Add JSON Serialization

Fixes gh-3812

Author: jitendra-bisht

cas/cas.gradle

@@ -8,7 +8,10 @@ dependencies {
 			"org.springframework:spring-web:$springVersion",
 			"org.jasig.cas.client:cas-client-core:$casClientVersion"
 
-	optional "net.sf.ehcache:ehcache:$ehcacheVersion"
+	optional "net.sf.ehcache:ehcache:$ehcacheVersion",
+			"com.fasterxml.jackson.core:jackson-databind:$jacksonDatavindVersion"
+
+	testCompile "org.skyscreamer:jsonassert:$jsonassertVersion"
 
 	provided "javax.servlet:javax.servlet-api:$servletApiVersion"
 }

cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationToken.java

@@ -50,37 +50,62 @@ public class CasAuthenticationToken extends AbstractAuthenticationToken implemen
 	/**
 	 * Constructor.
 	 *
-	 * @param key to identify if this object made by a given
-	 * {@link CasAuthenticationProvider}
-	 * @param principal typically the UserDetails object (cannot be <code>null</code>)
+	 * @param key         to identify if this object made by a given
+	 *                    {@link CasAuthenticationProvider}
+	 * @param principal   typically the UserDetails object (cannot be <code>null</code>)
 	 * @param credentials the service/proxy ticket ID from CAS (cannot be
-	 * <code>null</code>)
+	 *                    <code>null</code>)
 	 * @param authorities the authorities granted to the user (from the
-	 * {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
-	 * be <code>null</code>)
+	 *                    {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
+	 *                    be <code>null</code>)
 	 * @param userDetails the user details (from the
-	 * {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
-	 * be <code>null</code>)
-	 * @param assertion the assertion returned from the CAS servers. It contains the
-	 * principal and how to obtain a proxy ticket for the user.
-	 *
+	 *                    {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
+	 *                    be <code>null</code>)
+	 * @param assertion   the assertion returned from the CAS servers. It contains the
+	 *                    principal and how to obtain a proxy ticket for the user.
 	 * @throws IllegalArgumentException if a <code>null</code> was passed
 	 */
 	public CasAuthenticationToken(final String key, final Object principal,
-			final Object credentials,
-			final Collection<? extends GrantedAuthority> authorities,
-			final UserDetails userDetails, final Assertion assertion) {
+								final Object credentials,
+								final Collection<? extends GrantedAuthority> authorities,
+								final UserDetails userDetails, final Assertion assertion) {
+		this(extractKeyHash(key), principal, credentials, authorities, userDetails, assertion);
+	}
+
+	/**
+	 * Private constructor for Jackson Deserialization support
+	 *
+	 * @param keyHash     hashCode of provided key to identify if this object made by a given
+	 *                    {@link CasAuthenticationProvider}
+	 * @param principal   typically the UserDetails object (cannot be <code>null</code>)
+	 * @param credentials the service/proxy ticket ID from CAS (cannot be
+	 *                    <code>null</code>)
+	 * @param authorities the authorities granted to the user (from the
+	 *                    {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
+	 *                    be <code>null</code>)
+	 * @param userDetails the user details (from the
+	 *                    {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
+	 *                    be <code>null</code>)
+	 * @param assertion   the assertion returned from the CAS servers. It contains the
+	 *                    principal and how to obtain a proxy ticket for the user.
+	 * @throws IllegalArgumentException if a <code>null</code> was passed
+	 * @since 4.2
+	 */
+	private CasAuthenticationToken(final Integer keyHash, final Object principal,
+									final Object credentials,
+									final Collection<? extends GrantedAuthority> authorities,
+									final UserDetails userDetails, final Assertion assertion) {
 		super(authorities);
 
-		if ((key == null) || ("".equals(key)) || (principal == null)
+		if ((principal == null)
 				|| "".equals(principal) || (credentials == null)
 				|| "".equals(credentials) || (authorities == null)
 				|| (userDetails == null) || (assertion == null)) {
 			throw new IllegalArgumentException(
 					"Cannot pass null or empty values to constructor");
 		}
 
-		this.keyHash = key.hashCode();
+		this.keyHash = keyHash;
 		this.principal = principal;
 		this.credentials = credentials;
 		this.userDetails = userDetails;
@@ -91,6 +116,18 @@ public CasAuthenticationToken(final String key, final Object principal,
 	// ~ Methods
 	// ========================================================================================================
 
+	private static Integer extractKeyHash(String key) {
+		Object value = nullSafeValue(key);
+		return value.hashCode();
+	}
+
+	private static Object nullSafeValue(Object value) {
+		if (value == null || "".equals(value)) {
+			throw new IllegalArgumentException("Cannot pass null or empty values to constructor");
+		}
+		return value;
+	}
+
 	public boolean equals(final Object obj) {
 		if (!super.equals(obj)) {
 			return false;

cas/src/main/java/org/springframework/security/cas/jackson2/AssertionImplMixin.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright 2015-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.cas.jackson2;
+
+import com.fasterxml.jackson.annotation.*;
+import org.jasig.cas.client.authentication.AttributePrincipal;
+
+import java.util.Date;
+import java.util.Map;
+
+/**
+ * Helps in jackson deserialization of class {@link org.jasig.cas.client.validation.AssertionImpl}, which is
+ * used with {@link org.springframework.security.cas.authentication.CasAuthenticationToken}.
+ * To use this class we need to register with {@link com.fasterxml.jackson.databind.ObjectMapper}. Type information
+ * will be stored in @class property.
+ * <p>
+ * <pre>
+ *     ObjectMapper mapper = new ObjectMapper();
+ *     mapper.registerModule(new CasJackson2Module());
+ * </pre>
+ *
+ *
+ * @author Jitendra Singh
+ * @see CasJackson2Module
+ * @see org.springframework.security.jackson2.SecurityJacksonModules
+ * @since 4.2
+ */
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
+@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY,
+		getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class AssertionImplMixin {
+
+	/**
+	 * Mixin Constructor helps in deserialize {@link org.jasig.cas.client.validation.AssertionImpl}
+	 *
+	 * @param principal the Principal to associate with the Assertion.
+	 * @param validFromDate when the assertion is valid from.
+	 * @param validUntilDate when the assertion is valid to.
+	 * @param authenticationDate when the assertion is authenticated.
+	 * @param attributes the key/value pairs for this attribute.
+	 */
+	@JsonCreator
+	public AssertionImplMixin(@JsonProperty("principal") AttributePrincipal principal,
+								@JsonProperty("validFromDate") Date validFromDate, @JsonProperty("validUntilDate") Date validUntilDate,
+								@JsonProperty("authenticationDate") Date authenticationDate, @JsonProperty("attributes") Map<String, Object> attributes){
+	}
+}

cas/src/main/java/org/springframework/security/cas/jackson2/AttributePrincipalImplMixin.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2015-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.cas.jackson2;
+
+import com.fasterxml.jackson.annotation.*;
+import org.jasig.cas.client.proxy.ProxyRetriever;
+
+import java.util.Map;
+
+/**
+ * Helps in deserialize {@link org.jasig.cas.client.authentication.AttributePrincipalImpl} which is used with
+ * {@link org.springframework.security.cas.authentication.CasAuthenticationToken}. Type information will be stored
+ * in property named @class.
+ * <p>
+ * <pre>
+ *     ObjectMapper mapper = new ObjectMapper();
+ *     mapper.registerModule(new CasJackson2Module());
+ * </pre>
+ *
+ * @author Jitendra Singh
+ * @see CasJackson2Module
+ * @see org.springframework.security.jackson2.SecurityJacksonModules
+ * @since 4.2
+ */
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
+@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
+		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class AttributePrincipalImplMixin {
+
+	/**
+	 * Mixin Constructor helps in deserialize {@link org.jasig.cas.client.authentication.AttributePrincipalImpl}
+	 *
+	 * @param name the unique identifier for the principal.
+	 * @param attributes the key/value pairs for this principal.
+	 * @param proxyGrantingTicket the ticket associated with this principal.
+	 * @param proxyRetriever the ProxyRetriever implementation to call back to the CAS server.
+	 */
+	@JsonCreator
+	public AttributePrincipalImplMixin(@JsonProperty("name") String name, @JsonProperty("attributes") Map<String, Object> attributes,
+										@JsonProperty("proxyGrantingTicket") String proxyGrantingTicket,
+										@JsonProperty("proxyRetriever") ProxyRetriever proxyRetriever) {
+	}
+}

cas/src/main/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixin.java

@@ -0,0 +1,77 @@
+/*
+ * Copyright 2015-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.cas.jackson2;
+
+import com.fasterxml.jackson.annotation.*;
+import org.jasig.cas.client.validation.Assertion;
+import org.springframework.security.cas.authentication.CasAuthenticationProvider;
+import org.springframework.security.cas.authentication.CasAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import java.util.Collection;
+
+/**
+ * Mixin class which helps in deserialize {@link org.springframework.security.cas.authentication.CasAuthenticationToken}
+ * using jackson. Two more dependent classes needs to register along with this mixin class.
+ * <ol>
+ * 		<li>{@link org.springframework.security.cas.jackson2.AssertionImplMixin}</li>
+ *      <li>{@link org.springframework.security.cas.jackson2.AttributePrincipalImplMixin}</li>
+ * </ol>
+ *
+ * <p>
+ *
+ * <pre>
+ *     ObjectMapper mapper = new ObjectMapper();
+ *     mapper.registerModule(new CasJackson2Module());
+ * </pre>
+ *
+ * @author Jitendra Singh
+ * @see CasJackson2Module
+ * @see org.springframework.security.jackson2.SecurityJacksonModules
+ * @since 4.2
+ */
+@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
+@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, isGetterVisibility = JsonAutoDetect.Visibility.NONE,
+		getterVisibility = JsonAutoDetect.Visibility.NONE, creatorVisibility = JsonAutoDetect.Visibility.ANY)
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class CasAuthenticationTokenMixin {
+
+	/**
+	 * Mixin Constructor helps in deserialize {@link CasAuthenticationToken}
+	 *
+	 * @param keyHash hashCode of provided key to identify if this object made by a given
+	 * {@link CasAuthenticationProvider}
+	 * @param principal typically the UserDetails object (cannot be <code>null</code>)
+	 * @param credentials the service/proxy ticket ID from CAS (cannot be
+	 * <code>null</code>)
+	 * @param authorities the authorities granted to the user (from the
+	 * {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
+	 * be <code>null</code>)
+	 * @param userDetails the user details (from the
+	 * {@link org.springframework.security.core.userdetails.UserDetailsService}) (cannot
+	 * be <code>null</code>)
+	 * @param assertion the assertion returned from the CAS servers. It contains the
+	 * principal and how to obtain a proxy ticket for the user.
+	 */
+	@JsonCreator
+	public CasAuthenticationTokenMixin(@JsonProperty("keyHash") Integer keyHash, @JsonProperty("principal") Object principal,
+										@JsonProperty("credentials") Object credentials,
+										@JsonProperty("authorities") Collection<? extends GrantedAuthority> authorities,
+										@JsonProperty("userDetails") UserDetails userDetails, @JsonProperty("assertion") Assertion assertion) {
+	}
+}

cas/src/main/java/org/springframework/security/cas/jackson2/CasJackson2Module.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2015-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.cas.jackson2;
+
+import com.fasterxml.jackson.core.Version;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.module.SimpleModule;
+import org.jasig.cas.client.authentication.AttributePrincipalImpl;
+import org.jasig.cas.client.validation.AssertionImpl;
+import org.springframework.security.cas.authentication.CasAuthenticationToken;
+import org.springframework.security.jackson2.SecurityJacksonModules;
+
+/**
+ * Jackson module for spring-security-cas. This module register {@link AssertionImplMixin},
+ * {@link AttributePrincipalImplMixin} and {@link CasAuthenticationTokenMixin}. If no default typing enabled by default then
+ * it'll enable it because typing info is needed to properly serialize/deserialize objects. In order to use this module just
+ * add this module into your ObjectMapper configuration.
+ *
+ * <pre>
+ *     ObjectMapper mapper = new ObjectMapper();
+ *     mapper.registerModule(new CasJackson2Module());
+ * </pre>
+ *  <b>Note: use {@link SecurityJacksonModules#getModules()} to get list of all security modules.</b>
+ *
+ * @author Jitendra Singh.
+ * @see org.springframework.security.jackson2.SecurityJacksonModules
+ * @since 4.2
+ */
+public class CasJackson2Module extends SimpleModule {
+
+	public CasJackson2Module() {
+		super(CasJackson2Module.class.getName(), new Version(1, 0, 0, null, null, null));
+	}
+
+	@Override
+	public void setupModule(SetupContext context) {
+		SecurityJacksonModules.enableDefaultTyping((ObjectMapper) context.getOwner());
+		context.setMixInAnnotations(AssertionImpl.class, AssertionImplMixin.class);
+		context.setMixInAnnotations(AttributePrincipalImpl.class, AttributePrincipalImplMixin.class);
+		context.setMixInAnnotations(CasAuthenticationToken.class, CasAuthenticationTokenMixin.class);
+	}
+}