Add Allow List to Jackson Support

[rwinch]

Summary

There are some performance optimizations we can provide for jackson integration

[TanqiZhou]

org.springframework.security.authentication.BadCredentialsException is not whitelisted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See #4370 for details; nested exception is java.

[chrylis]

Since the error message points to this issue, can it please get a link to documentation on enabling default typing?

[miladamery]

Since the error message points to this issue, can it please get a link to documentation on enabling default typing?

Hi. i have same issue and cant find how to enable default typing. i really appreciate if you provide a link or something else that says how to do it.

[jzheaux]

To (de)serialize a BadCredentialsException, use CoreJackson2Module:

@Bean
public ObjectMapper objectMapper() {
    ObjectMapper mapper = new ObjectMapper()
    mapper.registerModule(new CoreJackson2Module());
    // ... your other configuration
    return mapper;
}

This calls SecurityJackson2Modules.enableDefaultTyping and adds the BadCredentialsException mixin.

[TanqiZhou]

Good

[koundinya-goparaju-wcar]

I am getting the following error when I try to deserialize the OAuth2AuthenticationToken
The class with org.springframework.security.web.authentication.WebAuthenticationDetails and name of org.springframework.security.web.authentication.WebAuthenticationDetails is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details (through reference chain: org.springframework.security.core.context.SecurityContextImpl["authentication"]->org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken["details"])

[tsrgithub]

{
"error_description": "OpenID Connect 1.0 UserInfo Error: The class with java.util.Collections$SingletonMap and name of java.util.Collections$SingletonMap is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See #4370 for details",
"error": "invalid_request",
"error_uri": "https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError"
}

[rizkyJabar5]

{ "error_description": "OpenID Connect 1.0 UserInfo Error: The class with java.util.Collections$SingletonMap and name of java.util.Collections$SingletonMap is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See #4370 for details", "error": "invalid_request", "error_uri": "https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError" }

I have the same issue too. Has there been a fix for this?

[shrralis]

The same happens in Kotlin projects, e.g. The class with kotlin.collections.EmptyList and name of kotlin.collections.EmptyList is not in the allowlist

[timadeshola]

I am getting this error when attempt to generate refresh token. Using Spring Boot authorization server v3
The class with org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken and name of org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details

[a1473838623]

my solution for OAuth2AuthorizationService config.

    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class")
    public abstract static class SynchronizedSetMixin {
    }

    @Bean
    public OAuth2AuthorizationService authorizationService(JdbcTemplate jdbcTemplate,
                                                           RegisteredClientRepository registeredClientRepository) {
        JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper rowMapper =
                new JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper(registeredClientRepository);
        JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper oAuth2AuthorizationParametersMapper =
                new JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper();
        JdbcOAuth2AuthorizationService authorizationService =
                new JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository);
        ObjectMapper objectMapper = new ObjectMapper();

        ClassLoader classLoader = JdbcOAuth2AuthorizationService.class.getClassLoader();
        List<Module> securityModules = SecurityJackson2Modules.getModules(classLoader);
        objectMapper.registerModules(securityModules);
        objectMapper.registerModule(new OAuth2AuthorizationServerJackson2Module());

        objectMapper.addMixIn(Collections.synchronizedSet(new HashSet<>()).getClass(), SynchronizedSetMixin.class);

        rowMapper.setObjectMapper(objectMapper);
        oAuth2AuthorizationParametersMapper.setObjectMapper(objectMapper);
        authorizationService.setAuthorizationRowMapper(rowMapper);
        authorizationService.setAuthorizationParametersMapper(oAuth2AuthorizationParametersMapper);

        return authorizationService;
    }

[z1098416956]

The class with java.util.ImmutableCollections$List12 and name of java.util.ImmutableCollections$List12 is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See #4370 for details？？？

所以这个是什么情况？
我已经把OAuth2Authorization.Token.class处理了，为什么还是出现这个错误？
` public class OAuth2AuthorizationModule extends SimpleModule {

@Serial
private static final long serialVersionUID = 1243758528885179491L;

public OAuth2AuthorizationModule() {
    super(OAuth2AuthorizationModule.class.getName(), new Version(1, 0, 0, null, null, null));
}

@Override
public void setupModule(SetupContext context) {
    SecurityJackson2Modules.enableDefaultTyping(context.getOwner());

    context.setMixInAnnotations(OAuth2Authorization.class, OAuth2AuthorizationMixin.class);
    context.setMixInAnnotations(OAuth2AuthorizationCode.class, OAuth2AuthorizationCodeMixin.class);
    context.setMixInAnnotations(OAuth2Authorization.Token.class, TokenMixin.class);
    context.setMixInAnnotations(OAuth2AccessToken.class, OAuth2AccessTokenMixin.class);
    context.setMixInAnnotations(OAuth2RefreshToken.class, OAuth2RefreshTokenMixin.class);
    context.setMixInAnnotations(AuthorizationGrantType.class, AuthorizationGrantTypeMixin.class);
    context.setMixInAnnotations(OAuth2AccessToken.TokenType.class, TokenTypeMixin.class);
}

} `

` @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
isGetterVisibility = JsonAutoDetect.Visibility.NONE)
@JsonIgnoreProperties(ignoreUnknown = true)
public abstract class TokenMixin {

@JsonCreator
TokenMixin(@JsonProperty("token") OAuth2Token token,
           @JsonProperty("metadata") Map<String, Object> metadata) {
}

} `

[taraksuthar1999]

The class with com.example.authservice.security.models.CustomSecurityUserDetails and name of com.example.authservice.security.models.CustomSecurityUserDetails is not in the allowlist.

My Solution which worked for me was to create Deserializer for the class

@JsonTypeInfo(
        use = JsonTypeInfo.Id.CLASS,
        include = JsonTypeInfo.As.PROPERTY
)
@JsonDeserialize(
        using = CustomSecurityUserDeserializer.class
)
@JsonAutoDetect(
        fieldVisibility = JsonAutoDetect.Visibility.ANY,
        getterVisibility = JsonAutoDetect.Visibility.NONE,
        isGetterVisibility = JsonAutoDetect.Visibility.NONE
)
@JsonIgnoreProperties(
        ignoreUnknown = true
)
public class CustomSecurityUserDetails implements UserDetails {
.....
.....
}