What versions of Jackson are allowed in JBoss 6.4.20 patch?

挽巷
挽巷 2021-02-20 05:11

I am trying to update my version of Jackson being used after the 6.4.20 JBoss patch. I'm using org.codehause.jackson, and JBoss 6.4.x does not provide implicit dep

2 answers
  •  一生所求
    2021-02-20 05:41

    Building on @MhagnumDw's answer, I also encountered the same error with the JBoss 6.4.20 patch and used this solution. Here is the relevant source code from https://maven.repository.redhat.com/techpreview/all/org/codehaus/jackson/jackson-mapper-asl/1.9.9.redhat-6/jackson-mapper-asl-1.9.9.redhat-6-sources.jar in org.codehaus.jackson.map.deser.BeanDeserializerFactory:

    /**
     * @since 1.9.9.redhat-5
     */
    protected void checkLegalTypes(DeserializationConfig config, JavaType type,
            BeanDescription beanDesc)
        throws JsonMappingException
    {
        // There are certain nasty classes that could cause problems, mostly
        // via default typing -- catch them here.
        String full = type.getRawClass().getName();

        // _cfgLegalPackageNames holds the configured package-name prefixes
        // (typed as String so that startsWith below compiles).
        Iterator<String> iter = _cfgLegalPackageNames.iterator();

        boolean pass = false;

        while (iter.hasNext()) {
            // Plain string-prefix match against the fully qualified class name;
            // there is no package-boundary check.
            if (full.startsWith(iter.next())) {
                pass = true;
                break;
            }
        }

        if (!pass) {
            throw new JsonMappingException(
                    String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
        }
    }


    You can see that full.startsWith(iter.next()) means you can put in higher-level package names to whitelist. For example,

    
        
    
    

    would whitelist br.com.myapp.package.aclass and br.com.myapp.package.bclass
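To make the prefix-matching behaviour concrete, here is an added stand-alone Java model of the check. It is not code from the page, from Jackson or from Red Hat's patch; the class name PackagePrefixWhitelist, the whitelist entries and the class names it tests (br.com.myapp.packagelegacy.Old, org.example.AnyClassOnTheClasspath) are constructed for the example. It shows what the answer describes (one entry admits every class under it) together with the caveat that follows from plain String.startsWith: an entry without a trailing dot also admits sibling packages that merely share its spelling, and a very short entry such as "org." admits any org.* class an attacker names in a default-typing payload, which is the surface the patch exists to close.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Stand-alone model of the whitelist logic in checkLegalTypes (hypothetical,
 * not Jackson's or Red Hat's code): a class passes if any configured entry is
 * a plain string prefix of its fully qualified name.
 */
public final class PackagePrefixWhitelist {
    private final List<String> legalPackageNames;

    public PackagePrefixWhitelist(List<String> legalPackageNames) {
        this.legalPackageNames = legalPackageNames;
    }

    /** Same test as the patched factory: String.startsWith against each entry. */
    public boolean isLegal(String fullClassName) {
        for (String prefix : legalPackageNames) {
            if (fullClassName.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** Rejects exactly where the real check would throw JsonMappingException. */
    public void check(String fullClassName) {
        if (!isLegal(fullClassName)) {
            throw new IllegalArgumentException(String.format(
                    "Illegal type (%s) to deserialize: prevented for security reasons", fullClassName));
        }
    }

    public static void main(String[] args) {
        // 1. The entry from the answer: a package name without a trailing dot.
        PackagePrefixWhitelist loose =
                new PackagePrefixWhitelist(Arrays.asList("br.com.myapp.package"));
        System.out.println(loose.isLegal("br.com.myapp.package.aclass"));    // true, intended
        System.out.println(loose.isLegal("br.com.myapp.package.bclass"));    // true, intended
        // startsWith knows nothing about package boundaries, so a sibling
        // package that shares the spelling is accepted as well (constructed name).
        System.out.println(loose.isLegal("br.com.myapp.packagelegacy.Old")); // true, probably not intended

        // 2. A trailing dot pins the entry to that package and its subpackages.
        PackagePrefixWhitelist strict =
                new PackagePrefixWhitelist(Arrays.asList("br.com.myapp.package."));
        System.out.println(strict.isLegal("br.com.myapp.package.aclass"));    // true
        System.out.println(strict.isLegal("br.com.myapp.packagelegacy.Old")); // false

        // 3. The shorter the entry, the more of the classpath is reachable
        // through default typing: "org." admits every org.* class (constructed name).
        PackagePrefixWhitelist broad = new PackagePrefixWhitelist(Arrays.asList("org."));
        System.out.println(broad.isLegal("org.example.AnyClassOnTheClasspath")); // true

        // 4. Anything outside every entry is rejected with the patch's message.
        try {
            strict.check("org.example.AnyClassOnTheClasspath");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

When choosing entries for the real whitelist, list the narrowest packages that actually contain your beans, end each entry with a dot so it cannot match a sibling package, and avoid entries that cover third-party or JDK packages.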
