Class DefaultBaseTypeLimitingValidator
- All Implemented Interfaces:
Serializable
PolymorphicTypeValidator
that will only allow polymorphic handling if
the base type is NOT one of potential dangerous base types (see isUnsafeBaseType(edu.internet2.middleware.grouperClientExt.com.fasterxml.jackson.databind.cfg.MapperConfig<?>, edu.internet2.middleware.grouperClientExt.com.fasterxml.jackson.databind.JavaType)
for specific list of such base types). No further validation is performed on subtype.
Note that when using potentially unsafe base type like Object
a custom
implementation (or subtype with override) is needed. Most commonly subclasses would
override both isUnsafeBaseType(edu.internet2.middleware.grouperClientExt.com.fasterxml.jackson.databind.cfg.MapperConfig<?>, edu.internet2.middleware.grouperClientExt.com.fasterxml.jackson.databind.JavaType)
and isSafeSubType(edu.internet2.middleware.grouperClientExt.com.fasterxml.jackson.databind.cfg.MapperConfig<?>, edu.internet2.middleware.grouperClientExt.com.fasterxml.jackson.databind.JavaType, edu.internet2.middleware.grouperClientExt.com.fasterxml.jackson.databind.JavaType)
: former to allow
all (or just more) base types, and latter to add actual validation of subtype.
- Since:
- 2.11
- See Also:
-
Nested Class Summary
Nested classes/interfaces inherited from class edu.internet2.middleware.grouperClientExt.com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator
PolymorphicTypeValidator.Base, PolymorphicTypeValidator.Validity
-
Constructor Summary
-
Method Summary
Modifier and TypeMethodDescriptionprotected boolean
isSafeSubType
(MapperConfig<?> config, JavaType baseType, JavaType subType) Helper called to determine whether given actual subtype is considered safe to process: this will only be called if subtype was considered acceptable earlier.protected boolean
isUnsafeBaseType
(MapperConfig<?> config, JavaType baseType) Helper method called to determine if the given base type is known to be problematic regarding possible "gadget types".validateBaseType
(MapperConfig<?> config, JavaType baseType) Method called when a property with polymorphic value is encountered, and aTypeResolverBuilder
is needed.validateSubClassName
(MapperConfig<?> config, JavaType baseType, String subClassName) validateSubType
(MapperConfig<?> config, JavaType baseType, JavaType subType) Method called after class name has been resolved to actual type, in cases where previous call toPolymorphicTypeValidator.validateSubClassName(edu.internet2.middleware.grouperClientExt.com.fasterxml.jackson.databind.cfg.MapperConfig<?>, edu.internet2.middleware.grouperClientExt.com.fasterxml.jackson.databind.JavaType, java.lang.String)
returnedPolymorphicTypeValidator.Validity.INDETERMINATE
.
-
Constructor Details
-
DefaultBaseTypeLimitingValidator
public DefaultBaseTypeLimitingValidator()
-
-
Method Details
-
validateBaseType
public PolymorphicTypeValidator.Validity validateBaseType(MapperConfig<?> config, JavaType baseType) Description copied from class:PolymorphicTypeValidator
Method called when a property with polymorphic value is encountered, and aTypeResolverBuilder
is needed. Intent is to allow early determination of cases where subtyping is completely denied (for example for security reasons), or, conversely, allowed for allow subtypes (when base type guarantees that all subtypes are known to be safe). Check can be thought of as both optimization (for latter case) and eager-fail (for former case) to give better feedback.- Specified by:
validateBaseType
in classPolymorphicTypeValidator
- Parameters:
config
- Configuration for resolution: typically will beDeserializationConfig
baseType
- Nominal base type used for polymorphic handling: subtypes MUST be instances of this type and assignment compatibility is verified by Jackson core- Returns:
- Determination of general validity of all subtypes of given base type; if
PolymorphicTypeValidator.Validity.ALLOWED
returned, all subtypes will automatically be accepted without further checks; isPolymorphicTypeValidator.Validity.DENIED
returned no subtyping allowed at all (caller will usually throw an exception); otherwise (returnPolymorphicTypeValidator.Validity.INDETERMINATE
) per sub-type validation calls are made for each new subclass encountered.
-
validateSubClassName
public PolymorphicTypeValidator.Validity validateSubClassName(MapperConfig<?> config, JavaType baseType, String subClassName) Description copied from class:PolymorphicTypeValidator
Method called after intended class name for subtype has been read (and in case of minimal class name, expanded to fully-qualified class name) but before attempt is made to look up actualClass
orJavaType
. Validator may be able to determine validity of eventual type (and returnPolymorphicTypeValidator.Validity.ALLOWED
orPolymorphicTypeValidator.Validity.DENIED
) or, if not able to, can defer validation to actual resolved type by returningPolymorphicTypeValidator.Validity.INDETERMINATE
.Validator may also choose to indicate denial by throwing a
JsonMappingException
(such asInvalidTypeIdException
)- Specified by:
validateSubClassName
in classPolymorphicTypeValidator
- Parameters:
config
- Configuration for resolution: typically will beDeserializationConfig
baseType
- Nominal base type used for polymorphic handling: subtypes MUST be instances of this type and assignment compatibility is verified by Jackson coresubClassName
- Name of class that will be resolved toClass
if (and only if) validity check is not denied.- Returns:
- Determination of validity of given class name, as a subtype of given base type:
should NOT return
null
-
validateSubType
public PolymorphicTypeValidator.Validity validateSubType(MapperConfig<?> config, JavaType baseType, JavaType subType) Description copied from class:PolymorphicTypeValidator
Method called after class name has been resolved to actual type, in cases where previous call toPolymorphicTypeValidator.validateSubClassName(edu.internet2.middleware.grouperClientExt.com.fasterxml.jackson.databind.cfg.MapperConfig<?>, edu.internet2.middleware.grouperClientExt.com.fasterxml.jackson.databind.JavaType, java.lang.String)
returnedPolymorphicTypeValidator.Validity.INDETERMINATE
. Validator should be able to determine validity and return appropriatePolymorphicTypeValidator.Validity
value, although it may alsoValidator may also choose to indicate denial by throwing a
JsonMappingException
(such asInvalidTypeIdException
)- Specified by:
validateSubType
in classPolymorphicTypeValidator
- Parameters:
config
- Configuration for resolution: typically will beDeserializationConfig
baseType
- Nominal base type used for polymorphic handling: subtypes MUST be instances of this type and assignment compatibility has been verified by Jackson coresubType
- Resolved subtype to validate- Returns:
- Determination of validity of given class name, as a subtype of given base type:
should NOT return
null
-
isUnsafeBaseType
Helper method called to determine if the given base type is known to be problematic regarding possible "gadget types". Currently includes following types: which are JDK-included super types of at least one gadget type (not necessarily included in JDK)- Parameters:
config
- Current mapper configurationbaseType
- Base type to test
-
isSafeSubType
Helper called to determine whether given actual subtype is considered safe to process: this will only be called if subtype was considered acceptable earlier.- Parameters:
config
- Current mapper configurationbaseType
- Base type of sub type (validated earlier)subType
- Sub type to test
-