jackson-databind icon indicating copy to clipboard operation
jackson-databind copied to clipboard

Published 20 hours ago verified publisher icon FasterXML

Add `MapperFeature`s for disabling Field, Method, Creator introspection for JDK classes (and backing extension point)

Open cowtowncoder opened this issue 5 months ago • 1 comments

(note: addresses #4907 in part)

Since introspection of core JDK types (java., sun., com.sun.) and extended JDK types (javax.) can be problematic for platforms like Graal (or maybe even in future JDKs), it seems useful to be able to block some or all of it.

At the same time, a small number of JDK types (like java.lang.StackTraceElement) require introspection by JDK, we cannot simply block all such introspection (or would need to do extensive allow-listing).

So, let's introduce 6 new MapperFeatures to allow/disallow introspection of:

  1. Fields
  2. Methods (setters, getters)
  3. Creators (constructors, factory methods)

over

  1. Core JDK types
  2. Extended JDK types

and default so that only Field introspection is disabled by default.

This needs to go in 2.20 being API extension.

EDIT: in addition to new features, there should be new extension point that is used for features, but that can be overridden for fully-custom logic -- something like ReflectionAccessManager (etc), with default implementation that operates on features, configurable on ObjectMapper via Builder.

cowtowncoder avatar May 09 '25 03:05 cowtowncoder