diff --git a/spring-integration-core/src/main/java/org/springframework/integration/support/json/JacksonJsonUtils.java b/spring-integration-core/src/main/java/org/springframework/integration/support/json/JacksonJsonUtils.java
index 64a95a9644f..abec1de7591 100644
--- a/spring-integration-core/src/main/java/org/springframework/integration/support/json/JacksonJsonUtils.java
+++ b/spring-integration-core/src/main/java/org/springframework/integration/support/json/JacksonJsonUtils.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -167,13 +167,13 @@ private static final class WhitelistTypeIdResolver implements TypeIdResolver {
 		WhitelistTypeIdResolver(TypeIdResolver delegate, String... trustedPackages) {
 			this.delegate = delegate;
 			if (trustedPackages != null) {
-				for (String whiteListClass : trustedPackages) {
-					if ("*".equals(whiteListClass)) {
+				for (String whiteListPackage : trustedPackages) {
+					if ("*".equals(whiteListPackage)) {
 						this.trustedPackages.clear();
 						break;
 					}
 					else {
-						this.trustedPackages.add(whiteListClass);
+						this.trustedPackages.add(whiteListPackage);
 					}
 				}
 			}
@@ -224,7 +224,10 @@ public JavaType typeFromId(DatabindContext context, String id) throws IOExceptio
 		private boolean isTrustedPackage(String packageName) {
 			if (!this.trustedPackages.isEmpty()) {
 				for (String trustedPackage : this.trustedPackages) {
-					if (packageName.equals(trustedPackage) || packageName.startsWith(trustedPackage + ".")) {
+					if (packageName.equals(trustedPackage) ||
+							(!packageName.equals("java.util.logging")
+									&& packageName.startsWith(trustedPackage + "."))) {
+
 						return true;
 					}
 				}
diff --git a/src/reference/asciidoc/redis.adoc b/src/reference/asciidoc/redis.adoc
index 273decbcc46..e7861acc71e 100644
--- a/src/reference/asciidoc/redis.adoc
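Review bot: The new `"java.util.logging"` exclusion in isTrustedPackage is a bare literal buried inside the prefix test, with nothing saying why this one sub-package of the default-trusted `java.util` is singled out, and because it is an exact `equals` it blocks only that package name, not anything nested under it. I would hoist it to a named constant with a why-comment, `private static final String EXCLUDED_PACKAGE = "java.util.logging"; // carved out of the java.util prefix on purpose; see <ISSUE-ID>`, and, if the whole subtree is meant to be fenced off, test `!(packageName.equals(EXCLUDED_PACKAGE) || packageName.startsWith(EXCLUDED_PACKAGE + "."))` rather than a single `equals`. The stray blank `+` line between the condition and `return true;` should also be dropped. The body of isTrustedPackage continues past the hunk, so its fall-through return is not visible here.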
+++ b/src/reference/asciidoc/redis.adoc
@@ -367,9 +367,11 @@ However, if you want to use a different serialization technique (such as JSON),
 Starting with version 4.3.10, the Framework provides Jackson serializer and deserializer implementations for `Message` instances and `MessageHeaders` instances -- `MessageJacksonDeserializer` and `MessageHeadersJacksonSerializer`, respectively. They have to be configured with the `SimpleModule` options for the `ObjectMapper`.
-In addition, you should set `enableDefaultTyping` on the `ObjectMapper` to add type information for each serialized complex object.
+In addition, you should set `enableDefaultTyping` on the `ObjectMapper` to add type information for each serialized complex object (if you trust the source).
 That type information is then used during deserialization. The framework provides a utility method called `JacksonJsonUtils.messagingAwareMapper()`, which is already supplied with all the previously mentioned properties and serializers.
+This utility method comes with the `trustedPackages` argument to limit Java packages for deserialization to avoid security vulnerabilities.
+The default trusted packages: `java.util`, `java.lang`, `org.springframework.messaging.support`, `org.springframework.integration.support`, `org.springframework.integration.message`, `org.springframework.integration.store`.
 To manage JSON serialization in the `RedisMessageStore`, you must configure it in a fashion similar to the following example:
 ====