On Sun, Mar 29, 2020 at 7:42 AM Mark Raynsford <[email protected]> wrote:
>
> On 2020-03-28T17:24:31 -0700
> Tatu Saloranta <[email protected]> wrote:
> >
> > Jackson does not have out-of-the-box support for whitelisting all
> > types allowed for general use; it only supports this for validating
> > polymorphic deserialization (which is explained f.ex in
> > https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba).
>
> Yep, this was the post I read originally but couldn't work out if it
> applied to me. It seems like it doesn't, given that I can't get type
> annotations into the input JSON.

Right. And you really shouldn't, unless it is actually needed. Static
type safety has its benefits, esp. in preventing the possibility of an
attacker abusing types outside of your class definitions.

> > But if you want, you should be able to implement this relatively
> > easily by registering `Deserializers` (custom provider for
> > deserializers) that will verify that type for which deserializer is
> > needed is legit (class from list you define), and throws `Exception`
> > if not, return `null` if it is (to let default JsonDeserializer be
> > used).
> > Provider needs to be added by a `Module` using
> > `ObjectMapper.registerModule()`.
> >
> > Simplest way to do that would probably be to subclass
> > `SimpleDeserializers`, override `_find(JavaType)` method, then
> > construct `SimpleModule`, call `setDeserializers(...)`, register
> > resulting module.
>
> Sounds good, thanks! I'll give it a shot.

Good luck!

-+ Tatu +-
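
The allowlisting provider described in the reply above, as an added example that is not part of the original thread or Jackson's own code. It assumes jackson-databind 2.x and Java 9+, places the check in the public `findBeanDeserializer` hook of a `SimpleDeserializers` subclass, and the names `AllowlistDemo`, `AllowlistDeserializers`, `Point` and `Secret` are hypothetical.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.*;
import com.fasterxml.jackson.databind.module.SimpleDeserializers;
import com.fasterxml.jackson.databind.module.SimpleModule;
import java.util.Set;

public class AllowlistDemo {
    // Constructed sample types: Point is allowed, Secret is not.
    public static class Point { public int x; public int y; }
    public static class Secret { public String value; }

    /** Rejects every bean-style type whose raw class is not on the allowlist. */
    static class AllowlistDeserializers extends SimpleDeserializers {
        private final Set<Class<?>> allowed;

        AllowlistDeserializers(Set<Class<?>> allowed) { this.allowed = allowed; }

        @Override
        public JsonDeserializer<?> findBeanDeserializer(JavaType type,
                DeserializationConfig config, BeanDescription beanDesc)
                throws JsonMappingException {
            Class<?> raw = type.getRawClass();
            // Scalar property types (int, String, ...) pass through here too,
            // so primitives are let through and String must be listed.
            if (!raw.isPrimitive() && !allowed.contains(raw)) {
                throw JsonMappingException.from((JsonParser) null,
                        "Type not on deserialization allowlist: " + raw.getName());
            }
            // Allowed: return a registered custom deserializer if any,
            // otherwise null so Jackson builds its default one.
            return super.findBeanDeserializer(type, config, beanDesc);
        }
    }

    public static void main(String[] args) throws Exception {
        SimpleModule module = new SimpleModule("allowlist");
        module.setDeserializers(new AllowlistDeserializers(
                Set.of(Point.class, String.class)));
        ObjectMapper mapper = new ObjectMapper().registerModule(module);

        Point p = mapper.readValue("{\"x\":1,\"y\":2}", Point.class);
        System.out.println("Point ok: " + p.x + "," + p.y);
        try {
            mapper.readValue("{\"value\":\"s\"}", Secret.class);
        } catch (JsonMappingException e) {
            System.out.println("Rejected: " + e.getOriginalMessage());
        }
    }
}
```

Only bean-style and scalar types reach `findBeanDeserializer`; collections, maps, arrays and enums are looked up through the other `Deserializers` methods (`findCollectionDeserializer`, `findMapDeserializer`, `findEnumDeserializer`, ...), which need the same check if those types should be restricted as well.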
