houkunlin opened a new issue, #12073: URL: https://github.com/apache/dubbo/issues/12073
- [ ] I have searched the [issues](https://github.com/apache/dubbo/issues) of this repository and believe that this is not a duplicate.

### Environment

* Dubbo version: 3.2.0-beta.6 / org.apache.dubbo:dubbo-bom:3.2.0-beta.6
* Java version: java 17
* springboot 3.0.5
* org.springframework.cloud:spring-cloud-dependencies:2022.0.1
* com.alibaba.cloud:spring-cloud-alibaba-dependencies:2022.0.0.0-RC1
* com.alibaba.fastjson2:fastjson2:2.0.27

### Steps to reproduce this issue

1. Make a Dubbo request to fetch user information
2. A custom UserDetails object is returned and login succeeds
3. Make another Dubbo request to fetch user information
4. The console reports an error

Define a custom UserDetails object and return it after a successful Spring Boot Security login. When a Dubbo request is then made again, no data can be retrieved and the console reports an error.

```
2023-04-11T22:54:15.413+08:00 WARN 64592 --- [o-auto-1-exec-3] o.a.d.r.c.s.wrapper.MockClusterInvoker : [DUBBO] fail-mock: getLocalIdentifier fail-mock enabled , url : consumer://172.29.237.2/com.houkunlin.cloud.micro.rpc.UserDubboService?application=api-auth-server&background=false&check=true&dubbo=2.0.2&executor-management-mode=default&file-cache=false&interface=com.houkunlin.cloud.micro.rpc.UserDubboService&methods=getAssignAuthorities,getLeaderIds,getLocalIdentifier,getUserAllPermissionValues,getUserByUserId,getUserByUsername,loginFailureAction,loginSuccessAction,saveUserLog,updatePassword&mock=true&pid=64592&qos.enable=true&qos.port=9622&register-mode=instance&register.ip=172.29.237.2&release=3.2.0-beta.6&revision=0.0.7-SNAPSHOT-plain&side=consumer&sticky=false&timestamp=1681224224385&unloadClusterRelated=false, dubbo version: 3.2.0-beta.6, current host: 172.29.237.2, error code: 2-17. This may be caused by failed to mock invoke, go to https://dubbo.apache.org/faq/2/17 to find instructions.

org.apache.dubbo.rpc.RpcException: Failed to invoke the method getLocalIdentifier in the service com.houkunlin.cloud.micro.rpc.UserDubboService. Tried 3 times of the providers [172.29.237.2:20883] (1/1) from the registry 192.168.0.5:8848 on the consumer 172.29.237.2 using the dubbo version 3.2.0-beta.6. Last error is: Failed to invoke remote method: getLocalIdentifier, provider: DefaultServiceInstance{serviceName='system-user-server', host='172.29.237.2', port=20883, enabled=true, healthy=true, metadata={dubbo.metadata-service.url-params={"prefer.serialization":"fastjson2,hessian2","version":"1.0.0","dubbo":"2.0.2","release":"3.2.0-beta.6","side":"provider","port":"20883","protocol":"dubbo"}, dubbo.endpoints=[{"port":20883,"protocol":"dubbo"}], dubbo.metadata.revision=998f69ef376ecb6920e7f05d9e6f0b14, dubbo.metadata.storage-type=local, timestamp=1681209402712}}, service{name='com.houkunlin.cloud.micro.rpc.UserDubboService',group='null',version='null',protocol='dubbo',port='20883', params={executor-management-mode=default, side=provider, file-cache=false, release=3.2.0-beta.6, methods=getAssignAuthorities,getLeaderIds,getLocalIdentifier,getUserAllPermissionValues,getUserByUserId,getUserByUsername,loginFailureAction,loginSuccessAction,saveUserLog,updatePassword, deprecated=false, dubbo=2.0.2, interface=com.houkunlin.cloud.micro.rpc.UserDubboService, service-name-mapping=true, register-mode=instance, generic=false, revision=0.0.7-SNAPSHOT-plain, application=system-user-server, prefer.serialization=fastjson2,hessian2, background=false, dynamic=true, anyhost=true},}, cause: org.apache.dubbo.remoting.RemotingException: java.lang.RuntimeException: objectMapper! deserialize error java.lang.IllegalArgumentException: The class with com.houkunlin.cloud.micro.login.LoginUserDetails and name of com.houkunlin.cloud.micro.login.LoginUserDetails is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details
java.lang.RuntimeException: objectMapper! deserialize error java.lang.IllegalArgumentException: The class with com.houkunlin.cloud.micro.login.LoginUserDetails and name of com.houkunlin.cloud.micro.login.LoginUserDetails is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details
	at org.apache.dubbo.spring.security.jackson.ObjectMapperCodec.deserialize(ObjectMapperCodec.java:50)
	at org.apache.dubbo.spring.security.jackson.ObjectMapperCodec.deserialize(ObjectMapperCodec.java:58)
	at org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationResolverFilter.getSecurityContext(ContextHolderAuthenticationResolverFilter.java:56)
	at org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationResolverFilter.invoke(ContextHolderAuthenticationResolverFilter.java:45)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
	at org.apache.dubbo.rpc.filter.GenericFilter.invoke(GenericFilter.java:192)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
	at org.apache.dubbo.rpc.filter.ClassLoaderFilter.invoke(ClassLoaderFilter.java:54)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
	at org.apache.dubbo.rpc.filter.EchoFilter.invoke(EchoFilter.java:41)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
	at org.apache.dubbo.rpc.filter.ProfilerServerFilter.invoke(ProfilerServerFilter.java:64)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
	at org.apache.dubbo.rpc.filter.ContextFilter.invoke(ContextFilter.java:144)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CallbackRegistrationInvoker.invoke(FilterChainBuilder.java:194)
	at org.apache.dubbo.rpc.protocol.dubbo.DubboProtocol$1.reply(DubboProtocol.java:159)
	at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.handleRequest(HeaderExchangeHandler.java:103)
	at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.received(HeaderExchangeHandler.java:186)
	at org.apache.dubbo.remoting.transport.DecodeHandler.received(DecodeHandler.java:53)
	at org.apache.dubbo.remoting.transport.dispatcher.ChannelEventRunnable.run(ChannelEventRunnable.java:62)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at org.apache.dubbo.common.threadlocal.InternalRunnable.run(InternalRunnable.java:41)
	at java.base/java.lang.Thread.run(Thread.java:833)
```

I tried using `ObjectMapperCodecCustomer` to customize ObjectMapperCodec.ObjectMapper, adding `context.setMixInAnnotations(LoginUserDetails.class, LoginUserDetailsMixin.class);`. With a breakpoint I found that the configuration takes effect normally: a breakpoint before the Dubbo request shows the settings in effect. Deserialization still cannot complete, however, and the location reported in the console error cannot be hit with a breakpoint in debug mode.

I copied the `CoreJackson2Module` class locally to override it, removed the `// context.setMixInAnnotations(User.class, UserMixin.class);` configuration, and used the official User object. Debugging showed that the local `CoreJackson2Module` runs normally and that ObjectMapperCodec.ObjectMapper has no UserMixin configured, yet the request still succeeds. What I want, however, is not the official User object but a custom UserDetails object.

Of the two approaches above, one adds my own Mixin and the other removes the official Mixin configuration. Neither takes effect as expected: although the configuration seen at the breakpoint is in effect, the configuration actually used when the Dubbo request runs is not the same as the one seen at the breakpoint.

Pls. provide [GitHub address] to reproduce this issue.
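An added example, not part of the original issue and not Dubbo's or Spring Security's own code: the allowlist check quoted in the error is made by whichever `ObjectMapper` instance performs the deserialization, so a mixin only helps when it is registered on that instance. `LoginUser` and `LoginUserMixin` are hypothetical stand-ins for the reporter's classes, and the sketch assumes only spring-security-core and jackson-databind on the classpath (no Dubbo involved).

```java
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.jackson2.SecurityJackson2Modules;

public class AllowlistMixinDemo {
    // Hypothetical stand-in for the custom principal class from the issue.
    public static class LoginUser {
        private final String username;
        public LoginUser(String username) { this.username = username; }
        public String getUsername() { return username; }
    }

    // Hypothetical mixin: registering it satisfies the allowlist check, and the
    // annotated constructor tells Jackson how to rebuild LoginUser.
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    @JsonIgnoreProperties(ignoreUnknown = true)
    abstract static class LoginUserMixin {
        @JsonCreator
        LoginUserMixin(@JsonProperty("username") String username) { }
    }

    // Spring Security's modules enable default typing guarded by the allowlist.
    static ObjectMapper newMapper(boolean withMixin) {
        ObjectMapper mapper = new ObjectMapper();
        mapper.registerModules(
                SecurityJackson2Modules.getModules(AllowlistMixinDemo.class.getClassLoader()));
        if (withMixin) {
            mapper.addMixIn(LoginUser.class, LoginUserMixin.class);
        }
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        String json = newMapper(true).writeValueAsString(new LoginUser("alice"));
        // Same JSON, two mapper instances: only the one holding the mixin accepts it.
        Object ok = newMapper(true).readValue(json, Object.class);
        System.out.println("with mixin: " + ok.getClass().getName());
        try {
            newMapper(false).readValue(json, Object.class);
        } catch (Exception e) { // rejected by the allowlist check
            System.out.println("without mixin: " + e.getMessage());
        }
    }
}
```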