WIP Remove global default typing

This commits remove global default typing for better security and
use instead a custom PolymorphicTypeValidator. See
https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba for more details.

TODO Configure the PolymorphicTypeValidator in each module

Author: sdeleuze

cas/src/main/java/org/springframework/security/cas/jackson/AssertionImplMixin.java

@@ -45,7 +45,7 @@
  * @see CasJacksonModule
  * @see org.springframework.security.jackson.SecurityJacksonModules
  */
-@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
 		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
 @JsonIgnoreProperties(ignoreUnknown = true)
@@ -61,7 +61,8 @@ class AssertionImplMixin {
 	 * @param attributes the key/value pairs for this attribute.
 	 */
 	@JsonCreator
-	AssertionImplMixin(@JsonProperty("principal") AttributePrincipal principal,
+	AssertionImplMixin(
+			@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonProperty("principal") AttributePrincipal principal,
 			@JsonProperty("validFromDate") Date validFromDate, @JsonProperty("validUntilDate") Date validUntilDate,
 			@JsonProperty("authenticationDate") Date authenticationDate,
 			@JsonProperty("attributes") Map<String, Object> attributes) {

cas/src/main/java/org/springframework/security/cas/jackson/AttributePrincipalImplMixin.java

@@ -43,7 +43,7 @@
  * @see CasJacksonModule
  * @see org.springframework.security.jackson.SecurityJacksonModules
  */
-@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
 		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
 @JsonIgnoreProperties(ignoreUnknown = true)

cas/src/main/java/org/springframework/security/cas/jackson/CasAuthenticationTokenMixin.java

@@ -52,7 +52,7 @@
  * @see CasJacksonModule
  * @see org.springframework.security.jackson.SecurityJacksonModules
  */
-@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,
 		getterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY)
 @JsonIgnoreProperties(ignoreUnknown = true)
@@ -75,10 +75,13 @@ class CasAuthenticationTokenMixin {
 	 * principal and how to obtain a proxy ticket for the user.
 	 */
 	@JsonCreator
-	CasAuthenticationTokenMixin(@JsonProperty("keyHash") Integer keyHash, @JsonProperty("principal") Object principal,
-			@JsonProperty("credentials") Object credentials,
-			@JsonProperty("authorities") Collection<? extends GrantedAuthority> authorities,
-			@JsonProperty("userDetails") UserDetails userDetails, @JsonProperty("assertion") Assertion assertion) {
+	CasAuthenticationTokenMixin(@JsonProperty("keyHash") Integer keyHash,
+			@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonProperty("principal") Object principal,
+			@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonProperty("credentials") Object credentials,
+			@JsonTypeInfo(
+					use = JsonTypeInfo.Id.CLASS) @JsonProperty("authorities") Collection<? extends GrantedAuthority> authorities,
+			@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonProperty("userDetails") UserDetails userDetails,
+			@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonProperty("assertion") Assertion assertion) {
 	}
 
 }

cas/src/main/java/org/springframework/security/cas/jackson/CasJacksonModule.java

@@ -19,11 +19,9 @@
 import org.apereo.cas.client.authentication.AttributePrincipalImpl;
 import org.apereo.cas.client.validation.AssertionImpl;
 import tools.jackson.core.Version;
-import tools.jackson.databind.cfg.MapperBuilder;
 import tools.jackson.databind.module.SimpleModule;
 
 import org.springframework.security.cas.authentication.CasAuthenticationToken;
-import org.springframework.security.jackson.AllowlistTypeResolverBuilder;
 import org.springframework.security.jackson.SecurityJacksonModules;
 
 /**
@@ -55,7 +53,6 @@ public CasJacksonModule() {
 
 	@Override
 	public void setupModule(SetupContext context) {
-		((MapperBuilder<?, ?>) context.getOwner()).setDefaultTyping(new AllowlistTypeResolverBuilder());
 		context.setMixIn(AssertionImpl.class, AssertionImplMixin.class);
 		context.setMixIn(AttributePrincipalImpl.class, AttributePrincipalImplMixin.class);
 		context.setMixIn(CasAuthenticationToken.class, CasAuthenticationTokenMixin.class);

cas/src/test/java/org/springframework/security/cas/jackson/CasAuthenticationTokenMixinTests.java

@@ -56,11 +56,9 @@ public class CasAuthenticationTokenMixinTests {
 
 	public static final String AUTHORITY_JSON = "{\"@class\": \"org.springframework.security.core.authority.SimpleGrantedAuthority\", \"authority\": \"ROLE_USER\"}";
 
-	public static final String AUTHORITIES_SET_JSON = "[\"java.util.Collections$UnmodifiableSet\", [" + AUTHORITY_JSON
-			+ "]]";
+	public static final String AUTHORITIES_SET_JSON = "[" + AUTHORITY_JSON + "]";
 
-	public static final String AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.Collections$UnmodifiableRandomAccessList\", ["
-			+ AUTHORITY_JSON + "]]";
+	public static final String AUTHORITIES_ARRAYLIST_JSON = "[" + AUTHORITY_JSON + "]";
 
 	// @formatter:off
 	public static final String USER_JSON = "{"
@@ -81,13 +79,10 @@ public class CasAuthenticationTokenMixinTests {
 			+ "," + "\"authenticated\": true, " + "\"details\": null," + "\"assertion\": {"
 			+ "\"@class\": \"org.apereo.cas.client.validation.AssertionImpl\", " + "\"principal\": {"
 			+ "\"@class\": \"org.apereo.cas.client.authentication.AttributePrincipalImpl\", "
-			+ "\"name\": \"assertName\", " + "\"attributes\": {\"@class\": \"java.util.Collections$EmptyMap\"}, "
-			+ "\"proxyGrantingTicket\": null, " + "\"proxyRetriever\": null" + "}, "
-			+ "\"validFromDate\": [\"java.util.Date\", " + START_DATE.getTime() + "], "
-			+ "\"validUntilDate\": [\"java.util.Date\", " + END_DATE.getTime() + "],"
-			+ "\"authenticationDate\": [\"java.util.Date\", " + START_DATE.getTime() + "], "
-			+ "\"attributes\": {\"@class\": \"java.util.Collections$EmptyMap\"},"
-			+ "\"context\": {\"@class\":\"java.util.HashMap\"}" + "}" + "}";
+			+ "\"name\": \"assertName\", " + "\"attributes\": {}, " + "\"proxyGrantingTicket\": null, "
+			+ "\"proxyRetriever\": null" + "}, " + "\"validFromDate\":" + START_DATE.getTime() + ", "
+			+ "\"validUntilDate\":" + END_DATE.getTime() + "," + "\"authenticationDate\":" + START_DATE.getTime() + ", "
+			+ "\"attributes\": {}," + "\"context\": {}" + "}" + "}";
 
 	private static final String CAS_TOKEN_CLEARED_JSON = CAS_TOKEN_JSON.replaceFirst(PASSWORD, "null");
 

core/src/main/java/org/springframework/security/jackson/AllowlistTypeResolverBuilder.java

@@ -23,6 +23,7 @@
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import org.jspecify.annotations.Nullable;
 
 import org.springframework.security.core.GrantedAuthority;
 
@@ -47,7 +48,7 @@
  * @see CoreJacksonModule
  * @see SecurityJacksonModules
  */
-@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,
 		getterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY)
 @JsonIgnoreProperties(ignoreUnknown = true)
@@ -63,8 +64,12 @@ class AnonymousAuthenticationTokenMixin {
 	 */
 	@JsonCreator
 	AnonymousAuthenticationTokenMixin(@JsonProperty("keyHash") Integer keyHash,
-			@JsonProperty("principal") Object principal,
-			@JsonProperty("authorities") Collection<? extends GrantedAuthority> authorities) {
+			@JsonProperty("principal") @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) Object principal,
+			@JsonProperty("authorities") @JsonTypeInfo(
+					use = JsonTypeInfo.Id.CLASS) Collection<? extends GrantedAuthority> authorities) {
 	}
 
+	@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
+	private final @Nullable Collection<GrantedAuthority> authorities = null;
+
 }

core/src/main/java/org/springframework/security/jackson/AnonymousAuthenticationTokenMixin.java

@@ -41,7 +41,7 @@
  * @since 7.0
  * @see CoreJacksonModule
  */
-@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
 @JsonIgnoreProperties(ignoreUnknown = true, value = { "cause", "stackTrace", "authenticationRequest" })
 class BadCredentialsExceptionMixin {
 

core/src/main/java/org/springframework/security/jackson/BadCredentialsExceptionMixin.java

@@ -16,15 +16,22 @@
 
 package org.springframework.security.jackson;
 
+import java.time.Instant;
+
 import tools.jackson.core.Version;
 import tools.jackson.databind.cfg.MapperBuilder;
+import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
+import tools.jackson.databind.jsontype.PolymorphicTypeValidator;
 import tools.jackson.databind.module.SimpleModule;
 
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.RememberMeAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextImpl;
 import org.springframework.security.core.userdetails.User;
 
 /**
@@ -60,13 +67,63 @@ public CoreJacksonModule() {
 
 	@Override
 	public void setupModule(SetupContext context) {
-		((MapperBuilder<?, ?>) context.getOwner()).setDefaultTyping(new AllowlistTypeResolverBuilder());
+		PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
+			.allowIfSubType(Instant.class)
+			// TODO Check if really necessary
+			.allowIfSubType("java.util.Collections$UnmodifiableSet")
+			.allowIfBaseType(GrantedAuthority.class)
+			.allowIfBaseType(Authentication.class)
+			.allowIfSubType(User.class)
+			.allowIfSubType(BadCredentialsException.class)
+			.allowIfSubType(SecurityContextImpl.class)
+			// TODO Move to the proper cas module
+			.allowIfSubType("org.apereo.cas.client.validation.AssertionImpl")
+			.allowIfSubType("org.apereo.cas.client.authentication.AttributePrincipalImpl")
+			// TODO Move to the proper ldap module
+			.allowIfSubType("org.springframework.security.ldap.userdetails.InetOrgPerson")
+			.allowIfSubType("org.springframework.security.ldap.userdetails.LdapUserDetailsImpl")
+			.allowIfSubType("org.springframework.security.ldap.userdetails.Person")
+			// TODO Move to the proper oauth2-client module
+			.allowIfSubType("org.springframework.security.oauth2.core.OAuth2AuthenticationException")
+			.allowIfSubType("org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser")
+			.allowIfSubType("org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest")
+			.allowIfSubType("org.springframework.security.oauth2.core.OAuth2Error")
+			.allowIfSubType("org.springframework.security.oauth2.client.OAuth2AuthorizedClient")
+			.allowIfSubType("org.springframework.security.oauth2.core.oidc.OidcIdToken")
+			.allowIfSubType("org.springframework.security.oauth2.core.oidc.OidcUserInfo")
+			.allowIfSubType("org.springframework.security.oauth2.core.user.DefaultOAuth2User")
+			.allowIfSubType("org.springframework.security.oauth2.client.registration.ClientRegistration")
+			.allowIfSubType("org.springframework.security.oauth2.core.OAuth2AccessToken")
+			.allowIfSubType("org.springframework.security.oauth2.core.OAuth2RefreshToken")
+			// TODO Move to the proper saml2-service-provider module
+			.allowIfSubType("org.springframework.security.saml2.provider.service.authentication.Saml2ResponseAssertion")
+			.allowIfSubType(
+					"org.springframework.security.saml2.provider.service.authentication.DefaultSaml2AuthenticatedPrincipal")
+			.allowIfSubType(
+					"org.springframework.security.saml2.provider.service.authentication.Saml2PostAuthenticationRequest")
+			.allowIfSubType(
+					"org.springframework.security.saml2.provider.service.authentication.logout.Saml2LogoutRequest")
+			.allowIfSubType(
+					"org.springframework.security.saml2.provider.service.authentication.Saml2RedirectAuthenticationRequest")
+			.allowIfSubType(
+					"org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticationException")
+			.allowIfSubType("org.springframework.security.saml2.core.Saml2Error")
+			// TODO Move to the proper web module
+			.allowIfSubType("jakarta.servlet.http.Cookie")
+			.allowIfSubType("org.springframework.security.web.csrf.DefaultCsrfToken")
+			.allowIfSubType("org.springframework.security.web.savedrequest.DefaultSavedRequest")
+			.allowIfSubType("org.springframework.security.web.savedrequest.SavedCookie")
+			.allowIfSubType("org.springframework.security.web.authentication.WebAuthenticationDetails")
+			.allowIfSubType("org.springframework.security.web.server.csrf.DefaultCsrfToken")
+			.build();
+		((MapperBuilder<?, ?>) context.getOwner()).polymorphicTypeValidator(ptv);
 		context.setMixIn(AnonymousAuthenticationToken.class, AnonymousAuthenticationTokenMixin.class);
 		context.setMixIn(RememberMeAuthenticationToken.class, RememberMeAuthenticationTokenMixin.class);
 		context.setMixIn(SimpleGrantedAuthority.class, SimpleGrantedAuthorityMixin.class);
 		context.setMixIn(User.class, UserMixin.class);
 		context.setMixIn(UsernamePasswordAuthenticationToken.class, UsernamePasswordAuthenticationTokenMixin.class);
 		context.setMixIn(BadCredentialsException.class, BadCredentialsExceptionMixin.class);
+		context.setMixIn(SecurityContextImpl.class, SecurityContextImplMixin.class);
 	}
 
 }