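@Override
public JavaType typeFromId(DatabindContext context, String id) throws IOException {
    // Resolve the id through the delegate exactly once; every branch below only
    // decides whether the resolved class may be instantiated from payload-controlled
    // type information.
    DeserializationConfig config = (DeserializationConfig) context.getConfig();
    JavaType result = delegate.typeFromId(context, id);
    String className = result.getRawClass().getName();

    // 1. Explicit allowlist keyed by fully-qualified class name.
    if (isWhitelisted(className)) {
        // The original called delegate.typeFromId(context, id) a second time here;
        // `result` already holds that value, so return it directly (this also matches
        // what the Mixin and annotation branches below return).
        return result;
    }

    // 2. A Mixin registered for the resolved class counts as an explicit opt-in.
    boolean isExplicitMixin = config.findMixInClassFor(result.getRawClass()) != null;
    if (isExplicitMixin) {
        return result;
    }

    // 3. A class carrying a Jackson annotation is treated as intentionally Jackson-mapped.
    //    NOTE(review): AnnotationUtils.findAnnotation presumably also looks through the
    //    class hierarchy and meta-annotations, so an annotation inherited from a base type
    //    is enough to pass. That is a wider trust boundary than the name allowlist above;
    //    confirm it is intended for the payloads this resolver sees.
    JacksonAnnotation jacksonAnnotation = AnnotationUtils.findAnnotation(result.getRawClass(), JacksonAnnotation.class);
    if (jacksonAnnotation != null) {
        return result;
    }

    // Reject everything else so a type id from the payload cannot name an arbitrary
    // class on the classpath.
    throw new IllegalArgumentException("The class with " + id + " and name of " + className
            + " is not whitelisted. "
            + "If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. "
            + "If the serialization is only done by a trusted source, you can also enable default typing. "
            + "See https://github.com/spring-projects/spring-security/issues/4370 for details");
}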
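@Override
public JavaType typeFromId(DatabindContext context, String id) throws IOException {
    // Resolve the id through the delegate exactly once; every branch below only
    // decides whether the resolved class may be instantiated from payload-controlled
    // type information.
    DeserializationConfig config = (DeserializationConfig) context.getConfig();
    JavaType result = delegate.typeFromId(context, id);
    String className = result.getRawClass().getName();

    // 1. Explicit allowlist keyed by fully-qualified class name.
    if (isWhitelisted(className)) {
        // The original called delegate.typeFromId(context, id) a second time here;
        // `result` already holds that value, so return it directly (this also matches
        // what the Mixin and annotation branches below return).
        return result;
    }

    // 2. A Mixin registered for the resolved class counts as an explicit opt-in.
    boolean isExplicitMixin = config.findMixInClassFor(result.getRawClass()) != null;
    if (isExplicitMixin) {
        return result;
    }

    // 3. A class carrying a Jackson annotation is treated as intentionally Jackson-mapped.
    //    NOTE(review): AnnotationUtils.findAnnotation presumably also looks through the
    //    class hierarchy and meta-annotations, so an annotation inherited from a base type
    //    is enough to pass. That is a wider trust boundary than the name allowlist above;
    //    confirm it is intended for the payloads this resolver sees.
    JacksonAnnotation jacksonAnnotation = AnnotationUtils.findAnnotation(result.getRawClass(), JacksonAnnotation.class);
    if (jacksonAnnotation != null) {
        return result;
    }

    // Reject everything else so a type id from the payload cannot name an arbitrary
    // class on the classpath.
    throw new IllegalArgumentException("The class with " + id + " and name of " + className
            + " is not whitelisted. "
            + "If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. "
            + "If the serialization is only done by a trusted source, you can also enable default typing. "
            + "See https://github.com/spring-projects/spring-security/issues/4370 for details");
}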
JavaType type = _idResolver.typeFromId(ctxt, typeId); if (type == null) {
@Override
public JavaType typeFromId(DatabindContext context, String id) throws IOException {
    // The delegate turns the id into a JavaType first; the allowlist is then applied
    // to the resolved class's package rather than to the raw id string.
    DeserializationConfig config = (DeserializationConfig) context.getConfig();
    JavaType resolved = this.delegate.typeFromId(context, id);
    Class<?> rawClass = resolved.getRawClass();
    Package pkg = rawClass.getPackage();

    // Accept when the package is trusted. A null Package (e.g. primitives and arrays,
    // and depending on JVM/class loader possibly classes without a package) is accepted
    // without consulting the allowlist — NOTE(review): confirm that is intended.
    boolean packageTrusted = (pkg == null) || isTrustedPackage(pkg.getName());
    if (packageTrusted) {
        return resolved;
    }

    // An explicitly registered Mixin for the resolved class is treated as opt-in.
    if (config.findMixInClassFor(rawClass) != null) {
        return resolved;
    }

    // Otherwise refuse: a type id taken from the payload must not reach an arbitrary class.
    String message = "The class with " + id + " and name of " + rawClass.getName()
            + " is not in the trusted packages: " + this.trustedPackages + ". "
            + "If you believe this class is safe to deserialize, please provide its name or an explicit Mixin. "
            + "If the serialization is only done by a trusted source, you can also enable default typing.";
    throw new IllegalArgumentException(message);
}
@Override
public JavaType handleMissingTypeId(DeserializationContext ctxt, JavaType baseType, TypeIdResolver idResolver, String failureMsg) throws IOException {
    // When the payload carries no type id and the declared base type is Feature, fall
    // back to the concrete "Feature" id instead of treating the missing id as an error.
    boolean isFeatureBase = Feature.class.equals(baseType.getRawClass());
    if (!isFeatureBase) {
        // Every other base type keeps the superclass's missing-type-id handling.
        return super.handleMissingTypeId(ctxt, baseType, idResolver, failureMsg);
    }
    return idResolver.typeFromId(ctxt, "Feature");
}
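@Override
public JavaType typeFromId(DatabindContext context, String id) throws IOException {
    // Resolve the id through the delegate exactly once; every branch below only
    // decides whether the resolved class may be instantiated from payload-controlled
    // type information.
    DeserializationConfig config = (DeserializationConfig) context.getConfig();
    JavaType result = delegate.typeFromId(context, id);
    String className = result.getRawClass().getName();

    // 1. Explicit allowlist keyed by fully-qualified class name.
    if (isWhitelisted(className)) {
        // The original called delegate.typeFromId(context, id) a second time here;
        // `result` already holds that value, so return it directly (this also matches
        // what the Mixin and annotation branches below return).
        return result;
    }

    // 2. A Mixin registered for the resolved class counts as an explicit opt-in.
    boolean isExplicitMixin = config.findMixInClassFor(result.getRawClass()) != null;
    if (isExplicitMixin) {
        return result;
    }

    // 3. A class carrying a Jackson annotation is treated as intentionally Jackson-mapped.
    //    NOTE(review): AnnotationUtils.findAnnotation presumably also looks through the
    //    class hierarchy and meta-annotations, so an annotation inherited from a base type
    //    is enough to pass. That is a wider trust boundary than the name allowlist above;
    //    confirm it is intended for the payloads this resolver sees.
    JacksonAnnotation jacksonAnnotation = AnnotationUtils.findAnnotation(result.getRawClass(), JacksonAnnotation.class);
    if (jacksonAnnotation != null) {
        return result;
    }

    // Reject everything else so a type id from the payload cannot name an arbitrary
    // class on the classpath.
    throw new IllegalArgumentException("The class with " + id + " and name of " + className
            + " is not whitelisted. "
            + "If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. "
            + "If the serialization is only done by a trusted source, you can also enable default typing. "
            + "See https://github.com/spring-projects/spring-security/issues/4370 for details");
}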
@Override
public JavaType typeFromId(DatabindContext context, String id) throws IOException {
    // The delegate turns the id into a JavaType first; the allowlist is then applied
    // to the resolved class's package rather than to the raw id string.
    DeserializationConfig config = (DeserializationConfig) context.getConfig();
    JavaType resolved = this.delegate.typeFromId(context, id);
    Class<?> rawClass = resolved.getRawClass();
    Package pkg = rawClass.getPackage();

    // Accept when the package is trusted. A null Package (e.g. primitives and arrays,
    // and depending on JVM/class loader possibly classes without a package) is accepted
    // without consulting the allowlist — NOTE(review): confirm that is intended.
    boolean packageTrusted = (pkg == null) || isTrustedPackage(pkg.getName());
    if (packageTrusted) {
        return resolved;
    }

    // An explicitly registered Mixin for the resolved class is treated as opt-in.
    if (config.findMixInClassFor(rawClass) != null) {
        return resolved;
    }

    // Otherwise refuse: a type id taken from the payload must not reach an arbitrary class.
    String message = "The class with " + id + " and name of " + rawClass.getName()
            + " is not in the trusted packages: " + this.trustedPackages + ". "
            + "If you believe this class is safe to deserialize, please provide its name or an explicit Mixin. "
            + "If the serialization is only done by a trusted source, you can also enable default typing.";
    throw new IllegalArgumentException(message);
}
deser = _deserializers.get(typeId); if (deser == null) { JavaType type = _idResolver.typeFromId(typeId); if (type == null) {
deser = _deserializers.get(typeId); if (deser == null) { JavaType type = _idResolver.typeFromId(typeId); if (type == null) {
JavaType type = _idResolver.typeFromId(ctxt, typeId); if (type == null) {
JavaType type = _idResolver.typeFromId(ctxt, typeId); if (type == null) {
@Override
public Object deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
    // Route to the type deserializer only when the parser exposes a native type id AND
    // the resolver maps it to a type; otherwise the typed path could hand the value
    // straight back to this deserializer and recurse without bound.
    if (!p.canReadTypeId()) {
        return super.deserialize(p, ctxt);
    }
    Object nativeTypeId = p.getTypeId();
    if (nativeTypeId == null || _typeDeserializer == null) {
        return super.deserialize(p, ctxt);
    }
    TypeIdResolver idResolver = _typeDeserializer.getTypeIdResolver();
    boolean resolvable = idResolver != null
            && idResolver.typeFromId(ctxt, nativeTypeId.toString()) != null;
    return resolvable
            ? _typeDeserializer.deserializeTypedFromAny(p, ctxt)
            : super.deserialize(p, ctxt);
}
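@Override
public Object deserializeWithType(JsonParser p, DeserializationContext ctxt, TypeDeserializer typeDeserializer) throws IOException {
    // Prefer the type deserializer whenever type information is present — even for
    // scalar values — but only when the native type id actually resolves; otherwise the
    // typed path would bounce back here and recurse without bound.
    if (typeDeserializer != null && p.canReadTypeId()) {
        Object typeId = p.getTypeId();
        if (typeId != null) {
            TypeIdResolver resolver = typeDeserializer.getTypeIdResolver();
            // Reuse the id read above instead of calling p.getTypeId() a second time as
            // the original did, so the null check and the resolved value refer to the
            // same object (and this matches the equivalent check in deserialize()).
            if (resolver != null && resolver.typeFromId(ctxt, typeId.toString()) != null) {
                return typeDeserializer.deserializeTypedFromAny(p, ctxt);
            }
        }
    }
    return super.deserializeWithType(p, ctxt, typeDeserializer);
}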
if (_typeDeserializer != null) { TypeIdResolver idResolver = _typeDeserializer.getTypeIdResolver(); JavaType keyType = idResolver.typeFromId(ctxt, p.getTypeId().toString()); if (keyType != null) { deserializer = ctxt.findKeyDeserializer(keyType, null);
JavaType type = _idResolver.typeFromId(ctxt, typeId); if (type == null) {
JavaType type = _idResolver.typeFromId(ctxt, typeId); if (type == null) {
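private Object _deserialize(JsonParser p, DeserializationContext ctxt) throws IOException, JsonProcessingException {
    // An Ion value may carry several type annotations; decide which one names the type.
    String[] typeIds = ionParser(p).getTypeAnnotations(); // cannot return null
    String typeIdToUse = null;
    TypeIdResolver typeIdResolver = super.getTypeIdResolver();
    if (typeIdResolver instanceof MultipleTypeIdResolver) {
        // A resolver that understands multiple ids makes the choice itself.
        typeIdToUse = ((MultipleTypeIdResolver) typeIdResolver).selectId(typeIds);
    } else if (typeIdResolver != null) {
        // Plain resolver: use the FIRST annotation it can resolve. The original loop had
        // no `break`, so it silently kept the LAST resolvable id while its comment
        // promised the first; breaking makes the code match that intent and stops
        // resolving further ids once one is found.
        // NOTE(review): a resolver that rejects ids by throwing rather than returning
        // null will abort here on the first rejected annotation.
        for (String typeId : typeIds) {
            if (typeIdResolver.typeFromId(ctxt, typeId) != null) {
                typeIdToUse = typeId;
                break;
            }
        }
    }
    JsonDeserializer<?> deserializer = (typeIdToUse == null)
            ? _findDefaultImplDeserializer(ctxt)
            : super._findDeserializer(ctxt, typeIdToUse);
    // 22-Mar-2017, tatu: Getting `null` presumably means that no type id nor
    // default impl found, but that this is ok (otherwise exception thrown)
    if (deserializer == null) {
        return null;
    }
    return deserializer.deserialize(p, ctxt);
}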