JogJo opened a new issue, #15711: URL: https://github.com/apache/dubbo/issues/15711
### Pre-check

- [x] I am sure that all the content I provide is in English.

### Search before asking

- [x] I had searched in the [issues](https://github.com/apache/dubbo/issues?q=is%3Aissue) and found no similar issues.

### Apache Dubbo Component

Java SDK (apache/dubbo)

### Dubbo Version

dubbo version: 3.3.5

### Steps to reproduce this issue

### security/serialize.allowlist

```
org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication
```

### application.yml

```
dubbo:
  application:
    name: sys-server-dubbo
    logger: slf4j
    qos-enable: false
    check-serializable: false
    serialize-check-status: DISABLE
  protocol:
    name: dubbo
    port: -1
    # prefer-serialization: fastjson2
    # serialization: fastjson2
    # serialization: fastjson2
  registry:
    address: nacos://${NACOS_HOST:dev.okps.cn}:${NACOS_PORT:8848}
    username: ${NACOS_USER:nacos}
    password: ${NACOS_PWD:nacos}
    register-mode: instance
  provider:
    delay: 5000
    # prefer-serialization: fastjson2
    # serialization: fastjson2
  consumer:
    check: false
    timeout: 5000
```

### Exception

```
DEBUG 27848 --- [erverWorker-6-5] i.netty.channel.DefaultChannelPipeline : Discarded inbound message Request [id=-1144165337143963126, version=2.0.2, twoWay=true, event=false, broken=false, mPayload=31995, data=RpcInvocation [methodName=getName, parameterTypes=[class java.lang.Long]]] that reached at the tail of the pipeline. Please check your pipeline configuration.
2025-09-30 15:27:16.732 DEBUG 27848 --- [erverWorker-6-5] i.netty.channel.DefaultChannelPipeline : Discarded message pipeline : [decoder, encoder, server-idle-handler, handler, DefaultChannelPipeline$TailContext#0]. Channel : [id: 0xd09db137, L:/192.168.188.134:20882 - R:/192.168.188.134:64555].
2025-09-30 15:27:16.732 DEBUG 27848 --- [188.134:2088212] o.a.d.remoting.transport.DecodeHandler : [DUBBO] Decode decodeable message org.apache.dubbo.rpc.protocol.dubbo.DecodeableRpcInvocation, dubbo version: 3.3.5, current host: 192.168.188.134
2025-09-30 15:27:16.733 WARN 27848 --- [188.134:2088212] o.a.d.s.s.jackson.ObjectMapperCodec : [DUBBO] , dubbo version: 3.3.5, current host: 192.168.188.134, error code: 0-23. This may be caused by objectMapper! deserialize error, you can try to customize the ObjectMapperCodecCustomer., go to https://dubbo.apache.org/faq/0/23 to find instructions.

java.lang.IllegalArgumentException: The class with org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication and name of org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details
	at org.springframework.security.jackson2.SecurityJackson2Modules$AllowlistTypeIdResolver.typeFromId(SecurityJackson2Modules.java:293) ~[spring-security-core-6.4.5.jar:6.4.5]
	at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:159) ~[jackson-databind-2.18.3.jar:2.18.3]
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:151) ~[jackson-databind-2.18.3.jar:2.18.3]
	at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:136) ~[jackson-databind-2.18.3.jar:2.18.3]
	at com.fasterxml.jackson.databind.deser.AbstractDeserializer.deserializeWithType(AbstractDeserializer.java:263) ~[jackson-databind-2.18.3.jar:2.18.3]
	at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:74) ~[jackson-databind-2.18.3.jar:2.18.3]
	at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342) ~[jackson-databind-2.18.3.jar:2.18.3]
	at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4931) ~[jackson-databind-2.18.3.jar:2.18.3]
	at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3929) ~[jackson-databind-2.18.3.jar:2.18.3]
	at org.apache.dubbo.spring.security.jackson.ObjectMapperCodec.deserialize(ObjectMapperCodec.java:50) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.spring.security.jackson.ObjectMapperCodec.deserialize(ObjectMapperCodec.java:67) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationResolverFilter.getSecurityContext(ContextHolderAuthenticationResolverFilter.java:74) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationResolverFilter.invoke(ContextHolderAuthenticationResolverFilter.java:61) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.filter.GenericFilter.invoke(GenericFilter.java:222) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.protocol.tri.h12.HttpContextFilter.invoke(HttpContextFilter.java:38) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.filter.ClassLoaderFilter.invoke(ClassLoaderFilter.java:54) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.filter.EchoFilter.invoke(EchoFilter.java:41) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.metrics.filter.MetricsFilter.invoke(MetricsFilter.java:86) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.metrics.filter.MetricsProviderFilter.invoke(MetricsProviderFilter.java:37) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.tracing.filter.ObservationReceiverFilter.invoke(ObservationReceiverFilter.java:59) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.filter.ProfilerServerFilter.invoke(ProfilerServerFilter.java:66) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.filter.ContextFilter.invoke(ContextFilter.java:191) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CallbackRegistrationInvoker.invoke(FilterChainBuilder.java:197) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.rpc.protocol.dubbo.DubboProtocol$1.reply(DubboProtocol.java:167) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.handleRequest(HeaderExchangeHandler.java:110) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.received(HeaderExchangeHandler.java:205) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.remoting.transport.DecodeHandler.received(DecodeHandler.java:52) ~[dubbo-3.3.5.jar:3.3.5]
	at org.apache.dubbo.remoting.transport.dispatcher.ChannelEventRunnable.run(ChannelEventRunnable.java:64) ~[dubbo-3.3.5.jar:3.3.5]
	at java.base/java.util.concurrent.ThreadPerTaskExecutor$TaskRunner.run(ThreadPerTaskExecutor.java:314) ~[na:na]
	at java.base/java.lang.VirtualThread.run(VirtualThread.java:311) ~[na:na]
```

### What you expected to happen

After disabling serialization detection, no error should be reported

### Anything else

_No response_

### Are you willing to submit a pull request to fix on your own?

- [ ] Yes I am willing to submit a pull request on my own!

### Code of Conduct

- [x] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
