well, using lombok with such a result is a bad idea. there should not be a getResolver() method, this is an implementation detail and no getter should be provided for it.
so to put it another way: good that the serialization fails, so you can fix the calls to not add a getResolver() method! stefan p.s. i'm not a fan of lombok in general and have no experience with it, but I assume it can be configured to not expose the resolver. > -----Original Message----- > From: Jörg Hoh <[email protected]> > Sent: Tuesday, June 27, 2023 1:28 PM > To: Sling Developers List <[email protected]> > Subject: Sling Model Exporter: Prevent serializing of a ResourceResolver > > Hi, > > Assuming this Sling Model (using Lombok's @Getter annotation) > > @Getter > @Model( > adaptables = { SlingHttpServletRequest.class }, > adapters = { MyModel.class, ComponentExporter.class }, > resourceType = MyModel.RESOURCE_TYPE) @Exporter( > name = ExporterConstants.SLING_MODEL_EXPORTER_NAME, > extensions = ExporterConstants.SLING_MODEL_EXTENSION) > public class MyModel implements ComponentExporter { > > static final String RESOURCE_TYPE = "myapp/components/mymodel"; > > @Inject > private ResourceResolver resolver; > > @ChildResource > private List<Resource> items; > > } > > When it this model is serialized via SlingModelExporter / Jackson, the > resolver field is also exported via the created getResolver()) method. > > But serializing that does not always work: > > org.apache.sling.models.factory.ExportException: > com.fasterxml.jackson.databind.exc.InvalidDefinitionException: No > serializer found for class > com.day.cq.wcm.core.impl.policies.ContentPolicyManagerImpl and no > properties discovered to create BeanSerializer (to avoid exception, > disable > SerializationFeature.FAIL_ON_EMPTY_BEANS) (through reference chain: > com.myapp.PageImpl[":items"]> [...] > com.myapp.MyModel["resolver"] > >org.apache.sling.resourceresolver.impl.ResourceResolverImpl["propertyMa > >p"] > >java.util.HashMap["com.day.cq.wcm.core.impl.policies.ContentPolicyAdapt > >erFactory.ContentPolicy"]) > at > org.apache.sling.models.jacksonexporter.impl.JacksonExporter.export(Jackso > nExporter.java:138) > [org.apache.sling.models.jacksonexporter:1.1.2] > at > org.apache.sling.models.impl.ModelAdapterFactory.exportModel(ModelAdapterF > actory.java:1333) > [org.apache.sling.models.impl:1.5.4] > > > I don't want to check each class I want to add to the propertyMap if it > can be serialized or not; and a more serious problem is that serializing > the resourceResolver and it's properyMap can leak a lot of information, > which should be not get public. > > Do you see a way to prevent serialization of the ResourceResolver (and > potentially other types as well) without touching the model classes? > > Jörg > > -- > Cheers, > Jörg Hoh, > > https://cqdump.joerghoh.de > Twitter: @joerghoh
