Avoid LinkedMultiValueMap in Serializable Object

jzheaux · jzheaux · commit 3cfaf0d11da9 · 2022-12-23T15:54:00.000-07:00
Closes gh-11785
diff --git a/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java b/saml2/saml2-service-provider/src/opensaml4Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProvider.java
@@ -23,6 +23,7 @@
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.function.Consumer;
@@ -659,7 +660,7 @@ private static Map<String, List<Object>> getAssertionAttributes(Assertion assert
 				attributeMap.addAll(attribute.getName(), attributeValues);
 			}
 		}
-		return attributeMap;
+		return new LinkedHashMap<>(attributeMap); // gh-11785
 	}
 
 	private static List<String> getSessionIndexes(Assertion assertion) {
diff --git a/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java b/saml2/saml2-service-provider/src/opensaml4Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml4AuthenticationProviderTests.java
@@ -32,6 +32,7 @@
 
 import javax.xml.namespace.QName;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
 import net.shibboleth.utilities.java.support.xml.SerializeSupport;
 import org.junit.jupiter.api.Test;
 import org.opensaml.core.xml.XMLObject;
@@ -68,6 +69,7 @@
 
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.jackson2.SecurityJackson2Modules;
 import org.springframework.security.saml2.Saml2Exception;
 import org.springframework.security.saml2.core.Saml2Error;
 import org.springframework.security.saml2.core.Saml2ErrorCodes;
@@ -349,6 +351,23 @@ public void authenticateWhenAssertionContainsAttributesThenItSucceeds() {
 		assertThat(principal.getSessionIndexes()).contains("session-index");
 	}
 
+	// gh-11785
+	@Test
+	public void deserializeWhenAssertionContainsAttributesThenWorks() throws Exception {
+		ObjectMapper mapper = new ObjectMapper();
+		ClassLoader loader = getClass().getClassLoader();
+		mapper.registerModules(SecurityJackson2Modules.getModules(loader));
+		Response response = response();
+		Assertion assertion = assertion();
+		List<AttributeStatement> attributes = TestOpenSamlObjects.attributeStatements();
+		assertion.getAttributeStatements().addAll(attributes);
+		response.getAssertions().add(signed(assertion));
+		Saml2AuthenticationToken token = token(response, verifying(registration()));
+		Authentication authentication = this.provider.authenticate(token);
+		String result = mapper.writeValueAsString(authentication);
+		mapper.readValue(result, Authentication.class);
+	}
+
 	@Test
 	public void authenticateWhenAssertionContainsCustomAttributesThenItSucceeds() {
 		Response response = response();

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@`
`23`	`23`	`import java.util.Collection;`
`24`	`24`	`import java.util.Collections;`
`25`	`25`	`import java.util.HashMap;`
	`26`	`+import java.util.LinkedHashMap;`
`26`	`27`	`import java.util.List;`
`27`	`28`	`import java.util.Map;`
`28`	`29`	`import java.util.function.Consumer;`
`@@ -659,7 +660,7 @@ private static Map<String, List<Object>> getAssertionAttributes(Assertion assert`
`659`	`660`	`attributeMap.addAll(attribute.getName(), attributeValues);`
`660`	`661`	`}`
`661`	`662`	`}`
`662`		`- return attributeMap;`
	`663`	`+ return new LinkedHashMap<>(attributeMap); // gh-11785`
`663`	`664`	`}`
`664`	`665`
`665`	`666`	`private static List<String> getSessionIndexes(Assertion assertion) {`