Pre-check
- [x] I am sure that all the content I provide is in English.
Search before asking
- [x] I had searched in the issues and found no similar issues.
Apache Dubbo Component
Java SDK (apache/dubbo)
Dubbo Version
JDK17 dubbo-spring-boot-starter V3.3.3 spring-security-oauth2-authorization-server V1.3.4
Steps to reproduce this issue
I found that using spring-authorization-server Authentication can't be deserialize.
Not only BearerTokenAuthentication, more like OAuth2ClientAuthenticationToken RegisteredClient ClientAuthenticationMethod alse can't be deserialize
2025-02-11 09:58:44 [DubboServerHandler-172.20.224.1:20881-thread-9] WARN org.apache.dubbo.spring.security.jackson.ObjectMapperCodec
- [DUBBO] , dubbo version: 3.3.3, current host: 172.20.224.1, error code: 0-23. This may be caused by objectMapper! deserialize error, you can try to customize the ObjectMapperCodecCustomer., go to https://dubbo.apache.org/faq/0/23 to find instructions.
java.lang.IllegalArgumentException: The class with org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication and name of org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details
at org.springframework.security.jackson2.SecurityJackson2Modules$AllowlistTypeIdResolver.typeFromId(SecurityJackson2Modules.java:292)
at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:159)
at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:151)
at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:136)
at com.fasterxml.jackson.databind.deser.AbstractDeserializer.deserializeWithType(AbstractDeserializer.java:263)
at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:74)
at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4905)
at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3909)
at org.apache.dubbo.spring.security.jackson.ObjectMapperCodec.deserialize(ObjectMapperCodec.java:50)
at org.apache.dubbo.spring.security.jackson.ObjectMapperCodec.deserialize(ObjectMapperCodec.java:67)
at org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationResolverFilter.getSecurityContext(ContextHolderAuthenticationResolverFilter.java:74)
at org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationResolverFilter.invoke(ContextHolderAuthenticationResolverFilter.java:61)
at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
at org.apache.dubbo.rpc.filter.GenericFilter.invoke(GenericFilter.java:222)
at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
at org.apache.dubbo.rpc.protocol.tri.h12.HttpContextFilter.invoke(HttpContextFilter.java:38)
at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
at org.apache.dubbo.rpc.filter.ClassLoaderFilter.invoke(ClassLoaderFilter.java:54)
at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
at org.apache.dubbo.rpc.filter.EchoFilter.invoke(EchoFilter.java:41)
at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
at org.apache.dubbo.metrics.filter.MetricsFilter.invoke(MetricsFilter.java:86)
at org.apache.dubbo.metrics.filter.MetricsProviderFilter.invoke(MetricsProviderFilter.java:37)
at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
at org.apache.dubbo.tracing.filter.ObservationReceiverFilter.invoke(ObservationReceiverFilter.java:59)
at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
at org.apache.dubbo.rpc.filter.ProfilerServerFilter.invoke(ProfilerServerFilter.java:66)
at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
at org.apache.dubbo.rpc.filter.ContextFilter.invoke(ContextFilter.java:191)
at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349)
at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CallbackRegistrationInvoker.invoke(FilterChainBuilder.java:197)
at org.apache.dubbo.rpc.protocol.dubbo.DubboProtocol$1.reply(DubboProtocol.java:167)
at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.handleRequest(HeaderExchangeHandler.java:110)
at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.received(HeaderExchangeHandler.java:205)
at org.apache.dubbo.remoting.transport.DecodeHandler.received(DecodeHandler.java:52)
at org.apache.dubbo.remoting.transport.dispatcher.ChannelEventRunnable.run(ChannelEventRunnable.java:64)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at org.apache.dubbo.common.threadlocal.InternalRunnable.run(InternalRunnable.java:39)
at java.base/java.lang.Thread.run(Thread.java:833)
What you expected to happen
I search issues#11603, but i wanna know if dubbo can support?
Anything else
No response
Are you willing to submit a pull request to fix on your own?
- [ ] Yes I am willing to submit a pull request on my own!
Code of Conduct
- [x] I agree to follow this project's Code of Conduct
Comment From: AlbumenJ
Would you like to fix it?
Comment From: wzkris
Would you like to fix it? Later I will try it
Comment From: ningbing
I'm using Dubbo3.3.0 + Spring Security,也是提示一样的错误: java.lang.IllegalArgumentException: The class with org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken and name of org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details at org.springframework.security.jackson2.SecurityJackson2Modules$AllowlistTypeIdResolver.typeFromId(SecurityJackson2Modules.java:285) ~[spring-security-core-6.3.3.jar:6.3.3] at com.fasterxml.jackson.databind.jsontype.impl.TypeDeserializerBase._findDeserializer(TypeDeserializerBase.java:159) ~[jackson-databind-2.17.2.jar:2.17.2] at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer._deserializeTypedForId(AsPropertyTypeDeserializer.java:151) ~[jackson-databind-2.17.2.jar:2.17.2] at com.fasterxml.jackson.databind.jsontype.impl.AsPropertyTypeDeserializer.deserializeTypedFromObject(AsPropertyTypeDeserializer.java:136) ~[jackson-databind-2.17.2.jar:2.17.2] at com.fasterxml.jackson.databind.deser.AbstractDeserializer.deserializeWithType(AbstractDeserializer.java:263) ~[jackson-databind-2.17.2.jar:2.17.2] at com.fasterxml.jackson.databind.deser.impl.TypeWrappedDeserializer.deserialize(TypeWrappedDeserializer.java:74) ~[jackson-databind-2.17.2.jar:2.17.2] at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342) ~[jackson-databind-2.17.2.jar:2.17.2] at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4905) ~[jackson-databind-2.17.2.jar:2.17.2] at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3909) ~[jackson-databind-2.17.2.jar:2.17.2] at org.apache.dubbo.spring.security.jackson.ObjectMapperCodec.deserialize(ObjectMapperCodec.java:50) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.spring.security.jackson.ObjectMapperCodec.deserialize(ObjectMapperCodec.java:67) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationResolverFilter.getSecurityContext(ContextHolderAuthenticationResolverFilter.java:74) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationResolverFilter.invoke(ContextHolderAuthenticationResolverFilter.java:61) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.filter.GenericFilter.invoke(GenericFilter.java:222) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.protocol.tri.h12.HttpContextFilter.invoke(HttpContextFilter.java:38) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.filter.ClassLoaderFilter.invoke(ClassLoaderFilter.java:54) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.filter.EchoFilter.invoke(EchoFilter.java:41) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.metrics.filter.MetricsFilter.invoke(MetricsFilter.java:86) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.metrics.filter.MetricsProviderFilter.invoke(MetricsProviderFilter.java:37) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.tracing.filter.ObservationReceiverFilter.invoke(ObservationReceiverFilter.java:59) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.filter.ProfilerServerFilter.invoke(ProfilerServerFilter.java:66) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.filter.ContextFilter.invoke(ContextFilter.java:191) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:349) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CallbackRegistrationInvoker.invoke(FilterChainBuilder.java:197) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.rpc.protocol.dubbo.DubboProtocol$1.reply(DubboProtocol.java:167) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.handleRequest(HeaderExchangeHandler.java:110) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.remoting.exchange.support.header.HeaderExchangeHandler.received(HeaderExchangeHandler.java:205) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.remoting.transport.DecodeHandler.received(DecodeHandler.java:52) ~[dubbo-3.3.0.jar:3.3.0] at org.apache.dubbo.remoting.transport.dispatcher.ChannelEventRunnable.run(ChannelEventRunnable.java:64) ~[dubbo-3.3.0.jar:3.3.0] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) ~[na:na] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) ~[na:na] at org.apache.dubbo.common.threadlocal.InternalRunnable.run(InternalRunnable.java:39) ~[dubbo-3.3.0.jar:3.3.0] at java.base/java.lang.Thread.run(Thread.java:1583) ~[na:na]
请问这个需要怎么解决呢,尝试了好多方式: 1. serialize.allowlist 不行 2. check-serializable: false 不行 3. serialize-check-status: WARN 不行 4. serialization: fastjson2 serialization: hession2 不行
还能有什么办法呢?
Comment From: wzkris
I already created PR #15414. @AlbumenJ PTAL