Improve cglib object serialize

Issue gh-15395

Author: kse-music

core/src/main/java/org/springframework/security/jackson2/AuthorizeReturnObjectJackson2Module.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.jackson2;
+
+import com.fasterxml.jackson.databind.module.SimpleModule;
+
+/**
+ * Modify serializer so that to serialize Cglib object
+ *
+ * @author DingHao
+ * @since 6.4
+ * @see org.springframework.security.authorization.method.AuthorizeReturnObject
+ */
+public final class AuthorizeReturnObjectJackson2Module extends SimpleModule {
+
+	@Override
+	public void setupModule(SetupContext context) {
+		context.addBeanSerializerModifier(new CglibBeanSerializerModifier());
+	}
+
+}

core/src/main/java/org/springframework/security/jackson2/CglibBeanSerializerModifier.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright 2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.jackson2;
+
+import java.io.IOException;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.databind.BeanDescription;
+import com.fasterxml.jackson.databind.JsonSerializer;
+import com.fasterxml.jackson.databind.SerializationConfig;
+import com.fasterxml.jackson.databind.SerializerProvider;
+import com.fasterxml.jackson.databind.ser.BeanSerializerModifier;
+
+import org.springframework.aop.support.AopUtils;
+import org.springframework.util.ClassUtils;
+
+/**
+ * Serialize cglib generated objects
+ *
+ * @author DingHao
+ * @since 6.4
+ */
+class CglibBeanSerializerModifier extends BeanSerializerModifier {
+
+	@Override
+	public JsonSerializer<?> modifySerializer(SerializationConfig config, BeanDescription beanDesc,
+			JsonSerializer<?> serializer) {
+		if (beanDesc.getBeanClass().getName().contains(ClassUtils.CGLIB_CLASS_SEPARATOR)) {
+			return new CglibObjectSerializer();
+		}
+		return serializer;
+	}
+
+	static class CglibObjectSerializer extends JsonSerializer<Object> {
+
+		@Override
+		public void serialize(Object value, JsonGenerator gen, SerializerProvider provider) throws IOException {
+			Class<?> targetClass = AopUtils.getTargetClass(value);
+			JsonSerializer<Object> serializer = provider.findValueSerializer(targetClass);
+			serializer.serialize(value, gen, provider);
+		}
+
+	}
+
+}

core/src/test/java/org/springframework/security/authorization/AuthorizationAdvisorProxyFactoryTests.java

@@ -34,6 +34,9 @@
 import java.util.function.Supplier;
 import java.util.stream.Stream;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.exc.InvalidDefinitionException;
 import org.jetbrains.annotations.NotNull;
 import org.junit.jupiter.api.Test;
 
@@ -46,6 +49,7 @@
 import org.springframework.security.authorization.method.AuthorizationAdvisorProxyFactory.TargetVisitor;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.jackson2.AuthorizeReturnObjectJackson2Module;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -336,6 +340,25 @@ public void setTargetVisitorIgnoreValueTypesThenIgnores() {
 		assertThat(factory.proxy(35)).isEqualTo(35);
 	}
 
+	@Test
+	public void serializeCglibObjectThrowException() {
+		SecurityContextHolder.getContext().setAuthentication(this.admin);
+		AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withDefaults();
+		User user = proxy(factory, this.alan);
+		ObjectMapper mapper = new ObjectMapper();
+		assertThatExceptionOfType(InvalidDefinitionException.class).isThrownBy(() -> mapper.writeValueAsString(user));
+	}
+
+	@Test
+	public void serializeCglibObjectSuccess() throws JsonProcessingException {
+		SecurityContextHolder.getContext().setAuthentication(this.admin);
+		AuthorizationAdvisorProxyFactory factory = AuthorizationAdvisorProxyFactory.withDefaults();
+		User user = proxy(factory, this.alan);
+		ObjectMapper mapper = new ObjectMapper();
+		mapper.registerModule(new AuthorizeReturnObjectJackson2Module());
+		assertThat(mapper.writeValueAsString(user)).isInstanceOf(String.class);
+	}
+
 	private Authentication authenticated(String user, String... authorities) {
 		return TestAuthentication.authenticated(TestAuthentication.withUsername(user).authorities(authorities).build());
 	}

docs/modules/ROOT/pages/servlet/authorization/method-security.adoc

@@ -2258,6 +2258,39 @@ class User
 ----
 ======
 
+Or register `AuthorizeReturnObjectJackson2Module` to `ObjectMapper`:
+
+[source,java]
+----
+ObjectMapper mapper = new ObjectMapper();
+mapper.registerModule(new AuthorizeReturnObjectJackson2Module());
+----
+
+If you are using Spring Boot, you can also publish `AuthorizeReturnObjectJackson2Module` as a bean:
+
+[tabs]
+======
+Java::
++
+[source,java,role="primary"]
+----
+@Bean
+public AuthorizeReturnObjectJackson2Module authorizeReturnObjectJackson2Module() {
+    return new AuthorizeReturnObjectJackson2Module();
+}
+----
+
+Kotlin::
++
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun authorizeReturnObjectJackson2Module(): AuthorizeReturnObjectJackson2Module {
+    return AuthorizeReturnObjectJackson2Module()
+}
+----
+======
+
 Finally, you will need to publish a <<custom_advice, custom interceptor>> to catch the `AccessDeniedException` thrown for each field, which you can do like so:
 
 [tabs]