Class PolymorphicTypeValidator
- java.lang.Object
-
- com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator
-
- All Implemented Interfaces:
java.io.Serializable
- Direct Known Subclasses:
PolymorphicTypeValidator.Base
public abstract class PolymorphicTypeValidator extends java.lang.Object implements java.io.SerializableInterface for classes that handle validation of class-name - based subtypes used with Polymorphic Deserialization: both via "default typing" and explicit@JsonTypeInfowhen using Java Class name as Type Identifier. The main purpose, initially, is to allow pluggable allow lists to avoid security problems that occur with unlimited class names (See this article for full explanation).Calls to methods are done as follows:
- When a deserializer is needed for a polymorphic property (including root values) -- either
for explicitly annotated polymorphic type, or "default typing" --
validateBaseType(com.fasterxml.jackson.databind.cfg.MapperConfig<?>, com.fasterxml.jackson.databind.JavaType)is called to see if validity can be determined for all possible types: ifPolymorphicTypeValidator.Validity.ALLOWEDis returned no futher checks are made for any subtypes; ofPolymorphicTypeValidator.Validity.DENIEDis returned, an exception will be thrown to indicate invalid polymorphic property - If neither deny nor allowed was returned for property with specific base type, first time
specific Type Id (Class Name) is encountered, method
validateSubClassName(com.fasterxml.jackson.databind.cfg.MapperConfig<?>, com.fasterxml.jackson.databind.JavaType, java.lang.String)is called with resolved class name: it may indicate allowed/denied, resulting in either allowed use or denial with exception - If no denial/allowance indicated, class name is resolved to actual
Class, andvalidateSubType(MapperConfig, JavaType, JavaType)is called: ifPolymorphicTypeValidator.Validity.ALLOWEDis returned, usage is accepted; otherwise (denied or indeterminate) usage is not allowed and exception is thrown
Notes on implementations: implementations must be thread-safe and shareable (usually meaning they are stateless). Determinations for validity are usually effectively cached on per-property basis (by virtue of subtype deserializers being cached by polymorphic deserializers) so caching at validator level is usually not needed. If caching is used, however, it must be done in thread-safe manner as validators are shared within
ObjectMapperas well as possible across mappers (in case of default/standard validator).Also note that it is strongly recommended that all implementations are based on provided abstract base class,
PolymorphicTypeValidator.Basewhich contains helper methods and default implementations for returningPolymorphicTypeValidator.Validity.INDETERMINATEfor validation methods (to allow only overriding relevant methods implementation cares about)- Since:
- 2.10
- See Also:
- Serialized Form
-
-
Nested Class Summary
Nested Classes Modifier and Type Class Description static classPolymorphicTypeValidator.BaseShared base class with partial implementation (with all validation calls returningPolymorphicTypeValidator.Validity.INDETERMINATE) and convenience methods for indicating failure reasons.static classPolymorphicTypeValidator.ValidityDefinition of return values to indicate determination regarding validity.
-
Constructor Summary
Constructors Constructor Description PolymorphicTypeValidator()
-
Method Summary
All Methods Instance Methods Abstract Methods Modifier and Type Method Description abstract PolymorphicTypeValidator.ValidityvalidateBaseType(MapperConfig<?> config, JavaType baseType)Method called when a property with polymorphic value is encountered, and aTypeResolverBuilderis needed.abstract PolymorphicTypeValidator.ValidityvalidateSubClassName(MapperConfig<?> config, JavaType baseType, java.lang.String subClassName)Method called after intended class name for subtype has been read (and in case of minimal class name, expanded to fully-qualified class name) but before attempt is made to look up actualClassorJavaType.abstract PolymorphicTypeValidator.ValidityvalidateSubType(MapperConfig<?> config, JavaType baseType, JavaType subType)Method called after class name has been resolved to actual type, in cases where previous call tovalidateSubClassName(com.fasterxml.jackson.databind.cfg.MapperConfig<?>, com.fasterxml.jackson.databind.JavaType, java.lang.String)returnedPolymorphicTypeValidator.Validity.INDETERMINATE.
-
-
-
Method Detail
-
validateBaseType
public abstract PolymorphicTypeValidator.Validity validateBaseType(MapperConfig<?> config, JavaType baseType)
Method called when a property with polymorphic value is encountered, and aTypeResolverBuilderis needed. Intent is to allow early determination of cases where subtyping is completely denied (for example for security reasons), or, conversely, allowed for allow subtypes (when base type guarantees that all subtypes are known to be safe). Check can be thought of as both optimization (for latter case) and eager-fail (for former case) to give better feedback.- Parameters:
config- Configuration for resolution: typically will beDeserializationConfigbaseType- Nominal base type used for polymorphic handling: subtypes MUST be instances of this type and assignment compatibility is verified by Jackson core- Returns:
- Determination of general validity of all subtypes of given base type; if
PolymorphicTypeValidator.Validity.ALLOWEDreturned, all subtypes will automatically be accepted without further checks; isPolymorphicTypeValidator.Validity.DENIEDreturned no subtyping allowed at all (caller will usually throw an exception); otherwise (returnPolymorphicTypeValidator.Validity.INDETERMINATE) per sub-type validation calls are made for each new subclass encountered.
-
validateSubClassName
public abstract PolymorphicTypeValidator.Validity validateSubClassName(MapperConfig<?> config, JavaType baseType, java.lang.String subClassName) throws JsonMappingException
Method called after intended class name for subtype has been read (and in case of minimal class name, expanded to fully-qualified class name) but before attempt is made to look up actualClassorJavaType. Validator may be able to determine validity of eventual type (and returnPolymorphicTypeValidator.Validity.ALLOWEDorPolymorphicTypeValidator.Validity.DENIED) or, if not able to, can defer validation to actual resolved type by returningPolymorphicTypeValidator.Validity.INDETERMINATE.Validator may also choose to indicate denial by throwing a
JsonMappingException(such asInvalidTypeIdException)- Parameters:
config- Configuration for resolution: typically will beDeserializationConfigbaseType- Nominal base type used for polymorphic handling: subtypes MUST be instances of this type and assignment compatibility is verified by Jackson coresubClassName- Name of class that will be resolved toClassif (and only if) validity check is not denied.- Returns:
- Determination of validity of given class name, as a subtype of given base type:
should NOT return
null - Throws:
JsonMappingException
-
validateSubType
public abstract PolymorphicTypeValidator.Validity validateSubType(MapperConfig<?> config, JavaType baseType, JavaType subType) throws JsonMappingException
Method called after class name has been resolved to actual type, in cases where previous call tovalidateSubClassName(com.fasterxml.jackson.databind.cfg.MapperConfig<?>, com.fasterxml.jackson.databind.JavaType, java.lang.String)returnedPolymorphicTypeValidator.Validity.INDETERMINATE. Validator should be able to determine validity and return appropriatePolymorphicTypeValidator.Validityvalue, although it may alsoValidator may also choose to indicate denial by throwing a
JsonMappingException(such asInvalidTypeIdException)- Parameters:
config- Configuration for resolution: typically will beDeserializationConfigbaseType- Nominal base type used for polymorphic handling: subtypes MUST be instances of this type and assignment compatibility has been verified by Jackson coresubType- Resolved subtype to validate- Returns:
- Determination of validity of given class name, as a subtype of given base type:
should NOT return
null - Throws:
JsonMappingException
-
-