当前位置 博文首页 > 无限迭代中......:Spring Security + Session Redis——JSON序
Spring Security + Spring Session + Redis——【SecurityContext】和【AuthenticationToken】JSON反序列化问题解决方案
Caused by: java.lang.IllegalArgumentException: The class with com.hailiu.model.Role and name of com.hailiu.model.Role is not whitelisted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details
?? ?at org.springframework.security.jackson2.SecurityJackson2Modules$WhitelistTypeIdResolver.typeFromId(SecurityJackson2Modules.java:252) ~[spring-security-core-5.3.5.RELEASE.jar:5.3.5.RELEASE]
?? ?at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:154) ~[jackson-databind-2.11.3.jar:2.11.3]
?? ?at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:115) ~[jackson-databind-2.11.3.jar:2.11.3]
?? ?at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:99) ~[jackson-databind-2.11.3.jar:2.11.3]
?? ?at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeWithType(BeanDeserializerBase.java:1209) ~[jackson-databind-2.11.3.jar:2.11.3]
?? ?at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:292) ~[jackson-databind-2.11.3.jar:2.11.3]
?? ?... 63 common frames omitted
https://github.com/spring-projects/spring-security/issues/9210
https://github.com/spring-projects/spring-security/issues/9210
源代码
@Override
public JavaType typeFromId(DatabindContext context, String id) throws IOException {
DeserializationConfig config = (DeserializationConfig) context.getConfig();
JavaType result = delegate.typeFromId(context, id);
String className = result.getRawClass().getName();
if (isWhitelisted(className)) {
return result;
}
boolean isExplicitMixin = config.findMixInClassFor(result.getRawClass()) != null;
if (isExplicitMixin) {
return result;
}
JacksonAnnotation jacksonAnnotation = AnnotationUtils.findAnnotation(result.getRawClass(), JacksonAnnotation.class);
if (jacksonAnnotation != null) {
return result;
}
throw new IllegalArgumentException("The class with " + id + " and name of " + className + " is not whitelisted. " +
"If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. " +
"If the serialization is only done by a trusted source, you can also enable default typing. " +
"See https://github.com/spring-projects/spring-security/issues/4370 for details");
}
这异常不出现一共三个情况:
一、白名单的类
但是白名单不能继承、添加操作
二、有对应的Mixin类
三、有@JacksonAnnotation注解的类
Jackson的相关注解都有@JacksonAnnotation
方法一
编写一个Mixin类
参考:Spring Session & RedisでJacksonを使ったシリアライズを試してみる
方法二
在对应类上加 Jackson Annotations的注解
Spring Session & RedisでJacksonを使ったシリアライズを試してみる
cs