org.springframework.security.web.authentication.WebAuthenticationDetails is not in the allowlist #10466

Closed
koundinya-goparaju-wcar opened this issue Nov 1, 2021 · 3 comments
for: stackoverflow A question that's better suited to stackoverflow.com

Comments

@koundinya-goparaju-wcar

Describe the bug
I am using postgres database to store sessions. I am trying to store the session attributes in json.
My SessionConfiguration class is as follows
```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;

import javax.annotation.Nonnull;

import com.fasterxml.jackson.databind.ObjectMapper;

import org.springframework.beans.factory.BeanClassLoaderAware;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.support.ConversionServiceFactoryBean;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.jackson2.SecurityJackson2Modules;
import org.springframework.session.config.SessionRepositoryCustomizer;
import org.springframework.session.jdbc.JdbcIndexedSessionRepository;
import org.springframework.session.jdbc.PostgreSqlJdbcIndexedSessionRepositoryCustomizer;

// NotificationService and NotificationType are application classes of the reporter's project.

@Configuration
public class SessionConfiguration implements BeanClassLoaderAware {

    private final NotificationService notificationService;

    private ClassLoader loader;

    public SessionConfiguration(NotificationService notificationService) {
        this.notificationService = notificationService;
    }

    // PostgreSQL-specific SQL for the JDBC session repository.
    @Bean
    SessionRepositoryCustomizer<JdbcIndexedSessionRepository> sessionRepositoryCustomizer() {
        return new PostgreSqlJdbcIndexedSessionRepositoryCustomizer();
    }

    // Replaces the default Java-serialization converters with JSON ones.
    @Bean
    public ConversionServiceFactoryBean conversionService() {
        ConversionServiceFactoryBean bean = new ConversionServiceFactoryBean();
        bean.setConverters(getConverters());
        return bean;
    }

    private Set<Converter> getConverters() {
        Set<Converter> converters = new HashSet<>();
        converters.add(getJsonSerializingConverter());
        converters.add(getJsonDeserializingConverter());
        return converters;
    }

    Converter<Object, byte[]> getJsonSerializingConverter() {
        return new Converter<>() {
            @Override
            public byte[] convert(@Nonnull Object source) {
                ObjectMapper objectMapper = objectMapper();
                try {
                    return objectMapper.writeValueAsBytes(source);
                } catch (IOException e) {
                    notificationService.send("Json serialization failed for Spring Session: " + e.getMessage(),
                            NotificationType.SEVERE_ERROR);
                }
                return null;
            }
        };
    }

    Converter<byte[], Object> getJsonDeserializingConverter() {
        return new Converter<>() {
            @Override
            public Object convert(@Nonnull byte[] source) {
                ObjectMapper objectMapper = objectMapper();
                try {
                    return objectMapper.readValue(source, Object.class);
                } catch (IOException e) {
                    notificationService.send("Json deserialization failed for Spring Session: " + e.getMessage(),
                            NotificationType.SEVERE_ERROR);
                }
                return null;
            }
        };
    }

    // Registers the Spring Security Jackson modules (mixins + allowlist) on the mapper.
    @Bean
    ObjectMapper objectMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.registerModules(SecurityJackson2Modules.getModules(this.loader));
        return mapper;
    }

    @Override
    public void setBeanClassLoader(@Nonnull ClassLoader classLoader) {
        this.loader = classLoader;
    }

}
```

I get the following exception during the oauth2 login flow.

```text
The class with org.springframework.security.web.authentication.WebAuthenticationDetails and name of org.springframework.security.web.authentication.WebAuthenticationDetails is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See #4370 for details (through reference chain: org.springframework.security.core.context.SecurityContextImpl["authentication"]->org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken["details"])
```
To Reproduce

Expected behavior
It shall deserialize/serialize the security related session attributes properly.

@koundinya-goparaju-wcar koundinya-goparaju-wcar added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 1, 2021
@jzheaux jzheaux self-assigned this Nov 2, 2021
@jzheaux
Contributor

jzheaux commented Nov 2, 2021

Hi, @koundinya-goparaju-wcar, sorry to hear you are having trouble.

I'm not able to reproduce the issue, and it appears that WebAuthenticationDetails is added by the getModules method so long as it can find javax.servlet.http.Cookie on the classpath.

At this point, this feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add more detail if you feel this is a genuine bug.

@jzheaux jzheaux closed this as completed Nov 2, 2021
@jzheaux jzheaux added for: stackoverflow A question that's better suited to stackoverflow.com and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 2, 2021
@okohub
Contributor

okohub commented Nov 15, 2021

@koundinya-goparaju-wcar
@jzheaux

I was actually looking for this bug in issues and I am here. The bug referred to in this issue actually arose with the Jackson 2.13 upgrade.

Here is the fix that @rwinch did:
e1f4ec1#diff-5c62847c40ed2430d1eba97aed66221b3b6dcfd599b44587b91c5f36d3189435

With Jackson 2.13, typeId resolving is changed a bit with SimpleModule.

You can check these in 2.13:

`com.fasterxml.jackson.databind.module.SimpleModule#getTypeId`
`com.fasterxml.jackson.databind.module.SimpleModule#_hasExplicitName`

The typeId was returning className in 2.12 and there was no issue (of course a typo is still a typo 😄).

With 2.13, it returns that "typo", and the set implementation does not allow adding the same id.

This ruined my day today :)

We will make a workaround until a new Spring Boot release with Security 5.6.0+

@koundinyagoparaju

koundinyagoparaju commented Nov 16, 2021

Thanks for finding the root cause @okohub!
I managed to solve the issue temporarily by setting the MapperFeature.IGNORE_DUPLICATE_MODULE_REGISTRATIONS flag to false in the ObjectMapper.
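
Added example (not code from this thread or from Spring Security): a startup or unit-test round-trip check that builds the mapper the way the reporter's converters need it and verifies that a `SecurityContext` carrying `WebAuthenticationDetails` survives JSON serialization, so a module-registration problem like the Jackson 2.13 one fails there instead of during a user's login. The `workaround` switch applies the `IGNORE_DUPLICATE_MODULE_REGISTRATIONS` change from the comment above; default typing is never enabled, so the allowlist and mixins stay the only path by which a class is instantiated from session JSON. It assumes Spring Security 5.x, Jackson 2.13 and spring-test on the classpath; the address and principal are constructed sample values.

```java
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.jackson2.SecurityJackson2Modules;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

public class SecurityContextJsonRoundTrip {
    // Registers only the Spring Security modules; default typing stays off.
    // workaround=true switches off Jackson 2.13's duplicate-typeId check
    // (the temporary fix from the comment above). disable() must precede
    // addModules(), because the builder registers modules eagerly.
    static ObjectMapper securityMapper(ClassLoader loader, boolean workaround) {
        JsonMapper.Builder builder = JsonMapper.builder();
        if (workaround) {
            builder.disable(MapperFeature.IGNORE_DUPLICATE_MODULE_REGISTRATIONS);
        }
        return builder.addModules(SecurityJackson2Modules.getModules(loader)).build();
    }

    // Round-trips a context carrying WebAuthenticationDetails and reports
    // whether the details survive (WebAuthenticationDetails.equals compares
    // remote address and session id).
    static boolean roundTrips(ObjectMapper mapper) throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setRemoteAddr("203.0.113.7");   // constructed sample address
        request.getSession(true);               // so the details carry a session id
        WebAuthenticationDetails details = new WebAuthenticationDetails(request);

        UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        auth.setDetails(details);
        SecurityContext ctx = new SecurityContextImpl(auth);

        byte[] json = mapper.writeValueAsBytes(ctx);
        SecurityContext back = mapper.readValue(json, SecurityContextImpl.class);
        Object restored = back.getAuthentication().getDetails();
        return details.equals(restored);
    }

    public static void main(String[] args) throws Exception {
        ClassLoader loader = SecurityContextJsonRoundTrip.class.getClassLoader();
        System.out.println("plain mapper round-trips: " + roundTrips(securityMapper(loader, false)));
        System.out.println("workaround round-trips:   " + roundTrips(securityMapper(loader, true)));
    }
}
```

On the affected combination described in the thread (Jackson 2.13 with a Spring Security release before the linked fix), the plain mapper is expected to throw the allowlist exception from the report while the workaround variant round-trips; once the fixed Spring Security version is on the classpath, both should pass and the workaround can be dropped.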
