Improve serialize of proxy objects generated by AuthorizeReturnObject

Issue gh-15561

Author: kse-music

core/src/main/java/org/springframework/security/authorization/method/AuthorizationAdvisorProxyFactory.java

@@ -171,6 +171,7 @@ public Object proxy(Object target) {
 		for (Advisor advisor : this.advisors) {
 			factory.addAdvisors(advisor);
 		}
+		factory.setOpaque(true);
 		factory.setProxyTargetClass(!Modifier.isFinal(target.getClass().getModifiers()));
 		return factory.getProxy();
 	}
@@ -357,6 +358,7 @@ public Object visit(AuthorizationAdvisorProxyFactory proxyFactory, Object object
 				ProxyFactory factory = new ProxyFactory();
 				factory.setTargetClass(targetClass);
 				factory.setInterfaces(ClassUtils.getAllInterfacesForClass(targetClass));
+				factory.setOpaque(true);
 				factory.setProxyTargetClass(!Modifier.isFinal(targetClass.getModifiers()));
 				for (Advisor advisor : proxyFactory) {
 					factory.addAdvisors(advisor);

core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java

@@ -34,6 +34,9 @@
 import java.util.function.Supplier;
 import java.util.stream.Stream;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import org.jetbrains.annotations.NotNull;
 import org.junit.jupiter.api.Test;
 
@@ -336,6 +339,25 @@ public void setTargetVisitorIgnoreValueTypesThenIgnores() {
 		assertThat(factory.proxy(35)).isEqualTo(35);
 	}
 
+	@Test
+	public void serializeAuthorizationProxyObjectWhenProvideJsonSerialize() throws JsonProcessingException {
+		SecurityContextHolder.getContext().setAuthentication(this.admin);
+		AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withDefaults();
+		JsonSerializeUser user = new JsonSerializeUser("used JsonSerialize annotation");
+
+		ObjectMapper mapper = new ObjectMapper();
+		assertThat(mapper.writeValueAsString(proxy(factory, user))).doesNotContain("description");
+	}
+
+	@Test
+	public void serializeAuthorizationProxyObject() throws JsonProcessingException {
+		SecurityContextHolder.getContext().setAuthentication(this.admin);
+		AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withDefaults();
+		User user = proxy(factory, this.alan);
+		ObjectMapper mapper = new ObjectMapper();
+		assertThat(mapper.writeValueAsString(user)).isInstanceOf(String.class);
+	}
+
 	private Authentication authenticated(String user, String... authorities) {
 		return TestAuthentication.authenticated(TestAuthentication.withUsername(user).authorities(authorities).build());
 	}
@@ -363,6 +385,22 @@ interface Identifiable {
 
 	}
 
+	@JsonSerialize(as = User.class)
+	public static class JsonSerializeUser extends User {
+
+		private final String description;
+
+		JsonSerializeUser(String description) {
+			super("alan", "alan", "turing");
+			this.description = description;
+		}
+
+		public String getDescription() {
+			return this.description;
+		}
+
+	}
+
 	public static class User implements Identifiable, Comparable<User> {
 
 		private final String id;

docs/modules/ROOT/pages/servlet/authorization/method-security.adoc

@@ -2227,37 +2227,6 @@ class UserController  {
 ----
 ======
 
-If you are using Jackson, though, this may result in a serialization error like the following:
-
-[source,bash]
-====
-com.fasterxml.jackson.databind.exc.InvalidDefinitionException: Direct self-reference leading to cycle
-====
-
-This is due to how Jackson works with CGLIB proxies.
-To address this, add the following annotation to the top of the `User` class:
-
-[tabs]
-======
-Java::
-+
-[source,java,role="primary"]
-----
-@JsonSerialize(as = User.class)
-public class User {
-
-}
-----
-
-Kotlin::
-+
-[source,kotlin,role="secondary"]
-----
-@JsonSerialize(`as` = User::class)
-class User
-----
-======
-
 Finally, you will need to publish a <<custom_advice, custom interceptor>> to catch the `AccessDeniedException` thrown for each field, which you can do like so:
 
 [tabs]