Jackson2ExecutionContextStringSerializer: customization

[fprochazka]

I would like to be able to extend the TRUSTED_CLASS_NAMES without having to copy&paste the entire Jackson2ExecutionContextStringSerializer.

I can see that you had to fix a security vuln in #3732, but it broke (de)serialization in a lot of apps. I have no problem adding the annotations to my classes, but I have no idea how to allow java.util.UUID.

I suggest that you introduce a mechanism, that would allow me to extend the list of trusted classes in case there is a JDK/library class I cannot modify.

---

Also it's really hard to override the serializer and I had to extend a bunch of configuration and bean factory classes to accomplish it.

[mminella]

Mixins are the expected way to handle classes you do not have the ability to modify with Jackson. Is there a reason you cannot use one for UUID? That being said, if we can confirm UUID is not a "gadget class", it also feels like one that would be reasonable to just add to our list.

[fprochazka]

@mminella Can you please show me how to configure the Jackson2ExecutionContextStringSerializer to allow UUID? How do I tell the ObjectMapper instance inside the class about the mixin?

I do not believe it's currently possible. I could configure my own ObjectMapper and add the mixin there, but then I lose the default, because setting the ObjectMapper resets the default and the createTrustedDefaultTyping() is private and I see no way to hook into that without reflection magic.

[snussbaumer]

I had the same issue than @fprochazka : maybe we're both missing something ... but as already stated if we create our own ObjectMapper we loose the TrustedTypeIdResolver entirely ...

Also I'm using spring-boot and used to having everything working out of the box with sensible defaults but still being configurable ... now to accept UUID (and java.sql.Timestamp in my case) I have to define a BatchConfigurer, configure a JobLauncher, JobRepository, JobExplorer (hoping I have everything setup correctly) ...

A property with a list of additional trusted types would be really great !

[fmbenhassine]

When trying to compare how other projects from the portfolio deal with this requirement, I see that SI provides an utility method to create an ObjectMapper which accepts a list of trusted packages (to augment the base list).

We will discuss this internally and see the best way to address it.