Correct permissions of jackson-databind "the correct way"

[uschindler]

Description

[Describe what this change achieves]

Issues Resolved

This is to demonstrate how to fix #5504 the "correct way"

Check List

• New functionality includes testing.
  • All tests pass
• New functionality has been documented.
  • New functionality has javadoc added
• Commits are signed per the DCO using --signoff
• Commit changes are listed out in CHANGELOG.md file (See: Changelog)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[uschindler]

This test of course fails as it uses setAccessible and also adds SuppressForbidden!? There was a reason why the forbiddenapis forbids setAccessible()!

[dblock]

I think you're saying that this is by design. Let's rewrite the test as such!

[uschindler]

See other PR #5768, I made a proposal. Alternatively remove the test. Because if the fields are "final" theres no need to test any other value than the final value.

[reta]

👍

[uschindler]

Unfortunately this is not working for jackson-databind, so we need a workaround or we should look at the new PR #5768.

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/9096/
• CommitID: 7955630
  Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green.
  Is the failure a flaky test unrelated to your change?

[uschindler]

I will close this as we have #5768, removing the dependency from server core.

In general this approach is the correct one to limit permissions to specific JAR files, but the downside is that the JAR file must implement AccessController#doPrivileged() whenever calling secrurity-critical APIs.