Skip to content

AbstractMappingContext not compatible with JDK 17 anymore and violates open JDK security policy. #2845

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
amidukr opened this issue Jun 7, 2023 · 3 comments
Labels
status: duplicate A duplicate of another issue

Comments

@amidukr
Copy link

amidukr commented Jun 7, 2023

The latest Java guideline mandates that the library should not use the reflection of setAccessible(true) on java., sun., com.sun.* package and this is what is done by AbstractMappingContext, which violates security guidelines and makes Spring Data legacy framework not compatible with JDK 17 anymore.

You can see more about that on the official java page.
https://docs.oracle.com/en/java/javase/17/migrate/migrating-jdk-8-later-jdk-releases.html#GUID-12F945EB-71D6-46AF-8C3D-D354FD0B1781

Any chance that Spring Data become compatible with a later version of JDK starting with JDK 9 and so?

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 7, 2023
@mp911de
Copy link
Member

mp911de commented Jun 7, 2023

This is a duplicate of #2844.

Spring Data 2.x is compatible with newer Java runtimes. Spring Data 3.x uses Java 17 as baseline. Please note that Spring Data doesn't distinguish between encapsulated and open types. If you choose to use a non-simple type that is encapsulated (e.g. java.time, BigInteger, BigDecimal, any type from your module path) then Spring Data continues to inspect constructors because in the end, the type needs to be constructed somehow.

Alternatively, you must provide a Converter that allows construction for Spring Data.

If you feel there's more we can do, then let us know about the details.

@mp911de mp911de closed this as not planned Won't fix, can't repro, duplicate, stale Jun 7, 2023
@mp911de mp911de added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 7, 2023
@amidukr
Copy link
Author

amidukr commented Jun 7, 2023

@mp911de Hi Mark, thank you for your reply.

If there is a way for me to write a custom Converter to overcome this issue, I would appreciate using it. I've tried following code snippet, didn't helped:

@Bean fun bigIntegerToStringConvertor() = BigIntegerToStringConvertor
@Bean fun stringToBigIntegerConvertor() = 

object BigIntegerToStringConvertor: Converter<BigInteger, String> {...}

Is that Converter that you suggesting, is needed for JPA or noSQL? What I see issue is happening with Spring Data support for noSQL like MongoDB, CosmosDB.

  • I am currently working with CosmosDB data module which is supported by the Microsoft team, for bean construction they use mainly Jackson mapper which can convert string values into POJO. They use AbstractMappingContext to scrabble annotation from pojo, quite possible that @ID can be embedded somewhere in the nested field-object.
  • Regarding MongoDB, that is supported by you guys, not sure if MongoDB is using Jackson mapper approach, I've tried to dig into the code, but didn't figure out. However, I see people complain on Stackoverflow about the same issue with MongoDB.

@mp911de
Copy link
Member

mp911de commented Jun 8, 2023

Converters aren't beans, converters need to be registered through CustomConversions with the Spring Data module this converter applies to.

Spring Data MongoDB has its own MappingMongoConverter that isn't based on Jackson but rather we apply conversions and mapping on our own. Jackson isn't flexible enough to apply conversion rules for Query and Update objects for partial updates. Also, it is very easy to configure something in Jackson that doesn't then work for the Spring Data infrastructure.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
status: duplicate A duplicate of another issue
Projects
None yet
Development

No branches or pull requests

3 participants