Add Jackson 3 support and deprecate Jackson 2 one

.gitignore

@@ -25,6 +25,7 @@ atlassian-ide-plugin.xml
 s101plugin.state
 .attach_pid*
 .~lock.*#
+.kotlin/
 
 !.idea/checkstyle-idea.xml
 !.idea/externalDependencies.xml

cas/spring-security-cas.gradle

@@ -15,6 +15,7 @@ dependencies {
 	api 'org.springframework:spring-web'
 
 	optional 'com.fasterxml.jackson.core:jackson-databind'
+	optional 'tools.jackson.core:jackson-databind'
 
 	provided 'jakarta.servlet:jakarta.servlet-api'
 

cas/src/main/java/org/springframework/security/cas/jackson/AssertionImplMixin.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.cas.jackson;
+
+import java.util.Date;
+import java.util.Map;
+
+import com.fasterxml.jackson.annotation.JsonAutoDetect;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import org.apereo.cas.client.authentication.AttributePrincipal;
+
+/**
+ * Helps in jackson deserialization of class
+ * {@link org.apereo.cas.client.validation.AssertionImpl}, which is used with
+ * {@link org.springframework.security.cas.authentication.CasAuthenticationToken}. To use
+ * this class we need to register with {@link tools.jackson.databind.json.JsonMapper}.
+ * Type information will be stored in @class property.
+ * <p>
+ * <pre>
+ *     JsonMapper mapper = JsonMapper.builder()
+ * 				.addModule(new CasJacksonModule())
+ * 				.build();
+ * </pre>
+ *
+ * @author Sebastien Deleuze
+ * @author Jitendra Singh
+ * @since 7.0
+ * @see CasJacksonModule
+ * @see org.springframework.security.jackson.SecurityJacksonModules
+ */
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
+@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
+		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
+@JsonIgnoreProperties(ignoreUnknown = true)
+class AssertionImplMixin {
+
+	/**
+	 * Mixin Constructor helps in deserialize
+	 * {@link org.apereo.cas.client.validation.AssertionImpl}
+	 * @param principal the Principal to associate with the Assertion.
+	 * @param validFromDate when the assertion is valid from.
+	 * @param validUntilDate when the assertion is valid to.
+	 * @param authenticationDate when the assertion is authenticated.
+	 * @param attributes the key/value pairs for this attribute.
+	 */
+	@JsonCreator
+	AssertionImplMixin(
+			@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonProperty("principal") AttributePrincipal principal,
+			@JsonProperty("validFromDate") Date validFromDate, @JsonProperty("validUntilDate") Date validUntilDate,
+			@JsonProperty("authenticationDate") Date authenticationDate,
+			@JsonProperty("attributes") Map<String, Object> attributes) {
+	}
+
+}

cas/src/main/java/org/springframework/security/cas/jackson/AttributePrincipalImplMixin.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.cas.jackson;
+
+import java.util.Map;
+
+import com.fasterxml.jackson.annotation.JsonAutoDetect;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import org.apereo.cas.client.proxy.ProxyRetriever;
+
+/**
+ * Helps in deserialize
+ * {@link org.apereo.cas.client.authentication.AttributePrincipalImpl} which is used with
+ * {@link org.springframework.security.cas.authentication.CasAuthenticationToken}. Type
+ * information will be stored in property named @class.
+ * <p>
+ * <pre>
+ *     JsonMapper mapper = JsonMapper.builder()
+ * 				.addModule(new CasJacksonModule())
+ * 				.build();
+ * </pre>
+ *
+ * @author Sebastien Deleuze
+ * @author Jitendra Singh
+ * @since 7.0
+ * @see CasJacksonModule
+ * @see org.springframework.security.jackson.SecurityJacksonModules
+ */
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
+@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
+		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
+@JsonIgnoreProperties(ignoreUnknown = true)
+class AttributePrincipalImplMixin {
+
+	/**
+	 * Mixin Constructor helps in deserialize
+	 * {@link org.apereo.cas.client.authentication.AttributePrincipalImpl}
+	 * @param name the unique identifier for the principal.
+	 * @param attributes the key/value pairs for this principal.
+	 * @param proxyGrantingTicket the ticket associated with this principal.
+	 * @param proxyRetriever the ProxyRetriever implementation to call back to the CAS
+	 * server.
+	 */
+	@JsonCreator
+	AttributePrincipalImplMixin(@JsonProperty("name") String name,
+			@JsonProperty("attributes") Map<String, Object> attributes,
+			@JsonProperty("proxyGrantingTicket") String proxyGrantingTicket,
+			@JsonProperty("proxyRetriever") ProxyRetriever proxyRetriever) {
+	}
+
+}

cas/src/main/java/org/springframework/security/cas/jackson/CasAuthenticationTokenMixin.java

@@ -0,0 +1,87 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.cas.jackson;
+
+import java.util.Collection;
+
+import com.fasterxml.jackson.annotation.JsonAutoDetect;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import org.apereo.cas.client.validation.Assertion;
+
+import org.springframework.security.cas.authentication.CasAuthenticationProvider;
+import org.springframework.security.cas.authentication.CasAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+
+/**
+ * Mixin class which helps in deserialize {@link CasAuthenticationToken} using jackson.
+ * Two more dependent classes needs to register along with this mixin class.
+ * <ol>
+ * <li>{@link AssertionImplMixin}</li>
+ * <li>{@link AttributePrincipalImplMixin}</li>
+ * </ol>
+ *
+ * <p>
+ *
+ * <pre>
+ *     JsonMapper mapper = JsonMapper.builder()
+ * 				.addModule(new CasJacksonModule())
+ * 				.build();
+ * </pre>
+ *
+ * @author Sebastien Deleuze
+ * @author Jitendra Singh
+ * @since 7.0
+ * @see CasJacksonModule
+ * @see org.springframework.security.jackson.SecurityJacksonModules
+ */
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
+@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,
+		getterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY)
+@JsonIgnoreProperties(ignoreUnknown = true)
+class CasAuthenticationTokenMixin {
+
+	/**
+	 * Mixin Constructor helps in deserialize {@link CasAuthenticationToken}
+	 * @param keyHash hashCode of provided key to identify if this object made by a given
+	 * {@link CasAuthenticationProvider}
+	 * @param principal typically the UserDetails object (cannot be <code>null</code>)
+	 * @param credentials the service/proxy ticket ID from CAS (cannot be
+	 * <code>null</code>)
+	 * @param authorities the authorities granted to the user (from the
+	 * {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
+	 * be <code>null</code>)
+	 * @param userDetails the user details (from the
+	 * {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
+	 * be <code>null</code>)
+	 * @param assertion the assertion returned from the CAS servers. It contains the
+	 * principal and how to obtain a proxy ticket for the user.
+	 */
+	@JsonCreator
+	CasAuthenticationTokenMixin(@JsonProperty("keyHash") Integer keyHash,
+			@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonProperty("principal") Object principal,
+			@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonProperty("credentials") Object credentials,
+			@JsonTypeInfo(
+					use = JsonTypeInfo.Id.CLASS) @JsonProperty("authorities") Collection<? extends GrantedAuthority> authorities,
+			@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonProperty("userDetails") UserDetails userDetails,
+			@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonProperty("assertion") Assertion assertion) {
+	}
+
+}

cas/src/main/java/org/springframework/security/cas/jackson/CasJacksonModule.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.cas.jackson;
+
+import org.apereo.cas.client.authentication.AttributePrincipalImpl;
+import org.apereo.cas.client.validation.AssertionImpl;
+import tools.jackson.core.Version;
+import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
+
+import org.springframework.security.cas.authentication.CasAuthenticationToken;
+import org.springframework.security.jackson.SecurityJacksonModule;
+import org.springframework.security.jackson.SecurityJacksonModules;
+
+/**
+ * Jackson module for spring-security-cas. This module register
+ * {@link AssertionImplMixin}, {@link AttributePrincipalImplMixin} and
+ * {@link CasAuthenticationTokenMixin}. If no default typing enabled by default then it'll
+ * enable it because typing info is needed to properly serialize/deserialize objects. In
+ * order to use this module just add this module into your JsonMapper configuration.
+ *
+ * <pre>
+ * JsonMapper mapper = JsonMapper.builder()
+ * 				.addModule(new CasJacksonModule())
+ * 				.build();
+ * </pre>
+ *
+ * <b>Note: use {@link SecurityJacksonModules#getModules(ClassLoader)} to get list of all
+ * security modules on the classpath.</b>
+ *
+ * @author Sebastien Deleuze
+ * @author Jitendra Singh
+ * @since 7.0
+ * @see SecurityJacksonModules
+ */
+public class CasJacksonModule extends SecurityJacksonModule {
+
+	public CasJacksonModule() {
+		super(CasJacksonModule.class.getName(), new Version(1, 0, 0, null, null, null));
+	}
+
+	@Override
+	protected void configurePolymorphicTypeValidator(BasicPolymorphicTypeValidator.Builder builder) {
+		builder.allowIfSubType(AssertionImpl.class).allowIfSubType(AttributePrincipalImpl.class);
+	}
+
+	@Override
+	public void setupModule(SetupContext context) {
+		context.setMixIn(AssertionImpl.class, AssertionImplMixin.class);
+		context.setMixIn(AttributePrincipalImpl.class, AttributePrincipalImplMixin.class);
+		context.setMixIn(CasAuthenticationToken.class, CasAuthenticationTokenMixin.class);
+	}
+
+}

cas/src/main/java/org/springframework/security/cas/jackson/package-info.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Jackson 3+ serialization support for CAS.
+ */
+package org.springframework.security.cas.jackson;

cas/src/main/java/org/springframework/security/cas/jackson2/AssertionImplMixin.java

@@ -33,6 +33,7 @@
  * this class we need to register with
  * {@link com.fasterxml.jackson.databind.ObjectMapper}. Type information will be stored
  * in @class property.
+ *
  * <p>
  * <pre>
  *     ObjectMapper mapper = new ObjectMapper();
@@ -43,7 +44,10 @@
  * @since 4.2
  * @see CasJackson2Module
  * @see org.springframework.security.jackson2.SecurityJackson2Modules
+ * @deprecated as of 7.0 in favor of
+ * {@code org.springframework.security.cas.jackson.AssertionImplMixin} based on Jackson 3
  */
+@Deprecated(forRemoval = true)
 @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
 @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
 		isGetterVisibility = JsonAutoDetect.Visibility.NONE)