I would like to be able to extend the TRUSTED_CLASS_NAMES without having to copy&paste the entire Jackson2ExecutionContextStringSerializer.
I can see that you had to fix a security vuln in #3732, but it broke (de)serialization in a lot of apps. I have no problem adding the annotations to my classes, but I have no idea how to allow java.util.UUID.
I suggest that you introduce a mechanism that would allow me to extend the list of trusted classes in case there is a JDK/library class I cannot modify.
Also it's really hard to override the serializer and I had to extend a bunch of configuration and bean factory classes to accomplish it.