OAuth2AuthorizationServerJacksonModule should not override type validator configuration in SecurityJacksonModules

[aspan]

The OAuth2AuthorizationServerJacksonModule creates its own polymorphic type validator overriding the type validator created in SecurityJacksonModules.

Affects jackson3 support in 7.0.0-RC1

The following code should be removed from OAuth2AuthorizationServerJacksonModule.

		BasicPolymorphicTypeValidator.Builder builder = BasicPolymorphicTypeValidator.builder();
		this.configurePolymorphicTypeValidator(builder);
		((MapperBuilder<?, ?>) context.getOwner()).activateDefaultTyping(builder.build(), DefaultTyping.NON_FINAL,
				JsonTypeInfo.As.PROPERTY);

After removing the type validator I had to create the module and a type validator so the same type validator is used throughout the Jackson configuration.

    @Bean
    JsonMapperBuilderCustomizer jsonMapperBuilderCustomizer() {
        return new JsonMapperBuilderCustomizer() {
            @Override
            public void customize(@NonNull Builder jsonMapperBuilder) {
                BasicPolymorphicTypeValidator.Builder builder = BasicPolymorphicTypeValidator.builder();
                var oAuth2AuthorizationServerJacksonModule = new OAuth2AuthorizationServerJacksonModule();
                oAuth2AuthorizationServerJacksonModule.configurePolymorphicTypeValidator(builder);
                jsonMapperBuilder.addModules(SecurityJacksonModules.getModules(getClass().getClassLoader(), builder))
                                 .addModules(oAuth2AuthorizationServerJacksonModule);
            }
        };
    }

[christian-landbo]

Just upgraded from Boot M3 to RC1 and now we get a

Caused by: tools.jackson.databind.exc.InvalidTypeIdException: Could not resolve type id 'org.springframework.security.web.authentication.WebAuthenticationDetails' as a subtype of `java.lang.Object`: Configured `PolymorphicTypeValidator` (of type `tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator`) denied resolution

I suspect this issue is why we see this all of a sudden.

We are using JdbcOAuth2AuthorizationService.

Trace:

Caused by: tools.jackson.databind.exc.InvalidTypeIdException: Could not resolve type id 'org.springframework.security.web.authentication.WebAuthenticationDetails' as a subtype of `java.lang.Object`: Configured `PolymorphicTypeValidator` (of type `tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator`) denied resolution
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); byte offset: #UNKNOWN] (through reference chain: java.util.LinkedHashMap["java.security.Principal"])
	at tools.jackson.databind.exc.InvalidTypeIdException.from(InvalidTypeIdException.java:41)
	at tools.jackson.databind.DeserializationContext.invalidTypeIdException(DeserializationContext.java:2106)
	at tools.jackson.databind.DatabindContext._throwSubtypeClassNotAllowed(DatabindContext.java:285)
	at tools.jackson.databind.DatabindContext.resolveAndValidateSubType(DatabindContext.java:240)
	at tools.jackson.databind.jsontype.impl.ClassNameIdResolver._typeFromId(ClassNameIdResolver.java:87)
	at tools.jackson.databind.jsontype.impl.ClassNameIdResolver.typeFromId(ClassNameIdResolver.java:70)
	at tools.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:154)
	at tools.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:119)
	at tools.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:103)
	at tools.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromAny(AsPropertyTypeDeserializer.java:203)
	at tools.jackson.databind.deser.jdk.UntypedObjectDeserializerNR.deserializeWithType(UntypedObjectDeserializerNR.java:98)
	at tools.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:72)
	at tools.jackson.databind.DeserializationContext._readValue(DeserializationContext.java:407)
	at tools.jackson.databind.DeserializationContext.readValue(DeserializationContext.java:391)
	at tools.jackson.databind.DeserializationContext.readValue(DeserializationContext.java:367)
	at tools.jackson.databind.DeserializationContext.readTreeAsValue(DeserializationContext.java:1205)
	at org.springframework.security.jackson.UsernamePasswordAuthenticationTokenDeserializer.deserialize(UsernamePasswordAuthenticationTokenDeserializer.java:80)
	at org.springframework.security.jackson.UsernamePasswordAuthenticationTokenDeserializer.deserialize(UsernamePasswordAuthenticationTokenDeserializer.java:47)
	at tools.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:138)
	at tools.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:103)
	at tools.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromAny(AsPropertyTypeDeserializer.java:203)
	at tools.jackson.databind.deser.jdk.UntypedObjectDeserializerNR.deserializeWithType(UntypedObjectDeserializerNR.java:98)
	at tools.jackson.databind.deser.jdk.MapDeserializer._deserializeNoNullChecks(MapDeserializer.java:867)
	at tools.jackson.databind.deser.jdk.MapDeserializer._readAndBindStringKeyMap(MapDeserializer.java:601)
	at tools.jackson.databind.deser.jdk.MapDeserializer.deserialize(MapDeserializer.java:428)
	at tools.jackson.databind.deser.jdk.MapDeserializer.deserialize(MapDeserializer.java:30)
	at tools.jackson.databind.deser.std.StdConvertingDeserializer.deserialize(StdConvertingDeserializer.java:154)
	at tools.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:138)
	at tools.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:103)
	at tools.jackson.databind.deser.jdk.MapDeserializer.deserializeWithType(MapDeserializer.java:471)
	at tools.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:72)
	at tools.jackson.databind.deser.DeserializationContextExt.readRootValue(DeserializationContextExt.java:265)
	at tools.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:2610)
	at tools.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:1564)
	at org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService$JsonMapperOAuth2AuthorizationRowMapper.readValue(JdbcOAuth2AuthorizationService.java:495)
	at org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService$AbstractOAuth2AuthorizationRowMapper.parseMap(JdbcOAuth2AuthorizationService.java:705)
	... 131 more

[sdeleuze]

Hey, thanks for testing the RC1, I think indeed there is something to fix here.

I followed the original design of the freshly integrated (previously it was a standalone project) Jackson 2 support to implement the Jackson 3 support which leverages safe default typing, and focused on passing the tests, which did not exercised this WebAuthenticationDetails deserialization code path, by making OAuth2AuthorizationServerJacksonModule extending CoreJacksonModule, which does not include the types authorized by WebJacksonModule like the WebAuthenticationDetails one.

After discussing with @jgrandja, and even if the OAuth2 authorization server was previously standalone, it looks like a good idea to make it managed like other modules and benefit from SecurityJacksonModules infrastructure.

So I suggest the following changes:

• Change OAuth2AuthorizationServerJacksonModule to extend SecurityJacksonModule instead of CoreJacksonModule.
• Add support for OAuth2AuthorizationServerJacksonModule in SecurityJacksonModules like it is done for the client support.
• Replace OAuth2AuthorizationServerJacksonModule instantiations by SecurityJacksonModules.getModules(loader, builder)
• Adapt OAuth2AuthorizationServerJacksonModule Javadoc to advise using SecurityJacksonModules.getModules(loader, builder)
• Add a OAuth2 authorization server test that exercise the code path that needs WebAuthenticationDetails deserialization

That will allow automatic detection of WebJacksonModule and other modules in the classpath, as well as end-user customization of the additional types to customize.

@jgrandja I am available to review a related PR or branch if needed.

[christian-landbo]

Fyi we also see it on

Could not resolve type id 'org.springframework.security.saml2.provider.service.authentication.Saml2AssertionAuthentication'

Is there a workaround for now?

[sdeleuze]

The proposed solution should fix it.

I think a workaround with RC1 can be to extend OAuth2AuthorizationServerJacksonModule to add the missing types via a configurePolymorphicTypeValidator override.

[jgrandja]

@christian-landbo @aspan I tried the following workaround for JdbcOAuth2AuthorizationService with success.

	JdbcOAuth2AuthorizationService.JsonMapperOAuth2AuthorizationRowMapper rowMapper =
			new JdbcOAuth2AuthorizationService.JsonMapperOAuth2AuthorizationRowMapper(registeredClientRepository, createJsonMapper());
	jdbcAuthorizationService.setAuthorizationRowMapper(rowMapper);

	.....

	private static JsonMapper createJsonMapper() {
		BasicPolymorphicTypeValidator.Builder builder = BasicPolymorphicTypeValidator.builder();
		OAuth2AuthorizationServerJacksonModule authorizationServerJacksonModule = new OAuth2AuthorizationServerJacksonModule();
		authorizationServerJacksonModule.configurePolymorphicTypeValidator(builder);
		List<JacksonModule> securityJacksonModules = SecurityJacksonModules.getModules(JdbcOAuth2AuthorizationService.class.getClassLoader(), builder);
		return JsonMapper.builder()
				// IMPORTANT: authorizationServerJacksonModule MUST be before securityJacksonModules
				.addModules(authorizationServerJacksonModule)
				.addModules(securityJacksonModules)
				.build();
	}

Can you please try on your end and let me know if it worked? Thanks.

[aspan]

@jgrandja Yes that works. Switching the order did the trick.

[jgrandja]

Thanks @aspan !