Spring Security SecurityJackson2Modules.getModules(): Cannot load module org.springframework.security.cas.jackson2.CasJackson2Module

Describe the bug CAS support was removed in Sping Security 6: https://github.com/spring-projects/spring-security/issues/10441 But there's a small bug that appears in Spring Security debug logs when adding SecurityJackson2Modules to Jackson ObjectMapper.

To Reproduce 1. Enable logging.level.org.springframework.security=DEBUG 2. Add SecurityJackson2Modules.getModules() to ObjectMapper

 final var objectMapper = JsonMapper.builder()
    .addModules(SecurityJackson2Modules.getModules(this.loader))
    .build();

1. You will see error in logs:

 | DEBUG | .s.s.j.SecurityJackson2Modules: 134 | Cannot load module org.springframework.security.cas.jackson2.CasJackson2Module
java.lang.ClassNotFoundException: org.springframework.security.cas.jackson2.CasJackson2Module
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
    at java.base/java.lang.Class.forName0(Native Method)
    at java.base/java.lang.Class.forName(Class.java:534)
    at java.base/java.lang.Class.forName(Class.java:513)
    at org.springframework.util.ClassUtils.forName(ClassUtils.java:304)
    at org.springframework.security.jackson2.SecurityJackson2Modules.loadAndGetInstance(SecurityJackson2Modules.java:127)
    at org.springframework.security.jackson2.SecurityJackson2Modules.addToModulesList(SecurityJackson2Modules.java:172)
    at org.springframework.security.jackson2.SecurityJackson2Modules.getModules(SecurityJackson2Modules.java:146)

Expected behavior No exceptions in logs

To fix Remove CasJackson2Module from org.springframework.security.jackson2.SecurityJackson2Modules#securityJackson2ModuleClasses

    private static final List<String> securityJackson2ModuleClasses = Arrays.asList(
            "org.springframework.security.jackson2.CoreJackson2Module",
            "org.springframework.security.cas.jackson2.CasJackson2Module",
            "org.springframework.security.web.jackson2.WebJackson2Module",
            "org.springframework.security.web.server.jackson2.WebServerJackson2Module");

Comment From: marcusdacoregio

Hi @tanis138, thanks for the report.

CAs support has been removed in 6.0 but re-added in 6.1. I believe that if there is no spring-security-cas module then it should refrain from trying to register its module. I'll take a look at this.

Comment From: tanis138

CAs support has been removed in 6.0 but re-added in 6.1.

Oh, I see. So, the solution would be like: ```

pivate static final String casJackson2ModuleClass = "org.springframework.security.cas.jackson2.CasJackson2Module";

private static final boolean casPresent;

static { casPresent = ClassUtils.isPresent(casJackson2ModuleClass, classLoader); }

public static List getModules(ClassLoader loader) {

if (casPresent ) {
    addToModulesList(loader, modules, casJackson2ModuleClass );
}

}