Description
Expected Behavior
We are able to serialize/deserialize the classes Saml2Authentication and SimpleSaml2AuthenticatedPrincipal using an object mapper.
Current Behavior
We cannot whitelist SimpleSaml2AuthenticatedPrincipal, as it is package private, and the deserialization crashes.
Context
We are using spring-session-data-mongo to store the HttpSession in a Mongo collection. This approach uses an object mapper to convert it to JSON/BSON.
We can whitelist and fix the Saml2Authentication storage with the following Kotlin snippets:
```kotlin
import com.fasterxml.jackson.annotation.JsonCreator
import com.fasterxml.jackson.annotation.JsonProperty
import org.springframework.security.core.AuthenticatedPrincipal
import org.springframework.security.core.GrantedAuthority
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication

// Register the mixin on the ObjectMapper used by spring-session-data-mongo
objectMapper.addMixIn(Saml2Authentication::class.java, Saml2AuthenticationMixin::class.java)
...
/**
 * Used to whitelist [Saml2Authentication] for [SecurityJackson2Modules].
 * The annotated constructor tells Jackson which JSON properties map to which
 * constructor arguments; the mixin itself is never instantiated.
 */
class Saml2AuthenticationMixin @JsonCreator constructor(
    @JsonProperty("principal") principal: AuthenticatedPrincipal,
    @JsonProperty("saml2Response") saml2Response: String,
    @JsonProperty("authorities") authorities: Collection<GrantedAuthority>
) : Saml2Authentication(principal, saml2Response, authorities) // Nothing special
```
But I cannot add the following mixin as the class is package private:
```kotlin
/**
 * Used to whitelist [SimpleSaml2AuthenticatedPrincipal] for [SecurityJackson2Modules].
 * objectMapper.addMixIn(SimpleSaml2AuthenticatedPrincipal::class.java, ...) cannot be
 * written, because the target class is package private and cannot be referenced.
 */
class SimpleSaml2AuthenticatedPrincipalMixin // Nothing special
```
This is the exception we get without being able to whitelist the class:
```text
com.fasterxml.jackson.databind.JsonMappingException: The class with org.springframework.security.saml2.provider.service.authentication.SimpleSaml2AuthenticatedPrincipal and name of org.springframework.security.saml2.provider.service.authentication.SimpleSaml2AuthenticatedPrincipal is not whitelisted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details (through reference chain:
org.springframework.session.data.mongo.MongoSession["attrs"]->
java.util.HashMap["SPRING_SECURITY_CONTEXT"]->
org.springframework.security.core.context.SecurityContextImpl["authentication"]->
org.springframework.security.saml2.provider.service.authentication.Saml2Authentication["principal"])
```
We have a workaround using plain Java serialization via the Serializable interface and the Spring Boot utils SerializationUtils.serialize() and SerializationUtils.deserialize(). E.g.:
```kotlin
import com.fasterxml.jackson.databind.annotation.JsonDeserialize
import com.fasterxml.jackson.databind.annotation.JsonSerialize

/**
 * Used to whitelist [Saml2Authentication] for [SecurityJackson2Modules].
 * SAMLAuthSerializer / SAMLAuthDeserializer are our own Jackson (de)serializers
 * (not shown here) that wrap the token with plain Java serialization.
 */
@JsonDeserialize(using = SAMLAuthDeserializer::class)
@JsonSerialize(using = SAMLAuthSerializer::class)
class Saml2AuthenticationMixin
```
This approach works but is not ideal.
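A complete form of the workaround above, written as an added example rather than the issue author's code: the serializer and deserializer classes named in the mixin are my own construction, and `saml2ObjectMapper` is an assumed helper name. It assumes the Spring Security SAML2 and Jackson modules are on the classpath.

```kotlin
import com.fasterxml.jackson.core.JsonGenerator
import com.fasterxml.jackson.core.JsonParser
import com.fasterxml.jackson.databind.DeserializationContext
import com.fasterxml.jackson.databind.JsonDeserializer
import com.fasterxml.jackson.databind.JsonSerializer
import com.fasterxml.jackson.databind.ObjectMapper
import com.fasterxml.jackson.databind.SerializerProvider
import com.fasterxml.jackson.databind.annotation.JsonDeserialize
import com.fasterxml.jackson.databind.annotation.JsonSerialize
import org.springframework.security.jackson2.SecurityJackson2Modules
import org.springframework.security.saml2.provider.service.authentication.Saml2Authentication
import org.springframework.util.SerializationUtils
import java.util.Base64

/** Assumed helper: writes the whole token as one base64 string built with Java serialization. */
class SAMLAuthSerializer : JsonSerializer<Saml2Authentication>() {
    override fun serialize(value: Saml2Authentication, gen: JsonGenerator, serializers: SerializerProvider) {
        // Saml2Authentication (and the package-private principal inside it) is Serializable,
        // so the Jackson allowlist never has to see SimpleSaml2AuthenticatedPrincipal.
        val bytes = SerializationUtils.serialize(value)
        gen.writeString(Base64.getEncoder().encodeToString(bytes))
    }
}

/** Assumed helper: reads the base64 string back and restores the token with Java deserialization. */
class SAMLAuthDeserializer : JsonDeserializer<Saml2Authentication>() {
    override fun deserialize(p: JsonParser, ctxt: DeserializationContext): Saml2Authentication {
        // Only acceptable because the blob comes from the application's own session store;
        // the SecurityJackson2Modules allowlist exists so JSON from elsewhere cannot name arbitrary classes.
        val bytes = Base64.getDecoder().decode(p.valueAsString)
        return SerializationUtils.deserialize(bytes) as Saml2Authentication
    }
}

/** Mixin that routes Saml2Authentication through the two helpers above. */
@JsonDeserialize(using = SAMLAuthDeserializer::class)
@JsonSerialize(using = SAMLAuthSerializer::class)
class Saml2AuthenticationMixin

/** Assumed helper name: builds the mapper handed to spring-session-data-mongo. */
fun saml2ObjectMapper(classLoader: ClassLoader): ObjectMapper {
    val mapper = ObjectMapper()
    // Keep the Spring Security allowlisting modules for every other security type
    mapper.registerModules(SecurityJackson2Modules.getModules(classLoader))
    mapper.addMixIn(Saml2Authentication::class.java, Saml2AuthenticationMixin::class.java)
    return mapper
}
```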