Skip to content

Whitelist for Jackson security is too strict and doesn't work well with Redis sessions in spring-session #4889

New issue
New issue
Closed
Closed
Whitelist for Jackson security is too strict and doesn't work well with Redis sessions in spring-session#4889
Assignees
rwinch
Labels
in: coreAn issue in spring-security-coretype: enhancementA general enhancement
Milestone
5.0.1
@chrisburrell

Description

@chrisburrell
chrisburrell
opened on Dec 1, 2017

Summary

When enabling the GenericJackson2JsonRedisSerializer, serialisation of the session fails due to the restrictive whitelisting, as related to #4370

This is because org.springframework.session.data.redis.RedisOperationsSessionRepository uses a HashMap to represent the "delta" field in RedisSession org.springframework.session.data.redis.RedisOperationsSessionRepository.RedisSession

Would it be possible to open-up HashMaps for deserialisation purposes. Seen as we already allow TreeMap, I can't see a HashMap would make much different security wise.

Metadata

Metadata

Assignees

Labels

in: coreAn issue in spring-security-coretype: enhancementA general enhancement

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions