JSON UserDetails deserializes null

JSON UserDetails null use to be treated as "".

This changes null to be treated as a null

Issue gh-3736

Author: Rob Winch

cas/src/test/java/org/springframework/security/cas/jackson2/CasAuthenticationTokenMixinTests.java

@@ -16,6 +16,11 @@
 
 package org.springframework.security.cas.jackson2;
 
+import java.io.IOException;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Date;
+
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.jasig.cas.client.authentication.AttributePrincipalImpl;
@@ -26,17 +31,14 @@
 import org.junit.runner.RunWith;
 import org.mockito.runners.MockitoJUnitRunner;
 import org.skyscreamer.jsonassert.JSONAssert;
+
 import org.springframework.security.cas.authentication.CasAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.jackson2.SecurityJacksonModules;
 
-import java.io.IOException;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.Date;
-
 import static org.assertj.core.api.Assertions.assertThat;
 
 /**
@@ -92,6 +94,12 @@ public void serializeCasAuthenticationTestAfterEraseCredentialInvoked() throws J
 		JSONAssert.assertEquals(String.format(expectedJson, "null"), actualJson, true);
 	}
 
+	@Test
+	public void deserializeCasAuthenticationTestAfterEraseCredentialInvoked() throws Exception {
+		CasAuthenticationToken token = buildObjectMapper().readValue(String.format(expectedJson, "null"), CasAuthenticationToken.class);
+		assertThat(((UserDetails)token.getPrincipal()).getPassword()).isNull();
+	}
+
 	@Test
 	public void deserializeCasAuthenticationTest() throws IOException, JSONException {
 		CasAuthenticationToken token = buildObjectMapper().readValue(String.format(expectedJson, "\"" + PASSWORD + "\""), CasAuthenticationToken.class);

core/src/main/java/org/springframework/security/jackson2/UserDeserializer.java

@@ -58,12 +58,18 @@ public User deserialize(JsonParser jp, DeserializationContext ctxt) throws IOExc
 		JsonNode jsonNode = mapper.readTree(jp);
 		Set<GrantedAuthority> authorities = mapper.convertValue(jsonNode.get("authorities"), new TypeReference<Set<SimpleGrantedAuthority>>() {
 		});
-		return new User(
-				readJsonNode(jsonNode, "username").asText(), readJsonNode(jsonNode, "password").asText(""),
+		JsonNode password = readJsonNode(jsonNode, "password");
+		User result =  new User(
+				readJsonNode(jsonNode, "username").asText(), password.asText(""),
 				readJsonNode(jsonNode, "enabled").asBoolean(), readJsonNode(jsonNode, "accountNonExpired").asBoolean(),
 				readJsonNode(jsonNode, "credentialsNonExpired").asBoolean(),
 				readJsonNode(jsonNode, "accountNonLocked").asBoolean(), authorities
 		);
+		
+		if(password.asText(null) == null) {
+			result.eraseCredentials();
+		}
+		return result;
 	}
 
 	private JsonNode readJsonNode(JsonNode jsonNode, String field) {

core/src/test/java/org/springframework/security/jackson2/UserDeserializerTests.java

@@ -80,8 +80,8 @@ public void deserializeUserWithNullPasswordNoAuthorityTest() throws IOException
 		User user = mapper.readValue(userJsonWithoutPasswordString, User.class);
 		assertThat(user).isNotNull();
 		assertThat(user.getUsername()).isEqualTo("admin");
-		assertThat(user.getPassword()).isEqualTo("");
-		assertThat(user.getAuthorities()).hasSize(0);
+		assertThat(user.getPassword()).isNull();
+		assertThat(user.getAuthorities()).isEmpty();
 		assertThat(user.isEnabled()).isEqualTo(true);
 	}