Add AuthorizationProxyMixin

This commit adds Jackson configuration specific to
authorization proxies created by Spring Security

Closes gh-18077

Author: jzheaux

core/src/main/java/org/springframework/security/jackson/AuthorizationProxyMixin.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.jackson;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+
+import org.springframework.security.authorization.method.AuthorizationProxy;
+
+/**
+ * Jackson configurations for objects that extend {@link AuthorizationProxy}
+ *
+ * @author Josh Cummings
+ * @since 7.0
+ * @see org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory
+ */
+@JsonIgnoreProperties("callbacks")
+class AuthorizationProxyMixin {
+
+}

core/src/main/java/org/springframework/security/jackson/CoreJacksonModule.java

@@ -29,6 +29,7 @@
 import org.springframework.security.authentication.RememberMeAuthenticationToken;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.authorization.method.AuthorizationProxy;
 import org.springframework.security.core.authority.FactorGrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextImpl;
@@ -108,6 +109,7 @@ public void setupModule(SetupContext context) {
 		context.setMixIn(UsernamePasswordAuthenticationToken.class, UsernamePasswordAuthenticationTokenMixin.class);
 		context.setMixIn(TestingAuthenticationToken.class, TestingAuthenticationTokenMixin.class);
 		context.setMixIn(BadCredentialsException.class, BadCredentialsExceptionMixin.class);
+		context.setMixIn(AuthorizationProxy.class, AuthorizationProxyMixin.class);
 	}
 
 }

core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java

@@ -34,7 +34,6 @@
 import java.util.function.Supplier;
 import java.util.stream.Stream;
 
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import tools.jackson.databind.json.JsonMapper;
 
@@ -50,6 +49,7 @@
 import org.springframework.security.authorization.method.AuthorizationProxy;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.jackson.CoreJacksonModule;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -340,15 +340,13 @@ public void setTargetVisitorIgnoreValueTypesThenIgnores() {
 		assertThat(factory.proxy(35)).isEqualTo(35);
 	}
 
-	// TODO Find why callbacks property is serialized with Jackson 3, not with Jackson 2
-	// FIXME: https://github.com/spring-projects/spring-security/issues/18077
-	@Disabled("callbacks property is serialized with Jackson 3, not with Jackson 2")
 	@Test
 	public void serializeWhenAuthorizationProxyObjectThenOnlyIncludesProxiedProperties() {
 		SecurityContextHolder.getContext().setAuthentication(this.admin);
 		AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withDefaults();
 		User user = proxy(factory, this.alan);
-		JsonMapper mapper = new JsonMapper();
+		// gh-18077
+		JsonMapper mapper = JsonMapper.builder().addModule(new CoreJacksonModule()).build();
 		String serialized = mapper.writeValueAsString(user);
 		Map<String, Object> properties = mapper.readValue(serialized, Map.class);
 		assertThat(properties).hasSize(3).containsKeys("id", "firstName", "lastName");