12

I am trying to update my version of Jackson being used after the 6.4.20 JBoss patch. I'm using org.codehause.jackson, and JBoss 6.4.x does not provide implicit dependencies for the newer com.fasterxml.jackson as far as I'm aware.

Is it appropriate to assume that jackson-mapper-asl-1.9.9.redhat-6 is the valid package to use for this patch? When scrolling to the noarch section of the 6.4.20 announcement, I see codehaus-jackson-mapper-asl-1.9.9-12.redhat_6 mentioned. Does that mean this is the version recommended? I can see that it was released 05/14/18 and the announcement was made 05/15/18.

Currently I am experiencing the following error as codehause-jackson-mapper-asl is associated with fasterxml-jackson-databind, leading me to believe I'm using the incorrect version.

16:01:22,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (http-127.0.0.1:8080-1) RESTEASY000100: Failed executing POST /find: org.jboss.resteasy.spi.ReaderException:

org.codehaus.jackson.map.JsonMappingException: Illegal type [...] to deserialize: prevented for security reasons

[...]

Caused by: org.codehaus.jackson.map.JsonMappingException: Illegal type [...] to deserialize: prevented for security reasons at org.codehaus.jackson.map.deser.BeanDeserializerFactory.checkLegalTypes(BeanDeserializerFactory.java:1521) [jackson-mapper-asl-1.9.9.redhat-6.jar:1.9.9.redhat-6] `

Community
  • 1
  • 1
marco dominguez
  • 121
  • 1
  • 3

2 Answers2

21

I recently upgraded from JBoss EAP 6.3.0 to 6.4.20 and had the same exception.

Following the stackstrace of the exception I discovered that it becomes necessary to set the system property jackson.deserialization.whitelist.packages with the full class name of the classes you want to deserialize.

If you want you can put only the suffix of the package. For multiple values, separate by comma. You can see this in the jackson-mapper-asl-1.9.9.redhat-6.jar class org.codehaus.jackson.map.deser.BeanDeserializerFactory of line 38 to 45.

For JBoss environments you can define the system property in your standalone*.xml or domain.xml, as follows:

<system-properties>
    <property name="jackson.deserialization.whitelist.packages" value="br.com.myapp" />
</system-properties>
MhagnumDw
  • 893
  • 1
  • 10
  • 12
5

Building on @MhagnumDw's answer, I also encountered the same error with JBoss 6.4.20 patch and used this solution. Here is the source code relevant source code from https://maven.repository.redhat.com/techpreview/all/org/codehaus/jackson/jackson-mapper-asl/1.9.9.redhat-6/jackson-mapper-asl-1.9.9.redhat-6-sources.jar in org.codehaus.jackson.map.deser.BeanDeserializerFactory;

/**
     * @since 1.9.9.redhat-5
     */
protected void checkLegalTypes(DeserializationConfig config, JavaType type,
        BeanDescription beanDesc)
    throws JsonMappingException
{
    // There are certain nasty classes that could cause problems, mostly
    // via default typing -- catch them here.
    String full = type.getRawClass().getName();

    Iterator<String> iter = _cfgLegalPackageNames.iterator();

    boolean pass = false;

    while(iter.hasNext()) {
        if(full.startsWith(iter.next())) {
            pass = true;
            break;
        }
    }

    if(!pass) {
        throw new JsonMappingException(
                                  String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
    }
}

You can see that full.startsWith(iter.next()) means you can put in higher level package names to whitelist. For example,

<system-properties>
    <property name="jackson.deserialization.whitelist.packages" value="br.com.myapp" />
</system-properties>

would whitelist br.com.myapp.package.aclass and br.com.myapp.package.bclass

leontp587
  • 791
  • 2
  • 9
  • 21