On Fri, Mar 27, 2020 at 1:27 PM 'Mark Raynsford' via jackson-user <[email protected]> wrote:
>
> Hello!
>
> I'm using Jackson to consume data returned by the AdoptOpenJDK API [0].
> This JSON doesn't contain type annotations, but I do know all of the
> types ahead of time thanks to their publishing of a schema via Swagger.
>
> I've defined the set of types published by the API:
>
> https://raw.githubusercontent.com/AdoptOpenJDK/openjdk-api-java-client/feature/v3/net.adoptopenjdk.v3.vanilla/src/main/java/net/adoptopenjdk/v3/vanilla/AOV3AST.java
>
> Deserializing values of these types works correctly when using an object
> mapper that uses nearly the default settings:
>
> https://raw.githubusercontent.com/AdoptOpenJDK/openjdk-api-java-client/feature/v3/net.adoptopenjdk.v3.vanilla/src/main/java/net/adoptopenjdk/v3/vanilla/AOV3ObjectMappers.java
>
> However, for reasons of paranoia, I'd now like to configure the object
> mapper such that the set of types it is allowed to deserialize is
> fixed. In other words: a deserialization whitelist. Specifically, the
> whitelist would look like this:
>
> net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3ReleaseNamesJSON
> net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3AvailableReleasesJSON
> net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3ReleaseVersionJSON
> net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3ReleaseVersionsJSON
> net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3InstallerJSON
> net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3PackageJSON
> net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3BinaryJSON
> net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3SourceJSON
> net.adoptopenjdk.v3.vanilla.AOV3AST.AOV3ReleaseJSON
> java.math.BigInteger
> java.net.URI
> java.util.List
>
> Additionally, I'd need one concrete List implementation, but I'm not
> sure which that would be. I'm happy to use whatever Jackson is choosing
> internally.
>
> What is the most efficient way to set up this whitelist?
Jackson does not have out-of-the-box support for whitelisting all types allowed for general use; it only supports this for validating polymorphic deserialization (which is explained, for example, in https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba).

But if you want, you should be able to implement this relatively easily by registering `Deserializers` (a custom provider for deserializers) that verifies that the type for which a deserializer is needed is legitimate (a class from the list you define), throws an `Exception` if it is not, and returns `null` if it is (to let the default `JsonDeserializer` be used). The provider needs to be added by a `Module` using `ObjectMapper.registerModule()`.

The simplest way to do that would probably be to subclass `SimpleDeserializers`, override the `_find(JavaType)` method, then construct a `SimpleModule`, call `setDeserializers(...)`, and register the resulting module.

I hope this helps,

-+ Tatu +-
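A worked version of the provider-based allow-list Tatu describes, added here as an example. It is not Tatu's code and not part of Jackson or the AdoptOpenJDK client; the class names `DeserializationAllowListDemo`, `AllowListDeserializers` and `Release`, and the sample JSON, are constructed for this illustration. Rather than overriding `SimpleDeserializers._find`, the example extends `Deserializers.Base` and routes each of its public `find*` lookup hooks through one check, so the gate does not depend on an underscore-prefixed internal method and covers bean, enum, array, collection, map, reference and tree-node lookups alike.

```java
import java.io.Closeable;
import java.math.BigInteger;
import java.net.URI;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import com.fasterxml.jackson.databind.*;
import com.fasterxml.jackson.databind.deser.Deserializers;
import com.fasterxml.jackson.databind.jsontype.TypeDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;
import com.fasterxml.jackson.databind.type.*;

// Added example (not Jackson's or the AdoptOpenJDK client's code): an allow-list
// enforced by a custom Deserializers provider, registered through a SimpleModule.
public final class DeserializationAllowListDemo {

  // Jackson consults registered Deserializers before building any deserializer.
  // Returning null lets the default one be built; throwing aborts. Built
  // deserializers are cached per ObjectMapper, so each type is checked once.
  static final class AllowListDeserializers extends Deserializers.Base {
    private final Set<Class<?>> allowed;

    AllowListDeserializers(Set<Class<?>> allowed) { this.allowed = new HashSet<>(allowed); }

    private JsonDeserializer<?> gate(Class<?> raw) throws JsonMappingException {
      if (!allowed.contains(raw)) {
        throw new JsonMappingException((Closeable) null, "Deserialization of " + raw.getName() + " is not permitted");
      }
      return null; // permitted: fall through to Jackson's default deserializer
    }

    // Every lookup hook of Deserializers.Base goes through the gate, so beans, enums,
    // arrays, collections, maps, reference types and JsonNode trees are all covered.
    @Override public JsonDeserializer<?> findBeanDeserializer(JavaType type, DeserializationConfig config, BeanDescription beanDesc) throws JsonMappingException {
      return gate(type.getRawClass());
    }
    @Override public JsonDeserializer<?> findEnumDeserializer(Class<?> type, DeserializationConfig config, BeanDescription beanDesc) throws JsonMappingException {
      return gate(type);
    }
    @Override public JsonDeserializer<?> findTreeNodeDeserializer(Class<? extends JsonNode> nodeType, DeserializationConfig config, BeanDescription beanDesc) throws JsonMappingException {
      return gate(nodeType);
    }
    @Override public JsonDeserializer<?> findArrayDeserializer(ArrayType type, DeserializationConfig config, BeanDescription beanDesc, TypeDeserializer elementTypeDeserializer, JsonDeserializer<?> elementDeserializer) throws JsonMappingException {
      return gate(type.getRawClass());
    }
    @Override public JsonDeserializer<?> findCollectionDeserializer(CollectionType type, DeserializationConfig config, BeanDescription beanDesc, TypeDeserializer elementTypeDeserializer, JsonDeserializer<?> elementDeserializer) throws JsonMappingException {
      return gate(type.getRawClass());
    }
    @Override public JsonDeserializer<?> findCollectionLikeDeserializer(CollectionLikeType type, DeserializationConfig config, BeanDescription beanDesc, TypeDeserializer elementTypeDeserializer, JsonDeserializer<?> elementDeserializer) throws JsonMappingException {
      return gate(type.getRawClass());
    }
    @Override public JsonDeserializer<?> findMapDeserializer(MapType type, DeserializationConfig config, BeanDescription beanDesc, KeyDeserializer keyDeserializer, TypeDeserializer elementTypeDeserializer, JsonDeserializer<?> elementDeserializer) throws JsonMappingException {
      return gate(type.getRawClass());
    }
    @Override public JsonDeserializer<?> findMapLikeDeserializer(MapLikeType type, DeserializationConfig config, BeanDescription beanDesc, KeyDeserializer keyDeserializer, TypeDeserializer elementTypeDeserializer, JsonDeserializer<?> elementDeserializer) throws JsonMappingException {
      return gate(type.getRawClass());
    }
    @Override public JsonDeserializer<?> findReferenceDeserializer(ReferenceType refType, DeserializationConfig config, BeanDescription beanDesc, TypeDeserializer contentTypeDeserializer, JsonDeserializer<?> contentDeserializer) throws JsonMappingException {
      return gate(refType.getRawClass());
    }
  }

  // Constructed stand-in for one of the AOV3 value classes (not the real AOV3AST type).
  public static final class Release {
    public String release_name;
    public BigInteger timestamp;
    public List<URI> links;
  }

  static ObjectMapper restrictedMapper() {
    // String must be listed: field types are resolved through the same hooks as root
    // types, so every scalar the value classes use needs an entry. List is checked as
    // the declared type; the concrete implementation Jackson substitutes for it is
    // chosen after the hook runs (verify this against the Jackson version you use).
    Set<Class<?>> allowed = new HashSet<>(Arrays.asList(
        Release.class, String.class, BigInteger.class, URI.class, List.class));
    SimpleModule module = new SimpleModule("deserialization-allow-list");
    module.setDeserializers(new AllowListDeserializers(allowed));
    return new ObjectMapper().registerModule(module);
  }

  public static void main(String[] args) throws Exception {
    ObjectMapper mapper = restrictedMapper();
    // Constructed sample input matching the stand-in class above.
    String json = "{\"release_name\":\"jdk-11.0.6+10\",\"timestamp\":1579000000,"
        + "\"links\":[\"https://example.invalid/release\"]}";
    Release r = mapper.readValue(json, Release.class);
    System.out.println("accepted: " + r.release_name + " " + r.links);
    try {
      mapper.readValue("{\"k\":1}", Map.class); // java.util.Map is not on the list
      throw new AssertionError("Map should have been rejected");
    } catch (JsonMappingException e) {
      System.out.println("rejected: " + e.getOriginalMessage());
    }
  }
}
```

Two practical points follow from how the hook is invoked. First, the list must include every type that appears as a field of the value classes, not only the root types; in Mark's list that means at least `java.lang.String` and any boxed or primitive numerics the AOV3 classes declare, otherwise the first read fails at deserializer construction. Second, because the check fires when a deserializer is built and the result is cached, a rejected type fails once per `ObjectMapper` and never reaches a value-level code path, which is the behaviour you want from an allow-list.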
