jackson-databind

Jackson 3: `@JsonSubTypes` does not affect validity checks

Open sdeleuze opened this issue 2 months ago • 1 comment

Search before asking

  • [x] I searched in the issues and found nothing similar.

Describe the bug

Please find below a reproducer for a use case we have for Spring Security Jackson 3 support, where we would like to disable global default typing (for better security) and just rely on @JsonTypeInfo + @JsonSubTypes for polymorphic deserialization, and that does not seem possible.

Despite the fact that we register a strict set of sub types via @JsonSubTypes to deserialize the Object principal, Jackson 3 requires a custom PolymorphicTypeValidator, which we would like to avoid because we are trying to remove mandatory mapper configuration.

Could DefaultBaseTypeLimitingValidator relax its checks in that case and take into account the @JsonSubTypes configured in the mixins?

Version Information

3.0.0-rc10

Reproduction

import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import org.junit.jupiter.api.Test;
import tools.jackson.databind.json.JsonMapper;

import static org.assertj.core.api.Assertions.assertThat;

public class JacksonPTVTests {

    // Plain String principal: no polymorphic subtype is involved, round trip succeeds.
    @Test
    void stringPrincipal() {
        JsonMapper mapper = new JsonMapper();
        String json = mapper.writeValueAsString(new User("bob"));
        User user = mapper.readValue(json, User.class);
        assertThat(user.principal()).isEqualTo("bob");
    }

    // Custom principal: the default PolymorphicTypeValidator rejects any subtype of
    // Object on readValue, even though CustomPrincipal is listed in @JsonSubTypes.
    @Test
    void customPrincipal() {
        JsonMapper mapper = new JsonMapper();
        String json = mapper.writeValueAsString(new User(new CustomPrincipal("bob")));
        User user = mapper.readValue(json, User.class);
        assertThat(user.principal()).isInstanceOf(CustomPrincipal.class);
    }

    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
    record User(
            @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
            @JsonSubTypes({ @JsonSubTypes.Type(CustomPrincipal.class) })
            Object principal) {
    }

    record CustomPrincipal(String login) {
    }
}

Generates the following error

Configured `PolymorphicTypeValidator` (of type `tools.jackson.databind.jsontype.DefaultBaseTypeLimitingValidator`) denies resolution of all subtypes of base type `java.lang.Object` as using too generic base type can open a security hole without checks on subtype: please configure a custom `PolymorphicTypeValidator` for this use case

Expected behavior

@JsonSubTypes({ @JsonSubTypes.Type(CustomPrincipal.class)}) is enough to make the Object principal deserialization safe and authorized by default.

Additional context

No response

sdeleuze avatar Sep 24 '25 19:09 sdeleuze

Quick note: correct, PolymorphicTypeValidator does not use @JsonSubTypes information for anything: @JsonSubTypes only helps find type names used with @JsonTypeInfo(use = JsonTypeInfo.Id.NAME) usage (wherein Id.CLASS_NAME does not need such help).

The idea of tying validity (optionally) to indicated subtypes is reasonable, but such a connection does not yet exist.

We can think of ways to make that happen, e.g. with the addition of a new property in @JsonTypeInfo, but it would probably also require additional plumbing to make PolymorphicTypeValidator able to access registered subtypes (that interaction may be the challenging part).

cowtowncoder avatar Sep 24 '25 20:09 cowtowncoder
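Added example, not code from the issue or from the jackson-databind project: since the validator does not consult @JsonSubTypes (the point made above), the mitigation available today for the reporter's use case is an explicit allow-list PolymorphicTypeValidator that admits only the expected principal classes under the Object base type. Assumed: the Jackson 3 `tools.jackson.databind` package layout and the `BasicPolymorphicTypeValidator` / `JsonMapper.builder().polymorphicTypeValidator(...)` API carried over from Jackson 2; the rejected payload below is constructed for the demonstration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import tools.jackson.databind.DatabindException;
import tools.jackson.databind.json.JsonMapper;
import tools.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import tools.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PrincipalAllowListExample {

    // Same shape as the reproducer's User, without the class-level @JsonTypeInfo.
    record User(
            @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, include = JsonTypeInfo.As.PROPERTY)
            @JsonSubTypes({ @JsonSubTypes.Type(CustomPrincipal.class) })
            Object principal) {
    }

    record CustomPrincipal(String login) {
    }

    // Allow-list the concrete subtype(s) expected under Object; everything else is denied.
    // (Assumed API: BasicPolymorphicTypeValidator.builder().allowIfSubType(Class) and
    // MapperBuilder.polymorphicTypeValidator(...) as in Jackson 2.)
    static JsonMapper mapperWithAllowList() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(CustomPrincipal.class)
                .build();
        return JsonMapper.builder()
                .polymorphicTypeValidator(ptv)
                .build();
    }

    public static void main(String[] args) {
        JsonMapper mapper = mapperWithAllowList();

        // Round trip of the allow-listed subtype succeeds.
        String json = mapper.writeValueAsString(new User(new CustomPrincipal("bob")));
        User user = mapper.readValue(json, User.class);
        System.out.println("accepted: " + (user.principal() instanceof CustomPrincipal));

        // Constructed payload naming a class that is not on the allow-list: the validator
        // rejects the type id before any instance is created. This is the check that
        // @JsonSubTypes alone does not provide.
        String notListed = "{\"principal\":{\"@class\":\"java.util.HashMap\"}}";
        try {
            mapper.readValue(notListed, User.class);
            System.out.println("unexpected: payload accepted");
        } catch (DatabindException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```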