Spring Security + Session Redis: fixing the JSON serialization error [The class xxx and name of xxx is not whitelisted.]
Prerequisite
Spring Security + Spring Session + Redis: solving the JSON deserialization problem for [SecurityContext] and [AuthenticationToken]
Problem description
Caused by: java.lang.IllegalArgumentException: The class with com.hailiu.model.Role and name of com.hailiu.model.Role is not whitelisted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details
	at org.springframework.security.jackson2.SecurityJackson2Modules$WhitelistTypeIdResolver.typeFromId(SecurityJackson2Modules.java:252) ~[spring-security-core-5.3.5.RELEASE.jar:5.3.5.RELEASE]
	at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:154) ~[jackson-databind-2.11.3.jar:2.11.3]
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:115) ~[jackson-databind-2.11.3.jar:2.11.3]
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:99) ~[jackson-databind-2.11.3.jar:2.11.3]
	at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeWithType(BeanDeserializerBase.java:1209) ~[jackson-databind-2.11.3.jar:2.11.3]
	at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:292) ~[jackson-databind-2.11.3.jar:2.11.3]
	... 63 common frames omitted
issues
https://github.com/spring-projects/spring-security/issues/9210
Problem analysis
Source code

    @Override
    public JavaType typeFromId(DatabindContext context, String id) throws IOException {
        DeserializationConfig config = (DeserializationConfig) context.getConfig();
        JavaType result = delegate.typeFromId(context, id);
        String className = result.getRawClass().getName();
        // Case 1: the class is on the built-in whitelist
        if (isWhitelisted(className)) {
            return result;
        }
        // Case 2: a Mixin is registered for the class
        boolean isExplicitMixin = config.findMixInClassFor(result.getRawClass()) != null;
        if (isExplicitMixin) {
            return result;
        }
        // Case 3: the class carries an annotation that is itself marked @JacksonAnnotation
        JacksonAnnotation jacksonAnnotation = AnnotationUtils.findAnnotation(result.getRawClass(), JacksonAnnotation.class);
        if (jacksonAnnotation != null) {
            return result;
        }
        throw new IllegalArgumentException("The class with " + id + " and name of " + className + " is not whitelisted. " +
                "If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. " +
                "If the serialization is only done by a trusted source, you can also enable default typing. " +
                "See https://github.com/spring-projects/spring-security/issues/4370 for details");
    }

There are three cases in which this exception is not thrown:
1. The class is on the whitelist
However, the whitelist cannot be extended or added to.
2. The class has a corresponding Mixin class
3. The class is annotated with @JacksonAnnotation
All of Jackson's own annotations carry @JacksonAnnotation.
Solution
Method 1
Write a Mixin class
Reference: Spring Session & RedisでJacksonを使ったシリアライズを試してみる (Trying out Jackson serialization with Spring Session & Redis)
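A sketch of Method 1, as an added example that is not code from the original post or from Spring Security: it registers a Mixin for the one class named in the exception, so `typeFromId` accepts it through the `findMixInClassFor` branch without loosening type handling for anything else. The names `RoleMixin` and `SessionSerializationConfig` are hypothetical, and `com.hailiu.model.Role` is assumed to have a no-argument constructor and plain fields.

```java
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.hailiu.model.Role; // the class named in the exception above
import org.springframework.beans.factory.BeanClassLoaderAware;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.RedisSerializer;
import org.springframework.security.jackson2.SecurityJackson2Modules;

// Hypothetical Mixin: its only job is to exist for Role, which is what the
// resolver checks. Assumes Role has a no-arg constructor; fields are read
// and written directly, and unknown JSON properties are ignored.
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY,
        getterVisibility = JsonAutoDetect.Visibility.NONE,
        isGetterVisibility = JsonAutoDetect.Visibility.NONE)
@JsonIgnoreProperties(ignoreUnknown = true)
abstract class RoleMixin {
}

@Configuration
public class SessionSerializationConfig implements BeanClassLoaderAware {

    private ClassLoader loader;

    // Spring Session picks up a RedisSerializer bean with this exact name.
    @Bean
    public RedisSerializer<Object> springSessionDefaultRedisSerializer() {
        ObjectMapper mapper = new ObjectMapper();
        // Spring Security's own modules and Mixins (SecurityContext, tokens, ...)
        mapper.registerModules(SecurityJackson2Modules.getModules(this.loader));
        // Allow exactly one application class; every other type is still rejected.
        mapper.addMixIn(Role.class, RoleMixin.class);
        return new GenericJackson2JsonRedisSerializer(mapper);
    }

    @Override
    public void setBeanClassLoader(ClassLoader classLoader) {
        this.loader = classLoader;
    }
}
```

Each further application class stored in the session needs its own `addMixIn` call, which keeps the set of deserializable types explicit.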
Method 2
Add Jackson annotations to the class in question
References
Spring Session & RedisでJacksonを使ったシリアライズを試してみる (Trying out Jackson serialization with Spring Session & Redis)