dubbo icon indicating copy to clipboard operation
dubbo copied to clipboard
verified publisher icon apache

[Bug] org.springframework.security.oauth2.core.OAuth2AccessToken is not in the allowlist

Open JogJo opened this issue 3 weeks ago • 1 comments

Pre-check

  • [x] I am sure that all the content I provide is in English.

Search before asking

  • [x] I had searched in the issues and found no similar issues.

Apache Dubbo Component

Java SDK (apache/dubbo)

Dubbo Version

dubbo version: 3.3.6 OpenJDK21

Steps to reproduce this issue

my security conf is: serialize.allowlist org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication org.springframework.security.oauth2.core.OAuth2AccessToken

But it doesn't seem to have taken effect yet

WARN INFO:

2025-12-03 09:40:11.695 WARN 16996 --- [8.1.197:2088114] o.a.d.s.s.jackson.ObjectMapperCodec : [DUBBO] , dubbo version: 3.3.6, current host: 192.168.1.197, error code: 0-23. This may be caused by objectMapper! deserialize error, you can try to customize the ObjectMapperCodecCustomer., go to https://dubbo.apache.org/faq/0/23 to find instructions.

com.fasterxml.jackson.databind.JsonMappingException: The class with org.springframework.security.oauth2.core.OAuth2AccessToken and name of org.springframework.security.oauth2.core.OAuth2AccessToken is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details (through reference chain: org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication["credentials"]) at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:401) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.JsonMappingException.wrapWithPath(JsonMappingException.java:360) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.wrapAndThrow(BeanDeserializerBase.java:1964) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeWithErrorWrapping(BeanDeserializer.java:587) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:447) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1497) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:348) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeOther(BeanDeserializer.java:220) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:187) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:170) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:136) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.deser.AbstractDeserializer.deserializeWithType(AbstractDeserializer.java:263) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:74) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4931) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3929) ~[jackson-databind-2.18.3.jar:2.18.3] at org.apache.dubbo.spring.security.jackson.ObjectMapperCodec.deserialize(ObjectMapperCodec.java:51) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.spring.security.jackson.ObjectMapperCodec.deserialize(ObjectMapperCodec.java:68) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationResolverFilter.getSecurityContext(ContextHolderAuthenticationResolverFilter.java:74) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationResolverFilter.invoke(ContextHolderAuthenticationResolverFilter.java:61) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.filter.GenericFilter.invoke(GenericFilter.java:223) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.protocol.tri.h12.HttpContextFilter.invoke(HttpContextFilter.java:38) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.filter.ClassLoaderFilter.invoke(ClassLoaderFilter.java:54) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.filter.EchoFilter.invoke(EchoFilter.java:41) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.metrics.filter.MetricsFilter.invoke(MetricsFilter.java:86) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.metrics.filter.MetricsProviderFilter.invoke(MetricsProviderFilter.java:37) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.tracing.filter.ObservationReceiverFilter.invoke(ObservationReceiverFilter.java:59) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.filter.ProfilerServerFilter.invoke(ProfilerServerFilter.java:66) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.filter.ContextFilter.invoke(ContextFilter.java:191) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CallbackRegistrationInvoker.invoke(FilterChainBuilder.java:197) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.rpc.protocol.dubbo.DubboProtocol$1.reply(DubboProtocol.java:167) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.handleRequest(HeaderExchangeHandler.java:110) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.received(HeaderExchangeHandler.java:205) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.remoting.transport.DecodeHandler.received(DecodeHandler.java:52) ~[dubbo-3.3.6.jar:3.3.6] at org.apache.dubbo.remoting.transport.dispatcher.ChannelEventRunnable.run(ChannelEventRunnable.java:64) ~[dubbo-3.3.6.jar:3.3.6] at java.base/java.util.concurrent.ThreadPerTaskExecutor$TaskRunner.run(ThreadPerTaskExecutor.java:314) ~[na:na] at java.base/java.lang.VirtualThread.run(VirtualThread.java:311) ~[na:na] Caused by: java.lang.IllegalArgumentException: The class with org.springframework.security.oauth2.core.OAuth2AccessToken and name of org.springframework.security.oauth2.core.OAuth2AccessToken is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details at org.springframework.security.jackson2.SecurityJackson2Modules$AllowlistTypeIdResolver.typeFromId(SecurityJackson2Modules.java:293) ~[spring-security-core-6.4.5.jar:6.4.5] at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:159) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:151) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:136) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeWithType(BeanDeserializerBase.java:1382) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:540) ~[jackson-databind-2.18.3.jar:2.18.3] at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeWithErrorWrapping(BeanDeserializer.java:585) ~[jackson-databind-2.18.3.jar:2.18.3] ... 42 common frames omitted

What you expected to happen

I want to know how to solve it

Anything else

No response

Are you willing to submit a pull request to fix on your own?

  • [x] Yes I am willing to submit a pull request on my own!

Code of Conduct

JogJo avatar Dec 03 '25 01:12 JogJo

dubbo-spring6-security should be added to the pom.xml if the project uses OAuth2AccessToken since it's only be supported with spring6 / spring-boot 3.

zrlw avatar Dec 05 '25 07:12 zrlw