Whitelist for Jackson security is too strict and doesn't work well with Redis sessions in spring-session #4889

Status: Closed
chrisburrell opened this issue Dec 1, 2017 · 1 comment
Labels: in: core (An issue in spring-security-core), type: enhancement (A general enhancement)

chrisburrell commented Dec 1, 2017
Summary

When enabling the GenericJackson2JsonRedisSerializer, serialisation of the session fails due to the restrictive whitelisting, as related to #4370.

This is because org.springframework.session.data.redis.RedisOperationsSessionRepository uses a HashMap to represent the "delta" field in its inner class RedisSession (org.springframework.session.data.redis.RedisOperationsSessionRepository.RedisSession).

Would it be possible to open up HashMaps for deserialisation purposes? Seeing as we already allow TreeMap, I can't see that a HashMap would make much difference security-wise.
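An added example (not code from the issue or from Spring Security) that reproduces the mismatch the report describes: an ObjectMapper carrying Spring Security's Jackson modules, wrapped in GenericJackson2JsonRedisSerializer, round-trips a TreeMap but, in the versions this issue reports against, rejects a HashMap when reading it back, because the allowlist that guards default typing against deserialization of arbitrary classes did not yet include java.util.HashMap. It assumes spring-security-core, spring-data-redis and Jackson on the classpath; the class and method names in the block are the example's own.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.TreeMap;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.SerializationException;
import org.springframework.security.jackson2.SecurityJackson2Modules;

public class SessionAllowlistCheck {

    // Builds the ObjectMapper the way a Spring Session user would for Redis.
    // Registering SecurityJackson2Modules enables default typing, so every
    // serialized value carries an "@class" hint that is checked against the
    // allowlist on the way back in.
    static ObjectMapper securityMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.registerModules(SecurityJackson2Modules.getModules(
                SessionAllowlistCheck.class.getClassLoader()));
        return mapper;
    }

    // Serializes and then deserializes a value through the Redis serializer.
    // Returns null when deserialization is refused; in the affected versions
    // that is what happens to the HashMap-backed "delta" field of RedisSession.
    static Object roundTrip(Object value) {
        GenericJackson2JsonRedisSerializer serializer =
                new GenericJackson2JsonRedisSerializer(securityMapper());
        byte[] json = serializer.serialize(value);
        try {
            return serializer.deserialize(json);
        } catch (SerializationException rejected) {
            // The serializer wraps the allowlist's IllegalArgumentException.
            System.err.println("rejected: " + rejected.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for session attributes.
        Map<String, Object> tree = new TreeMap<>();
        tree.put("attr", "value");
        Map<String, Object> hash = new HashMap<>(tree);

        System.out.println("TreeMap round trip: " + roundTrip(tree));
        System.out.println("HashMap round trip: " + roundTrip(hash));
    }
}
```

Against a release that includes the fix merged for this issue, both calls round-trip successfully, which is the quickest way to confirm the version in use carries the widened allowlist.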

chrisburrell pushed a commit to landbay/spring-security that referenced this issue Dec 1, 2017
rwinch pushed a commit that referenced this issue Jan 3, 2018
rwinch added a commit that referenced this issue Jan 3, 2018
rwinch pushed a commit that referenced this issue Jan 3, 2018
rwinch added a commit that referenced this issue Jan 3, 2018
rwinch added this to the 4.2.4 milestone Jan 3, 2018
rwinch added in: core An issue in spring-security-core type: enhancement A general enhancement labels Jan 3, 2018
rwinch self-assigned this Jan 3, 2018
rwinch modified the milestones: 4.2.4, 5.0.1 Jan 3, 2018
rwinch (Member) commented Jan 3, 2018

Thanks for the issue and PR! I merged this into 4.2.x and master along with a test.
