What versions of Jackson are allowed in JBoss 6.4.20 patch?

Submitted by China☆狼群 on 2020-07-06 08:40:10

Question


I am trying to update my version of Jackson being used after the 6.4.20 JBoss patch. I'm using org.codehaus.jackson, and JBoss 6.4.x does not provide implicit dependencies for the newer com.fasterxml.jackson as far as I'm aware.

Is it appropriate to assume that jackson-mapper-asl-1.9.9.redhat-6 is the valid package to use for this patch? When scrolling to the noarch section of the 6.4.20 announcement, I see codehaus-jackson-mapper-asl-1.9.9-12.redhat_6 mentioned. Does that mean this is the version recommended? I can see that it was released 05/14/18 and the announcement was made 05/15/18.

Currently I am experiencing the following error as codehaus-jackson-mapper-asl is associated with fasterxml-jackson-databind, leading me to believe I'm using the incorrect version.

16:01:22,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (http-127.0.0.1:8080-1) RESTEASY000100: Failed executing POST /find: org.jboss.resteasy.spi.ReaderException:

org.codehaus.jackson.map.JsonMappingException: Illegal type [...] to deserialize: prevented for security reasons

[...]

Caused by: org.codehaus.jackson.map.JsonMappingException: Illegal type [...] to deserialize: prevented for security reasons at org.codehaus.jackson.map.deser.BeanDeserializerFactory.checkLegalTypes(BeanDeserializerFactory.java:1521) [jackson-mapper-asl-1.9.9.redhat-6.jar:1.9.9.redhat-6]


Answer 1:


I recently upgraded from JBoss EAP 6.3.0 to 6.4.20 and had the same exception.

Following the stack trace of the exception, I discovered that it becomes necessary to set the system property jackson.deserialization.whitelist.packages with the full class name of the classes you want to deserialize.

If you want, you can put only the suffix of the package. For multiple values, separate them by comma. You can see this in the jackson-mapper-asl-1.9.9.redhat-6.jar class org.codehaus.jackson.map.deser.BeanDeserializerFactory at lines 38 to 45.

For JBoss environments you can define the system property in your standalone*.xml or domain.xml, as follows:

<system-properties>
    <property name="jackson.deserialization.whitelist.packages" value="br.com.myapp" />
</system-properties>



Answer 2:


Building on @MhagnumDw's answer, I also encountered the same error with the JBoss 6.4.20 patch and used this solution. Here is the relevant source code from https://maven.repository.redhat.com/techpreview/all/org/codehaus/jackson/jackson-mapper-asl/1.9.9.redhat-6/jackson-mapper-asl-1.9.9.redhat-6-sources.jar in org.codehaus.jackson.map.deser.BeanDeserializerFactory:

/**
 * @since 1.9.9.redhat-5
 */
protected void checkLegalTypes(DeserializationConfig config, JavaType type,
        BeanDescription beanDesc)
    throws JsonMappingException
{
    // There are certain nasty classes that could cause problems, mostly
    // via default typing -- catch them here.
    String full = type.getRawClass().getName();

    Iterator<String> iter = _cfgLegalPackageNames.iterator();

    boolean pass = false;

    while (iter.hasNext()) {
        if (full.startsWith(iter.next())) {
            pass = true;
            break;
        }
    }

    if (!pass) {
        throw new JsonMappingException(
                String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
    }
}

You can see that full.startsWith(iter.next()) means you can put in higher level package names to whitelist. For example,

<system-properties>
    <property name="jackson.deserialization.whitelist.packages" value="br.com.myapp" />
</system-properties>

would whitelist br.com.myapp.package.aclass and br.com.myapp.package.bclass.
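As an added example (not code from the original answers or from the Red Hat Jackson sources), the following stand-alone class models the quoted prefix check so you can try whitelist values before putting them into standalone.xml. The comma-separated parsing of the property value follows Answer 1's description and is an assumption here, since the page does not show that part of BeanDeserializerFactory; the example also shows that plain startsWith matching does not stop at a package boundary, so a value like br.com.myapp admits classes under br.com.myappx as well.

```java
import java.util.ArrayList;
import java.util.List;

/** Model of the checkLegalTypes() decision rule quoted above (added example, not library code). */
public class WhitelistCheckDemo {

    /** Parse the comma-separated property value into package prefixes (assumed format, per Answer 1). */
    static List<String> parseWhitelist(String propertyValue) {
        List<String> prefixes = new ArrayList<>();
        if (propertyValue == null) {
            return prefixes;
        }
        for (String p : propertyValue.split(",")) {
            String trimmed = p.trim();
            if (!trimmed.isEmpty()) {
                prefixes.add(trimmed);
            }
        }
        return prefixes;
    }

    /** Same rule as the quoted code: the type passes if any prefix matches the start of its class name. */
    static boolean isLegalType(String fullClassName, List<String> prefixes) {
        for (String prefix : prefixes) {
            if (fullClassName.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: the same property value as in the answers' standalone.xml snippet.
        List<String> whitelist = parseWhitelist("br.com.myapp");
        String[] candidates = {
            "br.com.myapp.package.aclass",   // under the whitelisted package
            "br.com.myapp.package.bclass",   // under the whitelisted package
            "com.example.other.Dto",         // no prefix matches: the real check throws JsonMappingException
            "br.com.myappx.Anything"         // startsWith does not require a '.' after the prefix
        };
        for (String name : candidates) {
            System.out.println(name + " -> " + (isLegalType(name, whitelist) ? "allowed" : "rejected"));
        }
    }
}
```

If you want the whitelist to stop at the package boundary, end each configured value with a trailing dot (for example br.com.myapp.), since the check is a plain string prefix match.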



Source: https://stackoverflow.com/questions/50917932/what-versions-of-jackson-are-allowed-in-jboss-6-4-20-patch
