
Whitelist for Jackson security is too strict and doesn't work well with Redis sessions in spring-session #4889

Closed
@chrisburrell


Summary

When enabling the GenericJackson2JsonRedisSerializer, serialisation of the session fails due to the restrictive whitelisting, as related to #4370.

This is because org.springframework.session.data.redis.RedisOperationsSessionRepository uses a HashMap to represent the "delta" field in RedisSession (org.springframework.session.data.redis.RedisOperationsSessionRepository.RedisSession).

Would it be possible to open up HashMaps for deserialisation purposes? Seeing as we already allow TreeMap, I can't see that a HashMap would make much difference security-wise.
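The behaviour reported above, as an added example that is not part of the original issue or of the Spring Security code base: it round-trips a HashMap through GenericJackson2JsonRedisSerializer backed by an ObjectMapper carrying the Spring Security Jackson modules, first as-is and then with HashMap opted in for that one mapper. Assumptions: a Spring Security version whose allowlist lacks HashMap, as the issue describes, and an allowlist check that accepts classes with an explicit Jackson mixin registered; `HashMapAllowlistDemo`, `HashMapMixin` and the map contents are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.SerializationException;
import org.springframework.security.jackson2.SecurityJackson2Modules;

public class HashMapAllowlistDemo {

    // Hypothetical empty mixin: its only purpose is to mark HashMap as an
    // explicitly mapped type for this one ObjectMapper (assumed opt-in path).
    abstract static class HashMapMixin { }

    static GenericJackson2JsonRedisSerializer serializer(boolean allowHashMap) {
        ObjectMapper mapper = new ObjectMapper();
        // The Spring Security modules enable default typing guarded by the
        // class allowlist that this issue is about.
        mapper.registerModules(
                SecurityJackson2Modules.getModules(HashMapAllowlistDemo.class.getClassLoader()));
        if (allowHashMap) {
            // Narrow opt-in: only HashMap, only on this mapper; the allowlist
            // stays in force for every other class name found in the JSON.
            mapper.addMixIn(HashMap.class, HashMapMixin.class);
        }
        return new GenericJackson2JsonRedisSerializer(mapper);
    }

    static String roundTrip(GenericJackson2JsonRedisSerializer s, Object value) {
        byte[] json = s.serialize(value);       // writing does not consult the allowlist
        try {
            Object back = s.deserialize(json);  // reading resolves "@class" through it
            return "read back as " + back.getClass().getName();
        } catch (SerializationException e) {
            return "rejected: " + e.getMostSpecificCause().getMessage();
        }
    }

    public static void main(String[] args) {
        Map<String, Object> delta = new HashMap<>();    // constructed sample data
        delta.put("sessionAttr:constructed", "value");
        System.out.println(roundTrip(serializer(false), delta));
        System.out.println(roundTrip(serializer(true), delta));
    }
}
```

On a version whose built-in allowlist already includes HashMap, both calls read the value back and the mixin is unnecessary.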

Labels: in: core (An issue in spring-security-core); type: enhancement (A general enhancement)
