Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add 'Java. Util. Collections $SingletonMap' to 'org. Springframework. Security. Jackson2. SecurityJackson2Modules' ALLOWLIST_CLASS_NAMES set #1009

Closed
kuschzzp opened this issue Dec 16, 2022 · 1 comment
Closed

Add 'Java. Util. Collections $SingletonMap' to 'org. Springframework. Security. Jackson2. SecurityJackson2Modules' ALLOWLIST_CLASS_NAMES set #1009

kuschzzp opened this issue Dec 16, 2022 · 1 comment
Assignees
@jgrandja
Labels
for: external-project For an external project and not something we can fix

Comments

@kuschzzp
Copy link
Contributor

I according to the official document "https://docs.spring.io/spring-authorization-server/docs/current/reference/html/guides/how-to-jpa.html" The code that runs gets the correct access_token, then uses the access_token to request the /userinfo endpoint, but gets the following error:

{
    "error_description": "OpenID Connect 1.0 UserInfo Error: The class with java.util.Collections$SingletonMap and name of java.util.Collections$SingletonMap is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details",
    "error": "invalid_request",
    "error_uri": "https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError"
}

I went to consult the spring-projects/spring-security#4370, using the following methods to solve the error:

Create the following two classes:

@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonDeserialize(using = SingletonMapDeserializer.class)
abstract class SingletonMapMixin {

    @JsonCreator
    SingletonMapMixin(Map<?, ?> map) {
    }
}

final class SingletonMapDeserializer extends JsonDeserializer<Map<?, ?>> {

    @Override
    public Map<?, ?> deserialize(JsonParser parser, DeserializationContext context) throws IOException {
        ObjectMapper mapper = (ObjectMapper) parser.getCodec();
        JsonNode mapNode = mapper.readTree(parser);
        Map<String, Object> result = new LinkedHashMap<>();
        if (mapNode != null && mapNode.isObject()) {
            Iterable<Map.Entry<String, JsonNode>> fields = mapNode::fields;
            for (Map.Entry<String, JsonNode> field : fields) {
                result.put(field.getKey(), mapper.readValue(field.getValue().traverse(mapper), Object.class));
            }
        }
        if (result.size() == 1) {
            for (Map.Entry<String, Object> entry : result.entrySet()) {
                return Collections.singletonMap(entry.getKey(), entry.getValue());
            }
        }
        return result;
    }

}

And then configure it:

this.objectMapper.addMixIn(Collections.singletonMap(String.class, Object.class).getClass(),SingletonMapMixin.class);

The above code works, but I'm still confused about the issue. In the "ALLOWLIST_CLASS_NAMES" collection of "org.Springframework.Security.Jackson2.SecurityJackson2Modules", The "java.Util.Collections $SingletonMap" property is not included.

........
static class AllowlistTypeIdResolver implements TypeIdResolver {

		private static final Set<String> ALLOWLIST_CLASS_NAMES;
		static {
			Set<String> names = new HashSet<>();
			names.add("java.util.ArrayList");
			names.add("java.util.Collections$EmptyList");
			names.add("java.util.Collections$EmptyMap");
			names.add("java.util.Collections$UnmodifiableRandomAccessList");
			names.add("java.util.Collections$SingletonList");
			names.add("java.util.Date");
			names.add("java.time.Instant");
			names.add("java.net.URL");
			names.add("java.util.TreeMap");
			names.add("java.util.HashMap");
			names.add("java.util.LinkedHashMap");
			names.add("org.springframework.security.core.context.SecurityContextImpl");
			names.add("java.util.Arrays$ArrayList");
			ALLOWLIST_CLASS_NAMES = Collections.unmodifiableSet(names);
		}
.....

Would it be possible to open-up java.Util.Collections $SingletonMap? Seen as we already allow java.util.Collections$SingletonList, I can't see adding a java.Util.Collections $SingletonMap would make much different.
@kuschzzp kuschzzp added the type: enhancement A general enhancement label Dec 16, 2022
@jgrandja
Copy link
Collaborator

jgrandja commented Jan 9, 2023

@kuschzzp

I according to the official document "https://docs.spring.io/spring-authorization-server/docs/current/reference/html/guides/how-to-jpa.html" The code that runs gets the correct access_token, then uses the access_token to request the /userinfo endpoint

I was not able to reproduce the error. The instructions provided should be more detailed providing step-by-step instructions on how to reproduce.

this.objectMapper.addMixIn(Collections.singletonMap(String.class, Object.class).getClass(),SingletonMapMixin.class)

This is the correct and expected way to register a mixin if the framework does not provide one.

Would it be possible to open-up java.Util.Collections $SingletonMap?

I'm going to close this issue since SecurityJackson2Modules lives in Spring Security and this issue should be logged there.

@jgrandja jgrandja closed this as completed Jan 9, 2023
@jgrandja jgrandja self-assigned this Jan 9, 2023
@jgrandja jgrandja added for: external-project For an external project and not something we can fix and removed type: enhancement A general enhancement labels Jan 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jgrandja jgrandja

Labels
for: external-project For an external project and not something we can fix
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jgrandja @kuschzzp