Create Jackson Mixin for InvalidOneTimeTokenException#19210
Open
seonwooj0810 wants to merge 1 commit into
Open
Create Jackson Mixin for InvalidOneTimeTokenException#19210seonwooj0810 wants to merge 1 commit into
seonwooj0810 wants to merge 1 commit into
Conversation
InvalidOneTimeTokenException had no Jackson mixin registered, so storing the session in a serialized backing store (for example, Redis) failed to deserialize when the exception was present in the security context. This commit follows the existing BadCredentialsExceptionMixin pattern, adding mixins in the jackson and jackson2 packages and registering them in CoreJacksonModule and CoreJackson2Module. The Jackson 3 PolymorphicTypeValidator is updated to allow InvalidOneTimeTokenException as a subtype. Closes spring-projectsgh-19203 Signed-off-by: seonwoo_jung <laborlawseon@kap.kr>
spring-projects-issues
added
the
status: waiting-for-triage
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes gh-19203
Problem
InvalidOneTimeTokenExceptionhad no Jackson mixin registered. When thesession is persisted to a serialized backing store (e.g. Redis), and the
security context contains this exception (for example after a failed
one-time-token login attempt), the session cannot be deserialized.
This is the same shape of bug that gh-18095 reported for
OneTimeTokenAuthenticationToken(fixed in gh-18096).Change
Mirrors the existing
BadCredentialsExceptionMixinpattern, whichcovers an analogous
AuthenticationExceptionsubtype:InvalidOneTimeTokenExceptionMixinin both theorg.springframework.security.jackson(Jackson 3) andorg.springframework.security.jackson2(Jackson 2, deprecated)packages.
CoreJacksonModuleandCoreJackson2Module.InvalidOneTimeTokenExceptionto the allowed subtypes inCoreJacksonModule#configurePolymorphicTypeValidator.The mixin ignores
cause,stackTrace, andauthenticationRequest,matching
BadCredentialsExceptionMixin.Test plan
./gradlew :spring-security-core:test --tests "org.springframework.security.jackson.InvalidOneTimeTokenExceptionMixinTests" --tests "org.springframework.security.jackson2.InvalidOneTimeTokenExceptionMixinTests"— passes (4/4).jackson,jackson2, andauthentication.otttest packages re-run — all green, no regressions../gradlew :spring-security-core:checkFormatMain :spring-security-core:checkFormatTest :spring-security-core:checkstyleMain :spring-security-core:checkstyleTest— passes.Build was run with
-PtestToolchain=21since JDK 25 was not availablelocally; the project compiles with
--release 17so this does notaffect the produced bytecode.