Update to jackson-databind-2.8.11.1

Fixes: gh-5101

cas/src/test/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixinTests.java

@@ -55,7 +55,7 @@ public class CasAuthenticationTokenMixinTests {
 
 	public static final String AUTHORITIES_SET_JSON = "[\"java.util.Collections$UnmodifiableSet\", [" + AUTHORITY_JSON + "]]";
 
-	public static final String AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.ArrayList\", [" + AUTHORITY_JSON + "]]";
+	public static final String AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.Collections$UnmodifiableRandomAccessList\", [" + AUTHORITY_JSON + "]]";
 
 	// @formatter:off
 	public static final String USER_JSON = "{"
@@ -84,14 +84,14 @@ public class CasAuthenticationTokenMixinTests {
 			+ "\"principal\": {"
 				+ "\"@class\": \"org.jasig.cas.client.authentication.AttributePrincipalImpl\", "
 				+ "\"name\": \"assertName\", "
-				+ "\"attributes\": {\"@class\": \"java.util.Collections$EmptyMap\"}, "
+				+ "\"attributes\": {\"@class\": \"java.util.HashMap\"}, "
 				+ "\"proxyGrantingTicket\": null, "
 				+ "\"proxyRetriever\": null"
 			+ "}, "
 			+ "\"validFromDate\": [\"java.util.Date\", " + START_DATE.getTime() + "], "
 			+ "\"validUntilDate\": [\"java.util.Date\", " + END_DATE.getTime() + "],"
 			+ "\"authenticationDate\": [\"java.util.Date\", " + START_DATE.getTime() + "], "
-			+ "\"attributes\": {\"@class\": \"java.util.Collections$EmptyMap\"}" +
+			+ "\"attributes\": {\"@class\": \"java.util.HashMap\"}" +
 		"}"
 	+ "}";
 

core/src/main/java/org/springframework/security/jackson2/CoreJackson2Module.java

@@ -58,6 +58,7 @@ public class CoreJackson2Module extends SimpleModule {
 		context.setMixInAnnotations(RememberMeAuthenticationToken.class, RememberMeAuthenticationTokenMixin.class);
 		context.setMixInAnnotations(SimpleGrantedAuthority.class, SimpleGrantedAuthorityMixin.class);
 		context.setMixInAnnotations(Collections.<Object>unmodifiableSet(Collections.emptySet()).getClass(), UnmodifiableSetMixin.class);
+		context.setMixInAnnotations(Collections.<Object>unmodifiableList(Collections.emptyList()).getClass(), UnmodifiableListMixin.class);
 		context.setMixInAnnotations(User.class, UserMixin.class);
 		context.setMixInAnnotations(UsernamePasswordAuthenticationToken.class, UsernamePasswordAuthenticationTokenMixin.class);
 	}

core/src/main/java/org/springframework/security/jackson2/SecurityJackson2Modules.java

@@ -143,6 +143,7 @@ public final class SecurityJackson2Modules {
 		private static final Set<String> WHITELIST_CLASS_NAMES = Collections.unmodifiableSet(new HashSet(Arrays.asList(
 			"java.util.ArrayList",
 			"java.util.Collections$EmptyMap",
+			"java.util.Collections$UnmodifiableRandomAccessList",
 			"java.util.Date",
 			"java.util.TreeMap",
 			"java.util.HashMap",

core/src/main/java/org/springframework/security/jackson2/UnmodifiableListDeserializer.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.jackson2;
+
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ArrayNode;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * Custom deserializer for {@link UnmodifiableListMixin}.
+ *
+ * @author Rob Winch
+ * @see UnmodifiableSetMixin
+ * @since 4.2
+ */
+class UnmodifiableListDeserializer extends JsonDeserializer<List> {
+
+	@Override
+	public List deserialize(JsonParser jp, DeserializationContext ctxt) throws IOException, JsonProcessingException {
+		ObjectMapper mapper = (ObjectMapper) jp.getCodec();
+		JsonNode node = mapper.readTree(jp);
+		List<Object> result = new ArrayList<Object>();
+		if (node != null) {
+			if (node instanceof ArrayNode) {
+				ArrayNode arrayNode = (ArrayNode) node;
+				Iterator<JsonNode> nodeIterator = arrayNode.iterator();
+				while (nodeIterator.hasNext()) {
+					JsonNode elementNode = nodeIterator.next();
+					result.add(mapper.readValue(elementNode.traverse(mapper), Object.class));
+				}
+			} else {
+				result.add(mapper.readValue(node.traverse(mapper), Object.class));
+			}
+		}
+		return Collections.unmodifiableList(result);
+	}
+}

core/src/main/java/org/springframework/security/jackson2/UnmodifiableListMixin.java

@@ -0,0 +1,50 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.jackson2;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+
+import java.util.Set;
+
+/**
+ * This mixin class used to deserialize java.util.Collections$UnmodifiableRandomAccessList
+ * and used with various AuthenticationToken implementation's mixin classes.
+ *
+ * <pre>
+ *     ObjectMapper mapper = new ObjectMapper();
+ *     mapper.registerModule(new CoreJackson2Module());
+ * </pre>
+ *
+ * @author Rob Winch
+ * @see UnmodifiableListDeserializer
+ * @see CoreJackson2Module
+ * @see SecurityJackson2Modules
+ * @since 4.2
+ */
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
+@JsonDeserialize(using = UnmodifiableListDeserializer.class)
+class UnmodifiableListMixin {
+
+	/**
+	 * Mixin Constructor
+	 * @param s the Set
+	 */
+	@JsonCreator
+	UnmodifiableListMixin(Set<?> s) {}
+}

core/src/test/java/org/springframework/security/jackson2/SimpleGrantedAuthorityMixinTests.java

@@ -36,11 +36,13 @@ public class SimpleGrantedAuthorityMixinTests extends AbstractMixinTests {
 	// @formatter:off
 	public static final String AUTHORITY_JSON = "{\"@class\": \"org.springframework.security.core.authority.SimpleGrantedAuthority\", \"authority\": \"ROLE_USER\"}";
 
-	public static final String AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.ArrayList\", [" + AUTHORITY_JSON + "]]";
+	public static final String AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.Collections$UnmodifiableRandomAccessList\", [" + AUTHORITY_JSON + "]]";
 
 	public static final String AUTHORITIES_SET_JSON = "[\"java.util.Collections$UnmodifiableSet\", [" + AUTHORITY_JSON + "]]";
 
-	public static final String NO_AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.ArrayList\", []]";
+	public static final String NO_AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.Collections$UnmodifiableRandomAccessList\", []]";
+
+	public static final String EMPTY_AUTHORITIES_ARRAYLIST_JSON = "[\"java.util.ArrayList\", []]";
 
 	public static final String NO_AUTHORITIES_SET_JSON = "[\"java.util.Collections$UnmodifiableSet\", []]";
 	// @formatter:on

core/src/test/java/org/springframework/security/jackson2/UsernamePasswordAuthenticationTokenMixinTests.java

@@ -70,7 +70,7 @@ public class UsernamePasswordAuthenticationTokenMixinTests extends AbstractMixin
 	// @formatter:off
 	private static final String UNAUTHENTICATED_STRINGPRINCIPAL_JSON = AUTHENTICATED_STRINGPRINCIPAL_JSON
 		.replace("\"authenticated\": true, ", "\"authenticated\": false, ")
-		.replace(SimpleGrantedAuthorityMixinTests.AUTHORITIES_ARRAYLIST_JSON, SimpleGrantedAuthorityMixinTests.NO_AUTHORITIES_ARRAYLIST_JSON);
+		.replace(SimpleGrantedAuthorityMixinTests.AUTHORITIES_ARRAYLIST_JSON, SimpleGrantedAuthorityMixinTests.EMPTY_AUTHORITIES_ARRAYLIST_JSON);
 	// @formatter:on
 
 	@Test

gradle/javaprojects.gradle

@@ -21,7 +21,7 @@ ext.groovyVersion = '2.4.4'
 ext.hsqlVersion = '2.3.2'
 ext.hibernateVersion = '5.0.12.Final'
 ext.hibernateValidatorVersion = '5.3.6.Final'
-ext.jacksonDatabindVersion = '2.8.10'
+ext.jacksonDatabindVersion = '2.8.11.1'
 ext.javaPersistenceVersion = '2.1.1'
 ext.jettyVersion = '6.1.26'
 ext.jstlVersion = '1.2.1'