From fe40e6d65a99af639c8c7eeed98903e704eaa99d Mon Sep 17 00:00:00 2001
From: Onur Kagan Ozcan <onurkaganozcan@gmail.com>
Date: Mon, 24 Dec 2018 23:14:41 +0300
Subject: [PATCH] Fix UsernamePasswordAuthenticationTokenDeserializer to handle
 customized object mapper inclusion settings

Resolves #4698
---
 ...sswordAuthenticationTokenDeserializer.java |  5 +++--
 ...PasswordAuthenticationTokenMixinTests.java | 21 ++++++++++++++++++-
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenDeserializer.java b/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenDeserializer.java
index a0e4dfbf32..0eb1b3c4d1 100644
--- a/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenDeserializer.java
+++ b/core/src/main/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenDeserializer.java
@@ -41,6 +41,7 @@ import org.springframework.security.core.GrantedAuthority;
  *
  * @author Jitendra Singh
  * @author Greg Turnquist
+ * @author Onur Kagan Ozcan
  * @see UsernamePasswordAuthenticationTokenMixin
  * @since 4.2
  */
@@ -69,7 +70,7 @@ class UsernamePasswordAuthenticationTokenDeserializer extends JsonDeserializer<U
 		}
 		JsonNode credentialsNode = readJsonNode(jsonNode, "credentials");
 		Object credentials;
-		if (credentialsNode.isNull()) {
+		if (credentialsNode.isNull() || credentialsNode.isMissingNode()) {
 			credentials = null;
 		} else {
 			credentials = credentialsNode.asText();
@@ -83,7 +84,7 @@ class UsernamePasswordAuthenticationTokenDeserializer extends JsonDeserializer<U
 			token = new UsernamePasswordAuthenticationToken(principal, credentials);
 		}
 		JsonNode detailsNode = readJsonNode(jsonNode, "details");
-		if (detailsNode.isNull()) {
+		if (detailsNode.isNull() || detailsNode.isMissingNode()) {
 			token.setDetails(null);
 		} else {
 			token.setDetails(detailsNode);
diff --git a/core/src/test/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenMixinTests.java b/core/src/test/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenMixinTests.java
index dbea50ce3b..4624bc2f36 100644
--- a/core/src/test/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenMixinTests.java
+++ b/core/src/test/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenMixinTests.java
@@ -29,11 +29,16 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 
-import static org.assertj.core.api.Assertions.*;
+import static com.fasterxml.jackson.annotation.JsonInclude.Include.ALWAYS;
+import static com.fasterxml.jackson.annotation.JsonInclude.Include.NON_ABSENT;
+import static com.fasterxml.jackson.annotation.JsonInclude.Include.NON_NULL;
+import static com.fasterxml.jackson.annotation.JsonInclude.Value.construct;
+import static org.assertj.core.api.Assertions.assertThat;
 
 /**
  * @author Jitendra Singh
  * @author Greg Turnquist
+ * @author Onur Kagan Ozcan
  * @since 4.2
  */
 public class UsernamePasswordAuthenticationTokenMixinTests extends AbstractMixinTests {
@@ -163,6 +168,20 @@ public class UsernamePasswordAuthenticationTokenMixinTests extends AbstractMixin
 		assertThat(deserialized).isEqualTo(original);
 	}
 
+	@Test
+	public void serializingThenDeserializingWithConfiguredObjectMapperShouldWork() throws IOException {
+		// given
+		this.mapper.setDefaultPropertyInclusion(construct(ALWAYS, NON_NULL)).setSerializationInclusion(NON_ABSENT);
+		UsernamePasswordAuthenticationToken original = new UsernamePasswordAuthenticationToken("Frodo", null);
+
+		// when
+		String serialized = this.mapper.writeValueAsString(original);
+		UsernamePasswordAuthenticationToken deserialized =
+				this.mapper.readValue(serialized, UsernamePasswordAuthenticationToken.class);
+
+		// then
+		assertThat(deserialized).isEqualTo(original);
+	}
 
 	private UsernamePasswordAuthenticationToken createToken() {
 		User user = createDefaultUser();