spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

SecurityJackson2Modules.getModules(): Cannot load module org.springframework.security.cas.jackson2.CasJackson2Module #15749

Closed tanis138 closed 1 month ago

tanis138 commented 1 month ago

**Describe the bug**
CAS support was removed in Spring Security 6: https://github.com/spring-projects/spring-security/issues/10441
But there's a small bug that appears in Spring Security debug logs when adding SecurityJackson2Modules to Jackson ObjectMapper.

**To Reproduce**

1. Enable logging.level.org.springframework.security=DEBUG
2. Add SecurityJackson2Modules.getModules() to ObjectMapper

        final var objectMapper = JsonMapper.builder()
                .addModules(SecurityJackson2Modules.getModules(this.loader))
                .build();

3. You will see an error in the logs:

        | DEBUG | .s.s.j.SecurityJackson2Modules: 134 | Cannot load module org.springframework.security.cas.jackson2.CasJackson2Module
        java.lang.ClassNotFoundException: org.springframework.security.cas.jackson2.CasJackson2Module
            at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
            at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
            at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:526)
            at java.base/java.lang.Class.forName0(Native Method)
            at java.base/java.lang.Class.forName(Class.java:534)
            at java.base/java.lang.Class.forName(Class.java:513)
            at org.springframework.util.ClassUtils.forName(ClassUtils.java:304)
            at org.springframework.security.jackson2.SecurityJackson2Modules.loadAndGetInstance(SecurityJackson2Modules.java:127)
            at org.springframework.security.jackson2.SecurityJackson2Modules.addToModulesList(SecurityJackson2Modules.java:172)
            at org.springframework.security.jackson2.SecurityJackson2Modules.getModules(SecurityJackson2Modules.java:146)


**Expected behavior**
No exceptions in logs

**To fix**
Remove CasJackson2Module from org.springframework.security.jackson2.SecurityJackson2Modules#securityJackson2ModuleClasses

    private static final List<String> securityJackson2ModuleClasses = Arrays.asList(
            "org.springframework.security.jackson2.CoreJackson2Module",
            "org.springframework.security.cas.jackson2.CasJackson2Module",
            "org.springframework.security.web.jackson2.WebJackson2Module",
            "org.springframework.security.web.server.jackson2.WebServerJackson2Module");

marcusdacoregio commented 1 month ago

Hi @tanis138, thanks for the report.

CAS support has been removed in 6.0 but re-added in 6.1. I believe that if there is no spring-security-cas module then it should refrain from trying to register its module. I'll take a look at this.

tanis138 commented 1 month ago

> CAS support has been removed in 6.0 but re-added in 6.1.

Oh, I see. So, the solution would be like:



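    private static final String casJackson2ModuleClass = "org.springframework.security.cas.jackson2.CasJackson2Module";

    private static final boolean casPresent;

    static {
        // Detect once, at class initialization, whether the CAS module class is on the classpath
        ClassLoader classLoader = SecurityJackson2Modules.class.getClassLoader();
        casPresent = ClassUtils.isPresent(casJackson2ModuleClass, classLoader);
    }

    public static List<Module> getModules(ClassLoader loader) {
        List<Module> modules = new ArrayList<>();
        // ... the other modules are added here, unchanged ...
        if (casPresent) {
            // Only attempt to load the CAS module when its class is available
            addToModulesList(loader, modules, casJackson2ModuleClass);
        }
        return modules;
    }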
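
Added example, not part of the thread and not Spring Security's own code: a JDK-only sketch of the guard discussed above, probing for an optional class with the same ClassLoader that later loads it, so an absent module is skipped quietly instead of producing a logged stack trace. The class and method names (`OptionalModules`, `isPresent`, `failuresWhenUnguarded`, `loadPresent`) and the candidate class names are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
public class OptionalModules {
    // Constructed stand-ins for module class names; the middle one is deliberately absent.
    static final List<String> CANDIDATES = List.of(
            "java.util.ArrayList",
            "example.absent.OptionalModule",
            "java.util.LinkedList");

    // Probe without initializing the class, using the loader that will do the real load.
    static boolean isPresent(String className, ClassLoader loader) {
        try {
            Class.forName(className, false, loader);
            return true;
        } catch (ClassNotFoundException | LinkageError ex) {
            return false;
        }
    }

    // Unguarded: every absent optional class surfaces as an exception the caller must log or swallow.
    static List<String> failuresWhenUnguarded(ClassLoader loader) {
        List<String> failures = new ArrayList<>();
        for (String name : CANDIDATES) {
            try {
                Class.forName(name, true, loader);
            } catch (ClassNotFoundException ex) {
                failures.add(ex.toString());
            }
        }
        return failures;
    }

    // Guarded: absent classes are skipped before any instantiation is attempted.
    static List<Object> loadPresent(ClassLoader loader) throws ReflectiveOperationException {
        List<Object> modules = new ArrayList<>();
        for (String name : CANDIDATES) {
            if (isPresent(name, loader)) {
                modules.add(Class.forName(name, true, loader).getDeclaredConstructor().newInstance());
            }
        }
        return modules;
    }

    public static void main(String[] args) throws Exception {
        ClassLoader loader = OptionalModules.class.getClassLoader();
        System.out.println("unguarded failures: " + failuresWhenUnguarded(loader));
        System.out.println("guarded modules loaded: " + loadPresent(loader).size());
    }
}
```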