Class DefaultBaseTypeLimitingValidator
- All Implemented Interfaces:
Serializable
PolymorphicTypeValidator that will only allow polymorphic handling if
the base type is NOT one of the potentially dangerous base types (see isUnsafeBaseType(tools.jackson.databind.DatabindContext, tools.jackson.databind.JavaType)
for the specific list of such base types).
This implementation is the default one used for annotation-based polymorphic deserialization.
Default Typing requires explicit registration of a validator; while this implementation may
be used, users are recommended to either use a custom implementation or sub-class this
implementation and override either validateSubClassName(tools.jackson.databind.DatabindContext, tools.jackson.databind.JavaType, java.lang.String) or
validateSubType(tools.jackson.databind.DatabindContext, tools.jackson.databind.JavaType, tools.jackson.databind.JavaType) to implement use-case specific validation.
Note that when using a potentially unsafe base type like Object, a custom
implementation (or subtype with override) is needed. Most commonly subclasses would
override both isUnsafeBaseType(tools.jackson.databind.DatabindContext, tools.jackson.databind.JavaType) and isSafeSubType(tools.jackson.databind.DatabindContext, tools.jackson.databind.JavaType, tools.jackson.databind.JavaType): the former to allow
all (or just more) base types, and the latter to add actual validation of the subtype.
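One way to write the subclass described above, as an added example that is not Jackson's own code: it accepts Object as a base type and then allow-lists concrete subtypes. The class name AllowListedSubTypeValidator, the com.example package prefixes and the set of JDK value types are assumptions chosen for illustration.

```java
import java.util.Set;

import tools.jackson.databind.DatabindContext;
import tools.jackson.databind.JavaType;
import tools.jackson.databind.jsontype.DefaultBaseTypeLimitingValidator;

/** Added example: accepts Object as base type, then allow-lists concrete subtypes. */
public class AllowListedSubTypeValidator extends DefaultBaseTypeLimitingValidator {
    private static final long serialVersionUID = 1L;

    // Hypothetical application packages; the trailing dot keeps a look-alike
    // package such as "com.example.modelx" from matching.
    private static final Set<String> ALLOWED_PACKAGE_PREFIXES =
            Set.of("com.example.model.", "com.example.events.");

    // Assumed set of JDK value types needed under an Object-typed property.
    private static final Set<Class<?>> ALLOWED_JDK_TYPES = Set.of(
            String.class, Boolean.class, Integer.class, Long.class, Double.class,
            java.math.BigDecimal.class, java.util.UUID.class);

    @Override
    protected boolean isUnsafeBaseType(DatabindContext ctxt, JavaType baseType) {
        // Widen the default for Object only; every other base type keeps the
        // parent's verdict, so the remaining unsafe base types stay denied.
        if (baseType.getRawClass() == Object.class) {
            return false;
        }
        return super.isUnsafeBaseType(ctxt, baseType);
    }

    @Override
    protected boolean isSafeSubType(DatabindContext ctxt, JavaType baseType, JavaType subType) {
        Class<?> raw = subType.getRawClass();
        // Judge arrays by their element class.
        while (raw.isArray()) {
            raw = raw.getComponentType();
        }
        if (raw.isPrimitive() || ALLOWED_JDK_TYPES.contains(raw)) {
            return true;
        }
        String name = raw.getName();
        for (String prefix : ALLOWED_PACKAGE_PREFIXES) {
            if (name.startsWith(prefix)) {
                return true;
            }
        }
        return false; // deny by default: anything not listed is rejected
    }
}
```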
-
Nested Class Summary
Nested classes/interfaces inherited from class tools.jackson.databind.jsontype.PolymorphicTypeValidator
PolymorphicTypeValidator.Base, PolymorphicTypeValidator.Validity -
Constructor Summary
Constructors -
Method Summary
Modifier and Type / Method / Description
protected boolean isSafeSubType(DatabindContext ctxt, JavaType baseType, JavaType subType)
    Helper called to determine whether given actual subtype is considered safe to process: this will only be called if subtype was considered acceptable earlier.
protected boolean isUnsafeBaseType(DatabindContext ctxt, JavaType baseType)
    Helper method called to determine if the given base type is known to be problematic regarding possible "gadget types".
validateBaseType(DatabindContext ctxt, JavaType baseType)
    Method called when a property with polymorphic value is encountered, and a TypeResolverBuilder is needed.
validateSubClassName(DatabindContext ctxt, JavaType baseType, String subClassName)
validateSubType(DatabindContext ctxt, JavaType baseType, JavaType subType)
    Method called after class name has been resolved to actual type, in cases where previous call to PolymorphicTypeValidator.validateSubClassName(tools.jackson.databind.DatabindContext, tools.jackson.databind.JavaType, java.lang.String) returned PolymorphicTypeValidator.Validity.INDETERMINATE.
-
Constructor Details
-
DefaultBaseTypeLimitingValidator
public DefaultBaseTypeLimitingValidator()
-
-
Method Details
-
validateBaseType
Description copied from class: PolymorphicTypeValidator
Method called when a property with polymorphic value is encountered, and a TypeResolverBuilder is needed. Intent is to allow early determination of cases where subtyping is completely denied (for example for security reasons), or, conversely, allowed for all subtypes (when base type guarantees that all subtypes are known to be safe). Check can be thought of as both optimization (for latter case) and eager-fail (for former case) to give better feedback.
- Specified by:
validateBaseType in class PolymorphicTypeValidator
- Parameters:
ctxt - Context for resolution: typically will be DeserializationContext
baseType - Nominal base type used for polymorphic handling: subtypes MUST be instances of this type and assignment compatibility is verified by Jackson core
- Returns:
- Determination of general validity of all subtypes of given base type; if PolymorphicTypeValidator.Validity.ALLOWED is returned, all subtypes will automatically be accepted without further checks; if PolymorphicTypeValidator.Validity.DENIED is returned, no subtyping is allowed at all (caller will usually throw an exception); otherwise (return PolymorphicTypeValidator.Validity.INDETERMINATE) per sub-type validation calls are made for each new subclass encountered.
-
validateSubClassName
public PolymorphicTypeValidator.Validity validateSubClassName(DatabindContext ctxt, JavaType baseType, String subClassName)
Description copied from class: PolymorphicTypeValidator
Method called after intended class name for subtype has been read (and in case of minimal class name, expanded to fully-qualified class name) but before attempt is made to look up actual Class or JavaType. Validator may be able to determine validity of eventual type (and return PolymorphicTypeValidator.Validity.ALLOWED or PolymorphicTypeValidator.Validity.DENIED) or, if not able to, can defer validation to actual resolved type by returning PolymorphicTypeValidator.Validity.INDETERMINATE.
Validator may also choose to indicate denial by throwing a DatabindException (such as InvalidTypeIdException)
- Specified by:
validateSubClassName in class PolymorphicTypeValidator
- Parameters:
ctxt - Context for resolution: typically will be DeserializationContext
baseType - Nominal base type used for polymorphic handling: subtypes MUST be instances of this type and assignment compatibility is verified by Jackson core
subClassName - Name of class that will be resolved to Class if (and only if) validity check is not denied.
- Returns:
- Determination of validity of given class name, as a subtype of given base type: should NOT return null
-
validateSubType
public PolymorphicTypeValidator.Validity validateSubType(DatabindContext ctxt, JavaType baseType, JavaType subType)
Description copied from class: PolymorphicTypeValidator
Method called after class name has been resolved to actual type, in cases where previous call to PolymorphicTypeValidator.validateSubClassName(tools.jackson.databind.DatabindContext, tools.jackson.databind.JavaType, java.lang.String) returned PolymorphicTypeValidator.Validity.INDETERMINATE. Validator should be able to determine validity and return appropriate PolymorphicTypeValidator.Validity value, although it may also
Validator may also choose to indicate denial by throwing a DatabindException (such as InvalidTypeIdException)
- Specified by:
validateSubType in class PolymorphicTypeValidator
- Parameters:
ctxt - Context for resolution: typically will be DeserializationContext
baseType - Nominal base type used for polymorphic handling: subtypes MUST be instances of this type and assignment compatibility has been verified by Jackson core
subType - Resolved subtype to validate
- Returns:
- Determination of validity of given class name, as a subtype of given base type: should NOT return null
-
isUnsafeBaseType
Helper method called to determine if the given base type is known to be problematic regarding possible "gadget types". Currently includes following types: which are JDK-included super types of at least one gadget type (not necessarily included in JDK)
- Parameters:
ctxt - Processing context (to give access to configuration)
baseType - Base type to test
-
isSafeSubType
Helper called to determine whether given actual subtype is considered safe to process: this will only be called if subtype was considered acceptable earlier.
- Parameters:
ctxt - Processing context (to give access to configuration)
baseType - Base type of sub type (validated earlier)
subType - Sub type to test
-