
Upgrade Jackson JSON library to 2.10.0

Filip Hanik 6 vuotta sitten
vanhempi
commit
f832d08814

+ 17 - 5
core/src/main/java/org/springframework/security/jackson2/SecurityJackson2Modules.java

@@ -24,7 +24,9 @@ import com.fasterxml.jackson.databind.JavaType;
 import com.fasterxml.jackson.databind.Module;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.cfg.MapperConfig;
+import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
 import com.fasterxml.jackson.databind.jsontype.NamedType;
+import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
 import com.fasterxml.jackson.databind.jsontype.TypeIdResolver;
 import com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder;
 import org.apache.commons.logging.Log;
@@ -146,19 +148,29 @@ public final class SecurityJackson2Modules {
 	}
 
 	/**
-	 * An implementation of {@link ObjectMapper.DefaultTypeResolverBuilder} that overrides the {@link TypeIdResolver}
-	 * with {@link WhitelistTypeIdResolver}.
+	 * An implementation of {@link ObjectMapper.DefaultTypeResolverBuilder}
+	 * that inserts an {@code allow all} {@link PolymorphicTypeValidator}
+	 * and overrides the {@code TypeIdResolver}
 	 * @author Rob Winch
 	 */
 	static class WhitelistTypeResolverBuilder extends ObjectMapper.DefaultTypeResolverBuilder {
 
 		WhitelistTypeResolverBuilder(ObjectMapper.DefaultTyping defaultTyping) {
-			super(defaultTyping);
+			super(
+					defaultTyping,
+					//we do explicit validation in the TypeIdResolver
+					BasicPolymorphicTypeValidator.builder()
+							.allowIfSubType(Object.class)
+							.build()
+			);
 		}
 
+		@Override
 		protected TypeIdResolver idResolver(MapperConfig<?> config,
-											JavaType baseType, Collection<NamedType> subtypes, boolean forSer, boolean forDeser) {
-			TypeIdResolver result = super.idResolver(config, baseType, subtypes, forSer, forDeser);
+				JavaType baseType,
+				PolymorphicTypeValidator subtypeValidator,
+				Collection<NamedType> subtypes, boolean forSer, boolean forDeser) {
+			TypeIdResolver result = super.idResolver(config, baseType, subtypeValidator, subtypes, forSer, forDeser);
 			return new WhitelistTypeIdResolver(result);
 		}
 	}
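Review bot: The allow-all validator passed to `super(...)` in the constructor opts out of the subtype check that Jackson 2.10 introduced for default typing, so the only remaining gate on polymorphic type ids is the `WhitelistTypeIdResolver` returned from `idResolver`, whose checks are not visible in this hunk. The rewritten Javadoc also dropped the `{@link WhitelistTypeIdResolver}` reference, so a reader no longer sees where the validation happens. I would restore that link and expand the inline comment to something like `// allow-all on purpose: WhitelistTypeIdResolver (see idResolver) is the sole allowlist check; do not reuse this builder without it`. If the intent is purely to opt out, `LaissezFaireSubTypeValidator.instance` states that more directly than `allowIfSubType(Object.class)`.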

+ 5 - 2
core/src/main/java/org/springframework/security/jackson2/UserDeserializer.java

@@ -56,8 +56,11 @@ class UserDeserializer extends JsonDeserializer<User> {
 	public User deserialize(JsonParser jp, DeserializationContext ctxt) throws IOException, JsonProcessingException {
 		ObjectMapper mapper = (ObjectMapper) jp.getCodec();
 		JsonNode jsonNode = mapper.readTree(jp);
-		Set<GrantedAuthority> authorities = mapper.convertValue(jsonNode.get("authorities"), new TypeReference<Set<SimpleGrantedAuthority>>() {
-		});
+		Set<? extends GrantedAuthority> authorities =
+				mapper.convertValue(
+						jsonNode.get("authorities"),
+						new TypeReference<Set<SimpleGrantedAuthority>>() {}
+				);
 		JsonNode password = readJsonNode(jsonNode, "password");
 		User result =  new User(
 				readJsonNode(jsonNode, "username").asText(), password.asText(""),
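Review bot: `jsonNode.get("authorities")` in the rewritten `convertValue` call returns null when the field is absent, whereas `password` on the following line is read through `readJsonNode`, so the two fields presumably behave differently on incomplete input. `convertValue` hands a null input back as null, and what the `User` constructor does with it is outside this hunk (the constructor call is cut off at the hunk's end), so the resulting failure is likely an exception that does not point at the JSON. An explicit check before the conversion would make malformed serialized state fail clearly, e.g. `JsonNode authoritiesNode = jsonNode.get("authorities");` followed by `if (authoritiesNode == null) throw JsonMappingException.from(jp, "authorities is missing");`.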

+ 3 - 3
gradle/dependency-management.gradle

@@ -42,9 +42,9 @@ dependencyManagement {
 		dependency 'asm:asm:3.1'
 		dependency 'ch.qos.logback:logback-classic:1.2.3'
 		dependency 'ch.qos.logback:logback-core:1.2.3'
-		dependency 'com.fasterxml.jackson.core:jackson-annotations:2.9.10'
-		dependency 'com.fasterxml.jackson.core:jackson-core:2.9.10'
-		dependency 'com.fasterxml.jackson.core:jackson-databind:2.9.10'
+		dependency 'com.fasterxml.jackson.core:jackson-annotations:2.10.0'
+		dependency 'com.fasterxml.jackson.core:jackson-core:2.10.0'
+		dependency 'com.fasterxml.jackson.core:jackson-databind:2.10.0'
 		dependency 'com.fasterxml:classmate:1.3.4'
 		dependency 'com.github.stephenc.jcip:jcip-annotations:1.0-1'
 		dependency 'com.google.appengine:appengine-api-1.0-sdk:1.9.76'