What versions of Jackson are allowed in JBoss 6.4.20 patch?

前端 未结 2 1543
挽巷
挽巷 2021-02-20 05:11

I am trying to update my version of Jackson being used after the 6.4.20 JBoss patch. I\'m using org.codehause.jackson, and JBoss 6.4.x does not provide implicit dep

相关标签:
2条回答
  • 2021-02-20 05:30

    I recently upgraded from JBoss EAP 6.3.0 to 6.4.20 and had the same exception.

    Following the stackstrace of the exception I discovered that it becomes necessary to set the system property jackson.deserialization.whitelist.packages with the full class name of the classes you want to deserialize.

    If you want you can put only the suffix of the package. For multiple values, separate by comma. You can see this in the jackson-mapper-asl-1.9.9.redhat-6.jar class org.codehaus.jackson.map.deser.BeanDeserializerFactory of line 38 to 45.

    For JBoss environments you can define the system property in your standalone*.xml or domain.xml, as follows:

    <system-properties>
        <property name="jackson.deserialization.whitelist.packages" value="br.com.myapp" />
    </system-properties>
    
    0 讨论(0)
  • 2021-02-20 05:41

    Building on @MhagnumDw's answer, I also encountered the same error with JBoss 6.4.20 patch and used this solution. Here is the source code relevant source code from https://maven.repository.redhat.com/techpreview/all/org/codehaus/jackson/jackson-mapper-asl/1.9.9.redhat-6/jackson-mapper-asl-1.9.9.redhat-6-sources.jar in org.codehaus.jackson.map.deser.BeanDeserializerFactory;

    /**
         * @since 1.9.9.redhat-5
         */
    protected void checkLegalTypes(DeserializationConfig config, JavaType type,
            BeanDescription beanDesc)
        throws JsonMappingException
    {
        // There are certain nasty classes that could cause problems, mostly
        // via default typing -- catch them here.
        String full = type.getRawClass().getName();
    
        Iterator<String> iter = _cfgLegalPackageNames.iterator();
    
        boolean pass = false;
    
        while(iter.hasNext()) {
            if(full.startsWith(iter.next())) {
                pass = true;
                break;
            }
        }
    
        if(!pass) {
            throw new JsonMappingException(
                                      String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
        }
    }
    

    You can see that full.startsWith(iter.next()) means you can put in higher level package names to whitelist. For example,

    <system-properties>
        <property name="jackson.deserialization.whitelist.packages" value="br.com.myapp" />
    </system-properties>
    

    would whitelist br.com.myapp.package.aclass and br.com.myapp.package.bclass

    0 讨论(0)
提交回复
热议问题