Stop CoreJacksonModule from overriding user DateTimeFeature configuration

Remove the global DateTimeFeature.WRITE_DATES_AS_TIMESTAMPS override
from CoreJacksonModule.setupModule() and use @jsonformat(shape = NUMBER)
on Mixin parameters/getters that need timestamp format for backward
compatibility.

Closes gh-18561

Signed-off-by: hanweiwei <duzielww@163.com>

Author: skyhww

core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java

@@ -20,8 +20,6 @@
 import java.time.Instant;
 
 import tools.jackson.core.Version;
-import tools.jackson.databind.cfg.DateTimeFeature;
-import tools.jackson.databind.cfg.MapperBuilder;
 import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
 
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
@@ -101,7 +99,6 @@ public void configurePolymorphicTypeValidator(BasicPolymorphicTypeValidator.Buil
 
 	@Override
 	public void setupModule(SetupContext context) {
-		((MapperBuilder<?, ?>) context.getOwner()).enable(DateTimeFeature.WRITE_DATES_AS_TIMESTAMPS);
 		context.setMixIn(AnonymousAuthenticationToken.class, AnonymousAuthenticationTokenMixin.class);
 		context.setMixIn(RememberMeAuthenticationToken.class, RememberMeAuthenticationTokenMixin.class);
 		context.setMixIn(SimpleGrantedAuthority.class, SimpleGrantedAuthorityMixin.class);

core/src/main/java/org/springframework/security/jackson/FactorGrantedAuthorityMixin.java

@@ -20,6 +20,7 @@
 
 import com.fasterxml.jackson.annotation.JsonAutoDetect;
 import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonFormat;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
 
@@ -44,7 +45,10 @@ abstract class FactorGrantedAuthorityMixin {
 	 */
 	@JsonCreator
 	FactorGrantedAuthorityMixin(@JsonProperty("authority") String authority,
-			@JsonProperty("issuedAt") Instant issuedAt) {
+			@JsonProperty("issuedAt") @JsonFormat(shape = JsonFormat.Shape.NUMBER) Instant issuedAt) {
 	}
 
+	@JsonFormat(shape = JsonFormat.Shape.NUMBER)
+	abstract Instant getIssuedAt();
+
 }

core/src/test/java/org/springframework/security/jackson/FactorGrantedAuthorityMixinTests.java

@@ -21,6 +21,9 @@
 import org.json.JSONException;
 import org.junit.jupiter.api.Test;
 import org.skyscreamer.jsonassert.JSONAssert;
+import tools.jackson.databind.cfg.DateTimeFeature;
+import tools.jackson.databind.json.JsonMapper;
+import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
 
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
@@ -57,4 +60,41 @@ void deserializeGrantedAuthorityTest() {
 		assertThat(authority.getIssuedAt()).isEqualTo(this.issuedAt);
 	}
 
+	@Test
+	void serializeWhenWriteDatesAsTimestampsDisabledThenStillUsesTimestamps() throws JSONException {
+		ClassLoader loader = getClass().getClassLoader();
+		JsonMapper customMapper = JsonMapper.builder()
+			.disable(DateTimeFeature.WRITE_DATES_AS_TIMESTAMPS)
+			.addModules(SecurityJacksonModules.getModules(loader, BasicPolymorphicTypeValidator.builder()))
+			.build();
+		GrantedAuthority authority = FactorGrantedAuthority.withAuthority("FACTOR_PASSWORD")
+			.issuedAt(this.issuedAt)
+			.build();
+		String json = customMapper.writeValueAsString(authority);
+		JSONAssert.assertEquals(AUTHORITY_JSON, json, true);
+	}
+
+	@Test
+	void deserializeWhenWriteDatesAsTimestampsDisabledThenStillDeserializesTimestamps() {
+		ClassLoader loader = getClass().getClassLoader();
+		JsonMapper customMapper = JsonMapper.builder()
+			.disable(DateTimeFeature.WRITE_DATES_AS_TIMESTAMPS)
+			.addModules(SecurityJacksonModules.getModules(loader, BasicPolymorphicTypeValidator.builder()))
+			.build();
+		FactorGrantedAuthority authority = (FactorGrantedAuthority) customMapper.readValue(AUTHORITY_JSON, Object.class);
+		assertThat(authority).isNotNull();
+		assertThat(authority.getAuthority()).isEqualTo("FACTOR_PASSWORD");
+		assertThat(authority.getIssuedAt()).isEqualTo(this.issuedAt);
+	}
+
+	@Test
+	void serializeDoesNotOverrideGlobalDateTimeFeature() {
+		ClassLoader loader = getClass().getClassLoader();
+		JsonMapper customMapper = JsonMapper.builder()
+			.disable(DateTimeFeature.WRITE_DATES_AS_TIMESTAMPS)
+			.addModules(SecurityJacksonModules.getModules(loader, BasicPolymorphicTypeValidator.builder()))
+			.build();
+		assertThat(customMapper.isEnabled(DateTimeFeature.WRITE_DATES_AS_TIMESTAMPS)).isFalse();
+	}
+
 }

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2AccessTokenMixin.java

@@ -21,6 +21,7 @@
 
 import com.fasterxml.jackson.annotation.JsonAutoDetect;
 import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonFormat;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
 import tools.jackson.databind.annotation.JsonDeserialize;
@@ -45,8 +46,10 @@ abstract class OAuth2AccessTokenMixin {
 	OAuth2AccessTokenMixin(
 			@JsonProperty("tokenType") @JsonDeserialize(
 					converter = StdConverters.AccessTokenTypeConverter.class) OAuth2AccessToken.TokenType tokenType,
-			@JsonProperty("tokenValue") String tokenValue, @JsonProperty("issuedAt") Instant issuedAt,
-			@JsonProperty("expiresAt") Instant expiresAt, @JsonProperty("scopes") Set<String> scopes) {
+			@JsonProperty("tokenValue") String tokenValue,
+			@JsonProperty("issuedAt") @JsonFormat(shape = JsonFormat.Shape.NUMBER) Instant issuedAt,
+			@JsonProperty("expiresAt") @JsonFormat(shape = JsonFormat.Shape.NUMBER) Instant expiresAt,
+			@JsonProperty("scopes") Set<String> scopes) {
 	}
 
 }

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OAuth2RefreshTokenMixin.java

@@ -20,6 +20,7 @@
 
 import com.fasterxml.jackson.annotation.JsonAutoDetect;
 import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonFormat;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
 
@@ -40,7 +41,8 @@
 abstract class OAuth2RefreshTokenMixin {
 
 	@JsonCreator
-	OAuth2RefreshTokenMixin(@JsonProperty("tokenValue") String tokenValue, @JsonProperty("issuedAt") Instant issuedAt) {
+	OAuth2RefreshTokenMixin(@JsonProperty("tokenValue") String tokenValue,
+			@JsonProperty("issuedAt") @JsonFormat(shape = JsonFormat.Shape.NUMBER) Instant issuedAt) {
 	}
 
 }

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson/OidcIdTokenMixin.java

@@ -21,6 +21,7 @@
 
 import com.fasterxml.jackson.annotation.JsonAutoDetect;
 import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonFormat;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonTypeInfo;
 
@@ -41,8 +42,10 @@
 abstract class OidcIdTokenMixin {
 
 	@JsonCreator
-	OidcIdTokenMixin(@JsonProperty("tokenValue") String tokenValue, @JsonProperty("issuedAt") Instant issuedAt,
-			@JsonProperty("expiresAt") Instant expiresAt, @JsonProperty("claims") Map<String, Object> claims) {
+	OidcIdTokenMixin(@JsonProperty("tokenValue") String tokenValue,
+			@JsonProperty("issuedAt") @JsonFormat(shape = JsonFormat.Shape.NUMBER) Instant issuedAt,
+			@JsonProperty("expiresAt") @JsonFormat(shape = JsonFormat.Shape.NUMBER) Instant expiresAt,
+			@JsonProperty("claims") Map<String, Object> claims) {
 	}
 
 }