Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-11-10 19:48:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add AuthorizationProxyMixin

Browse Source 
This commit adds Jackson configuration specific to
authorization proxies created by Spring Security

Closes gh-18077
This commit is contained in:
Josh Cummings 2025-10-20 17:16:21 -06:00
parent fb701e4615
commit 743817fc15
3 changed files with 38 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
core/src/main/java/org/springframework/security/jackson/AuthorizationProxyMixin.java Normal file
View File

@ -0,0 +1,33 @@
/*
* Copyright 2004-present the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.jackson;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import org.springframework.security.authorization.method.AuthorizationProxy;
/**
* Jackson configurations for objects that extend {@link AuthorizationProxy}
*
* @author Josh Cummings
* @since 7.0
* @see org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory
*/
@JsonIgnoreProperties("callbacks")
class AuthorizationProxyMixin {
}

2
core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java
View File

@ -29,6 +29,7 @@ import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.RememberMeAuthenticationToken; import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authorization.method.AuthorizationProxy;
import org.springframework.security.core.authority.FactorGrantedAuthority; import org.springframework.security.core.authority.FactorGrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextImpl; import org.springframework.security.core.context.SecurityContextImpl;
@ -108,6 +109,7 @@ public class CoreJacksonModule extends SecurityJacksonModule {
context.setMixIn(UsernamePasswordAuthenticationToken.class, UsernamePasswordAuthenticationTokenMixin.class); context.setMixIn(UsernamePasswordAuthenticationToken.class, UsernamePasswordAuthenticationTokenMixin.class);
context.setMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class); context.setMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class);
context.setMixIn(BadCredentialsException.class, BadCredentialsExceptionMixin.class); context.setMixIn(BadCredentialsException.class, BadCredentialsExceptionMixin.class);
context.setMixIn(AuthorizationProxy.class, AuthorizationProxyMixin.class);
} }
} }

8
core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java
View File

@ -34,7 +34,6 @@ import java.util.TreeSet;
import java.util.function.Supplier; import java.util.function.Supplier;
import java.util.stream.Stream; import java.util.stream.Stream;
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import tools.jackson.databind.json.JsonMapper; import tools.jackson.databind.json.JsonMapper;
@ -50,6 +49,7 @@ import org.springframework.security.authorization.method.AuthorizationAdvisorPro
import org.springframework.security.authorization.method.AuthorizationProxy; import org.springframework.security.authorization.method.AuthorizationProxy;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.jackson.CoreJacksonModule;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@ -340,15 +340,13 @@ public class AuthorizationAdvisorProxyFactoryTests {
assertThat(factory.proxy(35)).isEqualTo(35); assertThat(factory.proxy(35)).isEqualTo(35);
} }
// TODO Find why callbacks property is serialized with Jackson 3, not with Jackson 2
// FIXME: https://github.com/spring-projects/spring-security/issues/18077
@Disabled("callbacks property is serialized with Jackson 3, not with Jackson 2")
@Test @Test
public void serializeWhenAuthorizationProxyObjectThenOnlyIncludesProxiedProperties() { public void serializeWhenAuthorizationProxyObjectThenOnlyIncludesProxiedProperties() {
SecurityContextHolder.getContext().setAuthentication(this.admin); SecurityContextHolder.getContext().setAuthentication(this.admin);
AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withDefaults(); AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withDefaults();
User user = proxy(factory, this.alan); User user = proxy(factory, this.alan);
JsonMapper mapper = new JsonMapper(); // gh-18077
JsonMapper mapper = JsonMapper.builder().addModule(new CoreJacksonModule()).build();
String serialized = mapper.writeValueAsString(user); String serialized = mapper.writeValueAsString(user);
Map<String, Object> properties = mapper.readValue(serialized, Map.class); Map<String, Object> properties = mapper.readValue(serialized, Map.class);
assertThat(properties).hasSize(3).containsKeys("id", "firstName", "lastName"); assertThat(properties).hasSize(3).containsKeys("id", "firstName", "lastName");