Spring Boot RabbitMQ attempt to deserialize unauthorized class exception

Question

I use RabbitMQ in a Spring Boot project:

sender

@Component
@AllArgsConstructor
public class UserSender {

    private final RabbitTemplate rabbitTemplate;

    public String send() {
        User user = new User(1L, "Tom", "123");
        rabbitTemplate.convertAndSend("userQueue", user);
        return "user sender sent: " + user;
    }
}

Receiver

@Component
public class UserReceiver {

    @RabbitListener(queues = "userQueue")
    @RabbitHandler
    private void process(User user) {
        System.out.println("received user: " + user);
    }
}

When startup there is an exception:

Caused by: java.lang.SecurityException: Attempt to deserialize unauthorized class com.example.lab06.entity.User; add allowed class name patterns to the message converter or, if you trust the message orginiator, set environment variable 'SPRING_AMQP_DESERIALIZATION_TRUST_ALL' or system property 'spring.amqp.deserialization.trust.all' to true

I checked the Spring AMPQ Doc

You can set the patterns using the allowedListPatterns property on these converters. Alternatively, if you trust all message originators, you can set the environment variable SPRING_AMQP_DESERIALIZATION_TRUST_ALL or system property spring.amqp.deserialization.trust.all to true.

However, I can not set spring.amqp.deserialization.trust.all in application.properties. I get this error:

Cannot resolve configuration property 'spring.amqp.deserialization.trust.all'

How to fix it?

Answer 1

Using the allowedListPatterns property on the converter:

    @Bean
    public SimpleMessageConverter converter() {
        SimpleMessageConverter converter = new SimpleMessageConverter();
        converter.setAllowedListPatterns(List.of("xyz.test.common.*", "java.util.*"));
        return converter;
    }

Answer 2

thanks @Bertram，here is my solution by using setTrustedPackages:

@Configuration
public class RabbitMQConfig {

    @Bean
    public MessageConverter jsonToMapMessageConverter() {
        DefaultClassMapper defaultClassMapper = new DefaultClassMapper();
        defaultClassMapper.setTrustedPackages("YOUR_PACKAGE_NAME"); // trusted packages
        Jackson2JsonMessageConverter jackson2JsonMessageConverter = new Jackson2JsonMessageConverter();
        jackson2JsonMessageConverter.setClassMapper(defaultClassMapper);
        return jackson2JsonMessageConverter;
    }
    
    // ...
}