Closed
Description
I would like to be able to extend the TRUSTED_CLASS_NAMES without having to copy&paste the entire Jackson2ExecutionContextStringSerializer.
I can see that you had to fix a security vuln in #3732, but it broke (de)serialization in a lot of apps. I have no problem adding the annotations to my classes, but I have no idea how to allow java.util.UUID.
I suggest that you introduce a mechanism that would allow me to extend the list of trusted classes in case there is a JDK/library class I cannot modify.
Also, it's really hard to override the serializer and I had to extend a bunch of configuration and bean factory classes to accomplish it.