Posted to notifications@dubbo.apache.org by "jojocodeX (via GitHub)" <gi...@apache.org> on 2023/04/25 04:58:33 UTC

[GitHub] [dubbo] jojocodeX commented on issue #12161: The class with org.springframework.security.oauth2.provider.OAuth2Authentication and name of org.springframework.security.oauth2.provider.OAuth2Authentication is not in the allowlist

jojocodeX commented on issue #12161:
URL: https://github.com/apache/dubbo/issues/12161#issuecomment-1521153588

   > dubbo 3.2.0: this looks like an error that occurs when the dubbo provider deserializes the Authentication `org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationPrepareFilter#setSecurityContext org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationResolverFilter#getSecurityContext`
   > 
   > ```
   > Caused by: org.apache.dubbo.rpc.StatusRpcException: UNKNOWN : objectMapper! deserialize error java.lang.IllegalArgumentException: The class with org.springframework.security.oauth2.provider.OAuth2Authentication and name of org.springframework.security.oauth2.provider.OAuth2Authentication is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details
   > java.lang.RuntimeException: objectMapper! deserialize error java.lang.IllegalArgumentException: The class with org.springframework.security.oauth2.provider.OAuth2Authentication and name of org.springframework.security.oauth2.provider.OAuth2Authentication is not in the allowlist. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details
   > 	at org.apache.dubbo.spring.security.jackson.ObjectMapperCodec.deserialize(ObjectMapperCodec.java:50)
   > 	at org.apache.dubbo.spring.security.jackson.ObjectMapperCodec.deserialize(ObjectMapperCodec.java:58)
   > 	at org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationResolverFilter.getSecurityContext(ContextHolderAuthenticationResolverFilter.java:56)
   > 	at org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationResolverFilter.invoke(ContextHolderAuthenticationResolverFilter.java:45)
   > 	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
   > 
   > 	at org.apache.dubbo.rpc.TriRpcStatus.asException(TriRpcStatus.java:214)
   > 	at org.apache.dubbo.rpc.protocol.tri.call.UnaryClientCallListener.onClose(UnaryClientCallListener.java:51)
   > 	at org.apache.dubbo.rpc.protocol.tri.call.TripleClientCall.onComplete(TripleClientCall.java:112)
   > 	at org.apache.dubbo.rpc.protocol.tri.stream.TripleClientStream$ClientTransportListener.finishProcess(TripleClientStream.java:251)
   > 	at org.apache.dubbo.rpc.protocol.tri.stream.TripleClientStream$ClientTransportListener.onTrailersReceived(TripleClientStream.java:337)
   > 	at org.apache.dubbo.rpc.protocol.tri.stream.TripleClientStream$ClientTransportListener.lambda$onHeader$1(TripleClientStream.java:443)
   > 	at org.apache.dubbo.common.threadpool.serial.SerializingExecutor.run(SerializingExecutor.java:102)
   > 	at org.apache.dubbo.common.threadpool.ThreadlessExecutor$RunnableWrapper.run(ThreadlessExecutor.java:141)
   > 	at org.apache.dubbo.common.threadpool.ThreadlessExecutor.waitAndDrain(ThreadlessExecutor.java:70)
   > 	at org.apache.dubbo.rpc.AsyncRpcResult.get(AsyncRpcResult.java:202)
   > 	at org.apache.dubbo.rpc.protocol.AbstractInvoker.waitForResultIfSync(AbstractInvoker.java:286)
   > 	at org.apache.dubbo.rpc.protocol.AbstractInvoker.invoke(AbstractInvoker.java:189)
   > 	at org.apache.dubbo.rpc.listener.ListenerInvokerWrapper.invoke(ListenerInvokerWrapper.java:71)
   > 	at org.apache.dubbo.validation.filter.ValidationFilter.invoke(ValidationFilter.java:98)
   > 	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
   > 	at com.medusa.gruul.common.system.model.remote.SystemDubboConsumerSpreadConfig.invoke(SystemDubboConsumerSpreadConfig.java:27)
   > 	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
   > 	at com.medusa.gruul.common.security.resource.remote.AuthDubboConsumerSpreadConfig.invoke(AuthDubboConsumerSpreadConfig.java:30)
   > 	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
   > 	at org.apache.dubbo.metrics.filter.MetricsFilter.invoke(MetricsFilter.java:51)
   > 	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
   > 	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CallbackRegistrationInvoker.invoke(FilterChainBuilder.java:194)
   > 	at org.apache.dubbo.rpc.protocol.ReferenceCountInvokerWrapper.invoke(ReferenceCountInvokerWrapper.java:78)
   > 	at org.apache.dubbo.rpc.cluster.support.AbstractClusterInvoker.invokeWithContext(AbstractClusterInvoker.java:380)
   > 	at org.apache.dubbo.rpc.cluster.support.FailoverClusterInvoker.doInvoke(FailoverClusterInvoker.java:81)
   > 	at org.apache.dubbo.rpc.cluster.support.AbstractClusterInvoker.invoke(AbstractClusterInvoker.java:341)
   > 	at org.apache.dubbo.rpc.cluster.router.RouterSnapshotFilter.invoke(RouterSnapshotFilter.java:46)
   > 	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
   > 	at org.apache.dubbo.monitor.support.MonitorFilter.invoke(MonitorFilter.java:101)
   > 	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
   > 	at org.apache.dubbo.rpc.cluster.filter.support.MetricsClusterFilter.invoke(MetricsClusterFilter.java:51)
   > 	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
   > 	at org.apache.dubbo.rpc.protocol.dubbo.filter.FutureFilter.invoke(FutureFilter.java:52)
   > 	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
   > 	at org.apache.dubbo.spring.security.filter.ContextHolderParametersSelectedTransferFilter.invoke(ContextHolderParametersSelectedTransferFilter.java:41)
   > 	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
   > 	at org.apache.dubbo.spring.security.filter.ContextHolderAuthenticationPrepareFilter.invoke(ContextHolderAuthenticationPrepareFilter.java:47)
   > 	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
   > 	at org.apache.dubbo.rpc.cluster.filter.support.ConsumerClassLoaderFilter.invoke(ConsumerClassLoaderFilter.java:40)
   > 	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
   > 	at org.apache.dubbo.rpc.cluster.filter.support.ConsumerContextFilter.invoke(ConsumerContextFilter.java:118)
   > 	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CopyOfFilterChainNode.invoke(FilterChainBuilder.java:331)
   > 	at org.apache.dubbo.rpc.cluster.filter.FilterChainBuilder$CallbackRegistrationInvoker.invoke(FilterChainBuilder.java:194)
   > 	at org.apache.dubbo.rpc.cluster.support.wrapper.AbstractCluster$ClusterFilterInvoker.invoke(AbstractCluster.java:91)
   > 	at org.apache.dubbo.rpc.cluster.support.wrapper.MockClusterInvoker.invoke(MockClusterInvoker.java:103)
   > 	at org.apache.dubbo.rpc.cluster.support.wrapper.ScopeClusterInvoker.invoke(ScopeClusterInvoker.java:131)
   > 	at org.apache.dubbo.registry.client.migration.MigrationInvoker.invoke(MigrationInvoker.java:284)
   > 	at org.apache.dubbo.rpc.proxy.InvocationUtil.invoke(InvocationUtil.java:57)
   > 	at org.apache.dubbo.rpc.proxy.InvokerInvocationHandler.invoke(InvokerInvocationHandler.java:75)
   > 	at com.medusa.gruul.shop.api.rpc.ShopRpcServiceDubboProxy0.getShopInfoByShopId(ShopRpcServiceDubboProxy0.java)
   > 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   > 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
   > 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   > 	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
   > 	at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
   > 	at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:208)
   > 	at jdk.proxy2/jdk.proxy2.$Proxy176.getShopInfoByShopId(Unknown Source)
   > 	at com.medusa.gruul.service.uaa.service.service.impl.ShopAdminServiceImpl.lambda$myData$10(ShopAdminServiceImpl.java:253)
   > 	at com.medusa.gruul.common.security.resource.exntends.RoleTask.lambda$when$0(RoleTask.java:37)
   > 	at com.medusa.gruul.common.security.resource.exntends.RolePermMatcher.and(RolePermMatcher.java:174)
   > 	at com.medusa.gruul.common.security.resource.exntends.RoleTask.lambda$when$1(RoleTask.java:37)
   > 	at com.medusa.gruul.common.security.resource.exntends.RolePermMatcher.or(RolePermMatcher.java:190)
   > 	at com.medusa.gruul.common.security.resource.exntends.RoleTask.when(RoleTask.java:35)
   > 	at com.medusa.gruul.common.security.resource.exntends.RoleTask.ifAnyShopAdmin(RoleTask.java:113)
   > 	at com.medusa.gruul.service.uaa.service.service.impl.ShopAdminServiceImpl.lambda$myData$11(ShopAdminServiceImpl.java:250)
   > 	at io.vavr.control.Option.getOrElse(Option.java:336)
   > 	at com.medusa.gruul.service.uaa.service.service.impl.ShopAdminServiceImpl.myData(ShopAdminServiceImpl.java:243)
   > 	at com.medusa.gruul.service.uaa.service.service.impl.ShopAdminServiceImpl$$FastClassBySpringCGLIB$$ad26a94f.invoke(<generated>)
   > 	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
   > 	at org.springframework.aop.framework.CglibAopProxy.invokeMethod(CglibAopProxy.java:386)
   > 	at org.springframework.aop.framework.CglibAopProxy.access$000(CglibAopProxy.java:85)
   > 	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:704)
   > 	at com.medusa.gruul.service.uaa.service.service.impl.ShopAdminServiceImpl$$EnhancerBySpringCGLIB$$e31ae6f2.myData(<generated>)
   > 	at com.medusa.gruul.service.uaa.service.controller.ShopUserController.mine(ShopUserController.java:44)
   > 	at com.medusa.gruul.service.uaa.service.controller.ShopUserController$$FastClassBySpringCGLIB$$81a7126d.invoke(<generated>)
   > 	at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
   > 	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:793)
   > 	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
   > 	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:763)
   > 	at org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:61)
   > 	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
   > 	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:763)
   > 	at com.medusa.gruul.common.log.aspect.LogInterceptor.invoke(LogInterceptor.java:55)
   > 	at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
   > 	at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.proceed(CglibAopProxy.java:763)
   > 	at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:708)
   > 	at com.medusa.gruul.service.uaa.service.controller.ShopUserController$$EnhancerBySpringCGLIB$$dd2d6316.mine(<generated>)
   > 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   > 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
   > 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   > 	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
   > 	at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:205)
   > 	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:150)
   > 	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:117)
   > 	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895)
   > 	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808)
   > 	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
   > 	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1071)
   > 	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:964)
   > 	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
   > 	... 99 common frames omitted
   > ```
   
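   ObjectMapperCodec currently has a built-in set of objects it can deserialize. You can check whether the object you are serializing is among those deserializable objects. If it is not, or if you have special objects, you need to customize it through ObjectMapperCodecCustomer.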


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

