Skip to content

Jackson2ExecutionContextStringSerializer: customization #3765

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
fprochazka opened this issue Aug 24, 2020 · 8 comments · Fixed by #3787
Closed

Jackson2ExecutionContextStringSerializer: customization #3765

fprochazka opened this issue Aug 24, 2020 · 8 comments · Fixed by #3787
Labels
in: core type: enhancement
Milestone
4.3.0

Comments

@fprochazka
Copy link

fprochazka commented Aug 24, 2020
edited
Loading

I would like to be able to extend the TRUSTED_CLASS_NAMES without having to copy&paste the entire Jackson2ExecutionContextStringSerializer.

I can see that you had to fix a security vuln in #3732, but it broke (de)serialization in a lot of apps. I have no problem adding the annotations to my classes, but I have no idea how to allow java.util.UUID.

I suggest that you introduce a mechanism, that would allow me to extend the list of trusted classes in case there is a JDK/library class I cannot modify.

Also it's really hard to override the serializer and I had to extend a bunch of configuration and bean factory classes to accomplish it.
@fprochazka fprochazka added status: waiting-for-triage Issues that we did not analyse yet type: feature labels Aug 24, 2020
@mminella
Copy link
Member

Mixins are the expected way to handle classes you do not have the ability to modify with Jackson. Is there a reason you cannot use one for UUID? That being said, if we can confirm UUID is not a "gadget class", it also feels like one that would be reasonable to just add to our list.

@fprochazka
Copy link
Author

fprochazka commented Aug 25, 2020
edited
Loading

@mminella Can you please show me how to configure the Jackson2ExecutionContextStringSerializer to allow UUID? How do I tell the ObjectMapper instance inside the class about the mixin?

I do not believe it's currently possible. I could configure my own ObjectMapper and add the mixin there, but then I lose the default, because setting the ObjectMapper resets the default and the createTrustedDefaultTyping() is private and I see no way to hook into that without reflection magic.

@snussbaumer
Copy link

I had the same issue than @fprochazka : maybe we're both missing something ... but as already stated if we create our own ObjectMapper we loose the TrustedTypeIdResolver entirely ...

Also I'm using spring-boot and used to having everything working out of the box with sensible defaults but still being configurable ... now to accept UUID (and java.sql.Timestamp in my case) I have to define a BatchConfigurer, configure a JobLauncher, JobRepository, JobExplorer (hoping I have everything setup correctly) ...

A property with a list of additional trusted types would be really great !

@fmbenhassine
Copy link
Contributor

When trying to compare how other projects from the portfolio deal with this requirement, I see that SI provides an utility method to create an ObjectMapper which accepts a list of trusted packages (to augment the base list).

We will discuss this internally and see the best way to address it.

@fmbenhassine fmbenhassine added this to the 4.3.0 milestone Sep 1, 2020
fmbenhassine added a commit to fmbenhassine/spring-batch that referenced this issue Oct 6, 2020
@fmbenhassine
Add ability to amend trusted classes in Jackson2ExecutionContextStrin…
758e25c 
…gSerializer

This commit adds the ability to specify additional trusted
classes without having to provide a custom object mapper.

Issue spring-projects#3765
fmbenhassine added a commit to fmbenhassine/spring-batch that referenced this issue Oct 6, 2020
@fmbenhassine
Add ability to amend trusted classes in Jackson2ExecutionContextStrin…
bfec9a9 
…gSerializer

This commit adds the ability to specify additional trusted
classes without having to provide a custom object mapper.

Issue spring-projects#3765
@fmbenhassine fmbenhassine mentioned this issue Oct 6, 2020
Merged
@fmbenhassine fmbenhassine linked a pull request Oct 6, 2020 that will close this issue
Add ability to amend trusted classes in Jackson2ExecutionContextStringSerializer #3787
Merged
@fmbenhassine
Copy link
Contributor

I suggest that you introduce a mechanism, that would allow me to extend the list of trusted classes in case there is a JDK/library class I cannot modify.

I opened #3787 for this. It adds the ability to extend the base set of trusted classes (by passing the additional ones at construction time of the Jackson2ExecutionContextStringSerializer) without having to specify a custom object mapper.

@fprochazka @snussbaumer Looking forward to your feedback on this.

@snussbaumer
Copy link

snussbaumer commented Oct 7, 2020
edited
Loading

Thanks, it looks quite good to me !

I know this is spring boot territory, but it would be perfect if the interface org.springframework.boot.autoconfigure.batch.BatchConfigurer had a method to return the serializer. It would be implemented in BasicBatchConfigurer with just return new Jackson2ExecutionContextStringSerializer().
BasicBatchConfigurer would then call this method to properly initialize the jobExplorer and jobRepository.

This would looks like this for people wanting to customize the serializer

public class MyBatchConfigurer extends BasicBatchConfigurer {
   @Override
   public ExecutionContextSerializer getExecutionContectSerializer() {
       return new Jackson2ExecutionContextStringSerializer(UUID.getClass)
   }
}

@fmbenhassine fmbenhassine mentioned this issue Oct 9, 2020
Closed
fmbenhassine added a commit that referenced this issue Oct 16, 2020
@fmbenhassine
Add ability to amend trusted classes in Jackson2ExecutionContextStrin…
a0bcd7c 
…gSerializer

This commit adds the ability to specify additional trusted
classes without having to provide a custom object mapper.

Issue #3765
@fmbenhassine
Copy link
Contributor

Thank you for your feedback! #3787 is now merged.

I know this is spring boot territory, but it would be perfect if the interface org.springframework.boot.autoconfigure.batch.BatchConfigurer had a method to return the serializer.

The serializer is an implementation detail of the JobRepository, so I don't think it is appropriate to add it to the BatchConfigurer interface. This can be discussed in a separate issue if needed.

@fmbenhassine fmbenhassine mentioned this issue Jan 25, 2021
Closed
@dependabot dependabot bot mentioned this issue Mar 7, 2021
Open
@fmbenhassine fmbenhassine mentioned this issue Jun 16, 2021
Closed
@rakshitcgupta
Copy link

rakshitcgupta commented Nov 25, 2024
edited
Loading

Hi, I am getting following error. It seems primitive types cannot be serialized.
What can we do to fix these?

Caused by: java.lang.IllegalArgumentException: The class with [I and name of [I is not trusted. If you believe this class is safe to deserialize, you can add it to the base set of trusted classes at construction time or provide an explicit mapping using Jackson annotations or a custom ObjectMapper. If the serialization is only done by a trusted source, you can also enable default typing.

Caused by: com.fasterxml.jackson.databind.JsonMappingException: The class with [I and name of [I is not trusted. If you believe this class is safe to deserialize, you can add it to the base set of trusted classes at construction time or provide an explicit mapping using Jackson annotations or a custom ObjectMapper. If the serialization is only done by a trusted source, you can also enable default typing. (through reference chain: java.util.HashMap["columnTypes"])

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
in: core type: enhancement
Projects
None yet
Milestone
4.3.0
5 participants
@fprochazka @mminella @fmbenhassine @snussbaumer @rakshitcgupta