Summary

There are some performance optimizations we can provide for jackson integration

Comment From: TanqiZhou

org.springframework.security.authentication.BadCredentialsException is not whitelisted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details; nested exception is java.

Comment From: chrylis

Since the error message points to this issue, can it please get a link to documentation on enabling default typing?

Comment From: miladamery

Since the error message points to this issue, can it please get a link to documentation on enabling default typing?

Hi. i have same issue and cant find how to enable default typing. i really appreciate if you provide a link or something else that says how to do it.

Comment From: jzheaux

To (de)serialize a BadCredentialsException, use CoreJackson2Module:

@Bean
public ObjectMapper objectMapper() {
    ObjectMapper mapper = new ObjectMapper()
    mapper.registerModule(new CoreJackson2Module());
    // ... your other configuration
    return mapper;
}

This calls SecurityJackson2Modules.enableDefaultTyping and adds the BadCredentialsException mixin.

Comment From: TanqiZhou

Good

Comment From: koundinya-goparaju-wcar

I am getting the following error when I try to deserialize the OAuth2AuthenticationToken The class with org.springframework.security.web.authentication.WebAuthenticationDetails and name of org.springframework.security.web.authentication.WebAuthenticationDetails is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details (through reference chain: org.springframework.security.core.context.SecurityContextImpl["authentication"]->org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken["details"])

Comment From: bmaassenee

I think i found a bug in WebServletJackson2Module with its constructor:

    public WebServletJackson2Module() {
        super(WebJackson2Module.class.getName(), new Version(1, 0, 0, null, null, null));
    }

registers it self as WebJackson2Module.class.getName(), with the result that ObjectMapper.registerModule rejects the module to be loaded because it thinks this module is already registered

Comment From: jzheaux

@bmaassenee, please consider filing an issue if you believe you've found a bug. If you'd include a small reproducing sample in your report, that will help resolve your issue more quickly.

Comment From: tsrgithub

{ "error_description": "OpenID Connect 1.0 UserInfo Error: The class with java.util.Collections$SingletonMap and name of java.util.Collections$SingletonMap is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details", "error": "invalid_request", "error_uri": "https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError" }

Comment From: rizkyJabar5

{ "error_description": "OpenID Connect 1.0 UserInfo Error: The class with java.util.Collections$SingletonMap and name of java.util.Collections$SingletonMap is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See #4370 for details", "error": "invalid_request", "error_uri": "https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError" }

I have the same issue too. Has there been a fix for this?

Comment From: shrralis

The same happens in Kotlin projects, e.g. The class with kotlin.collections.EmptyList and name of kotlin.collections.EmptyList is not in the allowlist

Comment From: timadeshola

I am getting this error when attempt to generate refresh token. Using Spring Boot authorization server v3 The class with org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken and name of org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details

Comment From: a1473838623

my solution for OAuth2AuthorizationService config.

    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY, property = "@class")
    public abstract static class SynchronizedSetMixin {
    }

    @Bean
    public OAuth2AuthorizationService authorizationService(JdbcTemplate jdbcTemplate,
                                                           RegisteredClientRepository registeredClientRepository) {
        JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper rowMapper =
                new JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper(registeredClientRepository);
        JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper oAuth2AuthorizationParametersMapper =
                new JdbcOAuth2AuthorizationService.OAuth2AuthorizationParametersMapper();
        JdbcOAuth2AuthorizationService authorizationService =
                new JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository);
        ObjectMapper objectMapper = new ObjectMapper();

        ClassLoader classLoader = JdbcOAuth2AuthorizationService.class.getClassLoader();
        List<Module> securityModules = SecurityJackson2Modules.getModules(classLoader);
        objectMapper.registerModules(securityModules);
        objectMapper.registerModule(new OAuth2AuthorizationServerJackson2Module());

        objectMapper.addMixIn(Collections.synchronizedSet(new HashSet<>()).getClass(), SynchronizedSetMixin.class);

        rowMapper.setObjectMapper(objectMapper);
        oAuth2AuthorizationParametersMapper.setObjectMapper(objectMapper);
        authorizationService.setAuthorizationRowMapper(rowMapper);
        authorizationService.setAuthorizationParametersMapper(oAuth2AuthorizationParametersMapper);

        return authorizationService;
    }

Comment From: z1098416956

The class with java.util.ImmutableCollections$List12 and name of java.util.ImmutableCollections$List12 is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details???

所以这个是什么情况? 我已经把OAuth2Authorization.Token.class处理了,为什么还是出现这个错误? ` public class OAuth2AuthorizationModule extends SimpleModule {

@Serial
private static final long serialVersionUID = 1243758528885179491L;

public OAuth2AuthorizationModule() {
    super(OAuth2AuthorizationModule.class.getName(), new Version(1, 0, 0, null, null, null));
}

@Override
public void setupModule(SetupContext context) {
    SecurityJackson2Modules.enableDefaultTyping(context.getOwner());

    context.setMixInAnnotations(OAuth2Authorization.class, OAuth2AuthorizationMixin.class);
    context.setMixInAnnotations(OAuth2AuthorizationCode.class, OAuth2AuthorizationCodeMixin.class);
    context.setMixInAnnotations(OAuth2Authorization.Token.class, TokenMixin.class);
    context.setMixInAnnotations(OAuth2AccessToken.class, OAuth2AccessTokenMixin.class);
    context.setMixInAnnotations(OAuth2RefreshToken.class, OAuth2RefreshTokenMixin.class);
    context.setMixInAnnotations(AuthorizationGrantType.class, AuthorizationGrantTypeMixin.class);
    context.setMixInAnnotations(OAuth2AccessToken.TokenType.class, TokenTypeMixin.class);
}

} `

` @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE, isGetterVisibility = JsonAutoDetect.Visibility.NONE) @JsonIgnoreProperties(ignoreUnknown = true) public abstract class TokenMixin {

@JsonCreator
TokenMixin(@JsonProperty("token") OAuth2Token token,
           @JsonProperty("metadata") Map<String, Object> metadata) {
}

} `

Comment From: taraksuthar1999

The class with com.example.authservice.security.models.CustomSecurityUserDetails and name of com.example.authservice.security.models.CustomSecurityUserDetails is not in the allowlist.

My Solution which worked for me was to create Deserializer for the class 

@JsonTypeInfo(
        use = JsonTypeInfo.Id.CLASS,
        include = JsonTypeInfo.As.PROPERTY
)
@JsonDeserialize(
        using = CustomSecurityUserDeserializer.class
)
@JsonAutoDetect(
        fieldVisibility = JsonAutoDetect.Visibility.ANY,
        getterVisibility = JsonAutoDetect.Visibility.NONE,
        isGetterVisibility = JsonAutoDetect.Visibility.NONE
)
@JsonIgnoreProperties(
        ignoreUnknown = true
)
public class CustomSecurityUserDetails implements UserDetails {
.....
.....
}