Describe the bug While following upgrade of spring security in preparation for move to Spring Boot 3 (Spring 6) from Spring Boot 2.7.8, we encountered an issue in a SpringBootTest for a RestController. We have a JWT token with two Map properties. It seems that a Map key of any other number type works except for Long with the upgrade. We were able to trace the issue to the nimbus-jose-jwt dependency version 9.24.4 provided via spring-security-oauth2-jose (version 5.8.1). nimbus-jose-jwt version 9.22 works fine.

To Reproduce Upgrade a spring boot 2.7.8 application with spring-security to 3 following directions here: [https://docs.spring.io/spring-security/reference/5.8/migration/index.html]. Write a spring boot test to call a GET resource with a Authorization header with Bearer token containing a Map property. The test fails with an exception similar to this: - WARN [main] handler.AbstractHandlerExceptionResolver (AbstractHandlerExceptionResolver.java:207) - Resolved [org.springframework.http.converter.HttpMessageNotWritableException: Could not write JSON: class java.long.String cannot be cast to java.lang.Number (java.lang.String and java.lang.Number are in module java.base of loader 'bootstrap')]

Expected behavior A Map with a Long key should still work in a JWT token.

Sample Not able to provide code from application.

Comment From: sjohnr

@willweyant thanks for reaching out! I apologize for the delay in response.

We have a JWT token with two Map properties.

A Map with a Long key should still work in a JWT token.

Numbers in JSON (RFC 8259) are defined as integers (which would map to java.lang.Integer) and object keys are strings. I don't believe it's possible for such a Map to be represented in JSON.

We were able to trace the issue to the nimbus-jose-jwt dependency version 9.24.4 provided via spring-security-oauth2-jose (version 5.8.1). nimbus-jose-jwt version 9.22 works fine.

The nimbus-jose-jwt project is a separate project from Spring Security. You would be best suited to reach out on the issue tracker for the nimbus-jose-jwt project.

I'm going to close this issue since it's for an external project. If you still believe this is a bug in Spring Security, please provide a minimal, reproducible sample and I'll be happy to take a look.