Remove global default typing

This commits remove global default typing for better security
and use instead a custom PolymorphicTypeValidator. See
https://cowtowncoder.medium.com/jackson-2-10-safe-default-typing-2d018f0ce2ba
for more details.

See gh-17832
Signed-off-by: Sébastien Deleuze <sdeleuze@users.noreply.github.com>

Author: sdeleuze

cas/src/main/java/org/springframework/security/cas/jackson/AssertionImplMixin.java

@@ -45,7 +45,7 @@
  * @see CasJacksonModule
  * @see org.springframework.security.jackson.SecurityJacksonModules
  */
-@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
 		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
 @JsonIgnoreProperties(ignoreUnknown = true)
@@ -61,7 +61,8 @@ class AssertionImplMixin {
 	 * @param attributes the key/value pairs for this attribute.
 	 */
 	@JsonCreator
-	AssertionImplMixin(@JsonProperty("principal") AttributePrincipal principal,
+	AssertionImplMixin(
+			@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonProperty("principal") AttributePrincipal principal,
 			@JsonProperty("validFromDate") Date validFromDate, @JsonProperty("validUntilDate") Date validUntilDate,
 			@JsonProperty("authenticationDate") Date authenticationDate,
 			@JsonProperty("attributes") Map<String, Object> attributes) {

cas/src/main/java/org/springframework/security/cas/jackson/AttributePrincipalImplMixin.java

@@ -43,7 +43,7 @@
  * @see CasJacksonModule
  * @see org.springframework.security.jackson.SecurityJacksonModules
  */
-@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
 		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
 @JsonIgnoreProperties(ignoreUnknown = true)

cas/src/main/java/org/springframework/security/cas/jackson/CasAuthenticationTokenMixin.java

@@ -52,7 +52,7 @@
  * @see CasJacksonModule
  * @see org.springframework.security.jackson.SecurityJacksonModules
  */
-@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,
 		getterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY)
 @JsonIgnoreProperties(ignoreUnknown = true)
@@ -75,10 +75,13 @@ class CasAuthenticationTokenMixin {
 	 * principal and how to obtain a proxy ticket for the user.
 	 */
 	@JsonCreator
-	CasAuthenticationTokenMixin(@JsonProperty("keyHash") Integer keyHash, @JsonProperty("principal") Object principal,
-			@JsonProperty("credentials") Object credentials,
-			@JsonProperty("authorities") Collection<? extends GrantedAuthority> authorities,
-			@JsonProperty("userDetails") UserDetails userDetails, @JsonProperty("assertion") Assertion assertion) {
+	CasAuthenticationTokenMixin(@JsonProperty("keyHash") Integer keyHash,
+			@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonProperty("principal") Object principal,
+			@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonProperty("credentials") Object credentials,
+			@JsonTypeInfo(
+					use = JsonTypeInfo.Id.CLASS) @JsonProperty("authorities") Collection<? extends GrantedAuthority> authorities,
+			@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonProperty("userDetails") UserDetails userDetails,
+			@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonProperty("assertion") Assertion assertion) {
 	}
 
 }

cas/src/main/java/org/springframework/security/cas/jackson/CasJacksonModule.java

@@ -19,11 +19,10 @@
 import org.apereo.cas.client.authentication.AttributePrincipalImpl;
 import org.apereo.cas.client.validation.AssertionImpl;
 import tools.jackson.core.Version;
-import tools.jackson.databind.cfg.MapperBuilder;
-import tools.jackson.databind.module.SimpleModule;
+import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
 
 import org.springframework.security.cas.authentication.CasAuthenticationToken;
-import org.springframework.security.jackson.AllowlistTypeResolverBuilder;
+import org.springframework.security.jackson.SecurityJacksonModule;
 import org.springframework.security.jackson.SecurityJacksonModules;
 
 /**
@@ -47,15 +46,19 @@
  * @since 7.0
  * @see SecurityJacksonModules
  */
-public class CasJacksonModule extends SimpleModule {
+public class CasJacksonModule extends SecurityJacksonModule {
 
 	public CasJacksonModule() {
 		super(CasJacksonModule.class.getName(), new Version(1, 0, 0, null, null, null));
 	}
 
+	@Override
+	protected void configurePolymorphicTypeValidator(BasicPolymorphicTypeValidator.Builder builder) {
+		builder.allowIfSubType(AssertionImpl.class).allowIfSubType(AttributePrincipalImpl.class);
+	}
+
 	@Override
 	public void setupModule(SetupContext context) {
-		((MapperBuilder<?, ?>) context.getOwner()).setDefaultTyping(new AllowlistTypeResolverBuilder());
 		context.setMixIn(AssertionImpl.class, AssertionImplMixin.class);
 		context.setMixIn(AttributePrincipalImpl.class, AttributePrincipalImplMixin.class);
 		context.setMixIn(CasAuthenticationToken.class, CasAuthenticationTokenMixin.class);

cas/src/test/java/org/springframework/security/cas/jackson/CasAuthenticationTokenMixinTests.java

@@ -28,7 +28,6 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.skyscreamer.jsonassert.JSONAssert;
-import tools.jackson.databind.cfg.DateTimeFeature;
 import tools.jackson.databind.json.JsonMapper;
 
 import org.springframework.security.cas.authentication.CasAuthenticationToken;
@@ -56,11 +55,9 @@ public class CasAuthenticationTokenMixinTests {
 
 	public static final String AUTHORITY_JSON = "{\"@class\": \"org.springframework.security.core.authority.SimpleGrantedAuthority\", \"authority\": \"ROLE_USER\"}";
 
-	public static final String AUTHORITIES_SET_JSON = "[\"java.util.Collections$UnmodifiableSet\", [" + AUTHORITY_JSON
-			+ "]]";
+	public static final String AUTHORITIES_SET_JSON = "[" + AUTHORITY_JSON + "]";
 
-	public static final String AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.Collections$UnmodifiableRandomAccessList\", ["
-			+ AUTHORITY_JSON + "]]";
+	public static final String AUTHORITIES_ARRAYLIST_JSON = "[" + AUTHORITY_JSON + "]";
 
 	// @formatter:off
 	public static final String USER_JSON = "{"
@@ -81,13 +78,10 @@ public class CasAuthenticationTokenMixinTests {
 			+ "," + "\"authenticated\": true, " + "\"details\": null," + "\"assertion\": {"
 			+ "\"@class\": \"org.apereo.cas.client.validation.AssertionImpl\", " + "\"principal\": {"
 			+ "\"@class\": \"org.apereo.cas.client.authentication.AttributePrincipalImpl\", "
-			+ "\"name\": \"assertName\", " + "\"attributes\": {\"@class\": \"java.util.Collections$EmptyMap\"}, "
-			+ "\"proxyGrantingTicket\": null, " + "\"proxyRetriever\": null" + "}, "
-			+ "\"validFromDate\": [\"java.util.Date\", " + START_DATE.getTime() + "], "
-			+ "\"validUntilDate\": [\"java.util.Date\", " + END_DATE.getTime() + "],"
-			+ "\"authenticationDate\": [\"java.util.Date\", " + START_DATE.getTime() + "], "
-			+ "\"attributes\": {\"@class\": \"java.util.Collections$EmptyMap\"},"
-			+ "\"context\": {\"@class\":\"java.util.HashMap\"}" + "}" + "}";
+			+ "\"name\": \"assertName\", " + "\"attributes\": {}, " + "\"proxyGrantingTicket\": null, "
+			+ "\"proxyRetriever\": null" + "}, " + "\"validFromDate\":\"" + START_DATE.toInstant() + "\", "
+			+ "\"validUntilDate\":\"" + END_DATE.toInstant() + "\"," + "\"authenticationDate\":\""
+			+ START_DATE.toInstant() + "\", " + "\"attributes\": {}," + "\"context\": {}" + "}" + "}";
 
 	private static final String CAS_TOKEN_CLEARED_JSON = CAS_TOKEN_JSON.replaceFirst(PASSWORD, "null");
 
@@ -96,10 +90,7 @@ public class CasAuthenticationTokenMixinTests {
 	@BeforeEach
 	public void setup() {
 		ClassLoader loader = getClass().getClassLoader();
-		this.mapper = JsonMapper.builder()
-			.addModules(SecurityJacksonModules.getModules(loader))
-			.enable(DateTimeFeature.WRITE_DATES_AS_TIMESTAMPS)
-			.build();
+		this.mapper = JsonMapper.builder().addModules(SecurityJacksonModules.getModules(loader)).build();
 	}
 
 	@Test

core/src/main/java/org/springframework/security/jackson/AbstractAuthenticationTokenMixin.java

@@ -0,0 +1,34 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.jackson;
+
+import java.util.Collection;
+
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.security.core.GrantedAuthority;
+
+public class AbstractAuthenticationTokenMixin {
+
+	@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
+	private final @Nullable Collection<GrantedAuthority> authorities = null;
+
+	@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
+	private @Nullable Object details = null;
+
+}

core/src/main/java/org/springframework/security/jackson/AllowlistTypeResolverBuilder.java

@@ -47,7 +47,7 @@
  * @see CoreJacksonModule
  * @see SecurityJacksonModules
  */
-@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,
 		getterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY)
 @JsonIgnoreProperties(ignoreUnknown = true)
@@ -63,8 +63,9 @@ class AnonymousAuthenticationTokenMixin {
 	 */
 	@JsonCreator
 	AnonymousAuthenticationTokenMixin(@JsonProperty("keyHash") Integer keyHash,
-			@JsonProperty("principal") Object principal,
-			@JsonProperty("authorities") Collection<? extends GrantedAuthority> authorities) {
+			@JsonProperty("principal") @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) Object principal,
+			@JsonProperty("authorities") @JsonTypeInfo(
+					use = JsonTypeInfo.Id.CLASS) Collection<? extends GrantedAuthority> authorities) {
 	}
 
 }

core/src/main/java/org/springframework/security/jackson/AnonymousAuthenticationTokenMixin.java

@@ -41,7 +41,7 @@
  * @since 7.0
  * @see CoreJacksonModule
  */
-@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
 @JsonIgnoreProperties(ignoreUnknown = true, value = { "cause", "stackTrace", "authenticationRequest" })
 class BadCredentialsExceptionMixin {