Remove Java security context serialization (#2677)
Remove Java security context serialization - it is replaced by JSON security context serialization (optimized for size). Backward-incompatible change. Java security context serialization was not used in the default hawkbit runtime out of the box, so it is assumed that nobody uses it. If anyone has enabled it, they can, in order to keep backward compatibility, take the Java security context serialization from the previous hawkbit releases/commits and register it again as a Spring bean in their hawkbit extension. Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
@@ -32,7 +32,6 @@ import org.eclipse.hawkbit.security.SpringSecurityAuditorAware.AuditorAwarePrinc
|
||||
import org.eclipse.hawkbit.tenancy.TenantAwareAuthenticationDetails;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAwareUser;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.AuthenticationException;
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||
import org.springframework.security.core.context.SecurityContext;
|
||||
@@ -49,17 +48,8 @@ public interface SecurityContextSerializer {
|
||||
SecurityContextSerializer NOP = new Nop();
|
||||
/**
|
||||
* Serializer the uses JSON serialization.
|
||||
* <p/>
|
||||
* Note that on deserialization this serialization does (if configured) fallback to {@link #JAVA_SERIALIZATION}.
|
||||
*/
|
||||
SecurityContextSerializer JSON_SERIALIZATION = new JsonSerialization();
|
||||
/**
|
||||
* Serializer the uses Java serialization of {@link java.io.Serializable} objects (legacy, not recommended).
|
||||
* <p/>
|
||||
* Note that serialized via java serialization context might become unreadable if incompatible
|
||||
* changes are made to the object classes.
|
||||
*/
|
||||
SecurityContextSerializer JAVA_SERIALIZATION = new JavaSerialization();
|
||||
|
||||
/**
|
||||
* Return security context as string (could be just a reference)
|
||||
@@ -82,11 +72,9 @@ public interface SecurityContextSerializer {
|
||||
* It returns <code>null</code> as serialized context and throws exception if
|
||||
* someone try to deserialize anything.
|
||||
*/
|
||||
@NoArgsConstructor(access = AccessLevel.PRIVATE)
|
||||
class Nop implements SecurityContextSerializer {
|
||||
|
||||
private Nop() {
|
||||
}
|
||||
|
||||
@Override
|
||||
public String serialize(final SecurityContext securityContext) {
|
||||
return null;
|
||||
@@ -106,8 +94,6 @@ public interface SecurityContextSerializer {
|
||||
class JsonSerialization implements SecurityContextSerializer {
|
||||
|
||||
private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
|
||||
private static final boolean FALLBACK_TO_JAVA_SERIALIZATION =
|
||||
!Boolean.getBoolean("hawkbit.security.contextSerializer.json.no-fallback-to-java");
|
||||
|
||||
@Override
|
||||
public String serialize(final SecurityContext securityContext) {
|
||||
@@ -124,13 +110,6 @@ public interface SecurityContextSerializer {
|
||||
Objects.requireNonNull(securityContextString);
|
||||
final String securityContextTrimmed = securityContextString.trim();
|
||||
try {
|
||||
// java serialization starts with {@link ObjectStreamConstants#STREAM_MAGIC} (0xAC, 0xED) bytes
|
||||
// while trimmed json object starts with '{'
|
||||
if (FALLBACK_TO_JAVA_SERIALIZATION &&
|
||||
(securityContextTrimmed.isEmpty() || securityContextTrimmed.charAt(0) != '{')) {
|
||||
return JAVA_SERIALIZATION.deserialize(securityContextString);
|
||||
}
|
||||
|
||||
return OBJECT_MAPPER.readerFor(SecCtxInfo.class).<SecCtxInfo> readValue(securityContextTrimmed).toSecurityContext();
|
||||
} catch (final JsonProcessingException e) {
|
||||
throw new RuntimeException(e);
|
||||
|
||||
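Review bot: A legacy Java-serialized context still persisted by an earlier hawkbit release, or an empty/whitespace-only string that the removed guard used to divert, now reaches `OBJECT_MAPPER.readerFor(SecCtxInfo.class)` and, if the `catch` at the end of the hunk survives unchanged, surfaces only as a bare `RuntimeException` wrapping the `JsonProcessingException`. A named exception would let callers tell an unreadable stored context from a programming error, e.g. `throw new IllegalArgumentException("Security context is not JSON-serialized (legacy Java serialization is no longer supported)", e);`, keeping the payload itself out of the message since it may carry authorities or credentials. If they remain, the `JSON_SERIALIZATION` Javadoc line about falling back to `JAVA_SERIALIZATION` in the earlier hunk and the now-unused `hawkbit.security.contextSerializer.json.no-fallback-to-java` property should be dropped or updated in step. deserialize() starts and ends outside the hunk.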
@@ -10,7 +10,6 @@
|
||||
package org.eclipse.hawkbit.security;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.eclipse.hawkbit.security.SecurityContextSerializer.JAVA_SERIALIZATION;
|
||||
import static org.eclipse.hawkbit.security.SecurityContextSerializer.JSON_SERIALIZATION;
|
||||
|
||||
import java.util.List;
|
||||
@@ -63,24 +62,6 @@ class SecurityContextSerializerTest {
|
||||
assertThat(serialized).hasSizeLessThan(4096); // ensure that it is not too big
|
||||
}
|
||||
|
||||
// test JSON serialization fallback to java serialization
|
||||
@Test
|
||||
void backwardCompatibilityOfJavaSerialization() {
|
||||
final SecurityContext securityContext = SecurityContextHolder.getContext();
|
||||
securityContext.setAuthentication(
|
||||
new UsernamePasswordAuthenticationToken("user", null, AUTHORITIES.stream().map(SimpleGrantedAuthority::new).toList()));
|
||||
|
||||
final String newSerialized = JSON_SERIALIZATION.serialize(securityContext);
|
||||
final String oldSerialized = JAVA_SERIALIZATION.serialize(securityContext);
|
||||
|
||||
assertThat(oldSerialized).isNotEqualTo(newSerialized);
|
||||
final Authentication deserializedOld = JSON_SERIALIZATION.deserialize(oldSerialized).getAuthentication();
|
||||
final Authentication deserializedNew = JSON_SERIALIZATION.deserialize(newSerialized).getAuthentication();
|
||||
assertThat(SpringSecurityAuditorAware.resolveAuditor(deserializedOld)).hasToString(SpringSecurityAuditorAware.resolveAuditor(deserializedNew));
|
||||
assertThat(deserializedOld.getAuthorities()).isEqualTo(deserializedNew.getAuthorities());
|
||||
assertThat(deserializedOld.isAuthenticated()).isEqualTo(deserializedNew.isAuthenticated());
|
||||
}
|
||||
|
||||
@Test
|
||||
void testUsername() {
|
||||
final SecurityContext securityContext = SecurityContextHolder.getContext();
|
||||
@@ -106,4 +87,4 @@ class SecurityContextSerializerTest {
|
||||
}
|
||||
return sb.toString();
|
||||
}
|
||||
}
|
||||
}
|
||||