Skip to content

Add Allow List to Jackson Support #4370

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rwinch opened this issue Jun 6, 2017 · 15 comments
Closed

Add Allow List to Jackson Support #4370

rwinch opened this issue Jun 6, 2017 · 15 comments
Assignees
@rwinch
Labels
in: cas An issue in spring-security-cas in: core An issue in spring-security-core in: web An issue in web modules (web, webmvc) type: bug A general bug
Milestone
4.2.3

Comments

@rwinch
Copy link
Member

rwinch commented Jun 6, 2017

Summary

There are some performance optimizations we can provide for jackson integration
@rwinch rwinch added type: bug A general bug in: cas An issue in spring-security-cas in: core An issue in spring-security-core in: web An issue in web modules (web, webmvc) labels Jun 6, 2017
@rwinch rwinch added this to the 4.2.3 milestone Jun 6, 2017
@rwinch rwinch self-assigned this Jun 6, 2017
@rwinch rwinch closed this as completed Jun 8, 2017
rwinch added a commit that referenced this issue Jun 8, 2017
@rwinch
Update SecurityJackson2Modules
947d11f 
Fixes gh-4370
rwinch added a commit that referenced this issue Jun 8, 2017
@rwinch
Update SecurityJackson2Modules
5dee853 
Fixes gh-4370
@fpavageau fpavageau mentioned this issue Jul 20, 2017
Merged
1 task
@chrisburrell chrisburrell mentioned this issue Dec 1, 2017
Closed
@TanqiZhou
Copy link

org.springframework.security.authentication.BadCredentialsException is not whitelisted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See #4370 for details; nested exception is java.

@vpavic vpavic mentioned this issue Mar 6, 2018
Closed
@YLombardi YLombardi mentioned this issue Mar 8, 2018
Merged
@davideanderson davideanderson mentioned this issue Mar 27, 2018
Closed
@iKrushYou iKrushYou mentioned this issue Apr 9, 2018
Closed
thomasdarimont pushed a commit to thomasdarimont/spring-security that referenced this issue Apr 25, 2018
@rwinch @thomasdarimont
Update SecurityJackson2Modules
263bdb0 
Fixes spring-projectsgh-4370
@chrylis
Copy link

chrylis commented Aug 10, 2018

Since the error message points to this issue, can it please get a link to documentation on enabling default typing?

@miladamery
Copy link

Since the error message points to this issue, can it please get a link to documentation on enabling default typing?

Hi. i have same issue and cant find how to enable default typing. i really appreciate if you provide a link or something else that says how to do it.

@jzheaux
Copy link
Contributor

jzheaux commented Mar 12, 2019

To (de)serialize a BadCredentialsException, use CoreJackson2Module:

@Bean
public ObjectMapper objectMapper() {
    ObjectMapper mapper = new ObjectMapper()
    mapper.registerModule(new CoreJackson2Module());
    // ... your other configuration
    return mapper;
}

This calls SecurityJackson2Modules.enableDefaultTyping and adds the BadCredentialsException mixin.

@TanqiZhou
Copy link

Good

@mengelbrecht mengelbrecht mentioned this issue Nov 20, 2020
Closed
@vkatoch2000 vkatoch2000 mentioned this issue Mar 25, 2021
Closed
siporqueno added a commit to siporqueno/spring-two that referenced this issue Apr 30, 2021
@siporqueno
Homework of Lesson 5. Modified objectMapper config in SessionConfig b…
33805a2 
…ased on spring-projects/spring-security#4370
@pengliaoye pengliaoye mentioned this issue Aug 8, 2021
Closed
@Basit-Mahmood Basit-Mahmood mentioned this issue Aug 16, 2021
Closed
@koundinya-goparaju-wcar
Copy link

I am getting the following error when I try to deserialize the OAuth2AuthenticationToken
The class with org.springframework.security.web.authentication.WebAuthenticationDetails and name of org.springframework.security.web.authentication.WebAuthenticationDetails is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details (through reference chain: org.springframework.security.core.context.SecurityContextImpl["authentication"]->org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken["details"])

Closed
@mbarringer mbarringer mentioned this issue Nov 5, 2021
Closed
@Ravis22 Ravis22 mentioned this issue Jan 5, 2022
Closed
kinsersh added a commit to kinsersh/spring-authorization-server that referenced this issue May 18, 2022
@kinsersh
Fix deserialize incompatibility with Okta ver claim
9300062 
Okta includes a "ver" claim in the ID tokens it issues that gets serialized to json, as follows:
{
  "@Class": "java.util.Collections$UnmodifiableMap",
  "ver": [
    "java.lang.Long",
    1
  ]
}

This claim is added by Okta automatically (see https://developer.okta.com/docs/reference/api/oidc/#id-token).

Spring Authorization Server encounters an error when attempting to deserialize this claim from Okta, as follows:
The class with java.lang.Long and name of java.lang.Long is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See spring-projects/spring-security#4370 for details
java.lang.IllegalArgumentException: The class with java.lang.Long and name of java.lang.Long is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See spring-projects/spring-security#4370 for details
	at org.springframework.security.jackson2.SecurityJackson2Modules$AllowlistTypeIdResolver.typeFromId(SecurityJackson2Modules.java:253)

The issue at spring-projects#567 has a similar symptom, though this situation would be encountered by any project wanting to do OpenID Connect with Okta. I thus recommend a general fix rather than a project-specific fix as recommended at spring-projects#397.

This commit defines a mixin that doesn't alter the json formatting but does instruct SecurityJackson2Modules.AllowlistTypeIdResolver to permit the deseralization of that Okta claim.

For broader context, below is an example of what is stored by Spring Authorization Server in the attributes column of the oauth2_authorization table.
{
  "@Class": "java.util.Collections$UnmodifiableMap",
  "org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest": {
    "@Class": "org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest",
    "authorizationUri": "http://localhost:5000/oauth2/authorize",
    "authorizationGrantType": {
      "value": "authorization_code"
    },
    "responseType": {
      "value": "code"
    },
    "clientId": "login-acceptance-test-client",
    "redirectUri": "http://127.0.0.1:5000/login-acceptance-test-client",
    "scopes": [
      "java.util.Collections$UnmodifiableSet",
      [
        "openid"
      ]
    ],
    "state": "foo",
    "additionalParameters": {
      "@Class": "java.util.Collections$UnmodifiableMap"
    },
    "authorizationRequestUri": "http://localhost:5000/oauth2/authorize?response_type=code&client_id=login-acceptance-test-client&scope=openid&state=foo&redirect_uri=http://127.0.0.1:5000/login-acceptance-test-client",
    "attributes": {
      "@Class": "java.util.Collections$UnmodifiableMap"
    }
  },
  "java.security.Principal": {
    "@Class": "org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken",
    "principal": {
      "@Class": "org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser",
      "authorities": [
        "java.util.Collections$UnmodifiableSet",
        [
          {
            "@Class": "org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority",
            "authority": "ROLE_USER",
            "idToken": {
              "@Class": "org.springframework.security.oauth2.core.oidc.OidcIdToken",
              "tokenValue": "actualTokenValueRemoved",
              "issuedAt": 1652411922.000000000,
              "expiresAt": 1652415522.000000000,
              "claims": {
                "@Class": "java.util.Collections$UnmodifiableMap",
                "at_hash": "X4TpvHXTMw3kaBMRas-H6A",
                "sub": "00u4zn2e0w8cRRFv75d1",
                "ver": [
                  "java.lang.Long",
                  1
                ],
                "amr": [
                  "java.util.ArrayList",
                  [
                    "pwd"
                  ]
                ],
                "iss": [
                  "java.net.URL",
                  "https://dev-231911394952.okta.com"
                ],
                "preferred_username": "login.at.okta.public.local",
                "nonce": "pWQDfOxvpslr_FWiTqHlIRdCiT5Sfq-PWvBmSyrDki0",
                "aud": [
                  "java.util.ArrayList",
                  [
                    "0oa4varwxxjIMcDph5d7"
                  ]
                ],
                "idp": "00otba6t5x5dSt78H5d6",
                "auth_time": [
                  "java.time.Instant",
                  1652411920.000000000
                ],
                "name": "login at okta public local test",
                "exp": [
                  "java.time.Instant",
                  1652415522.000000000
                ],
                "iat": [
                  "java.time.Instant",
                  1652411922.000000000
                ],
                "email": "[email protected]",
                "jti": "ID.IfAKG8WvCxOy023DLl6I-WY-4pHgxMJZv1F79rqAtYM"
              }
            },
            "userInfo": {
              "@Class": "org.springframework.security.oauth2.core.oidc.OidcUserInfo",
              "claims": {
                "@Class": "java.util.Collections$UnmodifiableMap",
                "sub": "00u4zn2e0w8cRRFv75d1",
                "zoneinfo": "America/Los_Angeles",
                "email_verified": true,
                "updated_at": [
                  "java.time.Instant",
                  1652216788.000000000
                ],
                "name": "login at okta public local test",
                "preferred_username": "login.at.okta.public.local",
                "locale": "en_US",
                "given_name": "login at okta public local",
                "family_name": "test",
                "email": "[email protected]"
              }
            }
          },
          {
            "@Class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
            "authority": "SCOPE_email"
          },
          {
            "@Class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
            "authority": "SCOPE_openid"
          },
          {
            "@Class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
            "authority": "SCOPE_phone"
          },
          {
            "@Class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
            "authority": "SCOPE_profile"
          }
        ]
      ],
      "idToken": {
        "@Class": "org.springframework.security.oauth2.core.oidc.OidcIdToken",
        "tokenValue": "actualTokenValueRemoved",
        "issuedAt": 1652411922.000000000,
        "expiresAt": 1652415522.000000000,
        "claims": {
          "@Class": "java.util.Collections$UnmodifiableMap",
          "at_hash": "X4TpvHXTMw3kaBMRas-H6A",
          "sub": "00u4zn2e0w8cRRFv75d1",
          "ver": [
            "java.lang.Long",
            1
          ],
          "amr": [
            "java.util.ArrayList",
            [
              "pwd"
            ]
          ],
          "iss": [
            "java.net.URL",
            "https://dev-231911394952.okta.com"
          ],
          "preferred_username": "login.at.okta.public.local",
          "nonce": "pWQDfOxvpslr_FWiTqHlIRdCiT5Sfq-PWvBmSyrDki0",
          "aud": [
            "java.util.ArrayList",
            [
              "0oa4varwxxjIMcDph5d7"
            ]
          ],
          "idp": "00otba6t5x5dSt78H5d6",
          "auth_time": [
            "java.time.Instant",
            1652411920.000000000
          ],
          "name": "login at okta public local test",
          "exp": [
            "java.time.Instant",
            1652415522.000000000
          ],
          "iat": [
            "java.time.Instant",
            1652411922.000000000
          ],
          "email": "[email protected]",
          "jti": "ID.IfAKG8WvCxOy023DLl6I-WY-4pHgxMJZv1F79rqAtYM"
        }
      },
      "userInfo": {
        "@Class": "org.springframework.security.oauth2.core.oidc.OidcUserInfo",
        "claims": {
          "@Class": "java.util.Collections$UnmodifiableMap",
          "sub": "00u4zn2e0w8cRRFv75d1",
          "zoneinfo": "America/Los_Angeles",
          "email_verified": true,
          "updated_at": [
            "java.time.Instant",
            1652216788.000000000
          ],
          "name": "login at okta public local test",
          "preferred_username": "login.at.okta.public.local",
          "locale": "en_US",
          "given_name": "login at okta public local",
          "family_name": "test",
          "email": "[email protected]"
        }
      },
      "nameAttributeKey": "sub"
    },
    "authorities": [
      "java.util.Collections$UnmodifiableRandomAccessList",
      [
        {
          "@Class": "org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority",
          "authority": "ROLE_USER",
          "idToken": {
            "@Class": "org.springframework.security.oauth2.core.oidc.OidcIdToken",
            "tokenValue": "actualTokenValueRemoved",
            "issuedAt": 1652411922.000000000,
            "expiresAt": 1652415522.000000000,
            "claims": {
              "@Class": "java.util.Collections$UnmodifiableMap",
              "at_hash": "X4TpvHXTMw3kaBMRas-H6A",
              "sub": "00u4zn2e0w8cRRFv75d1",
              "ver": [
                "java.lang.Long",
                1
              ],
              "amr": [
                "java.util.ArrayList",
                [
                  "pwd"
                ]
              ],
              "iss": [
                "java.net.URL",
                "https://dev-231911394952.okta.com"
              ],
              "preferred_username": "login.at.okta.public.local",
              "nonce": "pWQDfOxvpslr_FWiTqHlIRdCiT5Sfq-PWvBmSyrDki0",
              "aud": [
                "java.util.ArrayList",
                [
                  "0oa4varwxxjIMcDph5d7"
                ]
              ],
              "idp": "00otba6t5x5dSt78H5d6",
              "auth_time": [
                "java.time.Instant",
                1652411920.000000000
              ],
              "name": "login at okta public local test",
              "exp": [
                "java.time.Instant",
                1652415522.000000000
              ],
              "iat": [
                "java.time.Instant",
                1652411922.000000000
              ],
              "email": "[email protected]",
              "jti": "ID.IfAKG8WvCxOy023DLl6I-WY-4pHgxMJZv1F79rqAtYM"
            }
          },
          "userInfo": {
            "@Class": "org.springframework.security.oauth2.core.oidc.OidcUserInfo",
            "claims": {
              "@Class": "java.util.Collections$UnmodifiableMap",
              "sub": "00u4zn2e0w8cRRFv75d1",
              "zoneinfo": "America/Los_Angeles",
              "email_verified": true,
              "updated_at": [
                "java.time.Instant",
                1652216788.000000000
              ],
              "name": "login at okta public local test",
              "preferred_username": "login.at.okta.public.local",
              "locale": "en_US",
              "given_name": "login at okta public local",
              "family_name": "test",
              "email": "[email protected]"
            }
          }
        },
        {
          "@Class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
          "authority": "SCOPE_email"
        },
        {
          "@Class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
          "authority": "SCOPE_openid"
        },
        {
          "@Class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
          "authority": "SCOPE_phone"
        },
        {
          "@Class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
          "authority": "SCOPE_profile"
        }
      ]
    ],
    "authorizedClientRegistrationId": "oktaDev",
    "details": {
      "@Class": "org.springframework.security.web.authentication.WebAuthenticationDetails",
      "remoteAddress": "127.0.0.1",
      "sessionId": "A8634EA2537A251E8B3D22A5CC4A6E3D"
    }
  },
  "org.springframework.security.oauth2.server.authorization.OAuth2Authorization.AUTHORIZED_SCOPE": [
    "java.util.Collections$UnmodifiableSet",
    [
      "openid"
    ]
  ]
}
@kinsersh kinsersh mentioned this issue May 18, 2022
Closed
@Jxiu Jxiu mentioned this issue Aug 29, 2022
Closed
@najalba najalba mentioned this issue Sep 5, 2022
Closed
@klinck klinck mentioned this issue Nov 1, 2022
Open
@buckett buckett mentioned this issue Nov 10, 2022
Closed
@kuschzzp kuschzzp mentioned this issue Dec 16, 2022
Closed
@zkirill zkirill mentioned this issue Dec 18, 2022
Closed
@xuxiaowei-com-cn xuxiaowei-com-cn mentioned this issue Dec 30, 2022
Closed
lltx pushed a commit to pig-mesh/pig that referenced this issue Jan 4, 2023
@xuxiaowei-com-cn
✨ 将储存在 Redis 中的数据序列化为 JSON(本功能不兼容之前的Redis数据,需要将原有Redis数据清空才能正常使用)
b5ec3f4 
spring-projects/spring-security#4370
@buzzerrookie buzzerrookie mentioned this issue Jan 19, 2023
Closed
@nobodyiam nobodyiam mentioned this issue Mar 21, 2023
Closed
3 tasks
This was referenced Apr 6, 2023
Closed
Closed
@Been24 Been24 mentioned this issue May 22, 2023
Closed
@tsrgithub
Copy link

{
"error_description": "OpenID Connect 1.0 UserInfo Error: The class with java.util.Collections$SingletonMap and name of java.util.Collections$SingletonMap is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See #4370 for details",
"error": "invalid_request",
"error_uri": "https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError"
}

@encyclopedi2a encyclopedi2a mentioned this issue Jun 4, 2023
Closed
@rizkyJabar5
Copy link

{ "error_description": "OpenID Connect 1.0 UserInfo Error: The class with java.util.Collections$SingletonMap and name of java.util.Collections$SingletonMap is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See #4370 for details", "error": "invalid_request", "error_uri": "https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError" }

I have the same issue too. Has there been a fix for this?

@shrralis
Copy link

The same happens in Kotlin projects, e.g. The class with kotlin.collections.EmptyList and name of kotlin.collections.EmptyList is not in the allowlist

@timadeshola
Copy link

I am getting this error when attempt to generate refresh token. Using Spring Boot authorization server v3
The class with org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken and name of org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details

@a1473838623
Copy link

my solution for OAuth2AuthorizationService config.

    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class")
    public abstract static class SynchronizedSetMixin {
    }

    @Bean
    public OAuth2AuthorizationService authorizationService(JdbcTemplate jdbcTemplate,
                                                           RegisteredClientRepository registeredClientRepository) {
        JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper rowMapper =
                new JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper(registeredClientRepository);
        JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper oAuth2AuthorizationParametersMapper =
                new JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper();
        JdbcOAuth2AuthorizationService authorizationService =
                new JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository);
        ObjectMapper objectMapper = new ObjectMapper();

        ClassLoader classLoader = JdbcOAuth2AuthorizationService.class.getClassLoader();
        List<Module> securityModules = SecurityJackson2Modules.getModules(classLoader);
        objectMapper.registerModules(securityModules);
        objectMapper.registerModule(new OAuth2AuthorizationServerJackson2Module());

        objectMapper.addMixIn(Collections.synchronizedSet(new HashSet<>()).getClass(), SynchronizedSetMixin.class);

        rowMapper.setObjectMapper(objectMapper);
        oAuth2AuthorizationParametersMapper.setObjectMapper(objectMapper);
        authorizationService.setAuthorizationRowMapper(rowMapper);
        authorizationService.setAuthorizationParametersMapper(oAuth2AuthorizationParametersMapper);

        return authorizationService;
    }

@TeamOussama TeamOussama mentioned this issue Oct 18, 2024
Closed
@z1098416956
Copy link

z1098416956 commented Oct 30, 2024
edited
Loading

The class with java.util.ImmutableCollections$List12 and name of java.util.ImmutableCollections$List12 is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See #4370 for details???

所以这个是什么情况?
我已经把OAuth2Authorization.Token.class处理了,为什么还是出现这个错误?
` public class OAuth2AuthorizationModule extends SimpleModule {

@Serial
private static final long serialVersionUID = 1243758528885179491L;

public OAuth2AuthorizationModule() {
    super(OAuth2AuthorizationModule.class.getName(), new Version(1, 0, 0, null, null, null));
}

@Override
public void setupModule(SetupContext context) {
    SecurityJackson2Modules.enableDefaultTyping(context.getOwner());

    context.setMixInAnnotations(OAuth2Authorization.class, OAuth2AuthorizationMixin.class);
    context.setMixInAnnotations(OAuth2AuthorizationCode.class, OAuth2AuthorizationCodeMixin.class);
    context.setMixInAnnotations(OAuth2Authorization.Token.class, TokenMixin.class);
    context.setMixInAnnotations(OAuth2AccessToken.class, OAuth2AccessTokenMixin.class);
    context.setMixInAnnotations(OAuth2RefreshToken.class, OAuth2RefreshTokenMixin.class);
    context.setMixInAnnotations(AuthorizationGrantType.class, AuthorizationGrantTypeMixin.class);
    context.setMixInAnnotations(OAuth2AccessToken.TokenType.class, TokenTypeMixin.class);
}

} `

` @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
isGetterVisibility = JsonAutoDetect.Visibility.NONE)
@JsonIgnoreProperties(ignoreUnknown = true)
public abstract class TokenMixin {

@JsonCreator
TokenMixin(@JsonProperty("token") OAuth2Token token,
           @JsonProperty("metadata") Map<String, Object> metadata) {
}

} `

This was referenced Oct 30, 2024
Open
Open
@taraksuthar1999
Copy link

The class with com.example.authservice.security.models.CustomSecurityUserDetails and name of com.example.authservice.security.models.CustomSecurityUserDetails is not in the allowlist.

My Solution which worked for me was to create Deserializer for the class

@JsonTypeInfo(
        use = JsonTypeInfo.Id.CLASS,
        include = JsonTypeInfo.As.PROPERTY
)
@JsonDeserialize(
        using = CustomSecurityUserDeserializer.class
)
@JsonAutoDetect(
        fieldVisibility = JsonAutoDetect.Visibility.ANY,
        getterVisibility = JsonAutoDetect.Visibility.NONE,
        isGetterVisibility = JsonAutoDetect.Visibility.NONE
)
@JsonIgnoreProperties(
        ignoreUnknown = true
)
public class CustomSecurityUserDetails implements UserDetails {
.....
.....
}

musabbozkurt pushed a commit to musabbozkurt/oauth2-authorization-server that referenced this issue Feb 16, 2025
fix org.springframework.data.redis.serializer.SerializationException:…
8a1385f 
… Could not read JSON:The class with java.lang.Long and name of java.lang.Long is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See spring-projects/spring-security#4370 for details (through reference chain: java.util.HashMap["lastAccessedTime"])
This was referenced Mar 31, 2025
Closed
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rwinch rwinch

Labels
in: cas An issue in spring-security-cas in: core An issue in spring-security-core in: web An issue in web modules (web, webmvc) type: bug A general bug
Projects
None yet
Milestone
4.2.3
Development

No branches or pull requests
15 participants
@rwinch @chrylis @jzheaux @shrralis @miladamery @timadeshola @TanqiZhou @tsrgithub @bmaassenee @z1098416956 @rizkyJabar5 @koundinya-goparaju-wcar @a1473838623 @taraksuthar1999 and others