Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Allow List to Jackson Support #4370

Closed
rwinch opened this issue Jun 6, 2017 · 12 comments
Closed

Add Allow List to Jackson Support #4370

rwinch opened this issue Jun 6, 2017 · 12 comments
Assignees
@rwinch
Labels
in: cas An issue in spring-security-cas in: core An issue in spring-security-core in: web An issue in web modules (web, webmvc) type: bug A general bug
Milestone
4.2.3

Comments

@rwinch
Copy link
Member

rwinch commented Jun 6, 2017

Summary

There are some performance optimizations we can provide for jackson integration
@rwinch rwinch added type: bug A general bug in: cas An issue in spring-security-cas in: core An issue in spring-security-core in: web An issue in web modules (web, webmvc) labels Jun 6, 2017
@rwinch rwinch added this to the 4.2.3 milestone Jun 6, 2017
@rwinch rwinch self-assigned this Jun 6, 2017
@rwinch rwinch closed this as completed Jun 8, 2017
rwinch added a commit that referenced this issue Jun 8, 2017
@rwinch
Update SecurityJackson2Modules
947d11f 
Fixes gh-4370
rwinch added a commit that referenced this issue Jun 8, 2017
@rwinch
Update SecurityJackson2Modules
5dee853 
Fixes gh-4370
@fpavageau fpavageau mentioned this issue Jul 20, 2017
Merged
1 task
@chrisburrell chrisburrell mentioned this issue Dec 1, 2017
Closed
@TanqiZhou
Copy link

org.springframework.security.authentication.BadCredentialsException is not whitelisted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See #4370 for details; nested exception is java.

@vpavic vpavic mentioned this issue Mar 6, 2018
Closed
@YLombardi YLombardi mentioned this issue Mar 8, 2018
Merged
@davideanderson davideanderson mentioned this issue Mar 27, 2018
Closed
@iKrushYou iKrushYou mentioned this issue Apr 9, 2018
Closed
thomasdarimont pushed a commit to thomasdarimont/spring-security that referenced this issue Apr 25, 2018
@rwinch @thomasdarimont
Update SecurityJackson2Modules
263bdb0 
Fixes spring-projectsgh-4370
@chrylis
Copy link

chrylis commented Aug 10, 2018

Since the error message points to this issue, can it please get a link to documentation on enabling default typing?

@miladamery
Copy link

Since the error message points to this issue, can it please get a link to documentation on enabling default typing?

Hi. i have same issue and cant find how to enable default typing. i really appreciate if you provide a link or something else that says how to do it.

@jzheaux
Copy link
Contributor

jzheaux commented Mar 12, 2019

To (de)serialize a BadCredentialsException, use CoreJackson2Module:

@Bean
public ObjectMapper objectMapper() {
    ObjectMapper mapper = new ObjectMapper()
    mapper.registerModule(new CoreJackson2Module());
    // ... your other configuration
    return mapper;
}

This calls SecurityJackson2Modules.enableDefaultTyping and adds the BadCredentialsException mixin.

@TanqiZhou
Copy link

Good

@mengelbrecht mengelbrecht mentioned this issue Nov 20, 2020
Closed
@vkatoch2000 vkatoch2000 mentioned this issue Mar 25, 2021
Closed
siporqueno added a commit to siporqueno/spring-two that referenced this issue Apr 30, 2021
@siporqueno
Homework of Lesson 5. Modified objectMapper config in SessionConfig b…
33805a2 
…ased on spring-projects/spring-security#4370
@pengliaoye pengliaoye mentioned this issue Aug 8, 2021
Closed
@Basit-Mahmood Basit-Mahmood mentioned this issue Aug 16, 2021
Closed
@koundinya-goparaju-wcar
Copy link

I am getting the following error when I try to deserialize the OAuth2AuthenticationToken
The class with org.springframework.security.web.authentication.WebAuthenticationDetails and name of org.springframework.security.web.authentication.WebAuthenticationDetails is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details (through reference chain: org.springframework.security.core.context.SecurityContextImpl["authentication"]->org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken["details"])

Closed
@mbarringer mbarringer mentioned this issue Nov 5, 2021
Closed
@Ravis22 Ravis22 mentioned this issue Jan 5, 2022
Closed
@vjcool2408 vjcool2408 mentioned this issue Jan 18, 2022
Closed
@rwinch rwinch changed the title Jackson Optimization Add Allow List to Jackson Support Mar 10, 2022
@bmaassenee
Copy link

bmaassenee commented Apr 19, 2022
edited

I think i found a bug in WebServletJackson2Module
with its constructor:

	public WebServletJackson2Module() {
		super(WebJackson2Module.class.getName(), new Version(1, 0, 0, null, null, null));
	}

registers it self as WebJackson2Module.class.getName(), with the result that ObjectMapper.registerModule rejects the module to be loaded because it thinks this module is already registered

@rwinch rwinch mentioned this issue Apr 29, 2022
Closed
@jzheaux
Copy link
Contributor

jzheaux commented May 6, 2022

@bmaassenee, please consider filing an issue if you believe you've found a bug. If you'd include a small reproducing sample in your report, that will help resolve your issue more quickly.

@meimosor meimosor mentioned this issue May 16, 2022
Closed
kinsersh added a commit to kinsersh/spring-authorization-server that referenced this issue May 18, 2022
@kinsersh
Fix deserialize incompatibility with Okta ver claim
9300062 
Okta includes a "ver" claim in the ID tokens it issues that gets serialized to json, as follows:
{
  "@Class": "java.util.Collections$UnmodifiableMap",
  "ver": [
    "java.lang.Long",
    1
  ]
}

This claim is added by Okta automatically (see https://developer.okta.com/docs/reference/api/oidc/#id-token).

Spring Authorization Server encounters an error when attempting to deserialize this claim from Okta, as follows:
The class with java.lang.Long and name of java.lang.Long is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See spring-projects/spring-security#4370 for details
java.lang.IllegalArgumentException: The class with java.lang.Long and name of java.lang.Long is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See spring-projects/spring-security#4370 for details
	at org.springframework.security.jackson2.SecurityJackson2Modules$AllowlistTypeIdResolver.typeFromId(SecurityJackson2Modules.java:253)

The issue at spring-projects#567 has a similar symptom, though this situation would be encountered by any project wanting to do OpenID Connect with Okta. I thus recommend a general fix rather than a project-specific fix as recommended at spring-projects#397.

This commit defines a mixin that doesn't alter the json formatting but does instruct SecurityJackson2Modules.AllowlistTypeIdResolver to permit the deseralization of that Okta claim.

For broader context, below is an example of what is stored by Spring Authorization Server in the attributes column of the oauth2_authorization table.
{
  "@Class": "java.util.Collections$UnmodifiableMap",
  "org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest": {
    "@Class": "org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest",
    "authorizationUri": "http://localhost:5000/oauth2/authorize",
    "authorizationGrantType": {
      "value": "authorization_code"
    },
    "responseType": {
      "value": "code"
    },
    "clientId": "login-acceptance-test-client",
    "redirectUri": "http://127.0.0.1:5000/login-acceptance-test-client",
    "scopes": [
      "java.util.Collections$UnmodifiableSet",
      [
        "openid"
      ]
    ],
    "state": "foo",
    "additionalParameters": {
      "@Class": "java.util.Collections$UnmodifiableMap"
    },
    "authorizationRequestUri": "http://localhost:5000/oauth2/authorize?response_type=code&client_id=login-acceptance-test-client&scope=openid&state=foo&redirect_uri=http://127.0.0.1:5000/login-acceptance-test-client",
    "attributes": {
      "@Class": "java.util.Collections$UnmodifiableMap"
    }
  },
  "java.security.Principal": {
    "@Class": "org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken",
    "principal": {
      "@Class": "org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser",
      "authorities": [
        "java.util.Collections$UnmodifiableSet",
        [
          {
            "@Class": "org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority",
            "authority": "ROLE_USER",
            "idToken": {
              "@Class": "org.springframework.security.oauth2.core.oidc.OidcIdToken",
              "tokenValue": "actualTokenValueRemoved",
              "issuedAt": 1652411922.000000000,
              "expiresAt": 1652415522.000000000,
              "claims": {
                "@Class": "java.util.Collections$UnmodifiableMap",
                "at_hash": "X4TpvHXTMw3kaBMRas-H6A",
                "sub": "00u4zn2e0w8cRRFv75d1",
                "ver": [
                  "java.lang.Long",
                  1
                ],
                "amr": [
                  "java.util.ArrayList",
                  [
                    "pwd"
                  ]
                ],
                "iss": [
                  "java.net.URL",
                  "https://dev-231911394952.okta.com"
                ],
                "preferred_username": "login.at.okta.public.local",
                "nonce": "pWQDfOxvpslr_FWiTqHlIRdCiT5Sfq-PWvBmSyrDki0",
                "aud": [
                  "java.util.ArrayList",
                  [
                    "0oa4varwxxjIMcDph5d7"
                  ]
                ],
                "idp": "00otba6t5x5dSt78H5d6",
                "auth_time": [
                  "java.time.Instant",
                  1652411920.000000000
                ],
                "name": "login at okta public local test",
                "exp": [
                  "java.time.Instant",
                  1652415522.000000000
                ],
                "iat": [
                  "java.time.Instant",
                  1652411922.000000000
                ],
                "email": "login.at.okta.public.local@example.com",
                "jti": "ID.IfAKG8WvCxOy023DLl6I-WY-4pHgxMJZv1F79rqAtYM"
              }
            },
            "userInfo": {
              "@Class": "org.springframework.security.oauth2.core.oidc.OidcUserInfo",
              "claims": {
                "@Class": "java.util.Collections$UnmodifiableMap",
                "sub": "00u4zn2e0w8cRRFv75d1",
                "zoneinfo": "America/Los_Angeles",
                "email_verified": true,
                "updated_at": [
                  "java.time.Instant",
                  1652216788.000000000
                ],
                "name": "login at okta public local test",
                "preferred_username": "login.at.okta.public.local",
                "locale": "en_US",
                "given_name": "login at okta public local",
                "family_name": "test",
                "email": "login.at.okta.public.local@example.com"
              }
            }
          },
          {
            "@Class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
            "authority": "SCOPE_email"
          },
          {
            "@Class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
            "authority": "SCOPE_openid"
          },
          {
            "@Class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
            "authority": "SCOPE_phone"
          },
          {
            "@Class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
            "authority": "SCOPE_profile"
          }
        ]
      ],
      "idToken": {
        "@Class": "org.springframework.security.oauth2.core.oidc.OidcIdToken",
        "tokenValue": "actualTokenValueRemoved",
        "issuedAt": 1652411922.000000000,
        "expiresAt": 1652415522.000000000,
        "claims": {
          "@Class": "java.util.Collections$UnmodifiableMap",
          "at_hash": "X4TpvHXTMw3kaBMRas-H6A",
          "sub": "00u4zn2e0w8cRRFv75d1",
          "ver": [
            "java.lang.Long",
            1
          ],
          "amr": [
            "java.util.ArrayList",
            [
              "pwd"
            ]
          ],
          "iss": [
            "java.net.URL",
            "https://dev-231911394952.okta.com"
          ],
          "preferred_username": "login.at.okta.public.local",
          "nonce": "pWQDfOxvpslr_FWiTqHlIRdCiT5Sfq-PWvBmSyrDki0",
          "aud": [
            "java.util.ArrayList",
            [
              "0oa4varwxxjIMcDph5d7"
            ]
          ],
          "idp": "00otba6t5x5dSt78H5d6",
          "auth_time": [
            "java.time.Instant",
            1652411920.000000000
          ],
          "name": "login at okta public local test",
          "exp": [
            "java.time.Instant",
            1652415522.000000000
          ],
          "iat": [
            "java.time.Instant",
            1652411922.000000000
          ],
          "email": "login.at.okta.public.local@example.com",
          "jti": "ID.IfAKG8WvCxOy023DLl6I-WY-4pHgxMJZv1F79rqAtYM"
        }
      },
      "userInfo": {
        "@Class": "org.springframework.security.oauth2.core.oidc.OidcUserInfo",
        "claims": {
          "@Class": "java.util.Collections$UnmodifiableMap",
          "sub": "00u4zn2e0w8cRRFv75d1",
          "zoneinfo": "America/Los_Angeles",
          "email_verified": true,
          "updated_at": [
            "java.time.Instant",
            1652216788.000000000
          ],
          "name": "login at okta public local test",
          "preferred_username": "login.at.okta.public.local",
          "locale": "en_US",
          "given_name": "login at okta public local",
          "family_name": "test",
          "email": "login.at.okta.public.local@example.com"
        }
      },
      "nameAttributeKey": "sub"
    },
    "authorities": [
      "java.util.Collections$UnmodifiableRandomAccessList",
      [
        {
          "@Class": "org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority",
          "authority": "ROLE_USER",
          "idToken": {
            "@Class": "org.springframework.security.oauth2.core.oidc.OidcIdToken",
            "tokenValue": "actualTokenValueRemoved",
            "issuedAt": 1652411922.000000000,
            "expiresAt": 1652415522.000000000,
            "claims": {
              "@Class": "java.util.Collections$UnmodifiableMap",
              "at_hash": "X4TpvHXTMw3kaBMRas-H6A",
              "sub": "00u4zn2e0w8cRRFv75d1",
              "ver": [
                "java.lang.Long",
                1
              ],
              "amr": [
                "java.util.ArrayList",
                [
                  "pwd"
                ]
              ],
              "iss": [
                "java.net.URL",
                "https://dev-231911394952.okta.com"
              ],
              "preferred_username": "login.at.okta.public.local",
              "nonce": "pWQDfOxvpslr_FWiTqHlIRdCiT5Sfq-PWvBmSyrDki0",
              "aud": [
                "java.util.ArrayList",
                [
                  "0oa4varwxxjIMcDph5d7"
                ]
              ],
              "idp": "00otba6t5x5dSt78H5d6",
              "auth_time": [
                "java.time.Instant",
                1652411920.000000000
              ],
              "name": "login at okta public local test",
              "exp": [
                "java.time.Instant",
                1652415522.000000000
              ],
              "iat": [
                "java.time.Instant",
                1652411922.000000000
              ],
              "email": "login.at.okta.public.local@example.com",
              "jti": "ID.IfAKG8WvCxOy023DLl6I-WY-4pHgxMJZv1F79rqAtYM"
            }
          },
          "userInfo": {
            "@Class": "org.springframework.security.oauth2.core.oidc.OidcUserInfo",
            "claims": {
              "@Class": "java.util.Collections$UnmodifiableMap",
              "sub": "00u4zn2e0w8cRRFv75d1",
              "zoneinfo": "America/Los_Angeles",
              "email_verified": true,
              "updated_at": [
                "java.time.Instant",
                1652216788.000000000
              ],
              "name": "login at okta public local test",
              "preferred_username": "login.at.okta.public.local",
              "locale": "en_US",
              "given_name": "login at okta public local",
              "family_name": "test",
              "email": "login.at.okta.public.local@example.com"
            }
          }
        },
        {
          "@Class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
          "authority": "SCOPE_email"
        },
        {
          "@Class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
          "authority": "SCOPE_openid"
        },
        {
          "@Class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
          "authority": "SCOPE_phone"
        },
        {
          "@Class": "org.springframework.security.core.authority.SimpleGrantedAuthority",
          "authority": "SCOPE_profile"
        }
      ]
    ],
    "authorizedClientRegistrationId": "oktaDev",
    "details": {
      "@Class": "org.springframework.security.web.authentication.WebAuthenticationDetails",
      "remoteAddress": "127.0.0.1",
      "sessionId": "A8634EA2537A251E8B3D22A5CC4A6E3D"
    }
  },
  "org.springframework.security.oauth2.server.authorization.OAuth2Authorization.AUTHORIZED_SCOPE": [
    "java.util.Collections$UnmodifiableSet",
    [
      "openid"
    ]
  ]
}
@kinsersh kinsersh mentioned this issue May 18, 2022
Closed
xuxiaowei-com-cn added a commit to xuxiaowei-cloud/xuxiaowei-cloud that referenced this issue Aug 26, 2022
@xuxiaowei-com-cn
🐛 将Token中的Long类型改为String
1ec4656 
spring-projects/spring-security#4370
@Jxiu Jxiu mentioned this issue Aug 29, 2022
Closed
@najalba najalba mentioned this issue Sep 5, 2022
Closed
xuxiaowei-com-cn added a commit to xuxiaowei-cloud/xuxiaowei-cloud-next that referenced this issue Sep 7, 2022
@xuxiaowei-com-cn
🐛 与用户关联的数据,一律使用 users_id,不可使用 username,将Token中的Long类型改为String
3e612a1 
1. users_id 不可变
2. username 可能会发生变化(后期提供修改用户名的功能)
3. 日志要同时输出 users_id、username
spring-projects/spring-security#4370
xuxiaowei-com-cn added a commit to xuxiaowei-cloud/xuxiaowei-cloud that referenced this issue Sep 14, 2022
@xuxiaowei-com-cn
🐛 Session Redis 配置
b21dc18 
spring-projects/spring-security#4370
xuxiaowei-com-cn added a commit to xuxiaowei-cloud/xuxiaowei-cloud-next that referenced this issue Sep 14, 2022
@xuxiaowei-com-cn
🐛 Session Redis 配置
efd1152 
spring-projects/spring-security#4370
@klinck klinck mentioned this issue Nov 1, 2022
Open
@buckett buckett mentioned this issue Nov 10, 2022
Closed
@kuschzzp kuschzzp mentioned this issue Dec 16, 2022
Closed
@zkirill zkirill mentioned this issue Dec 18, 2022
Closed
@xuxiaowei-com-cn xuxiaowei-com-cn mentioned this issue Dec 30, 2022
Closed
lltx pushed a commit to pig-mesh/pig that referenced this issue Jan 4, 2023
@xuxiaowei-com-cn
✨ 将储存在 Redis 中的数据序列化为 JSON(本功能不兼容之前的Redis数据,需要将原有Redis数据清空才能正常使用)
b5ec3f4 
spring-projects/spring-security#4370
@buzzerrookie buzzerrookie mentioned this issue Jan 19, 2023
Closed
@nobodyiam nobodyiam mentioned this issue Mar 21, 2023
Closed
3 tasks
This was referenced Apr 6, 2023
Closed
Closed
@Been24 Been24 mentioned this issue May 22, 2023
Closed
@tsrgithub
Copy link

{
"error_description": "OpenID Connect 1.0 UserInfo Error: The class with java.util.Collections$SingletonMap and name of java.util.Collections$SingletonMap is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See #4370 for details",
"error": "invalid_request",
"error_uri": "https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError"
}

@encyclopedi2a encyclopedi2a mentioned this issue Jun 4, 2023
Closed
@rizkyJabar5
Copy link

{ "error_description": "OpenID Connect 1.0 UserInfo Error: The class with java.util.Collections$SingletonMap and name of java.util.Collections$SingletonMap is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See #4370 for details", "error": "invalid_request", "error_uri": "https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError" }

I have the same issue too. Has there been a fix for this?

@shrralis
Copy link

The same happens in Kotlin projects, e.g. The class with kotlin.collections.EmptyList and name of kotlin.collections.EmptyList is not in the allowlist

@timadeshola
Copy link

I am getting this error when attempt to generate refresh token. Using Spring Boot authorization server v3
The class with org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken and name of org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rwinch rwinch

Labels
in: cas An issue in spring-security-cas in: core An issue in spring-security-core in: web An issue in web modules (web, webmvc) type: bug A general bug
Projects
None yet
Milestone
4.2.3
Development

No branches or pull requests