public class DefaultBaseTypeLimitingValidator extends PolymorphicTypeValidator implements Serializable
PolymorphicTypeValidator
that will only allow polymorphic handling if
the base type is NOT one of potential dangerous base types (see isUnsafeBaseType(com.fasterxml.jackson.databind.cfg.MapperConfig<?>, com.fasterxml.jackson.databind.JavaType)
for specific list of such base types). No further validation is performed on subtype.
Note that when using potentially unsafe base type like Object
a custom
implementation (or subtype with override) is needed. Most commonly subclasses would
override both isUnsafeBaseType(com.fasterxml.jackson.databind.cfg.MapperConfig<?>, com.fasterxml.jackson.databind.JavaType)
and isSafeSubType(com.fasterxml.jackson.databind.cfg.MapperConfig<?>, com.fasterxml.jackson.databind.JavaType, com.fasterxml.jackson.databind.JavaType)
: former to allow
all (or just more) base types, and latter to add actual validation of subtype.
PolymorphicTypeValidator.Base, PolymorphicTypeValidator.Validity
Constructor and Description |
---|
DefaultBaseTypeLimitingValidator() |
Modifier and Type | Method and Description |
---|---|
protected boolean |
isSafeSubType(MapperConfig<?> config,
JavaType baseType,
JavaType subType)
Helper called to determine whether given actual subtype is considered safe
to process: this will only be called if subtype was considered acceptable
earlier.
|
protected boolean |
isUnsafeBaseType(MapperConfig<?> config,
JavaType baseType)
Helper method called to determine if the given base type is known to be
problematic regarding possible "gadget types".
|
PolymorphicTypeValidator.Validity |
validateBaseType(MapperConfig<?> config,
JavaType baseType)
Method called when a property with polymorphic value is encountered, and a
TypeResolverBuilder is needed. |
PolymorphicTypeValidator.Validity |
validateSubClassName(MapperConfig<?> config,
JavaType baseType,
String subClassName)
|
PolymorphicTypeValidator.Validity |
validateSubType(MapperConfig<?> config,
JavaType baseType,
JavaType subType)
Method called after class name has been resolved to actual type, in cases where previous
call to
PolymorphicTypeValidator.validateSubClassName(com.fasterxml.jackson.databind.cfg.MapperConfig<?>, com.fasterxml.jackson.databind.JavaType, java.lang.String) returned PolymorphicTypeValidator.Validity.INDETERMINATE . |
public PolymorphicTypeValidator.Validity validateBaseType(MapperConfig<?> config, JavaType baseType)
PolymorphicTypeValidator
TypeResolverBuilder
is needed. Intent is to allow early determination
of cases where subtyping is completely denied (for example for security reasons),
or, conversely, allowed for allow subtypes (when base type guarantees that all subtypes
are known to be safe). Check can be thought of as both optimization (for latter case)
and eager-fail (for former case) to give better feedback.validateBaseType
in class PolymorphicTypeValidator
config
- Configuration for resolution: typically will be DeserializationConfig
baseType
- Nominal base type used for polymorphic handling: subtypes MUST be instances
of this type and assignment compatibility is verified by Jackson corePolymorphicTypeValidator.Validity.ALLOWED
returned, all subtypes will automatically be accepted without
further checks; is PolymorphicTypeValidator.Validity.DENIED
returned no subtyping allowed at all
(caller will usually throw an exception); otherwise (return PolymorphicTypeValidator.Validity.INDETERMINATE
)
per sub-type validation calls are made for each new subclass encountered.public PolymorphicTypeValidator.Validity validateSubClassName(MapperConfig<?> config, JavaType baseType, String subClassName)
PolymorphicTypeValidator
Class
or JavaType
.
Validator may be able to
determine validity of eventual type (and return PolymorphicTypeValidator.Validity.ALLOWED
or
PolymorphicTypeValidator.Validity.DENIED
) or, if not able to, can defer validation to actual
resolved type by returning PolymorphicTypeValidator.Validity.INDETERMINATE
.
Validator may also choose to indicate denial by throwing a JsonMappingException
(such as InvalidTypeIdException
)
validateSubClassName
in class PolymorphicTypeValidator
config
- Configuration for resolution: typically will be DeserializationConfig
baseType
- Nominal base type used for polymorphic handling: subtypes MUST be instances
of this type and assignment compatibility is verified by Jackson coresubClassName
- Name of class that will be resolved to Class
if
(and only if) validity check is not denied.null
public PolymorphicTypeValidator.Validity validateSubType(MapperConfig<?> config, JavaType baseType, JavaType subType)
PolymorphicTypeValidator
PolymorphicTypeValidator.validateSubClassName(com.fasterxml.jackson.databind.cfg.MapperConfig<?>, com.fasterxml.jackson.databind.JavaType, java.lang.String)
returned PolymorphicTypeValidator.Validity.INDETERMINATE
.
Validator should be able to determine validity and return appropriate PolymorphicTypeValidator.Validity
value, although it may also
Validator may also choose to indicate denial by throwing a JsonMappingException
(such as InvalidTypeIdException
)
validateSubType
in class PolymorphicTypeValidator
config
- Configuration for resolution: typically will be DeserializationConfig
baseType
- Nominal base type used for polymorphic handling: subtypes MUST be instances
of this type and assignment compatibility has been verified by Jackson coresubType
- Resolved subtype to validatenull
protected boolean isUnsafeBaseType(MapperConfig<?> config, JavaType baseType)
config
- Current mapper configurationbaseType
- Base type to testprotected boolean isSafeSubType(MapperConfig<?> config, JavaType baseType, JavaType subType)
config
- Current mapper configurationbaseType
- Base type of sub type (validated earlier)subType
- Sub type to testCopyright © 2021 JBoss by Red Hat. All rights reserved.