Support extensions of WebAuthenticationDetails when using Jackson serialization

[danwashusen]

Expected Behavior

Allow custom extensions of WebAuthenticationDetails to be deserialized by Jackson.

Current Behavior

The current public constructor on WebAuthenticationDetails expects a HttpServletRequest, which is not available at the time of deserialization.

Context

We use a custom extension of WebAuthenticationDetails (e.g. ExWebAuthenticationDetails) along with a custom AbstractUserDetailsAuthenticationProvider to set it up. This all works great, except we are unable to deserialize ExWebAuthenticationDetails using Jackson because the only accessible constructor expects a HttpServletRequest.

It seems like this has been considered because WebAuthenticationDetails has a private constructor specifically for Jackson, but we can't use it because it's private:

spring-security/web/src/main/java/org/springframework/security/web/authentication/WebAuthenticationDetails.java

Line 56 in 82426e2

private WebAuthenticationDetails(final String remoteAddress, final String sessionId) {

At the moment our options are to create a mock implementing of HttpServletRequest that satisfies the constructor usage, or alternativaly copy the entire WebAuthenticationDetails class into our codebase... :/

Thanks!

[jzheaux]

Thanks for the context, @danwashusen. I think it's reasonable to make the constructor public at this point.

To make it public, I think we should change the HttpServletRequest constructor to call it. Also, for consistency with the rest of Spring Security, the now-public constructor should remove the final keywords from the constructor parameters.

Can you submit a PR along those lines?

[jzheaux]

I hope you had a nice holiday, @danwashusen! Are you interested in submitting a PR to address this issue?