Menu
I am trying to update my version of Jackson being used after the 6.4.20 JBoss patch. I'm using org.codehause.jackson, and JBoss 6.4.x does not provide implicit dependencies for the newer com.fasterxml.jackson as far as I'm aware.
Is it appropriate to assume that jackson-mapper-asl-1.9.9.redhat-6 is the valid package to use for this patch? When scrolling to the noarch section of the 6.4.20 announcement, I see codehaus-jackson-mapper-asl-1.9.9-12.redhat_6 mentioned. Does that mean this is the version recommended? I can see that it was released 05/14/18 and the announcement was made 05/15/18.
Currently I am experiencing the following error as codehause-jackson-mapper-asl is associated with fasterxml-jackson-databind, leading me to believe I'm using the incorrect version.
16:01:22,620 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (http-127.0.0.1:8080-1) RESTEASY000100: Failed executing POST /find: org.jboss.resteasy.spi.ReaderException:
org.codehaus.jackson.map.JsonMappingException: Illegal type [...] to deserialize: prevented for security reasons
[...]
Caused by: org.codehaus.jackson.map.JsonMappingException: Illegal type [...] to deserialize: prevented for security reasons at org.codehaus.jackson.map.deser.BeanDeserializerFactory.checkLegalTypes(BeanDeserializerFactory.java:1521) [jackson-mapper-asl-1.9.9.redhat-6.jar:1.9.9.redhat-6] `
793
JBoss EAP also periodically provides individual or cumulative patches that contain bug and security fixes. Cumulative patches increment the minor release version by the last digit, for example from 7. 0. 1 to 7. 0. 2. These patches do not require migration and should not impact the server configuration files.
Find Red Hat JBoss Enterprise Application Platform 7.0 Update Incremental Maven Repository in the list, where is the cumulative patch number you want to update to, and then click Download.
If you are subscribed to the 'current' repository, this may mean that your installation will also be upgraded to the next available minor release. For more details, see the information on choosing a JBoss EAP repository in the Installation Guide.
You are taken to the Software Downloads page. Select Application Platform in the drop-down box or in the menu on the left. You are presented with a list of file downloads. Select 5.1.0 or 5.1.1 from the Version drop-down box, depending on the platform version you want to install. For 5.1.1, download the JBoss Remoting 2.5.3SP1 security advisory:
I recently upgraded from JBoss EAP 6.3.0 to 6.4.20 and had the same exception.
Following the stackstrace of the exception I discovered that it becomes necessary to set the system property jackson.deserialization.whitelist.packages with the full class name of the classes you want to deserialize.
If you want you can put only the suffix of the package. For multiple values, separate by comma. You can see this in the jackson-mapper-asl-1.9.9.redhat-6.jar class org.codehaus.jackson.map.deser.BeanDeserializerFactory of line 38 to 45.
For JBoss environments you can define the system property in your standalone*.xml or domain.xml, as follows:
<system-properties>
<property name="jackson.deserialization.whitelist.packages" value="br.com.myapp" />
</system-properties>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
