
fix jackson2 array deserialize #1678


Conversation

chenzhenjia

Using http://127.0.0.1:3000/oauth2/authorize?scope=openid%20profile&client_id=xx&response_type=code&state=12345&test=1&test=2 throws an IllegalArgumentException:

Caused by: java.lang.IllegalArgumentException: The class with [Ljava.lang.String; and name of [Ljava.lang.String; is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details
	at org.springframework.security.jackson2.SecurityJackson2Modules$AllowlistTypeIdResolver.typeFromId(SecurityJackson2Modules.java:285)

This is because the Spring Security jackson2 module does not support deserialization of arrays.

"org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest": {
        "@class": "org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest",
        "authorizationUri": "http://127.0.0.1:3000/oauth2/authorize",
        "authorizationGrantType": {
            "value": "authorization_code"
        },
        "responseType": {
            "value": "code"
        },
        "clientId": "JK8x0nogVy9",
        "redirectUri": "http://www.baidu.com",
        "scopes": [
            "java.util.Collections$UnmodifiableSet",
            [
                "openid",
                "profile",
                "roles"
            ]
        ],
        "state": "12345",
        "additionalParameters": {
            "@class": "java.util.Collections$UnmodifiableMap",
            "test": [
                "[Ljava.lang.String;",
                [
                    "1",
                    "2"
                ]
            ]
        },
        "authorizationRequestUri": "http://127.0.0.1:3000/oauth2/authorize?response_type=code&client_id=JK8x0nogVy9&scope=openid%20profile%20roles&state=12345&redirect_uri=http://www.baidu.com&test=%5BLjava.lang.String;@6279dcb4",
        "attributes": {
            "@class": "java.util.Collections$UnmodifiableMap"
        }
    }

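The following is an added example (written for this page, not code from spring-authorization-server or from the PR author) that reproduces the rejection above with Spring Security's own allowlisting ObjectMapper and then shows a caller-side workaround. It assumes `spring-security-oauth2-client` (which supplies the Jackson mixin for `OAuth2AuthorizationRequest`) and `jackson-databind` are on the classpath; the `redirectUri`, client id and parameter values are constructed, and `collapseToStrings` is a hypothetical mitigation, not the fix that was merged in gh-1676. The allowlist check is deliberate: with default typing enabled, the `@class` ids in stored JSON name the classes Jackson will instantiate, so Spring Security refuses any id it has not explicitly allowed (see the spring-security issue 4370 linked in the error), and `[Ljava.lang.String;` is simply not on that list.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import com.fasterxml.jackson.databind.Module;
import com.fasterxml.jackson.databind.ObjectMapper;

import org.springframework.security.jackson2.SecurityJackson2Modules;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;

/**
 * Added example: reproduces the allowlist rejection for a String[] additional
 * parameter and demonstrates a caller-side workaround. Not project code.
 */
public class AuthorizationRequestArrayParamDemo {

    /** ObjectMapper configured the way the authorization service does it: Spring Security's allowlisting modules. */
    static ObjectMapper securityMapper() {
        ClassLoader classLoader = AuthorizationRequestArrayParamDemo.class.getClassLoader();
        List<Module> modules = SecurityJackson2Modules.getModules(classLoader);
        ObjectMapper mapper = new ObjectMapper();
        mapper.registerModules(modules);
        return mapper;
    }

    /** Builds a request shaped like the JSON in the issue; URIs and ids here are constructed values. */
    static OAuth2AuthorizationRequest request(Map<String, Object> additionalParameters) {
        return OAuth2AuthorizationRequest.authorizationCode()
                .authorizationUri("http://127.0.0.1:3000/oauth2/authorize")
                .clientId("xx")
                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/xx")   // assumed value
                .scopes(Set.of("openid", "profile"))
                .state("12345")
                .additionalParameters(additionalParameters)
                .build();
    }

    /**
     * Hypothetical workaround (an assumption, not the merged fix): collapse a repeated
     * query parameter to a single String before the request is stored, so that only
     * allowlisted types ever reach the serialized form. A String[] keeps its first
     * element; any other non-String value is stringified.
     */
    static Map<String, Object> collapseToStrings(Map<String, Object> additionalParameters) {
        Map<String, Object> collapsed = new LinkedHashMap<>();
        additionalParameters.forEach((name, value) -> {
            if (value instanceof String[]) {
                String[] values = (String[]) value;
                collapsed.put(name, values.length > 0 ? values[0] : "");
            } else {
                collapsed.put(name, String.valueOf(value));
            }
        });
        return collapsed;
    }

    /** Jackson wraps the allowlist failure; walk to the root IllegalArgumentException message. */
    static String rootMessage(Throwable t) {
        while (t.getCause() != null) {
            t = t.getCause();
        }
        return t.getMessage();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = securityMapper();

        // "?test=1&test=2" arrives as a String[] in the additional parameters.
        Map<String, Object> raw = new LinkedHashMap<>();
        raw.put("test", new String[] {"1", "2"});

        // Serialization succeeds and embeds the type id "[Ljava.lang.String;" ...
        String json = mapper.writeValueAsString(request(raw));
        System.out.println(json);
        try {
            mapper.readValue(json, OAuth2AuthorizationRequest.class);
        } catch (Exception ex) {
            // ... but AllowlistTypeIdResolver refuses to map that id back to a class.
            System.out.println("rejected: " + rootMessage(ex));
        }

        // With the values collapsed to Strings, the round trip succeeds.
        String safeJson = mapper.writeValueAsString(request(collapseToStrings(raw)));
        OAuth2AuthorizationRequest restored = mapper.readValue(safeJson, OAuth2AuthorizationRequest.class);
        System.out.println("restored test=" + restored.getAdditionalParameters().get("test"));
    }
}
```

Run it with the same mapper setup the `JdbcOAuth2AuthorizationService` uses and the first round trip fails with the exact "is not in the allowlist" message from the stack trace above, while the collapsed form deserializes. Collapsing parameters is a stopgap for deployments that cannot upgrade yet; it silently drops the second value of a repeated parameter, which may or may not be acceptable for a given client.
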
@chenzhenjia
Author

Also, the authorizationRequestUri value of OAuth2AuthorizationRequest is incorrect, but this is a problem with Spring Security OAuth2 core.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 24, 2024
@jgrandja
Collaborator

Thanks for the PR @chenzhenjia.

However, @MrJovanovic13 already offered to provide the fix (see comment) and I just merged it via gh-1676.

I'll close this as a duplicate.

@jgrandja jgrandja closed this Jul 31, 2024
@jgrandja jgrandja self-assigned this Jul 31, 2024
@jgrandja jgrandja added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 31, 2024
@chenzhenjia chenzhenjia deleted the fix-jackson2-array-deserialize branch August 1, 2024 01:47