diff --git a/core/src/main/java/org/springframework/security/jackson2/SecurityJackson2Modules.java b/core/src/main/java/org/springframework/security/jackson2/SecurityJackson2Modules.java
index ef59d0a53e..b2492b2348 100644
--- a/core/src/main/java/org/springframework/security/jackson2/SecurityJackson2Modules.java
+++ b/core/src/main/java/org/springframework/security/jackson2/SecurityJackson2Modules.java
@@ -24,7 +24,9 @@ import com.fasterxml.jackson.databind.JavaType;
 import com.fasterxml.jackson.databind.Module;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.cfg.MapperConfig;
+import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
 import com.fasterxml.jackson.databind.jsontype.NamedType;
+import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
 import com.fasterxml.jackson.databind.jsontype.TypeIdResolver;
 import com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder;
 import org.apache.commons.logging.Log;
@@ -146,19 +148,29 @@ public final class SecurityJackson2Modules {
 }
 
 /**
- * An implementation of {@link ObjectMapper.DefaultTypeResolverBuilder} that overrides the {@link TypeIdResolver}
- * with {@link WhitelistTypeIdResolver}.
+ * An implementation of {@link ObjectMapper.DefaultTypeResolverBuilder}
+ * that inserts an {@code allow all} {@link PolymorphicTypeValidator}
+ * and overrides the {@code TypeIdResolver}
  * @author Rob Winch
  */
 static class WhitelistTypeResolverBuilder extends ObjectMapper.DefaultTypeResolverBuilder {
 
 WhitelistTypeResolverBuilder(ObjectMapper.DefaultTyping defaultTyping) {
- super(defaultTyping);
+ super(
+ defaultTyping,
+ //we do explicit validation in the TypeIdResolver
+ BasicPolymorphicTypeValidator.builder()
+ .allowIfSubType(Object.class)
+ .build()
+ );
 }
 
+ @Override
 protected TypeIdResolver idResolver(MapperConfig config,
- JavaType baseType, Collection subtypes, boolean forSer, boolean forDeser) {
- TypeIdResolver result = super.idResolver(config, baseType, subtypes, forSer, forDeser);
+ JavaType baseType,
+ PolymorphicTypeValidator subtypeValidator,
+ Collection subtypes, boolean forSer, boolean forDeser) {
+ TypeIdResolver result = super.idResolver(config, baseType, subtypeValidator, subtypes, forSer, forDeser);
 return new WhitelistTypeIdResolver(result);
 }
 }
diff --git a/core/src/main/java/org/springframework/security/jackson2/UserDeserializer.java b/core/src/main/java/org/springframework/security/jackson2/UserDeserializer.java
index b39b5ebc73..96d3ffe748 100644
--- a/core/src/main/java/org/springframework/security/jackson2/UserDeserializer.java
+++ b/core/src/main/java/org/springframework/security/jackson2/UserDeserializer.java
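Review bot: The `BasicPolymorphicTypeValidator.builder().allowIfSubType(Object.class).build()` handed to `super(...)` in the constructor switches off Jackson's own polymorphic type validation for this builder, so the `WhitelistTypeIdResolver` returned from `idResolver` is left as the only check between a JSON type-id value and class loading, and the one-line comment `//we do explicit validation in the TypeIdResolver` understates that. I would replace it with `// Allow-all on purpose: Jackson's PolymorphicTypeValidator is bypassed for this builder, so WhitelistTypeIdResolver (wrapped in idResolver below) is the sole allow-list gate for type ids -- do not loosen it.` The rewritten Javadoc also drops the earlier reference to `WhitelistTypeIdResolver`; its last line should read `* and overrides the {@link TypeIdResolver} with {@link WhitelistTypeIdResolver}, which performs the actual allow-list validation.` The two-argument `DefaultTypeResolverBuilder` constructor and the `subtypeValidator` parameter of `idResolver` appear to be the 2.10 API (the bump in `gradle/dependency-management.gradle` matches), so this presumably makes jackson-databind 2.10+ a hard runtime requirement for consumers of this module, which is worth stating explicitly. The enclosing class `SecurityJackson2Modules` continues outside the hunk.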
@@ -56,8 +56,11 @@ class UserDeserializer extends JsonDeserializer {
 public User deserialize(JsonParser jp, DeserializationContext ctxt) throws IOException, JsonProcessingException {
 ObjectMapper mapper = (ObjectMapper) jp.getCodec();
 JsonNode jsonNode = mapper.readTree(jp);
- Set authorities = mapper.convertValue(jsonNode.get("authorities"), new TypeReference>() {
- });
+ Set authorities =
+ mapper.convertValue(
+ jsonNode.get("authorities"),
+ new TypeReference>() {}
+ );
 JsonNode password = readJsonNode(jsonNode, "password");
 User result = new User(
 readJsonNode(jsonNode, "username").asText(), password.asText(""),
diff --git a/gradle/dependency-management.gradle b/gradle/dependency-management.gradle
index e9c886609c..62c6a51693 100644
--- a/gradle/dependency-management.gradle
+++ b/gradle/dependency-management.gradle
@@ -42,9 +42,9 @@ dependencyManagement {
 dependency 'asm:asm:3.1'
 dependency 'ch.qos.logback:logback-classic:1.2.3'
 dependency 'ch.qos.logback:logback-core:1.2.3'
- dependency 'com.fasterxml.jackson.core:jackson-annotations:2.9.10'
- dependency 'com.fasterxml.jackson.core:jackson-core:2.9.10'
- dependency 'com.fasterxml.jackson.core:jackson-databind:2.9.10'
+ dependency 'com.fasterxml.jackson.core:jackson-annotations:2.10.0'
+ dependency 'com.fasterxml.jackson.core:jackson-core:2.10.0'
+ dependency 'com.fasterxml.jackson.core:jackson-databind:2.10.0'
 dependency 'com.fasterxml:classmate:1.3.4'
 dependency 'com.github.stephenc.jcip:jcip-annotations:1.0-1'
 dependency 'com.google.appengine:appengine-api-1.0-sdk:1.9.76'