#893 Disable Jackson ObjectMapper FAIL_ON_UNKNOWN_PROPERTIES Deserialization Feature by default #894

Closed
@@ -17,6 +17,7 @@

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer;
import com.fasterxml.jackson.databind.module.SimpleModule;
@@ -65,13 +66,27 @@ public JacksonDeserializer() {
* specified {@code claimTypeMap}. This ensures that the JJWT parsing behavior does not unexpectedly
* modify the state of another application-specific {@code ObjectMapper}.
* <p>
* The {@code FAIL_ON_UNKNOWN_PROPERTIES} deserialization feature of Jackson {@code ObjectMapper} is disabled by default.
* <p>
* If you would like to use your own {@code ObjectMapper} instance that also supports custom types for
* JWT {@code Claims}, you will need to first customize your {@code ObjectMapper} instance by registering
* your custom types and then use the {@link #JacksonDeserializer(ObjectMapper)} constructor instead.
*
* @param claimTypeMap The claim name-to-class map used to deserialize claims into the given type
* @see JacksonDeserializer#JacksonDeserializer(Map, boolean)
*/
public JacksonDeserializer(Map<String, Class<?>> claimTypeMap) {
this(claimTypeMap, false);
}

/**
* Creates a new JacksonDeserializer where the values of the claims can be parsed into given types.
* @param claimTypeMap The claim name-to-class map used to deserialize claims into the given type
* @param failOnUnknownProperties The flag used to enable({@code true}) or disable({@code false})
* the {@code FAIL_ON_UNKNOWN_PROPERTIES} deserialization feature of Jackson {@code ObjectMapper}
* @see JacksonDeserializer#JacksonDeserializer(Map)
*/
public JacksonDeserializer(Map<String, Class<?>> claimTypeMap, boolean failOnUnknownProperties) {
// DO NOT reuse JacksonSerializer.DEFAULT_OBJECT_MAPPER as this could result in sharing the custom deserializer
// between instances
this(new ObjectMapper());
@@ -80,6 +95,7 @@ public JacksonDeserializer(Map<String, Class<?>> claimTypeMap) {
SimpleModule module = new SimpleModule();
module.addDeserializer(Object.class, new MappedTypeDeserializer(Collections.unmodifiableMap(claimTypeMap)));
objectMapper.registerModule(module);
objectMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, failOnUnknownProperties);
}

/**
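Review bot: The one-argument constructor now delegates with `this(claimTypeMap, false)`, so existing callers that map claims to custom types silently move from strict to lenient parsing, and the Javadoc does not say how to keep the strict behaviour. A fresh `ObjectMapper` has `FAIL_ON_UNKNOWN_PROPERTIES` enabled in Jackson 2.x, so unless the lines hidden between the second and third hunks configure it, unexpected fields in a mapped claim value were previously rejected and are now ignored. I would add to the one-argument constructor's Javadoc a sentence such as `Pass {@code true} to {@link #JacksonDeserializer(Map, boolean)} to reject claim values that carry fields the mapped type does not declare.` and repeat the trade-off on the `failOnUnknownProperties` parameter. The setting is applied only in this constructor; the no-argument and `ObjectMapper` constructors are not touched in the visible hunks, so "disabled by default" should be worded as applying to the claim-type-map constructors only, or the other paths should be made consistent. The body of the two-argument constructor continues between the hunks and is not fully visible here.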