Spring Security + Session Redis: solving the JSON serialization error [The class xxx and name of xxx is not whitelisted.]
Prerequisite
Spring Security + Spring Session + Redis: solving the JSON deserialization problem for [SecurityContext] and [AuthenticationToken]
Problem description
Caused by: java.lang.IllegalArgumentException: The class with com.hailiu.model.Role and name of com.hailiu.model.Role is not whitelisted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details
at org.springframework.security.jackson2.SecurityJackson2Modules$WhitelistTypeIdResolver.typeFromId(SecurityJackson2Modules.java:252) ~[spring-security-core-5.3.5.RELEASE.jar:5.3.5.RELEASE]
at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:154) ~[jackson-databind-2.11.3.jar:2.11.3]
at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:115) ~[jackson-databind-2.11.3.jar:2.11.3]
at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:99) ~[jackson-databind-2.11.3.jar:2.11.3]
at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeWithType(BeanDeserializerBase.java:1209) ~[jackson-databind-2.11.3.jar:2.11.3]
at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:292) ~[jackson-databind-2.11.3.jar:2.11.3]
... 63 common frames omitted
Related issue:
https://github.com/spring-projects/spring-security/issues/9210
Problem analysis
Source code (SecurityJackson2Modules.WhitelistTypeIdResolver.typeFromId, the method at the top of the stack trace above):
@Override
public JavaType typeFromId(DatabindContext context, String id) throws IOException {
    DeserializationConfig config = (DeserializationConfig) context.getConfig();
    // Resolve the "@class" id to a JavaType with the wrapped default resolver first
    JavaType result = delegate.typeFromId(context, id);
    String className = result.getRawClass().getName();
    // Case 1: the class is on the fixed, built-in whitelist
    if (isWhitelisted(className)) {
        return result;
    }
    // Case 2: a Mixin has been registered for the class on the ObjectMapper
    boolean isExplicitMixin = config.findMixInClassFor(result.getRawClass()) != null;
    if (isExplicitMixin) {
        return result;
    }
    // Case 3: the class itself carries a Jackson annotation
    // (every Jackson annotation is meta-annotated with @JacksonAnnotation)
    JacksonAnnotation jacksonAnnotation = AnnotationUtils.findAnnotation(result.getRawClass(), JacksonAnnotation.class);
    if (jacksonAnnotation != null) {
        return result;
    }
    // Otherwise refuse to deserialize the type: this is the exception seen above
    throw new IllegalArgumentException("The class with " + id + " and name of " + className + " is not whitelisted. " +
        "If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. " +
        "If the serialization is only done by a trusted source, you can also enable default typing. " +
        "See https://github.com/spring-projects/spring-security/issues/4370 for details");
}
There are exactly three cases in which this exception is not thrown:
1. The class is on the whitelist. The whitelist, however, is a fixed set inside Spring Security: it cannot be extended or added to by application code.
2. A corresponding Mixin class has been registered for the class.
3. The class carries a Jackson annotation. Every Jackson annotation is meta-annotated with @JacksonAnnotation, which is what AnnotationUtils.findAnnotation looks for.
Solution
Method 1
Write a Mixin class for the affected class and register it on the ObjectMapper.
Reference: Spring Session & RedisでJacksonを使ったシリアライズを試してみる (Japanese article: trying Jackson-based serialization with Spring Session & Redis)
Method 2
Add Jackson annotations directly to the class in question.
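Method 1 in working form, as an added example and not code from the original post: a Mixin for the com.hailiu.model.Role class named in the stack trace, registered on the ObjectMapper that Spring Session uses for Redis. The configuration class and its package are hypothetical, and Role is assumed to have a no-arg constructor so Jackson can instantiate it.

```java
package com.example.config; // hypothetical package for this added example

import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.hailiu.model.Role;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.RedisSerializer;
import org.springframework.security.jackson2.SecurityJackson2Modules;

@Configuration
public class SessionSerializerConfig {

    // Mixin: these annotations are applied to Role without touching the domain class.
    // A registered Mixin satisfies the second branch of typeFromId(), so Role no
    // longer has to be on the fixed whitelist and default typing stays disabled.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
    @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY,
                    getterVisibility = JsonAutoDetect.Visibility.NONE,
                    isGetterVisibility = JsonAutoDetect.Visibility.NONE)
    @JsonIgnoreProperties(ignoreUnknown = true)
    abstract static class RoleMixin {
    }

    // Spring Session looks up a RedisSerializer bean with exactly this name.
    @Bean
    public RedisSerializer<Object> springSessionDefaultRedisSerializer() {
        ObjectMapper mapper = new ObjectMapper();
        // Spring Security's own modules: the whitelist plus Mixins for
        // SecurityContextImpl, UsernamePasswordAuthenticationToken, SimpleGrantedAuthority, ...
        mapper.registerModules(SecurityJackson2Modules.getModules(getClass().getClassLoader()));
        // Admit only our Role class; no enableDefaultTyping() on the mapper.
        mapper.addMixIn(Role.class, RoleMixin.class);
        return new GenericJackson2JsonRedisSerializer(mapper);
    }
}
```

Because the Mixin is scoped to Role alone, the check that rejects arbitrary class names found in session data stays in force for everything else; enabling default typing on the mapper, the other option the exception message mentions, would instead accept any type id stored in Redis. Any further custom class that ends up inside the SecurityContext needs its own Mixin (or Jackson annotations) in the same way.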