What versions of Jackson are allowed in JBoss 6.4.20 patch?

Question

I am trying to update my version of Jackson being used after the 6.4.20 JBoss patch. I\'m using org.codehause.jackson, and JBoss 6.4.x does not provide implicit dep

Answer 1

I recently upgraded from JBoss EAP 6.3.0 to 6.4.20 and had the same exception.

Following the stackstrace of the exception I discovered that it becomes necessary to set the system property jackson.deserialization.whitelist.packages with the full class name of the classes you want to deserialize.

If you want you can put only the suffix of the package. For multiple values, separate by comma. You can see this in the jackson-mapper-asl-1.9.9.redhat-6.jar class org.codehaus.jackson.map.deser.BeanDeserializerFactory of line 38 to 45.

For JBoss environments you can define the system property in your standalone*.xml or domain.xml, as follows:

<system-properties>
    <property name="jackson.deserialization.whitelist.packages" value="br.com.myapp" />
</system-properties>

Answer 2

Building on @MhagnumDw's answer, I also encountered the same error with JBoss 6.4.20 patch and used this solution. Here is the source code relevant source code from https://maven.repository.redhat.com/techpreview/all/org/codehaus/jackson/jackson-mapper-asl/1.9.9.redhat-6/jackson-mapper-asl-1.9.9.redhat-6-sources.jar in org.codehaus.jackson.map.deser.BeanDeserializerFactory;

/**
     * @since 1.9.9.redhat-5
     */
protected void checkLegalTypes(DeserializationConfig config, JavaType type,
        BeanDescription beanDesc)
    throws JsonMappingException
{
    // There are certain nasty classes that could cause problems, mostly
    // via default typing -- catch them here.
    String full = type.getRawClass().getName();

    Iterator<String> iter = _cfgLegalPackageNames.iterator();

    boolean pass = false;

    while(iter.hasNext()) {
        if(full.startsWith(iter.next())) {
            pass = true;
            break;
        }
    }

    if(!pass) {
        throw new JsonMappingException(
                                  String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
    }
}

You can see that full.startsWith(iter.next()) means you can put in higher level package names to whitelist. For example,

<system-properties>
    <property name="jackson.deserialization.whitelist.packages" value="br.com.myapp" />
</system-properties>

would whitelist br.com.myapp.package.aclass and br.com.myapp.package.bclass