On Sat, Sep 21, 2019 at 3:04 AM Marc Dzaebel <[email protected]> wrote:
>
> Thanks Tatu,
>
> As you said, Jackson only deserializes polymorphically if the target type
> indicates it via resolver or default typing. However, if you e.g. serialize
> an object with Java writeObject and readObject again, the result has the correct
> type and properties, which is because Java serialization always adds the
> type (which is possible for Jackson too, but ubiquitous, so much more complex
> than needed).
>
> So a class that holds heterogeneous types in an Object property is not
> transferable, unless you globally configure that all Objects have to be
> serialized with a type attribute. It's certainly possible to define
> Serializers/Deserializers that achieve the needed polymorphic
> deserialization, but it could be much simpler if there were an option, at
> least for deserialization, that says: if there is a type attribute at the
> beginning, create this type rather than a natural one. Of course, this could
> only be used in secured environments, but it would ensure readable and compact
> JSON without the need to think about deserialization at all.
This is what "Default Typing" is about, and yes, it has caused endless grief with CVEs... :-D

I am not sure if you are familiar with it, but if not, you may want to have a look -- in 2.9 and before, it's "ObjectMapper.enableDefaultTyping()", and with 2.10 it will be replaced with the safer "activateDefaultTyping()" (which now requires a `PolymorphicTypeValidator` to validate that the type is accepted). Implementation-wise it is similar to adding `@JsonTypeInfo` as a mix-in to a wide category of types.

-+ Tatu +-
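The three mechanisms Tatu names side by side, as an added example that is not part of the thread and not Jackson's own code: the deprecated 2.9-style `enableDefaultTyping()`, the 2.10 `activateDefaultTyping()` gated by a `PolymorphicTypeValidator` allow-list, and the equivalent `@JsonTypeInfo` mix-in. It assumes jackson-databind 2.10 or later on the classpath; `DefaultTypingDemo`, `Envelope`, `Point` and `EnvelopeMixIn` are hypothetical names chosen for the illustration, and the forged document is constructed input.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Hypothetical demo class, written for this example (not from the thread).
public class DefaultTypingDemo {

    // A holder with an Object-typed property, the situation Marc describes.
    public static class Envelope {
        public Object payload;
        public Envelope() {}
        public Envelope(Object payload) { this.payload = payload; }
    }

    // The one concrete type we actually want to round-trip through that property.
    public static class Point {
        public int x, y;
    }

    // Mix-in that attaches @JsonTypeInfo to Envelope.payload without touching Envelope.
    abstract static class EnvelopeMixIn {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class")
        public Object payload;
    }

    // Explicit allow-list: only Point may be instantiated from a type id. A
    // blocklist of known gadget classes is the approach that kept producing CVEs.
    static PolymorphicTypeValidator allowOnlyPoint() {
        return BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Point.class)
                .build();
    }

    // 2.9-style: any class name in the type id is loaded and instantiated.
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // 2.10-style: identical wire format, but every type id passes the validator.
    static ObjectMapper validatedMapper() {
        return new ObjectMapper().activateDefaultTyping(
                allowOnlyPoint(), ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
    }

    // Mix-in variant. Note: explicit @JsonTypeInfo is NOT covered by the validator
    // handed to activateDefaultTyping(); it needs setPolymorphicTypeValidator().
    static ObjectMapper mixInMapper() {
        return new ObjectMapper()
                .addMixIn(Envelope.class, EnvelopeMixIn.class)
                .setPolymorphicTypeValidator(allowOnlyPoint());
    }

    public static void main(String[] args) throws Exception {
        Point p = new Point();
        p.x = 1;
        p.y = 2;

        // Round trip through default typing: the type id rides in a wrapper array.
        ObjectMapper mapper = validatedMapper();
        String json = mapper.writeValueAsString(new Envelope(p));
        System.out.println(json);
        Envelope back = mapper.readValue(json, Envelope.class);
        System.out.println("restored as " + back.payload.getClass().getName());

        // Constructed hostile input: a type id outside the allow-list. The
        // validated mapper refuses it before any instance is created.
        String forged = "{\"payload\":[\"java.util.HashMap\",{}]}";
        try {
            mapper.readValue(forged, Envelope.class);
            System.out.println("unexpected: forged payload accepted");
        } catch (JsonMappingException e) {
            System.out.println("denied: " + e.getOriginalMessage());
        }

        // The legacy mapper materialises whatever class the attacker names.
        Envelope legacy = legacyMapper().readValue(forged, Envelope.class);
        System.out.println("legacy created " + legacy.payload.getClass().getName());

        // Mix-in variant: same effect as default typing, scoped to one property.
        ObjectMapper mixed = mixInMapper();
        String mixedJson = mixed.writeValueAsString(new Envelope(p));
        System.out.println(mixedJson);
        System.out.println("mix-in restored as "
                + mixed.readValue(mixedJson, Envelope.class).payload.getClass().getName());
    }
}
```

Two things to check in a real code base: `allowIfBaseType(Object.class)` would defeat the purpose here, since a permitted base type short-circuits the subtype checks, so restrict by subtype (class or package prefix) when the declared type is `Object`; and audit for `@JsonTypeInfo(use = Id.CLASS)` on properties, because the validator passed to `activateDefaultTyping()` does not apply to those unless `setPolymorphicTypeValidator()` is also configured.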
