Create Jackson Mixin for OneTimeTokenAuthentication

Closes gh-18095 Signed-off-by: Marcus Hert da Coregio <marcusdacoregio@gmail.com>
3 months ago · 8254f589b8
6 changed files with 179 additions and 0 deletions
--- a/core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java
+++ b/core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java
@ -29,6 +29,7 @@ import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.RememberMeAuthenticationToken;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.authentication.ott.OneTimeTokenAuthentication;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextImpl;
@ -81,6 +82,7 @@ public class CoreJacksonModule extends SecurityJacksonModule {
 			.allowIfSubType(BadCredentialsException.class)
 			.allowIfSubType(SecurityContextImpl.class)
 			.allowIfSubType(TestingAuthenticationToken.class)
 			.allowIfSubType(OneTimeTokenAuthentication.class)
 			.allowIfSubType("java.util.Collections$UnmodifiableSet")
 			.allowIfSubType("java.util.Collections$UnmodifiableRandomAccessList")
 			.allowIfSubType("java.util.Collections$EmptyList")
@ -108,6 +110,7 @@ public class CoreJacksonModule extends SecurityJacksonModule {
 		context.setMixIn(UsernamePasswordAuthenticationToken.class, UsernamePasswordAuthenticationTokenMixin.class);
 		context.setMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class);
 		context.setMixIn(BadCredentialsException.class, BadCredentialsExceptionMixin.class);
 		context.setMixIn(OneTimeTokenAuthentication.class, OneTimeTokenAuthenticationMixin.class);
 	}
 }
--- a/core/src/main/java/org/springframework/security/jackson/OneTimeTokenAuthenticationMixin.java
+++ b/core/src/main/java/org/springframework/security/jackson/OneTimeTokenAuthenticationMixin.java
@ -0,0 +1,56 @@
 /*
 * Copyright 2004-present the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.springframework.security.jackson;
 import java.util.Collection;
 import com.fasterxml.jackson.annotation.JsonAutoDetect;
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
 import org.springframework.security.core.GrantedAuthority;
 /**
 * Jackson Mixin class helps in serialize/deserialize
 * {@link org.springframework.security.authentication.ott.OneTimeTokenAuthentication}.
 *
 * <pre>
 *     JsonMapper mapper = JsonMapper.builder()
 * 			.addModules(new CoreJacksonModule())
 * 			.build();
 * </pre>
 *
 * @author Marcus Da Coregio
 * @since 7.1
 * @see CoreJacksonModule
 * @see SecurityJacksonModules
 *
 */
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.NONE,
 		getterVisibility = JsonAutoDetect.Visibility.PUBLIC_ONLY, isGetterVisibility = JsonAutoDetect.Visibility.NONE)
@JsonIgnoreProperties(ignoreUnknown = true)
 abstract class OneTimeTokenAuthenticationMixin {
 	@JsonCreator
 	OneTimeTokenAuthenticationMixin(@JsonProperty("principal") Object principal,
 			@JsonProperty("authorities") Collection<? extends GrantedAuthority> authorities) {
 	}
 }
--- a/core/src/main/java/org/springframework/security/jackson2/CoreJackson2Module.java
+++ b/core/src/main/java/org/springframework/security/jackson2/CoreJackson2Module.java
@ -25,6 +25,7 @@ import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.RememberMeAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
@ -75,6 +76,7 @@ public class CoreJackson2Module extends SimpleModule {
 		context.setMixInAnnotations(UsernamePasswordAuthenticationToken.class,
 				UsernamePasswordAuthenticationTokenMixin.class);
 		context.setMixInAnnotations(BadCredentialsException.class, BadCredentialsExceptionMixin.class);
 		context.setMixInAnnotations(OneTimeTokenAuthenticationToken.class, OneTimeTokenAuthenticationTokenMixin.class);
 	}
 }
--- a/core/src/main/java/org/springframework/security/jackson2/OneTimeTokenAuthenticationTokenMixin.java
+++ b/core/src/main/java/org/springframework/security/jackson2/OneTimeTokenAuthenticationTokenMixin.java
@ -0,0 +1,55 @@
 /*
 * Copyright 2004-present the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.springframework.security.jackson2;
 import java.util.Collection;
 import com.fasterxml.jackson.annotation.JsonAutoDetect;
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
 import org.springframework.security.core.GrantedAuthority;
 /**
 * Jackson Mixin class helps in serialize/deserialize
 * {@link org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken}.
 *
 * <pre>
 *     ObjectMapper mapper = new ObjectMapper();
 *     mapper.registerModule(new CoreJackson2Module());
 * </pre>
 *
 * @author Marcus Da Coregio
 * @since 7.1
 * @see CoreJackson2Module
 * @see SecurityJackson2Modules
 *
 */
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.NONE,
 		getterVisibility = JsonAutoDetect.Visibility.PUBLIC_ONLY, isGetterVisibility = JsonAutoDetect.Visibility.NONE)
@JsonIgnoreProperties(ignoreUnknown = true)
 abstract class OneTimeTokenAuthenticationTokenMixin {
 	@JsonCreator
 	OneTimeTokenAuthenticationTokenMixin(@JsonProperty("principal") Object principal,
 			@JsonProperty("authorities") Collection<? extends GrantedAuthority> authorities) {
 	}
 }
--- a/core/src/test/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationTests.java
@ -19,8 +19,11 @@ package org.springframework.security.authentication.ott;
 import java.util.Set;
 import org.junit.jupiter.api.Test;
 import tools.jackson.databind.json.JsonMapper;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.jackson.SecurityJacksonModules;
 import static org.assertj.core.api.Assertions.assertThat;
@ -41,4 +44,18 @@ class OneTimeTokenAuthenticationTests {
 		assertThat(authorities).containsExactlyInAnyOrder("FACTOR_ONE", "FACTOR_TWO");
 	}
 	// gh-18095
 	@Test
 	void shouldBeAbleToDeserializeFromJsonWithDefaultTypingActivated() {
 		JsonMapper mapper = JsonMapper.builder()
 			.addModules(SecurityJacksonModules.getModules(getClass().getClassLoader()))
 			.build();
 		OneTimeTokenAuthentication oneTimeTokenAuthentication = new OneTimeTokenAuthentication("principal",
 				AuthorityUtils.createAuthorityList("ROLE_USER"));
 		byte[] serialized = mapper.writeValueAsBytes(oneTimeTokenAuthentication);
 		OneTimeTokenAuthentication deserialized = mapper.readValue(serialized, OneTimeTokenAuthentication.class);
 		assertThat(deserialized.getPrincipal()).isEqualTo(oneTimeTokenAuthentication.getPrincipal());
 		assertThat(deserialized.getAuthorities()).extracting(GrantedAuthority::getAuthority).contains("ROLE_USER");
 	}
 }
--- a/core/src/test/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationTokenTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationTokenTests.java
@ -0,0 +1,46 @@
 /*
 * Copyright 2004-present the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.springframework.security.authentication.ott;
 import java.io.IOException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.junit.jupiter.api.Test;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.jackson2.SecurityJackson2Modules;
 import static org.assertj.core.api.Assertions.assertThat;
 class OneTimeTokenAuthenticationTokenTests {
 	// gh-18095
 	@Test
 	void shouldBeAbleToDeserializeFromJsonWithDefaultTypingActivated() throws IOException {
 		ObjectMapper mapper = new ObjectMapper();
 		mapper.registerModules(SecurityJackson2Modules.getModules(getClass().getClassLoader()));
 		OneTimeTokenAuthenticationToken oneTimeTokenAuthenticationToken = new OneTimeTokenAuthenticationToken(
 				"principal", AuthorityUtils.createAuthorityList("ROLE_USER"));
 		byte[] serialized = mapper.writeValueAsBytes(oneTimeTokenAuthenticationToken);
 		OneTimeTokenAuthenticationToken deserialized = mapper.readValue(serialized,
 				OneTimeTokenAuthenticationToken.class);
 		assertThat(deserialized.getPrincipal()).isEqualTo(oneTimeTokenAuthenticationToken.getPrincipal());
 		assertThat(deserialized.getAuthorities()).extracting(GrantedAuthority::getAuthority).contains("ROLE_USER");
 	}
 }