Expected Behavior
Allow custom extensions of WebAuthenticationDetails to be deserialized by Jackson.
Current Behavior
The current public constructor on WebAuthenticationDetails expects a HttpServletRequest, which is not available at the time of deserialization.
Context
We use a custom extension of WebAuthenticationDetails (e.g. ExWebAuthenticationDetails) along with a custom AbstractUserDetailsAuthenticationProvider to set it up. This all works great, except we are unable to deserialize ExWebAuthenticationDetails using Jackson because the only accessible constructor expects a HttpServletRequest.
It seems like this has been considered because WebAuthenticationDetails has a private constructor specifically for Jackson, but we can't use it because it's private: https://github.com/spring-projects/spring-security/blob/82426e20e1d3a407984fea99a3370080aa715f93/web/src/main/java/org/springframework/security/web/authentication/WebAuthenticationDetails.java#L56
At the moment our options are to create a mock implementation of HttpServletRequest that satisfies the constructor usage, or alternatively copy the entire WebAuthenticationDetails class into our codebase... :/
Thanks!
Comment From: jzheaux
Thanks for the context, @danwashusen. I think it's reasonable to make the constructor public at this point.
To make it public, I think we should change the HttpServletRequest constructor to call it. Also, for consistency with the rest of Spring Security, the now-public constructor should remove the final keywords from the constructor parameters.
Can you submit a PR along those lines?
Comment From: jzheaux
I hope you had a nice holiday, @danwashusen! Are you interested in submitting a PR to address this issue?
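An added sketch, not code from this thread or from Spring Security, of how the subclass named in the issue could be given a Jackson creator once a request is no longer required. It assumes the (remoteAddress, sessionId) constructor is public as proposed above; the `deviceId` field and the `X-Device-Id` header are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.http.HttpServletRequest; // javax.servlet.http on Spring Security 5.x
import org.springframework.security.web.authentication.WebAuthenticationDetails;

public class ExWebAuthenticationDetails extends WebAuthenticationDetails {

    // Hypothetical extra attribute carried alongside remoteAddress and sessionId.
    private final String deviceId;

    // Runtime path: built from the live request while authenticating.
    public ExWebAuthenticationDetails(HttpServletRequest request) {
        super(request);
        this.deviceId = request.getHeader("X-Device-Id"); // hypothetical header
    }

    // Deserialization path: no request exists, so delegate to the
    // (remoteAddress, sessionId) constructor, ASSUMED public as proposed in the thread.
    @JsonCreator
    public ExWebAuthenticationDetails(
            @JsonProperty("remoteAddress") String remoteAddress,
            @JsonProperty("sessionId") String sessionId,
            @JsonProperty("deviceId") String deviceId) {
        super(remoteAddress, sessionId);
        this.deviceId = deviceId;
    }

    public String getDeviceId() {
        return this.deviceId;
    }

    // Round trip with a plain ObjectMapper, using constructed sample values.
    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        ExWebAuthenticationDetails original =
                new ExWebAuthenticationDetails("203.0.113.7", "sample-session-id", "sample-device");

        String json = mapper.writeValueAsString(original);
        ExWebAuthenticationDetails restored =
                mapper.readValue(json, ExWebAuthenticationDetails.class);

        System.out.println(json);
        System.out.println(restored.getRemoteAddress() + " / " + restored.getDeviceId());
    }
}
```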