Background

Spring Security + Spring Session + Redis: fixing the JSON deserialization problem for SecurityContext and AuthenticationToken

Problem description

Caused by: java.lang.IllegalArgumentException: The class with com.hailiu.model.Role and name of com.hailiu.model.Role is not whitelisted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details
    at org.springframework.security.jackson2.SecurityJackson2Modules$WhitelistTypeIdResolver.typeFromId(SecurityJackson2Modules.java:252) ~[spring-security-core-5.3.5.RELEASE.jar:5.3.5.RELEASE]
    at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:154) ~[jackson-databind-2.11.3.jar:2.11.3]
    at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:115) ~[jackson-databind-2.11.3.jar:2.11.3]
    at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:99) ~[jackson-databind-2.11.3.jar:2.11.3]
    at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeWithType(BeanDeserializerBase.java:1209) ~[jackson-databind-2.11.3.jar:2.11.3]
    at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:292) ~[jackson-databind-2.11.3.jar:2.11.3]
    ... 63 common frames omitted

Related issue

https://github.com/spring-projects/spring-security/issues/9210

Problem analysis

Source of SecurityJackson2Modules.WhitelistTypeIdResolver.typeFromId (the method in the stack trace above):

		@Override
		public JavaType typeFromId(DatabindContext context, String id) throws IOException {
			DeserializationConfig config = (DeserializationConfig) context.getConfig();
			JavaType result = delegate.typeFromId(context, id);
			String className = result.getRawClass().getName();
			// Case 1: the class is in Spring Security's built-in whitelist
			if (isWhitelisted(className)) {
				return result;
			}
			// Case 2: a Mixin has been registered for the class on the ObjectMapper
			boolean isExplicitMixin = config.findMixInClassFor(result.getRawClass()) != null;
			if (isExplicitMixin) {
				return result;
			}
			// Case 3: the class carries a Jackson annotation (meta-annotated with @JacksonAnnotation)
			JacksonAnnotation jacksonAnnotation = AnnotationUtils.findAnnotation(result.getRawClass(), JacksonAnnotation.class);
			if (jacksonAnnotation != null) {
				return result;
			}
			throw new IllegalArgumentException("The class with " + id + " and name of " + className + " is not whitelisted. " +
				"If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. " +
				"If the serialization is only done by a trusted source, you can also enable default typing. " +
				"See https://github.com/spring-projects/spring-security/issues/4370 for details");
		}

There are exactly three cases in which this exception is not thrown:

1. The class is on the whitelist.

However, the whitelist is a fixed set inside Spring Security; it cannot be extended or added to.

2. A Mixin class is registered for the class.

3. The class carries a @JacksonAnnotation.

All of Jackson's own annotations are themselves annotated with @JacksonAnnotation, so any Jackson annotation on the class satisfies this check.

Solutions

Approach 1

Write a Mixin class and register it on the ObjectMapper.

Reference: Spring Session & RedisでJacksonを使ったシリアライズを試してみる (Japanese article: trying out Jackson serialization with Spring Session and Redis)

Approach 2

Add a Jackson annotation to the class in question.
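A Spring configuration that applies approach 1, as an added example that is not from the original post (approach 2 is the same annotations placed directly on the class instead of on a Mixin). It assumes a domain class com.hailiu.model.Role with a no-arg constructor; the bean name springSessionDefaultRedisSerializer is the one Spring Session's Redis configuration consumes, and the explicit Mixin keeps the whitelist check in force for every other class rather than enabling default typing globally.

```java
// Added example, not the original post's code. Assumes com.hailiu.model.Role
// has a no-arg constructor; the bean name below is the one Spring Session
// looks up for its Redis serializer.
package com.hailiu.config;

import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.hailiu.model.Role;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.RedisSerializer;
import org.springframework.security.jackson2.SecurityJackson2Modules;

@Configuration
public class SessionSerializerConfig {

    // Mixin for Role (approach 1). Registering it with addMixIn makes
    // WhitelistTypeIdResolver's findMixInClassFor() check pass for Role,
    // while every other unlisted class is still rejected.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class")
    @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY,
            getterVisibility = JsonAutoDetect.Visibility.NONE,
            isGetterVisibility = JsonAutoDetect.Visibility.NONE)
    @JsonIgnoreProperties(ignoreUnknown = true)
    abstract static class RoleMixin {
    }

    @Bean
    public RedisSerializer<Object> springSessionDefaultRedisSerializer() {
        ObjectMapper mapper = new ObjectMapper();
        // Spring Security's modules: mixins for SecurityContextImpl,
        // UsernamePasswordAuthenticationToken etc., plus the whitelist resolver.
        mapper.registerModules(SecurityJackson2Modules.getModules(getClass().getClassLoader()));
        // Our own class becomes deserializable through the explicit Mixin.
        mapper.addMixIn(Role.class, RoleMixin.class);
        return new GenericJackson2JsonRedisSerializer(mapper);
    }
}
```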

References

Spring Session & RedisでJacksonを使ったシリアライズを試してみる (Japanese article: trying out Jackson serialization with Spring Session and Redis)
