Issue with locking down suppressAccessChecks with Jackson Databind #992
I am not sure. I do prefer explicit, upfront exceptions over later-on ambiguous and misleading exceptions, which removal of the check could cause. So I guess I'd like to understand your problem better, and/or suggest alternative handling. From the original bug report it would seem to me that use of Jackson from a static initializer block of a class is a bit dangerous in itself. Could that be changed to occur in a place where there is less damage from this check failing? Or perhaps handling of possible |
One thing I can and will do, for 2.7, is give method in question access to configuration, which will make it possible to use a One more possibility could be to figure out dynamically whether |
In the meantime, for version 2.6 and earlier, there is |
A customer reported an issue with the AWS SDK for Java (aws/aws-sdk-java#528) asking for the ability to restrict the permission suppressAccessChecks in a security manager. Tried to fix the issue on our end by making all classes/constructors/methods involved in serialization public but was still getting exceptions from the databind library, specifically ClassUtils. Did a little investigation and found that the code handling SecurityExceptions seems to be incorrect.
The method isAccessible checks if access checks have been suppressed, i.e. not locked down by a security manager, rather than if the method/constructor/field is actually accessible per its modifiers. If we are unable to suppress access checks can we not just proceed and have deserialization fail when the method is invoked? Unless I'm mistaken this makes Jackson unusable with a SecurityManager in place.
I'll put together a pull request for this.
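The distinction drawn in the issue text above, shown with plain `java.lang.reflect` as an added example (this is not code from Jackson Databind or the AWS SDK). The class `AccessCheckDemo`, the sample type `Bean` and the helpers `isPublicPerModifiers` and `makeUsable` are hypothetical names constructed for illustration.

```java
import java.lang.reflect.AccessibleObject;
import java.lang.reflect.Member;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

public class AccessCheckDemo {
    // Constructed sample type: one public accessor, one private one.
    public static class Bean {
        public String getName() { return "name"; }
        private String getSecret() { return "secret"; }
    }

    // True when the member and its declaring class are public, so it can be
    // invoked without the suppressAccessChecks permission.
    static boolean isPublicPerModifiers(Member m) {
        return Modifier.isPublic(m.getModifiers())
                && Modifier.isPublic(m.getDeclaringClass().getModifiers());
    }

    // Hypothetical helper: call setAccessible(true) only when the modifiers
    // require it, and report a denial instead of failing for public members.
    static <T extends AccessibleObject & Member> boolean makeUsable(T m) {
        if (isPublicPerModifiers(m)) {
            return true; // no permission needed
        }
        try {
            m.setAccessible(true); // needs ReflectPermission("suppressAccessChecks")
            return true;
        } catch (SecurityException e) {
            return false; // locked down: only this non-public member is unusable
        }
    }

    @SuppressWarnings("deprecation") // isAccessible() is deprecated since Java 9
    public static void main(String[] args) throws Exception {
        Method pub = Bean.class.getMethod("getName");
        Method priv = Bean.class.getDeclaredMethod("getSecret");
        // The flag is false for both until setAccessible(true) succeeds.
        System.out.println("isAccessible: " + pub.isAccessible() + " / " + priv.isAccessible());
        System.out.println("public per modifiers: " + isPublicPerModifiers(pub)
                + " / " + isPublicPerModifiers(priv));
        Bean bean = new Bean();
        if (makeUsable(pub)) System.out.println(pub.invoke(bean));
        if (makeUsable(priv)) System.out.println(priv.invoke(bean));
    }
}
```

Under a policy that withholds `suppressAccessChecks`, `makeUsable` still returns true for the public accessor because it never requests the permission, and returns false only for the private one.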