,7 +86,6 @@
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
 import org.springframework.security.oauth2.server.authorization.http.converter.OAuth2TokenIntrospectionHttpMessageConverter;
-import org.springframework.security.oauth2.server.authorization.jackson2.TestingAuthenticationTokenMixin;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
 import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
@@ -508,11 +505,7 @@ static class AuthorizationServerConfiguration {
 		@Bean
 		OAuth2AuthorizationService authorizationService(JdbcOperations jdbcOperations,
 				RegisteredClientRepository registeredClientRepository) {
-			JdbcOAuth2AuthorizationService authorizationService = new JdbcOAuth2AuthorizationService(jdbcOperations,
-					registeredClientRepository);
-			authorizationService.setAuthorizationRowMapper(new RowMapper(registeredClientRepository));
-			authorizationService.setAuthorizationParametersMapper(new ParametersMapper());
-			return authorizationService;
+			return new JdbcOAuth2AuthorizationService(jdbcOperations, registeredClientRepository);
 		}
 
 		@Bean
@@ -550,26 +543,6 @@ PasswordEncoder passwordEncoder() {
 			return NoOpPasswordEncoder.getInstance();
 		}
 
-		static class RowMapper extends JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper {
-
-			RowMapper(RegisteredClientRepository registeredClientRepository) {
-				super(registeredClientRepository);
-				setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder()
-					.addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class)));
-			}
-
-		}
-
-		static class ParametersMapper extends JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper {
-
-			ParametersMapper() {
-				super();
-				setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder()
-					.addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class)));
-			}
-
-		}
-
 	}
 
 	@EnableWebSecurity
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenRevocationTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenRevocationTests.java
index 5506c81607..8ff0e389f1 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenRevocationTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenRevocationTests.java
@@ -31,7 +31,6 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.ArgumentCaptor;
-import tools.jackson.databind.json.JsonMapper;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
@@ -44,7 +43,6 @@
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
 import org.springframework.security.authentication.AuthenticationProvider;
-import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
@@ -72,7 +70,6 @@
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
-import org.springframework.security.oauth2.server.authorization.jackson2.TestingAuthenticationTokenMixin;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2TokenRevocationAuthenticationConverter;
 import org.springframework.security.web.SecurityFilterChain;
@@ -317,11 +314,7 @@ static class AuthorizationServerConfiguration {
 		@Bean
 		OAuth2AuthorizationService authorizationService(JdbcOperations jdbcOperations,
 				RegisteredClientRepository registeredClientRepository) {
-			JdbcOAuth2AuthorizationService authorizationService = new JdbcOAuth2AuthorizationService(jdbcOperations,
-					registeredClientRepository);
-			authorizationService.setAuthorizationRowMapper(new RowMapper(registeredClientRepository));
-			authorizationService.setAuthorizationParametersMapper(new ParametersMapper());
-			return authorizationService;
+			return new JdbcOAuth2AuthorizationService(jdbcOperations, registeredClientRepository);
 		}
 
 		@Bean
@@ -348,26 +341,6 @@ PasswordEncoder passwordEncoder() {
 			return NoOpPasswordEncoder.getInstance();
 		}
 
-		static class RowMapper extends JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper {
-
-			RowMapper(RegisteredClientRepository registeredClientRepository) {
-				super(registeredClientRepository);
-				setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder()
-					.addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class)));
-			}
-
-		}
-
-		static class ParametersMapper extends JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper {
-
-			ParametersMapper() {
-				super();
-				setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder()
-					.addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class)));
-			}
-
-		}
-
 	}
 
 	@EnableWebSecurity
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java
index 354c3a3926..34984b8fa8 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java
@@ -36,7 +36,6 @@
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
-import tools.jackson.databind.json.JsonMapper;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
@@ -53,7 +52,6 @@
 import org.springframework.mock.http.client.MockClientHttpResponse;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.mock.web.MockHttpSession;
-import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -91,7 +89,6 @@
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
-import org.springframework.security.oauth2.server.authorization.jackson2.TestingAuthenticationTokenMixin;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.token.DelegatingOAuth2TokenGenerator;
 import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
@@ -632,11 +629,7 @@ SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) th
 		@Bean
 		OAuth2AuthorizationService authorizationService(JdbcOperations jdbcOperations,
 				RegisteredClientRepository registeredClientRepository) {
-			JdbcOAuth2AuthorizationService authorizationService = new JdbcOAuth2AuthorizationService(jdbcOperations,
-					registeredClientRepository);
-			authorizationService.setAuthorizationRowMapper(new RowMapper(registeredClientRepository));
-			authorizationService.setAuthorizationParametersMapper(new ParametersMapper());
-			return authorizationService;
+			return new JdbcOAuth2AuthorizationService(jdbcOperations, registeredClientRepository);
 		}
 
 		@Bean
@@ -692,26 +685,6 @@ SessionRegistry sessionRegistry() {
 			return sessionRegistry;
 		}
 
-		static class RowMapper extends JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper {
-
-			RowMapper(RegisteredClientRepository registeredClientRepository) {
-				super(registeredClientRepository);
-				setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder()
-					.addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class)));
-			}
-
-		}
-
-		static class ParametersMapper extends JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper {
-
-			ParametersMapper() {
-				super();
-				setMapper(new JdbcOAuth2AuthorizationService.JacksonDelegate(JsonMapper.builder()
-					.addMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class)));
-			}
-
-		}
-
 	}
 
 	@EnableWebSecurity
diff --git a/etc/checkstyle/checkstyle-suppressions.xml b/etc/checkstyle/checkstyle-suppressions.xml
index 0f48fa1a0e..4dd1798f5a 100644
--- a/etc/checkstyle/checkstyle-suppressions.xml
+++ b/etc/checkstyle/checkstyle-suppressions.xml
@@ -24,6 +24,7 @@
 	
 	
 	
+	
 	
 	
 	
diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationService.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationService.java
index 1af8933a49..45018582ec 100644
--- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationService.java
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationService.java
@@ -71,7 +71,6 @@
 import org.springframework.security.oauth2.server.authorization.jackson.OAuth2AuthorizationServerJacksonModule;
 import org.springframework.security.oauth2.server.authorization.jackson2.OAuth2AuthorizationServerJackson2Module;
 import org.springframework.util.Assert;
-import org.springframework.util.ClassUtils;
 import org.springframework.util.CollectionUtils;
 import org.springframework.util.StringUtils;
 
@@ -245,11 +244,11 @@ public JdbcOAuth2AuthorizationService(JdbcOperations jdbcOperations,
 		Assert.notNull(lobHandler, "lobHandler cannot be null");
 		this.jdbcOperations = jdbcOperations;
 		this.lobHandler = lobHandler;
-		OAuth2AuthorizationRowMapper authorizationRowMapper = new OAuth2AuthorizationRowMapper(
+		JsonMapperOAuth2AuthorizationRowMapper authorizationRowMapper = new JsonMapperOAuth2AuthorizationRowMapper(
 				registeredClientRepository);
 		authorizationRowMapper.setLobHandler(lobHandler);
 		this.authorizationRowMapper = authorizationRowMapper;
-		this.authorizationParametersMapper = new OAuth2AuthorizationParametersMapper();
+		this.authorizationParametersMapper = new JsonMapperOAuth2AuthorizationParametersMapper();
 		initColumnMetadata(jdbcOperations);
 	}
 
@@ -467,18 +466,86 @@ private static SqlParameterValue mapToSqlParameter(String columnName, String val
 
 	/**
 	 * The default {@link RowMapper} that maps the current row in
-	 * {@code java.sql.ResultSet} to {@link OAuth2Authorization}.
+	 * {@code java.sql.ResultSet} to {@link OAuth2Authorization} using Jackson 3's
+	 * {@link JsonMapper} to read all {@code Map} within the result.
+	 *
+	 * @author Rob Winch
+	 * @since 7.0
 	 */
-	public static class OAuth2AuthorizationRowMapper implements RowMapper {
+	public static class JsonMapperOAuth2AuthorizationRowMapper extends AbstractOAuth2AuthorizationRowMapper {
 
-		private final RegisteredClientRepository registeredClientRepository;
+		private final JsonMapper jsonMapper;
 
-		private LobHandler lobHandler = new DefaultLobHandler();
+		public JsonMapperOAuth2AuthorizationRowMapper(RegisteredClientRepository registeredClientRepository) {
+			this(registeredClientRepository, Jackson3.createJsonMapper());
+		}
+
+		public JsonMapperOAuth2AuthorizationRowMapper(RegisteredClientRepository registeredClientRepository,
+				JsonMapper jsonMapper) {
+			super(registeredClientRepository);
+			this.jsonMapper = jsonMapper;
+		}
+
+		@Override
+		Map readValue(String data) {
+			final ParameterizedTypeReference> typeReference = new ParameterizedTypeReference<>() {
+			};
+			tools.jackson.databind.JavaType javaType = this.jsonMapper.getTypeFactory()
+				.constructType(typeReference.getType());
+			return this.jsonMapper.readValue(data, javaType);
+		}
 
-		private Mapper mapper = (ClassUtils.isPresent("tools.jackson.databind.json.JsonMapper",
-				OAuth2AuthorizationRowMapper.class.getClassLoader())) ? new JacksonDelegate() : new Jackson2Delegate();
+	}
+
+	/**
+	 * A {@link RowMapper} that maps the current row in {@code java.sql.ResultSet} to
+	 * {@link OAuth2Authorization} using Jackson 2's {@link ObjectMapper}.
+	 *
+	 * @deprecated Use {@link JsonMapperOAuth2AuthorizationRowMapper} to switch to Jackson
+	 * 3.
+	 */
+	@Deprecated(forRemoval = true, since = "7.0")
+	public static class OAuth2AuthorizationRowMapper extends AbstractOAuth2AuthorizationRowMapper {
+
+		private ObjectMapper objectMapper = Jackson2.createObjectMapper();
 
 		public OAuth2AuthorizationRowMapper(RegisteredClientRepository registeredClientRepository) {
+			super(registeredClientRepository);
+		}
+
+		public final void setObjectMapper(ObjectMapper objectMapper) {
+			Assert.notNull(objectMapper, "objectMapper cannot be null");
+			this.objectMapper = objectMapper;
+		}
+
+		protected ObjectMapper getObjectMapper() {
+			return this.objectMapper;
+		}
+
+		@Override
+		Map readValue(String data) throws JsonProcessingException {
+			final ParameterizedTypeReference> typeReference = new ParameterizedTypeReference<>() {
+			};
+			com.fasterxml.jackson.databind.JavaType javaType = this.objectMapper.getTypeFactory()
+				.constructType(typeReference.getType());
+			return this.objectMapper.readValue(data, javaType);
+		}
+
+	}
+
+	/**
+	 * The base {@link RowMapper} that maps the current row in {@code java.sql.ResultSet}
+	 * to {@link OAuth2Authorization}. This is extracted to a distinct class so that
+	 * {@link OAuth2AuthorizationRowMapper} can be deprecated in favor of
+	 * {@link JsonMapperOAuth2AuthorizationRowMapper}.
+	 */
+	private abstract static class AbstractOAuth2AuthorizationRowMapper implements RowMapper {
+
+		private final RegisteredClientRepository registeredClientRepository;
+
+		private LobHandler lobHandler = new DefaultLobHandler();
+
+		AbstractOAuth2AuthorizationRowMapper(RegisteredClientRepository registeredClientRepository) {
 			Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
 			this.registeredClientRepository = registeredClientRepository;
 		}
@@ -625,11 +692,6 @@ public final void setLobHandler(LobHandler lobHandler) {
 			this.lobHandler = lobHandler;
 		}
 
-		public final void setMapper(Mapper mapper) {
-			Assert.notNull(mapper, "objectMapper cannot be null");
-			this.mapper = mapper;
-		}
-
 		protected final RegisteredClientRepository getRegisteredClientRepository() {
 			return this.registeredClientRepository;
 		}
@@ -638,33 +700,116 @@ protected final LobHandler getLobHandler() {
 			return this.lobHandler;
 		}
 
-		protected final Mapper getMapper() {
-			return this.mapper;
-		}
-
 		private Map parseMap(String data) {
 			try {
-				return this.mapper.readValue(data, new ParameterizedTypeReference<>() {
-				});
+				return readValue(data);
 			}
 			catch (Exception ex) {
 				throw new IllegalArgumentException(ex.getMessage(), ex);
 			}
 		}
 
+		abstract Map readValue(String data) throws Exception;
+
+	}
+
+	/**
+	 * Nested class to protect from getting {@link NoClassDefFoundError} when Jackson 2 is
+	 * not on the classpath.
+	 *
+	 * @deprecated This is used to allow transition to Jackson 3. Use {@link Jackson3}
+	 * instead.
+	 */
+	@Deprecated(forRemoval = true, since = "7.0")
+	private static final class Jackson2 {
+
+		static ObjectMapper createObjectMapper() {
+			ObjectMapper objectMapper = new ObjectMapper();
+			ClassLoader classLoader = Jackson2.class.getClassLoader();
+			List securityModules = SecurityJackson2Modules.getModules(classLoader);
+			objectMapper.registerModules(securityModules);
+			objectMapper.registerModule(new OAuth2AuthorizationServerJackson2Module());
+			return objectMapper;
+		}
+
+	}
+
+	/**
+	 * Nested class used to get a common default instance of {@link JsonMapper}. It is in
+	 * a nested class to protect from getting {@link NoClassDefFoundError} when Jackson 3
+	 * is not on the classpath.
+	 */
+	private static final class Jackson3 {
+
+		static JsonMapper createJsonMapper() {
+			List modules = SecurityJacksonModules.getModules(Jackson3.class.getClassLoader());
+			return JsonMapper.builder()
+				.addModules(modules)
+				.addModules(new OAuth2AuthorizationServerJacksonModule())
+				.build();
+		}
+
+	}
+
+	/**
+	 * @deprecated Use {@link JsonMapperOAuth2AuthorizationParametersMapper} to migrate to
+	 * Jackson 3.
+	 */
+	@Deprecated(forRemoval = true, since = "7.0")
+	public static class OAuth2AuthorizationParametersMapper extends AbstractOAuth2AuthorizationParametersMapper {
+
+		private ObjectMapper objectMapper = Jackson2.createObjectMapper();
+
+		@Override
+		String writeValueAsString(Map data) throws JsonProcessingException {
+			return this.objectMapper.writeValueAsString(data);
+		}
+
+		protected final ObjectMapper getObjectMapper() {
+			return this.objectMapper;
+		}
+
+		public final void setObjectMapper(ObjectMapper objectMapper) {
+			Assert.notNull(objectMapper, "objectMapper cannot be null");
+			this.objectMapper = objectMapper;
+		}
+
 	}
 
 	/**
 	 * The default {@code Function} that maps {@link OAuth2Authorization} to a
-	 * {@code List} of {@link SqlParameterValue}.
+	 * {@code List} of {@link SqlParameterValue} using an instance of Jackson 3's
+	 * {@link JsonMapper}.
 	 */
-	public static class OAuth2AuthorizationParametersMapper
-			implements Function> {
+	public static final class JsonMapperOAuth2AuthorizationParametersMapper
+			extends AbstractOAuth2AuthorizationParametersMapper {
+
+		private final JsonMapper mapper;
+
+		public JsonMapperOAuth2AuthorizationParametersMapper() {
+			this(Jackson3.createJsonMapper());
+		}
+
+		public JsonMapperOAuth2AuthorizationParametersMapper(JsonMapper mapper) {
+			Assert.notNull(mapper, "mapper cannot be null");
+			this.mapper = mapper;
+		}
 
-		private Mapper mapper = (ClassUtils.isPresent("tools.jackson.databind.json.JsonMapper",
-				OAuth2AuthorizationRowMapper.class.getClassLoader())) ? new JacksonDelegate() : new Jackson2Delegate();
+		@Override
+		String writeValueAsString(Map data) throws Exception {
+			return this.mapper.writeValueAsString(data);
+		}
 
-		public OAuth2AuthorizationParametersMapper() {
+	}
+
+	/**
+	 * The base {@code Function} that maps {@link OAuth2Authorization} to a {@code List}
+	 * of {@link SqlParameterValue}.
+	 */
+	private abstract static class AbstractOAuth2AuthorizationParametersMapper
+			implements Function> {
+
+		protected AbstractOAuth2AuthorizationParametersMapper() {
 		}
 
 		@Override
@@ -736,15 +881,6 @@ public List apply(OAuth2Authorization authorization) {
 			return parameters;
 		}
 
-		public final void setMapper(Mapper mapper) {
-			Assert.notNull(mapper, "mapper cannot be null");
-			this.mapper = mapper;
-		}
-
-		protected final Mapper getMapper() {
-			return this.mapper;
-		}
-
 		private  List toSqlParameterList(String tokenColumnName,
 				String tokenMetadataColumnName, OAuth2Authorization.Token token) {
 
@@ -773,13 +909,15 @@ private  List toSqlParameterList(Strin
 
 		private String writeMap(Map data) {
 			try {
-				return this.mapper.writeValueAsString(data);
+				return writeValueAsString(data);
 			}
 			catch (Exception ex) {
 				throw new IllegalArgumentException(ex.getMessage(), ex);
 			}
 		}
 
+		abstract String writeValueAsString(Map data) throws Exception;
+
 	}
 
 	private static final class LobCreatorArgumentPreparedStatementSetter extends ArgumentPreparedStatementSetter {
@@ -850,77 +988,4 @@ public void registerHints(RuntimeHints hints, ClassLoader classLoader) {
 
 	}
 
-	public interface Mapper {
-
-		String writeValueAsString(Object data);
-
-		 T readValue(String value, ParameterizedTypeReference typeReference);
-
-	}
-
-	@SuppressWarnings("removal")
-	public static class Jackson2Delegate implements Mapper {
-
-		private final ObjectMapper objectMapper = new ObjectMapper();
-
-		public Jackson2Delegate() {
-			ClassLoader classLoader = Jackson2Delegate.class.getClassLoader();
-			List securityModules = SecurityJackson2Modules.getModules(classLoader);
-			this.objectMapper.registerModules(securityModules);
-			this.objectMapper.registerModule(new OAuth2AuthorizationServerJackson2Module());
-		}
-
-		@Override
-		public String writeValueAsString(Object data) {
-			try {
-				return this.objectMapper.writeValueAsString(data);
-			}
-			catch (JsonProcessingException ex) {
-				throw new IllegalArgumentException(ex.getMessage(), ex);
-			}
-		}
-
-		@Override
-		public  T readValue(String value, ParameterizedTypeReference typeReference) {
-			try {
-				com.fasterxml.jackson.databind.JavaType javaType = this.objectMapper.getTypeFactory()
-					.constructType(typeReference.getType());
-				return this.objectMapper.readValue(value, javaType);
-			}
-			catch (JsonProcessingException ex) {
-				throw new IllegalArgumentException(ex.getMessage(), ex);
-			}
-		}
-
-	}
-
-	public static class JacksonDelegate implements Mapper {
-
-		private final JsonMapper jsonMapper;
-
-		public JacksonDelegate() {
-			this(JsonMapper.builder());
-		}
-
-		public JacksonDelegate(JsonMapper.Builder builder) {
-			List modules = SecurityJacksonModules.getModules(getClass().getClassLoader());
-			this.jsonMapper = builder.addModules(modules)
-				.addModules(new OAuth2AuthorizationServerJacksonModule())
-				.build();
-		}
-
-		@Override
-		public String writeValueAsString(Object data) {
-			return this.jsonMapper.writeValueAsString(data);
-		}
-
-		@Override
-		public  T readValue(String value, ParameterizedTypeReference typeReference) {
-			tools.jackson.databind.JavaType javaType = this.jsonMapper.getTypeFactory()
-				.constructType(typeReference.getType());
-			return this.jsonMapper.readValue(value, javaType);
-		}
-
-	}
-
 }
diff --git a/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationServiceTests.java b/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationServiceTests.java
index 1f83dfc0f0..8d428a2fb2 100644
--- a/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationServiceTests.java
+++ b/oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/JdbcOAuth2AuthorizationServiceTests.java
@@ -32,8 +32,9 @@
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import tools.jackson.core.type.TypeReference;
+import tools.jackson.databind.json.JsonMapper;
 
-import org.springframework.core.ParameterizedTypeReference;
 import org.springframework.dao.DataRetrievalFailureException;
 import org.springframework.jdbc.core.ArgumentPreparedStatementSetter;
 import org.springframework.jdbc.core.JdbcOperations;
@@ -44,6 +45,7 @@
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase;
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
+import org.springframework.security.jackson.SecurityJacksonModules;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2DeviceCode;
@@ -526,6 +528,12 @@ private static EmbeddedDatabase createDb(String schema) {
 		// @formatter:on
 	}
 
+	private static JsonMapper createSecurityMapper() {
+		return JsonMapper.builder()
+			.addModules(SecurityJacksonModules.getModules(JdbcOAuth2AuthorizationServiceTests.class.getClassLoader()))
+			.build();
+	}
+
 	private static final class CustomJdbcOAuth2AuthorizationService extends JdbcOAuth2AuthorizationService {
 
 		// @formatter:off
@@ -626,8 +634,11 @@ private OAuth2Authorization findBy(String filter, Object... args) {
 		private static final class CustomOAuth2AuthorizationRowMapper
 				extends JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper {
 
+			private JsonMapper mapper;
+
 			private CustomOAuth2AuthorizationRowMapper(RegisteredClientRepository registeredClientRepository) {
 				super(registeredClientRepository);
+				this.mapper = createSecurityMapper();
 			}
 
 			@Override
@@ -747,7 +758,7 @@ public OAuth2Authorization mapRow(ResultSet rs, int rowNum) throws SQLException
 
 			private Map parseMap(String data) {
 				try {
-					return getMapper().readValue(data, new ParameterizedTypeReference<>() {
+					return this.mapper.readValue(data, new TypeReference<>() {
 					});
 				}
 				catch (Exception ex) {
@@ -760,6 +771,8 @@ private Map parseMap(String data) {
 		private static final class CustomOAuth2AuthorizationParametersMapper
 				extends JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper {
 
+			private final JsonMapper mapper = createSecurityMapper();
+
 			@Override
 			public List apply(OAuth2Authorization authorization) {
 				List parameters = new ArrayList<>();
@@ -852,7 +865,7 @@ private  List toSqlParameterList(
 
 			private String writeMap(Map data) {
 				try {
-					return getMapper().writeValueAsString(data);
+					return this.mapper.writeValueAsString(data);
 				}
 				catch (Exception ex) {
 					throw new IllegalArgumentException(ex.getMessage(), ex);

From 31d618a4c934f443acfd53cdf14f572f237a4efb Mon Sep 17 00:00:00 2001
From: Rob Winch <362503+rwinch@users.noreply.github.com>
Date: Fri, 17 Oct 2025 15:07:51 -0500
Subject: [PATCH 11/14] Remove Extra Blank Line from CoreJacksonModule

---
 .../org/springframework/security/jackson/CoreJacksonModule.java  | 1 -
 1 file changed, 1 deletion(-)

diff --git a/core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java b/core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java
index 73ecdddb62..0d633f4c2d 100644
--- a/core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java
+++ b/core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java
@@ -58,7 +58,6 @@
  * @see SecurityJacksonModules
  */
 @SuppressWarnings("serial")
-
 public class CoreJacksonModule extends SecurityJacksonModule {
 
 	public CoreJacksonModule() {

From bb134cfd069b764f340f4020f9f3baebfb785a88 Mon Sep 17 00:00:00 2001
From: Rob Winch <362503+rwinch@users.noreply.github.com>
Date: Fri, 17 Oct 2025 16:23:51 -0500
Subject: [PATCH 12/14] Deprecate
 WebAuthnAuthenticationFilter.setConverter(GenericHttpMessageConverter)

This makes sense given that Framework's new Jackson support is a
SmartHttpMessageConverter. Additionally,
GenericHttpMessageConverterAdapter is now package private to encapsulate
it.

Issue gh-18073
---
 .../GenericHttpMessageConverterAdapter.java   | 99 -------------------
 .../WebAuthnAuthenticationFilter.java         | 73 ++++++++++++--
 2 files changed, 67 insertions(+), 105 deletions(-)
 delete mode 100644 web/src/main/java/org/springframework/security/web/http/GenericHttpMessageConverterAdapter.java

diff --git a/web/src/main/java/org/springframework/security/web/http/GenericHttpMessageConverterAdapter.java b/web/src/main/java/org/springframework/security/web/http/GenericHttpMessageConverterAdapter.java
deleted file mode 100644
index de3875157f..0000000000
--- a/web/src/main/java/org/springframework/security/web/http/GenericHttpMessageConverterAdapter.java
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright 2004-present the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.web.http;
-
-import java.io.IOException;
-import java.lang.reflect.Type;
-import java.util.List;
-
-import org.jspecify.annotations.Nullable;
-
-import org.springframework.core.ResolvableType;
-import org.springframework.http.HttpInputMessage;
-import org.springframework.http.HttpOutputMessage;
-import org.springframework.http.MediaType;
-import org.springframework.http.converter.GenericHttpMessageConverter;
-import org.springframework.http.converter.HttpMessageNotReadableException;
-import org.springframework.http.converter.HttpMessageNotWritableException;
-import org.springframework.http.converter.SmartHttpMessageConverter;
-
-/**
- * {@link GenericHttpMessageConverter} implementation that delegates to a
- * {@link SmartHttpMessageConverter}.
- *
- * @param  the converted object type
- * @author Sebastien Deleuze
- * @since 7.0
- */
-public class GenericHttpMessageConverterAdapter implements GenericHttpMessageConverter {
-
-	private final SmartHttpMessageConverter smartConverter;
-
-	public GenericHttpMessageConverterAdapter(SmartHttpMessageConverter smartConverter) {
-		this.smartConverter = smartConverter;
-	}
-
-	@Override
-	public boolean canRead(Type type, @Nullable Class contextClass, @Nullable MediaType mediaType) {
-		return this.smartConverter.canRead(ResolvableType.forType(type), mediaType);
-	}
-
-	@Override
-	public T read(Type type, @Nullable Class contextClass, HttpInputMessage inputMessage)
-			throws IOException, HttpMessageNotReadableException {
-		return this.smartConverter.read(ResolvableType.forType(type), inputMessage, null);
-	}
-
-	@Override
-	public boolean canWrite(@Nullable Type type, Class clazz, @Nullable MediaType mediaType) {
-		return this.smartConverter.canWrite(ResolvableType.forType(type), clazz, mediaType);
-	}
-
-	@Override
-	public void write(T t, @Nullable Type type, @Nullable MediaType contentType, HttpOutputMessage outputMessage)
-			throws IOException, HttpMessageNotWritableException {
-		this.smartConverter.write(t, ResolvableType.forType(type), contentType, outputMessage, null);
-	}
-
-	@Override
-	public boolean canRead(Class clazz, @Nullable MediaType mediaType) {
-		return this.smartConverter.canRead(ResolvableType.forClass(clazz), mediaType);
-	}
-
-	@Override
-	public boolean canWrite(Class clazz, @Nullable MediaType mediaType) {
-		return this.smartConverter.canWrite(clazz, mediaType);
-	}
-
-	@Override
-	public List getSupportedMediaTypes() {
-		return this.smartConverter.getSupportedMediaTypes();
-	}
-
-	@Override
-	public T read(Class clazz, HttpInputMessage inputMessage)
-			throws IOException, HttpMessageNotReadableException {
-		return this.smartConverter.read(clazz, inputMessage);
-	}
-
-	@Override
-	public void write(T t, @Nullable MediaType contentType, HttpOutputMessage outputMessage)
-			throws IOException, HttpMessageNotWritableException {
-		this.smartConverter.write(t, contentType, outputMessage);
-	}
-
-}
diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilter.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilter.java
index b58ea78b67..c4016a1ef3 100644
--- a/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilter.java
+++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationFilter.java
@@ -17,16 +17,25 @@
 package org.springframework.security.web.webauthn.authentication;
 
 import java.io.IOException;
+import java.util.List;
+import java.util.Map;
 
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import org.jspecify.annotations.Nullable;
 import tools.jackson.databind.json.JsonMapper;
 
 import org.springframework.core.ResolvableType;
+import org.springframework.http.HttpInputMessage;
 import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpOutputMessage;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.http.converter.AbstractSmartHttpMessageConverter;
 import org.springframework.http.converter.GenericHttpMessageConverter;
+import org.springframework.http.converter.HttpMessageNotReadableException;
+import org.springframework.http.converter.HttpMessageNotWritableException;
 import org.springframework.http.converter.SmartHttpMessageConverter;
 import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter;
 import org.springframework.http.server.ServletServerHttpRequest;
@@ -38,7 +47,6 @@
 import org.springframework.security.web.authentication.HttpMessageConverterAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
-import org.springframework.security.web.http.GenericHttpMessageConverterAdapter;
 import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
 import org.springframework.security.web.webauthn.api.PublicKeyCredential;
 import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
@@ -74,8 +82,8 @@
  */
 public class WebAuthnAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
 
-	private GenericHttpMessageConverter converter = new GenericHttpMessageConverterAdapter<>(
-			new JacksonJsonHttpMessageConverter(JsonMapper.builder().addModule(new WebauthnJacksonModule()).build()));
+	private SmartHttpMessageConverter converter = new JacksonJsonHttpMessageConverter(
+			JsonMapper.builder().addModule(new WebauthnJacksonModule()).build());
 
 	private PublicKeyCredentialRequestOptionsRepository requestOptionsRepository = new HttpSessionPublicKeyCredentialRequestOptionsRepository();
 
@@ -96,7 +104,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 		PublicKeyCredential publicKeyCredential = null;
 		try {
 			publicKeyCredential = (PublicKeyCredential) this.converter
-				.read(resolvableType.getType(), getClass(), httpRequest);
+				.read(resolvableType, httpRequest, null);
 		}
 		catch (Exception ex) {
 			throw new BadCredentialsException("Unable to authenticate the PublicKeyCredential", ex);
@@ -118,10 +126,12 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 	 * {@code PublicKeyCredential} to the response. The
 	 * default is @{code MappingJackson2HttpMessageConverter}
 	 * @param converter the {@link GenericHttpMessageConverter} to use. Cannot be null.
+	 * @deprecated use {@link #setConverter(SmartHttpMessageConverter)}
 	 */
+	@Deprecated(forRemoval = true, since = "7.0")
 	public void setConverter(GenericHttpMessageConverter converter) {
 		Assert.notNull(converter, "converter cannot be null");
-		this.converter = converter;
+		this.converter = new GenericHttpMessageConverterAdapter<>(converter);
 	}
 
 	/**
@@ -133,7 +143,7 @@ public void setConverter(GenericHttpMessageConverter converter) {
 	 */
 	public void setConverter(SmartHttpMessageConverter converter) {
 		Assert.notNull(converter, "converter cannot be null");
-		this.converter = new GenericHttpMessageConverterAdapter<>(converter);
+		this.converter = converter;
 	}
 
 	/**
@@ -147,4 +157,55 @@ public void setRequestOptionsRepository(PublicKeyCredentialRequestOptionsReposit
 		this.requestOptionsRepository = requestOptionsRepository;
 	}
 
+	/**
+	 * Adapts a {@link GenericHttpMessageConverter} to a
+	 * {@link SmartHttpMessageConverter}.
+	 *
+	 * @param  The type
+	 * @author Rob Winch
+	 * @since 7.0
+	 */
+	private static final class GenericHttpMessageConverterAdapter extends AbstractSmartHttpMessageConverter {
+
+		private final GenericHttpMessageConverter delegate;
+
+		private GenericHttpMessageConverterAdapter(GenericHttpMessageConverter delegate) {
+			Assert.notNull(delegate, "delegate cannot be null");
+			this.delegate = delegate;
+		}
+
+		@Override
+		public boolean canRead(Class clazz, @Nullable MediaType mediaType) {
+			return this.delegate.canRead(clazz, mediaType);
+		}
+
+		@Override
+		public boolean canWrite(Class clazz, @Nullable MediaType mediaType) {
+			return this.delegate.canWrite(clazz, mediaType);
+		}
+
+		@Override
+		public List getSupportedMediaTypes() {
+			return this.delegate.getSupportedMediaTypes();
+		}
+
+		@Override
+		public List getSupportedMediaTypes(Class clazz) {
+			return this.delegate.getSupportedMediaTypes(clazz);
+		}
+
+		@Override
+		protected void writeInternal(T t, ResolvableType type, HttpOutputMessage outputMessage,
+				@Nullable Map hints) throws IOException, HttpMessageNotWritableException {
+			this.delegate.write(t, null, outputMessage);
+		}
+
+		@Override
+		public T read(ResolvableType type, HttpInputMessage inputMessage, @Nullable Map hints)
+				throws IOException, HttpMessageNotReadableException {
+			return this.delegate.read(type.getType(), null, inputMessage);
+		}
+
+	}
+
 }

From a4bc5aacc4ae38a5b43dfc417e3ed674b05cc2d9 Mon Sep 17 00:00:00 2001
From: Rob Winch <362503+rwinch@users.noreply.github.com>
Date: Fri, 17 Oct 2025 16:25:51 -0500
Subject: [PATCH 13/14] Encapsulate GenericHttpMessageConverterAdapter

This will allow its removal in gh-18073
---
 .../GenericHttpMessageConverterAdapter.java   | 99 +++++++++++++++++++
 .../web/server/HttpMessageConverters.java     |  1 -
 .../GenericHttpMessageConverterAdapter.java   | 99 +++++++++++++++++++
 .../http/converter/HttpMessageConverters.java |  1 -
 .../GenericHttpMessageConverterAdapter.java   | 99 +++++++++++++++++++
 .../http/converter/HttpMessageConverters.java |  1 -
 .../GenericHttpMessageConverterAdapter.java   | 99 +++++++++++++++++++
 .../web/HttpMessageConverters.java            |  1 -
 .../GenericHttpMessageConverterAdapter.java   |  4 +-
 .../GenericHttpMessageConverterAdapter.java   | 99 +++++++++++++++++++
 ...OAuth2ProtectedResourceMetadataFilter.java |  1 -
 11 files changed, 497 insertions(+), 7 deletions(-)
 create mode 100644 config/src/main/java/org/springframework/security/config/web/server/GenericHttpMessageConverterAdapter.java
 create mode 100644 oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/http/converter/GenericHttpMessageConverterAdapter.java
 create mode 100644 oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/http/converter/GenericHttpMessageConverterAdapter.java
 create mode 100644 oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/GenericHttpMessageConverterAdapter.java
 create mode 100644 oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/GenericHttpMessageConverterAdapter.java

diff --git a/config/src/main/java/org/springframework/security/config/web/server/GenericHttpMessageConverterAdapter.java b/config/src/main/java/org/springframework/security/config/web/server/GenericHttpMessageConverterAdapter.java
new file mode 100644
index 0000000000..8a61462f05
--- /dev/null
+++ b/config/src/main/java/org/springframework/security/config/web/server/GenericHttpMessageConverterAdapter.java
@@ -0,0 +1,99 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.web.server;
+
+import java.io.IOException;
+import java.lang.reflect.Type;
+import java.util.List;
+
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.core.ResolvableType;
+import org.springframework.http.HttpInputMessage;
+import org.springframework.http.HttpOutputMessage;
+import org.springframework.http.MediaType;
+import org.springframework.http.converter.GenericHttpMessageConverter;
+import org.springframework.http.converter.HttpMessageNotReadableException;
+import org.springframework.http.converter.HttpMessageNotWritableException;
+import org.springframework.http.converter.SmartHttpMessageConverter;
+
+/**
+ * {@link GenericHttpMessageConverter} implementation that delegates to a
+ * {@link SmartHttpMessageConverter}.
+ *
+ * @param  the converted object type
+ * @author Sebastien Deleuze
+ * @since 7.0
+ */
+final class GenericHttpMessageConverterAdapter implements GenericHttpMessageConverter {
+
+	private final SmartHttpMessageConverter smartConverter;
+
+	GenericHttpMessageConverterAdapter(SmartHttpMessageConverter smartConverter) {
+		this.smartConverter = smartConverter;
+	}
+
+	@Override
+	public boolean canRead(Type type, @Nullable Class contextClass, @Nullable MediaType mediaType) {
+		return this.smartConverter.canRead(ResolvableType.forType(type), mediaType);
+	}
+
+	@Override
+	public T read(Type type, @Nullable Class contextClass, HttpInputMessage inputMessage)
+			throws IOException, HttpMessageNotReadableException {
+		return this.smartConverter.read(ResolvableType.forType(type), inputMessage, null);
+	}
+
+	@Override
+	public boolean canWrite(@Nullable Type type, Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canWrite(ResolvableType.forType(type), clazz, mediaType);
+	}
+
+	@Override
+	public void write(T t, @Nullable Type type, @Nullable MediaType contentType, HttpOutputMessage outputMessage)
+			throws IOException, HttpMessageNotWritableException {
+		this.smartConverter.write(t, ResolvableType.forType(type), contentType, outputMessage, null);
+	}
+
+	@Override
+	public boolean canRead(Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canRead(ResolvableType.forClass(clazz), mediaType);
+	}
+
+	@Override
+	public boolean canWrite(Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canWrite(clazz, mediaType);
+	}
+
+	@Override
+	public List getSupportedMediaTypes() {
+		return this.smartConverter.getSupportedMediaTypes();
+	}
+
+	@Override
+	public T read(Class clazz, HttpInputMessage inputMessage)
+			throws IOException, HttpMessageNotReadableException {
+		return this.smartConverter.read(clazz, inputMessage);
+	}
+
+	@Override
+	public void write(T t, @Nullable MediaType contentType, HttpOutputMessage outputMessage)
+			throws IOException, HttpMessageNotWritableException {
+		this.smartConverter.write(t, contentType, outputMessage);
+	}
+
+}
diff --git a/config/src/main/java/org/springframework/security/config/web/server/HttpMessageConverters.java b/config/src/main/java/org/springframework/security/config/web/server/HttpMessageConverters.java
index a8f262b126..22d18762e5 100644
--- a/config/src/main/java/org/springframework/security/config/web/server/HttpMessageConverters.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/HttpMessageConverters.java
@@ -22,7 +22,6 @@
 import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter;
 import org.springframework.http.converter.json.JsonbHttpMessageConverter;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
-import org.springframework.security.oauth2.core.http.converter.GenericHttpMessageConverterAdapter;
 import org.springframework.util.ClassUtils;
 
 /**
diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/http/converter/GenericHttpMessageConverterAdapter.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/http/converter/GenericHttpMessageConverterAdapter.java
new file mode 100644
index 0000000000..735a0dfb46
--- /dev/null
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/http/converter/GenericHttpMessageConverterAdapter.java
@@ -0,0 +1,99 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.authorization.http.converter;
+
+import java.io.IOException;
+import java.lang.reflect.Type;
+import java.util.List;
+
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.core.ResolvableType;
+import org.springframework.http.HttpInputMessage;
+import org.springframework.http.HttpOutputMessage;
+import org.springframework.http.MediaType;
+import org.springframework.http.converter.GenericHttpMessageConverter;
+import org.springframework.http.converter.HttpMessageNotReadableException;
+import org.springframework.http.converter.HttpMessageNotWritableException;
+import org.springframework.http.converter.SmartHttpMessageConverter;
+
+/**
+ * {@link GenericHttpMessageConverter} implementation that delegates to a
+ * {@link SmartHttpMessageConverter}.
+ *
+ * @param  the converted object type
+ * @author Sebastien Deleuze
+ * @since 7.0
+ */
+final class GenericHttpMessageConverterAdapter implements GenericHttpMessageConverter {
+
+	private final SmartHttpMessageConverter smartConverter;
+
+	GenericHttpMessageConverterAdapter(SmartHttpMessageConverter smartConverter) {
+		this.smartConverter = smartConverter;
+	}
+
+	@Override
+	public boolean canRead(Type type, @Nullable Class contextClass, @Nullable MediaType mediaType) {
+		return this.smartConverter.canRead(ResolvableType.forType(type), mediaType);
+	}
+
+	@Override
+	public T read(Type type, @Nullable Class contextClass, HttpInputMessage inputMessage)
+			throws IOException, HttpMessageNotReadableException {
+		return this.smartConverter.read(ResolvableType.forType(type), inputMessage, null);
+	}
+
+	@Override
+	public boolean canWrite(@Nullable Type type, Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canWrite(ResolvableType.forType(type), clazz, mediaType);
+	}
+
+	@Override
+	public void write(T t, @Nullable Type type, @Nullable MediaType contentType, HttpOutputMessage outputMessage)
+			throws IOException, HttpMessageNotWritableException {
+		this.smartConverter.write(t, ResolvableType.forType(type), contentType, outputMessage, null);
+	}
+
+	@Override
+	public boolean canRead(Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canRead(ResolvableType.forClass(clazz), mediaType);
+	}
+
+	@Override
+	public boolean canWrite(Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canWrite(clazz, mediaType);
+	}
+
+	@Override
+	public List getSupportedMediaTypes() {
+		return this.smartConverter.getSupportedMediaTypes();
+	}
+
+	@Override
+	public T read(Class clazz, HttpInputMessage inputMessage)
+			throws IOException, HttpMessageNotReadableException {
+		return this.smartConverter.read(clazz, inputMessage);
+	}
+
+	@Override
+	public void write(T t, @Nullable MediaType contentType, HttpOutputMessage outputMessage)
+			throws IOException, HttpMessageNotWritableException {
+		this.smartConverter.write(t, contentType, outputMessage);
+	}
+
+}
diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/http/converter/HttpMessageConverters.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/http/converter/HttpMessageConverters.java
index c5daa5e126..623099f7f9 100644
--- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/http/converter/HttpMessageConverters.java
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/http/converter/HttpMessageConverters.java
@@ -22,7 +22,6 @@
 import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter;
 import org.springframework.http.converter.json.JsonbHttpMessageConverter;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
-import org.springframework.security.web.http.GenericHttpMessageConverterAdapter;
 import org.springframework.util.ClassUtils;
 
 /**
diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/http/converter/GenericHttpMessageConverterAdapter.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/http/converter/GenericHttpMessageConverterAdapter.java
new file mode 100644
index 0000000000..2add8e916f
--- /dev/null
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/http/converter/GenericHttpMessageConverterAdapter.java
@@ -0,0 +1,99 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.authorization.oidc.http.converter;
+
+import java.io.IOException;
+import java.lang.reflect.Type;
+import java.util.List;
+
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.core.ResolvableType;
+import org.springframework.http.HttpInputMessage;
+import org.springframework.http.HttpOutputMessage;
+import org.springframework.http.MediaType;
+import org.springframework.http.converter.GenericHttpMessageConverter;
+import org.springframework.http.converter.HttpMessageNotReadableException;
+import org.springframework.http.converter.HttpMessageNotWritableException;
+import org.springframework.http.converter.SmartHttpMessageConverter;
+
+/**
+ * {@link GenericHttpMessageConverter} implementation that delegates to a
+ * {@link SmartHttpMessageConverter}.
+ *
+ * @param  the converted object type
+ * @author Sebastien Deleuze
+ * @since 7.0
+ */
+final class GenericHttpMessageConverterAdapter implements GenericHttpMessageConverter {
+
+	private final SmartHttpMessageConverter smartConverter;
+
+	GenericHttpMessageConverterAdapter(SmartHttpMessageConverter smartConverter) {
+		this.smartConverter = smartConverter;
+	}
+
+	@Override
+	public boolean canRead(Type type, @Nullable Class contextClass, @Nullable MediaType mediaType) {
+		return this.smartConverter.canRead(ResolvableType.forType(type), mediaType);
+	}
+
+	@Override
+	public T read(Type type, @Nullable Class contextClass, HttpInputMessage inputMessage)
+			throws IOException, HttpMessageNotReadableException {
+		return this.smartConverter.read(ResolvableType.forType(type), inputMessage, null);
+	}
+
+	@Override
+	public boolean canWrite(@Nullable Type type, Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canWrite(ResolvableType.forType(type), clazz, mediaType);
+	}
+
+	@Override
+	public void write(T t, @Nullable Type type, @Nullable MediaType contentType, HttpOutputMessage outputMessage)
+			throws IOException, HttpMessageNotWritableException {
+		this.smartConverter.write(t, ResolvableType.forType(type), contentType, outputMessage, null);
+	}
+
+	@Override
+	public boolean canRead(Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canRead(ResolvableType.forClass(clazz), mediaType);
+	}
+
+	@Override
+	public boolean canWrite(Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canWrite(clazz, mediaType);
+	}
+
+	@Override
+	public List getSupportedMediaTypes() {
+		return this.smartConverter.getSupportedMediaTypes();
+	}
+
+	@Override
+	public T read(Class clazz, HttpInputMessage inputMessage)
+			throws IOException, HttpMessageNotReadableException {
+		return this.smartConverter.read(clazz, inputMessage);
+	}
+
+	@Override
+	public void write(T t, @Nullable MediaType contentType, HttpOutputMessage outputMessage)
+			throws IOException, HttpMessageNotWritableException {
+		this.smartConverter.write(t, contentType, outputMessage);
+	}
+
+}
diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/http/converter/HttpMessageConverters.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/http/converter/HttpMessageConverters.java
index 4b6e1f929d..f442a6636e 100644
--- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/http/converter/HttpMessageConverters.java
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/http/converter/HttpMessageConverters.java
@@ -22,7 +22,6 @@
 import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter;
 import org.springframework.http.converter.json.JsonbHttpMessageConverter;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
-import org.springframework.security.web.http.GenericHttpMessageConverterAdapter;
 import org.springframework.util.ClassUtils;
 
 /**
diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/GenericHttpMessageConverterAdapter.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/GenericHttpMessageConverterAdapter.java
new file mode 100644
index 0000000000..93063d97f5
--- /dev/null
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/GenericHttpMessageConverterAdapter.java
@@ -0,0 +1,99 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.authorization.web;
+
+import java.io.IOException;
+import java.lang.reflect.Type;
+import java.util.List;
+
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.core.ResolvableType;
+import org.springframework.http.HttpInputMessage;
+import org.springframework.http.HttpOutputMessage;
+import org.springframework.http.MediaType;
+import org.springframework.http.converter.GenericHttpMessageConverter;
+import org.springframework.http.converter.HttpMessageNotReadableException;
+import org.springframework.http.converter.HttpMessageNotWritableException;
+import org.springframework.http.converter.SmartHttpMessageConverter;
+
+/**
+ * {@link GenericHttpMessageConverter} implementation that delegates to a
+ * {@link SmartHttpMessageConverter}.
+ *
+ * @param  the converted object type
+ * @author Sebastien Deleuze
+ * @since 7.0
+ */
+final class GenericHttpMessageConverterAdapter implements GenericHttpMessageConverter {
+
+	private final SmartHttpMessageConverter smartConverter;
+
+	GenericHttpMessageConverterAdapter(SmartHttpMessageConverter smartConverter) {
+		this.smartConverter = smartConverter;
+	}
+
+	@Override
+	public boolean canRead(Type type, @Nullable Class contextClass, @Nullable MediaType mediaType) {
+		return this.smartConverter.canRead(ResolvableType.forType(type), mediaType);
+	}
+
+	@Override
+	public T read(Type type, @Nullable Class contextClass, HttpInputMessage inputMessage)
+			throws IOException, HttpMessageNotReadableException {
+		return this.smartConverter.read(ResolvableType.forType(type), inputMessage, null);
+	}
+
+	@Override
+	public boolean canWrite(@Nullable Type type, Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canWrite(ResolvableType.forType(type), clazz, mediaType);
+	}
+
+	@Override
+	public void write(T t, @Nullable Type type, @Nullable MediaType contentType, HttpOutputMessage outputMessage)
+			throws IOException, HttpMessageNotWritableException {
+		this.smartConverter.write(t, ResolvableType.forType(type), contentType, outputMessage, null);
+	}
+
+	@Override
+	public boolean canRead(Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canRead(ResolvableType.forClass(clazz), mediaType);
+	}
+
+	@Override
+	public boolean canWrite(Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canWrite(clazz, mediaType);
+	}
+
+	@Override
+	public List getSupportedMediaTypes() {
+		return this.smartConverter.getSupportedMediaTypes();
+	}
+
+	@Override
+	public T read(Class clazz, HttpInputMessage inputMessage)
+			throws IOException, HttpMessageNotReadableException {
+		return this.smartConverter.read(clazz, inputMessage);
+	}
+
+	@Override
+	public void write(T t, @Nullable MediaType contentType, HttpOutputMessage outputMessage)
+			throws IOException, HttpMessageNotWritableException {
+		this.smartConverter.write(t, contentType, outputMessage);
+	}
+
+}
diff --git a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/HttpMessageConverters.java b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/HttpMessageConverters.java
index 0229c8171c..5c8897f69c 100644
--- a/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/HttpMessageConverters.java
+++ b/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/HttpMessageConverters.java
@@ -22,7 +22,6 @@
 import org.springframework.http.converter.json.JacksonJsonHttpMessageConverter;
 import org.springframework.http.converter.json.JsonbHttpMessageConverter;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
-import org.springframework.security.web.http.GenericHttpMessageConverterAdapter;
 import org.springframework.util.ClassUtils;
 
 /**
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/GenericHttpMessageConverterAdapter.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/GenericHttpMessageConverterAdapter.java
index 7f2f0e51a3..3e6aff6725 100644
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/GenericHttpMessageConverterAdapter.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/http/converter/GenericHttpMessageConverterAdapter.java
@@ -39,11 +39,11 @@
  * @author Sebastien Deleuze
  * @since 7.0
  */
-public class GenericHttpMessageConverterAdapter implements GenericHttpMessageConverter {
+final class GenericHttpMessageConverterAdapter implements GenericHttpMessageConverter {
 
 	private final SmartHttpMessageConverter smartConverter;
 
-	public GenericHttpMessageConverterAdapter(SmartHttpMessageConverter smartConverter) {
+	GenericHttpMessageConverterAdapter(SmartHttpMessageConverter smartConverter) {
 		this.smartConverter = smartConverter;
 	}
 
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/GenericHttpMessageConverterAdapter.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/GenericHttpMessageConverterAdapter.java
new file mode 100644
index 0000000000..724bc82fe8
--- /dev/null
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/GenericHttpMessageConverterAdapter.java
@@ -0,0 +1,99 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.resource.web;
+
+import java.io.IOException;
+import java.lang.reflect.Type;
+import java.util.List;
+
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.core.ResolvableType;
+import org.springframework.http.HttpInputMessage;
+import org.springframework.http.HttpOutputMessage;
+import org.springframework.http.MediaType;
+import org.springframework.http.converter.GenericHttpMessageConverter;
+import org.springframework.http.converter.HttpMessageNotReadableException;
+import org.springframework.http.converter.HttpMessageNotWritableException;
+import org.springframework.http.converter.SmartHttpMessageConverter;
+
+/**
+ * {@link GenericHttpMessageConverter} implementation that delegates to a
+ * {@link SmartHttpMessageConverter}.
+ *
+ * @param  the converted object type
+ * @author Sebastien Deleuze
+ * @since 7.0
+ */
+final class GenericHttpMessageConverterAdapter implements GenericHttpMessageConverter {
+
+	private final SmartHttpMessageConverter smartConverter;
+
+	GenericHttpMessageConverterAdapter(SmartHttpMessageConverter smartConverter) {
+		this.smartConverter = smartConverter;
+	}
+
+	@Override
+	public boolean canRead(Type type, @Nullable Class contextClass, @Nullable MediaType mediaType) {
+		return this.smartConverter.canRead(ResolvableType.forType(type), mediaType);
+	}
+
+	@Override
+	public T read(Type type, @Nullable Class contextClass, HttpInputMessage inputMessage)
+			throws IOException, HttpMessageNotReadableException {
+		return this.smartConverter.read(ResolvableType.forType(type), inputMessage, null);
+	}
+
+	@Override
+	public boolean canWrite(@Nullable Type type, Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canWrite(ResolvableType.forType(type), clazz, mediaType);
+	}
+
+	@Override
+	public void write(T t, @Nullable Type type, @Nullable MediaType contentType, HttpOutputMessage outputMessage)
+			throws IOException, HttpMessageNotWritableException {
+		this.smartConverter.write(t, ResolvableType.forType(type), contentType, outputMessage, null);
+	}
+
+	@Override
+	public boolean canRead(Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canRead(ResolvableType.forClass(clazz), mediaType);
+	}
+
+	@Override
+	public boolean canWrite(Class clazz, @Nullable MediaType mediaType) {
+		return this.smartConverter.canWrite(clazz, mediaType);
+	}
+
+	@Override
+	public List getSupportedMediaTypes() {
+		return this.smartConverter.getSupportedMediaTypes();
+	}
+
+	@Override
+	public T read(Class clazz, HttpInputMessage inputMessage)
+			throws IOException, HttpMessageNotReadableException {
+		return this.smartConverter.read(clazz, inputMessage);
+	}
+
+	@Override
+	public void write(T t, @Nullable MediaType contentType, HttpOutputMessage outputMessage)
+			throws IOException, HttpMessageNotWritableException {
+		this.smartConverter.write(t, contentType, outputMessage);
+	}
+
+}
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/OAuth2ProtectedResourceMetadataFilter.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/OAuth2ProtectedResourceMetadataFilter.java
index 1a839291eb..d5168e1150 100644
--- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/OAuth2ProtectedResourceMetadataFilter.java
+++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/OAuth2ProtectedResourceMetadataFilter.java
@@ -35,7 +35,6 @@
 import org.springframework.http.converter.json.JsonbHttpMessageConverter;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
 import org.springframework.http.server.ServletServerHttpResponse;
-import org.springframework.security.oauth2.core.http.converter.GenericHttpMessageConverterAdapter;
 import org.springframework.security.oauth2.server.resource.OAuth2ProtectedResourceMetadata;
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.UrlUtils;

From 6ea3f2081bb220e1655b8569e428e1b5a9803b1c Mon Sep 17 00:00:00 2001
From: Rob Winch <362503+rwinch@users.noreply.github.com>
Date: Sun, 19 Oct 2025 16:26:05 -0500
Subject: [PATCH 14/14] Link to gh-18077

---
 .../authorization/AuthorizationAdvisorProxyFactoryTests.java     | 1 +
 1 file changed, 1 insertion(+)

diff --git a/core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java b/core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java
index 2cdcee0a4b..eef00d19d4 100644
--- a/core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java
+++ b/core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java
@@ -341,6 +341,7 @@ public void setTargetVisitorIgnoreValueTypesThenIgnores() {
 	}
 
 	// TODO Find why callbacks property is serialized with Jackson 3, not with Jackson 2
+	// FIXME: https://github.com/spring-projects/spring-security/issues/18077
 	@Disabled("callbacks property is serialized with Jackson 3, not with Jackson 2")
 	@Test
 	public void serializeWhenAuthorizationProxyObjectThenOnlyIncludesProxiedProperties() {