Bug
Resolution: Not a Bug
Blocker
jboss-fuse-6.3

The SwitchYard remote invoker feature stops working with the new Fuse 6.3.0 R13. This patch prevents Jackson from deserializing org.switchyard.serial.graph.Graph["references"] for security reasons.
Reproducer:
- whitelist package on EAP https://access.redhat.com/solutions/3442891
- run quickstart eap-server/quickstarts/switchyard/remote-invoker
jackson.deserialization.whitelist.packages=org.switchyard.serial.graph
Error:
org.codehaus.jackson.map.JsonMappingException: Illegal type (java.util.LinkedHashMap) to deserialize: prevented for security reasons (through reference chain: org.switchyard.serial.graph.Graph["references"])
    at org.codehaus.jackson.map.TypeDeserializer.checkLegalTypes (TypeDeserializer.java:177)
    at org.codehaus.jackson.map.jsontype.impl.TypeDeserializerBase._findDeserializer (TypeDeserializerBase.java:122)
    at org.codehaus.jackson.map.jsontype.impl.AsArrayTypeDeserializer._deserialize (AsArrayTypeDeserializer.java:87)
    at org.codehaus.jackson.map.jsontype.impl.AsArrayTypeDeserializer.deserializeTypedFromObject (AsArrayTypeDeserializer.java:55)
    at org.codehaus.jackson.map.deser.std.MapDeserializer.deserializeWithType (MapDeserializer.java:273)
    at org.codehaus.jackson.map.deser.SettableBeanProperty.deserialize (SettableBeanProperty.java:297)
    at org.codehaus.jackson.map.deser.SettableBeanProperty$MethodProperty.deserializeAndSet (SettableBeanProperty.java:414)
    at org.codehaus.jackson.map.deser.BeanDeserializer.deserializeFromObject (BeanDeserializer.java:697)
    at org.codehaus.jackson.map.deser.BeanDeserializer.deserialize (BeanDeserializer.java:580)
    at org.codehaus.jackson.map.ObjectMapper._readMapAndClose (ObjectMapper.java:2732)
    at org.codehaus.jackson.map.ObjectMapper.readValue (ObjectMapper.java:1909)
    at org.switchyard.serial.jackson.format.JSONJacksonSerializer.deserialize (JSONJacksonSerializer.java:80)
    at org.switchyard.serial.graph.GraphSerializer.deserialize (GraphSerializer.java:60)
    at org.switchyard.remote.http.HttpInvoker.invoke (HttpInvoker.java:124)
    at org.switchyard.quickstarts.remoteinvoker.RemoteClient.main (RemoteClient.java:59)
    at sun.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:498)
    at org.codehaus.mojo.exec.ExecJavaMojo$1.run (ExecJavaMojo.java:282)
    at java.lang.Thread.run (Thread.java:748)
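
A triage helper for the error above, added here as an example (it is not code from this ticket, SwitchYard or Jackson): it extracts the rejected type and the reference chain from the exception message and compares the type's package with the value of jackson.deserialization.whitelist.packages. The function names are hypothetical, and both the comma-separated property format and the package-prefix matching are assumptions about how the patched Jackson applies the whitelist.

```python
import re

# Message layout taken from the JsonMappingException quoted in this report.
_MSG = re.compile(
    r"Illegal type \((?P<type>[\w.$]+)\) to deserialize: "
    r"prevented for security reasons"
    r"(?: \(through reference chain: (?P<chain>.+?\])\))?"
)
# One step of a Jackson reference chain, e.g. Graph["references"].
_STEP = re.compile(r'([\w.$]+)\["([^"]*)"\]')

# First line of the trace from this report, embedded so the script runs offline.
SAMPLE_LOG = (
    "org.codehaus.jackson.map.JsonMappingException: Illegal type "
    "(java.util.LinkedHashMap) to deserialize: prevented for security reasons "
    '(through reference chain: org.switchyard.serial.graph.Graph["references"]) '
    "at org.codehaus.jackson.map.TypeDeserializer.checkLegalTypes "
    "(TypeDeserializer.java:177)"
)


def parse_whitelist(value):
    """Split the property value into package names (ASSUMPTION: comma-separated)."""
    return [p.strip() for p in value.split(",") if p.strip()]


def is_covered(type_name, packages):
    """ASSUMPTION: a type passes when it lives in or below a listed package."""
    return any(type_name.startswith(p + ".") for p in packages)


def triage(log_text, whitelist_value):
    """Return one finding per 'prevented for security reasons' message."""
    packages = parse_whitelist(whitelist_value)
    findings = []
    for m in _MSG.finditer(log_text):
        rejected = m.group("type")
        findings.append({
            "rejected_type": rejected,
            "package": rejected.rpartition(".")[0],
            "chain": _STEP.findall(m.group("chain") or ""),
            "covered_by_whitelist": is_covered(rejected, packages),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, "org.switchyard.serial.graph"):
        print(f)
```
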